Hacker News new | past | comments | ask | show | jobs | submit login
Capital One Says Breach Hit 100M Individuals in U.S (bloomberg.com)
491 points by pseudolus 24 days ago | hide | past | web | favorite | 285 comments



The way they are disclosing this is pretty disgusting, in my opinion. Go check out their info page about this[1]. In bold it says:

> No bank account numbers or Social Security numbers were compromised, other than:

Then below that, in non-bold, it basically says "oh, except for these 140,000 social security numbers and 80,000 bank account numbers" - which is the primary reason folks are worried about this!

To me, the first thing you are going to see is "No bank account numbers or Social Security numbers were compromised" in bold letters. Which is completely false and misleading. Technically they are telling the truth, but the way they've done it is clearly meant to be misleading.

On top of that, I'm a Capital One customer myself, and I can't figure out how to find out if I was affected at all!

[1] https://www.capitalone.com/facts2019/


And in a non bulleted sentence below that it notes that 1 million Canadians social insurance numbers were also compromised.


But the those 140k and 80k number are their own bullet points that I feel make them stand out more then the bold line. I feel like this is clear enough.


This is obviously anecdotal, but that was not my personal experience. I was getting ready to go to bed last night when I saw this and grabbed my tablet to see if I needed to worry. This bolded bit was the first thing I saw, and I immediately thought "hm, must have been over-exaggerated, no SSNs were exposed". Now I obviously read on and saw the bullet point, but for someone skimming this, it's not at all obvious.

But further, why even word it that way? It was clearly done intentionally. There's no need for this to be presented in this way other than to intentionally try to mislead. Why not just say, in bold letters "140,000 social security numbers and 80,000 bank account numbers were compromised". Or say it "The following were compromised".


But directly below, on a non bullet-pointed line, they mention that one million Canadian social insurance numbers were compromised..


I'm not sure I agree. The ", other than:" portion was also bolded, and the line

> We will notify affected individuals through a variety of channels.

Gives me some confidence the very small subset of individuals who should be worried about those much more exploitable leaks will be informed and offered assistance.

But as another Capital One customer I'm quite irked I can't just query a simple page to find out what data of mine was leaked, if any.


> hacked into a cloud-computing company server, federal prosecutors in Seattle said

> the cloud-computing company, on whose servers Capital One rented space, wasn’t identified in court papers.

Does this feel like it was just an S3 bucket with permissions set incorrectly? I've come across sensitive documents in S3 buckets with a well crafted google search.


Misconfigured WAF - see my comment elsewhere here.

Correction: according to the complaint, the defendant is alleged to have assumed an IAM role in the context of Capital One's account whose policy provided access to the S3 bucket in question. So it wasn't that the S3 bucket was public, but rather, that there was some vulnerability she took advantage of by which she obtained indirect credentials to it.

(Complaint, page 6, lines 14-27.)


Might have been an SSRF exploit if the WAF was accepting parameter values that were then used to expose IAM credentials via the EC2 metadata service. See https://ejj.io/blog/capital-one for a good write-up.


I wonder what data was in the bucket?


> The largest category of data stolen was supplied by consumers and small businesses when they applied for credit cards from 2005 through early 2019, the bank said. It included personal identification data, including names, addresses, phone numbers and dates of birth, and financial data including self-reported income, credit scores and fragments of transaction history.

> About 140,000 Social Security numbers were accessed, as well as 80,000 bank account numbers from credit-card customers, the bank said.

I haven't yet read (all of) the complaint but I presume it goes into even more detail than the article did.


Actually looks like she worked for Amazon on S3. So there might have been some insider knowledge. From the complaint below, and googling her name you can find her resume

I won't link it here, but here's a screenshot of a snippet: https://i.imgur.com/NezWVKw.png


I know that reading the actual linked content on HN is verboten, but the Bloomberg story says

"Thompson was previously an Amazon Web Services employee. She last worked at Amazon in 2016, spokesman Grant Milne said. The breach described by Capitol One didn’t require insider knowledge, he said."


“Didn’t require” is a very precise way of stating a truth about the vulnerability that was exploited, while neither confirming nor denying whether her role at Amazon was in some way responsible for her discovering the vulnerability.

(If I could query all AWS permissions for publicly exploitable permissions, that would comply, for example.)


The AWS spokesman quoted in the article also explicitly says it wasn't a vulnerability.


Do you consider an access control misconfiguration to be a vulnerability? Does Amazon?

Point stands; they’re being very careful to say that there aren’t any CVEs, but they are also very carefully not saying whether she abused the privileges of her role to identify misconfigurations more rapidly than she could have otherwise.


Detailed knowledge of a system gives you all kinds of knowledge about how to exploit it. You don't need special access if you know X% of users misconfigure feature Y.


It's not about knowing that X% are misconfigured, it's about whether special access or circumstances led to locating them more efficiently than the general public could have.

Special access can make the difference between "locating X% of misconfigured users in a single admin panel query" and "locating X% of misconfigured users by scanning every S3 bucket in existence without being caught".

Or to draw a weak analogy, knowing that a closed-source PRNG algorithm is defective does not necessarily help locate all keys generated by it, but having access to force it to generate numbers for you (or to study its source code) absolutely does help.


The parts about Amazon was added later after the article was originally published. Maybe they read HN and found her Gitlab account like was posted below before this was published. Most of those news sites back referral link lists.


Oh cool I use the same LaTeX template as her for my resume. Mine is blue instead of pink though! https://github.com/posquit0/Awesome-CV


Don’t forget to mention that on your next interview!


ftw


I feel modern CV is a little clumsy. Especially how it handles columns. You like this better? The example provided I don't love, but I'm not a designer, it looks good enough I think.


I use it too. I think it looks good enough, definitely better than my last horrible-looking resume. It seems to work well with a bit more text compared to many.


If you put data in the cloud, make sure you encrypt with keys only you have even when they promise all sorts of assurances of oversight and process in addition to “we use AES”.


This right here. Take away any outsiders ability to access things. I also feel AWS and the rest should be able to notify you when files untouched en masse for years are being accessed and it should set off alarms like crazy. If not acted upon then its the issue of whoever got those emails.


You can. It’s cloudwatch. Also at least put these things in glacier so you have some time between the download request and when they get the file to hopefully stop it.


If you put data in the cloud...

assume it is no longer private.


As opposed to on your computer connected to the internet?


Pretty much doubt there'd be much insider knowledge, guessing in 2015 a L4(entry) System engineer is going to be pretty much spending 80% of their time building new regions by hand...

Not much really there to learn


Looks well qualified to run the coding bootcamp in her prison.


Only facing up to 5 years apparently. I wonder if that will change over time. Considering her hack is worse than what Aaron Swartz hacked (not PII) I cant believe she only gets 5 years.


