The way they are disclosing this is pretty disgusting, in my opinion. Go check out their info page about this[1]. In bold it says:
> No bank account numbers or Social Security numbers were compromised, other than:
Then below that, in non-bold, it basically says "oh, except for these 140,000 social security numbers and 80,000 bank account numbers" - which is the primary reason folks are worried about this!
To me, the first thing you are going to see is "No bank account numbers or Social Security numbers were compromised" in bold letters. Which is completely false and misleading. Technically they are telling the truth, but the way they've done it is clearly meant to be misleading.
On top of that, I'm a Capital One customer myself, and I can't figure out how to find out if I was affected at all!
But those 140k and 80k numbers are their own bullet points that I feel make them stand out more than the bold line. I feel like this is clear enough.
This is obviously anecdotal, but that was not my personal experience. I was getting ready to go to bed last night when I saw this and grabbed my tablet to see if I needed to worry. This bolded bit was the first thing I saw, and I immediately thought "hm, must have been over-exaggerated, no SSNs were exposed". Now I obviously read on and saw the bullet point, but for someone skimming this, it's not at all obvious.
But further, why even word it that way? It was clearly done intentionally. There's no need for this to be presented in this way other than to intentionally try to mislead. Why not just say, in bold letters "140,000 social security numbers and 80,000 bank account numbers were compromised". Or say it "The following were compromised".
I'm not sure I agree. The ", other than:" portion was also bolded, and the line
> We will notify affected individuals through a variety of channels.
Gives me some confidence the very small subset of individuals who should be worried about those much more exploitable leaks will be informed and offered assistance.
But as another Capital One customer I'm quite irked I can't just query a simple page to find out what data of mine was leaked, if any.
> hacked into a cloud-computing company server, federal prosecutors in Seattle said
> the cloud-computing company, on whose servers Capital One rented space, wasn’t identified in court papers.
Does this feel like it was just an S3 bucket with permissions set incorrectly? I've come across sensitive documents in S3 buckets with a well crafted google search.
Misconfigured WAF - see my comment elsewhere here.
Correction: according to the complaint, the defendant is alleged to have assumed an IAM role in the context of Capital One's account whose policy provided access to the S3 bucket in question. So it wasn't that the S3 bucket was public, but rather, that there was some vulnerability she took advantage of by which she obtained indirect credentials to it.
Might have been an SSRF exploit if the WAF was accepting parameter values that were then used to expose IAM credentials via the EC2 metadata service. See https://ejj.io/blog/capital-one for a good write-up.
> The largest category of data stolen was supplied by consumers and small businesses when they applied for credit cards from 2005 through early 2019, the bank said. It included personal identification data, including names, addresses, phone numbers and dates of birth, and financial data including self-reported income, credit scores and fragments of transaction history.
> About 140,000 Social Security numbers were accessed, as well as 80,000 bank account numbers from credit-card customers, the bank said.
I haven't yet read (all of) the complaint but I presume it goes into even more detail than the article did.
Actually looks like she worked for Amazon on S3. So there might have been some insider knowledge. From the complaint below, and by googling her name, you can find her resume.
I know that reading the actual linked content on HN is verboten, but the Bloomberg story says
"Thompson was previously an Amazon Web Services employee. She last worked at Amazon in 2016, spokesman Grant Milne said. The breach described by Capitol One didn’t require insider knowledge, he said."
“Didn’t require” is a very precise way of stating a truth about the vulnerability that was exploited, while neither confirming nor denying whether her role at Amazon was in some way responsible for her discovering the vulnerability.
(If I could query all AWS permissions for publicly exploitable permissions, that would comply, for example.)
Do you consider an access control misconfiguration to be a vulnerability? Does Amazon?
Point stands; they’re being very careful to say that there aren’t any CVEs, but they are also very carefully not saying whether she abused the privileges of her role to identify misconfigurations more rapidly than she could have otherwise.
Detailed knowledge of a system gives you all kinds of knowledge about how to exploit it. You don't need special access if you know X% of users misconfigure feature Y.
It's not about knowing that X% are misconfigured, it's about whether special access or circumstances led to locating them more efficiently than the general public could have.
Special access can make the difference between "locating X% of misconfigured users in a single admin panel query" and "locating X% of misconfigured users by scanning every S3 bucket in existence without being caught".
Or to draw a weak analogy, knowing that a closed-source PRNG algorithm is defective does not necessarily help locate all keys generated by it, but having access to force it to generate numbers for you (or to study its source code) absolutely does help.
The parts about Amazon were added later, after the article was originally published. Maybe they read HN and found her GitLab account like was posted below before this was published. Most of those news sites back referral link lists.
I feel modern CV is a little clumsy. Especially how it handles columns. You like this better? The example provided I don't love, but I'm not a designer, it looks good enough I think.
I use it too. I think it looks good enough, definitely better than my last horrible-looking resume. It seems to work well with a bit more text compared to many.
If you put data in the cloud, make sure you encrypt with keys only you have even when they promise all sorts of assurances of oversight and process in addition to “we use AES”.
This right here. Take away any outsider's ability to access things. I also feel AWS and the rest should be able to notify you when files untouched en masse for years are being accessed, and it should set off alarms like crazy. If not acted upon then it's the issue of whoever got those emails.
You can. It's CloudWatch. Also at least put these things in Glacier so you have some time between the download request and when they get the file, to hopefully stop it.
Pretty much doubt there'd be much insider knowledge; guessing in 2015 an L4 (entry) systems engineer is going to be pretty much spending 80% of their time building new regions by hand...
Only facing up to 5 years apparently. I wonder if that will change over time. Considering her hack is worse than what Aaron Swartz hacked (not PII) I can't believe she only gets 5 years.
IANAL, but I believe part of the issue is that breaching a hundred million records is one data breach, but exfiltrating a few thousand journals is one infringement per journal.
In point of fact, the prosecutor on Swartz's case (Stephen Heymann) had previously authored an article describing how the Internet age allowed crime to scale, enabling hackers to commit thousands of criminal acts per second. It's my personal belief that Heymann wanted to use Swartz's case as a validation of this belief.
(Source: The Idealist: Aaron Swartz and the Rise of Free Culture on the Internet, ISBN 978-1476767727)
I think the minimum to be considered an IDE, you need to be able to edit, possibly compile depending on the language, and run/debug from within the same tool. By this loose definition, I've joked my most used "IDE" would be bash. I can edit with vim, compile/link with make/gcc/ld, and debug using gdb or run my bins directly.
I mean it's an integrated development environment in that I can access all of my tools from one centralized location, the bash shell, but certainly not integrated in the sense that I have a GUI that hides the nuances of commands of various tools behind menus and friendlier non-command-line names and making it appear that the half dozen or so tools are a single entity.
I also use Visual Studio for Windows development and I've been switching between VS Code and PyCharm for Python development.
But are git and svn an IDE? No. They are both merely source control management systems.
My point was going to be that these are concepts and protocols rather than programs, and that you would use an actual program (eg TortoiseGit) to actually use it.
But then I read your comment and realised in *nix the program is actually called "git". So I concede :-)
Some S3 eng accidentally dropped a big chunk of the servers that were the s3 equivalent of an hdfs nameserver, ie mapping blob name to location info, as part of an unrelated config change.
While attempting to recover, the s3 team discovered and/or decided the nameserver needed a full restart. That's when they discovered the info in the nameserver had grown so large since the last full restart years previous that it took far longer than expected to restart the nameserver. Right around that point in time my guess is they realized just how shit their morning was going to be. And their afternoon.
Somewhere in there, they realized that their health dashboard depended on s3 working.
Though to be fair, as an aws customer, we -- along with the rest of internet -- were well aware that stuff was badly broken.
I feel terribly for whoever did this, because IIRC, he or she just fat fingered part of a command in a standard playbook, and the config script had no safeguards. I personally took down a company you've heard of in the exact same way; I knocked all pops off the internet because the config script had a hard requirement around certain values that was neither communicated to me nor checked. And I was trying to figure out wtf I did to a system that I was not particularly familiar with while receiving forwarded texts from the CEO about cascading datacenter down alerts.
Just taking the company dark and being personally embarrassed. There was no punishment, though there was a lot of teasing. Also spending 4-ish weeks cleaning up the mess that was made.
Likely referring to the February 28th, 2017 S3 Service Disruption in the Northern Virginia (US-EAST-1) Region, for which Amazon published a postmortem at https://aws.amazon.com/message/41926/
Per the complaint, it doesn't sound like the bucket was exposed to the world. Rather, security credentials were "obtained":
> Capital One determined that the first command, when executed, obtained security credentials for an account named XXXX-WAF-Role, that in turn, enabled access to certain of Capital One's folders at the Cloud Computing Company.
Unsure how one would obtain credentials for an IAM Role, but the above is verbatim from the complaint.
* edited to reflect this is lifted from the complaint, not indictment.
> Unsure how one would obtain credentials for an IAM Role, but the above verbatim from the complaint.
You use your own credentials and issue an API call to do it. If you're using the AWS CLI, it's "aws sts assume-role".
We do something similar with our accounts. You can place a restriction on the role that an MFA token must be used while assuming the role, so this allows you to give out longer-term credentials to your devs/admins that can then be used (with an MFA token) to assume a more privileged role.
The role itself needs to be configured with a trust relationship that allows for this, and many roles are restricted to AWS services (i.e. you are authorizing an AWS service to assume the role--not a specific user). I've never used WAF before though, so I'm not sure if it's typical for the WAF role to have that trust relationship or not.
It's possible an STS token was obtained using the role. If you're not monitoring where those tokens are issued to and used from, you're gonna have a bad time.
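The monitoring the comment above asks for, as an added example that is not part of the thread and is not Capital One's or AWS's tooling: it runs offline over a constructed CloudTrail delivery and applies two rules. First, temporary credentials issued to an instance role are being used from a source IP outside that role's known egress networks. Second, such a session starts enumerating (ListBuckets, GetCallerIdentity) instead of touching the one bucket the role exists for. The role name `example-waf-role`, the account ID, the access key ID and every IP address are made up for the sample.

```python
"""
Added example, not from the thread and not Capital One's or AWS's code: detect
instance-role credentials being used from somewhere they should not be, and an
instance role that suddenly starts enumerating, over constructed CloudTrail data.
"""
import ipaddress
import json

# Hypothetical inventory: where each instance role's credentials may legitimately
# be used from (e.g. the NAT gateway egress range of the VPC the instances live in).
ROLE_EGRESS = {
    "example-waf-role": [ipaddress.ip_network("203.0.113.0/24")],
}
# Calls a single-purpose instance role has no business making.
ENUMERATION_CALLS = {"ListBuckets", "GetCallerIdentity", "ListRoles", "ListUsers"}

# Constructed sample trail, in the {"Records": [...]} shape CloudTrail delivers.
# Record 1: normal use from the VPC. Record 3/4: the same access key reused from an
# address outside the VPC, first to list all buckets, then to read objects.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2019-03-22T18:00:01Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "203.0.113.17",
     "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLE000001",
                      "arn": "arn:aws:sts::111122223333:assumed-role/example-waf-role/i-0abc"}},
    {"eventTime": "2019-03-22T18:00:02Z", "eventSource": "sts.amazonaws.com",
     "eventName": "AssumeRole", "sourceIPAddress": "ec2.amazonaws.com",
     "userIdentity": {"type": "AWSService", "invokedBy": "ec2.amazonaws.com"}},
    {"eventTime": "2019-03-22T18:04:10Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "sourceIPAddress": "198.51.100.9",
     "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLE000001",
                      "arn": "arn:aws:sts::111122223333:assumed-role/example-waf-role/i-0abc"}},
    {"eventTime": "2019-03-22T18:04:11Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "198.51.100.9",
     "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLE000001",
                      "arn": "arn:aws:sts::111122223333:assumed-role/example-waf-role/i-0abc"}},
]})


def role_from_arn(arn):
    """arn:aws:sts::<acct>:assumed-role/<role-name>/<session-name> -> role-name."""
    resource = arn.rsplit(":", 1)[-1].split("/")
    return resource[1] if resource[0] == "assumed-role" and len(resource) > 1 else None


def analyze(trail_json):
    """Return a list of findings; each is a dict with rule, role, key, ip, event, time."""
    findings = []
    for rec in json.loads(trail_json)["Records"]:
        ident = rec.get("userIdentity", {})
        if ident.get("type") != "AssumedRole":
            continue
        role = role_from_arn(ident.get("arn", ""))
        if role not in ROLE_EGRESS:
            continue
        base = {"role": role, "key": ident.get("accessKeyId"),
                "ip": rec["sourceIPAddress"], "event": rec["eventName"],
                "time": rec["eventTime"]}
        try:
            ip = ipaddress.ip_address(rec["sourceIPAddress"])
        except ValueError:
            ip = None  # "AWS Internal" or a service principal, not a client address
        if ip is not None and not any(ip in net for net in ROLE_EGRESS[role]):
            findings.append(dict(base, rule="credentials-used-from-unexpected-ip"))
        if rec["eventName"] in ENUMERATION_CALLS:
            findings.append(dict(base, rule="instance-role-enumeration"))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_TRAIL):
        print("%(time)s %(rule)s role=%(role)s key=%(key)s ip=%(ip)s %(event)s" % f)
```

Detection is the backstop, not the control: the same expectation belongs in the role's policy as an `aws:SourceVpc`/`aws:SourceIp` condition, so a token lifted off the instance is worthless elsewhere, and GuardDuty has a finding type for exactly this pattern (instance credentials used from outside AWS). Note also that the sample key starts with `ASIA`, the prefix of temporary STS credentials, which is how you tell a leaked role session from a leaked long-term `AKIA` key in a trail.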
I recall a newbie dev at our company some years back accidentally posted creds in code to GitHub. I have talked about this here before - but - we had paid for 200 repos... Problem was he made a new repo, which became 201 - which since we had only paid for 200, GitHub auto makes the next one public. Bots slurp these and hunt...
They used those creds to launch like 1700 GPU machines across the globe for a bitcoin mining network...
The culprit was from Germany...
We got it cleared and AWS forgave all the charges.
It doesn’t matter. There is never a reason for credentials to be anywhere near your repository. If you’re running locally, you should have your credentials in your home directory (via aws configure). If you are running your code on AWS either on an EC2 instance, lambda, or Docker you should be using the role associated with the execution environment.
Every SDK that I have used lets you use a constructor without a parameter and can get your credentials from the config file/role.
I know, this was a few years ago, and these types of practices were still being developed out in the greater community (Lambda didn't exist yet, Docker was still nascent, etc.)
I’m sympathetic in that a lot of people started learning this on the fly but that was widely recognized as bad practice even before Amazon was founded and various patterns for doing it right were widely established.
(If anyone needs me, I’m busy feeling old after remembering having this conversation with a new PHP developer in 1998)
Given that they're on AWS and "The intrusion occurred through a misconfigured web application firewall that enabled access to the data", that's what I'm betting too.
Well, if it was a misconfigured WAF (which usually is just a reverse proxy with mod_proxy) to an application then you would not need to gain access to any Tokens, etc. all you would need to do is gain access to the server. Or be able to use that WAF as a proxy to gain access to other http bound resources?
From there any IAM role access the underlying server had, you would now have as well. And that would work with any sort of access (don't need root, etc.)
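The SSRF-to-metadata path the comments above hypothesise (it is a guess; the complaint quoted in this thread does not say how the credentials were obtained), as an added example that is not part of the thread and is not Capital One's or AWS's code. A server-side fetch that accepts an attacker-chosen URL, whether in a WAF or the application behind it, can be pointed at the EC2 instance metadata service, which sits at a fixed link-local address and, on an IMDSv1 instance, answers a plain GET with the instance role's temporary keys. The block shows the bug beside the allow-list check a fetcher should apply before connecting; the function names and the encodings tested are my own choices.

```python
"""
Added example, not from the thread and not Capital One's or AWS's code: an open
proxy that reaches the EC2 instance metadata service, and the target validation
that refuses it (including the encodings attackers use to dodge naive string
matching on "169.254.169.254").
"""
import ipaddress
import socket
from urllib.parse import urlsplit
from urllib.request import HTTPRedirectHandler, build_opener, urlopen

# EC2 instance metadata endpoints (IPv4 and IPv6).
IMDS_ADDRS = {
    ipaddress.ip_address("169.254.169.254"),
    ipaddress.ip_address("fd00:ec2::254"),
}
# Once the proxy reaches IMDS, this path lists the role name; appending the name
# returns AccessKeyId / SecretAccessKey / Token for that role.
IMDS_CREDS_PATH = "/latest/meta-data/iam/security-credentials/"


def vulnerable_proxy(url):
    """The bug: fetch whatever the client asked for, from inside the VPC.
    Given http://169.254.169.254 + IMDS_CREDS_PATH this hands back the instance
    role's credentials. Kept here only as the 'before' half of the example."""
    return urlopen(url, timeout=5).read()


def _literal_ip(host):
    """Parse host as an IP literal. Raises ValueError for real hostnames."""
    if host.isdigit():                      # http://2852039166/ (decimal IPv4)
        return ipaddress.ip_address(int(host))
    if host.lower().startswith("0x"):       # http://0xa9fea9fe/ (hex IPv4)
        return ipaddress.ip_address(int(host, 16))
    addr = ipaddress.ip_address(host)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped             # http://[::ffff:169.254.169.254]/
    return addr


def _resolve(host):
    """Every address the host maps to; an empty list means 'fail closed'."""
    try:
        return [_literal_ip(host)]
    except ValueError:
        pass
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return []
    return [ipaddress.ip_address(info[4][0]) for info in infos]


def is_allowed_target(url):
    """Return (allowed, reason). Only http/https to globally routable hosts; the
    metadata service, loopback, RFC 1918, link-local and other special ranges
    are refused, and a host is refused if ANY of its addresses is special."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed: %r" % parts.scheme
    if not parts.hostname:
        return False, "no host"
    addrs = _resolve(parts.hostname)
    if not addrs:
        return False, "unresolvable host"
    for addr in addrs:
        if addr in IMDS_ADDRS:
            return False, "instance metadata service"
        if (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified):
            return False, "non-public address %s" % addr
    return True, "ok"


class _NoRedirect(HTTPRedirectHandler):
    """An allowed host can answer 302 Location: http://169.254.169.254/...; each
    hop would need re-checking, so simply refuse to follow redirects."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def hardened_proxy(url):
    """The fix: validate the target, then fetch without following redirects."""
    allowed, reason = is_allowed_target(url)
    if not allowed:
        raise ValueError("refusing to fetch %s: %s" % (url, reason))
    return build_opener(_NoRedirect()).open(url, timeout=5).read()
```

Two residual gaps a practitioner should know about: validating a hostname and then letting the HTTP client resolve it again is a DNS-rebinding race (connect to the address you validated, or pin it), and the real mitigation on the instance side is IMDSv2 (introduced after this discussion), whose session token must be obtained with a PUT and a hop-limit-1 TTL that a GET-forwarding proxy cannot produce.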
No way...I don't remember hearing about this. You mean changing the URL from like /data/customer/1 to /data/customer/2 ? And the person who did this was prosecuted? Jeez.
But sounds like she's an engineer that used to work in aws, specifically S3. If true, seems likely as she would have insider knowledge of existing attack vectors and possibly vulns. Maybe even using something we discovered while on the job.
If this is true, this is a great reason for people to stop using S3 or to start doing daily bucket audits. Or you know, not store PII in the cloud poorly.
You could be costing some unfortunate woman her job here man. Kind of like when that lady cop broke into that black guy's apartment and blew him away. Then all these people on social media started posting pictures of his coworker on social media and almost cost the woman her position at PwC.
We should try to be a little more responsible than that.
I think you're overreacting. Their name is public, and I didn't link to the public profile, nor did I say the public profile was the person in question. Only that if it is them, then having a work history of AWS adds an interesting dimension.
Wasn't her name that the parent comment referenced originally posted in the news article? If that's the case, I would blame the news article and not the parent. Especially since they said "could" and not "yep, that's her".
-Paige left code used in the "attack" on her GitHub.
-Paige left text files with unencrypted data there, too.
-Paige openly posted about it in an open (!!!) Slack channel and publicly named her VPN service of choice, which of course, matched access logs AND GitHub server logs. (Also tor, which the FBI agent was able to confirm and add yet another data point)
-Paige said "I have a leak proof IPredator router setup." nice.
It says she posted on "social media" (Twitter) about it, claiming to have Capital One information, "and that she recognizes that she acted illegally".
Nothing about Opsec here. She basically asked them to arrest her. Probably had some of the usual motivations: "look at me I'm clever", "look at this stupid big company with bad security", or maybe used the opportunity for some political thing with banks. Not the sophisticated hacker type. But who knows.
Edit: originally I asked about her Github profile listed in the complaint as paigea(5x * characters)thompson but was iffy on whether that was okay on HN.
Interesting note that she comments that they skipped 3 for the fan values. Seemingly an oversight for the fact that these fan values of 1,2,4 indicate that it is probably a bitfield with each bit indicating a fan speed.
Almost certainly deactivated/seized and part of evidence. With some googling you can find her Keybase and other pages aplenty if you like. Almost all her content is scrubbed from the Internet, however.
(this person's original comment was asking for her github profile)
Heh, not even close. I know several individuals who should be in prison for their cyber crimes. But the fact is, not only have they never been caught, the victims probably don’t even know that anything happened.
There is such a lack of talent out there right now in the cybersecurity industry that it’s very easy for criminals to slip around undetected. You’d have to be a total idiot to get caught, or catch the attention of someone really motivated to catch someone.
Mostly people call me by my first name and I do the same to most people (likely more to men than women, if I had to guess). People call Edward Snowden by his last name because it's unique and catchy.
Theo de Raadt is often just called "Theo" here for similar reasons. Rarely if ever have I seen him called "de Raadt" on this forum.
Your comment is unfortunately typical of drive-by Internet outrage these days.
Sorry to be pedantic, but this is merely a complaint. This is the initial document used to get an arrest warrant. An indictment is returned by a grand jury.
Interesting. She ran three commands - the first downloaded IAM credentials and the second then listed buckets using those credentials.
I'm curious about what the first command could have been
Also this all unfurled after a report to their security line from someone monitoring gists - that public feed as well as text dump sites have always been a good source of new vulnerabilities
A lot of crime would go unsolved if people just kept their mouths shut. There's a human tendency to need to talk about things you've done, I guess, especially stuff that will get you "street cred".
A news-source I won't mention, because it's trash, did a full stalk of her on social media, and she seemed to be in an _erratic_ state of mind, but maybe that's just her personality.
Instead of focusing on the lady involved, perhaps holding Capital One accountable for their part in the matter may be a better thrust to this thread.
While it might not be okay to instigate such breaches, we might also consider it the actions of a whistleblower. Especially given the unusual way she went about disclosing things.
Sure, perhaps there is a little bit of hey look at me about it, but at the bottom of the trough it is actually the corporation that has ultimate responsibility.
I look forward to a statement from Capital One of regret that they allowed the breach to happen and will strive for better standards of security.
And that is actually a message for the entire industry.
If I came across an s3 bucket with my credit application details and I could delete it, I would probably do it and then report to their security team. It’s MY data security they’re being casual with.
It occurs to me now that if I did that it would likely be a crime because of the harm to the company. The irony.
Who cares if it has your data in it or not. Just report it to authorities and the guy who runs haveibeenpwned.
Plus what are you going to do with credit card applications anyway? Sell them to a marketing company with some phony story? Or the 'sell them on the darknet to fraudsters in Russia' angle? Unless you're already involved in some dirty business already this isn't very valuable.
I think the point is: unless the hacker is already aware of how to sell PII of this nature and how to move "good money" then a hack like this is for naught.
Reading the mistakes made in the hack itself makes me wonder if black markets and money laundering are a skill they possess.
I think you could just sign up on one of the onion drug/fraud markets for ~$500 vendor deposit and put up a listing for those profiles at like $5-10 a pop.
If you were lazy you could just hit up an existing vendor and ask them to sell your data in batches.
I’m not saying this would be a good idea, but it certainly wouldn’t be very difficult.
Then Capital One will find out immediately because banks hire firms to watch darknet markets. JP Morgan discovered a breach when they found data being sold on one of those forums and that was years ago.
This will just intensely increase the scrutiny of where the data came from and they'd likely be caught anyway, unless they did a very clean job security-wise. Which very few people seem to be able to do when the feds really want you.
Moving to Russia or another country without extradition treaties would probably be a good first step of that plan.
I operate under the assumption my name, address, email, social media profiles, social security number, place of birth, and mother's maiden name are all easily available in the wild. I've bought one of those online background checks before, at the very least I can be confident the info on that report is available to anyone.
In the UK this would definitely open you up to the Computer Misuse act, and I imagine the police would have something to say to you about evidence tampering too.
Having wide open access to customer details with full ability to read/write on the open internet..? That seems like it should be stretching the Computer Misuse Act too far, but yes, you're right.
Whats funny to me about this statement is it would propose an interesting legal question in the EU due to GDPR. You certainly do have your right to delete it there.... Despite it being unconventional.
Why am I finding out about this from the news and not an email from Capital One themselves? I wish there was legal liability to inform customers in the event of a data breach.
They are legally obligated, especially in California, to disclose part or all of this breach to customers. But that obligation is not immediate. Give it some time.
According to the Daily Mail article linked above, they've known since mid-July. They could have issued a statement today if they wanted to. I can understand why they didn't do it earlier, to minimize the number of press cycles with their name attached to this incident.
But if this were my credit card company, I would be pretty irked to be finding out about it weeks after the company knew, from the news.
If this is the case, they should have had an announcement ready to go for yesterday. The absence of a response makes it seem like either they’re not taking the incident seriously enough, or they still don’t know the full scope and want to delay their announcement until then.
The problem with AWS (and other cloud providers) is that it's nearly impossible to properly configure an environment because of how many different methods there are to gain access to resources.
Capital One has been all in on AWS and has dedicated an immense amount of time and money to developing systems for managing their AWS resources (Cloud Custodian for instance) and yet they still couldn't protect their data. What chance is there that anyone else could?
The whole point of moving to a cloud provider is to allow the quick setup and deployment of new projects/products as well as trying to limit your costs. With that sort of open-ended system, unless everyone is always thinking security first and okay with the inevitable slowdowns associated with a highly locked down system, then you will more than likely always run the risk of this sort of situation.
Having everything locked down by default on AWS/Azure/GCP would go a long way to improving the security of the internet. Centralisation isn't healthy, but at least these companies could make a credible impact on data security by pushing the mentality.
> The whole point of moving to a cloud provider is to allow the quick setup and deployment of new projects/products
There is nothing approaching quick setup and deployment at large banks.
Not Citibank, but previously worked for a financial firm that sold a copy of its back office fund administration stack. Large, on site deployment. It would take a month or two to make a simple DNS change so they could locate the services running on their internal network. The client was a US depository trust with trillions on deposit. No, I won't name any names. But getting our software installed and deployed was as much fun as extracting a tooth with a dull wood chisel and a mallet.
This is my experience with one very large bank, but from speaking with others that have worked for/with other large banks, their experience has largely echoed mine. They tend to be very risk averse with external IT products, such as deferring critical security updates because they can't be sure what it could break and also likely don't have end to end tests for critical systems that could cost a lot of money if the upgrade fails.
I know this first hand, because you don't always know or understand what's going on in 3rd party systems. I once screwed up a 3rd party system hosted on site. I was testing an upgrade on a dev server. Part of it involved schema changes, and I had dbo rights on both production and development servers. The hidden part that I didn't realize is that the 3rd party tool stored DB settings in your Windows roaming profile. So, because we only had 1 Windows AD domain and no other network separation, even though I was on a dev box, I was talking to the prod DB. Didn't even realize it (wasn't directly evident unless you dug deep into settings) until I started getting calls from my users, complaining of errors. This was on the 3rd of July in the US. By the time I figured out the issue, it was about 3-4am on the 4th of July.
Had to make the call of rolling forward or back. But, the supplied installer was missing some packages, so couldn't complete the install. If we rolled back, an entire day's worth of tedious work by a 10 person team would have been lost. Worse yet, the tool was used by traders in Europe who were about to start their day. Being early in the morning on a US holiday, I couldn't reach their support. Couldn't even get hold of their EU support. I was on the phone with my boss, his boss and the head of back office at the wee hours of the morning on a holiday.
Decision was made to hold off on doing anything until we could talk to the vendor on the 5th. Ended up rolling forward and completing the install, but I was nearly shitting myself. We were handling somewhere around 25B USD notional in bank debt for several days (which caused huge issues in PNL - profit and loss - reporting for several business days) that we could take no action on.
Thought for sure I was going to be fired. But, in the post mortem, I explained everything, and it was agreed that while I shared some blame, the totality of it wasn't my fault and that because I had diagnosed it and fixed it in the most timely manner I could, I was ok. IIRC, I think the only real remediation we took to prevent a similar mishap was to disable roaming profiles on the dev server and delete all existing profiles on the dev servers...
Yep, sounds like a bank to me. I worked at one of the big 4 for 6 years (way too long, I know) and the experience was horrible. It once took us a full year (no exaggeration) to get a single server allocated...and my group was actually one of the well funded teams
Funding wasn't a problem for the client in my story. They were happy to spend money. I think the initial contract was for X million USD that would have covered something like 5000 support hours on our end (was based on time spent, not per incident) and then after, it was like 300 USD per hour.
Separate project, I know I was billed out at 500 USD per hour 10 years ago. That was working with an exchange. Initially a joint venture, my company decided to divest itself. We sold all the source for the system that we developed and they'd be running to the exchange. We clearly documented our "build" process and requirements. The core part of the system (and as far as I know the only part that ever went live) was a Python app that used very specific modules, but we also had some patches that were submitted upstream, but not yet in public distributions. So, we were very explicit that you need exactly these versions of Python, these explicit versions of the libs and you need to apply our patches to the libs. We had also only developed and tested on a specific version of Linux, and made the indication they should use the same, or we couldn't guarantee the software.
Well, we handed all of the source and documentation to the exchange. They, in turn, hired an outside consulting group. For the life of them, they could not get it to work. First question asked was: did you follow the instructions? Response was "of course, do you think we're idiots?"
The assertion that they followed the instructions exactly sent me down around a 3 week debugging session, attempting to reproduce the issues they were having in our office. Starting from scratch and the exact instructions I had written up for them (I was the only author of the Python app that was failing), I could not reproduce the issue.
After 3 weeks of back and forth, escalations on all sides and some thinly veiled accusations of sabotage, I went on site, sat down with the consultant, told him to start from scratch and show me what he'd been doing.
First thing I notice is that he installs the latest version of Python, and latest version of all the extra libs we needed. He'd completely ignored all of our instructions despite telling us the exact opposite!
It took all of 15 minutes to identify and correct the issue. Ended up billing close to 40K USD in support because the contractor didn't follow instructions and, well, lied (intentional or not) about having done so. Never heard a peep about it from management about the hours or questioning the resolution, and as far as I know the exchange paid the bill without question, even in the height of the aftermath of the 2008 crash.
Are there AWS experts who can do some sort of quick audit or "sanity check" of an environment's configurations? AWS almost makes it too easy for someone who only sort of knows what they're doing (like me) to get things up and running.
There are many different automated systems for checking for misconfigurations in your AWS organization. Capital One even developed a very popular one (Cloud Custodian). Like most automated configuration checkers or monitoring systems they rely on being configured by experts because at their default settings they are mainly a source of annoying alerts that end up auto-filed to email folders you never look in because this is agile and we can rationalize the alert rules in the next iteration (we won't). They can also auto apply actions. Have fun debugging your CloudFormation stack that failed because the automated checker system terminated the instance without notifying anyone because it was missing a required tag.
As useless as these checkers are, the main problem is that there are so many different ways to gain access to resources that it's almost impossible to have a system that's useful to the business while also provably secure either manually or automatically.
AWS locks everything down by default. As far as I know, there is no direct way through the GUI to make a bucket public, you have to know how to add the JSON policy and even then you get a very noticeable warning.
Basically, no. AWS is flexible enough to let you set it up in any complicated way you want, meaning it gives you plenty of rope to hang yourself with. It's arguably much easier to audit a random Linux box for security than an AWS account.
I don't know that there's a "quick audit"; there are too many vectors for any single professional to check. You'd be best served by using an auditing or monitoring solution. Even then, you're really just auditing _known_ vectors, as it's likely impossible to cover all possible ones.
I used to work on an auditing and monitoring platform, there really are too many vectors.
Generally it's not a good idea to sabotage your employer's clients, but I wonder how many engineers across the Big 3 US cloud providers have the know-how to exploit holes in how Fortune 500 companies use their platforms.
I'm an Amazon employee here - but my words don't represent the company.
Internally we also talk to AWS support. They absolutely don't have much visibility into our accounts at all - much to my frustrations. They only see metadata - even for internal accounts.
The only teams that have some access to such information are the security team, or whoever you grant access to explicitly via the standard AWS auth mechanism (IAM).
If you include professional services in that list then the number is quite high. Also, keep in mind that many AWS services are composed of other AWS services, and in that composition there are services and infrastructure operating within AWS to manage it. All of that will operate on some type of maturity curve and sometimes be backed by an alarmingly small team.
That of course doesn't mean you won't get hacked, but there's at least some evidence that the service is operated in accordance with AWS control standards, which are generally quite good and should minimize your exposure to rogue admins run amok.
This spooked me. I thought I recognized the name, and then I remembered she had recently contacted me out of the blue on meetup.com to ask if I was interested in doing some urban exploration. I said yes, but we never got around to picking a day. Now I'm kind of glad we didn't!
A few years back the FBI arrested people carding throughout the country. Turns out I knew two. One was just good at social engineering but not a dev by any means; I knew him from the private server community.
The other was someone I followed on Tumblr. I was shocked about him being arrested. He was pretty popular on Tumblr and me and him would chat on TinyChat from time to time.
After reading the affidavit it was a former AWS employee. The accused worked there from 2015-2016 and it’s not immediately clear that it was a misconfigured S3 bucket. There’s a particular IAM role she used to execute API commands (ListBuckets, etc..). The buckets contained credit card applications and other data including DOB and SSN. She gloated about it on Slack and said she was using a VPN and Tor.
The affidavit is a good read. Linked elsewhere in this thread.
> A former Seattle technology company software engineer was arrested today on a criminal complaint charging computer fraud and abuse for an intrusion on the stored data of Capital One Financial Corporation, announced U.S. Attorney Brian T. Moran. PAIGE A. THOMPSON a/k/a erratic, 33, made her initial appearance in U.S. District Court in Seattle today and was ordered detained pending a hearing on August 1, 2019.
> According to the criminal complaint, THOMPSON posted on the information sharing site GitHub about her theft of information from the servers storing Capital One data. The intrusion occurred through a misconfigured web application firewall that enabled access to the data. On July 17, 2019, a GitHub user who saw the post alerted Capital One to the possibility it had suffered a data theft. After determining on July 19, 2019, that there had been an intrusion into its data, Capital One contacted the FBI. Cyber investigators were able to identify THOMPSON as the person who was posting about the data theft. This morning agents executed a search warrant at THOMPSON’s residence and seized electronic storage devices containing a copy of the data.
"ORDER APPOINTING FEDERAL PUBLIC DEFENDER appointing Christopher Sanders for Paige A Thompson. On the basis of the defendant's sworn financial statement, the court finds that he/she is financially unable to retain counsel."
I stand corrected. It sounds like she exploited a vulnerability that allowed her to assume an IAM role with access, rather than the S3 public permissions I previously assumed.
Why, exactly, did she "post[ed] on the information sharing site GitHub about her theft of information from the servers storing Capital One data"?
That seems... unwise. Anyone have a pointer to the github post? Would be interesting to see if it was a "Haha! Look what I did!" kind of thing, or a "Crap, CapOne has an open S3 bucket" kind of post.
I don't trust in the U.S. justice system to handle every crime and person as it should but for us, context is important: This person's Twitter is 0xA3A97B6C, y'all can go there and get a better picture of the situation.
So much evidence of mental illness there (see also Facebook). I hope this person gets help, but given their claim to also be in the country illegally (Tuvalu), who knows.
I was ready to think this person was being set up by someone who didn't like her, given how exposed she was to being identified, but the Twitter and FB posts strongly suggest a vulnerable person making poor decisions instead.
>Jesus christ, how many times did she come back into Discord rooms she was banned from under new names, just to brag about how she "snuck in," like within two weeks, and of course getting banned again. Being a desperate attention whore is bad opsec.
>I guess she's finally getting all that attention she's been begging for.
>She pulled the same shit with our tiny IRC network nobody on earth could possibly give a shit about. I don't know how a person can be this insane. Relentless stalking of individual users, histrionic rants, literally attempting to dox randos and flooding the server with spambots, you fucking name it.
Given that Ms. Thompson is transgender [0], it's likely a lot was stacked against her emotionally. 40% of trans-identifying individuals attempt suicide [1]. This is a disappointing omission from the reporting, and the road that lies ahead for Ms. Thompson in the hands of the federal prison system is surely horrifying.
I wonder if it could be an effective legal defense for her, akin to the plot of Soderbergh's Side Effects (2013): "not guilty by reason of insanity" due to hormonal treatment. There are precedents.
As a transgender person, I can tell you that estradiol absolutely cannot induce insanity. At the absolute most, it can screw with your emotions in the same exact ways as PMS (and PMS is indeed caused by hormonal fluctuations).
The idea that it's on the same level as Ambien is absurd.
NGRI is just a legal term covering committing a crime while not in full possession of one's faculties, not limited to the "put me in the cuckoo house" stuff people tend to associate with the word.
It's really tough, because not treating gender dysphoria properly can be much more dangerous. It's a severe disorder that's made much, much worse by discrimination.
It really seems like a lot of cases of gender dysphoria are more society driven. Younger trans or non-binary kids I know seem to be quite a bit happier than trans folks I know in their 30's. Gender is not inherently tied to sex, and variation in gender expression is normal and not unhealthy at all (societies all around the world recognize it). I think improving attitudes might really be having an effect of reducing the amount of gender dysphoria.
Interestingly the Daily Mail had this detail, and I wondered why they felt the need to include it; at first glance it didn't seem at all relevant. My belief is that the small number of trans people I know would rather be judged by their actions in an absolute sense, rather than "well this is kinda excusable because he/she is trans", but maybe I need to re-examine that.
Some of the conversation occurred on her Slack server, which as of an hour or two ago was still completely open/public via an invite link shared on Meetup.
The entire server chat log is a few Google searches away.
Right. It was an open Slack group. It's likely the Special Agent is the source of those logs and photos; no need for Slack to confirm anything except for metadata to authenticate the logs (if that's even necessary for yet another nail in the coffin).
Do you mean ingress? You probably wouldn’t want to allow ingress or egress, but the statement says connecting from a TOR exit node to CapitalOne, not the other way around.
Sometimes the best way to handle "bad" traffic is not to reject/block it, but to respond to it incredibly slowly, or divert to an uninteresting flaky phantom server, or reject every login attempt (even with correct credentials) to divert attacker's attention.
The ingress was okay, but the egress flow was very very bad!
By the sounds of it, the S3 bucket was internally accessible only. But the attacker connected through the corp's Web Application Firewall after grabbing the credentials to log in to the S3 bucket.
"Internally accessible only" just means you have to have credentials to access it.
You can also add IP address restrictions to a bucket access policy; this was obviously not done here because once she had the credentials, it didn't matter where she was accessing from.
Looks to me that it should rather be using an IP whitelist. It's not like their systems would need access to these documents from a dynamic-IP dial-up connection.
I wonder why data security professionals don't practice compartmentalization. 100 million accounts should not be accessible from one account. It should be like watertight compartments in a ship. Breaching one doesn't sink the ship.
I worked at a tech company where, three times, my personal data was put at risk because someone at HR left their laptop in their car during a night on the town.
I asked if my personal data was stored in files downloaded to the laptop, they said yes.
When I asked why my data needed to be downloaded to the laptop and not limited to just online access they stopped responding.
This of course was the same company that mailed me my co-worker's salary in spreadsheet form, twice, because my name was similar to another manager's.
At most large companies, IT sets the policy and developers are required to work within that policy. I've worked at about 10 jobs. The only one where devs could write their own ticket was a startup.
IT doesn’t have any involvement when it comes to S3 buckets at any company I’ve seen. Anything in a cloud tenancy is devops acting with autonomy. Sometimes they have a security person review it, but many companies don’t do that, and the ones that do have way more moving parts than their security engineers are capable of reviewing, so stuff gets through.
Even then, it’s unlikely that a security person would recommend compartmentalizing this particular data set. Any application that needs access to some of it probably needs access to all of it, and it makes little difference if you compromise a server and get one key or if you get 30 keys. The trust boundaries haven’t moved, so it would increase cost without really mitigating any threats.
I don’t think they even had a legitimate reason to keep this data around. Surely they aren’t all active accounts and s3 isn’t a place the data likely needs to be long term.
I guess this is how we all finally get paid for our data. Just continually file for our $125 check as every company that exists is hacked over the next decade.
FYI, getting a $125 check from Equifax is contingent on most of the people that are eligible to get one not actually requesting it. It'll probably be less.
Because most people won't qualify to get the payout. It's just restitution for people who responded to the news of the breach by paying for credit-monitoring services. If you didn't do that, you don't get paid. You just get free credit-monitoring service.
> Capital One Financial Corp. lost data from as many as tens of millions of credit card applications after a Seattle woman hacked into a cloud-computing company server
> The cloud-computing company, on whose servers Capital One rented space, wasn’t identified in court papers
I can’t tell whether the company's virtual server got hacked or whether the cloud provider was the one who got breached. Hopefully just the VM.
Well, the main cloud Capital One uses is Amazon as far as I know.
If you think about the attack vectors here, it was most definitely the virtual server that got attacked. If it was the cloud provider (Amazon), there are a lot of safeguards that these banks use to make sure that any data that touches the shared server persistent storage is encrypted. And when I say safeguards, I mean automation to make sure that this sort of scenario shouldn't ever happen.
This is a huge blow for the public cloud and financial services companies, unfortunately.
Edit: Seemingly a WAF firewall issue. I wonder what happened. These rules should be applied automatically for Capital One using Cloud Custodian [0], so a config issue definitely occurred somewhere.
Final edit: A leaked account with access to IAM permissions. Good lord was Occam's razor correct here.
so I wrote the majority of cloud custodian and still maintain it. I no longer work at capitalone (since jan 2019). afaics the fact that the suspect (https://www.linkedin.com/in/paige-t-704a29188/) worked at AWS 3 years ago is also irrelevant, which is why it's not part of the filing.
so this isn't a case of an s3 bucket being public/wide open, it's a case of the waf's iam permissions being overly broad, if I'm parsing the filing correctly. it's unclear how the waf product was hacked/bypassed and its credentials obtained.
wrt custodian in this equation, it's not really related afaics. custodian has lots of filters to help determine stuff like: is my ec2 or anything with an iam role (lambda, etc) overly permissive wrt permissions (check-permissions filter). it also has the ability to filter individual statements and access on any resource (s3, lambda, etc, there are many) with an embedded iam policy on a fine-grained basis (allow y accounts but not x accounts) to protect against account-level access (cross-account filter). and the ability on ec2 via guard duty alerts to auto remediate (suspend, memory snapshot, yank role, volume snapshot). it's used by lots of users/enterprises across the governance, security and cost-optimization domains because it's flexible and supports many clouds.
AWS has Macie to catch this sort of thing, not to mention the usual AWS security automation tools available like Security Monkey. Or the fact that a pen test should have caught this, or employees following the data use policy.
"there are a lot of safeguards that these banks use to make sure that any data that touches the shared server persistent storage is encrypted. And when I say safeguards, I mean automation to make sure that this sort of scenario shouldn't ever happen."
ROTFLMAO....you have clearly never worked for a bank, no offense mate. Capital left this shit in plain text on an S3 bucket, I guarantee you
Bucket encryption doesn't protect against anything except someone getting access to the hard drives underlying S3 and somehow recovering data.
If you've somehow left access to a bucket open the odds are that you also have it configured to let anyone with access to the bucket decrypt the files. AWS calls this server side encryption, where S3 automatically encrypts and decrypts files for you. You can also do client side encryption, of course, but it's much more difficult to manage because you have to deal with keys in your application.
Default bucket encryption would require you to misconfigure two controls instead of one. S3 only automatically decrypts if you are an authorized principal on the KMS key, having S3 permission is not enough.
"You can also do client side encryption, of course, but it's much more difficult to manage because you have to deal with keys in your application."
Well, SSE-KMS is not difficult to manage if you have sensitive customer data like Capital One does. I use it all the time. You can pretty much audit the buckets and see what is going on.
And if Capital One had used SSE-KMS on the buckets, we might not be talking about this data breach today. Incompetence? Complacency?
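The two controls argued for in this sub-thread (restricting bucket access to known source IPs so stolen credentials alone are not enough, and requiring SSE-KMS with a specific key on upload) can both live in one S3 bucket policy. The block below is an added example, not code from the thread, from Capital One or from AWS: it builds such a policy and runs a small offline checker over constructed requests to show which Deny statement would catch each one. Bucket name, account id, key id and CIDRs are placeholders, and the checker models only the two condition operators used, not the full IAM evaluation (no Allow statements or identity policies).

```python
import ipaddress
import json
from fnmatch import fnmatch

# Constructed placeholders, not real Capital One or AWS identifiers
BUCKET = "example-credit-applications"
ALLOWED_CIDRS = ["10.0.0.0/8", "203.0.113.0/24"]  # corporate ranges only, no dial-up IPs
KMS_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000"
SSE_HEADERS = {"s3:x-amz-server-side-encryption": "aws:kms",
               "s3:x-amz-server-side-encryption-aws-kms-key-id": KMS_KEY_ARN}


def build_bucket_policy(bucket, allowed_cidrs, kms_key_arn):
    """Three explicit Deny statements. Deny beats any Allow, so a caller holding
    valid role credentials is still refused when one matches. Caveat: requests via
    an S3 VPC endpoint carry no public aws:SourceIp; a real policy would add an
    aws:SourceVpce exception to the first statement."""
    arn = f"arn:aws:s3:::{bucket}"
    return {"Version": "2012-10-17", "Statement": [
        {   # 1. credentials alone are not enough; the request must come from our network
            "Sid": "DenyOutsideCorpNetwork", "Effect": "Deny", "Principal": "*",
            "Action": "s3:*", "Resource": [arn, f"{arn}/*"],
            "Condition": {"NotIpAddress": {"aws:SourceIp": allowed_cidrs}}},
        {   # 2. uploads must request SSE-KMS (a missing header also matches StringNotEquals)
            "Sid": "DenyUnencryptedUploads", "Effect": "Deny", "Principal": "*",
            "Action": "s3:PutObject", "Resource": f"{arn}/*",
            "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}},
        {   # 3. ...with the approved key, so later reads also need kms:Decrypt on that key
            "Sid": "DenyWrongKmsKey", "Effect": "Deny", "Principal": "*",
            "Action": "s3:PutObject", "Resource": f"{arn}/*",
            "Condition": {"StringNotEquals": {
                "s3:x-amz-server-side-encryption-aws-kms-key-id": kms_key_arn}}},
    ]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_holds(condition, ctx):
    """Evaluate the two negated operators used above; like IAM, a missing key counts as a match."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if operator == "NotIpAddress":
                if actual is not None and any(ipaddress.ip_address(actual) in ipaddress.ip_network(c)
                                              for c in _as_list(expected)):
                    return False
            elif operator == "StringNotEquals":
                if actual is not None and actual in _as_list(expected):
                    return False
            else:
                raise ValueError(f"operator {operator} not modelled")
    return True


def denied_by(policy, request):
    """Sids of the Deny statements matching a request (simplified: Deny side only)."""
    hits = []
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if not any(fnmatch(request["action"], a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch(request["resource"], r) for r in _as_list(stmt["Resource"])):
            continue
        if _condition_holds(stmt.get("Condition", {}), request["context"]):
            hits.append(stmt["Sid"])
    return hits


def request(action, source_ip, headers=None):
    """Constructed request against one object in the bucket."""
    return {"action": action, "resource": f"arn:aws:s3:::{BUCKET}/applications/0001.json",
            "context": {"aws:SourceIp": source_ip, **(headers or {})}}


POLICY = build_bucket_policy(BUCKET, ALLOWED_CIDRS, KMS_KEY_ARN)
REQUESTS = {  # constructed: stolen credentials used from the internet, then three in-network cases
    "outside_read": request("s3:GetObject", "198.51.100.7"),
    "corp_read": request("s3:GetObject", "10.20.30.40"),
    "corp_plaintext_upload": request("s3:PutObject", "10.20.30.40"),
    "corp_kms_upload": request("s3:PutObject", "10.20.30.40", SSE_HEADERS),
}

if __name__ == "__main__":
    print(json.dumps(POLICY, indent=2))
    for name, req in REQUESTS.items():
        print(f"{name}: denied by {denied_by(POLICY, req) or 'nothing'}")
```

Note that the second statement also rejects uploads that rely on default bucket encryption without sending the header; pair it with default encryption on the bucket, or loosen it with a Null condition, if your clients do not set the header themselves.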
I am well aware how S3 works, I just mean you can use custodian to enforce SSE on the bucket as well as KMS based encryption, so the original commenter is just being a troll was the point I was getting at.
And if you knew anything of what you were talking about, you would see how easy it is for an engineer to make a mistake, and there is 0 auditing or oversight. Also, if YOU actually took 10 seconds, you would see all the data was unencrypted and in plain text. So where is all this "safety" the dude is speaking of? Cloud Custodian does shit when implemented incorrectly, and that's my point. You think banks are making all this effort, but in reality, the security team is completely understaffed, often not listened to, and in the end we find this stuff happening all the time.
There, I gave you more than 10 seconds. Try keeping up.
"I sincerely apologize for the understandable worry this incident must be causing those affected." - CEO
He worded it carefully. He's not apologizing for the actual and potential harm of the breach so as to not take responsibility for it. Not a real, sincere, apology, but just a legally defensive move.
I'm still not clear what I need to do to protect myself from a similar class of misconfiguration mistakes.
"The first command, when executed, obtained security credentials for a role known as *-WAF-Role" says the affidavit.
Was some web app of CapOne coded so the JavaScript app fetched IAM credentials over HTTP so it could do its job by accessing some other S3 bucket?? And that's how Paige or someone she knew found the toehold in? That would be pretty brain dead. Or was it more subtle in terms of pure WAF misconfiguration?
Can someone ELI5 how one bank has critical information on 100M US individuals? Is this metric representative of accounts or anyone involved in a transaction with a Capital One account?
>Importantly, no credit card account numbers or log-in credentials were compromised and over 99 percent of Social Security numbers were not compromised.
Cool, just other stuff, such as name, address, income, credit score, transaction history, payment history, ya know, nothing too important or personal..
Arguably the least important data element is the account number...
I took down the mailbox at my house and now use my business address for all my mail, because bulk junk mail doesn't get delivered to business addresses. Targeted credit offers do still get delivered, unfortunately. But the amount of junk mail in general is about 10% of what it was.
Works well, though I do often get accused of being a Unabomber type when I tell people they can't send mail to my house address because I removed my mailbox. The bank that holds my mortgage also came calling because the USPS declared my lot "vacant" to HUD after I did it, and that confused everybody.
Mailboxes live in this weird property-right limbo (that I don’t know really anything about) where the homeowner buys it but it is “property of” the US Postal Service. I found this[1] Supreme Court case that sort of touches on how the property rights work.
I don't think that's what they're saying though. They're talking about what the mailbox is while it's in use. I didn't find anything mentioning boxes being property of the USPS; they use the term "authorized repository." When it's in use, it's still property of the private entity, but its usage is subject to the rules of USPS. (I'm not a lawyer)
My understanding is they can remove the USPS box (looking at what postal workers said on Quora), but they wouldn't be part of the mail system anymore. I guess they could have mail forwarded to a new box, or else it'd be undeliverable.
> Writing for the majority, Associate Justice William H. Rehnquist said that no one was required to receive mail or to have a mailbox but that once a postal customer provides a box for receiving mail he implicitly agrees to abide by postal regulations on its use.
CO finally stopped sending me junk mail after I'd send back their offers with "stop sending me these" written in red crayon across the application form. I did it for months.
Their mobile apps are top notch though. I used a card in the past and it came with free credit scoring and the mobile apps were better designed (UI and performance) than most. At least here in my country.
It even had automatic categorization of spending in a Mint.com style.
sdinsn is commenting on the (startling) omission of the journalist who wrote the particular article here and not on my post. The information is already reported widely elsewhere.
In fact, I'm very surprised that my post highlighting the bullying actions of prosecutors against transgender people was flagged. This is a very real issue, as anyone with any experience of the criminal justice system is aware.
A single news article, certainly. A handful of news articles, probably. But news articles can be effectively used to support strategic decision making. It's done all the time.
In my case I believe that putting trade secrets on an AWS cloud instance just doesn't seem like a good idea.
> She is charged with a single count of computer fraud and faces a maximum penalty of five years in prison and a $250,000 fine. Her lawyer declined to comment.
We need to start putting the hammer down on these people; maximum five years, meaning she/he will probably do one year. The US needs to start making examples of these people and increase penalties.
The Feds aren’t like state courts. There is no parole and judges have minimal discretion on sentencing in many scenarios.
Most federal cases are about negotiating the sentence, and with a public defender she is probably screwed. She’ll spend more time in prison than the average rapist.
From what I read in the complaint, it wasn't as blatantly boneheaded as other breaches. Seemed to be an IAM permission issue related to AWS WAF.
This argument is constantly made on HN, and it is analogous to: you left your back door open at your house, and instead of arresting and prosecuting the robber, we are going to arrest you. Sure, I made a mistake and left my back door open, but that doesn't give the robber the right to break in and steal my stuff. It is lacking a moral compass and sense of right and wrong. There need to be consequences for bad behavior.
I think it's more like I left the back door of your house open, without ever having permission to access your house, and you got robbed because of that.
I admit the Equifax situation was worse. The people whose data was lost by Capital One probably at least have some sort of business relationship with that company (for example, they may have applied for a credit card). I had no business relationship with Equifax at all, yet apparently information about me was leaked. I don't buy anything on credit, so I don't give a tinker's damn what my credit score is. Equifax provides no value to me whatsoever, yet I now have to worry about information they collected about me with no authorization from me. I'd like that company to be sued into bankruptcy.
The closest analogy would be that you gave me your house key so I could go in and water your plants while you’re on vacation (signing up for an account), but someone grabbed the key off my counter because I left my back door unlocked. The folks who had their information leaked in this instance had signed up for accounts with C1.
If I steal Capital One's company vehicle and get in a head-on collision, Capital One's insurance still pays the damage. I'm still criminally liable for unlawful entry, but C1's insurance covers the damage done by their vehicle. The same precedent needs to apply here. If I broke into a chemical plant and released harmful toxins into the air, the company is still civilly liable. In this case, the data is the toxin.
They will likely come up with more as the investigation progresses. Capital One only contacted the FBI like 10 days ago. This was enough to pick her up on and get things rolling.
[1] https://www.capitalone.com/facts2019/