Capital One attacker may have breached other major corporations (krebsonsecurity.com)
205 points by panarky 20 days ago | 60 comments

From the snippets of text I've seen in various articles, it just sounds like she was bored? I imagine she had worked for a number of years and saved up a decent amount of money and decided to leave her job, had nothing to do all day and just posted up at a Starbucks working on personal projects, which ended up including hacking into large corporations...?

Reminds me of my first manager, who was mid/late 30s and could've retired very comfortably long ago, and whose primary motivation for working was that boredom, for him, would've been (in his words) a dangerous thing.

"I imagine she had worked for a number of years and saved up a decent amount of money"

This is incorrect.

Is it paranoid to consider if this was a government actor? Boredom is plenty to keep someone from retiring, but digging into private customer data I'd think would take a pretty serious motivation. If I had the resources and wanted to wreak some havoc on the US economy, data security (i.e. lack thereof) would certainly seem like a weak point worth prodding.

I don’t think a government actor would put them on the same public github that is linked to their resume.. The only way I can see her being so smart and yet so dumb is if she didn’t think much of what she was doing.

Probably had moments of insight and lapses of insight at different times.

It’s a roller-coaster that a lot of people can’t understand. Oh, and Capital One.

Possibly just slowly lost it because of what they see as a terrible industry with terrible practices. The suicide vest comments suggest she knew what she was doing.

Does she just want fame, or did she want to show them?

Maybe not though.

Or knew what she did, but there was no going back.

Does anyone know how she gained the IAM role? Many comments mention her exploiting a misconfigured WAF to gain the role needed to access the S3 bucket, but that is not enough detail to understand the attack.

This is the only question that matters and the lack of information is interesting.

It sounds to me like she got access to an instance running on AWS and used its role to access S3. How she got access to that instance hasn't been revealed, but it was likely vulnerable software running on it that would have been protected by the WAF. All assumptions, but my guess is that the particular vulnerability exploited is probably not that relevant to people in general.

It sounds like that’s the critical detail that is unknown or deliberately being withheld.

Probably lots of vulnerable setups out there unless C1 brewed its own, which doesn’t sound like it’s the case.

What are the best practices when advising IT? IAM and SSO and Windows authentication stuff are strange other worlds to this firmware dweeb

FBI Report suggests something, probably an instance, was left open to the world. Misconfigured firewall is what they said.

It's unclear why the resource couldn't withstand attack, maybe it had known vulnerable software, a weak password, I'm not sure it's been published, but something happened.

Whatever it is was able to assume the *-WAF-Role which had an amazing amount of access.

Given the name of the role and the stupid amount of access, I'd wager it was some shitty security product, but who knows. Maybe we'll find out.

WAF stands for Web Application Firewall - as to how much access this role have, that should be entirely up to Capital One.

I'm aware.

But actually, giving a hacked product access to all data forever is a terrible practice, thus you ask what the motivation for doing so would be.

So either, it's epic fail for being so open with the role, or the role is for a product that asks for all data so it can scan and scrub, for example. i.e. Shitty security product.

Also, sure, it's up to them, but should it be if they can't secure other peoples data?


Doubt it. Modsec wouldn't need access to all your data, would it?

Something commercial that was bought by a ciso or security person who has no common sense, that asks to specifically be configured with access to that much data.

That's my bet.

What's wrong with modsec?

Nothing. The problem here was not the waf, but the credential/role being compromised.

Apparently it was both. The WAF was used to SSRF the metadata service which would have exposed the role.
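The SSRF-to-metadata path mentioned in the comment above, as an added example that is not part of the original thread and not Capital One's or AWS's code: a fake in-memory "network" stands in for the instance metadata service (role name and keys are made up), a naive URL-fetching proxy leaks the role's temporary credentials, and a hardened fetcher that rejects link-local/private destinations and unlisted hosts refuses the same request. The host name `backend.internal` is an assumption for the allow-list.

```python
"""
Added example: simulating an SSRF against the EC2 instance metadata service
(IMDS at 169.254.169.254) and the allow-list/IP-range check that stops it.
Nothing here talks to a real network; FAKE_NETWORK is constructed data.
"""
import ipaddress
import json
from urllib.parse import urlparse

IMDS_HOST = "169.254.169.254"
CREDS_PATH = f"http://{IMDS_HOST}/latest/meta-data/iam/security-credentials/"

# Constructed stand-in for what IMDS (v1, unauthenticated GET) would answer.
# Role name and key material are fake.
FAKE_NETWORK = {
    CREDS_PATH: "example-WAF-Role\n",
    CREDS_PATH + "example-WAF-Role": json.dumps({
        "AccessKeyId": "ASIAEXAMPLE",
        "SecretAccessKey": "fakesecret",
        "Token": "faketoken",
    }),
    "http://backend.internal/health": "ok",
}


def fake_http_get(url: str) -> str:
    """Stand-in for the outbound HTTP call a proxy/WAF component would make."""
    if url not in FAKE_NETWORK:
        raise ConnectionError(f"no route to {url}")
    return FAKE_NETWORK[url]


def vulnerable_fetch(user_url: str, http_get=fake_http_get) -> str:
    """Fetches whatever URL the client names: this is the SSRF primitive."""
    return http_get(user_url)


class BlockedDestination(Exception):
    pass


def hardened_fetch(user_url: str, http_get=fake_http_get,
                   allowed_hosts=frozenset({"backend.internal"})) -> str:
    """Same proxy, but only http(s), only allow-listed hosts, never
    link-local / private / loopback literal IPs (covers 169.254.169.254)."""
    parsed = urlparse(user_url)
    host = parsed.hostname or ""
    if parsed.scheme not in ("http", "https"):
        raise BlockedDestination(f"scheme not allowed: {parsed.scheme!r}")
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None  # a DNS name, not an IP literal
    if ip is not None and (ip.is_link_local or ip.is_private
                           or ip.is_loopback or ip.is_reserved):
        raise BlockedDestination(f"non-public address: {host}")
    if host not in allowed_hosts:
        raise BlockedDestination(f"host not on allow-list: {host}")
    return http_get(user_url)


def steal_role_credentials(fetch) -> dict:
    """What an attacker does with an open fetcher: list the instance's role
    name, then pull that role's temporary credentials."""
    role = fetch(CREDS_PATH).strip()
    return json.loads(fetch(CREDS_PATH + role))


if __name__ == "__main__":
    creds = steal_role_credentials(vulnerable_fetch)
    print("vulnerable proxy leaked keys for AccessKeyId:", creds["AccessKeyId"])
    try:
        steal_role_credentials(hardened_fetch)
    except BlockedDestination as e:
        print("hardened proxy refused:", e)
```

The allow-list is the important half: the IP check alone does not help when the attacker supplies a DNS name that resolves to 169.254.169.254 or a redirect to it, so resolve-then-check and no-redirect are needed in a real fetcher. Separately, IMDSv2 (added by AWS later in 2019) requires a session token obtained with a PUT request, which a GET-only SSRF cannot satisfy.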

Why a WAF role needed so much access to data is something that's hard to explain, and would suggest a major fuckup by the teams involved.

I'd be curious to know since C1 is responsible for a popular open source tool for reporting and remediation of AWS configuration, security and otherwise. Look up cloudcustodian.

That being said, breaking into an instance with a bad S3 role is a foregone conclusion once on that EC2 instance. It will be interesting to learn details.

Common mistake is allowing S3 policies and other IAM policies in general from any AWS account ID, not just "yours", which might explain TFA and other threads here that indicate the accused somehow has data from other companies, not just C1.

Well let's look at some of the policies typically attached to a WAF (https://docs.aws.amazon.com/waf/latest/developerguide/access...)

Maybe instead of waf:* for the action, it was just * ?

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [ "waf:*" ],
          "Resource": [
            "arn:aws:waf::444455556666:webacl/112233d7c-86b2-458b-af83-51c51example"
          ]
        }
      ]
    }
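An added example (mine, not the thread's or AWS's code) that makes the difference concrete between the scoped `waf:*` policy quoted above and the "just `*`" variant the comment asks about, and also covers the earlier point about policies that trust any AWS account ID. The scoped policy is copied from the comment; the wildcard policy, the bucket policy, and the account ID `444455556666` as "our own" account are constructed for illustration.

```python
"""
Added example: a small linter for IAM / S3 bucket policy documents that flags
the two over-broad patterns discussed in the thread: wildcard Action/Resource
and principals outside our own account (including Principal "*").
"""
import json

# Copied from the AWS WAF docs policy quoted above: one service, one web ACL.
SCOPED_WAF_POLICY = json.loads("""
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow",
  "Action": [ "waf:*" ],
  "Resource": [ "arn:aws:waf::444455556666:webacl/112233d7c-86b2-458b-af83-51c51example" ] } ] }
""")

# Constructed: the "just *" variant, every API on every resource.
WILDCARD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}

# Constructed bucket policy that lets any AWS principal read the bucket.
OPEN_BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow",
     "Principal": {"AWS": "*"},
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]}]}


def _as_list(value):
    """IAM allows a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principals(stmt):
    """Flatten Principal ("*" or {"AWS": [...], "Service": [...]}) to strings."""
    p = stmt.get("Principal")
    if p is None:
        return []
    if isinstance(p, str):
        return [p]
    out = []
    for v in p.values():
        out.extend(_as_list(v))
    return out


def _account_of(arn: str):
    parts = arn.split(":")
    return parts[4] if len(parts) > 4 else None


def lint_policy(policy: dict, own_account: str):
    """Return human-readable findings for Allow statements in `policy`."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if "*" in actions:
            findings.append(f"stmt {i}: Action '*' grants every API in every service")
        else:
            wild = [a for a in actions if a.endswith(":*")]
            if wild:
                findings.append(f"stmt {i}: service-wide wildcard actions {wild}")
        if "*" in resources:
            findings.append(f"stmt {i}: Resource '*' (not scoped to specific ARNs)")
        for p in _principals(stmt):
            if p == "*":
                findings.append(f"stmt {i}: Principal '*' trusts every AWS account (and anonymous access)")
            elif p.startswith("arn:aws:iam::") and _account_of(p) != own_account:
                findings.append(f"stmt {i}: principal from another account: {p}")
    return findings


if __name__ == "__main__":
    for name, pol in [("scoped waf", SCOPED_WAF_POLICY),
                      ("wildcard", WILDCARD_POLICY),
                      ("open bucket", OPEN_BUCKET_POLICY)]:
        print(name, "->", lint_policy(pol, "444455556666") or ["clean"])
```

The scoped policy still earns a note for `waf:*`, but it is confined to one web ACL ARN; the wildcard version is flagged on both Action and Resource, which is the shape that turns a compromised role into read access to every bucket. A `Principal` of `*` (or `{"AWS": "*"}`) on a bucket policy is the cross-account trust mentioned a few comments up.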

Based on the slack comments and her behavior described in other stories ... it seems like she was struggling with life and ultimately chose some self destructive behavior.

The lack of security seems like she all but wanted to get caught, or actually did.

I wonder if she is this person - https://www.bleepingcomputer.com/news/security/two-more-wind...

The person in that link, SandboxEscaper, made similar comments. For a week or two she was releasing some stuff and then stopped. She would often make some odd comments in her posts.

I read she literally posted stolen data to github. Might as well have called up the FBI herself

Some other evidence was on GitLab too...

Lots of crumbs left all over social media.

Not only that, it was the same github profile that contained her resume!

Krebs claims "there is evidence to suggest we may hear similar disclosures from other companies soon".


From the article, there are a few other company names listed in the screenshot (caveat: these are just based on filenames, it's not 100% clear that these are the exact companies, they just seem to match):

42lines.net, apperian.com, globalgarner.com, astem.net, ford, identiphy (not clear which), codecademy.com, safesocial.media, starofservice.us, unicreditgroup.eu

There are other files in the dump, but it's not clear which companies they are.

Well hopefully this turns into a helpful public service in the end since she didn't try to sell them or use them for fraud. So most will probably just get fixed, again I hope.

But she was basically asking to go to jail and this could have easily gotten her some good money if she reported it responsibly. Either as an infosec worker or through vuln rewards programs.

Hopefully she has foiled a malware attack or two in her past. Otherwise it’s not looking good for her future.

She doesn’t sound like the most... neurotypical, and US courts really hate that.

infoblox is a company that does DNS, DHCP, and IPAM management. I think the big concern there is that it is at least named to look like it is their CTO's files, so who knows what is in there.

It's interesting that we're still in a place in 2019 where one motivated attacker can compromise the security of major corporations and access sensitive systems and data, and that those corporations don't realise/react to the breach until notified by external parties.

For security to improve, there needs to be a "mess up tolerance" of more than one (i.e. if a single mistake/vulnerability causes a major loss, you're in trouble)

Mistakes happen, vulnerabilities happen, security requires defense in depth to be effective.

As someone responsible for Cloud security for the last several years at a couple of companies, I can tell you exactly how this happens.

You, the sec-ops engineer, propose your pie-in the sky, compartmentalized fortress. There is no one security domain, but many, with barriers in between them, so that having one part of your org compromised leaves the rest intact.

Then, you talk to your peers, and have many discussions of the form, "yes, that's secure, but it's really annoying to work with, and my engineers won't be able to monkey-patch the production environment to test stuff". you say, that's the point, the CTO says, you can't slow down dev.

So, you come up with something that's as secure as you can make it within the limited ability you have to impose inconvenience. Then it comes to implementing the thing.

You don't have time to implement everything yourself, so you delegate. Some people now have credentials to the production systems, and to ease their own debugging, or deployment, spin up little helper bastion instances, so they don't have to use 2FA each time to use SSH or don't have to deal with limited-time SSH cert authorities, or whatever. They roll out your fairly secure design, and forget about the little bastion they've left hanging around, open, with the default SSH private key every dev checks into git. So, any former employee can get into the bastion.

Now, that's what happens when someone designs something secure from the outset.

When you start out with everything being in the default VPC, initially brought up by hand, with a subnet setting which default-assigns public IP addresses, you're basically boned, but that's where most companies which roll services in the cloud start.

did anyone notice the landlord got arrested too? when you see it...


okay I'm dying laughing here, so much win and fail at the same time.

> While federal agents were sweeping the three-bedroom house where Thompson lives they discovered 20 firearms — both assault-style rifles and handguns — as well as firearm accessories, including bumpstocks, scopes, grips and ammunition, in another bedroom, according to a separate complaint filed against the homeowner, 66-year-old Park Quan.

> Quan, who was convicted of being a felon in possession of explosives in 1983 and being a felon in possession of an unregistered machine gun in 1991, was arrested and charged Monday with being a felon in possession of a firearm, federal court records show.

> In the 1983 criminal case, Quan and two co-conspirators were linked to a failed contract killing using a truck bomb made of dynamite, according to court records and news reports. The bomb, which the would-be victim found attached to the underside of his pickup in Ocean Shores, Grays Harbor County, had malfunctioned, The Seattle Times reported at the time.

There are no words...

If you are already a felon for owning a gun, why the hell would you own a bumpstock? Just go full giggle at that point.

> Just go full giggle at that point.

Well it's not as if you can just break into any old gun store or rural home and find a select-fire weapon.

Just put a lightning link into your AR style rifle, and voilà, you have a full auto gun.

Pretty sure a lightning link is more "elect-fire", not select-fire. Not to mention much more dangerous than the relatively well documented and simple (highly illegal without an SOT) procedure that can be easily found to do a proper conversion.

I certainly hope that level of military response was a result of the landlord's prior weapons charges, and not simply standard protocol for a 33 yr old woman's arrest warrant for a non-violent offense.

Yeah it's pretty wild because you have to have an opinion on the hacker’s case and Capital One’s negligence

Then you have to have an opinion on using a warrant on a non-target in the dwelling, and seeing the risk of renting your house out

Then you have to have an opinion on the specific weapons found and how they were acquired

An opinion on felons not being able to have a 2nd amendment right for the rest of their life for things that happened 30 and nearly 40 years ago

AND THEN not wanting to really advocate that when you read about the failed bomb hitman plot in 1983 that created the noncompliance, which is some ACME level wiley coyote goof

All while wondering “so were we unsafe? Would the alternative make us safer if both felons and non-felons peacefully have this kind of weaponry? People have this kind of weaponry?”

The thing that sticks out most to me is that from what’s been disclosed, she didn’t need any insider AWS knowledge or access to achieve these attacks.

I'm sure it didn't hurt to have the in-depth knowledge of AWS from working on their team.

Many articles are suggesting that she was able to do this due to her insider knowledge, this is untrue and shifts the blame off of C1.

She posted a lot of her technique on Twitter. If there were other breaches, they might have been copy cat attacks.

Those aren't exactly novel techniques.

so this attack is different because the culprit got caught? or am I missing something

why isn't this just the usual "we got breached" "Collection #3 available on Empire.onion" "sign up for another $125"

if one individual can attain access to all of that data that "easily", it makes me flabbergasted at the type of data we and other countries are "acquiring" in our new age cyber warfare...

I wonder how Capital One could have been GDPR compliant. Surely they weren’t going into these S3 files and deleting customer data when asked to.

Tangentially related, half of those comments are yikes-tier.

Oof, I regret you posting this comment because I had to go look. Rampant litigation of gender pronouns, if me saying that saves someone else some time and brain melt.

One of many examples why not enabling comments if you have the option to is probably a good idea.

Why are so many people in that forum contradicting themselves? Like they say something criticizing the prior person's opinion on gender and then say something completely intolerant. Is this a running gag? I've never seen people misunderstand a topic so... halfway? It's usually more like "okay I'm learning" or "I completely reject this line of reasoning", but these comments are like something else

As with so many internet comment sections, sometimes, rather than trying to understand, it's best for your own mental health if you close the window, throw your computer in the trash, and go for a walk.

The people on the internet are not the people outside is how I always think of it. Too bad the internet denizens so frequently shape and mold the conversation.

Definitely an important thing to remember. I wonder what percentage of people out there are effectively "read-only" with regard to the public internet, never signing up for accounts (other than personal stuff like email) or leaving comments on news stories.

I think the majority tend to be lurkers for the most part. I believe the Pareto principle (80% of effects come from 20% of causes) maps pretty well to internet cultures based on statistics curated from some of the forums and aggregators around. Can't provide a source for that though.

Far less than half, I'm actually pleasantly surprised.


not helpful or productive.
