THE UBER BREACH: HOW A 17-YEAR-OLD HACKED A FORTUNE 500 COMPANY | S1 EP3
He never could have done it by himself.
He couldn't climb the mountain.
He needed to have a friend.
He needed to have a team.
And if you have a good team as a CISO,
this will save the day.
On this episode, we take a ride back
to 2022 to investigate
the Uber breach,
where a teenager
with nothing more than a clever lie
and stolen keys
slipped behind the wheel
of a multibillion dollar company
and took it
for a joyride,
exposing its most guarded secrets.
No elaborate malware,
no nation state army.
Just a persuasive message,
a few whispered words,
and suddenly the doors swung open.
Every control, every alarm, every bright
line of defense faded into the rearview.
And by the time
anyone realized what had happened,
they weren't passengers anymore.
They were hostages.
Joining me on this drive into the dark
heart of social engineering is our guest,
Ori Stein, CISO at TrustNet.
Someone who's seen
how easily trust can become a weapon.
Ori, welcome to the podcast.
Before we hit the road,
can you tell us a bit about yourself?
My name is Ori Stein.
I'm in security for like 20 years.
So I started out as a practitioner
and with time
I went up to different roles
in cyber security.
And today,
I'm the CISO for Tama Group
here in Israel.
Great to have you with us.
Now let's begin the investigation.
We are in the midst of a ceaseless war,
not of bombs or bullets, but of breaches.
Firewalls and silent incursions.
The targets,
our borders, our banks, our commerce
and the critical infrastructure
that underpins a free civilization.
The enemy is cloaked in code,
fueled by greed, glory,
and a desire for chaos.
This is the story of the unseen
protectors, the nameless generals,
the CISOs,
chief information security officers.
They are the guardians at the gate,
watchers on the wall.
Ever vigilant and always listening
for The CISO Signal.
Uber was built like a modern day
fortress, resting on the shaky
foundations of a boastful business model,
all about disrupting the legacy
taxi licensing monopoly.
Uber's gates weren't made of steel.
They were constructed from code.
Its guardians were policies with names
like Zero Trust
and multi-factor authentication.
And inside those walls, many believed
they had planned for every contingency.
But there's one thing
even the best blueprints often forget
the people.
Not just insiders with keys,
but outsiders
who understand
how to make those keys turn.
In late 2022,
something slipped through
Uber's digital defenses.
Not with a battering ram,
not with malware, but with a message.
The kind that sounds helpful, urgent
and familiar.
What followed wasn't just a breach.
It was a gut punch to the tech world’s
assumptions about
what's secure,
what's safe,
and what a teenager can do
with the right words at the right time.
This is what happens when Uber
gets taken for a ride on The CISO Signal.
So what do you imagine was
going through Joe Sullivan's mind?
Uber's CISO,
the moment he first learned
of the breach,
and the teenager
taunting them
on their internal Slack channels?
I don't think that
the first time they knew
it was a teenager.
I mean, you get an incident,
as a CISO,
and we're talking about Joe Sullivan,
who's a very experienced CISO;
he used to work for the government.
And, basically, if you're a CISO for Uber,
which is a big company,
you don't really start
to think about your own,
I don't know, liability or whatever.
You just do it professionally.
You have playbooks,
you run your playbooks.
It's just like in every other incident.
Of course,
this one was big,
but you align yourself to your playbooks
and you start
an investigation.
Just cool-headed.
And then right away.
So I don't think it was panic.
It was professionally executed.
So back in 2022, Uber was already
a massive company
with tens of thousands of employees.
We're talking about 30,000
during the time of this breach.
What role,
if any, do you think
company culture played
in this security breach?
I don't think that there was
any kind of negligence
or security is not a big part
of the organization.
You have to understand
that in bigger organizations like Uber,
it's really hard
to tighten every bolt
that's in your network.
So as a CISO
you try to mitigate risks
and you can't have a policeman
on every user.
And the nature of the technology
is that
sometimes,
you need
to give access to the system itself,
and it needs high privileges to run.
And again,
you can't
make sure that every developer,
every security person
or every IT guy is following
the procedures.
And sometimes, you know,
you upgrade your systems
and the third party,
an integrator who's responsible
for those systems,
he might even just add
something that you didn't intend.
And that's why it's really hard.
You get thousands of events,
but one little event can
just be an incident in an instant.
We love making this podcast,
and we really hope
that shows in the care
and quality that we invest in it.
And we would really appreciate it
if you could take a moment to like
and share it with your fellow
security professionals,
as well as dropping us a comment,
letting us know what stories and guests
you'd like to have on the podcast
in future episodes.
Now back to the story.
Act 1:
A Fortress in the Cloud.
From the outside,
Uber was a fortress,
not of stone, but of systems;
not guarded by soldiers, but by software.
Behind its digital gates pulsed a global
empire: rides, deliveries, logistics,
all orchestrated by code,
all reliant on trust.
In 2022, Uber wasn't just a company,
it was a verb.
Tens of thousands
of employees, contractors and partners,
millions of users,
and billions of transactions.
Its backend spread across AWS,
Google Workspace, Duo Security,
OneLogin and more.