> worse than what Aaron Swartz hacked (not PII)

Violation of copyright would appear to be a significantly worse offense according to present US law.


IANAL, but I believe part of the issue is that breaching a hundred million records is one data breach, but exfiltrating a few thousand journals is one infringement per journal.

In point of fact, the prosecutor on Swartz case (Stephen Heymann) had previous authored an article describing how the Internet age allowed crime to scale, enabling hackers to commit thousands of criminal acts per second. It's my personal belief that Heymann wanted to use Swartz' case as a validation of this belief.

(Source: The Idealist: Aaron Swartz and the Rise of Free Culture on the Internet, ISBN 978-1476767727)


“Up to” limits on sentencing are different from what people actually get. Swartz supposedly would have got 6 months recommended by the prosecutor. https://mashable.com/2013/01/17/aaron-swartz-prosecutor-orti...


That is a lot of buzzwords.


Are Git and SVN really considered IDEs?


Not to anyone even remotely in the industry.

I think the minimum to be considered an IDE, you need to be able to edit, possibly compile depending on the language, and run/debug from within the same tool. By last loose definition, I've joked my most used "IDE" would be bash. I can edit with vim, compile/link with make/gcc/ld, and debug using gdb or run my bins directly.

I mean it's an integrated development environment in that I can access all of my tools from one centralized location, the bash shell, but certainly not integrated in the sense that I have a GUI that hides the nuances of commands of various tools behind menus and friendlier non-command-line names and making it appear that the half dozen or so tools are a single entity.

I also use Visual Studio for Windows development and I've been switching between VS Code and PyCharm for Python development.

But are git and svn an IDE? No. They are both merely source control management systems.


Are they even considered programs?


yes, they are programs. They, like most of the truly important software, don't have a UI, but they run none the less.


My point was going to be that these are concepts and protocols rather than programs, and that you would use an actual program (eg TortoiseGit) to actually use it.

But then I read your comment and realised in *nix the program is actually called "git". So I concede :-)


Looks like she only worked there until 2016? Or is that just a resume from 3 years ago?


> Looks like she only worked there until 2016? Or is that just a resume from 3 years ago?

The last commit in the Git repository where her resume is located shows this:

    commit 44e40140ab1ccdd47d8b56a8a78fc532d5b3386d
    (HEAD -> master, origin/master, origin/HEAD)
    Author: Paige Thompson <paige********@gmail.com>
    Date:   Thu Jan 10 14:38:02 2019 -0800
    
        update linkedin address
    
    diff --git a/cv.pdf b/cv.pdf
    index bf26140..add1ea9 100644
    Binary files a/cv.pdf and b/cv.pdf differ
If we assume this is the only repository she has, then the resume seems to be up to date.


Unlikely. S3 was publicly rebuilt in the wake of the 2017 S3pocalypse.


What does this refer to?


Some S3 eng accidentally dropped a big chunk of the servers that were the s3 equivalent of an hdfs nameserver, ie mapping blob name to location info, as part of an unrelated config change.

While attempting to recover, the s3 team discovered and/or decided the nameserver needed a full restart. That's when they discovered the info in the nameserver had grown so large since the last full restart years previous that it took far longer than expected to restart the nameserver. Right around that point in time my guess is they realized just how shit their morning was going to be. And their afternoon.

Somewhere in there, they realized that their health dashboard depended on s3 working.

Though to be fair, as an aws customer, we -- along with the rest of internet -- were well aware that stuff was badly broken.

I feel terribly for whoever did this, because IIRC, he or she just fat fingered part of a command in a standard playbook, and the config script had no safeguards. I personally took down a company you've heard of in the exact same way; I knocked all pops off the internet because the config script had a hard requirement around certain values that was neither communicated to me nor checked. And I was trying to figure out wtf I did to a system that I was not particularly familiar with while receiving forwarded texts from the CEO about cascading datacenter down alerts.


If you don't mind me asking, what was the punishment for what you did?


Just taking the company dark and being personally embarrassed. There was no punishment, though there was a lot of teasing. Also spending 4-ish weeks cleaning up the mess that was made.


Likely referring to the February 28th, 2017 S3 Service Disruption in the Northern Virginia (US-EAST-1) Region, for which Amazon published a postmortem at https://aws.amazon.com/message/41926/


Per the complaint, it doesn't sound like the bucket was exposed to the world. Rather, security credentials were "obtained":

> Capital One determined that the first command, when executed, obtained security credentials for an account named XXXX-WAF-Role, that in turn, enabled access to certain of Capital One's folders at the Cloud Computing Company.

Unsure how one would obtain credentials for an IAM Role, but the above verbatim from the complaint.

* edited to reflect this is lifted from the complaint, not indictment.


> Unsure how one would obtain credentials for an IAM Role, but the above verbatim from the complaint.

You use your own credentials and issue an API call to do it. If you're using the AWS CLI, it's "aws sts assume-role".

We do something similar with our accounts. You can place a restriction on the role that an MFA token must be used while assuming the role, so this allows you to give out longer-term credentials to your devs/admins that can then be used (with an MFA token) to assume a more privileged role.

The role itself needs to be configured with a trust relationship that allows for this, and many roles are restricted to AWS services (i.e. you are authorizing an AWS service to assume the role--not a specific user). I've never used WAF before though, so I'm not sure if it's typical for the WAF role to have that trust relationship or not.


It's possible an STS token was obtained using the role. If you're not monitoring where those tokens are issued to and used from, you're gonna have a bad time.

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credenti...


I recall a newbie dev at our company some years back accidentally posted creds in code to github. I have talked about this here before - but - we had paid for 200 repos.. problem was he made a new repo, which became 201 - which since we had only paid for 200, github auto makes the next one public. Bots slurp these and hunt...

They used those creds to launch like 1700 gpu machines across the globe for a bitcoin mining network...

The culprit was from germany...

We got it cleared and AWS forgave all the charges.


It doesn’t matter. There is never a reason for credentials to be anywhere near your repository. If you’re running locally, you should have your credentials in your home directory (via aws configure). If you are running your code on AWS either on an EC2 instance, lambda, or Docker you should be using the role associated with the execution environment.

Every SDK that I have used let’s you use a constructor without a parameter and can get your credentials from the config file/role.


i know, this was a few years ago, and these types of practices were still being developed out in the greater community (lambda didnt exist yet, dockeer was still nascient etc)


I’m sympathetic in that a lot of people started learning this on the fly but that was widely recognized as bad practice even before Amazon was founded and various patterns for doing it right were widely established.

(If anyone needs me, I’m busy feeling old after remembering having this conversation with a new PHP developer in 1998)


Haha, agreed...

