My father was a big influence so pardon me for referring yet again to an observation he made about someone who understood and embraced technology in the early years of desktop computers. My father marveled at this person’s ability to understand the intricacies of technologies and foresee how they could ultimately be harnessed for uses not yet imagined. What drove my father crazy was the tech genius’ push to adopt technologies that weren’t yet perfected and not ready for prime time.
“Dave (not his real name) is a genius,” was my father’s familiar refrain. “But he’s got no common sense.”
A lack of common sense was something I also witnessed when I did some advisory work at the MIT student newspaper called The Tech when I was a journalism graduate student. Without exception, every person I encountered was scary smart, capable of understanding ideas and technologies requiring an intelligence bandwidth way beyond my brain’s processing power. Yet many of them struggled with a very simple journalism concept known as W5, which held that every news story should address these elements: Who, What, When, Where, Why (and How). I learned there were sometimes advantages to not being so smart.
Reading up on Uber’s latest massive security breach, it became apparent that some common sense must urgently be applied to America’s IT and cybersecurity industries.
According to this New York Times story, a hacker claiming to be only 18 years old gained control of Uber’s entire IT system by claiming to be a corporate information person and persuading an employee to turn over their network login password. Kevin Reed, a Singapore-based Chief Information Security Officer (CISO), speculated on LinkedIn that the hacker then found highly privileged credentials lying in a file on a network share and used them to access everything, including Uber’s production systems, the console used to monitor and analyze suspicious behavior, and the company’s Slack management interface.
“This looks bad,” said Reed, who wasn’t convinced that a lone hacker compromised Uber but possibly “other, less loud parties.”
The hack could have gone undetected for quite some time, possibly forever, had someone not taken the time to introduce themselves on Uber’s Slack message system.
“I announce I am a hacker and Uber has suffered a data breach,” the New York Post reported the message as saying, as well as arguing that Uber drivers should be “better compensated for their work.” One employee told Fortune that the hacker posted a photo of an erect penis and the message “F— YOU DUMB WANKERS.”
Reading up on the Uber hack I was taken aback that an employee would give their login information to an unknown person identifying themselves in a text message as part of the corporate IT department. Turns out this happens with such frequency there is a technical name for the con: Social engineering.
“These types of social engineering attacks to gain a foothold within tech companies have been increasing,” Rachel Tobac, chief executive of SocialProof Security, told the Times. Tobac, whose company specializes in hackers’ use of social media to gain entry into IT systems, pointed to the 2020 hack of Twitter, in which teenagers used social engineering to break into the company. The Times said similar social engineering techniques were used in recent breaches at Microsoft and Okta.
“We are seeing that attackers are getting smart and also documenting what is working,” Tobac told the Times. “They have kits now that make it easier to deploy and use these social engineering methods. It’s become almost commoditized.”
My disconnect with Tobac’s insights is that if attackers are getting smart and documenting what is working, aren’t CISOs getting as smart or smarter documenting what isn’t working? Are tech people unfamiliar with the adage: Fool me once, shame on you. Fool me twice, shame on me?
I’m more dumbfounded by Kevin Reed’s suggestion that the hacker obtained privileged credentials lying on a network file share. Even I, a technophobe and easily among the dimmest consumer bulbs when it comes to technology, would never keep an electronic file with all my passcodes stored on my electronic devices. Moreover, if my cousin Rob, whom I wholeheartedly trust, texted me for password access to any critical technology function, I’d call him and give him the information verbally just to make sure it was him requesting the information.
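As an added, defender-side illustration that is not part of the article and not Uber’s own tooling, here is a small scanner that walks a directory standing in for a mounted network share and flags lines that look like the hardcoded credentials Reed describes, so they can be moved into a vault before anyone else finds them. The sample files and the credential patterns are constructed for this example.

```python
"""Flag credential-like strings in files on a mounted share (constructed example)."""
import os
import re
import tempfile

# Common ways secrets end up in scripts and config files. Assumed patterns,
# tuned for low noise rather than completeness.
CREDENTIAL_PATTERNS = [
    re.compile(r"(?i)\b(password|passwd|pwd)\s*[:=]\s*\S+"),
    re.compile(r"(?i)\b(api[_-]?key|secret|token)\s*[:=]\s*['\"]?[A-Za-z0-9/+_-]{12,}"),
    re.compile(r"AKIA[0-9A-Z]{16}"),  # AWS access key id format
]
# Only text-like files are worth reading; binaries are skipped.
SCAN_EXTENSIONS = {".ps1", ".bat", ".cmd", ".sh", ".py", ".txt", ".ini", ".cfg",
                   ".conf", ".yml", ".yaml", ".json", ".xml"}


def scan_share(root):
    """Return (relative_path, line_number, matched_text) for every suspicious line."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if os.path.splitext(name)[1].lower() not in SCAN_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    for lineno, line in enumerate(fh, 1):
                        for pat in CREDENTIAL_PATTERNS:
                            m = pat.search(line)
                            if m:  # report the first hit per line, then move on
                                findings.append((os.path.relpath(path, root), lineno, m.group(0).strip()))
                                break
            except OSError:
                continue  # unreadable file: skip rather than abort the whole scan
    return findings


def build_sample_share():
    """Create a constructed sample share: one risky script and one clean note."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "deploy.ps1"), "w") as fh:
        fh.write("$user = 'svc_deploy'\n$password = 'Example-Pass-123'\nWrite-Host 'deploying'\n")
    with open(os.path.join(root, "README.txt"), "w") as fh:
        fh.write("Deployment notes. Ask IT for access.\n")
    return root


if __name__ == "__main__":
    for path, lineno, text in scan_share(build_sample_share()):
        print(f"{path}:{lineno}: {text}")
```

Point it at a real share root and route the findings to whoever owns the file, since the fix is relocating the secret, not just deleting the line.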
Uber’s chief information security officer is Latha Maripuri, who’s received all sorts of favorable press and regularly appears on panels to discuss her cybersecurity expertise, including a Bloomberg Technology Summit held this past June. Maripuri earlier served as Global CISO and deputy chief technology officer at News Corp., which owns the Wall Street Journal. Earlier she worked at IBM, where her bio says she “helped shape” the company’s security division.
In fairness to Maripuri, I doubt any CISO could adequately protect a corporate IT system at companies where employees volunteer their login information to strangers. Uber’s “chief people officer” is Nikki Krishnamurthy, who last year was paid $10.7 million in compensation.
This isn’t Uber’s first major security breach. Hackers in 2016 gained access to the license numbers of 600,000 U.S. Uber drivers, as well as the names, email addresses and phone numbers of as many as 57 million Uber riders and drivers. Joe Sullivan, Uber’s security chief at the time and an erstwhile prosecutor, went on trial earlier this month in what is believed to be the first instance of an executive facing criminal charges because of a data breach. Sullivan allegedly paid off the hackers with a secret $100,000 settlement and failed to disclose the breach as required by law.
Unlike most legacy media reporters, I’m not readily trusting of prosecutors and their motives. For a taste of just how low they will stoop, read this 2013 Vanity Fair story by famed business writer Michael Lewis about the prosecutions of Sergey Aleynikov, a former tech executive Goldman Sachs accused of stealing computer code.
I’m not alone in my suspicions that Sullivan was unfairly made a fall guy for the 2016 breach and payoff. Uber’s CEO at the time was founder Travis Kalanick, who aggressively built and expanded Uber’s operations on the premise that laws were meant to be challenged and broken. Kalanick should be held legally responsible for the culture he created.
Sullivan wasn’t alone in failing to disclose a major data breach. Verizon, after acquiring Yahoo in 2017, discovered and disclosed that the social media company had been subject to a major security breach in 2013 that was far greater than former Yahoo CEO Marissa Mayer had previously disclosed. Mayer walked away with a $260 million severance package after Verizon acquired the moribund company she failed to turn around.
Uber CEO Dara Khosrowshahi, who last year earned $20 million in compensation, is the person who should ultimately be held responsible for the security breach. Uber’s official name is Uber Technologies, Inc., and it speaks poorly of Khosrowshahi that Uber’s IT system was so easily breached, particularly after the 2016 incident. Even without the breach, Khosrowshahi’s compensation was a disgrace. The company hasn’t had one successful innovation since he was named CEO five years ago.
Uber’s directors wouldn’t dare slay their golden CEO goose. Directors last year were paid between $310,153 and $647,511 to attend some meetings and chew on some bonbons I imagine were organic and locally sourced.
One of the directors was John Thain, who was paid $328,372. Here’s the skinny on Thain: After getting forced out at Goldman Sachs he was named CEO of the New York Stock Exchange, which went into an almost immediate and unrecoverable tailspin under his leadership. He was then named CEO of Merrill Lynch, from which he was fired amid allegations he distributed billions in bonus money despite the company racking up huge losses. When Thain joined Merrill, he spent more than $1.2 million renovating his office, which included the purchase of a $35,000 ‘Commode on Legs.’
I’m not a cybersecurity expert but here are my two ideas on how to dramatically curb breaches: Hire HR persons who can develop screens to identify employees who aren’t savvy enough to resist hacker “social engineering” and fire CEOs whose companies are victims of IT breaches.
Sometimes seemingly complicated problems can easily be solved with simple common sense.