This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Graham Cluley
It's not just the external threat, but the threat of people who are basically people you've opened your kimono to, people who you've sort of embraced or brought into your company or trusted.
Carole Theriault
You open your kimono to your investment bankers?
Lisa Forte
Who does that?
Unknown
Smashing Security, Episode 153: Cybercrime Phishing, ransomware, and phishing. Time doesn't pay, but Uber does. With Carole Theriault and Graham Cluley.
Graham Cluley
Hello, hello, and welcome to Smashing Security episode 153. My name's Graham Cluley.
Carole Theriault
And I'm Carole Theriault.
Graham Cluley
Hello, Carole.
Carole Theriault
Hello, Graham.
Graham Cluley
We are—
Carole Theriault
How are you today?
Graham Cluley
Well, thank you very much for asking. I'm not too bad, actually. And I'm particularly excited because we have a brand new guest on the show.
Carole Theriault
Never been on the show before.
Graham Cluley
Never been on the show before. Can you believe it?
Carole Theriault
There's just a few people out there. Absolutely.
Graham Cluley
Someone who hasn't been on the show before. It's Lisa Forte. Hello, Lisa.
Lisa Forte
Hello.
Graham Cluley
Now, Lisa, you should tell us what you do and who you do it for and why are you here?
Lisa Forte
Wow, so many questions all at once. So I'm a partner at Red Goat Cybersecurity, and we specialize in security training and crisis simulations for crisis management teams and organizations where we simulate a cyberattack and then see how they handle it and the sorts of decisions they do or do not make. And then I write a brutal report up on how well they did.
Carole Theriault
That sounds awesome. Now, did you have anything to do with the name of the company?
Lisa Forte
Yes.
Carole Theriault
Oh, tell me why. Why Red Goat?
Lisa Forte
So it was kind of funny actually, because it really wasn't planned. And just as I was setting up the company, I read this report in the New Scientist that was about some study done by UCL in London, and they'd recognized that goats can tell intruders to their herd just by hearing their voice. And I thought, this is kind of exactly my thing for my company and what we're doing. So I thought, you know what, I'll do it. And now when I go into some of my clients, they go, oh, the goat lady's here.
Graham Cluley
So charming.
Lisa Forte
You can't ask for anything better in life.
Carole Theriault
I wonder if you can use something like a deepfake lyrebird on goats and then present them in front of them and they might get duped. Okay, I digress. I digress.
Graham Cluley
Just slightly. Carole, what have we got coming up on the show this week?
Carole Theriault
Well, first, thanks to this week's sponsor, LastPass. Its support helps us give you this show for free. Now, on today's show, Graham tells us what happened to a Romanian couple who hijacked surveillance cameras in Washington, D.C. Lisa visits the world of insider traders who are trading our secrets. And I'm revisiting the Uber hack of 2016, now that we have all the juicy details. All this and loads more coming up on this episode of Smashing Security.
Graham Cluley
Now, chums, chums, can I take you back in time once again to the happy days of January 2017?
Carole Theriault
Are you planning to start every single story now that has happened before last week with—
Graham Cluley
I'm glad you've noticed this. Exactly. We're going back in time almost three years. January 2017, a time when we were full of hope, wasn't it? Do you remember what was going on? This beautiful romantic couple were walking the streets of Washington, D.C. Him, he was tall. He was tanned, his blonde hair blown in the wind like a young Robert Redford, a long red tie dangling down his torso. And next to him, a pouting former model from Slovenia, a picture of true love. I'm talking, of course, I think you can guess.
Carole Theriault
Trumpistan?
Graham Cluley
Exactly. About Donald and Melania. I almost called her Melanoma. Melania. There they were as he was given the nuclear attack codes and the keys to the White House. And we thought, oh, wonderful, a whole brand new era of civilization is about to begin. How fantastic, how optimistic. Yes, those were happy times, and we knew everything was in safe, albeit quite small, hands. Well, Graham, let's not bring my hands into things. But we knew we had nothing to fear. But Donald Trump's presidential inauguration could have gone horrifically wrong. There's some people who think it did go horrifically wrong, of course, but you know, just days before the ceremony, just days beforehand, hackers managed to hijack 70%— 7-0%— of Washington, D.C.'s public surveillance cameras being used by the police. And they demanded a ransom for their safe return of over $60,000.
Carole Theriault
A worldwide investigation is underway into a cyberattack on Washington, D.C. surveillance cameras ahead of last month's inauguration. Hackers targeted traffic and security cameras in the nation's capital just 8 days before President Trump was sworn in, and the attack happened while federal law enforcement officials were trying to ramp up security.
Graham Cluley
So they came in via the internet and basically just jammed them all up so they couldn't be used.
Carole Theriault
Oh, so they jammed them. It wasn't they were taking what was being recorded, they were just flooding them.
Graham Cluley
No, no, I mean, they could have just tuned into CNN or MSNBC. That wouldn't have been that tricky. I mean, I know it can be hard getting those stations overseas, but you wouldn't necessarily go to this effort. But what they did was they installed ransomware onto the computers controlling the cameras.
Carole Theriault
Yeah.
Graham Cluley
And they then used those computers not only to sort of block them up, but also they used them to spam out an additional 180,000 email addresses with a ransomware-laden payload. Nasty stuff. And the Secret Service, as you imagine, you know, they sprung into action because this was—
Carole Theriault
So did they figure it out? So they hijacked this 70% of— this must be thousands of cameras, and what people noticed right away— or they sent out the ransom right away. Oh yeah, they demanded a ransom.
Graham Cluley
I think, yeah, and I think the smart chaps at the Secret Service and the Washington police noticed when the ransom message— yeah, exactly.
Carole Theriault
Yeah, when they got the ransom message, yeah, put on their hats, stood up, did a little backstretch, went and handled the problem.