He was a remote worker and aparently had a poor handler on our end. I was head of ops not in dev, so i just had to deal with the fallout.


If it's an instance role and you are on the EC2 instance, then "curl http://169.254.169.254/latest/meta-data/iam/security-credent... will return the credentials.


The court filing directly says "s3", so yeah, it's Amazon.


Good thing they didn't mention it by name ;)


Given that they're on AWS and "The intrusion occurred through a misconfigured web application firewall that enabled access to the data" thats what im betting too.


Well, if it was a misconfigured WAF (which usually is just a reverse proxy with mod_proxy) to an application then you would not need to gain access to any Tokens, etc. all you would need to do is gain access to the server. Or be able to use that WAF as a proxy to gain access to other http bound resources?

From there any IAM role access the underlying server had, you would now have as well. And that would work with any sort of access (don't need root, etc.)


Kind of like the AT&T "hack" wherein just changing the url leaked other customers info.

They were still successfully prosecuted though. And AT&T received no punishment.

When a company says jump the USG asks how high.


No way...I don't remember hearing about this. You mean changing the URL from like /data/customer/1 to /data/customer/2 ? And the person who did this was prosecuted? Jeez.


Not sure if this is a reputable source: https://heavy.com/news/2019/07/paige-adele-thompson/

But sounds like she's an engineer that used to work in aws, specifically S3. If true, seems likely as she would have insider knowledge of existing attack vectors and possibly vulns. Maybe even using something we discovered while on the job.


If this is true, this is a great reason for people to stop using S3 or to start doing daily bucket audits. Or you know, not store PII in the cloud poorly.


Really, sensitive data should not be stored unencrypted. It just shouldn't.


Or on S3, because unencrypted is just an API call away.


There are more details on dailymail article:

https://www.dailymail.co.uk/news/article-7299511/Ex-Seattle-...


The suspect had previously worked for AWS as well.


What do these queries look like...


[flagged]


Woah man.

You could be costing some unfortunate woman her job here man. Kind of like when that lady cop broke into that black guy's apartment and blew him away. Then all these people on social media started posting pictures of his coworker on social media and almost cost the woman her position at PwC.

We should try to be a little more responsible than that.


I think you're overreacting. Their name is public, and I didn't link to the public profile, nor did I say the public profile was the person in question. Only that if it is them, then having a work history of AWS adds an interesting dimension.


According to the publicly released report, the woman that was arrested used to work for the "cloud computing company" that was involved.

https://www.dropbox.com/s/z7u5rxcdajuvw6t/19718675504.pdf?dl...


Wasn't her name that the parent comment referenced originally posted in the news article? If that's the case, I would blame the news article and not the parent. Especially since they said "could" and not "yep, that's her".


I downloaded the indictment (edit: complaint, not indictment) from PACER: https://www.dropbox.com/s/z7u5rxcdajuvw6t/19718675504.pdf?dl...


Good lord.

-Paige left code used in the "attack" on her GitHub.

-Paige left text files with unencrypted data there, too.

-Paige openly posted about it in an open (!!!) Slack channel and publicly named her VPN service of choice, which of course, matched access logs AND GitHub server logs. (Also tor, which the FBI agent was able to confirm and add yet another data point)

-Paige said "I have a leak proof IPredator router setup." nice.

Nice opsec there. Sheesh.

EDIT: Thanks for the PACER share, by the way.


It says she posted on "social media" (Twitter) about it, claiming to have Capital One information, "and that she recognizes that she acted illegally".

Nothing about Opsec here. She basically asked them to arrest her. Probably had some of the usual motivations: "look at me I'm clever", "look at this stupid big company with bad security", or maybe used the opportunity for some political thing with banks. Not the sophisticated hacker type. But who knows.

Edit: originally I asked about her Github profile listed in the complaint as paigea(5x * characters)thompson but was iffy on whether that was okay on HN.



That also links to her gitlab profile which contains her resume/CV in PDF format (among other OSS work).

She did indeed work at Amazon on AWS in 2016 , specifically on s3:

https://i.imgur.com/DRBKYsc.png

That PDF also contains her home address and other personal information so I'd rather not link directly.


In https://gist.github.com/paigeadelethompson/620192d8c4b344d24...

Interesting note that she comments that they skipped 3 for the fan values. Seemingly an oversight for the fact that these fan values of 1,2,4 indicate that it is probably a bitfield with each bit indicating a fan speed.


Her gitlab account shows it was updated just few hours ago. How is this possible?

https://gitlab.com/netcrave


When you star a project it gets "updated" even if you unstar it. Kinda like Unix's touch command.


Almost certainly deactivated/seized and part of evidence. With some googling you can find her Keybase and other pages aplenty if you like. Almost all her content is scrubbed from the Internet, however.

(this person's original comment was asking for her github profile)


Generally having a screenshot of someone telling you "don't go to jail plz" in a criminal complaint against you is not ideal.


I hope the reality is that criminals are really dumb and not that we only catch the really dumb ones.


Heh, not even close. I know several individuals who should be in prison for their cyber crimes. But the fact is, not only have they never been caught, the victims probably don’t even know that anything happened.

There is such a lack of talent out there right now in the cybersecurity industry that it’s very easy for criminals to slip around undetected. You’d have to be a total idiot to get caught, or catch the attention of someone really motivated to catch someone.


It's both, if that helps.


Why do you use first name here instead of last?

No one calls Snowden just Edward, this comes across as a form of degrading women to girls.


Mostly people call me by my first name and I do the same to most people (likely more to men than women, if I had to guess). People call Edward Snowden by his last name because it's unique and catchy.

Theo de Raadt is often just called "Theo" here for similar reasons. Rarely if ever have I seen him called "de Raadt" on this forum.

Your comment is unfortunately typical of drive-by Internet outrage these days.


Sorry to be pedantic, but this is merely a complaint. This is the initial document used to get an arrest warrant. An indictment is returned by a grand jury.

http://www.mololamken.com/news-knowledge-29.html


Edited, thanks.


Intersting. She ran three commands - the first downloaded IAM credentials and the second then listed buckets using those credentials.

I'm curious about what the first command could have been

Also this all unfurled after a report to their security line from someone monitoring gists - that public feed as well as text dump sites have always been a good source of new vulnerabilities


It's a wild ride. Who hacks in via Tor and then posts the data to a GitLab account under their own name?


A lot of crime would go unsolved if people just kept their mouths shut. There's a human tendency to need to talk about things you've done, I guess, especially stuff that will get you "street cred".


A lot of crime does indeed go unsolved because of people keeping their mouths shut.


Could be a frame job, remorse, freakout, or some kind of dissociative or other personality disorder.


