Uber hacker is a 20 yr-old Florida man

Credit: itnews.com.au

  • Dec 07 2017 04:40

A 20-year-old Florida man was responsible for a massive data breach at Uber last year and was paid by Uber to destroy the data through a bug bounty program, three people familiar with the events have told Reuters.

Uber announced late last month that the personal data of 57 million users, including 600,000 drivers in the United States, were stolen in a breach that occurred in October 2016.

It also revealed that it had paid the hacker US$100,000 to destroy the information. But the company did not reveal any information about the hacker or how it paid him the money.

Uber made the payment last year through a bug bounty program designed to reward security researchers who report flaws in a company’s software, the three people said.

Uber’s bug bounty service is hosted by a company called HackerOne, which offers its platform to a number of tech companies.

Reuters was unable to establish the identity of the hacker or another person who sources said helped him. Uber spokesman Matt Kallman declined to comment on the matter.

Newly appointed Uber chief executive Dara Khosrowshahi fired two of Uber’s top security officials when he announced the breach last month, saying the incident should have been disclosed to regulators at the time it was discovered, about a year before.

It remains unclear who made the final decision to authorise the payment to the hacker and to keep the breach secret, though the sources said then-CEO Travis Kalanick was aware of the breach and bug bounty payment in November of last year.

Kalanick, who stepped down as Uber CEO in June, declined to comment on the matter, according to his spokesman.

A payment of US$100,000 through a bug bounty program would be extremely unusual, with one former HackerOne executive saying it would represent an “all-time record”.

Security professionals said rewarding a hacker who had stolen data also would be well outside the normal rules of a bounty program, where payments are typically in the US$5,000 to US$10,000 range.

HackerOne hosts Uber’s bug bounty program but does not manage it, and plays no role in deciding whether payouts are appropriate or how large they should be.

HackerOne CEO Marten Mickos said he could not discuss an individual customer’s programs.

“In all cases when a bug bounty award is processed through HackerOne, we receive identifying information of the recipient in the form of an IRS W-9 or W-8BEN form before payment of the award can be made,” he said, referring to US Internal Revenue Service forms.

According to two of the sources, Uber made the payment to confirm the hacker’s identity and have him sign a nondisclosure agreement to deter further wrongdoing.

Uber also conducted a forensic analysis of the hacker’s machine to make sure the data had been purged, the sources said.

One source described the hacker as “living with his mum in a small home trying to help pay the bills,” adding that members of Uber’s security team did not want to pursue prosecution of an individual who did not appear to pose a further threat.

The Florida hacker paid a second person for services that involved accessing GitHub to obtain credentials for access to Uber data stored elsewhere, one of the sources said.

GitHub said the attack did not involve a failure of its security systems.

Uber last month said the attacker had managed to gain access to the private GitHub repository of Uber software developers and use the credentials within to access data stored on an Amazon Web Services server.

“Our recommendation is to never store access tokens, passwords, or other authentication or encryption keys in the code,” GitHub said in a statement.
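GitHub's advice is the control that would have cut the path described above: credentials committed to a repository, then reused against cloud storage. As an added example (not from the article, Uber, or GitHub), here is a small Python scanner of the kind run as a pre-commit or CI check, flagging the credential shapes involved here: AWS access key IDs and secret keys, hard-coded passwords, and long high-entropy strings. The sample file content and the entropy threshold are constructed; the key values are the AWS documentation placeholders.

```python
import math
import re
from collections import Counter

# Credential shapes to look for in committed source (the AWS key formats are
# the public, documented ones; the other patterns are deliberately simple).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws[_-]?secret[_-]?access[_-]?key\s*[:=]\s*['\"]?([A-Za-z0-9/+=]{40})"),
    "hardcoded_password": re.compile(
        r"(?i)(?:password|passwd|pwd)\s*[:=]\s*['\"]([^'\"]{6,})['\"]"),
}

# Quoted tokens this long with key-like entropy are worth a look even when no
# named pattern matches them.
LONG_TOKEN = re.compile(r"['\"]([A-Za-z0-9/+=_-]{32,})['\"]")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character: random keys score high, prose scores low."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_source(text: str, entropy_threshold: float = 4.0):
    """Return (line_no, kind, matched_text) for each suspected secret in text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                findings.append((line_no, kind, m.group(m.lastindex or 0)))
        for token in LONG_TOKEN.findall(line):
            already = any(f[0] == line_no and f[2] == token for f in findings)
            if not already and shannon_entropy(token) >= entropy_threshold:
                findings.append((line_no, "high_entropy_string", token))
    return findings


# Constructed sample config; the AWS values are the documentation placeholders.
SAMPLE_CONFIG = """\
# constructed sample file
region = "us-east-1"
aws_access_key_id = "AKIAIOSFODNN7EXAMPLE"
aws_secret_access_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
db_password = "hunter2hunter2"
app_name = "rider-service"
"""

if __name__ == "__main__":
    for line_no, kind, value in scan_source(SAMPLE_CONFIG):
        print(f"line {line_no}: {kind}: {value}")
```

In a real pipeline the check runs over the staged diff rather than whole files, and a finding blocks the commit until the value is moved to a secrets manager and rotated.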

‘Shout it from the rooftops’

Uber received an email last year from an anonymous person demanding money in exchange for user data, and the message was forwarded to the company’s bug bounty team in what was described as Uber’s routine practice for such solicitations, according to three sources familiar with the matter.

Bug bounty programs are designed mainly to give security researchers an incentive to report weaknesses they uncover in a company’s software. But complicated scenarios can emerge when dealing with hackers who obtain information illegally or seek a ransom.

Some companies choose not to report more aggressive intrusions to authorities on the grounds that it can be easier and more effective to negotiate directly with hackers in order to limit any harm to customers.

Uber’s US$100,000 payout and its silence on the matter at the time were extraordinary under such a program, according to Luta Security founder Katie Moussouris, a former HackerOne executive.

“If it had been a legitimate bug bounty, it would have been ideal for everyone involved to shout it from the rooftops,” Moussouris said.

Uber’s failure to report the breach to regulators, even though it may have felt it had dealt with the problem, was an error, according to people inside and outside the company who spoke to Reuters.

“The creation of a bug bounty program doesn’t allow Uber, their bounty service provider, or any other company the ability to decide that breach notification laws don’t apply to them,” Moussouris said.

Uber fired its chief security officer, Joe Sullivan, and a deputy, attorney Craig Clark, over their roles in the incident.

“None of this should have happened, and I will not make excuses for it,” Khosrowshahi said in a blog post announcing the hack last month.

Clark worked directly for Sullivan but also reported to Uber’s legal and privacy team, according to three people familiar with the arrangement. It is unclear whether Clark informed Uber’s legal department, which typically handled disclosure issues.

Sullivan and Clark did not respond to requests for comment.

Last week, three more top managers in Uber’s security unit resigned. One of them, physical security chief Jeff Jones, later told others he would have left anyway, sources told Reuters. Another of the three, senior security engineer Prithvi Rai, later agreed to stay in a new role.