Lisa Forte
Was it their ransomware or was it purchased?
Graham Cluley
Yes, they'd bought it from hackers based in another country. But the Secret Service, you know, they sprung into action. They said this was a really high priority due to the impact on their mission, which was obviously to protect the First Lady and POTUS as he was given all the power.
Carole Theriault
And presumably every single person in Washington, D.C.
Graham Cluley
Right.
Lisa Forte
And I'm sorry, but to play the cynic, also kind of embarrassing.
Carole Theriault
Ever so slightly.
Lisa Forte
In some ways, that's kind of the worst part of it. You're "oh my God, it wasn't even sophisticated."
Carole Theriault
And God.
Graham Cluley
And obviously, based upon what we subsequently found out, no one would have wanted cameras out of action at the inauguration. I mean, that was a truly historic moment, needed to be recorded. We needed photographs of the crowds for posterity so that we could later count how many.
Carole Theriault
So, did they use the public surveillance cameras, Graham, to do a crowd count? But to your point, if they were worried about any dissidents at the event, that is presumably how you would capture them.
Graham Cluley
Now, fortunately, before the big day, things actually got sorted out, but nobody likes loose ends when it comes to a cybercrime attack. It's fun to unravel the mystery and find out who did what and why. And that is what a recent article in the Wall Street Journal does rather spectacularly. And I was reading this and I thought, oh, I would love to share this with listeners of Smashing Security. So I'm gonna tell you what was happening because while Donald and Melania, let's not start a rumor that the First Lady's a man. No, so Melania, while they were, you know, doing all those lovely things, there was another couple 5,000 miles away in Bucharest.
Carole Theriault
Okay.
Graham Cluley
And this young couple, now I'm probably going to butcher their name. So, you know, I'm sorry, I'm not Romanian. So apologies. Alexandru Isvanca and Evelyn Cismaru, a guy and a girl, and they were set up in Bucharest and they were rather like Bonnie and Clyde. They were a bit like cyber criminals of the 21st century. They actually liked to call themselves, their nicknames, their pet names for each other were Bobo and Eve. So I think I might call them Bobo and Eve as well.
Carole Theriault
I wouldn't want to tell you my husband's nickname for me, just saying.
Graham Cluley
Eek.
Lisa Forte
Eek, eek, eek.
Graham Cluley
Waiting for that data breach. So now they'd been together for a while. In fact, ever since around about a year after they first met, they had supported themselves in their relationship through computer crime and credit card fraud. Fairly unsophisticated stuff. Yeah, romantic. Well, you know, who knows what they're buying. Committing small-scale online fraud with stolen credit card numbers, spamming out people. And they largely got away with it, I think, because for the police, the cost to investigate the crime was just too high.
Lisa Forte
Yeah.
Graham Cluley
Actually, Lisa, didn't you used to be with the police?
Lisa Forte
I did indeed.
Graham Cluley
And was this your experience that some computer crime doesn't get investigated for that reason?
Lisa Forte
Yeah, and to be honest, you've gotta balance out the chance of being able to catch someone and the harm that's been caused by whatever they've done and cost to the police resources. And sometimes that doesn't always mean everything gets investigated.
Carole Theriault
I imagine the amount of time and resources required just to make contact with the correct officials in Eastern Europe would be in itself completely off-putting.
Lisa Forte
Totally. Yeah.
Graham Cluley
Right. So there's different legislation in different countries, there's different languages, there's different time zones. It all adds up to money, money, money, and lots of effort, which maybe could be being spent elsewhere. And I think some financial institutions, if it's not tens of millions, are happy to take it on the chin. You know, and they think, well, consumers are gonna pay for this ultimately. You know, through bank fees or whatever. So Evelyn, also known as Eve, she was actually found guilty of some credit card fraud back in 2012, but she only got a suspended sentence and told to behave herself in future. But surprise, surprise, that didn't stop her. And it didn't stop Bobo either. And from their apartment in Bucharest, they had spammed out this ransomware attack to an email list they'd picked up. And it just so happened that it infected all of these computers running Washington DC.
Carole Theriault
Oh, so it wasn't a targeted attack by any stretch. It was just a lucky find.
Lisa Forte
But that's even more embarrassing.
Carole Theriault
Yes, I agree. I agree.
Graham Cluley
Exactly. It wasn't like they'd put loads of effort into infecting those particular computers. It's just that they were unprotected or the users on those computers had clicked on an email attachment, and bam, they got infected, and then it spread inside the organization.
Carole Theriault
So it's like casting a net with your eyes closed and you just happen to catch this huge poisson.
Graham Cluley
Yeah.
Lisa Forte
But to be honest, it is nice to do something with your partner and have something in common.
Carole Theriault
Yeah, a story you can tell at dinner, right? Exactly. Or to your friends.
Lisa Forte
Yeah, how did you guys meet?
Carole Theriault
Yep, well, it's kind of funny.
Graham Cluley
Do you have a partner, Lisa? I mean, you're an ex-police person.
Lisa Forte
I wonder if—
Graham Cluley
Now, on the very same day that Bobo, the guy, managed to infect all these CCTV cameras in Washington, D.C. streets, he made a mistake. And his mistake was to order food from a pizza shop called Andy's Pizza in Bucharest.
Carole Theriault
What, on the same—
Graham Cluley
On the same day.
Carole Theriault
On the same day.
Graham Cluley
On the same day.
Lisa Forte
I know where this is going.
Graham Cluley
So now his mistake wasn't ordering a Hawaiian pizza.
Lisa Forte
Okay, phew, that's fine. That's what I thought it was gonna be. Yeah. I'm Italian, so people get hung in Italy for ordering Hawaiian pizzas. So please don't do it.
