From the snippets of text I've seen in various articles, it just sounds like she was bored? I imagine she had worked for a number of years and saved up a decent amount of money and decided to leave her job, had nothing to do all day and just posted at a Starbucks working on personal projects, which ended up including hacking into large corporations...?
Reminds me of my first manager, who was mid/late 30s and could've retired very comfortably long ago, and his primary motivation for working was because boredom, for him, would've been (in his words) a dangerous thing.
Is it paranoid to consider if this was a government actor? Boredom is plenty to keep someone from retiring, but digging into private customer data I'd think would take a pretty serious motivation. If I had the resources and wanted to wreak some havoc on the US economy, data security (i.e. lack thereof) would certainly seem like a weak point worth prodding.
I don't think a government actor would put them on the same public GitHub that is linked to their resume. The only way I can see her being so smart and yet so dumb is if she didn't think much of what she was doing.
Possibly just slowly lost it because of what they see as a terrible industry with terrible practices. The suicide vest comments suggest she knew what she was doing.
Does she just want fame, or did she want to show them?
Does anyone know how she gained the IAM role? Many comments mention her exploiting a misconfigured WAF to gain the role needed to access the S3 bucket, but that is not enough detail to understand the attack.
FBI report suggests something, probably an instance, was left open to the world. Misconfigured firewall is what they said.
It's unclear why the resource couldn't withstand attack; maybe it had known vulnerable software, a weak password, I'm not sure it's been published, but something happened.
Whatever it is was able to assume the *-WAF-Role which had an amazing amount of access.
Given the name of the role and the stupid amount of access, I'd wager it was some shitty security product, but who knows. Maybe we'll find out.
But actually, giving a hacked product access to all data forever is a terrible practice, thus you ask what would the motivation be of doing so.
So either, it's epic fail for being so open with the role, or the role is for a product that asks for all data so it can scan and scrub, for example. i.e. Shitty security product.
Also, sure, it's up to them, but should it be if they can't secure other peoples data?
Doubt it. Modsec wouldn't need access to all your data, would it?
Something commercial that was bought by a ciso or security person who has no common sense, that asks to specifically be configured with access to that much data.
It sounds to me like she got access to an instance running on AWS and used its role to access S3. How she got access to that instance hasn't been revealed but likely to be vulnerable software running on it that would have been protected by the WAF. All assumptions but my guess is that the particular vulnerability exploited is probably not that relevant to people in general.
I'd be curious to know since C1 is responsible for a popular open source tool for reporting and remediation of AWS configuration, security and otherwise. Look up cloudcustodian.
That being said, breaking into an instance with a bad S3 role is a foregone conclusion once on that EC2 instance. It will be interesting to learn details.
A common mistake is allowing S3 policies and other IAM policies in general from any AWS account ID, not just "yours", which might explain the TFA and other threads here that indicate the accused somehow has data from other companies, not just C1.
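An added example (not code from any commenter, Capital One, or cloudcustodian) of the check the comment above describes: scanning an S3 bucket policy or IAM role trust policy for Allow statements whose AWS principal is a wildcard with no account/org condition, or an account other than your own. The account IDs, org ID and bucket names are constructed.

```python
"""Flag policy statements that let any AWS account, or a foreign account,
reach the resource. Added example; all policy documents are constructed."""
import json

OWN_ACCOUNT = "111111111111"  # constructed account id, stands in for "yours"

# Condition keys that pin a wildcard principal back to a known account/org.
SCOPING_KEYS = {"aws:PrincipalAccount", "aws:SourceAccount",
                "aws:PrincipalOrgID", "aws:PrincipalArn", "aws:SourceArn"}


def aws_principals(stmt):
    """Return the AWS (account/user/role) principals of a statement.
    Service principals such as ec2.amazonaws.com are a separate concern
    and are deliberately skipped."""
    p = stmt.get("Principal", {})
    if p == "*":
        return ["*"]
    out = []
    if isinstance(p, dict):
        v = p.get("AWS", [])
        out.extend(v if isinstance(v, list) else [v])
    return out


def account_of(principal):
    """'*' stays '*'; an ARN yields its account field; else a bare account id."""
    if principal == "*":
        return "*"
    if principal.startswith("arn:"):
        return principal.split(":")[4]
    return principal


def is_account_scoped(stmt):
    """True if any condition operator restricts the caller's account/org."""
    for operator in stmt.get("Condition", {}).values():
        if isinstance(operator, dict) and SCOPING_KEYS & set(operator):
            return True
    return False


def find_open_principals(policy_json, own_account=OWN_ACCOUNT):
    """Return (statement index, principal, kind) for risky Allow statements."""
    doc = json.loads(policy_json)
    stmts = doc.get("Statement", [])
    if isinstance(stmts, dict):
        stmts = [stmts]
    findings = []
    for idx, stmt in enumerate(stmts):
        if stmt.get("Effect") != "Allow":
            continue
        for principal in aws_principals(stmt):
            acct = account_of(principal)
            if acct == "*" and not is_account_scoped(stmt):
                findings.append((idx, principal, "ANY_ACCOUNT"))
            elif acct not in ("*", own_account):
                findings.append((idx, principal, "FOREIGN_ACCOUNT"))
    return findings


# Constructed sample policies.
BUCKET_POLICY_OPEN = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::example-customer-data/*"}]})

BUCKET_POLICY_FIXED = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AppRead", "Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::111111111111:role/AppRole"},
                   "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::example-customer-data/*"}]})

TRUST_POLICY_MIXED = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        # Wildcard, but pinned to one org: acceptable.
        {"Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "sts:AssumeRole",
         "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorg"}}},
        # Some other account's root can assume this role: flagged.
        {"Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::999999999999:root"},
         "Action": "sts:AssumeRole"},
        # Service principal: not an AWS-account grant, skipped.
        {"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"},
         "Action": "sts:AssumeRole"}]})

if __name__ == "__main__":
    for name, pol in [("bucket-open", BUCKET_POLICY_OPEN),
                      ("bucket-fixed", BUCKET_POLICY_FIXED),
                      ("trust-mixed", TRUST_POLICY_MIXED)]:
        print(name, find_open_principals(pol))
```

In a real account the same function would be fed the JSON from `get_bucket_policy` / `get_role` via boto3; the point is that a wildcard principal is only acceptable when a condition narrows it back to your own account or organization.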
Based on the Slack comments and her behavior described in other stories ... it seems like she was struggling with life and ultimately chose some self-destructive behavior.
The lack of security seems like she all but wanted to get caught, or actually did.
The person in that link, SandboxEscaper, made similar comments. For a week or two she was releasing some stuff and then stopped. She would often make some odd comments in her posts.
From the article, there are a few other company names listed in the screenshot (caveat: these are just based on filenames, it's not 100% clear that these are the exact companies, they just seem to match):
Well hopefully this turns into a helpful public service in the end since she didn't try to sell them or use them for fraud. So most will probably just get fixed, again I hope.
But she was basically asking to go to jail and this could have easily gotten her some good money if she reported it responsibly. Either as an infosec worker or through vuln rewards programs.
infoblox is a company that does DNS, DHCP, and IPAM management. I think the big concern there is that it is at least named to look like it is their CTO's files, so who knows what is in there.
It's interesting that we're still in a place in 2019 where one motivated attacker can compromise the security of major corporations and access sensitive systems and data, and that those corporations don't realise/react to the breach until notified by external parties.
For security to improve, there needs to be a "mess up tolerance" of more than one (i.e. if a single mistake/vulnerability causes a major loss, you're in trouble).
Mistakes happen, vulnerabilities happen; security requires defense in depth to be effective.
As someone responsible for Cloud security for the last several years at a couple of companies, I can tell you exactly how this happens.
You, the sec-ops engineer, propose your pie-in the sky, compartmentalized fortress. There is no one security domain, but many, with barriers in between them, so that having one part of your org compromised leaves the rest intact.
Then, you talk to your peers, and have many discussions of the form, "yes, that's secure, but it's really annoying to work with, and my engineers won't be able to monkey-patch the production environment to test stuff". You say that's the point; the CTO says you can't slow down dev.
So, you come up with something that's as secure as you can make it within the limited ability you have to impose inconvenience. Then it comes to implementing the thing.
You don't have time to implement everything yourself, so you delegate. Some people now have credentials to the production systems, and to ease their own debugging, or deployment, spin up little helper bastion instances, so they don't have to use 2FA each time to use SSH or don't have to deal with limited-time SSH cert authorities, or whatever. They roll out your fairly secure design, and forget about the little bastion they've left hanging around, open to 0.0.0.0 with the default SSH private key every dev checks into git. So, any former employee can get into the bastion.
Now, that's what happens when someone designs something secure from the outset.
When you start out with everything being in the default VPC, initially brought up by hand, with a subnet setting which default-assigns public IP addresses, you're basically boned, but that's where most companies which roll service in the cloud start.
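The forgotten bastion in the story above is exactly the kind of thing a periodic scan should catch. As an added example (not code from the commenter or from any project), here is a check over security group rules in the shape returned by boto3's `ec2.describe_security_groups()["SecurityGroups"]`, reporting any group that exposes SSH to the whole internet; the group IDs and rules are constructed.

```python
"""Find security groups that expose a port (default SSH/22) to 0.0.0.0/0 or ::/0.
Added example; the security group data below is constructed."""

INTERNET_CIDRS = {"0.0.0.0/0", "::/0"}


def rule_exposes_port(perm, port):
    """Does this IpPermissions entry cover `port` over TCP (or all protocols)?"""
    proto = perm.get("IpProtocol")
    if proto == "-1":            # "all traffic" rule covers every port
        return True
    if proto not in ("tcp", "6"):
        return False
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    return lo is not None and hi is not None and lo <= port <= hi


def internet_cidrs(perm):
    """CIDR ranges in this rule that mean 'anyone', IPv4 or IPv6."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return [c for c in cidrs if c in INTERNET_CIDRS]


def open_port_findings(groups, port=22):
    """Return (GroupId, cidr) for every rule exposing `port` to the internet."""
    findings = []
    for group in groups:
        for perm in group.get("IpPermissions", []):
            if not rule_exposes_port(perm, port):
                continue
            for cidr in internet_cidrs(perm):
                findings.append((group["GroupId"], cidr))
    return findings


# Constructed sample, mimicking describe_security_groups output.
SAMPLE_GROUPS = [
    {"GroupId": "sg-bastion",   # the helper bastion nobody cleaned up
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-app",       # SSH only from the corporate range: fine
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                        "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
    {"GroupId": "sg-legacy",    # all protocols, all ports, from anywhere (v6)
     "IpPermissions": [{"IpProtocol": "-1",
                        "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-web",       # public HTTPS is expected, not an SSH finding
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]

if __name__ == "__main__":
    for group_id, cidr in open_port_findings(SAMPLE_GROUPS):
        print(f"{group_id}: port 22 open to {cidr}")
```

Run against live data, the same function works on the list from `describe_security_groups`; the port-range and `-1` handling matters because the rule that exposes SSH is rarely labelled "22 to 22".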
> While federal agents were sweeping the three-bedroom house where Thompson lives they discovered 20 firearms — both assault-style rifles and handguns — as well as firearm accessories, including bumpstocks, scopes, grips and ammunition, in another bedroom, according to a separate complaint filed against the homeowner, 66-year-old Park Quan.
> Quan, who was convicted of being a felon in possession of explosives in 1983 and being a felon in possession of an unregistered machine gun in 1991, was arrested and charged Monday with being a felon in possession of a firearm, federal court records show.
> In the 1983 criminal case, Quan and two co-conspirators were linked to a failed contract killing using a truck bomb made of dynamite, according to court records and news reports. The bomb, which the would-be victim found attached to the underside of his pickup in Ocean Shores, Grays Harbor County, had malfunctioned, The Seattle Times reported at the time.
Pretty sure a lightning link is more "elect-fire", not select-fire. Not to mention much more dangerous than the relatively well documented and simple (highly illegal without an SOT) procedure that can be easily found to do a proper conversion.
I certainly hope that level of military response was a result of the landlord's prior weapons charges, and not simply standard protocol for a 33 yr old woman's arrest warrant for a non-violent offense.
Yeah, it's pretty wild because you have to have an opinion on the hacker's case and Capital One's negligence
Then you have to have an opinion on using a warrant on a non-target in the dwelling, and seeing the risk of renting your house out
Then you have to have an opinion on the specific weapons found and how they were acquired
An opinion on felons not being able to have a 2nd amendment right for the rest of their life for something that happened 30 and nearly 40 years ago
AND THEN not wanting to really advocate that when you read about the failed bomb hitman plot in 1983 that created the noncompliance, which is some ACME level Wile E. Coyote goof
All while wondering “so were we unsafe? Would the alternative make us safer if both felons and non-felons peacefully have this kind of weaponry? People have this kind of weaponry?”
If one individual can attain access to all of that data that "easily", it makes me flabbergasted at the type of data we and other countries are "acquiring" in our new age cyber warfare...
Oof, I regret you posting this comment because I had to go look. Rampant litigation of gender pronouns, if me saying that saves someone else some time and brain melt.
Why are so many people in that forum contradicting themselves? Like they say something criticizing the prior person's opinion on gender and then say something completely intolerant. Is this a running gag? I've never seen people misunderstand a topic so... halfway? It's usually more like "okay I'm learning" or "I completely reject this line of reasoning", but these comments are like something else
As with so many internet comment sections, sometimes, rather than trying to understand, it's best for your own mental health if you close the window, throw your computer in the trash, and go for a walk.
The people on the internet are not the people outside is how I always think of it. Too bad the internet denizens so frequently shape and mold the conversation.
Definitely an important thing to remember. I wonder what percentage of people out there are effectively "read-only" with regard to the public internet, never signing up for accounts (other than personal stuff like email) or leaving comments on news stories.
I think the majority tend to be lurkers for the most part. I believe the Pareto principle (80% of effects come from 20% of causes) maps pretty well to internet cultures based on statistics curated from some of the forums and aggregators around. Can't provide a source for that though.