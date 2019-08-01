Amazon: No evidence companies named in leaked Capital One files were breached
Amazon says there is no evidence that the other companies named in the leaked Capital One files have been breached. The company has contacted the companies cited, which include Ford and the Italian banking giant UniCredit, to reassure them that it has found no proof that they, too, have suffered a data breach.
News of the Capital One data breach emerged on Monday this week when the alleged hacker, a former Amazon Web Services (AWS) employee called Paige Thompson, appeared in court charged with the attack.
Haha. I doubt the breach is related to them being a former employee btw, as that was years ago, although prudent to check.— Kevin Beaumont (@GossiTheDog) July 31, 2019
The bigger problem is there's a few basic config errors you can make with AWS. I guess it's possible she knew about them from time at Amazon tho. Dunno.
She had first gained access to Capital One's S3 buckets in March this year by exploiting a misconfigured web application firewall, downloaded files, and in April posted them to an account on GitHub.
Capital One only became aware of the breach on 17 July when it was informed via email. Thompson, however, had left a trail of evidence pointing in her direction, leading to her arrest.
The insider knowledge seems limited to just knowing that people often leave buckets vulnerable and having a solid knowledge of the APIs to find them.— Cut and Pastryarch (@amias) July 31, 2019
Doesn't seem like any creds were abused.
Ultimately Capital One should not store that type of data in buckets unencrypted.
In a Slack message, Thompson indicated that Capital One wasn't the only company on AWS hosting insecure databases, according to Bloomberg, which was passed a copy of the conversation.
The Slack posting indicating that other organisations might have been targeted by the alleged Capital One hacker
However, a spokesperson for AWS told Bloomberg that the company had "reached out to the customers mentioned in online forums by the perpetrator to help them assess their own logs for any evidence of an issue".
I'm willing to bet almost every org hasn't got control of their S3 bucket monitoring, since logging is disabled by default.— Kevin Beaumont (@GossiTheDog) July 31, 2019
So if there's one learning point everybody should take away, it's 'do we actually feed these logs into SIEM?' and 'do we have any alerts for bad usage?'
The AWS spokesperson added: "We do not have proof that the perpetrator in the Capital One incident found similar application flaws in a few other customers."
AWS has been criticised for leaving S3 server access logging disabled by default, and, as this case shows, a handful of configuration mistakes in an AWS set-up is enough to expose a critical corporate system or database. AWS does provide instructions for enabling server access logging on S3 buckets (and, separately, CloudTrail data events for object-level API calls, which are also off by default) so that organisations can monitor for unauthorised access. Enabling the logs is only the first step, though: unless they are parsed and alerted on, a bucket listing followed by a bulk download looks no different from normal traffic.
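Beaumont's question about alerts for bad usage is concrete enough to illustrate. The Python script below is an added example, not code from the article, from AWS or from any of the parties named. It parses S3 server access log lines in the format AWS documents for the logging discussed above and flags three patterns: a successful anonymous read (the bucket is publicly readable), a bucket listing from a source IP outside an allowlist, and one principal reading many distinct objects after listing. The log lines, the bucket name, the IP addresses and the assumed-role ARN are all constructed for the example and are not taken from the Capital One incident.

```python
"""Parse Amazon S3 server access logs and flag the access pattern at issue in
the Capital One case: one principal listing a bucket and then reading many
objects, plus anonymous reads that show a bucket is publicly readable.
Example code; every log line below is constructed, not real."""
import re
from collections import defaultdict
from datetime import datetime

# Field order of the S3 server access log format (space-delimited, with the
# timestamp in brackets and request URI, referrer and user agent in quotes).
# Newer optional trailing fields are ignored.
FIELDS = [
    "bucket_owner", "bucket", "time", "remote_ip", "requester", "request_id",
    "operation", "key", "request_uri", "http_status", "error_code",
    "bytes_sent", "object_size", "total_time", "turn_around_time",
    "referrer", "user_agent", "version_id", "host_id", "signature_version",
    "cipher_suite", "auth_type", "host_header", "tls_version",
]

# A token is a bracketed timestamp, a quoted string, or a run of non-spaces.
TOKEN_RE = re.compile(r'\[[^\]]*\]|"[^"]*"|\S+')

# Constructed sample (hypothetical bucket, IPs and role ARN): a console check by
# the bucket owner; an assumed-role session listing the bucket and pulling three
# objects from one IP; an anonymous read that succeeds and one that is denied.
SAMPLE_LOG = [
    'OWNERID secure-bucket [22/Mar/2019:03:14:07 +0000] 192.0.2.10 OWNERID REQ0000 REST.GET.VERSIONING - "GET /secure-bucket?versioning HTTP/1.1" 200 - 113 - 7 - "-" "S3Console/0.4" - HOSTID SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader secure-bucket.s3.amazonaws.com TLSv1.2',
    'OWNERID secure-bucket [22/Mar/2019:03:20:41 +0000] 203.0.113.7 arn:aws:sts::123456789012:assumed-role/web-proxy-role/i-0abcd REQ0001 REST.GET.BUCKET - "GET /secure-bucket?list-type=2 HTTP/1.1" 200 - 52841 - 41 - "-" "aws-cli/1.16.140 Python/3.7.3" - HOSTID SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader secure-bucket.s3.amazonaws.com TLSv1.2',
    'OWNERID secure-bucket [22/Mar/2019:03:21:02 +0000] 203.0.113.7 arn:aws:sts::123456789012:assumed-role/web-proxy-role/i-0abcd REQ0002 REST.GET.OBJECT exports/part-0001.csv "GET /secure-bucket/exports/part-0001.csv HTTP/1.1" 200 - 3145728 3145728 812 19 "-" "aws-cli/1.16.140 Python/3.7.3" - HOSTID SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader secure-bucket.s3.amazonaws.com TLSv1.2',
    'OWNERID secure-bucket [22/Mar/2019:03:21:09 +0000] 203.0.113.7 arn:aws:sts::123456789012:assumed-role/web-proxy-role/i-0abcd REQ0003 REST.GET.OBJECT exports/part-0002.csv "GET /secure-bucket/exports/part-0002.csv HTTP/1.1" 200 - 3145728 3145728 790 17 "-" "aws-cli/1.16.140 Python/3.7.3" - HOSTID SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader secure-bucket.s3.amazonaws.com TLSv1.2',
    'OWNERID secure-bucket [22/Mar/2019:03:21:15 +0000] 203.0.113.7 arn:aws:sts::123456789012:assumed-role/web-proxy-role/i-0abcd REQ0004 REST.GET.OBJECT exports/part-0003.csv "GET /secure-bucket/exports/part-0003.csv HTTP/1.1" 200 - 3145728 3145728 801 18 "-" "aws-cli/1.16.140 Python/3.7.3" - HOSTID SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader secure-bucket.s3.amazonaws.com TLSv1.2',
    'OWNERID secure-bucket [22/Mar/2019:04:02:13 +0000] 198.51.100.5 - REQ0005 REST.GET.OBJECT exports/part-0001.csv "GET /secure-bucket/exports/part-0001.csv HTTP/1.1" 200 - 3145728 3145728 904 21 "-" "curl/7.64.0" - HOSTID - - - secure-bucket.s3.amazonaws.com TLSv1.2',
    'OWNERID secure-bucket [22/Mar/2019:04:02:15 +0000] 198.51.100.5 - REQ0006 REST.GET.OBJECT internal/config.json "GET /secure-bucket/internal/config.json HTTP/1.1" 403 AccessDenied 243 - 11 - "-" "curl/7.64.0" - HOSTID - - - secure-bucket.s3.amazonaws.com TLSv1.2',
]


def parse_line(line):
    """Map one access log line onto FIELDS and return it as a dict."""
    tokens = TOKEN_RE.findall(line)
    if len(tokens) < len(FIELDS):
        raise ValueError("truncated log line: %r" % line)
    rec = dict(zip(FIELDS, tokens))
    rec["time"] = datetime.strptime(rec["time"], "[%d/%b/%Y:%H:%M:%S %z]")
    for quoted in ("request_uri", "referrer", "user_agent"):
        rec[quoted] = rec[quoted].strip('"')
    return rec


def detect(lines, bulk_threshold=100, listing_allowlist=frozenset()):
    """Run three rules over log lines and return alerts as tuples whose first
    element names the rule.

    bulk_threshold: distinct objects one (requester, ip) pair may read before it
    is flagged; 100 is an arbitrary starting point to tune per bucket.
    listing_allowlist: source IPs that are expected to enumerate the bucket.
    """
    alerts = []
    reads = defaultdict(set)   # (requester, remote_ip) -> distinct keys read
    listed = set()             # (requester, remote_ip) pairs that listed the bucket
    for rec in map(parse_line, lines):
        if not rec["http_status"].startswith("2"):
            continue            # denied requests are not what these rules look for
        who = (rec["requester"], rec["remote_ip"])
        if rec["requester"] == "-" and rec["operation"] in ("REST.GET.OBJECT", "REST.GET.BUCKET"):
            # An unauthenticated request succeeded: the bucket or object is public.
            alerts.append(("anonymous_read", rec["remote_ip"], rec["key"]))
        if rec["operation"] == "REST.GET.BUCKET":
            listed.add(who)
            if rec["remote_ip"] not in listing_allowlist:
                alerts.append(("listing_from_unexpected_ip", rec["requester"], rec["remote_ip"]))
        elif rec["operation"] == "REST.GET.OBJECT":
            reads[who].add(rec["key"])
    for who, keys in reads.items():
        if len(keys) >= bulk_threshold:
            # The final flag records whether the same principal enumerated the bucket first.
            alerts.append(("bulk_download", who[0], who[1], len(keys), who in listed))
    return alerts


if __name__ == "__main__":
    # Threshold lowered to 3 so the small constructed sample triggers the rule.
    for alert in detect(SAMPLE_LOG, bulk_threshold=3, listing_allowlist={"192.0.2.10"}):
        print(alert)
```

The rules are deliberately simple; in practice the requester for an IAM role appears as an `arn:aws:sts::...:assumed-role/...` string as in the sample, so the per-principal counters can be keyed on the role rather than the IP if the source address is expected to vary. Note also that server access logs are delivered on a best-effort basis with a delay, so for near-real-time alerting the same rules are better fed from CloudTrail data events for the bucket.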