Graham Cluley
That wasn't his boo-boo. What his boo-boo was is that he used the same email address that he had used to spam out all these other people.
Carole Theriault
That's pretty 101 mistake, isn't it?
Graham Cluley
Well, it turns out, Carole—
Lisa Forte
Oh, sec 101. Yeah, yeah.
Graham Cluley
It turns out that quite a few cybercriminals make 101 mistakes. The thing is, they may only make them once or twice, but that's enough, isn't it?
Carole Theriault
Yeah, well.
Lisa Forte
Wow.
Graham Cluley
Well, he wasn't the only one making a boo-boo, was Bobo. Eve, she had this other criminal scheme up her sleeve. You see, she was running a fraudulent seller account on Amazon. You know, you can buy things on Amazon which don't come directly from Amazon, but from other people who sort of set up online stores up there.
Carole Theriault
Yeah, of course.
Graham Cluley
She set up a fake one. And what happened was whenever people ordered something from her, she'd get the alert saying, oh, you know, Frank has ordered a book or a DVD box set or something. And then she would use a stolen credit card to go and buy it from a legitimate seller. So they would do all the shipments. So she'd get the money and then she'd use a fake credit card to actually buy it and get it delivered. Well, it's astonishing this sort of thing goes on, but it does go on. But she didn't use her own computer to do this because that would of course have left too many clues lying around, right?
Carole Theriault
Oh my God, that would be the best outcome.
Graham Cluley
Well, she used one of the computers belonging to the police in Washington, D.C., controlling the CCTV cameras. And so when the U.S. officials, when the Secret Service were running around fixing the hijacked cameras and panicking about that and resetting the computers, they went to one of these computers and they found on it this tracking number of an Amazon package being sent to the UK, right? And interestingly, when they looked at the order of what was being sent to the UK, do you know what it described the item as?
Lisa Forte
No.
Graham Cluley
A smoking gun.
Lisa Forte
Oh my God.
Graham Cluley
Now, when I heard of a smoking gun, I thought this might be something that people vape with, right? Because that's sort of, you know, all the smoke and stuff, which I thought maybe it's something like that.
Carole Theriault
Okay.
Graham Cluley
Or a cigarette lighter or something. But no, apparently a smoking gun is an accessory used by people who like barbecues. And according to the Amazon description, adds a lovely smoky flavor to food and drinks.
Carole Theriault
Are you sure it's not a smoker gun?
Lisa Forte
Yeah, I would have said smoker gun.
Graham Cluley
Well, look, I— this is the Wall Street Journal, and far be it from me to suggest that they've got this wrong.
Carole Theriault
Okay, but did you Google it? I'm just going to do that right now.
Graham Cluley
Well, you can go ahead and use a search engine of your choice if you wish.
Carole Theriault
Start Page. Don't you worry.
Graham Cluley
While you're looking at that, I'll carry on. The UK cops were then told by the Americans, look, this is the house where this gun is being delivered, and we think it's associated with this hijack of the CCTV cameras. So cops went round to this house in Streatham.
Carole Theriault
Where the smoking gun was delivered.
Graham Cluley
Where the smoking gun was delivered.
Carole Theriault
Apparently Amazon call it that too, so there you go.
Graham Cluley
There you go. Okay. And they arrested the people. There was a 50-year-old British guy and a 50-year-old Swedish woman at the address, and they said, look, we know nothing about this. We're just into barbecues in quite a serious fashion.
Carole Theriault
Yeah.
Graham Cluley
And so they were initially arrested in connection with the hack, but they weren't actually connected at all. But Eve had blundered some more. She had created a Gmail account as a backup to some of her other online accounts, and she'd attached to that Gmail account her real name. And you may not be surprised to discover that the police have it within their ability, if they have a name, to then possibly locate the person associated with that name. And so they were able to identify that this was the same Evelyn in Bucharest.
Carole Theriault
So what you're saying, it's like if I had AAA and BBB and CCC as fake accounts, but as a backup account, I put it under my legit email address. And so they just—
Graham Cluley
Carole Theriault at SmashingSecurity.com or something like that. Yeah.
Carole Theriault
Right.
Graham Cluley
Well, again, not the smartest. So Europol investigated, and Eve and Bobo went on the run. They were eventually caught, put under house arrest. Evelyn Cismaru, also known as Eve, was extradited to the States and has since pleaded guilty and agreed to testify against her former boyfriend. The full story of how she was caught is quite fascinating. You can go and read it on the Wall Street Journal. It is quite interesting to read. But anyway, she has since been released for time served. And she's now in London working as a fashion fitness entrepreneur.
Lisa Forte
Good for her.
Carole Theriault
What is that?
Lisa Forte
You go, Eve.
Graham Cluley
You go, Eve. Well, you can say go Eve to her yourself because she's on Instagram and she has got 80,000 followers to her account.
Lisa Forte
Wow.
Graham Cluley
Where she is posting glamorous selfies. Now, Alexandru Isvanca, meanwhile, also known as Bobo, he hasn't come out of all this quite so well. He's facing trial in Romania on other credit card theft charges, and is currently facing extradition to the States, where he could face up to 20 years in prison.
Lisa Forte
Can I just say that the point at which they went on the run, I mean, we've all been there with our partner where we've had an argument and it just gets way out of hand. Can you imagine the arguments that they were going on in that car? No, it was you because you ordered that pizza. No, it was you because— I mean, it would have been beautiful.
Carole Theriault
It would be a lover's tiff, to be sure.
Lisa Forte
For sure.
Carole Theriault
Yeah.
Graham Cluley
We've all gone on witness protection from time to time with our partners. We've done it.
Lisa Forte
We've all been there.
