Capital One Data Breach: Seattle Hacker Exposes 100 Million Records

Barely a week after the Equifax data breach was settled for nearly $650 million, there is news of an almost equally large mega-breach, announced today by Capital One. Capital One said in a statement that this breach has affected approximately 100 million individuals in the United States and approximately 6 million in Canada. The breach appears to be largely related to credit card application data, as the statement notes: “The largest category of information accessed was information on consumers and small businesses as of the time they applied for one of our credit card products from 2005 through early 2019.”

According to the complaint filed by the U.S. Attorney’s Office for the Western District of Washington, Seattle software engineer turned hacker Paige Thompson (aka “erratic”) is being charged for involvement in the unlawful access and exfiltration of this data under the Computer Fraud and Abuse Act (CFAA).

On July 17, 2019, Capital One was notified of the potential breach through an email address it uses to solicit disclosures of actual or potential vulnerabilities in its computer systems. The screenshot shown below comes from the complaint document; you can see that it notes the existence of potentially “leaked s3 data.”

The moniker “s3” stands for Simple Storage Service, a service hosted by Amazon Web Services (AWS). Also according to the complaint, a firewall misconfiguration was to blame for the initial allowed interaction between the hacker and the system.

There are a few extraordinary circumstances surrounding this case that are unusual for cybercrime/breach issues that have really piqued my interest:

  • A suspect has already been taken into custody. Typically, those investigating large breaches like these can only postulate, with some degree of certainty, who the bad actor was. In this case, someone has been charged with a crime, and it happened quickly. This appears to have been possible because the bad actor boasted about it publicly. That is odd for a couple of reasons: (1) bad people don’t like to get caught, and boasting would be a dumb move, and (2) why use a TOR node to exploit the environment if you were going to publicly boast about it anyway?
  • The suspect is from the United States, and her motive is unclear. Many breaches that we are accustomed to hearing about in the news involve foreign-based actors and different motives behind the attacks. This attack appears to have been carried out by a bad actor within our borders, and there doesn’t appear to have been any disclosure of the data, as the Capital One press release notes: “we believe it is unlikely that the information was used for fraud or disseminated by this individual.” Perhaps the swift action of law enforcement prevented the data from being disseminated.
  • It appears somewhat likely that the bad actor may have exploited commercial infrastructure that she had helped to build. Follow me for a moment. The U.S. Attorney’s complaint notes that information posted on a GitLab page led investigators to believe the bad actor worked for a cloud computing company at one point as a “systems engineer” from 2015-2016. However, the complaint does not identify who this former employer was. A quick search for “Paige Thompson” on GitLab produces a resume for a woman named Paige Thompson that notes she worked at AWS from 2015-2016 as a “Systems Engineer Lvl. 4” for the Amazon AWS S3 department. Her experience notes that she “Assisted in the build-out and deployment of new load balancing capacity for S3.”

While there is undoubtedly much more to come on this event, the initial details are very interesting. From a business standpoint, there are many lessons to be gleaned from this event. Regular security audits and penetration testing of all assets, including cloud infrastructure, are a highly recommended and valuable exercise that can bring to light serious issues that can lead to events like these. Beyond security audits and penetration tests, there were several signs of bad activity that should have been logged, identified and alerted on, but were missed. For example, the complaint mentions the following bad activity found in the logs: VPN connections from the IPredator anonymization service, TOR exit node connections, and anomalous behavior from rarely used accounts. Be sure to learn from others’ mistakes to strengthen your own environment and help avoid issues like this.
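To make the “should have been logged, identified and alerted on” point concrete, here is an added example of detection logic run over sample access-log lines. It is not code from the original post, from Capital One or from AWS. The log format, the role names, the 30-day call baseline and the IP ranges standing in for a TOR exit-node / anonymizing-VPN feed are all constructed (the ranges are RFC 5737 documentation addresses, not real anonymizer IPs); a real deployment would load an actual threat-intelligence feed and compute baselines from its own log history.

```python
"""Flag the two log signals discussed above: connections from known anonymizers
(TOR exit nodes, anonymizing VPN egress) and volume spikes from rarely used
accounts. All data below is constructed for illustration."""
import ipaddress
from collections import Counter
from datetime import datetime

# Constructed stand-in for a threat-intel feed of anonymizer networks
# (assumption: documentation-only ranges; load a real feed in practice).
ANONYMIZER_NETWORKS = [
    ipaddress.ip_network("192.0.2.0/24"),     # stands in for TOR exit nodes
    ipaddress.ip_network("198.51.100.0/24"),  # stands in for anonymizing VPN egress
]

# Constructed 30-day baseline: typical API calls per day for each role/account.
BASELINE_CALLS_PER_DAY = {
    "web-app-role": 12000,
    "backup-role": 400,
    "legacy-migration-role": 2,   # rarely used account
}

# Constructed, simplified CloudTrail-like lines: timestamp account source_ip action.
SAMPLE_LOGS = [
    "2019-07-01T10:01:05Z web-app-role 10.0.4.15 s3:GetObject",
    "2019-07-01T10:01:06Z web-app-role 10.0.4.15 s3:GetObject",
    "2019-07-01T10:03:41Z legacy-migration-role 192.0.2.44 sts:GetCallerIdentity",
    "2019-07-01T10:03:50Z legacy-migration-role 192.0.2.44 s3:ListBuckets",
] + [
    # A burst of 40 object reads from the rarely used role, via the anonymizer range.
    f"2019-07-01T10:04:{sec:02d}Z legacy-migration-role 192.0.2.44 s3:GetObject"
    for sec in range(40)
] + [
    "2019-07-01T10:05:00Z backup-role 198.51.100.9 s3:GetObject",
    "2019-07-01T11:00:00Z web-app-role 10.0.4.16 s3:PutObject",
]


def parse_log_line(line):
    """Split one constructed log line into a record; rejects malformed input."""
    ts, account, source_ip, action = line.split()
    return {
        "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "account": account,
        "source_ip": ipaddress.ip_address(source_ip),
        "action": action,
    }


def is_anonymizer(ip):
    """True if the source address falls inside any listed anonymizer network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ANONYMIZER_NETWORKS)


def detect(lines, baseline=BASELINE_CALLS_PER_DAY, spike_factor=10):
    """Return alerts as (kind, account, detail) tuples.

    anonymizer_source: first sighting of an (account, anonymizer IP) pair.
    volume_spike:      calls in this batch >= spike_factor x the daily baseline.
    unknown_account:   activity from an account with no baseline at all.
    """
    alerts = []
    seen_pairs = set()
    calls_per_account = Counter()
    for rec in map(parse_log_line, lines):
        calls_per_account[rec["account"]] += 1
        pair = (rec["account"], rec["source_ip"])
        if pair not in seen_pairs and is_anonymizer(rec["source_ip"]):
            seen_pairs.add(pair)
            alerts.append(("anonymizer_source", rec["account"],
                           f"{rec['source_ip']} matched anonymizer list"))
    for account, n in calls_per_account.items():
        expected = baseline.get(account)
        if expected is None:
            alerts.append(("unknown_account", account,
                           f"{n} calls from account with no baseline"))
        elif n >= spike_factor * expected:
            alerts.append(("volume_spike", account,
                           f"{n} calls vs baseline {expected}/day"))
    return alerts


if __name__ == "__main__":
    for kind, account, detail in detect(SAMPLE_LOGS):
        print(f"[{kind}] {account}: {detail}")
```

Run against the constructed sample, the detector raises two anonymizer-source alerts (the rarely used migration role and the backup role both connect from listed ranges) and one volume-spike alert (42 calls from a role whose baseline is 2 per day), while the busy web-app role, which stays within its baseline and on internal addresses, raises nothing. The point of the baseline per account is that a raw volume threshold would never catch a low-activity account; the ratio to its own history does.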

Tips like these and others are mentioned in a recent white paper that I authored along with our Incident Response Leader, David Murphy, which can be found here: http://945996.com/10-things-companies-wish-they-did-before-a-breach

You’ve heard our thoughts. We’d like to hear yours.

The Schneider Downs Our Thoughts On blog exists to create a dialogue on issues that are important to organizations and individuals. While we enjoy sharing our ideas and insights, we are especially interested in what you have to say. If you have a question or a comment about this article – or any article from the Our Thoughts On blog – we hope you’ll share it with us. After all, a dialogue is an exchange of ideas, and we’d like to hear from you. Email us.

The material discussed is provided for informational purposes only and is not to be construed as investment, tax, or legal advice. Please note that individual situations can vary. Therefore, this information should be relied upon when coordinated with individual professional advice.

©2024 Schneider Downs. All rights reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.
