318 comments

[ 3.3 ms ] story [ 272 ms ] thread
(comment deleted)
Anyone have a copy of the complaint handy? I'd love to read the Government's allegations in more detail.

(Edited: complaint, not indictment.)

DOJ press release:

https://www.justice.gov/usao-wdwa/pr/seattle-tech-worker-arr...

""" A former Seattle technology company software engineer was arrested today on a criminal complaint charging computer fraud and abuse for an intrusion on the stored data of Capital One Financial Corporation, announced U.S. Attorney Brian T. Moran. PAIGE A. THOMPSON a/k/a erratic, 33, made her initial appearance in U.S. District Court in Seattle today and was ordered detained pending a hearing on August 1, 2019.

According to the criminal complaint, THOMPSON posted on the information sharing site GitHub about her theft of information from the servers storing Capital One data. The intrusion occurred through a misconfigured web application firewall that enabled access to the data. On July 17, 2019, a GitHub user who saw the post alerted Capital One to the possibility it had suffered a data theft. After determining on July 19, 2019, that there had been an intrusion into its data, Capital One contacted the FBI. Cyber investigators were able to identify THOMPSON as the person who was posting about the data theft. This morning agents executed a search warrant at THOMPSON’s residence and seized electronic storage devices containing a copy of the data. """

intrusion occurred through a misconfigured web application firewall

The affidavit states “exfiltrating and stealing information, including credit card applications and other documents”.

She used a particular role to exfill from an S3 bucket. Not sure how she got the creds for the role she used to execute List Buckets, etc...

Affidavit shows the accused was an employee at the unnamed cloud vendor (clearly AWS at this point) from 2015 - 2016.

Either that or an open MongoDB with default credentials. Again.
(comment deleted)
Sounds less like intrusion and more like accidental exposure by Capital One.
(comment deleted)
It sounds like an internal threat to me (she was an employee at Amazon).
Not at the time of the hack. Insider access was not used.
Why, exactly, did she "post[ed] on the information sharing site GitHub about her theft of information from the servers storing Capital One data" ?

That seems... unwise. Anyone have a pointer to the github post? Would be interesting to see if it was a "Haha! Look what I did!" kind of thing, or a "Crap, CapOne has an open S3 bucket" kind of post.

"ORDER APPOINTING FEDERAL PUBLIC DEFENDER appointing Christopher Sanders for Paige A Thompson. On the basis of the defendant's sworn financial statement, the court finds that he/she is financially unable to retain counsel."

Oh, dear.

>the information sharing site GitHub

I mean if that's what some legal news site calls it… :P

So, in other words, you’re asking the government “what’s in your docket?”
User iancarroll was kind enough to post the complaint from PACER.
> Capital One Financial Corp. lost data from as many as tens of millions of credit card applications after a Seattle woman hacked into a cloud-computing company server

> The cloud-computing company, on whose servers Capital One rented space, wasn’t identified in court papers

I can’t tell whether the company virtual server got hacked or whether the cloud provider was who got breached. Hopefully just the vm

Well, the main cloud Capital One uses is Amazon as far as I know.

If you think about the attack vectors here, it was most definitely the virtual server that got attacked. If it was the cloud provider (Amazon), there are a lot of safeguards that these banks use to make sure that any data that touches the shared server persistent storage is encrypted. And when I say safeguards, I mean automation to make sure that this sort of scenario shouldn't ever happen.

This is a huge blow for the public cloud and financial services companies, unfortunately.

Edit: Seemingly a WAF firewall issue. I wonder what happened. These rules should be applied automatically for Capital One using Cloud Custodian [0], so a config issue definitely occurred somewhere.

Final edit: A leaked account with access to IAM permissions. Good lord was occam's razor correct here.

[0] https://github.com/cloud-custodian/cloud-custodian

"there are a lot of safeguards that these banks use to make sure that any data that touches the shared server persistent storage is encrypted. And when I say safeguards, I mean automation to make sure that this sort of scenario shouldn't ever happen." ROTFLMAO....you have clearly never worked for a bank, no offense mate. Capital left this shit in plain text on an S3 bucket, I guarantee you
If you took ten seconds to look at the posted source note above, you would see Cloud Custodian has a policy to enforce bucket encryption.
Bucket encryption doesn't protect against anything except someone getting access to the hard drives underlying S3 and somehow recovering data.

If you've somehow left access to a bucket open the odds are that you also have it configured to let anyone with access to the bucket decrypt the files. AWS calls this server side encryption, where S3 automatically encrypts and decrypts files for you. You can also do client side encryption, of course, but it's much more difficult to manage because you have to deal with keys in your application.

I am well aware how S3 works, I just mean you can use custodian to enforce SSE on the bucket as well as KMS based encryption, so the original commenter is just being a troll was the point I was getting at.
Default bucket encryption would require you to misconfigure two controls instead of one. S3 only automatically decrypts if you are an authorized principal on the KMS key, having S3 permission is not enough.
"You can also do client side encryption, of course, but it's much more difficult to manage because you have to deal with keys in your application."

Well,SSE-KMS is not difficult to manage if you have sensitive customers data like Capital One does. I use it all the time. You can pretty much audit the buckets and see what is going on.

And if Capital One has used SSE-KMS on the buckets,we might not be talking about this data breach today.Incompetence? Complacency?

And if you knew anything of what you were talking about, you would see how easy it is for an engineer to make a mistake and there is 0 auditing or oversight. Also, if YOU actually took 10 seconds, you would see all the data was un-encrypted and in plain text. So where is all this "safety" the dude is speaking of? Cloud Custodian does shit when implemented incorrectly -and that's my point. You think banks are making all this effort, but in reality, the security team is completely understaffed, often not listened to, and in the end - we find this stuff happening all the time.

There, I gave you more than 10 seconds. Trying keeping up.

