Category Archives: security

Why it matters if Uber execs access user data: U.S. Congress loves Uber

heatmap Uber DC

heatmap Uber DC

Last night, Buzzfeed editor-in-chief Ben Smith published an explosive story, reporting on a dinner in New York City where Uber executive Emil Michael floated the idea of hiring opposition researchers to dig up dirt on journalists who had been critical of the startup. Michael, who has since repeatedly apologized, asserted that neither “me nor my company would ever engage in such activities.” Uber spokesperson Nairi Hourdajian tweeted that “We have not, do not and will not investigate journalists. Those remarks have no basis in the reality of our approach.”

If so, Uber would differ from H-P, Wal-Mart, Deutche Telekom, Fox News and other tech companies that have investigated and monitored journalists reporting on them. Regardless of the truth of whether this famously aggressive company has or will gather such “dirt files,” one item in Smith’s report deserves special notice, as Jay Yarrow picked up this morning: Smith reported that Uber demonstrated how it could spy on journalists:

In fact, the general manager of Uber NYC accessed the profile of a BuzzFeed News reporter, Johana Bhuiyan, to make points in the course of a discussion of Uber policies. At no point in the email exchanges did she give him permission to do so.

Uber told Smith that “Any such activity would be clear violations of our privacy and data access policies. Access to and use of data is permitted only for legitimate business purposes. These policies apply to all employees. We regularly monitor and audit that access.”

According to Ellen Cushing, a senior editor at San Francisco Magazine, that policy doesn’t look watertight.

Cushing explained more in a followup post about the warning she received::

It’s worth noting here that as far as I know, the company hasn’t looked into my logs. After talking to Uber staffers, it’s quite clear that the company stokes paranoia in its employees about talking to the press, so there’s a solid possibility that my sources’ fears were just the result of overzealous (and unfounded) precaution. But when I contacted a former employee last night about the news, this person told me that “it’s not very hard to access the travel log information they’re talking about. I have no idea who is ‘auditing’ this log or access information. At least when I was there, any employee could access rider rating information, as I was able to do it. How much deeper you could go with regular access, I’m not sure, as I didn’t try.” A second former employee told me something similar, saying “I never heard anything about execs digging into reporters’ travel logs, though it would be easy for them to do so.”

If you’re not thinking through the potential issues of Uber knowing who its riders are, when, and where, and what they are likely to have been doing, it’s worth stepping back a bit. Such associations can be powerful, as Uber has itself noted itself, from a “Ride of Glory“, defined as “anyone who took a ride between 10pm and 4am on a Friday or Saturday night, and then took a second ride from within 1/10th of a mile of the previous nights’ drop-off point 4-6 hours later (enough for a quick night’s sleep” to associations with alcohol and prostitution.

Uber blog: "How Prostitution and Alcohol Make Uber Better." "Areas of San Francisco with the most prostitution, alcohol, theft, and burglary also have the most Uber rides. "

Uber blog: “How Prostitution and Alcohol Make Uber Better.” – “Areas of San Francisco with the most prostitution, alcohol, theft, and burglary also have the most Uber rides. ”

With great data comes great power, and therefore responsibility. That means culture and ethics matter. The reason Michael was angry at Sarah Lacy is appears to be because of her excoriating post about Uber’s culture.

Now, imagine if powerful members of Congress decide that they don’t like Uber’s labor practices, or surge pricing, or its approach to flaunting regulatory strictures, or the way it lobbies city governments not to be subject to reporting on compliance with accessibility laws. What then? Will the same executives who have showed a limited “God View” at launch parties choose not to use more powerful internal analytics to track who is going where and when?

I know this is all hypothetical, but multiple reports of executives accessing user profiles mean we need keep our eyes open and ears clear, particularly given the relationships we can see forming between powerful politicians and tech companies, and the stories we already know meta data can tell about our lives.

The co-founder and CEO of Uber, Travis Kalanick, is a driven entrepreneur relentlessly focused on building a great product that seamlessly connects demand to capacity in a brilliant mobile app, leaving payment and logistics in the background. When I sat across from him at the launch party for Uber in DC, I found him to be funny and quick-witted, with a natural salesman’s charisma. Today, I think Uber users, including me, need to hear from him next, however, isn’t about future profit projections, plans for future expansion or more partnerships: it’s that we can trust him and his company with our locations and our safety. We want to know that they won’t ever use the data generated by our movements or pickups against us or the people who represent us. We want to know that they aren’t “morally bankrupt.” The stakes are too high to blindly trust without verifying.

UPDATE: Kalanick tweeted out the following statement after I published this post: “Emil’s comments at the recent dinner party were terrible and do not represent the company. His remarks showed a lack of leadership, a lack of humanity, and a departure from our values and ideals. His duties here at Uber do not involve communications strategy or plans and are not representative in any way of the company approach. Instead, we should lead by inspiring our riders, our drivers and the public at large. We should tell the stories of progress and appeal to people’s hearts and minds. We must be open and vulnerable enough to show people the positive principles that are the core of Uber’s culture. We must tell the stories of progress Uber has brought to cities and show the our constituents that we are principled and mean well. The burden is on us to show that, and until Emil’s comments we felt we were making positive steps along those lines. But I will personally commit to our riders, partners and the public that we are up to the challenge. We are up to the challenge to show that Uber is and will continue to be a positive member of the community. And furthermore, I will do everything in my power towards the goal of earning that trust. I believe that folks who make mistakes can learn from them – myself included – and that also goes for Emil. And last, I want to apologize to @sarahcuda.”

