Capital One: Convicted techie got in via 'misconfigured' AWS buckets

A former Seattle tech worker has been convicted of wire fraud and computer intrusions in a US federal district court. The conviction follows the infamous 2019 hack of Capital One in which personal information of more than 100 million US and Canadian credit card applicants was swiped from the financial giant's misconfigured …

  1. Pascal Monett

    "Quite an expensive misconfiguration"

    Indeed.

    And I fail to see how a "financial giant" doesn't have personnel sufficiently trained to set up a server.

    Ten years ago I set up a website for the company I was an associate in. It took me all of an hour to find the data to understand and properly lock down the .htaccess file to ensure that the entire file structure of our server would not be accessible.

    I'm not an engineer, just a University-level graduate. It's not rocket science.

    1. Mike 137

      Re: "Quite an expensive misconfiguration"

      "It's not rocket science"

      Nor is a pre-live pen test. But many of my clients have considered that to be an unnecessary expense.

      1. Throatwarbler Mangrove

        Re: "Quite an expensive misconfiguration"

        And this is one of the strangest paradoxes of IT at financial companies. You would think it would be well-funded, especially with regard to security, but the problem with working for bean counters is that they are penurious to a fault.

      2. EricB123

        Re: "Quite an expensive misconfiguration"

        Who in the world would downvote a post about a financial firm being cheap with security?

        Perhaps cybercriminals read The Register too?

    2. Anonymous Coward

      Re: "Quite an expensive misconfiguration"

      >It took me all of an hour to find the data to understand and properly lock down the .htaccess file to ensure that the entire file structure of our server would not be accessible.

      This may not surprise you, given you've already admitted your own lack of expertise, but this would not have protected against the attack in question. The breach was against more than 700 S3 buckets, not the server's negligible local storage. We're not talking about a toy blog running on httpd here; we're talking about the entire data & analytics infrastructure for a tier one bank. The scale of the failure here should not be misunderstood or understated.

      Once able to exploit the WAF due to the misconfiguration, the main data access was enabled by the fact Capital One leveraged AWS IAM and only AWS IAM for protecting bucket contents. This was a deliberate design decision to simplify integrations. The great flaw in IAM-based protections is that most authorization is instance-based. Compromise the instance and get access to make really any network call and you can use that instance's profile, regardless of which user you're running as within the instance. If that instance has bucket access you have bucket access. If that instance can launch other instances you can launch other instances.

      This is a horrible security model and it was for the overwhelming majority of AWS customers at the time their only security model. Its success depends entirely on you designing your instance profile privileges to absolute perfection. It is possible to provide an additional, secondary layer of protection not dependent on AWS IAM through the implementation of client-side encryption. This enables separation of duties and makes exfiltrated S3 data useless. Most AWS users choose not to do this.

      So they "misconfigured their WAF", but they also "chose a security model that abandons every layer of protection above the OS" and they also "chose not to implement a technical control that would have completely prevented this attack" and "lacked auditing to detect an internal user running unauthorised penetration scans" so on and so on and so on.
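A defender-side check in the spirit of the point above about instance-profile privileges: this is an added example, not code from the commenter, Capital One or AWS. It audits an IAM policy document attached to an instance profile for broad S3 data grants, comparing a constructed wide-open policy with a constructed scoped one; the bucket name and VPC endpoint id are assumed placeholders.

```python
import fnmatch
import json

# Constructed sample: an instance profile that grants every S3 action on
# every bucket, the "must be designed to perfection" model described above.
BROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
})

# Constructed sample: the same role scoped to one prefix, read-only, and
# limited to requests arriving through an assumed (placeholder) VPC endpoint.
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject"],
        "Resource": "arn:aws:s3:::example-analytics-bucket/reports/*",
        "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-EXAMPLE0000"}},
    }],
})

# S3 actions that read or enumerate bucket contents.
DATA_ACTIONS = ("s3:GetObject", "s3:ListBucket", "s3:ListAllMyBuckets")


def _as_list(value):
    """IAM lets Action/Resource be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _matches(action, patterns):
    """IAM action patterns use '*' wildcards and are case-insensitive."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def audit_policy(document: str) -> list:
    """Return one finding per Allow statement that grants S3 data access
    on every bucket, or without any Condition limiting where it applies."""
    findings = []
    for idx, stmt in enumerate(json.loads(document).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # explicit Deny statements only narrow access
        actions = _as_list(stmt.get("Action", []))
        granted = [a for a in DATA_ACTIONS if _matches(a, actions)]
        if not granted:
            continue
        resources = _as_list(stmt.get("Resource", []))
        if any(r == "*" or r.startswith("arn:aws:s3:::*") for r in resources):
            findings.append(f"statement {idx}: {granted} on every bucket")
        if "Condition" not in stmt:
            findings.append(f"statement {idx}: {granted} with no Condition")
    return findings


if __name__ == "__main__":
    print("broad :", audit_policy(BROAD_POLICY))
    print("scoped:", audit_policy(SCOPED_POLICY))
```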

      1. Claptrap314

        Re: "Quite an expensive misconfiguration"

        I think you have misapprehended what exactly can be meaningfully done in a multi-tenant environment. Let's go down before we go up. Microprocessors can operate in different modes. For simplicity, let's call them "privileged" (P) and "not privileged" (NP). It comes as a surprise to many people, but when you sudo su - root, you are still running NP. The entire concept of "users" is an OS-level concept, and the root user is simply the one that the OS is happy to grant full access to the system.

        There is a HUGE effort that goes into making sure that code running in NP does not get access to P resources, but none of that matters if the OS gets it wrong. Security is a "shared responsibility" between the processor and the OS. I'm no great student of processor designs, but I have a hard time imagining a system in which the processor managed thousands of security realms. It doesn't really make sense.

        It is the job of the processor to provide the facilities to the OS to restrict access to general hardware resources. The actual management rests entirely on the OS. That includes the network card, and whatever is on the other side.

        Now, suppose you have two computers connected via network cards. Each has their own OS, and each OS is responsible to decide what gets to the other computer, and what to do with what comes from the other computer. I hope you don't have a problem with the processor doing nothing but preventing NP access to the network card.

        Hypervisors bring a new player to the table. Now, the hypervisor runs (often) in P mode, and the OS is kept in NP. In practice, of course, modern processors support three modes, H, P, and NP, but in the end, only the most-privileged mode gets access to the network card, so for this discussion, it's accurate to consider the OS as just another NP process that the hypervisor gives special treatment to in the same way that the OS favors processes running as root.

        So I ask: "What business is it of the hypervisor as to which users' requests have been forwarded to it by the OS?"

        It's not that AWS's IAM is a lousy model--it's that AWS is in no position to extend the OS-level concept of user (and remember, they are happy to run Windows, Mac, and a dozen distributions of Linux) to their hypervisors. A Lambda or EC2 instance is designed to be running a single (primary) application. Security groups and IAM roles are supposed to lock down everything not needed by that application or its helpers.

        If you mix applications on a single instance, I submit that you are almost certainly doing it wrong.

        If you create long-running processes which are accessing segmented data according to external input (also known as a web server), you better not have a Bobby Tables problem--or any other.

        In the cloud, YOU ARE NOT ROOT. You have to design your processes to account for this, not demand that you get a bespoke security model.

        And IAM roles are enough of a pain as it is--I would argue that adding yet another layer of complexity to them would likely reduce end security. People seem to have enough trouble with the concept of "private" versus "public" on S3 buckets...

        1. Anonymous Coward

          Re: "Quite an expensive misconfiguration"

          This has got naff all to do with hypervisors or root or anything else at the OS level or below. S3 is an HTTP-based protocol and AWS IAM very definitely has the concept of users, groups and roles.

          It's also worth stating that it now has concepts like service control policies for MAC, and ABAC which didn't really exist when all of this happened.

      2. Richocet

        Re: "Quite an expensive misconfiguration"

        So why did the bank use cloud services to run its major business functions?

        Either to save money or they felt that it was expected because it was best practice.

        If it was to save money, that would explain declining client-side encryption and not paying for the very best security design money could buy.

        Cutting costs improves profits, unless something goes wrong and there is an expensive mess to clean up.

      3. sniperpaddy

        Re: "Quite an expensive misconfiguration"

        Agreed. For a bank using external cloud services, client-side encryption should be an absolute no-brainer.

        Pure incompetence.

    3. Anonymous Coward

      Re: "Quite an expensive misconfiguration"

      Really, using "the cloud" for something that should be secured, is like a bank that has its vault open onto the high street, then is surprised that one day an employee doesn't lock the door properly.

      Especially when you need to be highly trained to actually make sure the lock is really closed. And the lock, is really a series of locks one after the other in a chain.

  2. Mike 137

    "She wanted data, she wanted money, and she wanted to brag"

    One incompatible purpose there. Bragging invites discovery.

    1. Alan Brown

      Re: "She wanted data, she wanted money, and she wanted to brag"

      Time and time again we run into cases where the miscreant would have escaped without detection (or gotten away with it for far longer, or been essentially untraceable) if they'd kept their mouth shut.

      1. Nifty

        Re: "She wanted data, she wanted money, and she wanted to brag"

        Assumption that profit is the only possible goal for a hack? Tsk.

  3. andy 103

    Throw away the key (no pun intended)

    Anyone who's suggesting the companies should be liable might want to re-read this sentence:

    "she planted cryptocurrency mining software on new servers with the income from the mining going to her online wallet."

    That's where it goes from - you should be grateful that somebody has found this security hole (and yes, at that point the company should be 100% liable) - to zero tolerance or respect for the person who "found" said hole.

    There's a clear difference between people who find security breaches, report them and move on... to this.

    They should lock the bastard up and ensure she's never allowed to use a computer again. Send a clear message.

    1. VoiceOfTruth

      Re: Throw away the key (no pun intended)

      Over the top, your response?

      -> They should lock the bastard up and ensure she's never allowed to use a computer again. Send a clear message.

      The same doesn't happen to murderers, rapists, etc. But because this person started "mining" some crypto currency you get all Puritan? 'Tis the work of Beelzebub, I tell you.

      1. andy 103

        Re: Throw away the key (no pun intended)

        @VoiceOfTruth exactly, the crimes you've mentioned aren't punished anywhere near strongly enough. The same goes for electronic/cyber crimes. It's seen as victimless when in this case it has the potential to impact hundreds of thousands if not millions of people. So no, it's not over the top at all, and that's very much the problem.

        1. VoiceOfTruth

          Re: Throw away the key (no pun intended)

          Ah, thanks for showing your hand. I've met a few swivel eyed people like you in my time.

          Burning at the stake? That's being generous to them, it is! Andy 103 becomes Prime Minister and announces the creation of the Really Painful and Long-lasting Bodily Punishments Ministry. Immediate tenders are invited for all manner of sharp objects, pliers, blow torches, and the like. The Ministry's motto: We do our absolute worst.

          1. andy 103

            Re: Throw away the key (no pun intended)

            @VoiceOfTruth It's interesting because all of those suggested practices are ones that have come from you. I didn't mention burning anyone at the stake.

            The only part of what you've said that's anywhere near the truth is that some crimes - murder etc - aren't always punished sufficiently. The same is certainly true of cyber crime. I think there is a happy medium between a slap on the wrist/fine and burning people at the stake, but I'm not sure you'd be able to figure out where the line is.

    2. Anonymous Coward

      Re: Throw away the key (no pun intended)

      "With some of her illegal access," wrote the office, "she planted cryptocurrency mining software on new servers with the income from the mining going to her online wallet."

      "Ms Thompson used her hacking skills to steal the personal information of more than 100 million people, and hijacked computer servers to mine cryptocurrency,"

      Re-read indeed!

      On first read I thought the miners were actually executed on Capital One's servers. On second read, it makes more sense that Capital One's unsecured S3 was only used to distribute the miners.

  4. Tom 38

    Misconfigured or..

    Misconfigured or configured for public access. How can one tell the difference?

    1. vogon00

      Re: Misconfigured or..

      Misconfigured or configured for public access.

      How can one tell the difference? You can't, because there is no difference, especially given the nature of the owning entity (a bank) and the type of data.

      IMHO 'Configured Correctly' in this case means 'Configured for authenticated partner access', meaning only people on the list, from the correct institutions/entity etc. have access. If that's too hard, inconvenient or costly to implement....tough titty, it's your job to secure shit like that. Public access is the easy option chosen by wankers idiots.

      Please, someone hammer Capital One with a meaningful fine - say 1 or 2% of last FY's net profits?

  5. Anonymous Coward

    Just an FYI

    The perpetrator is a trans person who identifies as woman but is a male. I only bring it up because it is very notable to have a high profile female hacker, but this fact was excluded from the article.

    1. IGotOut

      Re: Just an FYI

      Omitted because it's irrelevant, perhaps?

    2. diodesign (Written by Reg staff)

      "this fact was excluded from the article"

      Because it's not relevant. We don't feel the need to say "born a man" or "born a woman" in all our other hacking stories, so why would we start here?

      I'm being rhetorical, BTW.

      C.

      1. david 12

        Re: "this fact was excluded from the article"

        The original author thought it relevant to report the gender of the criminal. I don't think it any less relevant to report that the criminal had made a choice about change of gender.

    3. Anonymous Coward

      Re: Just an FYI

      "The perpetrator is a trans person"

      I don't think that is the misconfiguration to which others refer.

      1. Paul Hovnanian

        Re: Just an FYI

        Ms. Configured?

  6. VoiceOfTruth

    Keeping data indefinitely?

    -> credit card hopefuls between 2005 and early 2019

    How about Capital One purging data after 10 years? I have no idea if records must be kept this long, but keeping an application for 17 years seems a bit over the top.

  7. Anonymous Coward

    But but

    The Cloud is more secure

  8. First Light

    one out of 30

    What were the other 29 entities she hacked? Did Capital One only get sued because they acknowledged the hack?

  9. Anonymous Coward

    Is it just me?

    Or do most breaches follow the word 'misconfigured' with 'AWS'?

  10. Marty McFly

    Take the 'cyber' out of this crime..

    Look at this as if it was the physical world:

    The side door of a building was unlocked and propped open. Most people only looked at the locked main entrance and assumed the building was secure, but one observant person looked around the side out of curiosity.

    They proceeded to enter the unlocked building where they found confidential information laying around. They grabbed the documents and tossed them out in the street for everyone else to see, but did not use the information to their own financial advantage. And they also spray painted some graffiti in the hallways for good measure.

    That's what we are looking at here. Not even "breaking and entering". Just trespassing. Some petty theft of unsecured items, and some vandalism.

    Absolutely, no doubt, all convictable offenses. But the punishment should really match the crime. A crime which would have never occurred if the responsible parties had shut the door in the first place.

  11. Marty McFly

    "used her hacking skills to steal the personal information of more than 100 million people"

    So with an unsecured repository, those "hacking skills" would be a copy/paste operation. Got it.

  12. Emilydavis

    credit card

    I will always recommend secure data when it comes to credit related problems and clearing of debt, removal of evictions, collections, late payments etc.

    He increased my scores from 496 to 795 and cleared all my credit card debt. He did it professionally and it took him one week to finish up.

    He is a life saver guys. You can reach out and tell him I referred you: securedataaccess At gmail Dot Com