A sprawling ecosystem, interconnected,
interdependent and invisible.
But with size often
comes complexity, and with complexity,
cracks.
Uber, like many tech titans of San
Francisco, invested heavily in security:
penetration testing, bug bounty programs,
single sign-on,
two-factor authentication,
a sophisticated internal architecture
designed to stop threats at the gate.
What they didn't plan for
was someone already holding the keys.
At the heart of Uber's security
model was a belief in verification:
MFA, multi-factor authentication, designed
to stop unauthorized access
even if a password leaked.
If someone
got a hold of your credentials,
they'd still need a second check,
a push notification to your phone,
one final barrier between an intruder
and the kingdom inside.
But MFA has a flaw.
It depends on human behavior,
and humans get tired.
Enter a relatively new tactic
in the attacker's playbook:
MFA fatigue,
a method as subtle as it is relentless.
Here's how it works.
An attacker obtains a username
and password, often from a prior breach
or a sale on the dark web.
Then they flood the user's phone
with a barrage of MFA prompts, minute
after minute,
hour after hour, each one asking:
Do you approve this login?
It's not hacking
in the traditional sense.
It's harassment,
wearing down the willpower of a person
until they tap 'Yes'
just to make it stop.
This technique had surfaced
in scattered reports
targeting corporations,
nonprofits, and even governments,
but many still underestimated its power
or assumed
it couldn't happen here at Uber.
It started with a contractor,
young, likely undertrained,
possibly overworked,
one of the thousands
with access to the internal VPN,
someone who had credentials
that could be used but not,
it was believed, abused. Until they were.
What no one at Uber realized,
at least not yet,
was that someone had bought
this contractor's
login details and that someone had a plan.
Not a virus, not malware, just a script,
a strategy, and patience.
The attacker didn't go
for Uber's firewalls,
didn't launch
zero days, didn't
exploit technical vulnerabilities.
They targeted a person
and they waited
for the moment that person
let their guard down.
Uber had spent billions
to keep bad actors out, but in the end,
they didn't need to break in.
They only had to be let in,
and soon they would be.
So with a company the size of Uber,
the number of alerts
that are coming in on a daily
basis is going to drown
an inexperienced
SOC team,
and the vast majority of those alerts,
of course, are just false alarms.
They're going to be forgotten
as quickly as they pop up.
But there's the wisdom
that comes with experience
and the knowledge
that one of those alerts one day
could potentially explode
into an incident
that's going to take down
the entire company.
What is the weight of that responsibility
like for you personally as a CISO?
Yeah,
that's why
you try to do a lot of training.
You try to do awareness
and it depends on your team.
If you have a good team,
you kind of get the feeling of
what's the baseline for your company.
You know,
events are coming in every time.
There are a lot of false positive events.
You kind of know
when there's something that is different.
A good SOC team knows
the difference between,
you know,
a benign event
and something that looks like
'this shouldn't be that'.
This is something
that we need to look into
because it looks a little bit different
than we’re used to.
And the good SOC team
will flag such an event
and get on it really early.
And that will usually prevent an event
from being an incident.
Interesting.
So there's almost like a little spidey
sense that tingles when you're like,
something doesn't look quite
right about this.
Exactly. Yeah.
It depends also,
you know,
on the seniority of
the SOC team that you have,
they need to know
the business,
the applications,
the network, the infrastructure.
And if they're really good,
they kind of get the...
The ‘spidey sense’ that something is amiss here
something is wrong.
It shouldn't be. Let's have a look at it.
Whereas the vast
majority of these incidents,
you're just like,
okay, that's just a typical issue
that we're dealing with.
We know that we can dismiss it
and move on to the next.
Yeah.
I mean, if you didn't
fine tune your systems
and you get ten thousand events
every second,
there's no human who can say,
yeah, that's a little suspicious.
So you need to fine tune
every system and every new system
that gets onboarded.
You need to see that
it reports
to your Security Operations Center.
And then it comes down to the people;
the people are
the most important part
of your security team, because they
have got the eyeballs on the events.
And if they know the organization,
they will flag it really soon.
And that's the key.
Again, prevention is ideal,
but detection and response are a must.
It began the way
so many breaches do:
not with a bang but a ping.
The contractor, name unknown
to the public,
forgotten by the company
they briefly worked for, was under siege.
Not by malware,
not by a brute force attack,
but by the sound of his phone buzzing
again and again and again.
Each alert was the same.
Approve login?
Yes or no?
Push notifications
designed to protect
now turned into weapons of attrition.
Uber's
security system
had been carefully
calibrated to assume the best:
that a second check
would stop an intruder cold.
But it hadn't accounted
for something
more dangerous than malware... exhaustion.
And then, as the MFA fatigue
wore on, the attacker made their move.
A WhatsApp message
appeared: professional, polite, concerned.
"Hey, this is IT.
We've noticed some login anomalies.
Need your help to resolve them."
No menacing threats, no broken English,
just reassurance.
The kind of social engineering
that doesn't raise alarm bells
but dismantles them.
The attacker wasn't hiding
behind a mask or code.