A news-source I won't mention, because it's trash, did a full stalk of her on social media, and she seemed to be in an _erratic_ state of mind, but maybe that's just her personality.


Or simply the age old quest to become (in)famous.


Love that the FBI agent can't even spell the company's name correctly.


Instead of focusing on the lady involved, perhaps holding Capital One accountable for their part in the matter may be a better thrust to this thread.

While it might not be okay to instigate such breaches, we might also consider it the actions of a whistleblower. Especially given the unusual way she went sbout disclosing things.

Sure, perhaps there is a little bit of hey look at me about it, but at the bottom of the trough it is actually the corporation that has ultimate responsibility.

I look forward to a statement from Capital One of regret that they allowed the breach to happen and will strive for better standards of security.

And that is actually a message for the entire industry.


If I came across an s3 bucket with my credit application details and I could delete it, I would probably do it and then report to their security team. It’s MY data security they’re being casual with.

It occurs to me now that if I did that it would likely be a crime because of the harm to the company. The irony.


Who cares if it has your data in it or not. Just report it to authorities and the guy who runs haveibeenpwned.

Plus what are you going to do with credit card applications anyway? Sell them to a marketing company with some phony story? Or the 'sell them on the darknet to fraudsters in Russia' angle? Unless you're already involved in some dirty business already this isn't very valuable.


I would imagine complete credit card applications contain the type of information identity thieves would be willing to pay good money for.


I think the point is: unless the hacker is already aware of how to sell PII of this nature and how to move "good money" then a hack like this is for naught.

Reading the mistakes made in the hack itself makes me wonder if black markets and money laundering are a skill they posses.


I think you could just sign up on one of the onion drug/fraud markets for ~$500 vendor deposit and put up a listing for those profiles at like $5-10 a pop.

If you were lazy you could just hit up an existing vendor and ask them to sell your data in batches.

I’m not saying this would be a good idea, but it certainly wouldn’t be very difficult.


Then Capital One will find out immediately because banks hire firms to watch darknet markets. JP Morgan discovered a breach when they found data being sold on one of those forums and that was years ago.

This will just intensely increase the scrutiny of where the data came from and they'd likely be caught anyway, unless they did a very clean job security-wise. Which very few people seem to be able to do when the feds really want you.

Moving to Russia or another country without extradition treaties would probably be a good first step of that plan.


By now everyone's identity data is already widely disseminated, no?


I operate under the assumption my name, address, email, social media profiles, social security number, place of birth, and mother's maiden name are all easily available in the wild. I've bought one of those online background checks before, at the very least I can be confident the info on that report is available to anyone.


The old joke.. "DDon't worry, the NSA made a backup for you"

But now its more like "Don't worry The 5Eyes have made back for everyone"


> and I could delete it, I would probably do it

In the UK this would definitely open you up to the Computer Misuse act, and I imagine the police would have something to say to you about evidence tampering too.


Having wide open access to customer details with full ability to read/write on the open internet..? That seems like it should be stretching the Computer Misuse too far, but yes, your're right.


Whats funny to me about this statement is it would propose an interesting legal question in the EU due to GDPR. You certainly do have your right to delete it there.... Despite it being unconventional.


Why am I finding out about this from the news and not an email from Capital One themselves? I wish there was legal liability to inform customers in the event of a data breach.


They are legally obligated, especially in California, to disclose part or all of this breach to customers. But that obligation is not immediate. Give it some time.


According to the Daily Mail article linked above, they've known since mid-July. They could have issued a statement today if they wanted to. I can understand why they didn't do it earlier, to minimize the number of press cycles with their name attached to this incident.

But if this were my credit card company, I would be pretty irked to be finding out about it weeks after the company knew, from the news.


The FBI is probably to blame there, announcing before charges files would be interfering with their investigation


If this is the case, they should have had an announcement ready to go for yesterday. The absence of a response makes it seem like either they’re not taking the incident seriously enough, or they still don’t know the full scope and want to delay their announcement until then.

Either way, not good.


Let me play this sad violin music for them


Do they need to notify those of us not located in California?


YMMV, but all 50 U.S. states require some sort of notice for security breaches.


Nope. You're irrelevant unless they legally have to talk to you /s.


I was there when C1 negotiated that deal with Amazon and they swore it couldn't happen but of course, we all know that's false.


Miss the LevelMoney folks...

Yeah AWS can’t protect you against a misconfigured environment


The problem with AWS (and other cloud providers) is that it's nearly impossible to properly configure an environment because of how many different methods there are to gain access to resources.

Capital One has been all in on AWS and has dedicated an immense amount of time and money to developing systems for managing their AWS resources (Cloud Custodian for instance) and yet they still couldn't protect their data. What chance is there that anyone else could?


The whole point of moving to a cloud provider it allow the quick setup and deployment of new projects/products as well as trying to limit your costs. With that sort of open-ended system, unless everyone is always thinking security first and okay with the inevitable slow downs associated with a highly locked down system then you will more than likely always run the risk of this sort of situation.


Having everything locked down by default on AWS/Azure/GCP would go a long way to improving the security of the internet. Centralisation isn't healthy, but at least these companies could make a credible impact on data security by pushing the mentality.


All AWS APIs are deny-by-default. Only if a pertinent policy (IAM or resource policy) grants access is it allowed.

IME, the usual mistake many implementors make is that they inadvertently grant too many privileges and often to the wrong audience.


> The whole point of moving to a cloud provider it allow the quick setup and deployment of new projects/products

There is nothing approaching quick setup and deployment at large banks.

Not Citibank, but previously worked for a financial firm that sold a copy of it's back office fund administration stack. Large, on site deployment. It would take a month or two to make a simple DNS change so they could locate the services running on their internal network. The client was a US depository trust with trillions on deposit. No, I wont name any names. But getting our software installed and deployed was as much fun as extracting a tooth with a dull wood chisel and a mallet.

This is my experience with one very large bank, but from speaking with others that have worked for/with other large banks, their experience has largely echoed mine. They tend to be very risk averse with external IT products, such as deferring critical security updates because they can't be sure what it could break and also likely don't have end to end tests for critical systems that could cost a lot of money if the upgrade fails.

I know this first hand, because you dont always know or understand whats going on in 3rd party systems. I once screwed up a 3rd party system hosted on site. I was testing an upgrade on a dev server. Part of it invovled schema changes, and I had dbo rights on both production and development servers. The hidden part that I didn't realize is that the 3rd party tool stored DB settings in your Windows roaming profile. So, because we only had 1 Windows AD domain and no otherwise network separation, even though I was on a dev box, I was talking to the prod DB. Didnt even realize it (wasn't directly evident unless you dug deep into settinga) until I started getting calls from my users, complaining of errors. This was on the 3rd of July in the US. By the time I figured out the issue, it was about 3-4am on the 4th of July.

