Uber files John Doe lawsuit in response to nine month-old data breach


Uber has filed a John Doe lawsuit in the district court of Northern California as part of its investigation regarding a data breach of one its driver’s database.

Last year in on September 17th, Uber discovered that one of its databases had been accessed using a login key that was posted on a post on Github.  The key was used to access Uber's internal database which houses information about 50,000 drivers.

Uber has begun reaching out to drivers whose information was stored in the breached database. The company has also provided a one year free membership of Experian’s ProtectMyID Alert to drivers whose information has been stolen.

Uber has also subpoenaed Github to share the IP addresses of anyone who visited a particular gist post (the login key used to access the database was posted there) between March and September 2014.

Uber shared the information about the breach through a post on its blog, on which it mentioned that the breach of data had occurred sometime around 12th May, last year. The files that were stolen from the database contained names and driving license numbers of its drivers, past and present. According to Uber, no case of misuse of any stolen data has been reported.

Questions have risen after the post was published on Uber's blog as to why the company did not come forward with the information earlier, and why were driver partners whose information was stolen and put at risk, not informed about the incident earlier?

Apple releases Bash update addressing ShellShock vulnerability

Over the last few days we have seen headlines about the critical security bug in Bash shell that affects Unix, Linux and even Mac computers.

Apple previously noted that only few Mac users who runs the advanced Unix Services were actually affected by the shell shock vulnerability.  Others are not at risk to this bug.

Apple said they are working to quickly provide update to patch this problem.

As promoised, it has released OS X bash update for OS X Lion, Mountain Lion and Mavericks.

You can download the update from their support page:
http://support.apple.com/downloads/

Cyber Security & Privacy Foundation certifies Security Products


Cyber Security and Privacy Foundation(CSPF) has certified a few security products after extensive testing.

CSPF has selected Avast Antivirus and ESET Nod32 as best anti virus products which is suitable for Indian environment.

"DiskCryptor" in disk encryption category, "React OS" in operating system category, 'Zemana' and 'Keyscrambler' in Anti keylogger category, "IronWASP" in Web Application pentesting tool category have all been certified by the CSPF.

We asked the founder of CSPF  Mr. J. Prasanna if CSPF will certify any other products in the future and on what basis these tools were chosen for testing? He said "We will only certify tools after they have been extensively tested for the Indian market, we do not take any funding or sponsorships from companies that own these products."

"We were recently approached by some other companies to test their products, but we discovered that many of them do not even pass the eligibility criteria."
 
We at EHN hope that CSPF will test many such products in the future and thus enable the public make better decisions about the softwares they run in their computers.

CSPF introduces Free online Ethical Hacking Course

Cyber Security and Privacy Foundation is happy to announce the first free online Ethical Hacking & Cyber Defence Course.

Within first 10 days after the course is launched, we have seen alreay 240 students registered for the online course.  The students registered range from Age group of 20 to 60.

Mr. Gemini Ramamurthy, chairman of CSPF, says we are very happy with overwhelming response from across the Globe for this course.  CSPF will continue to offer more such courses to the Online academy.


White Hat Hacking Course:
https://www.udemy.com/certified-whitehat-hacker-level-1/

Cyber Defence Course:
https://www.udemy.com/cyber-defence-course-cdc/

Security Vulnerability in Android allows any app to make phone calls

An application normally needs permission and should alert user that it needs permission to make phone call, when it is being installed.

Researchers at Security firm CureSec has discovered a security flaw in the Android system that allows malicious applications to initiate unauthorized phone calls. 

By exploiting this vulnerability, malicious apps can make phone calls to premium-rated numbers and terminate any outgoing calls.  It is also capable of sending Unstructured Supplementary Service Data (USSD) codes that can be used for enabling call forwarding, blocking your sim cards and so on.

The security bug appears to be introduced in Android Jelly bean 4.1.1  and it exits in all latest versions through Android Kitkat 4.4.2.

CureSec has also released a source code and proof-of-concept application to demonstrate the existence of vulnerability.

The bug has been fixed in the latest version of android (v4.4.4).

Schools Kids hacked BMO ATM using Operators manual found online

A couple of school kids from Winnipeg has managed to hack into a Bank of Montreal's (BMO) ATM operating system during their lunch break.

Matthew Hewlett and Caleb Turon, the grade 9 students, used an ATM operators manual they found online to get into the machine's operator mode, according to Toronto Sun.

The operator mode asked them to enter password.  However, the kids were successfully able to guess the six-digit password on the first try.   The machine has used a common default password.

The kids reported about the issue to a nearby BMO Branch.  However, Bank staff didn't believe them.  So, the kids asked the staff "Is it alright for us to get proof".

They headed back to the ATM to get a proof and come back with the printout of how much money the ATM is currently having.  They even changed the ATM's Greeting Message to "Go away. This ATM has been hacked."

This time, staff took them seriously and the Branch Manager to contacted Head security to take steps to fix the issue.


Ralph Marranca, Spokesperson for BMO said no customer information and accounts and the contents of the ATM were never at risk and are secure.