
Capital One attacker may have breached other major corporations - panarky
https://krebsonsecurity.com/2019/07/capital-one-data-theft-impacts-106m-people/
======
dawhizkid
From the snippets of text I've seen in various articles, it just sounds like
she was bored? I imagine she had worked for a number of years and saved up a
decent amount of money and decided to leave her job, had nothing to do all day
and just posted at a Starbucks working on personal projects, which ended up
including hacking into large corporations...?

Reminds me of my first manager, who was mid/late 30s and could've retired very
comfortably long ago, and his primary motivation for working was because
boredom, for him, would've been (in his words) a dangerous thing.

~~~
tinalumfoil
Is it paranoid to consider if this was a government actor? Boredom is plenty
to keep someone from retiring, but digging into private customer data I'd
think would take a pretty serious motivation. If I had the resources and
wanted to wreak some havoc on the US economy, data security (i.e. lack thereof)
would certainly seem like a weak point worth prodding.

~~~
mattnewton
I don’t think a government actor would put them on the same public GitHub that
is linked to their resume. The only way I can see her being so smart and yet
so dumb is if she didn’t think much of what she was doing.

~~~
Scoundreller
Probably had moments of insight and lapses of insight at different times.

It’s a roller-coaster that a lot of people can’t understand. Oh, and Capital
One.

~~~
ownagefool
Possibly just slowly lost it because of what they see as a terrible industry
with terrible practices. The suicide vest comments suggest she knew what she
was doing.

Does she just want fame, or did she want to show them?

Maybe not though.

~~~
Scoundreller
Or knew what she did, but there was no going back.

------
poxrud
Does anyone know how she gained the IAM role? Many comments mention her
exploiting a misconfigured WAF to gain the role needed to access the S3
bucket, but that is not enough detail to understand the attack.

~~~
ownagefool
FBI Report suggests something, probably an instance, was left open to the
world. Misconfigured firewall is what they said.

It's unclear why the resource couldn't withstand attack, maybe it had known
vulnerable software, a weak password, I'm not sure it's been published, but
something happened.

Whatever it was, it was able to assume the *-WAF-Role which had an amazing
amount of access.

Given the name of the role and the stupid amount of access, I'd wager it was
some shitty security product, but who knows. Maybe we'll find out.

~~~
akamai
modsec

~~~
october_sky
What's wrong with modsec?

~~~
akamai
Nothing. The problem here was not the WAF, but the credential/role being
compromised.

~~~
ownagefool
Apparently it was both. The WAF was used to SSRF the metadata service which
would have exposed the role.

Why a WAF role needed so much access to data is something that's hard to
explain, and would suggest a major fuckup by the teams involved.
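
As an added illustration (not code from the thread, from Capital One, or from any product named here), a small detector over constructed CloudTrail-style records that flags a `*-WAF-Role` session performing S3 operations, the out-of-profile use described above; the role name, account details and events are made up, and `ec2RoleDelivery` is a real CloudTrail field (introduced after this incident) recording whether the session credentials came from IMDSv1 or IMDSv2.

```python
import re
from typing import Dict, List

# Constructed CloudTrail-style records, not real telemetry. Only the "*-WAF-Role"
# naming from the thread is carried over; role names and IPs are placeholders.
WAF_SESSION = {"type": "AssumedRole",
               "sessionContext": {"sessionIssuer": {"userName": "EXAMPLE-WAF-Role"},
                                  "ec2RoleDelivery": "1.0"}}
SAMPLE_EVENTS: List[Dict] = [
    # Normal WAF housekeeping: in profile for the role, not flagged.
    {"eventSource": "waf.amazonaws.com", "eventName": "GetWebACL",
     "sourceIPAddress": "10.0.1.23", "userIdentity": WAF_SESSION},
    # Same role enumerating buckets: the WAF has no business doing this.
    {"eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "sourceIPAddress": "10.0.1.23", "userIdentity": WAF_SESSION},
    # Same role, but credentials delivered via IMDSv2 (token-protected).
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "sourceIPAddress": "10.0.1.23",
     "userIdentity": {"type": "AssumedRole",
                      "sessionContext": {"sessionIssuer": {"userName": "EXAMPLE-WAF-Role"},
                                         "ec2RoleDelivery": "2.0"}}},
    # A different role reading S3: outside this rule's scope.
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "sourceIPAddress": "10.0.2.7",
     "userIdentity": {"type": "AssumedRole",
                      "sessionContext": {"sessionIssuer": {"userName": "EXAMPLE-Analytics-Role"}}}},
]

WAF_ROLE = re.compile(r"-WAF-Role$")
# Services a WAF support role legitimately touches; anything else is out of profile.
EXPECTED_SOURCES = {"waf.amazonaws.com", "waf-regional.amazonaws.com", "logs.amazonaws.com"}

def role_name(event: Dict) -> str:
    ctx = event.get("userIdentity", {}).get("sessionContext", {})
    return ctx.get("sessionIssuer", {}).get("userName", "")

def imds_version(event: Dict) -> str:
    return event.get("userIdentity", {}).get("sessionContext", {}).get("ec2RoleDelivery", "")

def find_waf_role_abuse(events: List[Dict]) -> List[Dict]:
    """Return one finding per event where a *-WAF-Role session calls a service
    outside its expected profile, noting whether IMDSv1 delivered the credentials."""
    findings = []
    for ev in events:
        name = role_name(ev)
        if not WAF_ROLE.search(name) or ev.get("eventSource") in EXPECTED_SOURCES:
            continue
        findings.append({"role": name,
                         "action": f"{ev['eventSource']}:{ev['eventName']}",
                         "source_ip": ev.get("sourceIPAddress"),
                         # IMDSv1 is the credential path a metadata-service SSRF relies on
                         "imdsv1_credentials": imds_version(ev) == "1.0"})
    return findings
```

The rule is deliberately narrow: an over-privileged role is only caught when it acts outside its expected services, so the lasting fix is scoping the role's policy down rather than relying on detection alone.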

------
duxup
Based on the Slack comments and her behavior described in other stories ...
it seems like she was struggling with life and ultimately chose some self
destructive behavior.

The lack of security seems like she all but wanted to get caught, or actually
did.

~~~
TearsInTheRain
I read she literally posted stolen data to GitHub. Might as well have called
up the FBI herself.

~~~
duxup
Some other evidence was on GitLab too...

Lots of crumbs left all over social media.

------
panarky
Krebs claims "there is evidence to suggest we may hear similar disclosures
from other companies soon".

[https://twitter.com/briankrebs/status/1156204409203908609](https://twitter.com/briankrebs/status/1156204409203908609)

~~~
kyrra
From the article, there are a few other company names listed in the screenshot
(caveat: these are just based on filenames, it's not 100% clear that these are
the exact companies, they just seem to match):

42lines.net, apperian.com, globalgarner.com, astem.net, ford, identiphy (not
clear which), codecademy.com, safesocial.media, starofservice.us,
unicreditgroup.eu

There are other files in the dump, but it's not clear which companies they
are.

~~~
dmix
Well hopefully this turns into a helpful public service in the end since she
didn't _try_ to sell them or use them for fraud. So most will probably just
get fixed, again I hope.

But she was basically asking to go to jail and this could have easily gotten
her some good money if she reported it responsibly. Either as an infosec
worker or through vuln rewards programs.

~~~
Scoundreller
Hopefully she has foiled a malware attack or two in her past. Otherwise it’s
not looking good for her future.

She doesn’t sound like the most... neurotypical, and US courts really hate
that.

------
rtempaccount1
It's interesting that we're still in a place in 2019 where one motivated
attacker can compromise the security of major corporations, and access
sensitive systems and data, and that those corporations don't realise/react to
the breach until notified by external parties.

For security to improve, there needs to be a "mess up tolerance" of more than
one (i.e. if a single mistake/vulnerability causes a major loss, you're in
trouble).

Mistakes happen, vulnerabilities happen, security requires defense in depth to
be effective.

~~~
oppositelock
As someone responsible for Cloud security for the last several years at a
couple of companies, I can tell you exactly how this happens.

You, the sec-ops engineer, propose your pie-in-the-sky, compartmentalized
fortress. There is no one security domain, but many, with barriers in between
them, so that having one part of your org compromised leaves the rest intact.

Then, you talk to your peers, and have many discussions of the form, "yes,
that's secure, but it's really annoying to work with, and my engineers won't
be able to monkey-patch the production environment to test stuff". You say,
that's the point; the CTO says, you can't slow down dev.

So, you come up with something that's as secure as you can make it within the
limited ability you have to impose inconvenience. Then it comes to
implementing the thing.

You don't have time to implement everything yourself, so you delegate. Some
people now have credentials to the production systems, and to ease their own
debugging, or deployment, spin up little helper bastion instances, so they
don't have to use 2FA each time to use SSH or don't have to deal with
limited-time SSH cert authorities, or whatever. They roll out your fairly
secure design, and forget about the little bastion they've left hanging
around, open to 0.0.0.0 with the default SSH private key every dev checks into
git. So, any former employee can get into the bastion.

Now, that's what happens when someone designs something secure from the
outset.

When you start out with everything being in the default VPC, initially brought
up by hand, with a subnet setting which default-assigns public IP addresses,
you're basically boned, but that's where most companies which roll out services
in the cloud start.

------
rolltiide
did anyone notice the landlord got arrested too? when you see it...

[https://www.seattletimes.com/business/seattle-woman-arrested...](https://www.seattletimes.com/business/seattle-woman-arrested-in-breach-of-capital-one-systems-millions-of-credit-applications/)

okay I'm dying laughing here, so much win and fail at the same time.

~~~
JustSomeNobody
> While federal agents were sweeping the three-bedroom house where Thompson
> lives they discovered 20 firearms — both assault-style rifles and handguns —
> as well as firearm accessories, including bumpstocks, scopes, grips and
> ammunition, in another bedroom, according to a separate complaint filed
> against the homeowner, 66-year-old Park Quan.

> Quan, who was convicted of being a felon in possession of explosives in 1983
> and being a felon in possession of an unregistered machine gun in 1991, was
> arrested and charged Monday with being a felon in possession of a firearm,
> federal court records show.

> In the 1983 criminal case, Quan and two co-conspirators were linked to a
> failed contract killing using a truck bomb made of dynamite, according to
> court records and news reports. The bomb, which the would-be victim found
> attached to the underside of his pickup in Ocean Shores, Grays Harbor
> County, had malfunctioned, The Seattle Times reported at the time.

There are no words...

~~~
VoiceOfWisdom
If you are already a felon for owning a gun, why the hell would you own a
bumpstock? Just go full giggle at that point.

~~~
mieseratte
> Just go full giggle at that point.

Well it's not as if you can just break into any old gun store or rural home
and find a select-fire weapon.

~~~
jdhn
Just put a lightning link into your AR style rifle, and voilà, you have a full
auto gun.

~~~
nostalgk
Pretty sure a lightning link is more "elect-fire", not select-fire. Not to
mention much more dangerous than the relatively well documented and simple
(highly illegal without an SOT) procedure that can be easily found to do a
proper conversion.

------
jedberg
The thing that sticks out most to me is that from what’s been disclosed, she
didn’t need any insider AWS knowledge or access to achieve these attacks.

~~~
mmazing
I'm sure it didn't hurt to have the in-depth knowledge of AWS from working on
their team.

~~~
poxrud
Many articles are suggesting that she was able to do this due to her insider
knowledge; this is untrue and shifts the blame off of C1.

------
bagacrap
She posted a lot of her technique on Twitter. If there were other breaches,
they might have been copy cat attacks.

~~~
whenchamenia
Those aren't exactly novel techniques.

------
rolltiide
so this attack is different because the culprit got caught? or am I missing
something?

why isn't this just the usual "we got breached" "Collection #3 available on
Empire.onion" "sign up for another $125"?

------
sealthedeal
if one individual can attain access to all of that data that "easily", it
makes me flabbergasted at the type of data we and other countries are
"acquiring" in our new age cyber warfare...

------
ec109685
I wonder how Capital One could have been GDPR compliant. Surely they weren’t
going into these S3 files and deleting customer data when asked to.

------
ndarwincorn
Tangentially related, half of those comments are yikes-tier.

~~~
RankingMember
Oof, I regret you posting this comment because I had to go look. Rampant
litigation of gender pronouns, if me saying that saves someone else some time
and brain melt.

~~~
rolltiide
Why are so many people in that forum contradicting themselves? Like they say
something criticizing the prior person's opinion on gender and then say
something completely intolerant. Is this a running gag? I've never seen people
misunderstand a topic so... halfway? It's usually more like "okay I'm learning"
or "I completely reject this line of reasoning", but these comments are like
something else.

~~~
RankingMember
As with so many internet comment sections, sometimes, rather than trying to
understand, it's best for your own mental health if you close the window,
throw your computer in the trash, and go for a walk.

~~~
codyb
The people on the internet are not the people outside is how I always think of
it. Too bad the internet denizens so frequently shape and mold the
conversation.

~~~
RankingMember
Definitely an important thing to remember. I wonder what percentage of people
out there are effectively "read-only" with regard to the public internet,
never signing up for accounts (other than personal stuff like email) or
leaving comments on news stories.

~~~
codyb
I think the majority tend to be lurkers for the most part. I believe the
Pareto principle (80% of effects come from 20% of causes) maps pretty well to
internet cultures based on statistics curated from some of the forums and
aggregators around. Can't provide a source for that though.

