Uber and Under the Breach
Everything you need to know about the Uber data breach, why Uber is the Chris Brown of the cyber economy, and much more...
[Updated 23rd Nov 2017 - see the "Cover-up?" section + afterthoughts]
Sleep
Darn, I really wanted to sleep, I really did! I had to work on something till late tonight, already got totally upset by 4pm, and when I finally ended it near midnight, I checked twitter and darn, Uber had been hacked. “What the heck, they fired Joe Sullivan, their head of information security, and Craig Clark, (the?) director of legal? Wow, I must write about it”. Luckily tomorrow I need to wake up earlier than usual. Darn lucky.
But this is important.
Flashback – I think it’s 2013. I’m speaking with Alex Hutton during a BruCON break. At some point Alex tells me something that for some reason got engraved in my mind forever: “If you don’t know how to measure risk and communicate it to the board, you will not be CISO for long.”
Darn right.
So here is what we know, according to Bloomberg:
What happened:
Hackers stole the personal data of 57 million customers and drivers. Compromised data from the October 2016 attack included names, email addresses and phone numbers of 50 million Uber riders. Plus, information of 7 million drivers, including some 600,000 U.S. driver’s license numbers. Uber paid $100K to get the data erased.
How it happened:
Two attackers accessed a private GitHub coding site used by Uber software engineers and then used login credentials they obtained there to access data stored on an Amazon Web Services account that handled computing tasks for the company. From there, the hackers discovered an archive of rider and driver information. Later, they emailed Uber asking for money, according to the company.
Uber? No way!
This data breach is NOT Equifax redux. Uber is a totally different breed of company. It’s a market breaker, it’s cutting edge in technology, it’s DevOps, it’s container technology and microservices, it’s cloud and buckets, it’s all the things that most senior management in most companies consider “buzzwords”, because they don’t understand anything about them. These are not buzzwords. These are technologies that can kill organisations, might make board members lose their jobs, and will almost certainly cause senior infosec and privacy people to lose their jobs, and not only senior ones.
The CISO
The CSO, Joe Sullivan, worked previously at PayPal and eBay, was head of security for Facebook, and surprise, surprise – he knows a lot of red team tricks, which he used throughout his stay at Uber. All the privacy violation programs Uber was running were “spearheaded” by Joe. Uber was very aggressive in its offensive infosec ops. Obviously that focus ignored defensive security, which led to the data breach.
The Board
Obviously Joe didn’t pay $100K from his own pockets, as the article clearly states “Uber paid”. The article states that Joe Sullivan spearheaded the response to the hack last year. As an ex CISO (bank), if this is not a subject of discussion for a company board, I don’t know what a subject of discussion for a company board should look like. No way this was not discussed at board level; it must have involved the CEO, the CIO (CTO), legal, finance and operations. If not, Uber has a horrible management organisation, with no real governance in place. Which is obviously the state they were in until recently. As a reminder, just two months ago Uber agreed to 20 years of privacy audits to settle FTC charges.
Cover-up?
A Reuters report claimed the following:
A board committee had investigated the breach and concluded that neither Kalanick nor Salle Yoo, Uber’s general counsel at the time, were involved in the cover-up, another person familiar with the issue said. The person did not say when the probe took place.
That is interesting. What could have happened is that two people (according to the report) scanned Uber properties, found the GitHub repositories, used the credentials, downloaded the information, and then contacted Uber and demanded an award for their actions. I guess that the CSO had Craig Clark authorise for him a $100K payment to these people.
Let's assume we believe this imaginary story. There are SO many problems with it:
First, I want to say wow on behalf of all other CISOs around the world that we envy a CSO who can throw away $100K. There are enough CISOs out there who don't even have a budget of $100K.
More importantly - a CSO who can get a $100K payment to individuals without anyone at finance contacting them asking what the heck is going on? That's a neon sign the size of the "Hollywood" sign, flashing in red, with sirens that can be heard by a deaf person. If this is true, Uber has no real corporate governance in place, period.
Last point - "a probe" by a board committee - so let me get this right - you ask the people who are most likely to be framed by an investigation to perform the investigation, and you want us to accept the results? Thanks, but I don't buy it. If the boot fits... [youtube https://www.youtube.com/watch?v=S4g0OuGo38U]
Data Privacy
Which brings us to data privacy. The article states “Uber riders around the world”. Let me guess: if I say “Voulez-vous coucher avec moi?” there is a good chance that some of the people who were impacted by this hack as “riders” will be from a certain European country. Does this mean multiple notifications to multiple countries?
Lessons & questions to take home
Heads first:
First of all, it's a reminder. It’s a reminder that what Alex Hutton said to me a few years ago is true for all of us who work in and/or manage information security or data privacy. It’s a sharp reminder that our heads can find themselves in a guillotine basket if, sorry, when a breach occurs.
Survival is Defensive: see my previous post, and scroll down to see the video of Jordan Peterson. Survival in nature is based on defence of the known and moving along the unknown path of life. This is why we are wired to react when we see a snake, not when our prefrontal cortex has finished processing to decide if it’s a snake or a wooden stick. Life is an art of staying where you should, not over protective, and not over offensive.
Smart can be your Achilles' heel: Joe Sullivan seems to be good at what he does; the dude was on a NIST commission on enhancing national cybersecurity, advising the president! Based on what I had the chance to look at, the guy is most likely smarter than most of the people who will read this post, and for certain smarter than the person who is writing this post. If this guy had invested more in defence rather than an aggressive red team he might have been able to prevent this stupid data leakage from occurring. Smart does not mean wise. Which brings me to the next point…
Risk: I don’t know if Joe knows about quant risk; I guess he must. Most of the really smart people I meet know about quantitative risk management, such as FAIR. FAIR is the future right now - the big four are looking into it, RSA is working with RiskLens on it, so if you don’t do quant risk, it’s time to wake up and smell the auditors. If you need to measure cyber risk, please start planning the decommissioning of your risk heat maps. They are useless for measuring cyber risk.
DevOps: I hear some of you think out loud “I told you, DevOps means no security”. Not true, but also true. How did the two get access to the private GitHub repository? If they had security in place this would not have happened, but when speed is more important than anything else, and security is busy on offence, the back is left vulnerable.
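Two of the lessons above lend themselves to worked examples, added here and not part of the original post or of anything Uber runs.

The first is what "quant risk" looks like in practice instead of a heat-map cell: a small FAIR-style Monte Carlo simulation of one loss scenario, the kind the post says auditors will soon expect. The scenario values (0.5 loss events per year; loss per event between $100K and $2M at 90% confidence) are constructed for illustration, not figures from the article, and the lognormal calibration from a 5th/95th percentile pair is one common modelling choice, not the only one.

```python
import math
import random

# Constructed scenario (illustrative values, not figures from the article):
# a calibrated 90% confidence range of the kind FAIR analyses collect.
SCENARIO = {
    "name": "credentials leaked from a source repository reach cloud storage",
    "lef_per_year": 0.5,           # expected loss events per year (Poisson rate)
    "loss_low_usd": 100_000.0,     # 5th percentile of loss magnitude per event
    "loss_high_usd": 2_000_000.0,  # 95th percentile of loss magnitude per event
}

Z_90 = 1.645  # z-score bounding a two-sided 90% interval of a normal


def lognormal_params(low, high):
    """Turn a 5th/95th percentile pair into lognormal (mu, sigma)."""
    ln_low, ln_high = math.log(low), math.log(high)
    mu = (ln_low + ln_high) / 2.0
    sigma = (ln_high - ln_low) / (2.0 * Z_90)
    return mu, sigma


def poisson_sample(lam, rng):
    """Knuth's algorithm: number of events in one year at rate lam."""
    limit = math.exp(-lam)
    count, prod = 0, 1.0
    while True:
        prod *= rng.random()
        if prod <= limit:
            return count
        count += 1


def percentile(sorted_values, p):
    """Nearest-rank percentile over an already sorted list."""
    idx = int(round(p * (len(sorted_values) - 1)))
    return sorted_values[idx]


def simulate_annual_loss(scenario, years=10_000, seed=1,
                         exceedance_threshold=1_000_000.0):
    """Simulate `years` of losses; return the annualised loss distribution summary."""
    rng = random.Random(seed)  # seeded so results are reproducible
    mu, sigma = lognormal_params(scenario["loss_low_usd"], scenario["loss_high_usd"])
    annual = []
    for _ in range(years):
        events = poisson_sample(scenario["lef_per_year"], rng)
        annual.append(sum(rng.lognormvariate(mu, sigma) for _ in range(events)))
    annual.sort()
    return {
        "mean": sum(annual) / years,
        "median": percentile(annual, 0.50),
        "p95": percentile(annual, 0.95),
        # probability that a single year's loss exceeds the threshold
        "p_exceed": sum(1 for x in annual if x > exceedance_threshold) / years,
        "years": years,
    }


if __name__ == "__main__":
    stats = simulate_annual_loss(SCENARIO)
    print(f"Scenario: {SCENARIO['name']}")
    print(f"Expected annual loss: ${stats['mean']:,.0f}")
    print(f"Median year: ${stats['median']:,.0f}   95th percentile year: ${stats['p95']:,.0f}")
    print(f"P(annual loss > $1M): {stats['p_exceed']:.1%}")
```

The output is the point the post makes about heat maps: a "medium likelihood, high impact" cell cannot tell a board that most years cost nothing while one year in twenty costs well over a million, and it gives finance nothing to reserve against.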
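The second example is the check that would have answered "how did the two get access?": the article says the attackers found credentials in a private GitHub repository and reused them against AWS, so the defensive control is scanning commits for credentials before they ever land in a repository. The scanner below is an added illustration (not Uber's tooling, not any particular product); the file contents are constructed, and the key values are the publicly documented AWS example keys rather than real secrets. It combines a fixed pattern for AWS access key IDs with a keyword-plus-entropy rule for secrets, and shows the edge case of a low-entropy placeholder that should not fire.

```python
import math
import re
import sys

# Constructed "staged files" as a pre-commit hook would see them.
# The key values are AWS's documented example credentials, not real ones.
SAMPLE_FILES = {
    "config/settings.py": (
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
        'AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n'
    ),
    "tests/fixtures.py": 'PASSWORD = "aaaaaaaaaaaaaaaaaaaaaaaa"\n',  # placeholder, low entropy
    "README.md": "Run `make deploy` after exporting your credentials from the vault.\n",
}

# AWS access key IDs have a fixed, recognisable shape: AKIA + 16 uppercase/digits.
ACCESS_KEY_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")

# name = "value" assignments whose name suggests a secret and whose value is long.
ASSIGNMENT_RE = re.compile(
    r"""(?i)\b(?P<name>[A-Z0-9_]*(?:secret|password|passwd|token)[A-Z0-9_]*)"""
    r"""\s*[=:]\s*["']?(?P<value>[A-Za-z0-9/+_\-]{20,})["']?"""
)
ENTROPY_THRESHOLD = 3.5  # bits per character; random 40-char keys score well above this


def shannon_entropy(text):
    """Bits of entropy per character of `text` (0.0 for repeated characters)."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def redact(value):
    """Never echo a candidate secret back in full."""
    return value[:4] + "..." + value[-2:]


def scan_text(path, text):
    """Return findings for one file's contents."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in ACCESS_KEY_RE.finditer(line):
            findings.append({"path": path, "line": line_no,
                             "kind": "aws_access_key_id", "sample": redact(match.group(0))})
        for match in ASSIGNMENT_RE.finditer(line):
            value = match.group("value")
            # Keyword alone is not enough: skip obvious placeholders like "aaaa..."
            if shannon_entropy(value) >= ENTROPY_THRESHOLD:
                findings.append({"path": path, "line": line_no,
                                 "kind": "high_entropy_secret", "sample": redact(value)})
    return findings


def scan_repo_files(files):
    """Scan a {path: contents} mapping, e.g. the files staged for a commit."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


def pre_commit_exit_code(files):
    """1 blocks the commit (hook convention), 0 lets it through."""
    findings = scan_repo_files(files)
    for f in findings:
        print(f"{f['path']}:{f['line']}: {f['kind']} ({f['sample']})", file=sys.stderr)
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(pre_commit_exit_code(SAMPLE_FILES))
```

Wired into a pre-commit or CI step, this catches the cheap case (a credential pasted into a config file) before it reaches the repository; it does not replace short-lived credentials and least-privilege roles on the cloud side, which are what limit the damage when a key does leak anyway.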
GDPR: Can any of us imagine how a data breach such as this, relating to EU citizens, will look in 2019? Well, I actually can, but that will be the topic of a totally different article; it’s already too late.
Awareness: oh, so much to write here, but will keep it to a new ... talk perhaps 😊
Never underestimate
Uber is a very unique company. It decided to play as if regulations and laws don’t apply to it, and it was the best and the worst in many ways. It has a huge customer base, and a huge amount of explaining to do. Some rules and regulations are important. I don’t want to live in a dystopian reality where people work as slaves but are called “independent drivers”. If there is a valid business model that does not violate the ethical and moral codes of our society I will be happy to support it. If not, unless it changes, I will stop using it. Never underestimate the determination of a tired information security professional…
Afterthoughts
The more I think about it, the more it feels that Uber is the Chris Brown of the cyber economy. The same way Chris was kicking the living hell out of Rihanna, Uber has been molesting us, our privacy, our laws, but we don't do anything about it. Would we stay in a relationship with it until we look like this?
Sure feels like that.
OK. enough said. Let the music play...
[youtube https://www.youtube.com/watch?v=WHXxPrBoIcc]
Eh'den
© All rights reserved, 2017