Graham Cluley
So I thought this is a salutary warning to other cybercriminals out there not to make such elementary mistakes. Maybe not even commit the crime in the first place, but also as a backup for your future career, maybe set up an Instagram account because maybe you'll become an Instagram influencer.
Carole Theriault
So basically their mistake was almost inevitable. The mistake was they got too big a fish that they didn't know how to handle. They caught the attention of the FBI, who otherwise would never have looked their way because they were doing petty crime in Bucharest.
Graham Cluley
I think you're absolutely right, Carole. I think if you spam out a lot of email addresses, there's a danger that you might infect someone who you didn't want to infect, like the FBI, like Scotland Yard, like the NSA. You know, you just want to stay well away from those kind of targets.
Lisa Forte
Mossad would be another one that I would guess.
Graham Cluley
Oh, you don't want to— You don't want to mess with the Israelis.
Carole Theriault
Back away.
Lisa Forte
There's a few of them on the list that you just probably want to search for.
Graham Cluley
Says the Italian. As though they never cause any trouble.
Lisa Forte
Yes.
Graham Cluley
Lisa, what story have you got for us this week?
Lisa Forte
So I also have a romantic tale.
Graham Cluley
Ah, lovely.
Lisa Forte
Love and treachery, and you know, it's just— it's a beautiful story. Basically what has happened is two London investment bankers, madly in love, have just been charged in the US. And they've been charged for insider trading, basically.
Carole Theriault
Whoa, whoa, investment bankers with a heart?
Lisa Forte
Sounds— oh yeah, they love each other. They loved each other and they loved money.
Carole Theriault
So, right, oh, the best thing.
Graham Cluley
Truffle snuffling.
Lisa Forte
Yeah, exactly. But it's kind of interesting because one of the commentary pieces on it was that in some of the cases they released information like, okay, there's going to be a merger. So the share price was going to go up.
Carole Theriault
Right.
Lisa Forte
So in some ways, although they released that information, it benefited the company because their share price just went up early.
Carole Theriault
Yeah.
Lisa Forte
But there was also situations where they passed really damaging information to short sellers. And essentially short sellers are kind of hated.
Carole Theriault
The enemy of the company.
Lisa Forte
Yeah, they're basically people who bet that your share price is going to plummet. Exactly. And they make money when it does. So they get some sort of dirt on the company from these people and then they publish it and then the share price drops. So interestingly, they were just at this for years and it seems to be that this is just the tip of the iceberg and they reckon that there could be 10, 15 other people around the world who've been involved in this ring of insider traders. So it's really fascinating because obviously they were at a company that you'd have thought would have had a reasonable amount of security, but yet they were still managing to exfiltrate all this information and then use it to make millions.
Carole Theriault
So do you know if bankers or investment traders have to sign an oath that they're not going to pass on these secrets? I don't know how it works.
Lisa Forte
Exactly. Yeah, so they've basically been taking loads of information from the companies they work for and selling it on to other traders through middlemen so that they can basically make— they reckon about tens of millions of dollars in profits have been made from this, and it's been going on for over 5 years. So their OPSEC was a little bit better than— so they had pseudonyms for each other as well.
Carole Theriault
It must just be, "How was your day?" "Fine." "Good." It's being married to a spy or something.
Lisa Forte
They called each other Pops and Popsie in their emails. I know, it's beautiful, isn't it? So they were sort of going through middlemen, sending these things, and one of the messages that has been sort of revealed in this court case is that he wrote, once upon a time, there was a pop searching for truffles in the forest. Yeah, totally. Well, it's definitely highly, highly illegal.
Graham Cluley
Yes.
Carole Theriault
Yeah.
Graham Cluley
For sure. It reminds me a little about a hacking gang who a few years ago hacked into PR Newswire and some of the other press newswires, because of course that was somewhere where hundreds of companies were posting financial news or news about mergers and acquisitions.
Lisa Forte
And attached to said email was a highly confidential file relating to a pharmaceutical company that got sent to another trader. And they use these cryptic messages. They were encrypting everything. They were using burner phones to pass information. And yeah, they cost a lot of people a lot of money and they're in a bit of trouble for it. So it was a beautiful story of love and money.
Graham Cluley
And the hackers managed to get hold of these press releases before they were published and then sell them to dodgy people who were doing the trading. And they made a fortune. This really is a more effective way, if you don't get caught, of making a large amount of money through cybercrime than just sending out ransomware, I reckon.
Lisa Forte
Totally. And I think the other thing, people always think that, 'cause we talk so much about PII and personal information and stuff, actually to an insider threat, that's pretty useless information because the stuff that's gonna make you big, big bucks is going to be trade secrets, it's going to be market information, it's going to be IP. You know, that's the sort of stuff that you can steal and sell for a lot more money than any personal information of any employee or anything.
Carole Theriault
Yeah, that's true, isn't it? It's stealing a company's secrets as well is very useful, you know, if you can target the competitor to sell it on to.
Graham Cluley
The intellectual property or something.
Carole Theriault
Yeah, the IP.
Lisa Forte
Yeah, because the Google exec has just been indicted, hasn't he? Because he stole trade secrets about the self-driving cars that Google were developing and he sort of took them with him when he left. Rolled into Uber and was, "Hey, Uber, guess what?" This is such a big problem, isn't it?
Graham Cluley
It's not just the external threat, but the threat of people who are basically people you've opened your kimono to, people who you've sort of embraced or brought into your company or trusted.
Carole Theriault
Who opens your kimono to your investment bankers?
Lisa Forte
Who does that?
Carole Theriault
Graham, seriously, I'm worrying about you, man. Yeah, listen to him. He's wheezing away practically dead. Are you lying on the ground as you do this podcast?
Graham Cluley
Carole, what's your story for us? We know it's about Uber.
