Reminds me of my first manager, who was mid/late 30s and could've retired very comfortably long ago, and his primary motivation for working was because boredom, for him, would've been (in his words) a dangerous thing.
This is incorrect.
It’s a roller-coaster that a lot of people can’t understand. Oh, and Capital One.
Does she just want fame, or did she want to show them?
Maybe not though.
Probably lots of vulnerable setups out there unless C1 brewed its own, which doesn’t sound like it’s the case.
It's unclear why the resource couldn't withstand attack; maybe it had known vulnerable software or a weak password. I'm not sure it's been published, but something happened.
Whatever it is was able to assume the *-WAF-Role which had an amazing amount of access.
Given the name of the role and the stupid amount of access, I'd wager it was some shitty security product, but who knows. Maybe we'll find out.
But actually, giving a hacked product access to all data forever is a terrible practice, thus you ask what the motivation would be for doing so.
So either it's an epic fail for being so open with the role, or the role is for a product that asks for all data so it can scan and scrub, for example. i.e. a shitty security product.
Also, sure, it's up to them, but should it be if they can't secure other people's data?
Something commercial that was bought by a ciso or security person who has no common sense, that asks to specifically be configured with access to that much data.
That's my bet.
Why a WAF role needed so much access to data is something that's hard to explain, and would suggest a major fuckup by the teams involved.
That being said, breaking into an instance with a bad S3 role is a foregone conclusion once on that EC2 instance. It will be interesting to learn details.
A common mistake is allowing S3 policies and other IAM policies in general from any AWS account ID, not just "yours", which might explain the TFA and other threads here that indicate the accused somehow has data from other companies, not just C1.
Maybe instead of waf:* for the action, it was just * ?
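The two mistakes the comments above guess at (a bare `*` Action where a scoped `waf:...` set was meant, and a bucket policy that admits any AWS account rather than only your own) can be linted mechanically. This is an added example, not code from the thread or from Capital One; the account ID and both sample policies are constructed placeholders.

```python
# Added example (not from the thread): flags the two policy mistakes the comments
# above describe. Account ID and sample policies are constructed placeholders.
import re

OWN_ACCOUNT = "111111111111"  # placeholder for "your" AWS account ID

def _as_list(v):
    return v if isinstance(v, list) else [v]

def audit_policy(doc, own_account=OWN_ACCOUNT):
    """Return (sid, finding) pairs for Allow statements that are too broad."""
    findings = []
    for i, st in enumerate(_as_list(doc.get("Statement", []))):
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", f"Statement{i}")
        # Wildcard actions: "*" is everything; "s3:*" is every call in one service.
        for action in _as_list(st.get("Action", [])):
            if action == "*":
                findings.append((sid, "Action '*' grants every API call"))
            elif action.endswith(":*"):
                findings.append((sid, f"service-wide wildcard Action {action}"))
        # Principals (bucket/resource policies): anything beyond your own account.
        principal = st.get("Principal")
        if principal is not None:
            aws = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
            for p in aws:
                acct = re.search(r"\d{12}", p)
                if p == "*":
                    findings.append((sid, "Principal '*' admits any AWS account"))
                elif acct and acct.group(0) != own_account:
                    findings.append((sid, f"foreign account {acct.group(0)} allowed"))
    return findings

# Constructed bucket policy: every action, from anyone (the pattern guessed at above).
WIDE_OPEN = {"Statement": [{"Sid": "Open", "Effect": "Allow", "Principal": "*",
                            "Action": "*", "Resource": "arn:aws:s3:::example-bucket/*"}]}

# Constructed tightened version: one role in your own account, two read-only
# calls, one key prefix.
SCOPED = {"Statement": [{"Sid": "Scoped", "Effect": "Allow",
                         "Principal": {"AWS": f"arn:aws:iam::{OWN_ACCOUNT}:role/waf-logs"},
                         "Action": ["s3:GetObject", "s3:ListBucket"],
                         "Resource": "arn:aws:s3:::example-bucket/waf-logs/*"}]}

if __name__ == "__main__":
    for name, doc in (("wide-open", WIDE_OPEN), ("scoped", SCOPED)):
        print(name, audit_policy(doc) or "no findings")
```

Feed it the JSON from `aws iam get-role-policy` or `aws s3api get-bucket-policy` to run it over real documents.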
The lack of security seems like she all but wanted to get caught, or actually did.
The person in that link, SandboxEscaper, made similar comments. For a week or two she was releasing some stuff and then stopped. She would often make some odd comments in her posts.
Lots of crumbs left all over social media.
42lines.net, apperian.com, globalgarner.com, astem.net, ford, identiphy (not clear which), codecademy.com, safesocial.media, starofservice.us, unicreditgroup.eu
There are other files in the dump, but it's not clear which companies they are.
But she was basically asking to go to jail and this could have easily gotten her some good money if she reported it responsibly. Either as an infosec worker or through vuln rewards programs.
She doesn’t sound like the most... neurotypical, and US courts really hate that.
For security to improve, there needs to be a "mess up tolerance" of more than one (i.e. if a single mistake/vulnerability causes a major loss, you're in trouble).
Mistakes happen, vulnerabilities happen; security requires defense in depth to be effective.
You, the sec-ops engineer, propose your pie-in-the-sky, compartmentalized fortress. There is no one security domain, but many, with barriers in between them, so that having one part of your org compromised leaves the rest intact.
Then, you talk to your peers, and have many discussions of the form, "yes, that's secure, but it's really annoying to work with, and my engineers won't be able to monkey-patch the production environment to test stuff". You say that's the point; the CTO says you can't slow down dev.
So, you come up with something that's as secure as you can make it within the limited ability you have to impose inconvenience. Then it comes to implementing the thing.
You don't have time to implement everything yourself, so you delegate. Some people now have credentials to the production systems, and to ease their own debugging, or deployment, spin up little helper bastion instances, so they don't have to use 2FA each time to use SSH or don't have to deal with limited-time SSH cert authorities, or whatever. They roll out your fairly secure design, and forget about the little bastion they've left hanging around, open to 0.0.0.0 with the default SSH private key every dev checks into git. So, any former employee can get into the bastion.
Now, that's what happens when someone designs something secure from the outset.
When you start out with everything being in the default VPC, initially brought up by hand, with a subnet setting which default-assigns public IP addresses, you're basically boned, but that's where most companies which roll out services in the cloud start.
Okay, I'm dying laughing here, so much win and fail at the same time.
> Quan, who was convicted of being a felon in possession of explosives in 1983 and being a felon in possession of an unregistered machine gun in 1991, was arrested and charged Monday with being a felon in possession of a firearm, federal court records show.
> In the 1983 criminal case, Quan and two co-conspirators were linked to a failed contract killing using a truck bomb made of dynamite, according to court records and news reports. The bomb, which the would-be victim found attached to the underside of his pickup in Ocean Shores, Grays Harbor County, had malfunctioned, The Seattle Times reported at the time.
There are no words...
Well it's not as if you can just break into any old gun store or rural home and find a select-fire weapon.
Then you have to have an opinion on using a warrant on a non-target in the dwelling, and seeing the risk of renting your house out.
Then you have to have an opinion on the specific weapons found and how they were acquired.
An opinion on felons not being able to have a 2nd amendment right for the rest of their life for things that happened 30 and nearly 40 years ago.
AND THEN not wanting to really advocate that when you read about the failed bomb hitman plot in 1983 that created the noncompliance, which is some ACME-level Wile E. Coyote goof.
All while wondering “so were we unsafe? Would the alternative make us safer if both felons and non-felons peacefully have this kind of weaponry? People have this kind of weaponry?”
Why isn't this just the usual "we got breached", "Collection #3 available on Empire.onion", "sign up for another $125"?