Capital One's move the Cloud is providing to be eventful. They just announced that they shut down a hacker that was living in their systems for 5 months! They lost sensitive customer data on more than 100 million USA and 6 million Canadian customers and CC applicants.
The modus operandi of the accused is describe in this court document.
@denbesten wrote:Krebs has a write up with some more "techie" detail.
The Krebs article linked by William adds good information to the earlier reports that Rachel @AppDefects provided.
There is a very important distinction about Thompson's hacks and intrusions, relative to both criminal enterprise and nation-state breach activities. If what we can see about Thompson so far is accurate and nominally complete, she is an ego-driven techie who wanted to prove her hacker chops to herself and an online community, a techie without any sense of ethical or legal responsibility. She was not breaching the myriad databases for financial gain (the criminal goal) or for intelligence and subversion goals (the nation-state purposes).
Had this been a criminal or intelligence breach, all of the wide open announcements and clues in social media would not have existed. Yes, it is good that the company and law enforcement tracked her down and caught her. However, it is no feather in the cap of any of them for identifying her under these circumstances. Threat analysts should keep this distinction in mind as they support their enterprises and clients.
Interesting take from Lauren Weinstein (who always has an interesting take ...)
@CraginS wrote:...it is no feather in the cap of any of them for identifying her under these circumstances...
Regardless of motive, incident response was required; there was an information disclosure, victims had identifying information fall into unauthorized hands, a vulnerability was closed, and Capital One is experiencing real financial loss. Had the perpetrator not been stopped, who knows what "criminal" might have picked up the data dump and used it in a more sinister fashion.
Yes, the perpetrator's mistakes made the investigator's job easy, but that in no way means that we should downplay our appreciation. I'd be happy to buy them a feather. And, two feathers for the "ordinary hero" who had the sense-of-mind to report the observation through Capital One's responsible disclosure channels.
Yes, Lauren has an interesting take and yes, BeyondCorp is interesting too. I do however think it a bit premature to conclude that "If Capital One had been following BeyondCorp principles...."
My money currently is on Capital having stored S3 credentials in a config file that turned out to be Internet accessible, which they "mitigated" by filtering the relevant URL in their web application firewall.
If so, the issue is not one of "a hard candy shell", which is the problem with perimeter firewalls and what BeyondCorp addresses. Instead, we are looking at a case of credential disclosure, to which even BeyondCorp is vulnerable.
I'm hoping I lose the bet because credentials should not be stored in config files, because config files should not be in "web space", and because firewalls (including WAF) should be default-deny.
The funniest thing I have read about this to date, if anything about a breach this side is funny, is that she outed herself with sloppy Github hygiene, pointing to the leaked data store that she had posted, LEAVING HER OWN CONTACT INFORMATION EXPOSED! That is too amusing, as so many of us fight the accidental disclosure of secrets, etc. in git repos and other places. A very talented hacker, capable of successfully breaching one of the larger financial institutions, was sloppy, and gave it all away.
https://www.secureworldexpo.com/industry-news/8-facts-revealed-capital-one-cloud-hack-breach