They were playing a role, one that felt
helpful, human, trustworthy.
They told the contractor
how to approve the login
request, explained
how to
resolve this issue,
and nudged him through the steps.
And eventually he tapped 'Yes'.
At that moment,
the attacker's access
was no longer hypothetical.
It was real. They were inside.
But this wasn't a smash and grab.
This was reconnaissance
inside Uber's network.
The intruder took their time.
Navigating through VPN-protected systems,
scanning shared internal folders, and there,
among routine scripts and config files,
they found it: a single PowerShell script,
harmless on the surface, but embedded
inside, hardcoded
administrator credentials.
A relic from a rushed deployment?
A shortcut by a dev who meant well?
No one knows,
but the result
was catastrophic nonetheless.
With those credentials, the attacker
didn't just have access, they had power.
They moved laterally, quickly,
precisely.
First the domain controller,
the brain of Uber's internal network;
then Duo Security's
admin panel, where MFA policies
could be manipulated;
OneLogin, Uber's identity provider;
and AWS, where
backend infrastructure lived.
And then finally G Suite,
the digital home
of Uber's corporate memory. Vaults
of sensitive information,
live dashboards, engineering roadmaps,
private communications, everything now
within reach,
and all of it obtained
without writing a single line
of exploit code.
This wasn't a technical marvel.
It was a con job.
A 17-year-old, yes, 17,
had maneuvered through one of the world's
most well
defended corporations
using only persistence, intuition
and charm.
But here's the twist:
even as the attacker elevated privileges,
moved through systems
and exfiltrated data,
Uber still had no idea.
The alarms hadn't gone off.
Security teams weren't mobilized,
no blinking red
lights on a dashboard somewhere.
Just silence.
Because the breach hadn't
come through a firewall.
It had walked through the front door,
held open by someone
who thought they were being helpful,
and behind that open door,
the real show was just beginning.
So if we're looking for a prevention
versus detection
sort of analogy here, I'm
going to use a popular culture
reference, one of my favorite
all time books and movie
series, Lord of the Rings.
And I've got to think it's better
to have Legolas
and a bunch of elves
up on the castle parapets
with bows and arrows,
taking out orcs
from hundreds of yards away
instead of Aragorn
and Gimli taking on the orcs
after they've already breached
the castle gates.
Whoa, that's awesome.
That's awesome.
I mean,
Frodo who held the ring
he was always challenged with,
you know,
something bad is going to happen.
He's going to fall to the ring.
And yet, his friend... Sam
pushed...
pulled him
just at the last moment.
He said, get to your senses.
And this is a good CERT team
because again,
you're always on this edge telling, yeah,
something's going to happen.
And then comes the person who saves the day.
yeah,
every CISO needs a Samwise Gamgee
by their side.
Yeah. Sam. Sam.
Yeah. That was his name.
Yeah. Yeah, exactly.
And that's again,
he never could have done it by himself.
He couldn't climb the mountain.
He needed to have a friend.
He needed to have a team.
And if you have a good team as a CISO,
again, this will save the day.
The secret to a CISO's success
is having a fellowship around them.
Oh, that's nice... a fellowship.
That's the...
Yeah,
not many companies have the luxury of a
full-blown SOC in-house.
You're many times even dependent on
outsourcing,
MSSPs,
which don't know the business.
I think
it comes down to knowing these systems,
the networks, the applications, the users
and the business that you’re in.
Act 3:
The Keys to the Kingdom.
Inside Uber,
nothing looked out of place.
The dashboards hummed,
the metrics ticked
forward, and engineers
sipped coffee and filed tickets.
The business of disrupting the world
continued uninterrupted.
But beneath the surface,
deep in the veins of the system,
a silent intruder had taken root,
not lurking, exploring. Their credentials
now carried the full
weight of an Uber admin.
Not a rogue user,
not a glitch in the matrix.
An actual keycard
blessed by the system
and waved past every security gate.
Most intrusions rely on stealth.
This one relied on legitimacy.
Every login,
every query was authenticated, verified,
and approved
by Uber's own identity systems.
No flashing alerts,
no intrusion
detection sirens
because as far as the software
was concerned,
the attacker
was actually who they claimed to be.
And so step by step,
they wandered through the architecture.
They accessed the company's
internal SharePoint
drives, its Slack channels, its
AWS control panels.
Some systems had additional protection,
some were left wide open.
In one internal document,
the attacker discovered
credentials that hadn't yet
expired,
and in another, access tokens
for third-party services.
Each new discovery
peeled back another layer.
Each door opened,
revealed another hallway,
and then, in the blink of a cursor,
they found it.
HackerOne, Uber's private bug
bounty program,
a platform
where researchers quietly
submit vulnerabilities
where engineers
fix holes before bad
actors can find them.
A digital confession booth for security.
So the attacker logged in and read,
and read,
and read: unpatched vulnerabilities,
zero-day exploits,
blueprints to Uber's most sensitive
weak points,
handwritten by white
hat hackers who trusted
they'd remain secret,
now in the hands of someone
who wasn't here to help.
Screenshots were taken, documents
downloaded, and exploit
details cataloged.
