SAN FRANCISCO (CN) — After toiling for weeks to identify the two hackers who had breached Uber's Amazon web server and stolen data belonging to 57 million app users, finding out that one was Brandon Glover from Winter Springs, Florida, marked a triumphant moment for security engineer Mat Henley.
The email Henley sent Glover on Jan. 2, 2017 felt especially satisfying.
“Hey Brandon,” he wrote. “I wanted to reach out now that the holidays are over to circle back on your bounty. I definitely appreciated the help from you guys. It was a great catch, and it's a perfect example of the value that the program brings to both us and the security community. I’m sure it was a great way to kick off your Christmas:0”
“I wanted him to know he was no longer anonymous. I knew who he was,” Henley said on the stand Wednesday in the criminal trial of his former boss Joe Sullivan, whom prosecutors say hid the breach from regulators. Sullivan stands accused of both obstruction and concealing a felony from law enforcement.
Henley worked directly under Sullivan as an attribution researcher, a job he described as “going after the bad guys and convincing them to stop doing whatever the threat is.”
He described Sullivan as a highly ethical, trustworthy, and well-respected leader in the infosec community. The two had worked together for years, at Uber, Facebook, and eBay. “He is one of the most honest and ethical people I know and have worked with,” Henley said.
The data breach ordeal began when Glover’s partner, Vasile Mereacre, reached out to Uber under the pseudonym “John Doughs” and demanded a six-figure payment.
Henley and his security team emailed back and forth with John Doughs throughout November 2016, trying to stall him while they worked to suss out his real identity and location. Security engineer Rob Fletcher handled the communication, though Henley said he helped write some of the emails.
The team knew that Doughs had accessed an Amazon “simple storage service” bucket, or folder, containing more than 200 files of private user data, including email addresses, names and phone numbers, along with 600,000 driver’s license numbers. He got into the server by first infiltrating GitHub, a website where software developers store and share software code.
“The way they get into GitHub was through reusable breached data sets,” Henley explained on the stand. “LinkedIn had a notorious breach, and all of their data was dumped.”
The hackers took already-compromised sign-in credentials available online, and tried them on GitHub to see if any Uber employees were still using the same email addresses and passwords. “They in turn used that same email address and password to log in to GitHub. That's what happened to us,” Henley said.
Once in GitHub, they found a key that would give them access to the Amazon data storage, or S3 bucket. It was a very simple security flaw, but one for which Uber would pay dearly.
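The flaw Henley describes, an AWS key sitting in source code, is the kind of thing a repository secret scanner is meant to catch before a push. The scanner below is an added illustration for this article, not Uber's tooling; the key formats are AWS's documented placeholder credentials, and the config file it scans is constructed.

```python
import math
import re

# Constructed sample of a committed config file. The two keys are the
# placeholder credentials AWS uses in its own documentation, not real ones.
SAMPLE_FILE = """\
# storage.cfg (constructed example)
S3_BUCKET = user-exports
AWS_ACCESS_KEY_ID = AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
REGION = us-east-1
NOTE = long but low-entropy token aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
"""

# AWS access key IDs start with "AKIA" followed by 16 upper-case alphanumerics.
ACCESS_KEY_RE = re.compile(r"\b(AKIA[0-9A-Z]{16})\b")
# Secret access keys are 40 characters from the base64-like alphabet; the
# lookarounds stop a match from starting or ending inside a longer token.
SECRET_CANDIDATE_RE = re.compile(
    r"(?<![A-Za-z0-9/+=])([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)


def shannon_entropy(s):
    """Bits of entropy per character; real secrets score high, filler does not."""
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def scan_text(text, entropy_threshold=3.5):
    """Return (line_number, kind, value) for every credential-looking token.

    The access-key pattern is specific enough to report on its own; a 40-char
    secret candidate is only reported when its entropy clears the threshold,
    which drops padding strings that merely happen to be 40 characters long.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append((lineno, "aws_access_key_id", m.group(1)))
        for m in SECRET_CANDIDATE_RE.finditer(line):
            candidate = m.group(1)
            if shannon_entropy(candidate) >= entropy_threshold:
                findings.append((lineno, "aws_secret_access_key", candidate))
    return findings


if __name__ == "__main__":
    for lineno, kind, value in scan_text(SAMPLE_FILE):
        print(f"line {lineno}: {kind} = {value[:4]}...{value[-4:]}")
```

Run as a pre-commit hook over staged files, the same logic blocks the commit that would otherwise publish the key.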
“[h]ow much are you guys willing to pay for this?” Doughs, who was really Mereacre, had asked in an email to Fletcher.
Uber often paid “researchers” who found and reported security vulnerabilities through its bug bounty program with HackerOne. The company usually paid a maximum bounty of $10,000, but they made an exception in this case and paid out $100,000 in two installments.
Henley explained that by getting the hackers to electronically sign a nondisclosure agreement, Uber had a good chance of finding an IP address.
Though the hackers had disguised their location by laundering their IP address through a virtual private network, the NDA they signed through AdobeSign revealed one IP address that did not appear to have been rotated.
This IP address was owned by a cloud hosting provider located in West Palm Beach, Florida called Cloud South.