Had to make the call of rolling forward or back. But, the supplied installer was missing some packages, so couldn't complete the install. If we rolled back, an entire days worth of tedious work by a 10 person team would have been lost. Worse yet, the tool was used by traders in Europe who were about to start their day. Being early in the morning on a US holiday, I couldnt reach their support. Couldnt even get of their EU support. I was on the phobe with my boss, his boss and the head of back office at the wee hours of the morning on a holiday.

Decision was made to hold off on doing anything until we could talk to the vendor on the 5th. Ended up rolling forward and completing the install, but I was nearly shutting myself. We were handling somewhere around 25B USD notional in bank debt for several days (which caused huge issues in PNL - proffit and loss - reporting for several business days) that we coyld take no action on.

Thought for sure I was going to be fired. But, in the post mortem, I explained everything, and it was agreed that while I shared some blame, the totality of it wasn't my fault and that because I had diagnosised it and fixed it in the most timely manner I could, I was ok. IIRC, I think the only real remediation we took to prevent a similar mishap was to disable roaming profiles on the dev server and delete all existing profiles on the dev servers...


Yep, sounds like a bank to me. I worked at one of the big 4 for 6 years (way too long, I know) and the experience was horrible. It once took us a full year (no exaggeration) to get a single server allocated...and my group was actually one of the well funded teams


Funding wasn't a problem for the client in my story. They were happy to spend money. I think the initial contract was for X million USD that would have covered something like 5000 support hours on our end (was based on time spent, not per incident) and then after, it was like 300 USD per hour.

Separate project, I know I was billed out at 500 USD per hour 10 years ago. That was working with an exchange. Initially a joint venture, my company decided to divest itself. We sold all the source for the system that we developed and theyd be running to the exchange. We clearly documented our "build" process and requirements. The core part of the system (and as far as I know the only part that ever went live) was a Python app that used very specific modules, but we also had some patches that were submitted upstream, but not yet in public distributions. So, we were very explicit that you need exactly these versions of Python, these explicit versons of the libs and you need to apply our patches to the libs. We had also only developed and tested on a specific version of linux, and made the indication they should use the same, or we couldnt guarantee the software.

Well, we handed all of the source and documentation to the exchange. They, in turn, hired an outside consulting group. For the life of them, they could not get it to work. First question asked was: did you follow the instructions? Response was "of course, do you think we're idiots?"

The assertion that they followed the instructions exactly sent me down around a 3 week debugging session, attempting to reproduce the issues they were having in our office. Starting from scratch and the exact instructions I had written up for them (I was the only author of the Python app that was failing), I could not reproduce the issue.

After 3 weeks of back and forth, escalations on all sides and some thinly veiled accusations of sabotage, I went on site, sat down with the consultant, told him to start from scratch and show me what he'd been doing.

First thing I notice is that he installs the latest version of Python, and latest version of all the extra libs we needed. He'd completely ignored all of our instructions despite telling us the exact opposite!

It took all of 15 minutes to identify and correct the issue. Ended up billing close to 40K USD in support because the contractor didnt follow instructions and, well, lied (intentional or not) about having done so. Never heard a peep about it from management about the hours or questioning the resolution, and as far as I know the exchange paid the bill without question, even in the height of the aftermath of the 2008 crash.


I think AWS's use of synthetic reasoning in this space is groundbreaking and shows the way to go forward for complex systems in the future.

See also: https://aws.amazon.com/blogs/security/protect-sensitive-data...


Are there AWS experts who can do some sort of quick audit or "sanity check" of an environment's configurations? AWS almost makes it too easy for someone who only sort of knows what they're doing (like me) to get things up and running.


There are many different automated systems for checking for misconfigurations in your AWS organization. Capital One even developed a very popular one (Cloud Custodian). Like most automated configuration checkers or monitoring systems they rely on being configured by experts because at their default settings they are mainly a source of annoying alerts that end up auto-filed to email folders you never look in because this is agile and we can rationalize the alert rules in the next iteration (we won't). They can also auto apply actions. Have fun debugging your Cloud Formation stack that failed because the automated checker system terminated the instance without notifying anyone because it was missing a required tag.

As useless as these checkers are, the main problem is that there are so many different ways to gain access to resources that it's almost impossible to have a system that's useful to the business while also provably secure either manually or automatically.

Don't forget even AWS themselves created a "managed" policy for some minor service which accidentally gave users root access in the account: https://medium.com/ymedialabs-innovation/an-aws-managed-poli...


Ironically Capital One built Cloud Custodian, which does just this. But as you can see by the number of pull requests, it is an immense problem space: https://github.com/cloud-custodian/cloud-custodian/pulls?q=i...


AWS locks everything down by default. As far as I know, there is no direct way through the GUI to make a bucket public, you have to know how to add the JSON policy and even then you get a very noticeable warning.


Check out the Trusted Advisor dashboard, GuardDuty is also a good thing to have running in your account


We run this tool every now and again which has helped me in the past. Not sure how it compares to Cloud Custodian though.

https://github.com/toniblyx/prowler


Basically, no. AWS is flexible enough to let you set it up in any complicated way you want, meaning it gives you plenty of rope to hang yourself with. It's arguably much easier to audit a random Linux box for security than an AWS account.


I don't know that there's a "quick audit", there are too by vectors for any single professional to check. You'd be best served by using an auditing or monitoring solution. Even then, you're really just auditing _known_ vectors as it's likely impossible to cover all possible ones.

I used to work on an auditing and monitoring platform, there really are too many vectors.


AWS roles and access are incredibly complex to configure and audit though. Needlessly so.


Generally it's not a good idea to sabotage your employer's clients, but I wonder how many engineers across the Big 3 US cloud providers have the know-how to exploit holes in how Forture 500 companies use their platforms.


This is a legitimate risk.

At a minimum, AWS Support has near complete read access to AWS accounts in connection with support cases.

It would be interesting to hear from an AWS employee how access to customer information is controlled.


Metadata, yes. But not content. So they can see you have 200 c5.9xlarges running in 3 AZs in 3 subnets in one VPC, for example.

But they can't see what you have on the volumes attached to those instances, what processes are running, etc.


I've had AWS support tell me exactly what processes are running on my instance. They do seem to have some visibility beyond metadata.


I'm an Amazon employee here - but my words don't represent the company.

Internally we also talk to AWS support. They absolutely don't have much visibility into our accounts at all - much to my frustrations. They only see metadata - even for internal accounts.

The only teams that have some access to such information is security team, or when you Grant access explicitly to the other person via standard AWS auth mechanism (IAM)


Seems vanishingly unlikely, unless you're using a service (SSM Inventory or similar) that would reflect what you have running/installed.