It was a breach of terrifying symmetry.
A hacker
stealing the secrets of other hackers,
some of which could be weaponized
against Uber
or sold to the highest bidder.
But this was never about subtlety,
not anymore.
Because next, the attacker moved
to Slack,
Uber's digital watercooler,
a place where projects are born,
jokes are traded, and product
launches are quietly celebrated.
And in the middle of a routine afternoon,
the attacker introduced themselves.
They posted under the handle
"Uber has been hacked",
not just one message.
Several. Screenshots,
credentials, dashboards,
admin panels
all shared in a company wide channel.
The screenshots weren't faked
and they weren't vague.
They were precise,
damning, and unmistakably real.
Some employees assumed it was a prank.
Others
thought it might be
an internal security test, but it wasn't.
The attacker was showing their cards.
They were flexing.
And behind the scenes,
Uber's security team
began scrambling,
slowly at first,
then with a rising sense of dread.
The scale was incomprehensible,
the scope unthinkable.
The attacker had gotten into places
that should have been unreachable.
They bypassed systems designed
by some of the most advanced
security teams in the world,
and they'd done it without malware,
without ransomware,
without deploying a single exploit.
They'd done it with psychology. A text,
a push notification,
a moment of human vulnerability.
By the time Uber began containment,
the attacker had already burrowed
deep into the core.
Access was revoked,
systems were locked
down,
credentials rotated,
but the damage was done.
What began
with a tired contractor tapping ‘approve’
had now exploded into a full scale
security incident
that spanned departments,
platforms and continents.
A teenager,
17 years old, had paralyzed a tech titan,
and he was only just getting started.
Do you think
it's possible
that a more strategic,
multi-factor authentication configuration
could have changed the outcome for Uber?
If you look at the event basically,
it was a social engineering event.
So, you know,
there's this scam going on for decades.
The Nigerian scam.
Yeah.
So you get this email saying
I'm a prince from Nigeria.
I just inherited a lot of money
and I need your help.
There's no way
a technical
solution
can prevent this kind of stuff.
Because if I come to you and say
I'm doing really bad
and can you help me out with $1,000
and you give the person
the thousand dollars,
then there's no technical way
to prevent something like this.
Only, you know, it's awareness
and talking to the users
and educating the users
that this shouldn't happen.
So social engineering
is really hard
to combat in technical ways.
It's only possible
to do it with awareness
and the person itself.
In the Uber case he did good.
I mean he didn't...
He got bombarded with requests to accept
an authentication...
he didn't do it, but
The attacker contacted
the same person over
I think it was
WhatsApp and just said, I'm
from the helpdesk.
And isn't it true
that your phone is getting bombarded
with MFA requests?
So yeah, sure. Yeah. It's happening.
You know,
we know exactly what the problem is.
You need
just to accept it
once and we will take care of the rest.
That's the attack
and the attacker got in.
So what are your options
in this kind of case?
So you do try to layer your defenses.
So someone got in
using a social engineering attack.
So let's make it harder
for them to move laterally
you know inside the system.
And they had great
layers of defense.
But then you come again
to just a little mistake.
And that little mistake
was having credentials hardcoded
in code that were accessible to everyone.
So that's the next question.
Why is storing hardcoded
credentials in scripts
still such a common failure point?
Sometimes it's the technical limitations.
Sometimes it's
just to upgrade the system.
And then we will,
you know, erase it...
and then you kind of forget about it.
And sometimes it's
just to make life easier.
Security is hard,
even for administrators.
And you have so many systems
to take care of and people
like to automate their jobs.
So why not run a script
that does it for you?
The problem is that
if you don't think in the risk level
and you say, okay, I'm doing it
for convenience
or to be faster and not do it
every time manually,
you need to think about the risks.
And many times
these kinds of risks
don't even come to the CISO.
It's a risk that that same IT guy,
who's not a security guy, or DevOps,
who's not a security person,
will assume.
And here lies the problem.
These are not security guys,
and they don't think in terms of risk.
They think in terms of productivity
and giving the business
what it needs to get it going
or to keep it going.
So as someone who builds
global security programs,
what's your take on
how Uber
could have spotted
lateral movement sooner, if at all?
So again,
it comes down to defense
in depth, or layered defense, okay.
So you need to make sure,
you need to think about risks.
So what happens
at every point of interaction,
how a bad guy can get
inside your network.
And lateral movement is really,
it's really challenging to defend against,
because usually companies
have a hard outer shell,
but inside is squishy.
That's just the reality.
You know, you have legacy tech,
you have the new systems,
you have complex systems,
and you can't really separate
internal network from everything.
Because again, you try to be productive.
It's really hard to balance
productivity with security.
So from the outside,
you always want to have the hard shell.
And from the inside
you try to mitigate risks.
And the reality is you can't do it
every time for every system.
And that's why it's hard
to prevent lateral movement.
Again, it comes down to detecting;
detection is key.
If you're able to detect lateral movement...
you cannot prevent it,
but if you detect it
then you are able to respond.
In this case,
they just used
usernames and passwords.
They were clear text.
So they just logged in as a regular user.
