Bug Bounties To Covert Ops: Diving Into One Of 2017’s Biggest Hacks
Dan Gunderman
01/16/2018

The Jan. 15 episode of “Task Force 7 Radio,” hosted by information security executive George Rettas, was quite eventful – shedding light on Uber’s alleged whistleblower letter and its bug bounty program. The latter led to the ultimate termination of the ride-hailing company’s Chief Security Officer Joe Sullivan, and security lawyer Craig Clark.

Monday’s episode, entitled “New News! Uber Wasn’t Hacked?”, continues Rettas’ coverage of the widely reported breach, which led to the exposure of records for 57 million drivers and consumers.

Rettas began the show by continuing to pore over the 37-page redacted letter from former Uber employee Richard Jacobs, which outlines all kinds of questionable practices allegedly carried out by the ride-hailing giant.

A recent story from Recode suggested the value of Uber is sinking. According to the site, at least three Uber shareholders have indicated that their valuations of Uber have been reduced. The company was valued at $69 billion in 2016, but SoftBank purchased hundreds of millions of shares at a $48 billion estimate. That’s a 30% drop-off from the 2016 mark, according to Recode.

Rettas further explained that the Jacobs letter outlined alleged illegal intelligence-gathering operations carried out on a global scale by Uber. Some reportedly included the theft of trade secrets, administered by an internal group called the Marketplace Analytics (MA) Team. The letter suggests that the team existed to acquire competitors’ code bases, competitive intelligence and supply/demand data, and to carry out hacks into competitors’ networks.

“I’d like to know why you need to know vulnerabilities in competitors’ cyber security posture,” Rettas commented.

Another division, called the Strategic Services Group (SSG), allegedly enabled the theft of trade secrets and recruited sources within competitor organizations, according to Jacobs’ commentary. 

Jacobs reportedly alleged that the MA team impersonated others to obtain information to use for Uber’s own platform, and inflate the ultimate valuation of the company.


The letter reportedly outlines the collecting of foreign intelligence – including using covert operatives (given the acronym LAT) to impersonate people over the internet, access closed social media groups and fraudulently gain an advantage.

Further, the SSG allegedly brought in an unknown person to pose as a sympathetic protester against Uber, to gain access to a closed Facebook group, to understand non-public plans and intentions.

On the alleged illegality of these actions, carried out by seasoned security veterans, Rettas said, “I’m not taking anyone’s side here, because I don’t know what the truth is. I’m just providing analysis on this whistleblower letter. But this, quite frankly, is hard for me to believe. It sounds like pretty sensational stuff. I’ve been in this business for a long time. And I’m telling you, it’s hard to swallow.”

Rettas then referenced a New York Times piece detailing Uber’s bounty payment to a hacker nicknamed “Preacher.”

The article reports that Sullivan received an email that appeared to be no different than others he had received in his position. It was believed to be a part of the company’s bug bounty program – which encourages hackers to find weaknesses in the organization. Uber’s eventual payment was celebrated as a rare win, but morphed into a public relations debacle, the article notes. The company’s new CEO, Dara Khosrowshahi, has called it a “failure” that consumers and others affected by the breach were not notified earlier.


The Times’ article draws on two dozen internal Uber emails related to the incident. Sullivan disputed that the episode was a breach, instead believing it to have been an “authorized vulnerability disclosure,” the story notes. It suggests that initially, Sullivan was proud of the company’s engineers for fixing the issue before it was abused.

The Times story suggests that Uber employees left certain code containing access credentials, called “keys,” on the code-hosting site GitHub, which allowed the hacker, “Preacher,” to gain access to Uber’s Amazon web servers, where source code and 57 million driver and consumer accounts were stored.
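The failure mode the Times describes, cloud credentials committed to a public code repository, is one that can be caught before a push. The following scanner is an added example (not from the article, Uber, or any named tool): it flags AWS-style access key IDs and high-entropy secret-key candidates in file text. The constructed sample uses the placeholder key values from AWS’s own documentation, not real credentials.

```python
import re
from collections import Counter
from math import log2

# AWS access key IDs are 20 characters starting with AKIA (long-term) or
# ASIA (temporary); secret access keys are 40 characters of base64-like text.
ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
SECRET_KEY_RE = re.compile(
    r"(?<![A-Za-z0-9/+=])[A-Za-z0-9/+=]{40}(?![A-Za-z0-9/+=])"
)
HEX40_RE = re.compile(r"[0-9a-f]{40}")  # git SHA-1s also have 40 chars; skip them


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random secrets score high, filler low."""
    n = len(s)
    return -sum(c / n * log2(c / n) for c in Counter(s).values())


def scan_text(text: str, min_entropy: float = 4.2):
    """Return (line_number, finding_type, value) for each suspected credential."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append((lineno, "aws_access_key_id", m.group(0)))
        for m in SECRET_KEY_RE.finditer(line):
            token = m.group(0)
            # A 40-char token is only interesting if it looks random and is
            # not simply a hex digest such as a commit hash.
            if HEX40_RE.fullmatch(token) is None and shannon_entropy(token) >= min_entropy:
                findings.append((lineno, "aws_secret_key_candidate", token))
    return findings


# Constructed sample: a config file accidentally staged for commit. The key
# values are the documented AWS example placeholders, not live credentials.
SAMPLE_SOURCE = """# constructed sample: settings file that should never be committed
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
region = us-east-1
"""

if __name__ == "__main__":
    for lineno, kind, value in scan_text(SAMPLE_SOURCE):
        print(f"line {lineno}: {kind}: {value}")
```

Wired into a pre-commit hook that runs over staged files, a non-empty result from `scan_text` is the moment to block the commit and rotate the key.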

The hacker then allegedly demanded high compensation for the findings. Preacher said he’d only accept a six-digit reward.

Rettas drew the line here, saying that in dealings like this, you “don’t know the ethical compass of the people you’re speaking with.”

Uber reportedly told Preacher they’d have to authorize the payment. Eventually, they obtained details about the hacker, including the location of his computer and proof that the data was deleted. The company allegedly offered Preacher a trip to its headquarters in San Francisco. Preacher refused.

Former CEO Travis Kalanick then reportedly signed off on the $100,000 payment. The trail to Preacher later uncovered a 20-year-old who lived in a Florida trailer park with his family. The only identifying information, a first name: Brandon. He refused to meet a company official at a coffee shop and instead received payment inside his home.

On whether Uber broke the law with the payment, Rettas again drew on The Times’ commentary, which notes that the Department of Justice (DOJ) weighed in on bug bounties in 2017, leaving much of it up to the organization.

The “Task Force 7” Radio recap is a weekly feature on the Cyber Security Hub.


Featured Photo Credit (Above): Jirapong Manustrong / Shutterstock.com