Carole Theriault
Well, Uber, right? The bane of every old school cabbie out there, but so loved by city dwellers the world over for its convenience. And I might argue its adventure as well. I mean, with an Uber, you never really know what you're gonna get. You must have a crazy Uber story. I think everybody does.
Lisa Forte
I definitely do.
Carole Theriault
Okay, tell.
Lisa Forte
I, okay, this is, I would, I got an Uber in London once and I had this Irish driver and he spent the entire duration of the journey telling me what kneecapping was.
Graham Cluley
Oh, how nice.
Carole Theriault
Oh my God.
Lisa Forte
So yeah, that was my, that's my experience. Yeah.
Carole Theriault
I got into the cab and he was furious the entire time because this previous person had vomited in the car but didn't tell me until we had taken off. So that's when the smell hit me. And with the cleaning Febreze stuff. Oh no. Oh my God. Oh.
Graham Cluley
I had a bad experience as well. I once vomited in the back of an Uber and all I had was a Febreze spray with me and I just quickly sprayed it around. Got out quick. Yeah.
Carole Theriault
Now you both will of course remember that Uber got hacked 3 years ago, back in October 2016, with the hackers stealing the personal data of almost 60 million customers and drivers. Well, the two guys behind the hack have recently pled guilty, and some pretty juicy details have come out since. The upshot is Uber did not react the way you would want a respected company to behave, in my opinion. So question one was, how did these two hackers get into Uber and steal that ginormous treasure trove of user information? ZDNet pulled together a rather insightful article on this based on court documents. Here's the gist. So in 2016, the two hackers, a Floridian named Brandon and a Torontonian named Vasily, used their custom—
Lisa Forte
Sorry, can I just ask, were these guys romantically involved?
Carole Theriault
Not at all. I have no love in my story. I know.
Lisa Forte
Okay, that's a shame.
Carole Theriault
Though you can imagine them holding hands. Okay.
Lisa Forte
I will, I'm doing that now.
Carole Theriault
Okay, so you've got your Floridian guy, he's gonna be wearing shorts, you know, maybe Magnum P.I. style-y.
Graham Cluley
Oh, sexy.
Carole Theriault
Yep, and Torontonian just wearing a big hoodie and a big, big, big toque for your head.
Graham Cluley
A moose.
Carole Theriault
Yeah, wearing a moose, yes. These two guys used their custom-built GitHub account checker tool to test user credentials leaked from other sites against GitHub's own service, and they were particularly interested in targeting credentials of corporate employees because they wanted to get high-value GitHub accounts. They weren't interested in little, you know, people like me with a few things there. They want to look for the motherlode.
Graham Cluley
So what they were doing was they were searching GitHub to see if developers had left passwords and keys?
Carole Theriault
Right.
Graham Cluley
Right.
Carole Theriault
They're looking for credentials. And then once they were able to get those credentials, they had this huge backup of information of sensitive data like user details and backups and all that sort of stuff. So boom, they had the goods. They're looking for usernames. They're looking for passwords, looking for keys, looking for anything that's gonna allow them to breach any associated Amazon Web Services. This is the personal information of nearly 60 million users and drivers. Now, question 2, how did they extort the money but stay under the radar? Because of course, no one knew about this. If the attack happened in October 2016, it didn't make it out into the public arena till a year later. So with this data in their possession, the two hackers created and used a ProtonMail email service.
Graham Cluley
Oh yeah, I've got a ProtonMail account. Yeah.
Carole Theriault
They used this ProtonMail address to contact Uber. And this was in November 2016. This was a full month after the attack. Now they contacted the then chief security officer, Joe, the CSO. And they said they found a major vulnerability and provided a sample of the stolen data. And they demanded $100,000 payment in bitcoin to delete the info.
Graham Cluley
Yeah. The major vulnerability is we've managed to nab some of your passwords.
Carole Theriault
We've got—
Graham Cluley
Getting access to your data.
Carole Theriault
And here is all the data we have of yours that you should be keeping under lock and key.
Graham Cluley
Right.
Carole Theriault
Now, Joe, the CSO, you may remember, ended up paying off these hackers but told no one about it. Not the authorities, as the rules stipulate, not the affected users whose data had been stolen. Everything was kept deep, deep undercover.
Graham Cluley
That's scandalous, isn't it?
Lisa Forte
I mean, it's a strategy. I mean, it's not a good strategy, but I guess, you know.
Carole Theriault
Yeah. It's gotta be a stressful time for Joe the CSO at this stage, right? Because he's taken a road of— He's taken the left fork in the road. What is it? He's— I can't even speak.
Graham Cluley
I like the analogy, Carole. I mean— The wheels are possibly going off it, but it's— Well, I mean, this is Uber all over though, isn't it? I mean, certainly a few years ago, I know they've changed CEOs since then, but they were up to a lot of very dodgy things, which will make them very controversial. And they did seem to, yeah, ride a bit roughshod over the rules.
Carole Theriault
So here's some cute things about this that I found interesting. So first one was Joe, the CSO, responded to their ransomware threat as though it were a bug report, right? So he carried on the charade. You know, Joe the CSO paid via the company's HackerOne bug bounty program, which from a corporate standpoint is probably a very, very good way to hide if you're gonna pay off a ransom.
Lisa Forte
Yeah, definitely.
Carole Theriault
Right? 'Cause that money's already earmarked. It's not like you're trying to steal it from sales or marketing and you have to come up with some made-up reason. It's okay. So this gets interesting here, right, for me. So we have responsible ethical hackers out there, right? And they find flaws and they contacted the affected company. They provide proof that they were able to do something. And then often they look for payment for their hard work. In exchange for that, they will not go public until the problem is sorted. That's effectively what we'd call responsible disclosure. Now these guys, they're doing a similar thing, except they're holding data for ransom. They threaten to go public with that information unless Uber pays up.