And you can’t differentiate
your administrators from the hacker
if they got high privileged access.
What's your take on the fact that
this attacker,
it seemed wasn't interested in
ransom, wasn't interested in destruction,
was just kind of interested in gloating
and making it very public very early on.
I mean, on the Slack channels,
they were taking screenshots.
They reached out,
I think, to The New York Times
letting everyone know.
I mean,
they could have hung out quietly inside
for some period of time
and gotten information
that they could have profited from.
What do you think about that?
I think that
the group, the sponsor of the person,
was Lapsus$, and Lapsus$ is
kind of the teenage,
let's call it teenage, very knowledgeable.
But they're teenagers, basically,
and they just want to be on the news.
They want to be the 90s hackers.
Like, I want to see what I did
affect the real world and just be on the news.
WOW! I managed to breach Uber.
That's a cool story
I can tell my friends over
slack channels.
Yeah, I did it.
Yeah, I'm responsible for it.
And I don't think they are really,
like those hardcore gangs
that are looking to make a lot of money.
It was more like a reputational thing.
Listen, I'm part of the group and look
what I did.
Act 4:
The Ghost in the Gears.
The building blocks of any modern company
are made of code:
APIs, tokens, dashboards and credentials.
Invisible scaffolding
that powers everything
from logins to logistics.
And Uber had plenty of it.
Layers upon layers of systems
and services
and third party integrations.
A digital skyscraper
built on the speed of ambition.
But no matter how tall the structure,
no matter how clean the code,
the foundation is always human.
And now a ghost moved through
that foundation,
uninvited, unseen, and unstoppable.
What began
as a quiet infiltration
had exploded
into an open parade of compromise,
one system after another,
waving the attacker through as though
they were wearing an Uber badge
and a company-issued hoodie.
He pivoted across environments, from
AWS to G Suite to OneLogin to Duo.
He touched the domain controller,
the security consoles,
the internal admin
tools once reserved
for only the most trusted employees.
He didn't need to guess passwords,
and he didn't need to brute force logins.
He had the golden ticket
granted not by force, but by faith,
because somewhere along the way,
trust had become the soft
underbelly of cybersecurity.
A helpdesk request, a name
that sounded familiar,
a tone that sounded
just convincing enough.
That's all it took
to turn an ordinary employee
into an unwitting accomplice.
But the attacker didn't stop at access.
He wanted an audience,
and now he had one.
After his messages exploded into Uber's
internal slack, engineers
began investigating.
They followed the trail
of breadcrumbs: screenshots, logs, unusual
access patterns,
and then they saw it.
Live sessions
opened under legitimate accounts,
console commands issued from IP addresses
that didn't match
any known employee. Access was revoked,
passwords reset, tokens purged.
But it was like slamming the brakes after
driving off the cliff.
The attacker had already
exfiltrated documents,
internal communications and bug reports.
He'd broadcast his presence
like a warlord announcing a siege.
And with every screenshot shared online,
Uber's internal chaos became external
theater. News outlets pounced.
The word
‘hacked’ lit up
headlines from Silicon Valley
to Singapore.
Whispers of an inside job.
Speculation of state-sponsored actors
and fingers pointed at foreign adversaries.
But the truth was more unsettling.
It wasn't a nation state.
It wasn't ransomware.
It wasn't even a team.
It was a single teenager
operating alone, using free tools
and communicating through public
apps and cloud based platforms.
No war chest, no zero day exploit,
just social engineering, luck,
and a disturbing level of competence.
And as investigators
started connecting the dots,
a familiar name emerged from the shadows,
Lapsus$,
a hacking collective known more for chaos
than cash,
a group that traded infamy like currency.
And this breach
fit their signature perfectly. Loud,
brash, and very public.
Whether the teenager was
a full fledged member or simply inspired
by them remained unclear,
but the effect was the same.
Uber was now the latest trophy
on the Lapsus$ wall.
Internally,
a war room was assembled
and engineers
worked around the clock,
scrubbing logs, tracing access paths,
cataloging every compromised system.
Externally, Uber tried to calm the storm.
A public statement was issued.
It confirmed the breach,
but stopped
short of revealing
how deep the attacker had gotten
because at that point, even Uber wasn't
sure. The attacker moved like a phantom.
They touched everything and left digital
fingerprints
on nearly every pane of glass.
And he'd done it
not with sophisticated
malware or a $1 million exploit,
but by exploiting something
far older than any technology.
The human instinct to help.
So when a breach gets this
public this fast,
what are the stakes
for security leadership?
Wow, Uber, such a big company,
such a big footprint.
And they have so much data, regarding
public data, you know, sensitive data.
They have driver's licenses.
They have so much data, GPS data.
I mean,
this is really as a CISO,
this is your main responsibility
to safeguard this data.
And if you look at it, the stakes here,
yeah, they were pretty high, they are significant.
And Joe knew exactly the responsibility,
what he has to guard.
So you mentioned
certainly
the private data of the drivers,
the private data of the company
and the routes
that they're taking,
the private data of the consumers
who, you know, I'm
guessing there's credit card information
and there's all sorts of additional data
that way.