I'm at AWS and we have basically zero insight into these things.


If you include professional services in that list then the number is quite high. Also, keep in mind that many AWS services are composed of other AWS services, and in that composition there are services and infrastructure operating within AWS to manage it. All of that will operate on some type of maturity curve and sometimes be backed by an alarmingly small team.

So my recommendation is only use AWS services that have been included in compliance certifications that are important to you: https://aws.amazon.com/compliance/services-in-scope/

That of course doesn't mean you won't get hacked, but there's at least some evidence that the service is operated in accordance within AWS control standards, which are generally quite good and should minimize your exposure to rogue admins run amok.


This spooked me. I thought I recognized the name, and then I remembered she had recently contacted me out of the blue on meetup.com to ask if I was interested in doing some urban exploration. I said yes, but we never got around to picking a day. Now I'm kind of glad we didn't!


I'd be kinda bummed I didn't


Few years back the FBI arrested people carding throughout the country. Turns out I knew two. One was just good at social engineering but not a dev by any means, I knew him from the private server community.

The other was someone I followed on Tumblr. I was shocked about him being arrested. He was pretty popular on Tumblr and me and him would chat on TinyChat from time to time.


It's a very small world in these circles. Seems everyone is only a few degrees separate.


After reading the affidavit it was a former AWS employee. The accused worked there from 2015-2016 and it’s not immediately clear that it was a misconfigured S3 bucket. There’s a particular IAM role she used to execute API commands (ListBuckets, etc..). The buckets contained credit card applications and other data including DOB and SSN. She gloated about it on Slack and said she was using a VPN and Tor.

The affidavit is a good read. Linked elsewhere in this thread.


Anyone have a copy of the complaint handy? I'd love to read the Government's allegations in more detail.

(Edited: complaint, not indictment.)


DOJ press release:

https://www.justice.gov/usao-wdwa/pr/seattle-tech-worker-arr...

""" A former Seattle technology company software engineer was arrested today on a criminal complaint charging computer fraud and abuse for an intrusion on the stored data of Capital One Financial Corporation, announced U.S. Attorney Brian T. Moran. PAIGE A. THOMPSON a/k/a erratic, 33, made her initial appearance in U.S. District Court in Seattle today and was ordered detained pending a hearing on August 1, 2019.

According to the criminal complaint, THOMPSON posted on the information sharing site GitHub about her theft of information from the servers storing Capital One data. The intrusion occurred through a misconfigured web application firewall that enabled access to the data. On July 17, 2019, a GitHub user who saw the post alerted Capital One to the possibility it had suffered a data theft. After determining on July 19, 2019, that there had been an intrusion into its data, Capital One contacted the FBI. Cyber investigators were able to identify THOMPSON as the person who was posting about the data theft. This morning agents executed a search warrant at THOMPSON’s residence and seized electronic storage devices containing a copy of the data. """


"ORDER APPOINTING FEDERAL PUBLIC DEFENDER appointing Christopher Sanders for Paige A Thompson. On the basis of the defendant's sworn financial statement, the court finds that he/she is financially unable to retain counsel."

Oh, dear.


intrusion occurred through a misconfigured web application firewall

The affidavit states “exfiltrating and stealing information, including credit card applications and other documents”.

She used a particular role to exfill from an S3 bucket. Not sure how she got the creds for the role she used to execute List Buckets, etc...

Affidavit shows the accused was an employee at the unnamed cloud vendor (clearly AWS at this point) from 2015 - 2016.


Either that or an open MongoDB with default credentials. Again.


Sounds less like intrusion and more like accidental exposure by Capital One.


I stand corrected. It sounds like she exploited a vulnerability that allowed her to assume an IAM role with access, rather than the S3 public permissions I previously assumed.

https://news.ycombinator.com/item?id=20560594


It sounds like an internal threat to me (she was an employee at Amazon).


Not at the time of the hack. Insider access was not used.


Why, exactly, did she "post[ed] on the information sharing site GitHub about her theft of information from the servers storing Capital One data" ?

That seems... unwise. Anyone have a pointer to the github post? Would be interesting to see if it was a "Haha! Look what I did!" kind of thing, or a "Crap, CapOne has an open S3 bucket" kind of post.


>the information sharing site GitHub

I mean if that's what some legal news site calls it… :P




User iancarroll was kind enough to post the complaint from PACER.


So, in other words, you’re asking the government “what’s in your docket?”


I don't trust in the U.S. justice system to handle every crime and person as it should but for us, context is important: This person's Twitter is 0xA3A97B6C, y'all can go there and get a better picture of the situation.


So much evidence of mental illness there (see also Facebook). I hope this person gets help, but given their claim to also be in the country illegally (Tuvalu), who knows.

I was ready to think this person was being set up by someone who didn't like her, given how exposed she was to being identified, but the Twitter and FB posts strongly suggest a vulnerable person making poor decisions instead.


>Erratic finally got arrested?

>Jesus christ, how many times did she come back into Discord rooms she was banned from under new names, just to brag about how she "snuck in," like within two weeks, and of course getting banned again. Being a desperate attention whore is bad opsec.

>I guess she's finally getting all that attention she's been begging for.

>She pulled the same shit with our tiny IRC network nobody on earth could possibly give a shit about. I don't know how a person can be this insane. Relentless stalking of individual users, histrionic rants, literally attempting to dox randos and flooding the server with spambots, you fucking name it.

Sounds like personality disorder.


Given that Ms. Thompson is transgender [0], it's likely a lot was stacked against her emotionally. 40% of trans-identifying individuals to attempt suicide [1]. This is a disappointing omission from the reporting and the road that lies ahead for Ms. Thomson in the hands of the federal prison system is surely horrifying.

[0] https://twitter.com/0xA3A97B6C/status/1152518528907354112 [1] https://transequality.org/sites/default/files/docs/usts/USTS...


I wonder if it could be an effective legal defense for her, akin to plot of Soderbergh Side Effects (2013). "not guilty by reason of insanity" due to hormonal treatment, there are precedents

https://www.charlotteobserver.com/news/local/crime/article64...

https://ps.psychiatryonline.org/doi/full/10.1176/appi.ps.53....

https://www.mercurynews.com/2012/08/21/man-acquitted-after-a...


As a transgender person, I can tell you that estradiol absolutely cannot induce insanity. At the absolute most, it can screw with your emotions in the same exact ways as PMS (and PMS is indeed caused by hormonal fluctuations).

The idea that it's on the same level as ambien is absurd.


NGRI is just a legal term covering committing a crime while not in full possession of ones faculties, not limited to the put me in the cuckoo house stuff people tend to associate with the word.


Maybe drs shouldn't prescribe meds in such doses if they have such harmful effects?


