Last week Capital One announced a breach of over 100 million credit card applications plus a smaller number of socials. They haven’t explained why there was not a one-to-one relationship since I have never seen a credit card application that didn’t ask for a social, but that is what they say.
Time after time we see cloud breaches; this one is also a cloud breach. And again, it does not appear that there was a flaw or compromise in the cloud infrastructure. What there was was a problem between the keyboard and the chair.
So what do we know so far:
So what was the misconfiguration?
The IAM – Identity and Access Management – service was accessible from outside the Amazon environment and, even more importantly, from outside Capital One’s little world inside AWS, allowing the hacker to use the vulnerability to obtain a set of credentials that granted her access to a number of S3 buckets. Since the service was accessible from anywhere on the planet, the hacker was able to download Capital One’s data.
What is the lesson?
The misconfiguration of cloud services is likely VERY common. The hacker’s knowledge of where to look is what allowed her to exploit the vulnerability. Whether she guessed the misconfiguration or knew about it from her time at Amazon is unclear.
What is important is to put in the effort to set up the systems, processes and regular penetration tests that look for configuration holes.
Certainly starting with the holes that have been exploited before might be smart.
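As an added example (not code from the original post or from Cloudsploit), the check below audits an S3 bucket policy for the shape of hole described above: an Allow grant that a set of stolen credentials can use from anywhere, with no network condition of its own and no Deny statement fencing requests to the account's own VPC endpoint. The account id, role name, bucket name and endpoint id are constructed placeholders, and the condition-key names are assumed to be the standard AWS ones.

```python
import json

# Condition keys that tie a grant to a network the account controls. Assumption: these
# are the standard keys for restricting S3 access to a VPC, a VPC endpoint or a CIDR.
NETWORK_KEYS = {"aws:sourcevpc", "aws:sourcevpce", "aws:sourceip", "aws:vpcsourceip"}
# Operators that, inside a Deny statement, mean "deny unless the request comes from X".
NEGATED_OPS = {"stringnotequals", "stringnotequalsifexists", "notipaddress"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _network_keys(stmt, operators=None):
    """Network-bound condition keys in a statement, optionally only under the given operators."""
    found = set()
    for op, kv in stmt.get("Condition", {}).items():
        if operators is None or op.lower() in operators:
            found |= {k.lower() for k in kv if k.lower() in NETWORK_KEYS}
    return found

def audit_bucket_policy(policy_json):
    """Return the Sids of Allow statements usable from any network: an Allow passes if it
    carries its own network condition or the policy has a Deny that refuses every request
    not coming from a known network."""
    statements = _as_list(json.loads(policy_json).get("Statement", []))
    fenced = any(s.get("Effect") == "Deny" and _network_keys(s, NEGATED_OPS) for s in statements)
    findings = []
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") == "Allow" and not (fenced or _network_keys(stmt)):
            findings.append(stmt.get("Sid", f"statement-{i}"))
    return findings

# Constructed sample policies (account id, role, bucket and endpoint id are placeholders).
ALLOW_STMT = {
    "Sid": "AppRoleRead", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:role/app-role"},
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
}
# Weak: the role's credentials work from anywhere on the Internet.
WEAK_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [ALLOW_STMT]})
# Hardened: the same grant plus a Deny for requests that do not arrive through the account's
# VPC endpoint, so credentials lifted out of the environment are useless from outside it.
HARDENED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [ALLOW_STMT, {
    "Sid": "DenyOutsideVpce", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
    "Resource": ALLOW_STMT["Resource"],
    "Condition": {"StringNotEquals": {"aws:sourceVpce": "vpce-0123456789abcdef0"}},
}]})
```

Running `audit_bucket_policy` over the two policies flags `AppRoleRead` in the weak one and nothing in the hardened one; note that a blanket Deny like this also blocks the account's own administrators unless the condition exempts them, so it belongs in a review before deployment.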
For the rest of the details of this attack, read the source article linked below.
Source: Cloudsploit