Mar 11, 2019

Dozens of companies leaked sensitive data thanks to misconfigured Box accounts

Security researchers have found dozens of companies inadvertently leaking sensitive corporate and customer data because staff are sharing public links to files in their Box enterprise storage accounts that can easily be discovered.

The discoveries were made by Adversis, a cybersecurity firm, which found major tech companies and corporate giants had left data inadvertently exposed. Although data stored in Box enterprise accounts is private by default, users can share files and folders with anyone, making data publicly accessible with a single link. But Adversis said these secret links can be discovered by others. Using a script to scan for and enumerate Box accounts with lists of company names and wildcard searches, Adversis found more than 90 companies with publicly accessible folders.

Not even Box’s own staff were immune from leaking data.

The company said while much of the data is legitimately public and Box advises users how to minimize risks, many employees may not know the sensitive data they share can be found by others.

Worse, some public folders were scraped and indexed by search engines, making the data even easier to find.

In a blog post, Adversis said Box administrators should reconfigure the default access for shared links to “people in your company” to reduce accidental exposure of data to the public.

Adversis said it found passport photos, bank account and Social Security numbers, passwords, employee lists, financial data like invoices and receipts and customer data among the data found. The company contacted Box to warn of the larger exposures of sensitive data, but noted that there was little overall improvement six months after its initial disclosure.

“There is simply too much out there and not enough time to resolve each individually,” he said.

Adversis provided TechCrunch with a list of known exposed Box accounts. We contacted several of the big companies named, as well as those known to have highly sensitive data, including:

  • Amadeus, the flight reservation system maker, which left a folder full of documents and application files associated with Singapore Airlines. Earlier this year, researchers found flaws that made it easy to change reservations booked with Amadeus.
  • Apple had several folders exposed, containing what appeared to be non-sensitive internal data, such as logs and regional price lists.
  • Television network Discovery had more than a dozen folders listed, including database dumps of millions of customers’ names and email addresses. The folders also contained some demographic information and developer project files, including casting contracts and notes and tax documents.
  • Edelman, the global public relations firm, had an entire project proposal for working with the New York City mass transit division, including detailed proposal plans and more than a dozen resumes of potential staff for the project — including their names, email addresses, and phone numbers.
  • Nutrition giant Herbalife left several folders exposed containing files and spreadsheets on about 100,000 customers, including their names, email addresses and phone numbers.
  • Opportunity International, a nonprofit aimed at ending global poverty, exposed in a massive spreadsheet a list of donor names, addresses and amount given.
  • Schneider Electric left dozens of customer orders accessible to anyone, including sludge works and pump stations for several towns and cities. Each folder had an installation “sequence of operation” document, which included both default passwords and in some cases “backdoor” access passwords in case of forgotten passwords.
  • PointCare, a medical insurance coverage management software company, had thousands of patient names and insurance information exposed. Some of the data included the last four digits of Social Security numbers.
  • United Tissue Network, a whole-body donation nonprofit, exposed body donor information and personal information of donors in a vast spreadsheet, including the prices of body parts.

Box, which initially had no comment when we reached out, had several folders exposed. The company exposed signed non-disclosure agreements on their clients, including several U.S. schools, as well as performance metrics of its own staff, the researchers said.

Box spokesperson Denis Roy said in a statement: “We take our customers’ security seriously and we provide controls that allow our customers to choose the right level of security based on the sensitivity of the content they are sharing. In some cases, users may want to share files or folders broadly and will set the permissions for a custom or shared link to public or ‘open’. We are taking steps to make these settings more clear, better help users understand how their files or folders can be shared, and reduce the potential for content to be shared unintentionally, including both improving admin policies and introducing additional controls for shared links.”

The cloud giant said it plans to reduce the unintended discovery of public files and folders.

Amadeus, Apple, Box, Discovery, Herbalife, Edelman and PointCare all reconfigured their enterprise accounts to prevent access to their leaking files after TechCrunch reached out.

Amadeus spokesperson Alba Redondo said the company decommissioned Box in October and blamed the exposure on an account that was “misconfigured in public mode,” which has now been corrected and external access to it is now closed. “We continue to investigate this issue and confirm there has been no unauthorized access of our system,” said the spokesperson, without explanation. “There is no evidence that confidential information or any information containing personal data was impacted by this issue,” the spokesperson added.

When we asked Amadeus how it concluded there was no improper access, another spokesperson, Ben Hunt, said: “We have the full audit trail for Box and access of these files — none of the files have been downloaded outside of either Amadeus or authorized customers.”

The spokesperson declined to explain its statement when told files were downloaded to verify their contents.

PointCare chief executive Everett Lebherz confirmed its leaking files had been “removed and Box settings adjusted.” Edelman’s global marketing chief Michael Bush said the company was “looking into this matter.”

Herbalife spokesperson Jennifer Butler said the company was “looking into it,” but we did not hear back after several follow-ups. (Butler declared her email “off the record,” which requires both parties agree to the terms in advance, but we are printing the reply as we were given no opportunity to reject the terms.)

When reached, an Apple spokesperson did not comment by the time of publication.

Discovery, Opportunity International, Schneider Electric and United Tissue Network did not return a request for comment.

Data “dumpster diving” is not a new hobby for the skilled, but it’s a necessary sub-industry to fix an emerging category of data breaches: leaking, public and exposed data that shouldn’t be. It’s a growing space that we predicted would grow as more security researchers look to find and report data leaks.

This year alone, we’ve reported data leaks at Dow Jones, Rubrik, NASA, AIESEC, Uber, the State Bank of India, two massive batches of Indian Aadhaar numbers, a huge leak of mortgage and loan data and several Chinese government surveillance systems.

Adversis has open-sourced and published its scanning tool.

Feb 04, 2019

Workplace messaging platform Slack has confidentially filed to go public

Slack, the provider of workplace communication and collaboration tools, has submitted paperwork with the Securities and Exchange Commission to go public later this year, the company announced on Monday.

This is its first concrete step toward becoming a publicly listed company, five years after it launched.

Headquartered in San Francisco, Slack has raised more than $1 billion in venture capital investment, including a $427 million funding round in August. The round valued the business at $7.1 billion, cementing its position as one of the most valuable privately held businesses in the U.S.

The company counted 10 million daily active users around the world and 85,000 paying users as of January 2019. According to data provided (via email) by SensorTower, Slack’s new users on mobile increased roughly 21 percent last quarter compared to Q4 2017, while total installs on mobile grew 24 million. The company recorded 8 million installs in 2018, up 21 percent year-over-year.

Slack’s investors include SoftBank’s Vision Fund, Dragoneer Investment Group, General Atlantic, T. Rowe Price Associates, Wellington Management, Baillie Gifford, Social Capital and IVP, as well as early investors Accel and Andreessen Horowitz.

Slack is one of several tech unicorns on deck to go public this year. Uber and Lyft have both similarly filed confidentially to go public in what are expected to be traditional initial public offerings. Slack, however, is expected to pursue a direct listing, following in Spotify’s footsteps. Instead of issuing new shares, Slack will sell directly to the market existing shares held by insiders, employees and investors, a move that will allow it to bypass a roadshow and some of Wall Street’s exorbitant IPO fees.

Nov 15, 2018

Uber joins Linux Foundation, cementing commitment to open-source tools

Uber announced today at the 2018 Uber Open Summit that it was joining the Linux Foundation as a Gold Member, making a firm commitment to using and contributing to open-source tools.

Uber CTO Thuan Pham sees the Linux Foundation as a place for companies like his to nurture and develop open-source projects. “Open source technology is the backbone of many of Uber’s core services and as we continue to mature, these solutions will become ever more important,” he said in a blog post announcing the partnership.

What’s surprising is not that they joined, but that it took so long. Uber has been long known for making use of open source in its core tools, working on over 320 open-source projects and repositories from 1,500 contributors involving over 70,000 commits, according to data provided by the company.

“Uber has made significant investments in shared software development and community collaboration through open source over the years, including contributing the popular open-source project Jaeger, a distributed tracing system, to the Linux Foundation’s Cloud Native Computing Foundation in 2017,” an Uber spokesperson told TechCrunch.

Linux Foundation Executive Director Jim Zemlin was certainly happy to welcome Uber into the fold. “Their expertise will be instrumental for our projects as we continue to advance open solutions for cloud native technologies, deep learning, data visualization and other technologies that are critical to businesses today,” Zemlin said in a statement.

The Linux Foundation is an umbrella group supporting myriad open-source projects and providing an organizational structure for companies like Uber to contribute and maintain open-source projects. It houses sub-organizations like the Cloud Native Computing Foundation, Cloud Foundry Foundation, The Hyperledger Foundation and the Linux operating system, among others.

These open-source projects provide a base on top of which contributing companies and the community of developers can add value if they wish and build a business. Others like Uber, which uses these technologies to fuel their backend systems, won’t sell additional services, but can capitalize on the openness to help fuel their own requirements in the future, while also acting as a contributor to give as well as take.

Aug 13, 2018

New Uber feature uses machine learning to sort business and personal rides

Uber announced a new program today called Profile Recommendations that takes advantage of machine intelligence to reduce user error when switching between personal and business accounts.

It’s not unusual for a person to have both types of accounts. When you’re out and about, it’s easy to forget to switch between them when appropriate. Uber wants to help by recommending the correct one.

“Using machine learning, Uber can predict which profile and corresponding payment method an employee should be using, and make the appropriate recommendation,” Ronnie Gurion, GM and Global Head of Uber for Business wrote in a blog post announcing the new feature.

Uber has been analyzing a dizzying amount of trip data for so long, it can now (mostly) understand the purpose of a given trip based on the details of your request. While it’s certainly not perfect because it’s not always obvious what the purpose is, Uber believes it can determine the correct intention 80 percent of the time. For that remaining 20 percent, when it doesn’t get it right, Uber is hoping to simplify corrections too.


Business users can now also assign trip reviewers — managers or other employees who understand the employee’s usage patterns, and can flag questionable rides. Instead of starting an email thread or complicated bureaucratic process to resolve an issue, the employee can now see these flagged rides and resolve them right in the app. “This new feature not only saves the employee’s and administrator’s time, but it also cuts down on delays associated with closing out reports,” Gurion wrote in the blog post announcement.

Uber also announced that it’s supporting a slew of new expense reporting software to simplify integration with these systems. They currently have integrations with Certify, Chrome River, Concur and Expensify. They will be adding support for Expensya, Happay, Rydoo, Zeno by Serko and Zoho Expense starting in September.

All of this should help business account holders deal with Uber expenses more efficiently, while integrating with many of the leading expense programs to move data smoothly from Uber to a company’s regular record-keeping systems.

Mar 20, 2018

Travis Kalanick is already back running a company with a $150M investment

Travis Kalanick, the former Uber CEO who was shown the door in June last year amid a series of major controversies, has already found his next leading role following his announcement of a new investment fund just weeks ago.

Kalanick said on Twitter that his fund would be investing $150 million to take a controlling interest in City Storage Systems, or CSS. He will also be running the company as CEO, according to Recode. It’s a holding company focused on redevelopment of distressed real estate. Kalanick resigned from Uber after facing a lawsuit with Waymo over trade secrets, an ongoing battle with existing shareholder Benchmark Capital, and the fallout from a harassment probe led by former attorney general Eric Holder. Uber brought on new CEO Dara Khosrowshahi in August last year.

Travis announced that he would be starting a new fund with his windfall from Uber shares sold in its most recent major secondary round. At the time, Kalanick said the new fund — called 10100, or “ten one hundred” — would be geared toward “large-scale job creation,” with investments in real estate, ecommerce, and “emerging innovation in India and China.” CSS has two businesses, CloudKitchens and CloudRetail, which focus on redevelopment of distressed assets in those two areas.

The former is pretty interesting given that Uber has its own food delivery service, UberEats. Should Kalanick’s new venture find ways to acquire distressed food-related real estate — kitchens around a city, for example — there may be a natural overlap with his experience at Uber as it started to explore food. Having massive operating kitchens located in one area with a delivery fleet associated with it is one thing, but having an array of smaller kitchens redeveloped through a company like CSS could provide a kind of distributed network that might make it easier to get food from one kitchen to its delivery in a shorter period of time.

It’s not that we know CSS is focusing on that explicitly, but Amazon also bought a bunch of buildings for $13.7 billion, and now it has a two-hour delivery service in major metropolitan areas. Of course, Travis was shown the door at Uber, so it remains to be seen how this one is going to play out. The Information notes that CSS was owned by a friend of Kalanick’s as well as having a loose connection with Uber.

Sep 14, 2017

Facebook is the latest tech giant to hunt for AI talent in Canada

Facebook is turning its attention to Canada with a new AI research office in Montreal. Google and Microsoft already have outposts in the city and countless other tech companies, including Uber, have researchers based in Canada. McGill University’s Joelle Pineau will be leading Facebook’s AI efforts in Montreal. Pineau’s research focus tends to lean heavily on robotics and…

Aug 15, 2017

Uber debuts new Uber for Business with custom travel programs and rules

Uber is introducing a major revamp of their Uber for Business platform today, the first significant update they’ve done since the enterprise tool’s introduction. The new Uber for Business incorporates a lot of user feedback to provide easy setting of rules to ensure travel policy is followed, as well as group-based access levels and custom program creation. Previously, a lot of…

Jun 29, 2017

Crunch Report | Blue Apron IPO Has A Rocky Start

Crunch Report 6.29: Today’s Stories

Blue Apron IPO off to a rough start
Microsoft confirms Cloudyn acquisition, sources say price is between $50M and $70M
Instagram implements an AI system to fight mean and harassing comments
Uber crosses the 5 billion trip milestone amid ongoing issues
A brief history of the iPhone

Credits
Written and Hosted by: Anthony Ha
Filmed by: Matthew Mauro
Edited by: Joe…

May 02, 2017

Twilio stock plummets as major client Uber distances itself

A good report on revenue wasn’t enough to keep Twilio stock from taking a dive in after-hours trading. What at first glance appeared to be a positive story very quickly devolved into a financial nightmare. Shares in the cloud communications company have fallen 27 percent in after-hours trading.

Apr 20, 2017

Percona Live Featured Session with Casper Kejlberg-Rasmussen: Placing Databases @ Uber

Welcome to another post in the series of Percona Live featured session blogs! In these blogs, we’ll highlight some of the session speakers that will be at this year’s Percona Live conference. We’ll also discuss how these sessions can help you improve your database environment. Make sure to read to the end to get a special Percona Live 2017 registration bonus!

In this Percona Live featured session, we’ll meet Casper Kejlberg-Rasmussen, Software Developer at Uber. His session is Placing Databases @ Uber. Uber has many thousands of MySQL databases running inside of Docker containers on thousands of hosts. When deciding exactly which host a database should run on, it is important that you avoid hosts running databases of the same cluster as the one you are placing, and that you avoid placing all databases of a cluster on the same rack or in the same data center.

I had a chance to talk to Casper about Uber and database placement:

Percona: How did you get into database technology? What do you love about it?

Casper: When I took my Ph.D., my thesis area was about dynamic data structures. During my bachelor, master and Ph.D., I took all the algorithms and data structure classes I could. So it was natural for me to also work with databases in my professional career. Databases are a prime example of a very useful dynamic data structure.

Percona: Your talk is called Placing Database @ Uber. What do you mean by placing databases, and why is it important?

Casper: At Uber, the storage team manages all of Uber’s storage offerings. Our main database technology is an in-house NoSQL database called Schemaless. Schemaless builds on top of MySQL (and we specifically use our own fork of Percona’s MySQL variant, found here in GitHub). We have many thousands of databases that run inside of Docker containers. Whenever we need to create a new Schemaless instance for our internal customers, or we need to add capacity to an existing Schemaless instance, we need to place new Docker containers with Percona Server for MySQL running inside. For our Schemaless instances to be reliable, durable and highly available, we need to place databases in at least two different data centers. We want to avoid placing two databases of the same instance on the same rack or the same host. So consideration needs to be taken when deciding where to place the databases.

Percona: What are some of the conditions that affect where you place databases?

Casper: When we place a database we have to take into account the labels on the hosts we consider. These labels can be which data center or rack the host is part of, or what Clusto (Clusto is an internal hardware management tool we have) pools a host belongs to. This can be a testing, staging or production host, etc. A host also has “relations.” A relation is also a label, but instead of stating facts about the host, a relation states what other databases are running on the host. An example of a relation label is schemaless.instance.mezzanine, which indicates that the host is running a Schemaless database from the Mezzanine instance. Another example is schemaless.cluster.percona-cluster-mezzanine-us1-db01, which indicates that the database is a Schemaless database belonging to the cluster percona-cluster-mezzanine-us1-db01.

Percona: What do you want attendees to take away from your session? Why should they attend?

Casper: I want the attendees to remember that there are three steps when placing a database or any container:

  1. Filter out any host that fails the hard requirements (like not having enough resources) or fails the label or relation requirements (like having databases of the same instance as the one we want to place)
  2. Rank the hosts to select the best one, which can be having a host with the most free space left or having a low number of other databases on it
  3. As time passes and databases consume more resources, we want to relocate databases to other hosts at which it makes more sense to place them.

People should attend my session to see how to get good database placements in a simple way.
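The three steps Casper lists (filter, rank, relocate) are easy to get wrong when the label and relation checks are spread across ad-hoc scripts, so here is a compact placer that applies them to a constructed fleet. This is an added example, not Uber’s or Percona’s code: the host fields, the `Placer` class, the sample host names and sizes, and the rule that cross-datacenter spread is applied as a ranking preference rather than a hard filter are all assumptions; only the `schemaless.instance.*` / `schemaless.cluster.*` label format comes from the interview.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Host:
    name: str
    datacenter: str
    rack: str          # rack id, unique across datacenters (assumed)
    pool: str          # Clusto-style pool label, e.g. "production" or "staging"
    free_gb: int


@dataclass(frozen=True)
class DatabaseSpec:
    instance: str      # Schemaless instance, e.g. "mezzanine"
    cluster: str       # cluster inside that instance
    size_gb: int
    pool: str          # pool the database must run in

    @property
    def labels(self) -> Set[str]:
        # Relation labels in the format the interview describes.
        return {f"schemaless.instance.{self.instance}",
                f"schemaless.cluster.{self.cluster}"}


class Placer:
    """Hypothetical placer implementing the filter / rank / relocate steps."""

    def __init__(self, hosts: List[Host]):
        self.hosts: Dict[str, Host] = {h.name: h for h in hosts}
        self.placed: Dict[str, List[DatabaseSpec]] = defaultdict(list)

    def relations(self, host_name: str) -> Set[str]:
        """A host's relation labels: the union of the labels of the databases on it."""
        return set().union(*(db.labels for db in self.placed[host_name]))

    def _racks_with(self, label: str) -> Set[str]:
        return {self.hosts[n].rack for n in list(self.placed) if label in self.relations(n)}

    def filter_hosts(self, spec: DatabaseSpec, exclude=frozenset()) -> List[Host]:
        """Step 1: drop hosts failing hard, label or relation requirements."""
        inst = f"schemaless.instance.{spec.instance}"
        bad_racks = self._racks_with(inst)
        return [h for h in self.hosts.values()
                if h.name not in exclude
                and h.pool == spec.pool                   # label requirement
                and h.free_gb >= spec.size_gb             # hard resource requirement
                and inst not in self.relations(h.name)    # same instance already on host
                and h.rack not in bad_racks]              # ... or on the same rack

    def rank_hosts(self, candidates: List[Host], spec: DatabaseSpec) -> List[Host]:
        """Step 2: best host first: a datacenter not yet holding this cluster,
        then the most free space, then the fewest databases already placed."""
        clabel = f"schemaless.cluster.{spec.cluster}"
        dcs = {self.hosts[n].datacenter for n in list(self.placed) if clabel in self.relations(n)}
        return sorted(candidates,
                      key=lambda h: (h.datacenter in dcs, -h.free_gb, len(self.placed[h.name])))

    def place(self, spec: DatabaseSpec, exclude=frozenset()) -> Optional[str]:
        ranked = self.rank_hosts(self.filter_hosts(spec, exclude), spec)
        if not ranked:
            return None                                   # no host satisfies the constraints
        host = ranked[0]
        host.free_gb -= spec.size_gb
        self.placed[host.name].append(spec)
        return host.name

    def relocation_candidates(self, min_free_gb: int) -> List[Tuple[str, DatabaseSpec]]:
        """Step 3: databases sitting on hosts whose free space fell below the floor."""
        return [(n, db) for n, dbs in list(self.placed.items())
                if self.hosts[n].free_gb < min_free_gb for db in dbs]

    def relocate(self, host_name: str, spec: DatabaseSpec) -> Optional[str]:
        """Move one database off a host (never back onto it); undo if nowhere fits."""
        self.placed[host_name].remove(spec)
        self.hosts[host_name].free_gb += spec.size_gb
        target = self.place(spec, exclude={host_name})
        if target is None:
            self.placed[host_name].append(spec)
            self.hosts[host_name].free_gb -= spec.size_gb
        return target


def sample_fleet() -> List[Host]:
    # Constructed sample hosts; names, racks and sizes are made up for the demo.
    return [Host("dc1-r1-h1", "dc1", "dc1-r1", "production", 500),
            Host("dc1-r1-h2", "dc1", "dc1-r1", "production", 800),
            Host("dc1-r2-h1", "dc1", "dc1-r2", "production", 300),
            Host("dc2-r1-h1", "dc2", "dc2-r1", "production", 700),
            Host("dc2-r2-h1", "dc2", "dc2-r2", "production", 250),
            Host("dc2-r1-h2", "dc2", "dc2-r1", "staging", 900)]


def demo() -> Tuple[List[Optional[str]], List[Tuple[str, Optional[str]]]]:
    """Place three replicas of one cluster, then relocate anything on a host under 150 GB free."""
    placer = Placer(sample_fleet())
    spec = DatabaseSpec("mezzanine", "percona-cluster-mezzanine-us1-db01", 200, "production")
    placed = [placer.place(spec) for _ in range(3)]
    moves = [(src, placer.relocate(src, db)) for src, db in placer.relocation_candidates(150)]
    return placed, moves


if __name__ == "__main__":
    print(demo())
```

Running `demo()` places the three replicas on `dc1-r1-h2`, `dc2-r1-h1` and `dc1-r2-h1` (two datacenters, three racks), then moves the replica on the nearly full `dc1-r2-h1` to `dc2-r2-h1`. Keeping relations derived from the placement record, rather than stored as mutable host labels, means the filter in step 1 can never see a stale relation.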

Percona: What are you most looking forward to at Percona Live 2017?

Casper: I look forward to hearing about other NoSQL solutions, and hearing about different storage engines for MySQL systems. And of course meeting other exciting people from the database community!

Register for Percona Live Data Performance Conference 2017, and see Casper present Placing Databases @ Uber. Use the code FeaturedTalk and receive $100 off the current registration price!

Percona Live Data Performance Conference 2017 is the premier open source event for the data performance ecosystem. It is the place to be for the open source community, as well as businesses that thrive in the MySQL, NoSQL, cloud, big data and Internet of Things (IoT) marketplaces. Attendees include DBAs, sysadmins, developers, architects, CTOs, CEOs, and vendors from around the world.

The Percona Live Data Performance Conference will be April 24-27, 2017 at the Hyatt Regency Santa Clara and the Santa Clara Convention Center.