So once a hacker has access to that,
there's all sorts
of potential repercussions
and costs there.
But it certainly damages their brand,
the trust
that they have with the public.
How do you, as a security
professional deal with that?
The thing is that I think
for Uber,
there was an ongoing investigation
for another incident.
The FTC, they had an investigation ongoing.
So now think of the CISO.
You know,
your company is already
under investigation
and there are going to be repercussions.
And then you have to deal
with another incident even bigger.
You know,
what do you say to the regulators?
How do you...
you can come forward and say, listen,
we have another incident. Yeah.
While the first one is not even concluded.
So there's immense pressure,
immense pressure.
And I mean also from the business, I'm
pretty sure it wasn't said.
But there's pressure,
because regulation is always a
business risk, and the potential fines.
So just imagine
if you have one investigation going
and then you have a second.
You don't even know...
It can bury your company.
And I think the CISO did what he thought
was best to protect the company.
The reputation.
So as a CISO,
you've got that
glorious ‘C’ in your title.
But unlike the rest of the C-suite,
you've got some
unique legal liability
and exposure issues.
What are your thoughts on that?
That's right.
Yeah, the challenges are immense.
The pressure is immense.
You're always
thinking about the worst cases.
And even then if something happens,
you get thrown under the bus
because you kind of... your title
says you're responsible for security.
And again,
you can't defend
against 100% of all the events.
So since the Uber breach,
the role of CISO has evolved
in regards to the expectations
for public facing transparency
and obviously the regulations
have also changed.
Can you speak a bit about the evolution
and the pros
and cons associated
with CISOs and transparency?
It's so interesting,
because every incident is also,
it's like a different beast.
Every incident has its own life.
It's a little bit different.
And the issue of transparency
is also something
that kind of depends on the culture.
And again,
if you're a publicly traded company back
then, if you are transparent,
you might hurt your stock,
if you're too transparent.
Today we got a regulation
that said you need to report
after 72 hours.
But back then
if you were transparent enough,
it could backfire. Yeah.
And most of the time, again,
if there's a big incident,
you don't really know all the details,
you don't really know what happens.
And being too transparent
can actually hurt you.
Right. Absolutely. Yeah.
If being transparent means
that the stock takes a tumble
and all the
shareholders and the board
are banging at your door
saying, what are you doing?
Yeah, you've got communications
people who are there
and PR people who are very carefully
managing the message that goes out.
It's
a very challenging situation. In PR,
every word is getting dissected.
The context really matters.
There are companies
where you see the breach notification,
then you read it,
and it's just basically
blah blah blah
because some lawyer wrote it,
some generic stuff.
Yeah, we're looking into it.
You know that they're not transparent.
Transparency needs to be:
we had an incident.
Yeah.
We are actively investigating it
and we're doing all we can.
We have teams.
And you're exposing
not exactly what you're doing,
but the process.
There was a big cyber
event from a third party,
Kaseya, which is
a big
service provider for many companies.
And they got popped,
and
because it's like a third-party attack,
they manage networks
for many companies.
And the CEO went on camera on YouTube
and just spilled it out.
We messed up.
It is our fault.
We are doing everything we can.
We didn't want it to happen,
but it happened.
And now we're doing A, B, C
and this kind of transparency, you know,
you got so much help
just by being out there
and being truly, truly transparent.
And, you know, big companies said
we will help you with no charge.
But again, it depends on the company.
If you're publicly traded, it
depends on the stakes
and the risk levels.
Yeah,
I've heard from several CISOs basically
the best course of action
is to be as honest as you can
and as transparent as you can be,
because in many situations
you have attackers
who, if you aren't honest,
they will come out and contradict
you with the truth
just to make you look bad.
And nothing looks worse
than being attacked,
being exposed, and having an attacker
publicly shame you by saying
they're not being honest.
And here's the proof
that they're not being honest.
The attackers are even smarter than that.
They will say,
if you don't pay us or whatever,
we will report you to the SEC.
Let's say
if you're a public company,
we will report you to the FTC
or to any regulatory body,
we will do it for you.
We will file the incident request.
You’re not doing it,
and you either pay us the money
or we're going to go to the regulators,
and then it's going to be known
that the hacker reported
you for the breach.
Act 5: The Mirror Test.
In the days
that followed, Uber's breach
became more than a headline.
It became a mirror
held up not just to one company,
but to an entire industry.
Because if they could be breached,
a tech titan
built in the heart of San
Francisco, fortified
with layers of security vendors,
backed by billion-dollar budgets
and a battalion of engineers,
then who couldn't?
The question wasn't
how the attacker got in.
That part was already clear.
He tricked a human.
He found a script.
He escalated privileges.
He walked right through doors
that were supposed to be locked.
No, the real question was
how many other companies
were holding their doors
open for hackers as well?
The Uber breach didn't expose just Uber.
It exposed the assumptions
we've all been making.
That 2FA is enough
that VPNs are secure,
that if you just buy the right tools,
compliance will turn into protection.
But as Uber's internal report
would later reveal,
the attacker
didn't succeed
because defenses were weak.