Graham Cluley
Well, I think the difference probably is that if you were a genuine security researcher who is behaving ethically, you would not download all the gazillions and oodles of data from that Amazon bucket. You'd simply see that you had access to it.
Carole Theriault
But what's more important for me, I think, is that that person doesn't then share it with everyone in the entire universe and put it up on a database.
Graham Cluley
Yeah. Yeah.
Carole Theriault
So let's keep that in mind because I want to come back to that in a second. So the other big question, how did Uber know that the hackers would not release the data after they made their payment? Right? That's the big question we always have. How, you know, okay, I've paid off the ransom, but how do I know? Now, in order to ensure that the hackers stayed schtum about their activities and their big treasure trove of data, Uber made the hackers sign NDAs. This is a non-disclosure agreement, right, that holds parties accountable to keeping their trap shut. But how did they do that, right? They didn't know the hackers' true identities, did they? Yes, they did.
Lisa Forte
Oh, Uber.
Carole Theriault
Yes, they did. Yes, they did. And then according to media reports, in January 2017— okay, this is still 7 months before any of us found out.
Graham Cluley
This is after Uber have paid them.
Lisa Forte
They paid them first.
Graham Cluley
I think they paid them and then they investigated and found their identities.
Carole Theriault
So, okay, so then in January 2017, an Uber rep went down to Florida to meet with our U.S. Floridian hacker and got him to sign an NDA with his real name. And then two days later, another Uber rep meets up with the Canadian hacker in a Toronto restaurant and gets his John Hancock on the NDA form.
Graham Cluley
So John Hancock, what's that?
Carole Theriault
Signature. Oh, don't know that.
Graham Cluley
Is that what people call signatures? John Hancocks? Why would a signature be John Hancock?
Carole Theriault
I'll let you Google it.
Graham Cluley
Am I terribly ignorant?
Carole Theriault
I'll let you Google it.
Graham Cluley
Am I exhibiting my ignorance? Okay.
Carole Theriault
Yeah. It's not Hancock though. Okay.
Graham Cluley
Hancock. No, I don't think that. Hang on. John Hancock.
Carole Theriault
So to sum up, Uber required the two hackers to sign a confidentiality agreement prohibiting the use of data and public disclosure of the security breach. So they knew who hacked them, but never gave the identities to the cops. So to be fair though—
Graham Cluley
John Hancock has the largest signature on the Declaration of Independence. And his is the only one still legible on the highly faded document, it says.
Carole Theriault
There you go.
Graham Cluley
He wanted to be sure that King George III could read it. There you are. Because he's like, let's get me in there, do a really big signature.
Carole Theriault
We could maybe do this at the end of my segment.
Graham Cluley
Yeah, I'm sorry, I've just found it interesting.
Carole Theriault
I'd just like to have a bit of rhythm, if I could.
Graham Cluley
Yeah, okay.
Carole Theriault
If that's all right. Yes, Lisa.
Graham Cluley
Yes, that's fine.
Lisa Forte
Can I just say though, Uber did not tell the police who these people were, but if you've just gone out of your way to hunt these people down, get them to sign NDAs to keep everything completely quiet, and then you go to the police and go, guess what, I've got them, let's just make this public. It's kind of a waste of time, really. I just think that in fairness, it does make logical sense. It's not a very good strategy decision, and it clearly does not make you look very transparent, but you're not exactly going to go and publicize it after you've got them to sign NDAs.
Carole Theriault
Well, I had two thoughts on this, right? One of them was, remember we were talking earlier about the NDAs and them signing it. The fact that they did this kind of ensures that they weren't going to go live with the data. So in a way, it may have been a very responsible thing to do in terms of Uber customers whose data had been stolen.
Graham Cluley
But still not tell the customers.
Carole Theriault
Maybe Joe the CSO did something really good here.
Lisa Forte
No.
Graham Cluley
Because of course, even if they've signed an NDA, they could still have told, you know, Mario in Bucharest or something. They could have just whispered to him or left him a copy of it, or they may have been lazy with their own security, so someone else could have hacked the data. And who knows, because those passwords were left on GitHub, someone else could have pinched it as well. So they should have told all those Uber customers and drivers about the problem.
Carole Theriault
Mm-hmm.
Lisa Forte
And let's be honest, what was going on here was Uber are thinking, our share price has taken a battering. We really can't afford to have this huge, massive data breach that shows how incompetently we've handled our data to come out and then our share price will be zero and we won't, you know, that'll be that. That was really the motivation.
Carole Theriault
Yeah. And ironically, what leg did Joe the CSO, what could he stand on afterwards after he paid off the money? What was he going to do, hold them to their NDA if they did go live? What was he going to do, go live on the record and say, yeah, okay, so I paid them, I knew who they were, I made them sign NDAs to keep it all under quiet, and that would have been better for the company anyone.
Lisa Forte
Now, haven't Uber said in response to this that Joe and somebody else were kind of off on a frolic of their own and no one knew that they were?
Carole Theriault
Yes, well, excuse number 48 from any organization. Potentially true, potentially true, but right? He certainly paid the price. He no longer works at Uber. And you know, it was only 10 months after this NDA signing, right, that Uber told riders and drivers— and that was under new management, you mentioned that earlier— so that's a long time now. The current CEO, he said in a statement last week, "None of this should have happened and I will not make excuses for it." And he said, "While I can't erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes." Now, I was all cool with this apology till the word mistake. Okay, mistake. I think that's a little bit rich, don't you think? I mean, I'm not talking about the breach, the fact that they got, you know, their security wasn't on par and someone stole their data. But how they responded to the breach is really abysmal.
Lisa Forte
Yeah, the company-wide manhunt wasn't an oops moment. It was a dedicated team of resources going after these people.
