Thursday, September 29, 2022 | Back issues
Courthouse News Service Courthouse News Service

Former Uber security chief details hunt for hackers behind 2016 data breach

On the stand Wednesday in the criminal trial of his former boss, former Uber security chief Mat Henley described how his team found the two hackers who stole private user data in 2016.

SAN FRANCISCO (CN) — After toiling for weeks to identify the two hackers who had breached Uber's Amazon web server and stole data belonging to 57 million app users, finding out that one was Brandon Glover from Winter Springs, Florida, marked a triumphant moment for security engineer Mat Henley.

The email Henley sent Glover on Jan. 2, 2017 felt especially satisfying.

"Hey Brandon,” he wrote. “I wanted to reach out now that the holidays are over to circle back on your bounty. I definitely appreciated the help from you guys. It was a great catch, and it's a perfect example of the value that the program brings to both us and the security community. I’m sure it was a great way to kick off your Christmas:0”

"I wanted him to know he was no longer anonymous. I knew who he was,” Henley said on the stand Wednesday in the criminal trial of his former boss Joe Sullivan, whom prosecutors say hid the breach from regulators. Sullivan stands accused of both obstruction and concealing a felony from law enforcement.

Henley worked directly under Sullivan as an attribution researcher, a job he described as “going after the bad guys and convincing them to stop doing whatever the threat is.”

He described Sullivan as a highly ethical, trustworthy, and well-respected leader in the infosec community. The two had worked together for years— at Uber, Facebook, and eBay. “He is one of the most honest and ethical people I know and have worked with," Henley said.

The data breach ordeal began when Glover’s partner, Vasile Mereacre, reached out to Uber under the pseudonym “John Doughs” and demanded a six-figure payment.

Henley and his security team emailed back and forth with John Doughs throughout November 2016 , trying to stall him while they worked to suss out his real identity and location. Security engineer Rob Fletcher handled the communication, though Henley said he helped write some of the emails.

The team knew that Doughs had accessed an Amazon "simple storage service” bucket, or folder, containing more than 200 files of private user data, including email addresses, names and phone numbers, along with 600,000 driver’s license numbers. He got into the server by first infiltrating GitHub, a website where software developers store and share software code.

“The way they get into Github was through reusable beached data sets,” Henley explained on the stand. “Linkedin had a notorious breach, and all of their data was dumped.”

The hackers took already-compromised sign-in credentials available online, and tried them on Github to see if any Uber employees were still using the same email addresses and passwords. “They in turn used that same email address and password to log in to GitHub. That's what happened to us," Henley said.

Once in GitHub, they found a key that would give them access to the Amazon data storage, or S3 bucket. It was a very simple security flaw, but one for which Uber would pay dearly.

“[h]ow much are you guys willing to pay for this?” Doughs, who was really Mereacre, had asked in an email to Fletcher.

Uber often paid “researchers” who found and reported security vulnerabilities through its bug bounty program with HackerOne. The company usually paid a maximum bounty of $10,000, but they made an exception in this case and paid out $100,000 in two installments.

Henley explained that by getting the hackers to electronically sign a nondisclosure agreement, Uber had a good chance of finding an IP address.

Though the hackers had disguised their location by laundering their IP address through a virtual private network, the NDA they signed through AdobeSign revealed one IP address that did not appear to have been rotated.
This IP address was owned by a cloud hosting provider located in West Palm Beach, Florida called Cloud South.

ADVERTISEMENT

Cloud South said it couldn’t give Uber details on the owner of the virtual private server without giving them 48 hours notice. But two days later, they revealed the name. “It was a gentleman in India,” Henley said. “We did a lot of high-fiving. We thought this is our guy.”

It wasn’t. The guy in India turned out to be an engineer who ran a small VPS hosting service. But the traffic Uber was seeing came from one customer with the registered email address [email protected]

Liquid Sigma had been careful to not leave any digital breadcrumbs, but in Feb. 2015, Liquid Sigma had posted a bounty on the InsidePro hacker forum for a password hash to be cracked. The person who cracked it and claimed the bounty had posted his Bitcoin wallet in his signature, and by running it through a public blockchain, Henley said he was able to find the transaction.

Henley then took Liquid Sigma’s Bitcoin wallet and ran it through a publicly available dump of “bitcoin addresses, the email addresses they registered with, and some IP addresses.”

From there, they found an email address tied to Liquid Sigma’s Bitcoin wallet. clockwize0gmail.com. “That's what got us into the world of Brandon,” Henley said.
By December 16, Henley had Brandon's name and an address in Winter Springs, Florida.

Henley said he wanted to get Glover to sign the NDA with his real name, so he sent Glover an email, letting him know, as Henley put it Wednesday “that the jig was up.”

“It was the most favorite email I've ever been able to send in my life,” Henley said.

Uber sent Ed Russo to interview Mereacre in Toronto. “Ed is a 25 year veteran law enforcement person who does interviews and interrogations as a job and hobby,” Henley said.
Henley added, “It quickly became apparent after meeting them that every bit of brain was in Florida. And the loud, obnoxious emails were all coming out of Toronto.”

Russo's report characterized Mereacre as cooperative and polite, if somewhat cocky. “Subject said there was no malicious intent behind what he and BG did when they hacked into and seized the company’s information," he wrote. “He thought he could do a good deed by pointing out a vulnerability to the company while being paid for his efforts.”

Russo added, “The two of them were surprised to find out how easy it was to hack into our company and others, including StubHub, Angie’s List, and others. Having not donee this before they did not know how to handle the situation.”

Russo also wrote that Glover and Mereacre were worried the company would repair the breach without compensating them
“The subject and BG also feared the company would not only not pay them for their service, but pursue legal and civil action. For this reason they concocted elaborate scheme to conceal their identities and location.”

Henley said he trusted Russo’s assessment because “He's the best [interviewer],” Henley said. “He taught it at Quantico.”
Though Uber was confident the data had been deleted and the matter resolved, Sullivan was fired in November 2017 by CEO Dara Khosrowshahi, who had just taken over from Travis Kalanick.

Sullivan’s defense lawyers have argued that Khosrowshahi wanted Sullivan out because the data breach would have tarnished its legacy before it even got started.

Khosrowshahi testified last week that he fired Sullivan because he did not think he could trust him, since Sullivan had omitted certain facts from an email summary he’d sent Khosrowshahi about the incident, including how many riders and drivers it affected, the type of information that was taken, and that data had been downloaded by the hackers.

Read the Top 8

Sign up for the Top 8, a roundup of the day's top stories delivered directly to your inbox Monday through Friday.

Loading
Loading...