It succeeded
because defenses were predictable
and because trust between employee
and IT,
between tool
and credential, between company and cloud
was treated as an asset
instead of a liability.
In the aftermath, Uber
did what most companies do
they reset passwords,
they audited access logs,
they partnered with law enforcement,
and they promised
it wouldn't happen again.
But in a quiet corner
of that chaos, somewhere inside a now
hardened Slack channel
or a quarantined server,
a deeper realization took hold.
The enemy had changed.
It wasn't just foreign governments
or blackhat syndicates anymore.
It was kids.
It was hobbyists.
It was threat actors
who didn't want money.
They wanted mayhem.
Not ransomware, just reputation.
And when you're playing defense
against someone who's not after profit
but attention,
the rulebook goes out the window.
The attacker behind
the Uber breach was reportedly traced
to a British teenager,
17 years old,
allegedly connected to Lapsus$,
the same group
behind breaches at Microsoft,
Nvidia and Samsung.
A boy
not yet old enough to vote
who walked past Uber security
like it was a bead curtain.
He didn't break in.
He was let in, and once inside,
he danced through their systems,
leaving behind not destruction,
but a message.
Security, he seemed to say,
is not a product.
It's not a dashboard.
It's not a checkbox on a compliance form.
Security is a mindset.
And Uber, like many others,
had been too busy building fast
to build deep.
Their engineers were brilliant,
their infrastructure expansive,
but their defenses,
they were built for a different
kind of war.
The kind with perimeters,
the kind with rules,
the kind where you can tell who's inside
and who's out.
But this wasn't that kind of war anymore.
This was post-perimeter, post-trust.
A world where your weakest link
isn't your firewall.
It's your colleague,
the well-meaning employee
just trying to finish their shift,
respond
to one last message,
approve one more login request.
And so Uber joined a long and growing
list of companies
forced to confront
the uncomfortable truth.
We've architected our digital empires
on a foundation of assumed trust,
and all it takes is one clever
whisper, one misplaced click, or one 17-year-old
with enough nerve and time
to bring it all to its knees.
So if you were advising
Uber's security team post incident,
where would you start?
Oh, that's a hard one.
And again,
we were talking about hindsight.
In hindsight,
everything, you know,
kind of looks great and rosy.
I think if you dissect the incident
and you try to boil
it down to the root cause,
the root cause was social engineering.
That's where it started.
And I would say that
the focus
of the security program
should shift to the person,
to the employees, to the workers,
and focus on user awareness.
Don't forget,
you know, since Covid,
people are working remotely
and it's even harder
to vet someone who is a remote worker
who you don't see,
you don't have physical access.
So he can just
pretend to be someone else, or
he can get paid to leak
sensitive data,
because the help desk has,
you know, more access
than a regular employee.
By the way, Coinbase
just had an incident.
Coinbase is like a big crypto company
who had this exact incident.
Hackers contacted the help desk
and gave them money
to disclose information
about their customers.
They didn't even have to breach Coinbase.
They just asked the help desk
with access to internal systems
“Hey give me information.”
So speaking of weak links,
how does this event reshape
the way that you think
about vendor sprawl
and Software as a Service visibility?
There's a whole industry
trying to solve this problem right now.
There's no way you can vet
third parties
to have the same security posture as you.
It's almost impossible
because how it works today,
if you have a critical vendor,
you send them out
security questionnaires
and they fill it out,
and then you kind of file it and say,
okay, let's pray.
Because, yeah,
I mean,
you don't have the visibility
into their systems
to see if something bad
is happening on their side
that might affect me today.
Most
companies are reliant on third
parties, just as companies
are reliant on remote work.
Again, it's an industry
wide problem with no solution.
Okay, so let's look at another facet
of the modern
threat landscape
and sort of psychology over tech.
What's your take on
social engineering versus
technical exploits today?
I would say social engineering
is the easiest way.
I mean, you can do user awareness,
but then you need to think about,
you know, user onboarding
and offboarding, and your security program
needs to go over
the same topics
that address fraud and social engineering
every time.
Basically,
you need to have a program
that runs through all those risks
constantly.
Security is one part of the business.
Users or employees are getting bombarded
with every kind of message.
You have sexual harassment,
physical security, fire drills,
and then you have the security awareness.
If you need to do it
correctly, it should be microlearning,
so the employee doesn't feel like he's
getting bombarded with, like,
"do this
half-hour
security awareness program"
where you go to sleep,
or just click play
and leave the screen and come back
just to get your 100%.
You need to build
your security awareness program
in the way
that it should be engaging enough
for the users, for them
to recognize what's in it for me.
Why should I care about security?
Because these kinds of attacks
are really easy to execute,
and they have a big impact
on our company.
So how do you build a culture
that resists attacks like that?
You try to make it
less painful for the user.
You've still got your phishing tests
that kind of shoot
for the whole company.
But then you try to focus down
on the individual in the company.
So then you do
like let's say marketing team.
You send them over a short video
1.5 minutes
regarding specific risks
for the marketing team.
And then you take the finance team
and you talk about fraud,
that they're responsible for...
And so you need to tailor
your awareness program
to the employees
and what they're doing,
what their business function
is, almost personalizing
the security awareness,
almost getting down to the individual.
