
Threat Sheet—Saturday, October 10, 2015

Imagine the temptation.

You’re leading technology at a fledgling car-sharing service. Your biggest competitor is valued at 24 times as much as your firm. Worse yet, that rival is a big bully.

Among other vicious practices, the company has been recruiting your drivers through a relentless poaching campaign. It has been blocking your entrance into new markets with cutthroat tactics, including, allegedly, repeatedly ordering and then canceling rides. It even has a name for the program: SLOG, aka “supplying long-term operations growth”—or else, “to wallop.” The objective? Apparently, to win. By any means necessary.

And then: a godsend. Your arch-nemesis has, unwittingly, publicly posted the private encryption key for an important database—one containing the personal information of its employees, er, contractors—on the code-sharing site GitHub. It has committed, as Dan Goodin, security editor at Ars Technica, describes, “the online equivalent of stashing a house key under a doormat.” In the event that you stumble upon that instrument of ingress, do you ignore the windfall? Play the Good Samaritan, and notify the company? Or do you strike, unlocking its proprietary secrets?

I am, of course, describing the feud between ride sharing services Lyft (your team, above) and Uber (the rival) circa spring 2014: around the same time that a hacker breached the latter’s database and downloaded as many as 50,000 of its drivers’ names and license numbers. The above is framed from the possible (and entirely unconfirmed) perspective of Chris Lambert, the chief technology officer at Lyft, who two sources say is believed to be associated with the cyber intrusion, according to Reuters. (Hey, if Aaron Sorkin is allowed to take such liberties…)

Lambert has yet to publicly confirm or deny the accusation, although a Lyft spokesperson has stated that the company investigated the matter “long ago” and concluded that “there is no evidence that any Lyft employee…had anything to do with Uber’s May 2014 data breach.” In the meantime, Uber has begun prodding Comcast to hand over information concerning an IP address associated with the incident that may reveal the identity of the perpetrator. Time will tell.

If true, it’s worth noting that the culprit did not gain access to the data, as far as anyone knows, by sending spear-phishing emails to people at the company, as the alleged state-sponsored hackers who breached Samsung-owned LoopPay likely did. Nor did anyone vengefully, to anyone’s knowledge, hand over login credentials to a hacking group, as the former social media editor Matthew Keys allegedly did. Uber left the keys under the welcome mat, so to speak. And an intruder used them to gain entry.

Seeing as I previously wrote about Uber’s newfound hacking prowess, I felt it’s only fair that I mention the possibility that Lyft has chops, too. But Fortune cannot say who is responsible for the deed. Indeed, the author has no privileged insight—as yet. Nevertheless, one does not have to strain to find a plausible motive for Lambert; the narrative that these sources have spun in the absence of hard evidence is a compelling one. Now let’s have the proof.

Before you read on, here’s a public service announcement to celebrate the second weekend of cyber security awareness month: Avoid posting your private encryption key in the public domain. You never know who will come a-knocking.

 

Robert Hackett

@rhhackett

robert.hackett@fortune.com

Welcome to the Cyber Saturday edition of Data Sheet, Fortune’s daily tech newsletter. Fortune reporter Robert Hackett here. You may reach me via Twitter, Cryptocat, Jabber, PGP encrypted email, or however you (securely) prefer. Feedback welcome.

THREATS

Lyft allegedly hacked Uber? Uber is seeking a subpoena of Comcast records to determine the identity of the user behind an IP address connected to its May 2014 data breach. Sources close to the matter believe the address is assigned to Chris Lambert, Lyft’s chief technology officer. (Reuters)

Chinese hackers breached Samsung Pay’s LoopPay. Attackers gained access to three computer servers at the Burlington, Mass.-based Samsung subsidiary responsible for a key part of the company’s smartphone payment technology. LoopPay learned of the breach in August, a month before Samsung Pay debuted in the U.S. (Fortune)

Dell may spin out its cyber security business. Amid its blockbuster bid to take over the much bigger tech firm EMC, Dell has confidentially filed for an IPO for its SecureWorks division, according to reports. Earlier reports have suggested that Dell’s cybersecurity business is valued at more than $1 billion. (Fortune)

Dow Jones hit with data breach. The publishing and financial information firm said that hackers gained unauthorized access to its computer systems, potentially exposing the contact and financial data for as many as 3,500 subscribers. The intrusion is likely a part of a broader campaign, CEO William Lewis said. (Fortune)

Journalist found guilty of hacking. Matthew Keys, formerly a deputy social media editor at Reuters, was charged on Thursday with helping to deface the website of the LA Times. He allegedly provided login credentials to members of the hacking group Anonymous. (Guardian)

Californian law advances digital privacy. The Electronic Communications Privacy Act will force state law enforcement agencies to obtain warrants any time they request metadata or digital communications from a business. California Governor Jerry Brown signed the document into law this week.

LogMeIn buys LastPass for $125 million. The remote connectivity firm based in Boston, Mass. is acquiring the popular password manager startup that suffered a security breach over the summer. Previously, LogMeIn bought Meldium, a LastPass competitor, for $15 million.


ACCESS GRANTED

Fortune senior writer Barb Darrow explains how Amazon Web Services physically protects its cloud.

“Cloud providers continue to fight the perception that a customer’s servers are inherently more secure sitting in a company facility than running in a cloud somewhere else. And that remains a hurdle to wider cloud adoption. But how many of those server rooms are encased by not one, not two, but three physical barriers equipped with card readers, video cameras, metal detectors?” Read the rest on Fortune.com.

TREATS

Dat Snowden bump. The whistleblower’s traffic hose. (Wired)

World War III. Russia, the U.S., Syria. (Popular Mechanics)

Democrats debate. No password necessary. (Fortune)

Meet “Digilantes”: Digital vigilantes. (Fusion)

Trump on cyber? Mum’s the word. (CSO Online)

FORTUNE RECON

5 things I learned at Morgan Stanley’s pre-IPO conference by Michal Lev-Ram

Make your beer taste better…with a tea bag? by Chris Morris

Amazon’s new Fire TV fails to sizzle, and here’s why by Jason Cipriani

Is the global economy headed for recession? by Chris Matthews

Who to watch at Fortune’s exclusive 2015 Most Powerful Women Summit by Patricia Sellers

ONE MORE THING

Introducing the Fortune Fantastical 27. Here are the top comic book businesses—as in imaginary companies—as ranked by Fortune. (Fortune)

EXFIL

“Uber allowed login credentials for their driver database to be publicly accessible for months before and after the breach.”

Lyft spokesman Brandon McCormick, issuing a statement on Monday about the ride-sharing service’s alleged hacking of rival car-sharing firm Uber. He added that the startup had investigated the matter “long ago” and determined that “there is no evidence that any Lyft employee…had anything to do with Uber’s May 2014 data breach.” Two sources told Reuters that an IP address linked to the incident traces back to Chris Lambert, Lyft’s chief technology officer, who has yet to make a public statement about the allegation. (Reuters)