Carole Theriault
Flying to Toronto to get an NDA signed, you know, showing a lot of forethought.
Lisa Forte
Classic mistakes.
Carole Theriault
Yeah.
Graham Cluley
It is terrible, isn't it? I mean, we talk all the time about companies getting hacked and the mistakes they make, but this sort of deliberate cover-up, an attempt to avoid telling your breached customers about what's happened is scandalous.
Lisa Forte
And I always say this to my clients, you know, when I'm doing these things, that the best thing you can possibly do is a Maersk situation, because Maersk is held as the gold standard of incident response now, right? And their comms messaging was on point, really transparent. And I truly think that honesty is your best policy if you know you've been breached.
Carole Theriault
100%. And the way you handle these breaches can do a lot for your share price thereafter, for sure, right? When you— how you handle yourself in a crisis is a very good measure of something, someone you want to invest in.
Graham Cluley
Now, what's the damage to Uber now? Are they being punished?
Carole Theriault
It's all very interesting. So the FTC placed Uber under a strict security audit. Okay. The UK fined Uber just shy of £400,000. So what, $600,000? And the Netherlands charged €600,000. And there was a $148 million fine for a class action lawsuit, right? So this was a settlement for that. So all that together, still for a company reaching $3 billion in revenue is a tiny, tiny tap on the nose rather than a smart slap on the choppers.
Graham Cluley
It's about the same amount it would cost me to get an Uber to Edinburgh. Or something, I expect. It is a return trip.
Carole Theriault
It's funny because, right, all these fines, this money goes to government agencies. And wouldn't it be great if somehow affected users got that as a tax break? If they— so if they get the money and you're, oh, well, you were an Uber user, you can get, you know, £140 off your— this year's taxes. That might encourage—
Graham Cluley
Good luck with that. That might—
Carole Theriault
Yeah. Okay, good point.
Graham Cluley
That might be a vote winner if anyone's got an election coming up.
Carole Theriault
Okay, hand on heart time, how many of you can say that your password hygiene is squeaky clean? If you're feeling it could use a tune-up, maybe check out LastPass Enterprise. With central admin oversight, controlled shared access, automated user management, you help every employee become part of your security solution. Find out more at lastpass.com/smashing. Plus, I would like to extend a personal invitation to an upcoming LastPass event on Wednesday, November 27th, in the wonderful city of Manchester. Occasional Smashing Security guest host Jessica Barker and yours truly are going to be talking about all things security related. We would love to see you there. Check out the registration page on lastpass.com/smashing. On with the show.
Graham Cluley
And welcome back. Can you join us at our favorite part of the show, the part of the show that we like to call Pick of the Week?
Carole Theriault
Pick of the Week.
Lisa Forte
Pick of the Week. Yeah!
Graham Cluley
Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. Doesn't have to be security-related necessarily.
Carole Theriault
Should not be.
Graham Cluley
And mine is not security-related necessarily. There I was the other night in the bath thinking, how can I entertain myself because it's so dull here with my loofah? And oh, I see my wife has left the iPad. Within reach. I thought, I wonder what I could prop— I could prop that up somewhere and see if I can watch something.
Carole Theriault
Are you in the bath with electronics again?
Graham Cluley
Don't worry about it. It's absolutely safe, I'm sure. Anyway, so I propped it up at the end of the bath and I went onto Amazon Prime and I went back in time once again, because I'm quite nostalgic. I remembered being a 12-year-old boy watching a BBC TV show from the late 1970s, early 1980s. Called The Master Game.
Carole Theriault
The Master Game.
Graham Cluley
The Master Game. And this was a BBC Two show, I think it was. And there is one series, the sixth series, which is available to view for free on Amazon Prime. You don't have to pay. On some of them you have to pay, but on this one you can watch the entire series for free. And it stars 15-year-old Deep Purple fan Nigel Short. And if that isn't enough of a clue, Carole, as to what this TV show is about, it's about chess.
Carole Theriault
Ah, no, I had no idea.
Graham Cluley
I'm sorry about that.
Carole Theriault
I had no idea.
Graham Cluley
Yes, it is an innovative TV show. I absolutely loved it at the time because what they would do is they would pit two International Masters or two Grandmasters against each other. And as they were playing, you would actually get their internal commentary from the player themselves as though they were playing it. So they'd go, oh, what to do? Interesting. That's a very sensible move he has made.
Carole Theriault
Is this a voiceover? Or is—
Graham Cluley
Yes.
Carole Theriault
They do it after they watch their moves afterwards.
Graham Cluley
Exactly. They watch it afterwards and they act it as though they're playing it.
Carole Theriault
I think of how much an asshole he is and I will kill him with the next move.
Graham Cluley
And it's fantastic. I absolutely love it because it's so rare to get that kind of insight from the people who are actually playing. It was very innovative at this time because of course they didn't have computer graphics.
Carole Theriault
I was just gonna say, have you been on YouTube? Because everyone is willing to give commentary at every single thing they do.
Graham Cluley
Yes, but this is both parties on a game and it was presented wonderfully. And one of the presenters, the commentator, is a chap called Bill Hartston. I have to say, when I was 12, Bill Hartston was a bit of a hero for me. Reminds me a bit of my dad—sort of softly spoken, sort of nice chap.
Carole Theriault
He looks like Bill Cosby.
Graham Cluley
Right. Well, yep.
Carole Theriault
Oh no. Oh boy.
Lisa Forte
Yep.
Graham Cluley
Bill Hartston is one of the people who occasionally appears on the sofa in Gogglebox. Gogglebox is a TV show where they basically film people sat on a sofa watching TV and responding to TV.
Carole Theriault
For real. That is what it is.
Graham Cluley
That is—
Carole Theriault
It's quite entertaining.