Of course, you cannot do it
for every employee.
But sometimes we do user awareness.
We do talks.
We have learning breaks
where you specifically
can focus on the topic.
You bring in outside
security professionals who can talk.
We as professionals
like to talk about EDR (Endpoint Detection and Response),
you know, all this technical stuff.
So bring someone in who talks
at the level of just a plain, simple user
who doesn't understand security.
And you do
the workshops,
you do some interesting stuff.
You hand out fliers
saying, listen, think before you click
small messages.
You need to do it in many different ways,
but you need to be consistent
so the user gets a feeling.
Security is important.
It's something strategic
for the company.
It's not just,
let's do it just to check the box.
And if you get to
this level, where you can come and touch
the individuals,
then you're on a good track.
Do you think that incidents
like this
breach change the board's
expectations of CISOs?
What the board wants to know, basically,
they will ask a CISO,
"are we secure?"
But that's not the correct question.
The question should be
are we managing risks?
That's the correct question.
Or let's say
the correct answer from the CISO
should be
there's not 100% security,
but we are managing the risks.
And the risks are specific
for the company.
So if you are embedded as a CISO,
you know your company.
You know
what makes your money,
you know the critical systems
and you have a good security program
that guards all those risks.
Then you can come to the board and say,
we are
managing the risks at the level
that it's good enough for our company.
And if there is something missing,
you need to come forward and say, listen.
In order
to reduce the risk to acceptable level,
you need to invest X, Y, Z.
But you as a board need to tell me
what's the acceptable level of risk.
And this is the hard part.
Boards and management.
They can’t quantify risk.
It's really hard
to quantify cyber as a risk because again
thousands of events
and one of them can be the event
that will shut you down.
So right now, out there
somewhere, is the CISO
who will get caught up
in the next massive public breach,
whose company or organization
will be in the headlines
for all the wrong reasons.
What blindspots should CISOs
be paying attention to today
to make sure
they're not in the headlines tomorrow?
I think today, in this environment,
the blind spots are the cloud.
It's a big blind spot because, again,
if you're on-prem,
you have the security team,
your SOC team,
you have eyeballs on everything.
In the cloud, it's a different game.
Usually, who runs the cloud?
They are not even security.
It's developers
who run the cloud,
and you don't have
visibility as a security team
into what's happening
in the cloud.
The second thing is what the attacks
today are based on.
You have a lot of integration
of applications
that talk to one another using APIs.
And again, it's code-based.
If someone hardcoded an API key,
it's really hard to find such a weakness.
And the attackers
are just stealing
the API keys
and basically logging in
or doing whatever they want.
It's really challenging today.
There's a phrase
in the security community
that says hackers
don't try to breach you.
They log in,
they just steal your cookies.
Everyone is using browsers;
if you're in the cloud you're using a browser.
And if I'm able to steal your cookies,
I just take them and I can log in,
even if you have multifactor
authentication.
Ori,
thank you very much. It was fantastic.
I'm so grateful to have you on
the show. It was a great conversation.
Hey, listen, Jeremy,
it really was a pleasure
meeting you, talking to you,
and what you're doing is really awesome.
I really hope that this thing gets
like a rocket...
After the Fall.
Cybersecurity
often feels like a game of upgrades.
Stronger firewalls, tighter
policies, new acronyms, new vendors,
a never-ending race
to stay a few steps ahead.
But sometimes it takes a breach
not just of systems,
but of confidence
to realize the race itself
might be flawed.
Uber's breach wasn't
the work of a nation state.
It wasn't some high tech siege
with zero days and cyber weapons.
It was something simpler,
something human.
A teenager with a gift for imitation.
A company that trusted too quickly
and a culture that,
like so many others,
confused access with security.
The tools worked as designed.
The alerts went out,
the systems responded,
but by the time the rules kicked
in, the intruder had already
rewritten them.
We want our villains to wear masks
and wield code like sorcery,
but the truth is,
the most dangerous attackers
aren't magicians.
They're illusionists.
They make you look over here
while the real damage happens
somewhere else.
In Uber's case,
the breach began with a push notification
and ended with a post in Slack.
Somewhere between those two points,
a billion dollar
security stack was made irrelevant
by a few lines of PowerShell
and a well-timed message on WhatsApp.
And yet, this story isn't about Uber.
It's about what happens when we assume
we are safe,
when we mistake complexity for strength,
when we forget that the hardest problems
don't live in code, they live in people.
Because you can't patch human nature,
you can only prepare for it.
Design around
it, and build systems
that expect failure instead of
just hoping to avoid it.
The Uber breach didn't
expose a flaw in the system.
It exposed the system.
And so we must remain vigilant
and always listening for The CISO Signal.
All episodes are based on publicly
available reports, post-mortems,
and expert analysis.
While we've done our best
to ensure accuracy,
some cyber security incidents
evolve over time
and not all details have been confirmed.
Our goal is to inform and entertain,
not to assign blame.
Where facts are unclear,
we've used cautionary language
and we always welcome your corrections.
Thanks for listening to The CISO Signal.