I’ll update this if he replies to my question. An edited version of this post was published on Wired.com.

UPDATE: On Tuesday night, un response to further concerns and criticism about its data use, Uber updated its privacy policy in a post to the company blog. I’m posting the statement in full below:

We wanted to take a moment to make very clear our policy on data privacy, which is fundamental to our commitment to both riders and drivers. Uber has a strict policy prohibiting all employees at every level from accessing a rider or driver’s data. The only exception to this policy is for a limited set of legitimate business purposes. Our policy has been communicated to all employees and contractors.

Examples of legitimate business purposes for select members of the team include:

Supporting riders and drivers in order to solve problems brought to their attention by the Uber community.

Facilitating payment transactions for drivers.

Monitoring driver and rider accounts for fraudulent activity, including terminating fake accounts and following up on stolen credit card reports.

Reviewing specific rider or driver accounts in order to troubleshoot bugs.

The policy is also clear that access to rider and driver accounts is being closely monitored and audited by data security specialists on an ongoing basis, and any violations of the policy will result in disciplinary action, including the possibility of termination and legal action.

Uber’s business depends on the trust of the riders and drivers that use our technology and platform. The trip history of our riders is confidential information, and Uber protects this data from internal and external unauthorized access. As the company continues to grow, we will continue to be transparent about our policy and ensure that it is properly understood by our employees.

[Graphic Credit: TechCrunch, Uber]

Leave a comment

Filed under article, security, technology

Beware sexy honeybots spear phishing on social media

220px-Robin_SageIf your connected life includes access to sensitive, proprietary or confidential information, be thoughtful about who you friend, follow or connect to online.

When fake femme fatale can dupe the IT guys at a government agency, you could also be spear phished.

If this all sounds familiar, you might be thinking of “Robin Sage,” when another fictitious femme fatale fooled security analysts, defense contractors and members of the military and intelligence agencies around the DC area.

Everything is new again.

[Image Credit: Wikipedia]

Leave a comment

Filed under blogging, security, social media, technology

Apple releases first transparency report on government requests for user data

Apple, one of the least transparent companies in the world, has released a transparency report on government requests for user data.(PDF). Requests from the United States of America dwarf the rest of the world — and that’s without including the ones that Apple cannot tell us about, due to gag orders and National Security Letters.

apple-transparency-table

Notably, Apple has indicated that it will join other tech companies in seeking the ability to disclose such requests:

“We believe that dialogue and advocacy are the most productive way to bring about a change in these policies, rather than filing a lawsuit against the U.S. government. Concurrent with the release of this report, we have filed an Amicus brief at the Foreign Intelligence Surveillance Court (FISA Court) in support of a group of cases requesting greater transparency. Later this year, we will file a second Amicus brief at the Ninth Circuit in support of a case seeking greater transparency with respect to National Security Letters. We feel strongly that the government should lift the gag order and permit companies to disclose complete and accurate numbers regarding FISA requests and National Security Letters. We will continue to aggressively pursue our ability to be more transparent.”

Apple did break new ground with the report, as FT reporter Tim Bradshaw observed: it was the first to disclose requests for device data.

device-data-requst

The U.S. government leads the rest of the world in device data requests by law enforcement as well, though not by as wide a margin: Australia, the United Kingdom, Singapore and Germany have all made more than 1000 requests, according to the disclosure.

Be careful about what you put in that iCloud, folks.

Apple’s transparency report ends with an interesting footnote: “Apple has never received an order under Section 215 of the USA Patriot Act. We would expect to challenge such an order if served on us.”

For those unfamiliar with that part of the law, it has been the subject of intense criticism for years from privacy and civil liberties advocates, particularly since the disclosures of mass surveillance of U.S. telecomm data by the NSA entered the public sphere this past summer.

3 Comments

Filed under journalism, security, technology

Hi! Click here to stop from getting phished on Twitter

Today, Twitter finally started rolling out dual-factor authentication for its users. Twitter will allow users to use text messaging to a mobile phone to confirm their identity upon log-in.

In a post and accompanying video on the company blog, Twitter product security team member Jim O’Leary (@jimeo) explained how Twitter’s version of 2-factor authentication will work:

…when you sign in to twitter.com, there’s a second check to make sure it’s really you. After you enroll in login verification, you’ll be asked to enter a six-digit code that we send to your phone via SMS each time you sign in to twitter.com.

To get started, visit your account settings page, and select the option “Require a verification code when I sign in”. You’ll need a confirmed email address and a verified phone number. After a quick test to confirm that your phone can receive messages from Twitter, you’re ready to go.