Graham Cluley
Anyway, Bill Hartston is one of those people. And so he's also—and I remember watching Gogglebox once and I said, that's Bill Hartston. Chess master. Fantastic, very exciting for me. So I would recommend, if you have any interest in chess—I know I've probably lost you if you aren't interested at all—then go and check out The Master Game on Amazon Prime, and you can also see some clips on YouTube as well. And that is why it is my pick of the week. Lisa?
Lisa Forte
It's pretty cool.
Graham Cluley
It is, it is pretty cool. Lisa, what is your pick of the week?
Lisa Forte
So anyone who knows me or has met me will know that this is obviously going to be a little bit dark, because that's kind of how I feel. So mine is an app, it's a game that I've recently become addicted to and it's called Plague. Yeah, it's gonna—it's just gonna get worse from this point. And basically it's a bit weird, but it's a game where you have to design a bioweapon, a virus, a bacteria that's gonna infect and kill off every single member of the human race. And it's really, really difficult because the damn humans keep working on cures or isolating. They close airports, they close shipping ports, and you have to get around it, and it's really difficult.
Carole Theriault
So you're teaching the machines how to kill us?
Lisa Forte
Yeah, in future. And your virus will mutate, and it's just, you know, you've just got to sneak in, infect everyone. If you kill them off too soon, they can't infect other people. I waste so many hours traveling, playing, killing humans, basically, is what I do.
Carole Theriault
So do you—are you playing the same game, or you have to start again? Do they suddenly win and you have to go back to the beginning?
Lisa Forte
Yeah, so if they win, then it's over. If they don't, and then you've got to see how fast you can kill everybody off, basically.
Carole Theriault
Have you beaten the people?
Lisa Forte
Oh yeah, several times. Yeah, pretty proud of my achievements.
Carole Theriault
I love the premise of it. I love how they flipped it on its head, but you're not protecting humanity but going after them.
Lisa Forte
Yeah, it's really annoying when they start using hand sanitizer.
Carole Theriault
Okay, I'm actually gonna—I'm gonna check this out.
Graham Cluley
It's called Plague and it's available for iOS and Android and maybe some other platforms as well. Actually, I'm just on the website right now. Looks like it's—oh, there's even a board game version of it.
Lisa Forte
For those Christmas memories. I think I might do that. Good.
Graham Cluley
Carole, what's your pick of the week?
Carole Theriault
So as some of you know, I've been trying to get better at art, right? And it turns out that more often than not, something comes out particularly badly. Not at all what I had in mind. It's really frustrating and I don't want to do it anymore. And in those times, I have taken to watching old art documentaries on the YouTube.
Graham Cluley
Yeah.
Carole Theriault
Yeah. And there are a few wonderful compilations, which I will share in the show notes on the Smashing Security webpage. We're talking hundreds of hours of intelligent, thought-provoking, insightful, interesting things into artists or art movements or techniques or scandals. I was recently watching one called The Great Contemporary Art Bubble. It's a BBC documentary from 2017, and this is on Damien Hirst and how he was at the center of the art bubble because there was this gallery called The White Cube in London and they would occasionally come, "We've got a brand new Damien Hirst and it's valued at 500 million," you know, and have an auction around that. But it turned out that someone had leaked their inventory and price list and they had hundreds or even thousands of Hirsts in the back room and they had all the prices written down. So in other words, they were controlling the supply and demand of the artworks by keeping them scarce. And what does Damien Hirst end up doing? He decides to hold his own auction of the works he still owns, right? So this could undercut the gallery, but what are the galleries supposed to do? If they don't support him, then his work might get undervalued because he might sell them for a few thousand. But if they do support him, they don't get to see any of the money returned because he owns the whole auction. Fascinating. Check it out. I will have a bunch of show notes of different YouTube compilations and a few shows that I found fantastic. And if you're into art or artists or Francis Bacon— crazy, crazy.
Graham Cluley
I will. And you can follow us on Twitter @SmashingSecurity, no G, Twitter wouldn't allow us to have a G. And you can join the discussion with us about the episode on Reddit. Just look for the Smashing Security subreddit. Oh yeah.
Carole Theriault
Anyway, go check it out. That's my pick of the week.
Graham Cluley
Sounds excellent, Carole. Yeah, fantastic. Yeah, Twitter.
Lisa Forte
I'm @LisaForteUK. Catch you on the flip side.
Lisa Forte
And tell me how quickly you annihilate humanity and then
Graham Cluley
Okay.
Lisa Forte
I can judge.
Carole Theriault
Okay. And once again, thanks to this week's Smashing Security sponsor, LastPass. Its support helps us give you this show for free.
Graham Cluley
Until next time, cheerio, bye-bye, bye-bye.
Carole Theriault
Lisa, you're great!
Lisa Forte
Oh cool, I had fun. I just laughed a lot.
Carole Theriault
You were awesome.
Graham Cluley
Carole, you say that you stuffed the envelopes yourself. I'm just thinking about—
Carole Theriault
Graham, did you stuff, did you put anything into an envelope?
Graham Cluley
I technically did not stuff the envelopes.
Carole Theriault
So then what's your problem?
Graham Cluley
Well, I did stick the names and addresses onto the front of them that I then had to put tape around.
Carole Theriault
Well, okay, because your Pritt Stick skills were not that great. Let's be honest here, Graham. It was like doing a job with a 4-year-old. Everyone with a 4-year-old knows exactly what I'm saying.
EPISODE DESCRIPTION:
The cybercrime lovebirds who hijacked Washington DC's CCTV cameras in the run-up to Donald Trump's inauguration, the truffle-snuffling bankers at the centre of an insider-trading scandal, and the hackers that Uber paid hush money to hide a security breach.
All this and much, much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Lisa Forte.