It's really tough, because not treating gender dysphoria properly can be much more dangerous. It's a severe disorder thats made much, much worse by discrimination.

It really seems like a lot of cases of gender dysphoria is more society driven. Younger trans or non-binary kids I know seem to be quite a bit happier than trans folks I know in their 30's. Gender is not inherently tied to sex, and variation in gender expression is normal and not unhealthy at all (societies all around the world recognize it). I think improving attitudes might really be having an effect of reducing the amount of gender dysphoria.


I recommend researching and listening to the growing group of young people (mostly women) who are talking about their experience with desistance.


Interestingly the Daily Mail had this detail, and I wondered why they felt the need to include it; at first glance it didn't seem at all relevant. My belief is that the small number of trans people I know would rather be judged by their actions in an absolute sense, rather than "well this is kinda excusable because he/she is trans", but maybe I need to re-examine that.


The Tuvalu thing was obviously a joke.

But yes, those tweets do show that this person is clearly experiencing a mental health crisis.


Stolen from someone else but:

I wonder if we should create a new BSI (Broken System Interconnection) model

1 - Customer

2 - Former Employee

3 - Current Employee

4 - Bitcoin Miners

5 - Unknown Hackers

6 - Own Government

7 - Foreign Government

8 - Hardware Vulnerability


What was Slack's role in all of this?

They appear to have turned over historical images and chat logs, not just for the person indicted, but even others in the same channel.

Did the FBI ask nicely or was there actually some formal process?


Some of the conversation occurred on her Slack server, which as of an hour or two ago was still completely open/public via an invite linked shared on Meetup.

The entire server chat log is a few Google searches away.


Right. It was an open Slack group. It's likely the Special Agent is the source of those logs and photos; no need for Slack to confirm anything except for metadata to authenticate the logs (if that's even necessary for yet another nail in the coffin).


The complaint doesn't make it clear what happened in this specific case, but Slack's general policy is here: https://slack.com/user-data-request-policy


"According to Capital One, its logs show a number of connections or attempted connections to Capital One’s server from TOR exit nodes"

Now there's a fail.


How's that a fail?


They should not be letting egress traffic through to a Tor node.


Do you mean ingress? You probably wouldn’t want to allow ingress or egress, but the statement says connecting from a TOR exit node to CapitalOne, not the other way around.


Sometimes the best way to handle "bad" traffic is not to reject/block it, but to respond to it incredibly slowly, or divert to an uninteresting flaky phantom server, or reject every login attempt (even with correct credentials) to divert attacker's attention.

The ingress was okay, but the egress flow was very very bad!


That seems like a great way to waste your own time accomplishing nothing.


I think it was a part of mailinator’s approach to running a disposable email server.

The operator’s approach to bad actors was to respond as slowly as possible instead of quickly rejecting.


What sort of rule or policy would you put into play to detect that a connection was a TOR node?


Tor node IPs are published, so you can just block that list. There's probably a way to detect them too, but I don't think an exit node can be secret.


Is there enough space in an S3 bucket access policy to include DENY rules for every known Tor IP address?


By the sounds of it, the s3 bucket was internally accessible only. But attacker connected through the corp's Web Application Firewall after grabbing the credentials to login to the S3 bucket.


"Internally accessible only" just means you have to have credentials to access it.

You can also add IP address restrictions to a bucket access policy; this was obviously not done here because once she had the credentials, it didn't matter where she was accessing from.


Looks to me that it should rather be using an IP white list. It's not like their systems would need access to these documents from an dynamic IP dial up connection.


Commenting on you because I can't comment below:

Tor node IPs are published, so you can just block that list.


You can reply to deep-nested posts by clicking into their permalink.


Ah, I thought this was meant from the attacker's perspective.


You probably want your corp firewall to block/deflect connections from TOR exit node IPs.


How is this person's information wiped off the Internet? I literally cannot find anything related to her. Is it just me?


Just keep refreshing this page, people seem to have no problem linking her information all over this thread.

I get that much of this info is already public, but this feels like borderline doxxing.


her twitter account's still active. https://twitter.com/0xA3A97B6C. Also, someone posted other accounts, but that's dead for some reason. https://news.ycombinator.com/item?id=20561258


It might just be you. I was able to find some info about her with Google pretty easily.


The New York Times has also picked up the story: https://www.nytimes.com/2019/07/29/business/capital-one-data...


>Seattle Warez Kiddies

That is some old school naming.


Apparently she used "erratic" as a pseudonym.

After reading through some of the complaint, it seems quite fitting.


Quite possibly self-aware of their own ups and downs.

But that can get you in trouble when you're playing with fire.


I wonder why data security professionals don't practice compartmentalization. 100 million accounts should not be accessible from one account. It should be like watertight compartments in a ship. Breaching one doesn't sink the ship.


I worked at a tech company, three times my personal data was put at risk because someone at HR left their laptop in their car during a night on the town.

I asked if my personal data was stored in files downloaded to the laptop, they said yes.

When I asked why my data needed to be downloaded to the laptop and not limited to just online access they stopped responding.

This of course was the same company who mailed me my co-workers salary in spreadsheet form, twice because my name was similar to another manager.

Why that was necessary was beyond me too.


Data security professionals don’t make these decisions, random developers do. And they do what is easiest.


At most large companies, IT sets the policy and developers are required to work within that policy. I've worked at about 10 jobs. The only one where devs could write their own ticket was a startup


IT doesn’t have any involvement when it comes to S3 buckets at any company I’ve seen. Anything in a cloud tenancy is devops acting with autonomy. Sometimes they have a security person review it, but many companies don’t do that, and the ones that do have way more moving parts than their security engineers are capable of reviewing, so stuff gets through.

Even then, it’s unlikely that a security person would recommend compartmentalizing this particular data set. Any application that needs access to some of it probably needs access to all of it, and it makes little difference if you compromise a server and get one key or if you get 30 keys. The trust boundaries haven’t moved, so it would increase cost without really mitigating any threats.


I don’t think they even had a legitimate reason to keep this data around. Surely they aren’t all active accounts and s3 isn’t a place the data likely needs to be long term.


They have to keep the data at least 7 years because of some regulation(s)

Doesn’t excuse what happened, obviously


I guess this is how we all finally get paid for our data. Just continually file for our $125 check as every company that exists is hacked over the next decade.


FYI, getting a $125 check from Equifax is contingent on most of the people that are eligible to get one not actually requesting it. It'll probably be less


Yeah, there's only $31M allocated for those payouts :/


Because most people won't qualify to get the payout. It's just restitution for people who responded to the news of the breach by paying for credit-monitoring services. If you didn't do that, you don't get paid. You just get free credit-monitoring service.


