In our latest podcast: the ride sharing firm Uber finds itself on the wrong side of a Florida Man story after paying $100,000 in hush money to a man from The Sunshine State who stole information on 57 million Uber customers. We speak with Katie Moussouris about how the company’s actions could affect the future of the young vulnerability disclosure industry. Also: with Bitcoin trading at $16,000 per coin, Wandera researcher Dan Cuddeford joins us to talk about mobile crypto-jacking schemes that hijack mobile devices to mine cryptocurrencies. And we invite Alan Brill of the firm Kroll back to discuss recent House of Representatives hearings on the future of authentication in an age of rampant data sharing and data theft.
Welcome to this, the 74th installment of The Security Ledger Podcast. Here’s what we have for you this week.
Part 1: Scrutiny on the bounty
In our first segment, we delve into the most recent travails of the ride sharing firm Uber, which has a well-earned reputation as a visionary and innovative technology company with a penchant for hubris and bone-headed management. Those latter qualities were on display in recent weeks as the company revealed that it withheld information on a hack involving the theft of data on some 57 million users and paid a Florida man responsible for the attack a $100,000 “bounty” with the understanding that he would keep his actions private.
That “bounty” sounded a lot more like hush money to us – and to others. So, to set the record straight, we invited Katie Moussouris in to talk about it. Katie (@k8em0) is the founder of Luta Security and a pioneer in the creation of bug bounty programs at Microsoft and, later, HackerOne. Katie said that Uber’s use of the term “bounty” to describe what looks more like a ransom or a bribe risks doing lasting damage to a healthy but still growing vulnerability disclosure industry.
Part 2: There’s (crypto) gold in them mobile phones!
With the price of a single Bitcoin hovering around 16,000 dollars, there’s a crypto gold rush to mine Bitcoin and a range of other cryptocurrencies by any means necessary. Increasingly, “any means necessary” encompasses illegal mining operations that run on hacked computers – a practice known as “cryptojacking.”
In this week’s podcast, we speak with Dan Cuddeford of the firm Wandera about one of the more interesting flavors of cryptojacking: schemes that use a network of compromised websites to hijack the mobile devices of unwitting phone owners and put them to work mining cryptocurrency.
Part 3: Authentication in a post breach world
And finally: experts testifying before the House Energy and Commerce Committee this month warned that the wealth of stolen and willingly shared personal data floating about the Internet is making traditional knowledge-based authentication schemes vulnerable to trivial hacks. But if knowledge-based authentication is going the way of the horse and buggy, what will replace it?
In our last segment, Alan Brill of the firm Kroll says that, while there are ways to prolong the usefulness of knowledge-based authentication, the future lies with biometric and device-based authentication, including facial and voice recognition software, as well as “Big Data” analysis, which will give companies ever more reliable measures of identity.