AWS has Macie to catch this sort of thing, not to mention the usual AWS security automation tools available like Security Monkey. Or the fact that a pen test should have caught this, or employees following the data use policy.
Where did you see it was a leaked account?
Attacker had access to the account. It is in the complaint posted by user iancarroll.
so I wrote the majority of cloud custodian and still maintain it. I no longer work at capitalone (since jan 2019). afaics the suspect (https://www.linkedin.com/in/paige-t-704a29188/) worked at AWS 3 years ago is also irrelevant which its why its not part of the filing.

the best link for understanding what happened is actually the court case filing not the media reports. https://www.justice.gov/usao-wdwa/press-release/file/1188626...

so this isn't a case of s3 bucket being public/wide open, its a case of a waf iam permissions being overly broad if I'm parsing the filing correctly. Its unclear how the waf product was hacked/bypassed and its credentials obtained.

wrt to custodian in this equation, its not really related afaics, custodian has lots of filters to help determine stuff like is my ec2 or anything with iam role (lambda, etc) overly permissive wrt to permissions (check-permissions filter). it also has the ability to filter individual statements and access on any resource (s3, lambda, etc there are many) with an embedded iam policy on a fine grained basis (allow y accounts but not x accounts) to protect against account level access (cross-account filter). And the ability on ec2 via guard duty alerts to auto remediate (suspend, memory snapshot, yank role, volume snapshot). its used by lots of users/enterprises across the governance, security, cost-optimization domains because its flexible and supports many clouds.

Thanks for writing Cloud Custodian. What are you working on these days?
Still working on custodian, k8s integration up next. else atm. trying to ensure that the next 20 years of opensource are open.
> hacked into a cloud-computing company server, federal prosecutors in Seattle said

> the cloud-computing company, on whose servers Capital One rented space, wasn’t identified in court papers.

Does this feel like it was just an S3 bucket with permissions set incorrectly? I've come across sensitive documents in S3 buckets with a well crafted google search.

Given that they're on AWS and "The intrusion occurred through a misconfigured web application firewall that enabled access to the data" thats what im betting too.
Well, if it was a misconfigured WAF (which usually is just a reverse proxy with mod_proxy) to an application then you would not need to gain access to any Tokens, etc. all you would need to do is gain access to the server. Or be able to use that WAF as a proxy to gain access to other http bound resources?

From there any IAM role access the underlying server had, you would now have as well. And that would work with any sort of access (don't need root, etc.)

(comment deleted)
Kind of like the AT&T "hack" wherein just changing the url leaked other customers info.

They were still successfully prosecuted though. And AT&T received no punishment.

When a company says jump the USG asks how high.

No way...I don't remember hearing about this. You mean changing the URL from like /data/customer/1 to /data/customer/2 ? And the person who did this was prosecuted? Jeez.
Misconfigured WAF - see my comment elsewhere here.

Correction: according to the complaint, the defendant is alleged to have assumed an IAM role in the context of Capital One's account whose policy provided access to the S3 bucket in question. So it wasn't that the S3 bucket was public, but rather, that there was some vulnerability she took advantage of by which she obtained indirect credentials to it.

(Complaint, page 6, lines 14-27.)

I wonder what data was in the bucket?
> The largest category of data stolen was supplied by consumers and small businesses when they applied for credit cards from 2005 through early 2019, the bank said. It included personal identification data, including names, addresses, phone numbers and dates of birth, and financial data including self-reported income, credit scores and fragments of transaction history.

> About 140,000 Social Security numbers were accessed, as well as 80,000 bank account numbers from credit-card customers, the bank said.

I haven't yet read (all of) the complaint but I presume it goes into even more detail than the article did.

(comment deleted)
Might have been an SSRF exploit if the WAF was accepting parameter values that were then used to expose IAM credentials via the EC2 metadata service. See https://ejj.io/blog/capital-one for a good write-up.
If the Seattle "Paige T." is the person with a public Linkedin profile, their recent job history includes "Systems Engineer" at AWS. That could be connected with the breach.
Woah man.

You could be costing some unfortunate woman her job here man. Kind of like when that lady cop broke into that black guy's apartment and blew him away. Then all these people on social media started posting pictures of his coworker on social media and almost cost the woman her position at PwC.

We should try to be a little more responsible than that.

Wasn't her name that the parent comment referenced originally posted in the news article? If that's the case, I would blame the news article and not the parent. Especially since they said "could" and not "yep, that's her".
I think you're overreacting. Their name is public, and I didn't link to the public profile, nor did I say the public profile was the person in question. Only that if it is them, then having a work history of AWS adds an interesting dimension.
The court filing directly says "s3", so yeah, it's Amazon.
(comment deleted)
Per the complaint, it doesn't sound like the bucket was exposed to the world. Rather, security credentials were "obtained":

> Capital One determined that the first command, when executed, obtained security credentials for an account named XXXX-WAF-Role, that in turn, enabled access to certain of Capital One's folders at the Cloud Computing Company.

Unsure how one would obtain credentials for an IAM Role, but the above verbatim from the complaint.

* edited to reflect this is lifted from the complaint, not indictment.

I recall a newbie dev at our company some years back accidentally posted creds in code to github. I have talked about this here before - but - we had paid for 200 repos.. problem was he made a new repo, which became 201 - which since we had only paid for 200, github auto makes the next one public. Bots slurp these and hunt...

They used those creds to launch like 1700 gpu machines across the globe for a bitcoin mining network...

The culprit was from germany...

We got it cleared and AWS forgave all the charges.

It doesn’t matter. There is never a reason for credentials to be anywhere near your repository. If you’re running locally, you should have your credentials in your home directory (via aws configure). If you are running your code on AWS either on an EC2 instance, lambda, or Docker you should be using the role associated with the execution environment.

Every SDK that I have used let’s you use a constructor without a parameter and can get your credentials from the config file/role.

i know, this was a few years ago, and these types of practices were still being developed out in the greater community (lambda didnt exist yet, dockeer was still nascient etc)
I’m sympathetic in that a lot of people started learning this on the fly but that was widely recognized as bad practice even before Amazon was founded and various patterns for doing it right were widely established.

(If anyone needs me, I’m busy feeling old after remembering having this conversation with a new PHP developer in 1998)

Haha, agreed...

He was a remote worker and aparently had a poor handler on our end. I was head of ops not in dev, so i just had to deal with the fallout.

> Unsure how one would obtain credentials for an IAM Role, but the above verbatim from the complaint.

You use your own credentials and issue an API call to do it. If you're using the AWS CLI, it's "aws sts assume-role".

We do something similar with our accounts. You can place a restriction on the role that an MFA token must be used while assuming the role, so this allows you to give out longer-term credentials to your devs/admins that can then be used (with an MFA token) to assume a more privileged role.

The role itself needs to be configured with a trust relationship that allows for this, and many roles are restricted to AWS services (i.e. you are authorizing an AWS service to assume the role--not a specific user). I've never used WAF before though, so I'm not sure if it's typical for the WAF role to have that trust relationship or not.

Actually looks like she worked for Amazon on S3. So there might have been some insider knowledge. From the complaint below, and googling her name you can find her resume

I won't link it here, but here's a screenshot of a snippet: https://i.imgur.com/NezWVKw.png

Looks well qualified to run the coding bootcamp in her prison.
Only facing up to 5 years apparently. I wonder if that will change over time. Considering her hack is worse than what Aaron Swartz hacked (not PII) I cant believe she only gets 5 years.
> worse than what Aaron Swartz hacked (not PII)

Violation of copyright would appear to be a significantly worse offense according to present US law.

IANAL, but I believe part of the issue is that breaching a hundred million records is one data breach, but exfiltrating a few thousand journals is one infringement per journal.

In point of fact, the prosecutor on Swartz case (Stephen Heymann) had previous authored an article describing how the Internet age allowed crime to scale, enabling hackers to commit thousands of criminal acts per second. It's my personal belief that Heymann wanted to use Swartz' case as a validation of this belief.

(Source: The Idealist: Aaron Swartz and the Rise of Free Culture on the Internet, ISBN 978-1476767727)

Looks like she only worked there until 2016? Or is that just a resume from 3 years ago?
> Looks like she only worked there until 2016? Or is that just a resume from 3 years ago?

The last commit in the Git repository where her resume is located shows this:

    commit 44e40140ab1ccdd47d8b56a8a78fc532d5b3386d
    (HEAD -> master, origin/master, origin/HEAD)
    Author: Paige Thompson <paige********@gmail.com>
    Date:   Thu Jan 10 14:38:02 2019 -0800
    
        update linkedin address
    
    diff --git a/cv.pdf b/cv.pdf
    index bf26140..add1ea9 100644
    Binary files a/cv.pdf and b/cv.pdf differ
If we assume this is the only repository she has, then the resume seems to be up to date.
Oh cool I use the same LaTeX template as her for my resume. Mine is blue instead of pink though! https://github.com/posquit0/Awesome-CV
Don’t forget to mention that on your next interview!
I feel modern CV is a little clumsy. Especially how it handles columns. You like this better? The example provided I don't love, but I'm not a designer, it looks good enough I think.
I use it too. I think it looks good enough, definitely better than my last horrible-looking resume. It seems to work well with a bit more text compared to many.
Unlikely. S3 was publicly rebuilt in the wake of the 2017 S3pocalypse.
What does this refer to?
Some S3 eng accidentally dropped a big chunk of the servers that were the s3 equivalent of an hdfs nameserver, ie mapping blob name to location info, as part of an unrelated config change.

While attempting to recover, the s3 team discovered and/or decided the nameserver needed a full restart. That's when they discovered the info in the nameserver had grown so large since the last full restart years previous that it took far longer than expected to restart the nameserver. Right around that point in time my guess is they realized just how shit their morning was going to be. And their afternoon.

Somewhere in there, they realized that their health dashboard depended on s3 working.

Though to be fair, as an aws customer, we -- along with the rest of internet -- were well aware that stuff was badly broken.

I feel terribly for whoever did this, because IIRC, he or she just fat fingered part of a command in a standard playbook, and the config script had no safeguards. I personally took down a company you've heard of in the exact same way; I knocked all pops off the internet because the config script had a hard requirement around certain values that was neither communicated to me nor checked. And I was trying to figure out wtf I did to a system that I was not particularly familiar with while receiving forwarded texts from the CEO about cascading datacenter down alerts.

If you don't mind me asking, what was the punishment for what you did?
Just taking the company dark and being personally embarrassed. There was no punishment, though there was a lot of teasing. Also spending 4-ish weeks cleaning up the mess that was made.
Are Git and SVN really considered IDEs?
Not to anyone even remotely in the industry.

I think the minimum to be considered an IDE, you need to be able to edit, possibly compile depending on the language, and run/debug from within the same tool. By last loose definition, I've joked my most used "IDE" would be bash. I can edit with vim, compile/link with make/gcc/ld, and debug using gdb or run my bins directly.

I mean it's an integrated development environment in that I can access all of my tools from one centralized location, the bash shell, but certainly not integrated in the sense that I have a GUI that hides the nuances of commands of various tools behind menus and friendlier non-command-line names and making it appear that the half dozen or so tools are a single entity.

I also use Visual Studio for Windows development and I've been switching between VS Code and PyCharm for Python development.

But are git and svn an IDE? No. They are both merely source control management systems.

Are they even considered programs?
yes, they are programs. They, like most of the truly important software, don't have a UI, but they run none the less.
My point was going to be that these are concepts and protocols rather than programs, and that you would use an actual program (eg TortoiseGit) to actually use it.

But then I read your comment and realised in *nix the program is actually called "git". So I concede :-)

Pretty much doubt there'd be much insider knowledge, guessing in 2015 a L4(entry) System engineer is going to be pretty much spending 80% of their time building new regions by hand...

Not much really there to learn

If you put data in the cloud, make sure you encrypt with keys only you have even when they promise all sorts of assurances of oversight and process in addition to “we use AES”.
This right here. Take away any outsiders ability to access things. I also feel AWS and the rest should be able to notify you when files untouched en masse for years are being accessed and it should set off alarms like crazy. If not acted upon then its the issue of whoever got those emails.
You can. It’s cloudwatch. Also at least put these things in glacier so you have some time between the download request and when they get the file to hopefully stop it.
If you put data in the cloud...

assume it is no longer private.

As opposed to on your computer connected to the internet?
I know that reading the actual linked content on HN is verboten, but the Bloomberg story says

"Thompson was previously an Amazon Web Services employee. She last worked at Amazon in 2016, spokesman Grant Milne said. The breach described by Capitol One didn’t require insider knowledge, he said."

The parts about Amazon was added later after the article was originally published. Maybe they read HN and found her Gitlab account like was posted below before this was published. Most of those news sites back referral link lists.
“Didn’t require” is a very precise way of stating a truth about the vulnerability that was exploited, while neither confirming nor denying whether her role at Amazon was in some way responsible for her discovering the vulnerability.

(If I could query all AWS permissions for publicly exploitable permissions, that would comply, for example.)

The AWS spokesman quoted in the article also explicitly says it wasn't a vulnerability.
Do you consider an access control misconfiguration to be a vulnerability? Does Amazon?

Point stands; they’re being very careful to say that there aren’t any CVEs, but they are also very carefully not saying whether she abused the privileges of her role to identify misconfigurations more rapidly than she could have otherwise.

Detailed knowledge of a system gives you all kinds of knowledge about how to exploit it. You don't need special access if you know X% of users misconfigure feature Y.
It's not about knowing that X% are misconfigured, it's about whether special access or circumstances led to locating them more efficiently than the general public could have.

Special access can make the difference between "locating X% of misconfigured users in a single admin panel query" and "locating X% of misconfigured users by scanning every S3 bucket in existence without being caught".

Or to draw a weak analogy, knowing that a closed-source PRNG algorithm is defective does not necessarily help locate all keys generated by it, but having access to force it to generate numbers for you (or to study its source code) absolutely does help.

(comment deleted)
Not sure if this is a reputable source: https://heavy.com/news/2019/07/paige-adele-thompson/

But sounds like she's an engineer that used to work in aws, specifically S3. If true, seems likely as she would have insider knowledge of existing attack vectors and possibly vulns. Maybe even using something we discovered while on the job.

If this is true, this is a great reason for people to stop using S3 or to start doing daily bucket audits. Or you know, not store PII in the cloud poorly.
Really, sensitive data should not be stored unencrypted. It just shouldn't.
Or on S3, because unencrypted is just an API call away.
The suspect had previously worked for AWS as well.
(comment deleted)
I downloaded the indictment (edit: complaint, not indictment) from PACER: https://www.dropbox.com/s/z7u5rxcdajuvw6t/19718675504.pdf?dl...
It's a wild ride. Who hacks in via Tor and then posts the data to a GitLab account under their own name?
Could be a frame job, remorse, freakout, or some kind of dissociative or other personality disorder.
Or simply the age old quest to become (in)famous.
A news-source I won't mention, because it's trash, did a full stalk of her on social media, and she seemed to be in an _erratic_ state of mind, but maybe that's just her personality.
A lot of crime would go unsolved if people just kept their mouths shut. There's a human tendency to need to talk about things you've done, I guess, especially stuff that will get you "street cred".
A lot of crime does indeed go unsolved because of people keeping their mouths shut.
Good lord.

-Paige left code used in the "attack" on her GitHub.

-Paige left text files with unencrypted data there, too.

-Paige openly posted about it in an open (!!!) Slack channel and publicly named her VPN service of choice, which of course, matched access logs AND GitHub server logs. (Also tor, which the FBI agent was able to confirm and add yet another data point)

-Paige said "I have a leak proof IPredator router setup." nice.

Nice opsec there. Sheesh.

EDIT: Thanks for the PACER share, by the way.

It says she posted on "social media" (Twitter) about it, claiming to have Capital One information, "and that she recognizes that she acted illegally".

Nothing about Opsec here. She basically asked them to arrest her. Probably had some of the usual motivations: "look at me I'm clever", "look at this stupid big company with bad security", or maybe used the opportunity for some political thing with banks. Not the sophisticated hacker type. But who knows.

Edit: originally I asked about her Github profile listed in the complaint as paigea(5x * characters)thompson but was iffy on whether that was okay on HN.

Almost certainly deactivated/seized and part of evidence. With some googling you can find her Keybase and other pages aplenty if you like. Almost all her content is scrubbed from the Internet, however.

(this person's original comment was asking for her github profile)

(comment deleted)
That also links to her gitlab profile which contains her resume/CV in PDF format (among other OSS work).

She did indeed work at Amazon on AWS in 2016 , specifically on s3:

https://i.imgur.com/DRBKYsc.png

That PDF also contains her home address and other personal information so I'd rather not link directly.

Generally having a screenshot of someone telling you "don't go to jail plz" in a criminal complaint against you is not ideal.
(comment deleted)
I hope the reality is that criminals are really dumb and not that we only catch the really dumb ones.
Heh, not even close. I know several individuals who should be in prison for their cyber crimes. But the fact is, not only have they never been caught, the victims probably don’t even know that anything happened.

There is such a lack of talent out there right now in the cybersecurity industry that it’s very easy for criminals to slip around undetected. You’d have to be a total idiot to get caught, or catch the attention of someone really motivated to catch someone.

Why do you use first name here instead of last?

No one calls Snowden just Edward, this comes across as a form of degrading women to girls.

Mostly people call me by my first name and I do the same to most people (likely more to men than women, if I had to guess). People call Edward Snowden by his last name because it's unique and catchy.

Theo de Raadt is often just called "Theo" here for similar reasons. Rarely if ever have I seen him called "de Raadt" on this forum.

Your comment is unfortunately typical of drive-by Internet outrage these days.

Love that the FBI agent can't even spell the company's name correctly.
Intersting. She ran three commands - the first downloaded IAM credentials and the second then listed buckets using those credentials.

I'm curious about what the first command could have been

Also this all unfurled after a report to their security line from someone monitoring gists - that public feed as well as text dump sites have always been a good source of new vulnerabilities

(comment deleted)
If I came across an s3 bucket with my credit application details and I could delete it, I would probably do it and then report to their security team. It’s MY data security they’re being casual with.

It occurs to me now that if I did that it would likely be a crime because of the harm to the company. The irony.

Who cares if it has your data in it or not. Just report it to authorities and the guy who runs haveibeenpwned.

Plus what are you going to do with credit card applications anyway? Sell them to a marketing company with some phony story? Or the 'sell them on the darknet to fraudsters in Russia' angle? Unless you're already involved in some dirty business already this isn't very valuable.

I would imagine complete credit card applications contain the type of information identity thieves would be willing to pay good money for.
By now everyone's identity data is already widely disseminated, no?
The old joke.. "DDon't worry, the NSA made a backup for you"

But now its more like "Don't worry The 5Eyes have made back for everyone"

I operate under the assumption my name, address, email, social media profiles, social security number, place of birth, and mother's maiden name are all easily available in the wild. I've bought one of those online background checks before, at the very least I can be confident the info on that report is available to anyone.
I think the point is: unless the hacker is already aware of how to sell PII of this nature and how to move "good money" then a hack like this is for naught.

Reading the mistakes made in the hack itself makes me wonder if black markets and money laundering are a skill they posses.

I think you could just sign up on one of the onion drug/fraud markets for ~$500 vendor deposit and put up a listing for those profiles at like $5-10 a pop.

If you were lazy you could just hit up an existing vendor and ask them to sell your data in batches.

I’m not saying this would be a good idea, but it certainly wouldn’t be very difficult.

Then Capital One will find out immediately because banks hire firms to watch darknet markets. JP Morgan discovered a breach when they found data being sold on one of those forums and that was years ago.

This will just intensely increase the scrutiny of where the data came from and they'd likely be caught anyway, unless they did a very clean job security-wise. Which very few people seem to be able to do when the feds really want you.

Moving to Russia or another country without extradition treaties would probably be a good first step of that plan.

Whats funny to me about this statement is it would propose an interesting legal question in the EU due to GDPR. You certainly do have your right to delete it there.... Despite it being unconventional.
> and I could delete it, I would probably do it

In the UK this would definitely open you up to the Computer Misuse act, and I imagine the police would have something to say to you about evidence tampering too.

Having wide open access to customer details with full ability to read/write on the open internet..? That seems like it should be stretching the Computer Misuse too far, but yes, your're right.
Dear "Seattle Woman": while you're in there, please dump Capital One's junk mail database, and set their address label printer on fire.

Sincerely, another Seattle resident with a mailbox.

They really do send out a whole lotta junk mail, even here in Canada. I don't see other banks doing that.
Having a bigger marketing budget than everyone else is Capital One’s approach to banking.
Their mobile apps are top notch though. I used a card in the past and it came with free credit scoring and the mobile apps were better designed (UI and performance) than most. At least here in my country.

It even had automatic categorization of spending in a Mint.com style.

I took down the mailbox at my house and now use my business address for all my mail, because bulk junk mail doesn't get delivered to business addresses. Targeted credit offers do still get delivered, unfortunately. But the amount of junk mail in general is about 10% of what it was.

Works well, though I do often get accused of being a Unibomber type when I tell people they can't send mail to my house address because I removed my mailbox. The bank that holds my mortgage also came calling because the USPS declared my lot "vacant" to HUD after I did it, and that confused everybody.

> I took down the mailbox at my house

Serious question... is this legal?

Why would it be illegal to not have a mailbox?

It's your property. Do whatever you please.

Mailboxes live in this weird property-right limbo (that I don’t know really anything about) where the homeowner buys it but it is “property of” the US Postal Service. I found this[1] Supreme Court case that sort of touches on how the property rights work.

[1] https://supreme.justia.com/cases/federal/us/453/114/

I don't think that's what they're saying though. They're talking about what the mailbox while it's in use. I didn't find anything mentioning boxes being property of the USPS, they use the term "authorized repository." When it's in use, it's still property of the private entity, but it's usage is subject to the rules of USPS. (I'm not a lawyer)

My understanding it they can remove the USPS box (looking at what postal workers said on Quora), but they wouldn't be part of the mail system anymore. I guess they could have mail forwarded to a new box, or else it'd be undeliverable.

https://www.nytimes.com/1981/06/26/us/justices-upholds-law-p...

> Writing for the majority, Associate Justice William H. Rehnquist said that no one was required to receive mail or to have a mailbox but that once a postal customer provides a box for receiving mail he implicitly agrees to abide by postal regulations on its use.

Audio/transcript: https://www.oyez.org/cases/1980/80-608

CO finally stopped sending me junk mail after I'd send back their offers with "stop sending me these" written in red crayon across the application form. I did it for months.
Generally it's not a good idea to sabotage your employer's clients, but I wonder how many engineers across the Big 3 US cloud providers have the know-how to exploit holes in how Forture 500 companies use their platforms.
This is a legitimate risk.

At a minimum, AWS Support has near complete read access to AWS accounts in connection with support cases.

It would be interesting to hear from an AWS employee how access to customer information is controlled.

Metadata, yes. But not content. So they can see you have 200 c5.9xlarges running in 3 AZs in 3 subnets in one VPC, for example.

But they can't see what you have on the volumes attached to those instances, what processes are running, etc.

I've had AWS support tell me exactly what processes are running on my instance. They do seem to have some visibility beyond metadata.
I'm an Amazon employee here - but my words don't represent the company.

Internally we also talk to AWS support. They absolutely don't have much visibility into our accounts at all - much to my frustrations. They only see metadata - even for internal accounts.

The only teams that have some access to such information is security team, or when you Grant access explicitly to the other person via standard AWS auth mechanism (IAM)

(comment deleted)
Seems vanishingly unlikely, unless you're using a service (SSM Inventory or similar) that would reflect what you have running/installed.

I'm at AWS and we have basically zero insight into these things.

If you include professional services in that list then the number is quite high. Also, keep in mind that many AWS services are composed of other AWS services, and in that composition there are services and infrastructure operating within AWS to manage it. All of that will operate on some type of maturity curve and sometimes be backed by an alarmingly small team.

So my recommendation is only use AWS services that have been included in compliance certifications that are important to you: https://aws.amazon.com/compliance/services-in-scope/

That of course doesn't mean you won't get hacked, but there's at least some evidence that the service is operated in accordance within AWS control standards, which are generally quite good and should minimize your exposure to rogue admins run amok.

I guess this is how we all finally get paid for our data. Just continually file for our $125 check as every company that exists is hacked over the next decade.
FYI, getting a $125 check from Equifax is contingent on most of the people that are eligible to get one not actually requesting it. It'll probably be less
Yeah, there's only $31M allocated for those payouts :/
Incredible, ~147 million people's data was exposed and they've only allocated 248,000 people's worth of checks. That's 0.17% of the victims..
Because most people won't qualify to get the payout. It's just restitution for people who responded to the news of the breach by paying for credit-monitoring services. If you didn't do that, you don't get paid. You just get free credit-monitoring service.
Our society should give up expecting these things to stay private, secure, secret etc and figure out how to do financial things another way.
dont you mean $2 check? Equifax settlement is capped at ~30mil
After reading the affidavit it was a former AWS employee. The accused worked there from 2015-2016 and it’s not immediately clear that it was a misconfigured S3 bucket. There’s a particular IAM role she used to execute API commands (ListBuckets, etc..). The buckets contained credit card applications and other data including DOB and SSN. She gloated about it on Slack and said she was using a VPN and Tor.

The affidavit is a good read. Linked elsewhere in this thread.

"According to Capital One, its logs show a number of connections or attempted connections to Capital One’s server from TOR exit nodes"

Now there's a fail.

How's that a fail?
You probably want your corp firewall to block/deflect connections from TOR exit node IPs.
They should not be letting egress traffic through to a Tor node.
What sort of rule or policy would you put into play to detect that a connection was a TOR node?
Tor node IPs are published, so you can just block that list. There's probably a way to detect them too, but I don't think an exit node can be secret.
(comment deleted)
Commenting on you because I can't comment below:

Tor node IPs are published, so you can just block that list.

You can reply to deep-nested posts by clicking into their permalink.
Do you mean ingress? You probably wouldn’t want to allow ingress or egress, but the statement says connecting from a TOR exit node to CapitalOne, not the other way around.
Sometimes the best way to handle "bad" traffic is not to reject/block it, but to respond to it incredibly slowly, or divert to an uninteresting flaky phantom server, or reject every login attempt (even with correct credentials) to divert attacker's attention.

The ingress was okay, but the egress flow was very very bad!

That seems like a great way to waste your own time accomplishing nothing.
I think it was a part of mailinator’s approach to running a disposable email server.

The operator’s approach to bad actors was to respond as slowly as possible instead of quickly rejecting.

Is there enough space in an S3 bucket access policy to include DENY rules for every known Tor IP address?
By the sounds of it, the s3 bucket was internally accessible only. But attacker connected through the corp's Web Application Firewall after grabbing the credentials to login to the S3 bucket.
"Internally accessible only" just means you have to have credentials to access it.

You can also add IP address restrictions to a bucket access policy; this was obviously not done here because once she had the credentials, it didn't matter where she was accessing from.

Looks to me that it should rather be using an IP white list. It's not like their systems would need access to these documents from an dynamic IP dial up connection.
Ah, I thought this was meant from the attacker's perspective.
How is this person's information wiped off the Internet? I literally cannot find anything related to her. Is it just me?
It might just be you. I was able to find some info about her with Google pretty easily.
Just keep refreshing this page, people seem to have no problem linking her information all over this thread.

I get that much of this info is already public, but this feels like borderline doxxing.

"I sincerely apologize for the understandable worry this incident must be causing those affected." - CEO

He worded it carefully. He's not apologizing for the actual and potential harm of the breach so as to not take responsibility for it. Not a real, sincere, apology, but just a legally defensive move.

I sincerely hope that this is not our government harassing someone because of their gender transition, or because they look weird, etc. The indictment appears to lay out what might appear at first sight to be an iron-clad case against Ms. Thompson, but we haven't heard from her defense yet, and prosecutors love to go after people who don't fit in. I feel that Judges should always consider leniency in these cases, remembering that the DSM-5 has listed gender dysphoria as a serious mental illness since 2013.
Uh, I don't see anything in the article that indicates she is transgender.
See the Twitter account mentioned above. Keep scrolling back to around July 20th.
sdinsn is commenting on the (startling) omission of the journalist who wrote the particular article here and not on my post. The information is already reported widely elsewhere.

In fact, I'm very surprised that my post highlighting the bullying actions of prosecutors against transgender people was flagged. This is a very real issue, as anyone with any experience of the criminal justice system is aware.

(comment deleted)
Why am I finding out about this from the news and not an email from Capital One themselves? I wish there was legal liability to inform customers in the event of a data breach.
They are legally obligated, especially in California, to disclose part or all of this breach to customers. But that obligation is not immediate. Give it some time.
Do they need to notify those of us not located in California?
Nope. You're irrelevant unless they legally have to talk to you /s.
YMMV, but all 50 U.S. states require some sort of notice for security breaches.
According to the Daily Mail article linked above, they've known since mid-July. They could have issued a statement today if they wanted to. I can understand why they didn't do it earlier, to minimize the number of press cycles with their name attached to this incident.

But if this were my credit card company, I would be pretty irked to be finding out about it weeks after the company knew, from the news.

The FBI is probably to blame there, announcing before charges files would be interfering with their investigation
If this is the case, they should have had an announcement ready to go for yesterday. The absence of a response makes it seem like either they’re not taking the incident seriously enough, or they still don’t know the full scope and want to delay their announcement until then.

Either way, not good.

Let me play this sad violin music for them
Apparently she used "erratic" as a pseudonym.

After reading through some of the complaint, it seems quite fitting.

Quite possibly self-aware of their own ups and downs.

But that can get you in trouble when you're playing with fire.

Well, on the bright side it's a woman in IT. If only she were being recognized for something good, not bad.
I think it’s a transgender.
I was there when C1 negotiated that deal with Amazon and they swore it couldn't happen but of course, we all know that's false.
Miss the LevelMoney folks...

Yeah AWS can’t protect you against a misconfigured environment

The problem with AWS (and other cloud providers) is that it's nearly impossible to properly configure an environment because of how many different methods there are to gain access to resources.

Capital One has been all in on AWS and has dedicated an immense amount of time and money to developing systems for managing their AWS resources (Cloud Custodian for instance) and yet they still couldn't protect their data. What chance is there that anyone else could?

The whole point of moving to a cloud provider it allow the quick setup and deployment of new projects/products as well as trying to limit your costs. With that sort of open-ended system, unless everyone is always thinking security first and okay with the inevitable slow downs associated with a highly locked down system then you will more than likely always run the risk of this sort of situation.
> The whole point of moving to a cloud provider it allow the quick setup and deployment of new projects/products

There is nothing approaching quick setup and deployment at large banks.

Not Citibank, but previously worked for a financial firm that sold a copy of it's back office fund administration stack. Large, on site deployment. It would take a month or two to make a simple DNS change so they could locate the services running on their internal network. The client was a US depository trust with trillions on deposit. No, I wont name any names. But getting our software installed and deployed was as much fun as extracting a tooth with a dull wood chisel and a mallet.

This is my experience with one very large bank, but from speaking with others that have worked for/with other large banks, their experience has largely echoed mine. They tend to be very risk averse with external IT products, such as deferring critical security updates because they can't be sure what it could break and also likely don't have end to end tests for critical systems that could cost a lot of money if the upgrade fails.

I know this first hand, because you dont always know or understand whats going on in 3rd party systems. I once screwed up a 3rd party system hosted on site. I was testing an upgrade on a dev server. Part of it invovled schema changes, and I had dbo rights on both production and development servers. The hidden part that I didn't realize is that the 3rd party tool stored DB settings in your Windows roaming profile. So, because we only had 1 Windows AD domain and no otherwise network separation, even though I was on a dev box, I was talking to the prod DB. Didnt even realize it (wasn't directly evident unless you dug deep into settinga) until I started getting calls from my users, complaining of errors. This was on the 3rd of July in the US. By the time I figured out the issue, it was about 3-4am on the 4th of July.

Had to make the call of rolling forward or back. But, the supplied installer was missing some packages, so couldn't complete the install. If we rolled back, an entire days worth of tedious work by a 10 person team would have been lost. Worse yet, the tool was used by traders in Europe who were about to start their day. Being early in the morning on a US holiday, I couldnt reach their support. Couldnt even get of their EU support. I was on the phobe with my boss, his boss and the head of back office at the wee hours of the morning on a holiday.

Decision was made to hold off on doing anything until we could talk to the vendor on the 5th. Ended up rolling forward and completing the install, but I was nearly shutting myself. We were handling somewhere around 25B USD notional in bank debt for several days (which caused huge issues in PNL - proffit and loss - reporting for several business days) that we coyld take no action on.

Thought for sure I was going to be fired. But, in the post mortem, I explained everything, and it was agreed that while I shared some blame, the totality of it wasn't my fault and that because I had diagnosised it and fixed it in the most timely manner I could, I was ok. IIRC, I think the only real remediation we took to prevent a similar mishap was to disable roaming profiles on the dev server and delete all existing profiles on the dev servers...

Yep, sounds like a bank to me. I worked at one of the big 4 for 6 years (way too long, I know) and the experience was horrible. It once took us a full year (no exaggeration) to get a single server allocated...and my group was actually one of the well funded teams
Funding wasn't a problem for the client in my story. They were happy to spend money. I think the initial contract was for X million USD that would have covered something like 5000 support hours on our end (was based on time spent, not per incident) and then after, it was like 300 USD per hour.

Separate project, I know I was billed out at 500 USD per hour 10 years ago. That was working with an exchange. Initially a joint venture, my company decided to divest itself. We sold all the source for the system that we developed and theyd be running to the exchange. We clearly documented our "build" process and requirements. The core part of the system (and as far as I know the only part that ever went live) was a Python app that used very specific modules, but we also had some patches that were submitted upstream, but not yet in public distributions. So, we were very explicit that you need exactly these versions of Python, these explicit versons of the libs and you need to apply our patches to the libs. We had also only developed and tested on a specific version of linux, and made the indication they should use the same, or we couldnt guarantee the software.

Well, we handed all of the source and documentation to the exchange. They, in turn, hired an outside consulting group. For the life of them, they could not get it to work. First question asked was: did you follow the instructions? Response was "of course, do you think we're idiots?"

The assertion that they followed the instructions exactly sent me down around a 3 week debugging session, attempting to reproduce the issues they were having in our office. Starting from scratch and the exact instructions I had written up for them (I was the only author of the Python app that was failing), I could not reproduce the issue.

After 3 weeks of back and forth, escalations on all sides and some thinly veiled accusations of sabotage, I went on site, sat down with the consultant, told him to start from scratch and show me what he'd been doing.

First thing I notice is that he installs the latest version of Python, and latest version of all the extra libs we needed. He'd completely ignored all of our instructions despite telling us the exact opposite!

It took all of 15 minutes to identify and correct the issue. Ended up billing close to 40K USD in support because the contractor didnt follow instructions and, well, lied (intentional or not) about having done so. Never heard a peep about it from management about the hours or questioning the resolution, and as far as I know the exchange paid the bill without question, even in the height of the aftermath of the 2008 crash.

Having everything locked down by default on AWS/Azure/GCP would go a long way to improving the security of the internet. Centralisation isn't healthy, but at least these companies could make a credible impact on data security by pushing the mentality.
All AWS APIs are deny-by-default. Only if a pertinent policy (IAM or resource policy) grants access is it allowed.

IME, the usual mistake many implementors make is that they inadvertently grant too many privileges and often to the wrong audience.

Are there AWS experts who can do some sort of quick audit or "sanity check" of an environment's configurations? AWS almost makes it too easy for someone who only sort of knows what they're doing (like me) to get things up and running.
I don't know that there's a "quick audit", there are too by vectors for any single professional to check. You'd be best served by using an auditing or monitoring solution. Even then, you're really just auditing _known_ vectors as it's likely impossible to cover all possible ones.

I used to work on an auditing and monitoring platform, there really are too many vectors.

AWS locks everything down by default. As far as I know, there is no direct way through the GUI to make a bucket public, you have to know how to add the JSON policy and even then you get a very noticeable warning.
Check out the Trusted Advisor dashboard, GuardDuty is also a good thing to have running in your account
There are many different automated systems for checking for misconfigurations in your AWS organization. Capital One even developed a very popular one (Cloud Custodian). Like most automated configuration checkers or monitoring systems they rely on being configured by experts because at their default settings they are mainly a source of annoying alerts that end up auto-filed to email folders you never look in because this is agile and we can rationalize the alert rules in the next iteration (we won't). They can also auto apply actions. Have fun debugging your Cloud Formation stack that failed because the automated checker system terminated the instance without notifying anyone because it was missing a required tag.

As useless as these checkers are, the main problem is that there are so many different ways to gain access to resources that it's almost impossible to have a system that's useful to the business while also provably secure either manually or automatically.

Don't forget even AWS themselves created a "managed" policy for some minor service which accidentally gave users root access in the account: https://medium.com/ymedialabs-innovation/an-aws-managed-poli...

(comment deleted)
(comment deleted)
Basically, no. AWS is flexible enough to let you set it up in any complicated way you want, meaning it gives you plenty of rope to hang yourself with. It's arguably much easier to audit a random Linux box for security than an AWS account.
AWS roles and access are incredibly complex to configure and audit though. Needlessly so.
I don't trust in the U.S. justice system to handle every crime and person as it should but for us, context is important: This person's Twitter is 0xA3A97B6C, y'all can go there and get a better picture of the situation.
So much evidence of mental illness there (see also Facebook). I hope this person gets help, but given their claim to also be in the country illegally (Tuvalu), who knows.

I was ready to think this person was being set up by someone who didn't like her, given how exposed she was to being identified, but the Twitter and FB posts strongly suggest a vulnerable person making poor decisions instead.

Given that Ms. Thompson is transgender [0], it's likely a lot was stacked against her emotionally. 40% of trans-identifying individuals to attempt suicide [1]. This is a disappointing omission from the reporting and the road that lies ahead for Ms. Thomson in the hands of the federal prison system is surely horrifying.

[0] https://twitter.com/0xA3A97B6C/status/1152518528907354112 [1] https://transequality.org/sites/default/files/docs/usts/USTS...

I wonder if it could be an effective legal defense for her, akin to plot of Soderbergh Side Effects (2013). "not guilty by reason of insanity" due to hormonal treatment, there are precedents

https://www.charlotteobserver.com/news/local/crime/article64...

https://ps.psychiatryonline.org/doi/full/10.1176/appi.ps.53....

https://www.mercurynews.com/2012/08/21/man-acquitted-after-a...

Maybe drs shouldn't prescribe meds in such doses if they have such harmful effects?
It's really tough, because not treating gender dysphoria properly can be much more dangerous. It's a severe disorder thats made much, much worse by discrimination.

It really seems like a lot of cases of gender dysphoria is more society driven. Younger trans or non-binary kids I know seem to be quite a bit happier than trans folks I know in their 30's. Gender is not inherently tied to sex, and variation in gender expression is normal and not unhealthy at all (societies all around the world recognize it). I think improving attitudes might really be having an effect of reducing the amount of gender dysphoria.

I recommend researching and listening to the growing group of young people (mostly women) who are talking about their experience with desistance.
As a transgender person, I can tell you that estradiol absolutely cannot induce insanity. At the absolute most, it can screw with your emotions in the same exact ways as PMS (and PMS is indeed caused by hormonal fluctuations).

The idea that it's on the same level as ambien is absurd.

NGRI is just a legal term covering committing a crime while not in full possession of ones faculties, not limited to the put me in the cuckoo house stuff people tend to associate with the word.
Interestingly the Daily Mail had this detail, and I wondered why they felt the need to include it; at first glance it didn't seem at all relevant. My belief is that the small number of trans people I know would rather be judged by their actions in an absolute sense, rather than "well this is kinda excusable because he/she is trans", but maybe I need to re-examine that.
The Tuvalu thing was obviously a joke.

But yes, those tweets do show that this person is clearly experiencing a mental health crisis.

>Erratic finally got arrested?

>Jesus christ, how many times did she come back into Discord rooms she was banned from under new names, just to brag about how she "snuck in," like within two weeks, and of course getting banned again. Being a desperate attention whore is bad opsec.

>I guess she's finally getting all that attention she's been begging for.

>She pulled the same shit with our tiny IRC network nobody on earth could possibly give a shit about. I don't know how a person can be this insane. Relentless stalking of individual users, histrionic rants, literally attempting to dox randos and flooding the server with spambots, you fucking name it.

Sounds like personality disorder.

>Importantly, no credit card account numbers or log-in credentials were compromised and over 99 percent of Social Security numbers were not compromised.

Cool, just other stuff, such as name, address, income, credit score, transaction history, payment history, ya know, nothing too important or personal..

Arguably the least important data element is the account number...

I wonder why data security professionals don't practice compartmentalization. 100 million accounts should not be accessible from one account. It should be like watertight compartments in a ship. Breaching one doesn't sink the ship.
I worked at a tech company, three times my personal data was put at risk because someone at HR left their laptop in their car during a night on the town.

I asked if my personal data was stored in files downloaded to the laptop, they said yes.

When I asked why my data needed to be downloaded to the laptop and not limited to just online access they stopped responding.

This of course was the same company who mailed me my co-workers salary in spreadsheet form, twice because my name was similar to another manager.

Why that was necessary was beyond me too.

Data security professionals don’t make these decisions, random developers do. And they do what is easiest.
At most large companies, IT sets the policy and developers are required to work within that policy. I've worked at about 10 jobs. The only one where devs could write their own ticket was a startup
IT doesn’t have any involvement when it comes to S3 buckets at any company I’ve seen. Anything in a cloud tenancy is devops acting with autonomy. Sometimes they have a security person review it, but many companies don’t do that, and the ones that do have way more moving parts than their security engineers are capable of reviewing, so stuff gets through.

Even then, it’s unlikely that a security person would recommend compartmentalizing this particular data set. Any application that needs access to some of it probably needs access to all of it, and it makes little difference if you compromise a server and get one key or if you get 30 keys. The trust boundaries haven’t moved, so it would increase cost without really mitigating any threats.

I don’t think they even had a legitimate reason to keep this data around. Surely they aren’t all active accounts and s3 isn’t a place the data likely needs to be long term.
They have to keep the data at least 7 years because of some regulation(s)

Doesn’t excuse what happened, obviously