Incredible, ~147 million people's data was exposed and they've only allocated 248,000 people's worth of checks. That's 0.17% of the victims..


So less than 5% of the settlement goes to people affected? Yes, that seems reasonable...


Right? Also just FYI I pulled that number from

https://www.theverge.com/2019/7/26/8932398/equifax-settlemen...


Our society should give up expecting these things to stay private, secure, secret etc and figure out how to do financial things another way.


dont you mean $2 check? Equifax settlement is capped at ~30mil


Company statement discussed here: https://news.ycombinator.com/item?id=20561212


> Capital One Financial Corp. lost data from as many as tens of millions of credit card applications after a Seattle woman hacked into a cloud-computing company server

> The cloud-computing company, on whose servers Capital One rented space, wasn’t identified in court papers

I can’t tell whether the company virtual server got hacked or whether the cloud provider was who got breached. Hopefully just the vm


Well, the main cloud Capital One uses is Amazon as far as I know.

If you think about the attack vectors here, it was most definitely the virtual server that got attacked. If it was the cloud provider (Amazon), there are a lot of safeguards that these banks use to make sure that any data that touches the shared server persistent storage is encrypted. And when I say safeguards, I mean automation to make sure that this sort of scenario shouldn't ever happen.

This is a huge blow for the public cloud and financial services companies, unfortunately.

Edit: Seemingly a WAF firewall issue. I wonder what happened. These rules should be applied automatically for Capital One using Cloud Custodian [0], so a config issue definitely occurred somewhere.

Final edit: A leaked account with access to IAM permissions. Good lord was occam's razor correct here.

[0] https://github.com/cloud-custodian/cloud-custodian


so I wrote the majority of cloud custodian and still maintain it. I no longer work at capitalone (since jan 2019). afaics the suspect (https://www.linkedin.com/in/paige-t-704a29188/) worked at AWS 3 years ago is also irrelevant which its why its not part of the filing.

the best link for understanding what happened is actually the court case filing not the media reports. https://www.justice.gov/usao-wdwa/press-release/file/1188626...

so this isn't a case of s3 bucket being public/wide open, its a case of a waf iam permissions being overly broad if I'm parsing the filing correctly. Its unclear how the waf product was hacked/bypassed and its credentials obtained.

wrt to custodian in this equation, its not really related afaics, custodian has lots of filters to help determine stuff like is my ec2 or anything with iam role (lambda, etc) overly permissive wrt to permissions (check-permissions filter). it also has the ability to filter individual statements and access on any resource (s3, lambda, etc there are many) with an embedded iam policy on a fine grained basis (allow y accounts but not x accounts) to protect against account level access (cross-account filter). And the ability on ec2 via guard duty alerts to auto remediate (suspend, memory snapshot, yank role, volume snapshot). its used by lots of users/enterprises across the governance, security, cost-optimization domains because its flexible and supports many clouds.


Thanks for writing Cloud Custodian. What are you working on these days?


Still working on custodian, k8s integration up next. else atm. trying to ensure that the next 20 years of opensource are open.


AWS has Macie to catch this sort of thing, not to mention the usual AWS security automation tools available like Security Monkey. Or the fact that a pen test should have caught this, or employees following the data use policy.


Where did you see it was a leaked account?


Attacker had access to the account. It is in the complaint posted by user iancarroll.


"there are a lot of safeguards that these banks use to make sure that any data that touches the shared server persistent storage is encrypted. And when I say safeguards, I mean automation to make sure that this sort of scenario shouldn't ever happen." ROTFLMAO....you have clearly never worked for a bank, no offense mate. Capital left this shit in plain text on an S3 bucket, I guarantee you


If you took ten seconds to look at the posted source note above, you would see Cloud Custodian has a policy to enforce bucket encryption.


Bucket encryption doesn't protect against anything except someone getting access to the hard drives underlying S3 and somehow recovering data.

If you've somehow left access to a bucket open the odds are that you also have it configured to let anyone with access to the bucket decrypt the files. AWS calls this server side encryption, where S3 automatically encrypts and decrypts files for you. You can also do client side encryption, of course, but it's much more difficult to manage because you have to deal with keys in your application.


Default bucket encryption would require you to misconfigure two controls instead of one. S3 only automatically decrypts if you are an authorized principal on the KMS key, having S3 permission is not enough.


"You can also do client side encryption, of course, but it's much more difficult to manage because you have to deal with keys in your application."

Well,SSE-KMS is not difficult to manage if you have sensitive customers data like Capital One does. I use it all the time. You can pretty much audit the buckets and see what is going on.

And if Capital One has used SSE-KMS on the buckets,we might not be talking about this data breach today.Incompetence? Complacency?


I am well aware how S3 works, I just mean you can use custodian to enforce SSE on the bucket as well as KMS based encryption, so the original commenter is just being a troll was the point I was getting at.


And if you knew anything of what you were talking about, you would see how easy it is for an engineer to make a mistake and there is 0 auditing or oversight. Also, if YOU actually took 10 seconds, you would see all the data was un-encrypted and in plain text. So where is all this "safety" the dude is speaking of? Cloud Custodian does shit when implemented incorrectly -and that's my point. You think banks are making all this effort, but in reality, the security team is completely understaffed, often not listened to, and in the end - we find this stuff happening all the time.

There, I gave you more than 10 seconds. Trying keeping up.


They're on AWS so I doubt the cloud provider got hacked, it would have been a much bigger news story. https://aws.amazon.com/solutions/case-studies/innovators/cap...


"I sincerely apologize for the understandable worry this incident must be causing those affected." - CEO

He worded it carefully. He's not apologizing for the actual and potential harm of the breach so as to not take responsibility for it. Not a real, sincere, apology, but just a legally defensive move.


I'm still not clear what I need to do to protect myself from a similar class of misconfiguration mistakes.

"The first command, when executed, obtained security credentials for a role known as *-WAF-Role" says the affadavit.

Was some web app of CapOne coded so the JavaScript app fetched IAM credentials over HTTP so it could do its job by accessing some other S3 bucket?? And thats how Paige or someone she knew found the toehold in? That would be pretty brain dead. Or was it more subtle in terms of pure WAF misconfiguration?


Can someone ELI5 how one bank has critical information on 100M US individuals? Is this metric representative of accounts or anyone involved in a transaction with a Capital One account?


Is it just me or is there no mention from Capital One WHERE customers can go to

1) check if they were affected by this breach and

2) what customers who are affected should do??

great way to start the day...


What to do? Freeze your credit!

https://krebsonsecurity.com/2018/09/credit-freezes-are-free-...

Not just for this breach but for all the past and current ones we don’t know about and future ones that will happen.

The real problem is there is zero security/identity management in our financial systems which is beyond nuts in this day and age.


Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: