Uber and Under the Breach

Everything you need to know about the Uber data breach, and much more. If you work in information security or privacy, you should read this…

 

Sleep

Darn, I really wanted to sleep, I really did! I had to work on something till late tonight, already got totally upset by 4pm, and when I finally ended it near midnight, I checked Twitter and darn, Uber has been hacked. “What the heck, they fired Joe Sullivan, their head of information security, and Craig Clark, (the?) director of legal? Wow, I must write about it”. Luckily tomorrow I need to wake up earlier than usual. Darn lucky.

But this is important.

Flashback – I think it’s 2013. I’m speaking with Alex Hutton during a BruCON break. At some point Alex tells me something that for some reason got engraved in my mind forever: “If you will not know how to measure risk and communicate it to the board, you will not be CISO for long.”

Darn right.

So here is what we know, according to Bloomberg:

What happened:

Hackers stole the personal data of 57 million customers and drivers. Compromised data from the October 2016 attack included names, email addresses and phone numbers of 50 million Uber riders. Plus, information of 7 million drivers, including some 600,000 U.S. driver’s license numbers. Uber paid $100K to get the data erased.

 

How it happened:

Two attackers accessed a private GitHub coding site used by Uber software engineers and then used login credentials they obtained there to access data stored on an Amazon Web Services account that handled computing tasks for the company. From there, the hackers discovered an archive of rider and driver information. Later, they emailed Uber asking for money, according to the company.
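
An added example, not part of the original post or the Bloomberg report: a minimal pre-commit style scan for hard-coded AWS keys in repository files, the kind of credential exposure the paragraph above describes. It assumes the credentials had the AWS access-key form (the article does not say); the sample repository and the `scan` function are constructed, and the key values are AWS's published documentation placeholders.

```python
import re

# AWS access key IDs are 20 characters: a prefix (AKIA = long-term,
# ASIA = temporary) followed by 16 upper-case alphanumerics.
ACCESS_KEY_ID = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")

# Secret access keys are 40 base64-style characters. To limit false
# positives, only flag them when assigned to a name containing "secret".
SECRET_KEY = re.compile(
    r"(?i)secret[\w.-]*\s*[=:]\s*[\"']?([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+])"
)

# Constructed sample repository (path -> file content). The key values are
# the placeholder credentials from AWS documentation, not real secrets.
SAMPLE_REPO = {
    "deploy/backup.py": (
        "import boto3\n"
        "s3 = boto3.client('s3',\n"
        "    aws_access_key_id='AKIAIOSFODNN7EXAMPLE',\n"
        "    aws_secret_access_key='wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY')\n"
    ),
    # Reading the key from the environment must not be flagged.
    "deploy/safe.py": "import os\nkey = os.environ['AWS_SECRET_ACCESS_KEY']\n",
}


def scan(files):
    """Return (path, line_number, kind, redacted_value) for each finding."""
    findings = []
    for path, text in sorted(files.items()):
        for lineno, line in enumerate(text.splitlines(), start=1):
            for m in ACCESS_KEY_ID.finditer(line):
                findings.append((path, lineno, "access_key_id", m.group(0)[:4] + "..."))
            for m in SECRET_KEY.finditer(line):
                # Redact: a scanner report should never reprint the secret.
                findings.append((path, lineno, "secret_access_key", m.group(1)[:4] + "..."))
    return findings


if __name__ == "__main__":
    for path, lineno, kind, redacted in scan(SAMPLE_REPO):
        print(f"{path}:{lineno}: {kind} {redacted}")
```

Any real finding means the key should be rotated, not just deleted from the file, since it remains in the repository history.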

 

Uber? No way!

This data breach is NOT Equifax redux. Uber is a totally different breed of company. It’s a market breaker, it’s cutting edge in technology, it’s DevOps, it’s container technology and microservices, it’s cloud and buckets, it’s all the things that most senior management in most companies consider “buzzwords”, because they don’t understand anything about them. These are not buzzwords. These are technologies that can kill organisations, might make board members lose their jobs, and will almost certainly cause senior infosec and privacy people to lose their jobs, and not only senior ones.

 

The CISO

The CSO, Joe Sullivan, worked previously at PayPal and eBay, was head of security for Facebook, and surprise, surprise – he knows a lot of red team tricks, which he used throughout his stay at Uber. All the privacy violation programs Uber was running were “spearheaded” by Joe. Uber was very aggressive in its offensive infosec ops. Obviously that focus ignored defensive security, which led to the data breach.

The Board

Obviously Joe didn’t pay 100K from his own pockets, as the article clearly states “Uber paid”. The article states that Joe Sullivan spearheaded the response to the hack last year. As an ex-CISO (bank), if this is not a subject of discussion for a company board, I don’t know what a subject of discussion for a company board should look like. No way this was not under board discussion; it must have involved the CEO, and CIO (CTO), and Legal, and finance, and operations. If not, Uber has a horrible management organisation, with no real governance in place. Which they obviously had till recently. As a reminder, just two months ago Uber agreed to 20 years of privacy audits to settle FTC charges.

Data Privacy

Which brings us to data privacy. The article states “Uber riders around the world”. Let me guess, if I say “Voulez-vous coucher avec moi?” there is a good chance that some of the people who were impacted by this hack as “riders” will be from a certain European country. Does this mean multiple notifications to multiple countries?

 

Lessons & questions to take home

  • Heads first: First of all, it’s a reminder. It’s a reminder that what Alex Hutton said to me a few years ago is true for all of us who work in and/or manage information security or data privacy. It’s a sharp reminder that our heads can find themselves in a guillotine basket if, sorry, when a breach occurs.
  • Survival is Defensive: see my previous post, and scroll down to see the video of Jordan Peterson. Survival in nature is based on defending the known and moving along the unknown path of life. This is why we are wired to react when we see a snake, not when our prefrontal cortex has finished processing to decide if it’s a snake or a wooden stick. Life is an art of staying where you should, not overprotective, and not over-offensive.
  • Smart can be your Achilles’ heel: Joe Sullivan seems to be good at what he does; the dude was on a NIST commission on enhancing national cybersecurity, advising the president! Based on what I had the chance to look at, the guy is most likely smarter than most of the people who will read this post, and for certain smarter than the person who is writing this post. If this guy had invested more in defence rather than aggressive red teaming, he might have been able to prevent this stupid data leakage from occurring. Smart does not mean wise. Which brings me to the next point…
  • Risk: I don’t know if Joe knows about Quant Risk, I guess he must know it. Most of the really smart people I meet know about quantitative risk management, such as FAIR. FAIR is the future right now – the big four are looking into it, RSA is working with RiskLens on it, so if you don’t do quant risk, it’s time to wake up and smell the auditors. If you need to measure cyber risk, please start to plan decommissioning risk heat maps. They are useless in measuring cyber risks.
  • DevOps: I hear some of you think out loud “I told you, DevOps means no security”. Not true, but also true. How did the two get access to the private GitHub repository? If they had security in place this would not have happened, but when speed is more important than anything else, and security is busy on offensive, the back is left vulnerable.
  • GDPR: Can any of us imagine what a data breach such as this, relating to EU citizens, will look like in 2019? Well, I actually can, but this will be the topic for a totally different article, it’s already too late.
  • Awareness: oh, so much to write here, but will keep it to a new … talk perhaps 😊

 

 

Never underestimate

Uber is a very unique company. It decided to play as if regulations and laws don’t apply to them, and they were the best and the worst in many ways. It has a huge customer base, and a huge amount of explaining to do. Some rules and regulations are important. I don’t want to live in a dystopian reality where people work as slaves but are being called “independent drivers”. If there is a valid business model that is not violating the ethical and moral codes of our society I will be happy to support it. If not, unless it changes, I will stop using it. Never underestimate the determination of a tired information security professional…

 

 

Eh’den

© All rights reserved, 2017
