Ex-Uber Security Chief's Trial Continues
Hacker details plot to breach Uber’s data servers
Vasile Mereacre, one of the hackers who stole
personal information from 57 million Uber riders and drivers in a 2016 data
breach, took the stand Monday in the criminal trial of its former head of
security Joseph Sullivan, accused of hiding the breach from the authorities.
When hackers Vasile Mereacre and Brandon Glover teamed up in 2016 and began scouring
Github for exploitable security flaws, they weren’t looking to hack any one
company specifically. But Uber’s lax security quickly made the ride-hail
giant the pair’s top target.
Testifying Monday in former Uber security chief Joe Sullivan’s
criminal obstruction and concealment trial, Mereacre said he and Glover
modeled their hack off others they’d read about in online forums, where stolen
email addresses and passwords were used to access Github, a website where
software developers store and share software code.
Once they gained access to Github, Mereacre and Glover searched the public site
for access keys to Uber company servers, which were hosted by Amazon Web
Services. After a while, they hit the motherlode: an AWS key that unlocked a
“simple storage service,” or S3 folder, containing more than 200 files of
private user data.
Mereacre said he and Glover were "struck" that one of the keys they’d stolen
from Github had actually worked. After all, it wasn’t like they were looking
through an internal company chat; this was the public Github site. He also said
most companies usually change or “rotate” the keys regularly as a routine
security measure.
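The two weaknesses Mereacre describes (a long-lived AWS key committed to a public repository, and keys that were never rotated) are both things a security team can check for mechanically. The following is an added, illustrative example written for this page, not code from the article, from Uber or from any of the people it quotes. It scans text for AWS credential-shaped tokens, the kind of check that runs as a pre-commit hook or a scheduled repository scan, and flags access keys older than a rotation threshold from a list of (key id, creation date) pairs such as IAM's ListAccessKeys returns. The function names, the config snippet and the dates are constructed for the example; the key values are the placeholder pair from AWS's own documentation.

```python
import re
from datetime import datetime, timedelta, timezone

# AWS access key IDs are 20 upper-case alphanumeric characters; long-lived IAM
# user keys begin with "AKIA", temporary STS keys with "ASIA".
AWS_KEY_ID_RE = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")

# Secret access keys are 40 base64-like characters. They are only flagged when
# they sit next to a secret-key-looking variable name, to limit false positives.
AWS_SECRET_RE = re.compile(
    r"(?i)aws(?:_|-)?secret(?:_|-)?(?:access)?(?:_|-)?key\s*[:=]\s*['\"]?([A-Za-z0-9/+=]{40})\b"
)


def find_aws_credentials(text):
    """Return (line_number, kind, value) for every AWS credential-shaped token.

    Hypothetical helper: run it over a commit diff before push, or over every
    file in a repository on a schedule, and block or alert on any finding."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in AWS_KEY_ID_RE.finditer(line):
            findings.append((lineno, "access_key_id", m.group(1)))
        for m in AWS_SECRET_RE.finditer(line):
            findings.append((lineno, "secret_access_key", m.group(1)))
    return findings


def keys_due_for_rotation(keys, now, max_age_days=90):
    """Given (key_id, created_at) pairs, return the key ids older than max_age_days.

    Hypothetical helper: the input is the shape you would build from an IAM
    access-key listing; a non-empty result is a rotation ticket."""
    cutoff = now - timedelta(days=max_age_days)
    return [key_id for key_id, created in keys if created < cutoff]


# Constructed sample: a credentials file a developer might accidentally commit.
# The values are the documented AWS placeholder pair, not real credentials.
SAMPLE_CONFIG = """\
[default]
region = us-east-1
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
"""


def sample_rotation_check():
    """Constructed example: two keys, one created eight months before the check."""
    now = datetime(2016, 11, 1, tzinfo=timezone.utc)
    keys = [
        ("AKIAIOSFODNN7EXAMPLE", datetime(2016, 3, 1, tzinfo=timezone.utc)),
        ("AKIAI44QH8DHBEXAMPLE", datetime(2016, 10, 1, tzinfo=timezone.utc)),
    ]
    return keys_due_for_rotation(keys, now)


if __name__ == "__main__":
    for lineno, kind, value in find_aws_credentials(SAMPLE_CONFIG):
        # Print only the ends of the value so the scanner's own output
        # does not become another copy of the secret.
        print(f"line {lineno}: {kind} {value[:4]}...{value[-4:]}")
    print("due for rotation:", sample_rotation_check())
```

Pattern scanning catches the easy case (a key in a config file or source comment); it does not catch a key that is only in a container image or a build log, so the rotation check is the backstop that bounds how long any leaked key stays usable.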
“I guess they would have better security, but Uber did not,” Mereacre said. He
and Glover then downloaded the data, consisting of the names, email addresses
and phone numbers of 57 million app users, along with 600,000 driver’s license
numbers.
They then decided to contact Uber and demand a ransom. "We thought to reach
out to Uber to see if we could get some money out of it," Mereacre said.
Mereacre used the pseudonym “John Doughs” in his email to security chief Joe
Sullivan. “We didn't want our identities to be public because of the way we'd
gotten the data and downloaded it,” Mereacre said. “The process was illegal.”
His email read: “Hello Joe. I have found a major vulnerability in uber I was
able to dump uber database and many other things.”
Sullivan did not handle the breach on his own, though he alone stands accused
of concealing the breach from authorities and obstructing an
investigation by the Federal Trade Commission into Uber’s security practices.
Aside from his initial email to Sullivan, Mereacre communicated almost
exclusively with Rob Fletcher, a member of the company's security response team.
Though Fletcher’s name was on the emails, he said his team collaborated on their
creation.
Fletcher testified Monday that he and his team originally thought the email from
“John Doughs” was a hoax. It wasn’t an unreasonable conclusion; Fletcher ran
the company’s “bug bounty” program where hackers (companies prefer to call them
researchers) are paid to search for and report security flaws. He said most
of the so-called bugs that get reported are “junk.”
Prosecutors showed the jury an early message Fletcher sent colleague Collin Greene that
showed his early assessment of the situation: “lol Can almost guarantee this
is bullshit but will continue to keep you looped in :).”
But a lengthy string of emails between Fletcher and John Doughs revealed the
gravity of the situation as it unfolded. Fletcher asked Doughs to show him
some proof, and asked him to interact through the bug bounty program Uber ran in
partnership with the site HackerOne.
Mereacre, still going by Doughs, responded with a sample of Fletcher’s own
downloaded data.
Fletcher replied: "Cool some of the values do look concerning- we most
certain pay bounties for qualifying reports. In order to validate the issue,
can produce reproduction steps?”
But Mereacre wasn’t taking the bait. Under questioning from Assistant U.S.
Attorney Andrew Dawson, he said he and Glover were looking for a big payout.
“Was it your intent to extort Uber?” Dawson asked, to which Mereacre
answered, “Yes.”
Early emails to Fletcher indicate a threatening bent. "Before we continue, I
want to ask how much are you guys willing to pay for this?” Mereacre wrote.
“It's not a vulnerability, it s a lack of security. And
this lack of security causes [sic] for all the data to be exposed.”
But just to play along, Mereacre created an account on HackerOne, though he said
that on skimming the guidelines, it didn’t appear to him that his hack would
qualify since he and Glover had already stolen data.
He also scolded Uber, via an email to Fletcher, about the company’s
carelessness with passwords, specifically its lack of two-factor authentication
and its negligent leak of an AWS key on a public site. “Uber should have
mandatory 2 step authentication on GitHub,” he wrote. "ALL INTERNAL data was
able to downloaded and seen. Your security steps are very poorly done, the lack
of negligence [sic] and care here is zero to none. Your employees are careless
and don’t care about security.”
He said he and his “team” also breached servers owned by Stubhub, Seatgeek, and
Lynda.com, an online learning company now owned by LinkedIn.
When Fletcher informed Mereacre that the maximum “bounty” Uber typically pays
is only $10,000, Mereacre pushed back, writing, “Our team will not disclose
this vulnerability for 10k. Our minimum is six digits.”
Four days after the hack, Fletcher wrote to Mereacre that he was able to get
approval for a $100,000 bounty, with one caveat. “With a case like this, we
have a confidentiality form that needs to be singed by you and your team. It
essentially states that you've deleted all the data and agree not discuss this
publicly. I've signed it and submitted it . . . . can you provide mail addresses
for the other members of your team so I can get a copy to them as well? After
that, Hacker one will release payment and I think we can call this closed out.”
Both Mereacre and Glover received copies of a nondisclosure agreement, in which
they falsely attested that they did not download or store any data. They both
signed the agreement using fake names — Mereacre with his John Doughs pseudonym,
Glover as “Scott Wilson.”
“Unfortunately, our legal team said I can't pay out to John Doughs since we get
audited for compliance with 'OFAC and bribery laws' and can't just send $100k
into the wild,” Fletcher wrote back. “They said you should be ok with signing
your real name.”
“I kind of had a feeling at the time that they wouldn't buy the John Doughs
name,” Mereacre told the jury. So he signed a second NDA as “William Loafman.”
The subterfuge made it difficult for Mereacre to collect the bounty. First, the
cryptocurrency exchange Coinbase flagged the payment as fraudulent because it
was too high. And HackerOne required Mereacre and Glover to submit tax forms and
other information to verify their real identities. Mereacre asked Fletcher if
they could bypass the HackerOne program. An email he sent Fletcher on Nov. 29
said, “I would very much appreciate it if came from you guys rather than hacker
one. They require a lot of information I don't have (and then it goes to
Coinbase they are known to hold money for a long time) Other companies that
likes [sic] to ask for every single detail.”
By Dec. 5, Mereacre was getting antsy. He wrote Fletcher, “Please keep in
mind, that the contract states, ‘all data will be deleted once the money is
paid'. The ball is in your court. Will leave my bitcoin address in this
message and you will have to speak with upper manager on what you guys decide to
do.”
Mereacre told the jury, “I was saying we still have possession of the data and
we'd like to get paid or else.”
On Dec. 7, Fletcher replied, “Hey, I think we've got some movement. We think we
we can get hacker one to release it if we sign off it based on our contract.”
By Dec. 8, Mereacre had the money. In early January, Glover received an email
from Mat Henley, another member of Uber’s security team. “Hey Brandon, I wanted
to reach out now that the holidays are over to circle back on your bounty,”
Henley wrote. "I definitely appreciated the help from you guys. It was a great
catch, and it's a perfect example of the value that the program bring to both us
and the security community. I’m sure it was a great way to kick off your
Christmas:)”
Quickly changing his breezy tone, Henley then asked Glover and Mereacre to sign
fresh NDAs with their actual names and indicated he knew that Mereacre is
originally from Moldova and now lives in Toronto. He added, “I happen to have
one of my team members down in Florida right now and he will meet who you
tomorrow to get the contact signed.”
“Our first reaction was how were they able to find us?” Mereacre testified. "We
were dumbstruck — just the amount of information they had on us.”
Fletcher testified that Uber’s security team had used the bug bounty program
as a way to find out their real identities, though the company ultimately
decided not to pursue legal action. The process was painstaking.
“We're not closer to attribution,” Henley wrote in a message to Fletcher at one
point. "It's becoming clear we're not dealing with a novice. We’re paying now
and continuing attribution, I think risk of a dump is high if we don't."
In December, Fletcher asked Henley if Uber’s “end goal” was to get the hacker
arrested or just get him to go away.
“The end goal is not to arrest him . . . but we really need to find him because
he could dump just to be an ass,” Henley replied. “We're feeling really
incompetent right now, it's very frustrating.”
Under cross-examination by Sullivan’s attorney Tyler Francis, Fletcher said the
email negotiations with John Doughs were all part of Uber’s grand scheme to
stall the hackers while Henley hunted them down.
The plan seemed to work. Mereacre said he met Uber’s chief legal counsel at a
hotel in downtown Toronto to sign the forms. A year later, the hackers were
arrested. They agreed to cooperate in exchange for a reduced sentence.
Sullivan was fired in 2017 for mishandling the incident, and was charged in 2020
with one count of obstruction and one count of hiding a felony from authorities
in what’s said to be the first example of a security chief being prosecuted
over a data breach. courthousenews.com
Here's the Daily's previous coverage on the Uber case:
September 9, 2022: Lawyers for Uber's Ex-Security Chief Say Company Scapegoated Him
September 7, 2022: As Ex-Uber CSO Heads to Trial, the Security Community Reels
August 4, 2022: Fraud charges in hacking case against Uber ex-security chief are dismissed
July 26, 2022: Uber admits massive 2016 data breach coverup, cooperates with feds
April 28, 2022: Former Uber Chief Security Officer To Face Wire Fraud Charges
August 24, 2020: Watch: Former Uber CSO Charged With Covering Up 2016 Data Breach
August 21, 2020: Former Chief Security Officer For Uber Charged With Obstruction Of Justice
September 27, 2018: Uber Fined $148 Million for Breach Cover-Up
February 7, 2018: Uber Paid Hackers $100K to Destroy Stolen Data on 57M people, Keep Quiet
December 1, 2017: Three Uber security managers resign after CEO criticizes practices