Twitter has lagged behind Google, Microsoft, Facebook and institutions that allow online banking in providing this additional layer of protection. It’s showed: Twitter has been plagued by phishing scams for years.

Recently, however, high profile hacks of Twitter accounts at the Associated Press, the Financial Times and The Onion have put more focus on adding this feature. As Twitter adds more e-commerce deals and becomes more integrated into politics and business, improving security will only become more important.

Today’s announcement is a much-needed improvement. Here’s hoping it gets rolled out quickly to the hundreds of millions of users who can’t get someone at Twitter on the phone after they clicked on the wrong link.

Hat tip: The Verge

2 Comments

Filed under article, government 2.0, journalism, microsharing, security, social media, technology, Twitter

Hacks at Twitter, New York Times, WSJ and Washington Post highlight need for better security hygiene

email_header_710Earlier tonight, I received an email I would just as soon not have gotten from Twitter, along with 250,000 Twitter users who had their password reset. Twitter security director Bob Lord explained why I’d received the email on the company blog:

“This week, we detected unusual access patterns that led to us identifying unauthorized access attempts to Twitter user data. We discovered one live attack and were able to shut it down in process moments later. However, our investigation has thus far indicated that the attackers may have had access to limited user information – usernames, email addresses, session tokens and encrypted/salted versions of passwords – for approximately 250,000 users.”

Mike Isaac has been following the story the hack at Twitter at AllThingsD, if you want the latest news tonight.

After the password reset, I went through revoked Twitter authorization access to a number of unused apps, something I’ve been doing periodically for years now. That habit is among Twitter’s security recommendations.

I’m thinking about other social media accounts now, too. Shortly after Nicole Perloth began covering IT security for the New York Times, she shifted her practices:

“Within weeks, I set up unique, complex passwords for every Web site, enabled two-step authentication for my e-mail accounts, and even covered up my computer’s Web camera with a piece of masking tape — a precaution that invited ridicule from friends and co-workers who suggested it was time to get my head checked.”

She talked to two top-notch security experts and wrote up a useful list of good digital security practices. Unfortunately, it may be that it takes getting hacked and embarrassed (as I was on Twitter, on Christmas Eve a couple years ago) to change what how people approach securing their digital lives.

I don’t recommend that sort of experience to anyone. I was lucky, was tipped nearly right away and was able to quickly get help from the remarkable Del Harvey, head of the Twitter Safety team.

It could have been much, much worse. I’m thinking of Mat Honan, a Wired journalist who experienced an epic hacking that came about through a chain of  compromised accounts at Amazon, iTunes, Gmail and Twitter. After a lot of work, Honan managed to recover his data, including some precious pictures of his child. In the wake of the hack, he turned on 2-factor authentication on Google and Facebook, turned off “Find my” Apple device, and set up dedicated, secret accounts for password management. Honan isn’t alone in the tech journalist ranks: he just happens to have a bigger platform than most and was willing to make his own painful experience the subject of an extensive story.

A jarring reality is that even people who are practicing reasonably good security hygiene can and do get p0wned. Unfortunately, the weakest point in many networks are the humans — that’s reportedly how Google ran into trouble, when key employees were “spear phished” during “Operation Aurora,” targeted with social engineering attacks that enabled hackers to access the networks.

The last paragraph of Lord’s post suggests that a similar expertise was at work at Twitter, although he does not specify a source.

“This attack was not the work of amateurs, and we do not believe it was an isolated incident. The attackers were extremely sophisticated, and we believe other companies and organizations have also been recently similarly attacked. For that reason we felt that it was important to publicize this attack while we still gather information, and we are helping government and federal law enforcement in their effort to find and prosecute these attackers to make the Internet safer for all users.”

It’s been true for a decade but it’s even clearer in the second month of 2013: practicing basic information security hygiene is now a baseline for anyone else online, particularly those entrusted with handling confidential sources or sensitive information.

Chris Soghoian was clear about the importance of journalists and media companies getting smarter about keeping sources and information safe in 2011. Tonight, I am not sanguine about how much has changed since in the news industry and beyond.

Two days ago, the New York Times disclosed that hackers had infiltrated …the New York Times. The next day, The Wall Street Journal has disclosed similar intrusions. Earlier today, Brian Krebs reported that the Washington Post was broadly infiltrated by Chinese hackers in 2012. The Post confirmed the broad outlines of an attack on its computers.

If you’re a journalist & you’re not using a password manager+unique, long random passwords per website: stop, install and configure one now.

— Christopher Soghoian (@csoghoian) February 2, 2013

If you have a moment this weekend, think through how you’re securing your devices, networks and information. If you use Twitter, visit Twitter.com and update your password. If you haven’t turned on 2-factor authentication for Facebook and Gmail, do so. Update your Web browser and use HTTPS to connect to websites. disable Java in your Web browser. Think through what would happen if you were hacked, in terms of what numbers you would call and where and how your data is backed up. Come up with tough passwords that aren’t easily subject to automated cracking software.

And then hope that researchers figure out a better way to handle authentication for all of the places that require a string of characters we struggle to remember and protect.

3 Comments

Filed under journalism, security