Capital One Data Theft Impacts 106M People — Krebs on Security
Federal prosecutors this week charged a Seattle woman with stealing data from more than 100 million credit applications made with Capital One Financial Corp. Incredibly, much of this breach played out publicly over several months on social media and other open online platforms. What follows is a closer look at the accused, and what this incident may mean for consumers and businesses.

[Photo caption: Paige “erratic” Thompson, in an undated photo posted to her Slack channel.]

On July 29, FBI agents arrested Paige A. Thompson on suspicion of downloading nearly 30 GB of Capital One credit application data from a rented cloud data server. Capital One said the incident affected approximately 100 million people in the United States and six million in Canada.

That data included approximately 140,000 Social Security numbers and approximately 80,000 bank account numbers on U.S. consumers, and roughly 1 million Social Insurance Numbers (SINs) for Canadian credit card customers.

“Importantly, no credit card account numbers or log-in credentials were compromised and over 99 percent of Social Security numbers were not compromised,” Capital One said in a statement posted to its site.

“The largest category of information accessed was information on consumers and small businesses as of the time they applied for one of our credit card products from 2005 through early 2019,” the statement continues. “This information included personal information Capital One routinely collects at the time it receives credit card applications, including names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth, and self-reported income.”

The FBI says Capital One learned about the theft from a tip sent via email on July 17, which alerted the company that some of its leaked data was being stored out in the open on the software development platform Github. That Github account was for a user named “Netcrave,” which includes the resume and name of one Paige A. Thompson.

[Image caption: The tip that alerted Capital One to its data breach.]

The complaint doesn’t explicitly name the cloud hosting provider from which the Capital One credit data was taken, but it does say the accused’s resume states that she worked as a systems engineer at the provider between 2015 and 2016. That resume, available on Gitlab here, reveals Thompson’s most recent employer was Amazon Inc.

Further investigation revealed that Thompson used the nickname “erratic” on Twitter, where she spoke openly over several months about finding huge stores of data intended to be secured on various Amazon instances.

[Image caption: The Twitter user “erratic” posting about tools and processes used to access various Amazon cloud instances.]

According to the FBI, Thompson also used a public Meetup group under the same alias, where she invited others to join a Slack channel named “Netcrave Communications.”

KrebsOnSecurity was able to join this open Slack channel Monday evening and review many months of postings apparently made by Erratic about her personal life, interests and online explorations. One of the more interesting posts by Erratic on the Slack channel is a June 27 comment listing various databases she found by hacking into improperly secured Amazon cloud instances.

That posting suggests Erratic may also have located tens of gigabytes of data belonging to other major corporations:

[Screenshot of the Slack post listing the databases, not reproduced here.]

According to Erratic’s posts on Slack, the two items in the list above beginning with “ISRM-WAF” belong to Capital One.

Erratic also posted frequently to Slack about her struggles with gender identity, lack of employment, and persistent suicidal thoughts. In several conversations, Erratic makes references to running a botnet of sorts, although it is unclear how serious those claims were. Specifically, Erratic mentions one botnet involved in cryptojacking, which uses snippets of code installed on Web sites — often surreptitiously — designed to mine cryptocurrencies.

None of Erratic’s postings suggest Thompson sought to profit from selling the data taken from various Amazon cloud instances she was able to access. But it seems likely that at least some of that data could have been obtained by others who may have followed her activities on different social media platforms.

Ray Watson, a cybersecurity researcher at cloud security firm Masergy, said the Capital One incident contains the hallmarks of many other modern data breaches.

“The attacker was a former employee of the web hosting company involved, which is what is often referred to as insider threats,” Watson said. “She allegedly used web application firewall credentials to obtain privilege escalation. Also the use of Tor and an offshore VPN for obfuscation are commonly seen in similar data breaches.”

“The good news, however, is that Capital One Incidence Response was able to move quickly once they were informed of a possible breach via their Responsible Disclosure program, which is something a lot of other companies struggle with,” he continued.

In Capital One’s statement about the breach, company chairman and CEO Richard D. Fairbank said the financial institution fixed the configuration vulnerability that led to the data theft and promptly began working with federal law enforcement.

“Based on our analysis to date, we believe it is unlikely that the information was used for fraud or disseminated by this individual,” Fairbank said. “While I am grateful that the perpetrator has been caught, I am deeply sorry for what has happened.
I sincerely apologize for the understandable worry this incident must be causing those affected and I am committed to making it right.”

Capital One says it will notify affected individuals via a variety of channels, and make free credit monitoring and identity protection available to everyone affected.

Bloomberg reports that in court on Monday, Thompson broke down and laid her head on the defense table during the hearing. She is charged with a single count of computer fraud and faces a maximum penalty of five years in prison and a $250,000 fine. Thompson will be held in custody until her bail hearing, which is set for August 1.

A copy of the complaint against Thompson is available here.

Update, 3:38 p.m. ET: I’ve reached out to several companies that appear to be listed in the last screenshot above. Infoblox [an advertiser on this site] responded with the following statement:

“Infoblox is aware of the pending investigation of the Capital One hacking attack, and that Infoblox is among the companies referenced in the suspected hacker’s alleged online communications. Infoblox is continuing to investigate the matter, but at this time there is no indication that Infoblox was in any way involved with the reported Capital One breach. Additionally, there is no indication of an intrusion or data breach involving Infoblox causing any customer data to be exposed.”

Tags: Capital One breach, GitHub, Masergy, Paige A. Thompson, Ray Watson, Slack, twitter

This entry was posted on Tuesday, July 30th, 2019 at 9:59 am and is filed under Data Breaches, Ne'er-Do-Well News.

Comments

Am I missing something here? How did she exploit the actual WAF? People are suggesting she used the default admin credentials? But.. wouldn’t the admin console of a WAF only be accessible from the internal network?
Kinda like your home router admin console can only be accessed by the private IP. The only other thing I can think of using is malformed requests like sql injection to elevate. Was the WAF not configured to block that?

I don’t think they did.

As I read the complaint, they ran a simple, three line program (using aws cli or one of the libraries like the powershell one) that used API credentials, did a “list buckets” then a “sync bucket”. The credentials were for “ISRM-WAF-Role” but an actual WAF wasn’t touched.

Speculation (and it’s just that at this time) is that “credentials” (access tokens, etc) were retrieved from the AWS Metadata API via a web application with a SSRF vulnerability. I guess the idea is that the WAF, if properly configured, should have prevented the SSRF exploit? Do a search on “exploiting AWS metadata service” for more info.

Yup. Seen a few comments that make sense there; the WAF was apparently a third party, marketplace instance rather than AWS’ own, and for such instances, if you can induce them to connect to the http://169.254.169.254/ meta-data endpoint on your behalf, you can pull ephemeral API keys to use with AWS CLI.

VPC = Amazon VPN essentially. She was on the VPC.

Actually, VPC = Virtual Private Cloud. That’s effectively the equivalent of a virtual datacenter within AWS. Customers can carve out multiple VPCs and have totally isolated environments. One of several AWS services that allows customers to create a connection back to their on premise datacenter is a CGW (Customer Gateway) and is typically associated with either a site to site VPN or AWS DirectConnect. DirectConnect is a private MPLS connection whereas the VPN would be an IPSec tunnel back to VPN gateway on the remote end. Of course the VPN connected to the VPC is across the Internet.

Guys, keep in mind that even though they were using a WAF, the WAF is only as good as the security policy applied to it. WAFs can be very complex to manage and maintain and, in many cases, require the configuration to be modified as there are changes to the web application it’s protecting. If the customer makes changes to the application but doesn’t modify the WAF policy, they might be vulnerable to attacks focused in areas the WAF doesn’t know to protect. There are WAFs on the market that don’t require constant care and feeding, but who knows which product they were actually using.

Please don’t comment if you have no clue what you’re talking about. VPC is a Virtual Private Cloud, not VPN. As others mentioned, it’s basically a virtual datacenter. Thanks for fake news.

I don’t really care about the breach.

I care that twitter memory-holed the perpetrator’s account for no reason other than being accused of a crime. Tangentially, Erratic is no she. He clearly is a dude in costume.

If this individual tweeted about anything political that wasn’t left-leaning they’d have deleted that individual's account quickly. I don’t trust twitter and no one else should either. This individual needs mental help. Perhaps jail can be the start of the reform this individual needs.

how is this relevant or important? “Erratic also posted frequently to Slack about her struggles with gender identity, lack of employment, and persistent suicidal thoughts.”

Because these are what are known as “indicators” of terrorists and other potential criminal activity, according to my annual IA awareness training. Those who express frustration of their situations, inability to cope with life circumstances, or expressions of suicidal thoughts. All indications that the person is unstable and likely to make poor judgement decisions.

BS… I take the same awareness training, and I know the cheesy vignette you are talking about. It does NOT lump all mental health problems as indicators. There are none that mention gender identity or even depression.
They do, however, mention divorce and other financial stressors as indicators to look out for when it comes to insider threats.

Really, you were trained? It does not sound like it, sounds like you need a lot more…. WOW!

Yes kid… I have taken the annual training many many times. Sick of it frankly.

But a kid of your age wouldn’t even be old enough to be included in the training. Since you don’t know what is even being discussed here… let me break it down.

It is about spotting behavioral indicators of insider threats. Divorce, personal debt and gambling problems are big indicators. Being disgruntled at work definitely. There are several others. But none of them are based on depression, suicidal thoughts or gender identity. That is just bigotry being expressed and trying to tie that to the training.

Luckily, there is other training available for that. See your SHARP advisor.

It is important to note because 40% of the transgender community successfully deploy the suicide module to their production code base. It's clear this person and the larger community as a whole are seriously mentally ill. Why as a society we are expected to buy into this delusion by using “she” for what is obviously a dude is beyond me.

If you want to malign the transgender community, then do it from a position of facts and not opinions. Every reputable medical organization has said that it is NOT a mental disorder and WPATH has changed it so it is no longer a mental illness.

Why can we pretend we’re another gender, but we can’t pretend we’re another age or species? I’d love to collect Social Security at 35 years old, but I can’t “identify” as an age I’m not. I’d also love to pretend I’m a grizzly bear, eat salmon all day, and not have to pay taxes because I’m not a human, but I can’t “identify” as a species I’m not. Why are we allowing this delusion to continue? You’d think people were mentally unstable who do the two things I laid out, correct? Why is this any different? People are literally mutilating themselves to change something they are born as because they “identify” as something else. That’s not a mental illness?! Come on, it’s pure logic.

If you seriously want a scientific answer… but I fear you don’t…

“Why can we pretend we’re another gender, but we can’t pretend we’re another age or species?”

https://www.sciencealert.com/watch-we-were-once-all-female “It may come as a surprise to some of our male readers, but you all actually started out as females – physically and phenotypically speaking. So how is this possible? Well, we all know that when a man and a woman make a tiny human, they each provide 23 chromosomes. One pair of chromosomes helps to determine the baby’s sex – two X chromosomes and it’ll be a female and an X chromosome from the mother and a Y chromosome from the father and it’ll be a male. The key here, explains the episode of AsapSCIENCE above, is that the Y chromosome doesn’t kick in right away.”

https://www.ncbi.nlm.nih.gov/books/NBK222286/ “All human individuals—whether they have an XX, an XY, or an atypical sex chromosome combination—begin development from the same starting point. During early development the gonads of the fetus remain undifferentiated; that is, all fetal genitalia are the same and are phenotypically female.”

—————

It is not a conscious choice, it is not “pretend”. There is a LOT that happens during fetal development and development all the way to adolescence… that determines the hormonal and emotional identity in the brain to match genitalia. If all humans started out from conception, as Grizzly Bears… then yes, a certain percentage of the adult population would identify as such. So it is only ignorance that we all start out female…. that fuels your lack of understanding and that ridiculous comparison that keeps getting repeated.

Why are humans the only mammals that go through this then?
Wouldn’t that mean that every single male would, at some point, struggle with an attraction to the same sex and want to identify as the opposite sex? What I’m getting at is this: Is the science behind what you said true? Sure. However, you don’t see every single male wanting to be a female; or every single male attracted to other males. So, what happens in between? What causes this to be the case in a minority of males? There are many studies which show how there is some form of abuse (unfortunately, it’s usually sexual in nature) that occurs with people in the LGBTQ community.

https://www.ncbi.nlm.nih.gov/m/pubmed/20658803/?i=3&from=/25942288/related

If you plant a seed, you get a tree. Is that tree still considered a seed when it sprouts branches and leaves? No, the seed played a large role in determining the development of the tree. It’s no longer a seed and it can’t identify as a seed any longer. If you abuse the tree when it’s still maturing (e.g., snap some branches, bend the trunk, etc.) you will get a MUCH different looking tree later down the road.

People aren’t trees. Plants are WAY different. They don’t even have a sex identity… what’s your point with that silly comparison?

There is a LOT of complexity in human development. Yet you insist with over-simplification.

And yes, in the animal kingdom there is lots of variation in sexual behavior. Of course we have not yet met an animal on the same level of intelligent communication to get an idea of percentage of gender identity.

But we do know many animals are gay and have somewhat of a spectrum. https://en.wikipedia.org/wiki/List_of_animals_displaying_homosexual_behavior

Glad you posted a link… but the fact that they are often abused, isn’t relevant to the conversation. Unless you are comparing many of the comments here as examples of the abuse that trans people face, and that are a major cause for the mental health issue they display. Their “difference” from the norm causes insecure people to lash out, family to disown, and society to ignorantly ridicule. No wonder they have mental issues… when the society of highly social creatures, reject an individual… that is a critical blow to the psyche.. and often fatal.

– “If you want a scientific answer, but I fear you don’t”
– “Glad you posted a link…”

There’s no need for condescending, ad hominem attacks, Joe. If you want to have a serious discussion, I’m all for it. But, let’s keep it to the topic instead of being condescending. It absolutely is relevant. This was my whole point which sparked you to chime in: “Why can we pretend we’re another gender, but we can’t pretend we’re another age or species?”

Then you had posted that males start out as females, and that proved transgenderism is normal, unlike being a grizzly bear catching salmon all day because we don’t start out as grizzly bears. What I had brought up (pointing back to my original argument) was the “why” behind it. I had told you I agreed about the science; however, it’s not that simple. If it was, then every single male would be either trans or attracted to the same sex. Since that’s clearly not the case, my whole entire point of the “why” the science may be true, but misleading in your argument, was because of some form of abuse, usually at a young age, which forces that unnatural behavior; not some biological reasoning of males starting as females — which somehow proves your point.

To your other point, if I am not allowed to use a tree as an example, then wouldn’t you agree that, if you had two dogs: one was abused since it was a puppy and the other was not, these dogs would have wildly different behaviors?

My comment comes across as condescending in the same way your question came off as sarcastic and disingenuous.

Getting back on topic…

“If it was, then every single male would be either trans or attracted to the same sex.”

That is absolutist.
“Every”… implies deterministic and definite processes at work. But this is biology. Variability is inherent… and there are numerous factors that contribute to probabilities that aren’t absolute.

Your argument about abuse seems like the classic nature vs nurture. But like the previous… reality isn’t absolute. It isn’t one or the other… it is usually some combination of both. Specifically for sexual/gender identity, the abuse comes AFTER the behavioral differences manifest. Feminine males are ridiculed, as are masculine females. So the “why” is probably way more on the “nature” side. Which means yes, they are born that way. But puberty takes a while to fully manifest sexual behavior and identity… so it's a delayed reaction to the probabilities in development in the womb, over years.

To your dog analogy… it is still an over simplified comparison that attempts to make it easy for a layperson to understand, but in doing so, lacks any science. By forcing non-human comparisons, you remove critical context. It is absolutely crucial to compare like sexual development. Not just generic “behavior”. In this case, no simple comparison will be adequate. You have to actually study and understand human biology and psychology.

So essentially, the “abuse as a cause” argument is not valid. The gender identity comes before the abuse. And the “every single ___ would ___” argument is also completely wrong, as it is absolutist and not in line with the science of biology.

That depression comes from uninformed people like you treating them like they are mentally ill for just being themselves.

This thread requires Moderation. None of this discussion is relevant to the crime

I know, right? I get some of the discussion about indicators for insider threat, but the thread seems to have taken a ‘Jerry Springer’ tone to it. I’m feeling the need to use one of my shoes to throw at someone while the rest of the thread chants: “Bri-an!” “Bri-an!”

Unfortunately there remains a large number of scientifically illiterate, misogynistic, and hateful individuals in the information security community.

I don’t know what Brian’s moderation guidelines look like, but there are more than a few individuals who regularly visit this site that could use an extended timeout until they can learn to keep their vitriolic opinions to themselves.

He’s probably too busy writing the next article to swing the banhammer

I swear the moment any transgender topic comes up, everyone loses 50 IQ points.

Get over it no one cares that you all hate transgender people.

Right? Jesus I stepped into a whole hotbed of hatred. So as an information security professional I am supposed to be on the lookout for trans folk because they are the biggest hacking threat? What garbage is being spewed here.

‘Being themselves’ would be however they popped out of the womb. Your enablement of their delusion is what fosters the instability. I hope you’re happy.

The “Popping out” part of human development may be a nice milestone for the parent… but sexual development is a long process… much of it done way before birth, and some well after birth.

All males were initially female. The Y chromosome kicks in later, and the hormonal/emotional aspects take years to fully develop.
Read a book (a science book), before you set arbitrary landmark moments to declare identity.

That's a whole lot of prejudice and ignorance for only 3 sentences.

Transgenderism is a mild psychosis, like biting your nails, that doesn’t inhibit your ability to function in society and therefore is not a mental illness in the DSM.

HOWEVER, it can progress to Gender Dysphoria, which is indeed a mental illness with a suicide rate of 40%, and is listed in the DSM as a mental illness.

And yes, it is a warning indicator.

Gender dysphoria, like any other crisis of identity becomes critical and life threatening when they feel that they cannot integrate into a society without wearing a mask. It breaks down the mind, to constantly try to be something they are not. Just because of a disparity between outward physical appearance and hormonal emotional identity.

Just like with homosexuality, which had a high suicide rate as well… it drastically falls when they find acceptance in a society that won’t keep trying to define them by appearance.

I fully agree

No, ~40% _attempt_ suicide. Far, far less are successful. And on top of that, most attempts are before transition, not after.

(IIRC, the number I usually see is 41% for trans women and 44% for trans men)

Because she has mental issues dude! Not that it does not forgive her for the crime but it does maybe explain WHY she did it! Unhappiness, not maliciousness there is a HUGE difference… Maybe she was not in full control? Who knows..

>how is this relevant or important?
>“Erratic also posted frequently to Slack about her struggles with gender identity, lack of employment, and persistent suicidal thoughts.”
>They do, however, mention divorce and other financial stressors

If depression, suicidal thoughts, and lack of employment are not financial stressors I’m not sure what are.

I suppose someone can take this as a “glass half empty” comment of criticism of an individual.

One could also take it as a “glass half full” criticism of society that if someone is pushed, or when clearly vulnerable is not given proper support their actions can spiral out of control.

The fact that, when I first saw her Twitter account, I thought, “Well that’s a heroin-addicted tranny having a mental breakdown” doesn’t necessarily mean an unsympathetic or in-compassionate response from me — it means I’ve seen people in similar situations and recognized someone in need of help. The heroin is the only thing so far without further supporting evidence that I’ve seen published. To say such observations should not be voiced out loud is to encourage ignoring struggling people for the sake of political correctness.

That someone has gender dysphoria doesn’t mean they are a security risk; however if they have gender dysphoria and a lack of a social support net they have enhanced vulnerability to situations (like financial distress) known to be security risks.

Not everyone will be able or willing to accept extra help, but when you see someone who is extra vulnerable then extra help should be offered. That isn’t open ended and at some reasonable point bad employees do need to be fired, but that isn’t the first option to go to in these situations.

Matt, the comments about indicators of insider threats should not be taken out of context. It was in response to the specific annual training program for IA (information assurance). It is not so much for the corporate environment, but rather protection of classified information.
The training is geared toward those susceptible to becoming an insider threat because of significant debt or ideological coercion. It is actually a counter-intelligence tool mostly. Not really the kind of financial strain that would only cause someone to want to make some money on the side… but rather the kind of detrimental situation that a FIS would want to pay someone to be a traitor.

The indicators are more about DIRECT financial stressors. Not some “slippery slope” argument that depression could lead to social problems and lack of employment, which lead to falling behind on bills.

This is why depression isn’t itself an indicator of becoming an insider threat.

Depression, suicidal thoughts… are NOT indicators of any kind. In fact, if a manager would want to dismiss someone for that… HR would have to intervene. That would be discrimination. Lack of employment could eventually lead to such financial stress as to present a corrupting influence. But she never mentioned being in severe debt.

A person can be well employed, all the time… and have instant severe debt that is a MUCH higher indicator. Divorce can take 1/2 of one’s assets. Gambling problems can amplify too. Being out of work in itself, isn’t an indicator.

Be careful not to project something onto a short tweet, as if you really know someone.

People of today use all those reasons after they commit a crime in order to get a lesser sentence. No one wants to take responsibility for their actions

She was an insider threat aka this was an insider job. She already had the creds to move about.

If this hack was facilitated by insider knowledge, it seems to me that CapitalOne made a mistake by stating that Amazon was not at all responsible. Especially so early in the investigation. From a legal perspective, it seems to me it would have been better to keep quiet.

Completely agree… why is there not more in the mainstream news about Amazon’s role in this?

Also, did you notice in the criminal complaint that it references “the Cloud Computing Company” throughout the document and does not once mention AWS or Amazon. Why?

Did you hear Amazon is about to be awarded a fed gov. contract in upcoming months, think about it!!!!!!

Looks like that’s on hold for now: https://www.nytimes.com/2019/08/01/us/politics/amazon-pentagon-contract.html?action=click&module=Top%20Stories&pgtype=Homepage

When I read the “insider threat” mention in this article my sales jargon BS meter went red. She worked at Amazon, so what? Unless they can say she used some secret Amazon backdoor or some unprovisioned rights from her time of employment then it isn’t an “insider threat”. It seems more likely that she was someone that had in depth knowledge of this public cloud computing platform that she was able to leverage to easily pivot and exfiltrate data via some (speculated) weak configuration management practices by CapitalOne. So, under that logic anyone that has used AWS that has a knowledge of the platform and tools could be seen as an “insider” which I feel is a bit of an excessive stretch of that term. I’d be willing to bet once all the facts come to light this will likely be another instance of a breach caused by cloud consumer misconfiguration of a cloud platform vs a directly attributable breach due to the provided cloud infrastructure. If that is true, I think the silver lining here is from what I have read thus far it sounds like CapitalOne wasn’t extremely negligent opposed to most other reported breaches caused due to setting data buckets to public access.

Some random security researcher said it’s an insider threat. That doesn’t make it so.

She hasn’t worked at AWS for 3 years.
AWS employees do not have access to customer IAM credentials, which would be necessary to pull this off. Never mind the fact the credentials compromised were IAM role credentials. Those rotate every 12 hours. So even if she had credentials by virtue of working at AWS (she doesn’t, as I know from experience), they would have been invalid no later than 12 hours after she stopped working for AWS.

The only thing working at AWS may have helped her with is knowing how the services work. But this is the exact same experience you would get working as an AWS architect for a third-party company.

how is this relevant or important? “Erratic also posted frequently to Slack about her struggles with gender identity, lack of employment, and persistent suicidal thoughts.”

She’s actually a HE… don’t let the media fool you!

I fully agree

Eff her. She has “emotional” issues and screws over millions of people? Throw her in the can for 20 years, 30 years. Throw away the key. What an A-hole. Capital One should forgive all my debt as a penalty to them for leaving my info unsecured.

I want my Data Back! This is the third breach of information I’ve been involved in. 1.) OPM (Office of Personal Management) Chinese 2.) Equifax 3.) Capital One VISA

We need strong Federal Laws protecting citizens from company collecting & storing any personal data. Period!

I understand your frustration, but don’t miss the fact that these companies are being victimized by criminals. Would you expect to be prosecuted for letting someone break into your home?

If I kept the personal belongings of 106M people in my home with the understanding I’d be keeping them all safe, then yes I might expect some repercussions. Which is not to deny the culpability of a bad actor, but to *also* consider the culpability of a victim who has taken on responsibilities regarding the assets they hold on behalf of others. Essentially there were two ‘crimes’ taking place here.

If I store your stuff in my home and then let someone stroll in and take a bunch of it without even locking the door, then yes I would expect to be prosecuted.

You’ve probably been involved in far more, just not knowingly. There’s been over a thousand in the last year.

The real story here is the essential slap on the wrist penalty level for a crime that could result in ruined lives for innocent people. Even if found guilty and given the maximum penalty, there is little real punishment. There should be one count of the crime for each individual whose information was breached. It should be a capital crime. Treating such serious acts as if they are juvenile pranks is a big part of the problem.

Anyone know of a way to get or search the leaked data? Capital One claimed to the CFPB and the court they did not have application data in 2017 but this data leak may show otherwise. After the move to the cloud Capital One started to send cash advance checks to someone whose account was closed 2 years before the cloud move (per public state court records) so this cloud move had problems.

This is how a hacker screams for help…

I am disappointed on how liberal (lenient?) the prosecutor is. This person (he/she?) is just a small fish. The whole incident shows a systematic failure at the bank. The regulators must create an example by forcing the so called bank go out of business, that way other banks will learn hard lesson and start focusing on protecting their customer data. The very way such high quantity of data got breached looks silly to me.
Could have easily stopped it with simple counter measures.Modify the post date please it is saying July 19 while the actual report date is 29.General Bill, the date on the post is done in the following format:DAY (DD – in big font) Month (MMMM – in small font) Year (YY – in small font)That 19 you are looking at is July 2019, not July 19, 2019CapOne continually sends out invitations to apply for their CC products. They – and all the other marketers of FinSvcs buy mailing lists that include all sorts of PII – and those DM lists are available from many sources. Why should we believe that our PII is safe in the hands of CapOne – or any other entity that stores our aggregated infos?Brian thanks for putting this information together and sharing with the community at large. As with any breach we all can learn from this incident. Looking for techniques that can be deployed to prevent a similar incident if anyone cares to share their thoughts.I heard a security guy on the radio this morning discussing how AWS has a default configuration for convenience and easy use, rather than being geared towards security. Apparently it cuts down on support costs.I don’t know if that is true, but I imagine that it’s not too smart to leave things in their default state.The other thing the guy mentioned is that the stolen data would’ve been in more than one folder or server. (Not sure which, it went over my head). He was suggesting that the data theft couldn’t have been done by just one person with 3 years old credentials. So maybe it’s a bigger story.That’s not true, Amazon’s defaults are reasonable. On the other hand, their S3 bucket permissions model and access control (IAM) is the most baroque misbegotten overengineered monstrosity imaginable, and it’s actually surprising misconfigurations like these aren’t found and exploited on a hourly basis.That security guy has very little experience, from what I can tell.1.) 
The default security group for the default VPC allows all traffic on all ports, sure. But if you’re deploying resources for a large bank, you would know to secure your stuff.2.) IAM roles have no permissions by default. Meaning you can’t do anything to it. You have to specifically add permissions to allow it to do anything.3.) ‘3 year old security credentials’ doesn’t make sense. This is an IAM role we’re talking about. IAM roles use temporary credentials that rotate every 12 hours. There’s absolutely no way the credentials were 3 years old.The 3 year thing is likely alluding to the fact she worked for AWS as recently as 2016. But AWS employees, even those who work in security and IAM, don’t have access to IAM credentials for user accounts. And if a customer accidentally gives their credentials to AWS (say, when engaging AWS Support), AWS immediately scrubs that information from its servers and tells the customer to rotate their credentials.Her experience at AWS may have given her some insight on some common misconfigurations and holes to poke at, but it wouldn’t get her access to customer credentials. And even if somehow she did get those credentials 3 years ago, the role credentials would’ve been good for precisely 12 hours.I know all this from experience.well that is all auditable in AWS SecretsBut I think the Complaint said she had inside info… and maybe that’s how the DOJ deduced thisIn this interview, Capital Ones CEO brags that their software “encrypts ALL data going to the cloud”. What happened, Rob?https://www.wsj.com/amp/articles/BL-CIOB-11029?responsive=yDetails are not clear, but even if the data was encrypted, she may have known how to extract decryption keys from applications which accessed the data, based on insider knowledge.From Capital Ones CIO interview in the Wall Street journal: “We launched a tool called Cloud Custodian that we built to ensure that we encrypt all data that goes to the cloud. 
Cloud Custodian monitors our deployment in the public cloud to make sure all the things we deploy comply. If something’s not encrypted, it will automatically encrypt it.”If “all data” was encrypted, then there was no actual breach, correct? Or did this banking executive, tell a bold faced lie to the American people?I mean this could be a systematic failure where the encryption checkbox wasn’t selected during the creation of the bucket. Especially since the level of effort required by Paige thompson was very little. She claims she didn’t even know she was accessing unencrypted data.So, um, just curious… Which prison will they be sending Ms. Erratic to? Men’s or womens?I suspect she would find herself highly UNappreciated in a women’s prison. But she would probably be greeted with a warm reception in a men’s prison.what does their gender have to do with this breach or blog post? you snow flakes always get so triggered by people who have a gender identity that offends youSince the crime was committed in Washington, it would fall under their state laws:https://www.aclu-wa.org/docs/rights-transgender-people-washington-stateThis case is federal, not prosecuted by the state of Washington.Also, crime is considered to happen where the victim lives, not the origin of the perpetrator. With computer crime, it is not feasible to consider the location of servers, victim company HQ, or possible distributed victims… so it’s just federal.“You don’t hack a bank across state lines from your house, you’ll get nailed by the FBI” -best movie of all timeThe title of the e-mail alerting Capital One says “Leaked s3 data” and s3 is Amazon’s Simple Storage Service. Correct me if I’m wrong.If other data stores were also accessed through Capital One’s s3 instance, that means that the internal security of the cloud has significant vulnerabilities. 
It reminds me of the Chinese CloudHopper campaign that was revealed a couple of years ago after having romped about in many cloud provider’s infrastructure for about five years.I’m not persuaded that cloud providers are any better at security than the city of Baltimore.There are a lot of transphobic comments on this article. This website is for computer security, comment on the crime at hand and post all of your transphobic nonsense on your own alt-right platform.Brian Krebs has deleted some of it, but I think he’s getting overwhelmed trying to keep track and moderate.I agree with that. What is relevant here is : what was extracted; how it was done; what configuration weaknesses allowed this to happen; who may have accessed the exfiltrated data; and what harm may have resulted from any third-party access to that data.All discussions about the personal life of the former Amazon-employed systems engineer are irrelevant. Discussions about detecting possible “insider threats” from current or former employees may be relevant but are likely to go rapidly off-topic.Brian is perhaps best placed to comment on the possible uses – or rather misuses – of the classes of data relating to individual applicants. Identity theft and fraud seem the most likely.The breach began in March, and went undetected through Mid july? Was there no form of monitoring on their S3 buckets to check for unusual traffic patterns or behavior? And no form of threat intelligence program in place to monitor social media, forums, dark web, etc for hints of breaches? The only thing in place was a tip line/tip email box to place the burden of intel on random tipsters? As a large financial with customers sensitive info across the USA and Canada? Seriously?Great points! 
She did a service to society by exposing CapitalOne’s negligence in protecting our personal information.For a company whose CIO and CEO have been constantly boasting about being first to cloud, cloud journey, cloud transformation (all while simultaneously proclaiming that their customers data was infinitely more secure in the cloud than in their private data centers), this is a huge black eye to Rich and Rob’s professional legacy’s. If only they would have spent some of that boasting effort towards ensuring that basic security practices were consistently being practiced on their cloud based infrastructures, this would not have happened. One of them (both?) needs to accept accountability and full responsibility for this massive breach.When you put mission critical information into a cloud “bucket” called “Simple Storage”, maybe you should re-think the risk. That PII information should have been stored in an encrypted database with iron clad access control. The fact that *anyone* outside of Capital One’s team could possibly access the storage and read the contents is a HUGE security failure.Name (required) Email (required) Website CommentClick image for my skimmer series.A New York Times Bestseller! Badguy uses for your PCTools for a Safer PC Spammers Duke it OutYour email account may be worth far more than you imagine.eBanking Best Practices for BusinessesInnovations from the UndergroundID Protection Services ExaminedThe reasons for its declineFile 'em Before the Bad Guys Can A crash course in carding. Sign up, or Be Signed Up! Finding out is not so easy. ...For Online Safety. © 2019 Krebs on Security.  Powered by WordPress.  Privacy Policy
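The comments above make two points a defender can act on: the stolen credentials were short-lived IAM role credentials, and S3 access by those credentials is auditable, so the question is whether anyone was watching for a role session that suddenly lists every bucket and reads across several of them from an unfamiliar address. The following is an added example, not code from the article or any of its commenters: it replays constructed CloudTrail-style S3 records and flags exactly that pattern. The account id, session names, bucket names, IP ranges and the role name reuse are all made up for illustration.

```python
"""Added example, not code from the article or its commenters: a detector that
replays constructed CloudTrail-style S3 records and flags an assumed-role
session that, from an address outside the organisation's known ranges, calls
ListBuckets and then reads objects across several buckets. The account id,
session names, bucket names and IP addresses are all constructed."""
import json
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed: where this hypothetical organisation expects the role to be
# used from (its VPC address space and its office egress range).
EXPECTED_SOURCES = [ip_network("10.0.0.0/8"), ip_network("203.0.113.0/24")]

# Constructed session ARNs in the shape STS gives assumed-role sessions.
WAF_SESSION = "arn:aws:sts::111122223333:assumed-role/ISRM-WAF-Role/i-0ab12cd34ef56"
OTHER_SESSION = "arn:aws:sts::111122223333:assumed-role/ISRM-WAF-Role/i-0ff99ee88dd77"


def _event(time, name, ip, arn, bucket=None, key=None):
    """Build one CloudTrail-like record with only the fields the detector reads."""
    rec = {"eventTime": time, "eventSource": "s3.amazonaws.com", "eventName": name,
           "sourceIPAddress": ip, "userIdentity": {"type": "AssumedRole", "arn": arn}}
    if bucket is not None:
        rec["requestParameters"] = {"bucketName": bucket, "key": key}
    return rec


# Constructed newline-delimited log: routine use of the role from inside the
# VPC; then the same session's credentials used from an unexpected address to
# list every bucket and read from three of them; then a lone read elsewhere.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    _event("2019-03-22T14:01:07Z", "GetObject", "10.0.4.17", WAF_SESSION,
           "waf-logs", "2019/03/22.log"),
    _event("2019-03-22T14:03:41Z", "ListBuckets", "198.51.100.23", WAF_SESSION),
    _event("2019-03-22T14:03:55Z", "GetObject", "198.51.100.23", WAF_SESSION,
           "apps-archive-2016", "part-0001.csv"),
    _event("2019-03-22T14:04:02Z", "GetObject", "198.51.100.23", WAF_SESSION,
           "apps-archive-2017", "part-0001.csv"),
    _event("2019-03-22T14:04:30Z", "GetObject", "198.51.100.23", WAF_SESSION,
           "apps-export", "dump.csv"),
    _event("2019-03-22T15:10:00Z", "GetObject", "192.0.2.9", OTHER_SESSION,
           "public-assets", "logo.png"),
])


def parse_events(text):
    """Parse newline-delimited JSON records, sorted by time so that
    'list first, then read' can be checked in order."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    return sorted(events, key=lambda e: e["eventTime"])


def is_expected_source(ip):
    """True if ip lies inside one of the organisation's known ranges.
    CloudTrail sometimes records a service name (e.g. 's3.amazonaws.com')
    in this field; that is not an external client, so it counts as expected."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return True
    return any(addr in net for net in EXPECTED_SOURCES)


def find_suspicious_sessions(events, min_objects=3, min_buckets=2):
    """Return one finding per (session ARN, source IP) that came from an
    unexpected address, called ListBuckets, and afterwards read at least
    min_objects objects spread over at least min_buckets distinct buckets.
    Only reads that follow the ListBuckets call count toward the threshold."""
    state = defaultdict(lambda: {"listed_at": None, "reads": [], "buckets": set()})
    for ev in events:
        ident = ev.get("userIdentity", {})
        if ident.get("type") != "AssumedRole" or ev.get("eventSource") != "s3.amazonaws.com":
            continue
        s = state[(ident["arn"], ev["sourceIPAddress"])]
        if ev["eventName"] == "ListBuckets":
            s["listed_at"] = s["listed_at"] or ev["eventTime"]
        elif ev["eventName"] == "GetObject" and s["listed_at"] is not None:
            params = ev.get("requestParameters", {})
            s["reads"].append(params.get("key"))
            s["buckets"].add(params.get("bucketName"))
    findings = []
    for (arn, ip), s in state.items():
        if is_expected_source(ip) or s["listed_at"] is None:
            continue
        if len(s["reads"]) >= min_objects and len(s["buckets"]) >= min_buckets:
            findings.append({"session": arn, "source_ip": ip, "listed_at": s["listed_at"],
                             "objects": len(s["reads"]), "buckets": sorted(s["buckets"])})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_sessions(parse_events(SAMPLE_LOG)):
        print(f"{f['session']} from {f['source_ip']}: ListBuckets at {f['listed_at']}, "
              f"then {f['objects']} GetObject calls across {f['buckets']}")
```

The internal session and the single external read are deliberately left unflagged so the thresholds, not the source address alone, drive the alert; in practice the expected ranges would come from the VPC and egress inventory rather than a constant.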
    krebsonsecurity.com
    Federal prosecutors this week charged a Seattle woman with stealing data from more than 100 million credit applications made with Capital One Financial Corp. Incredibly, much of this breach played out publicly over several months on social media and other open online platforms. What follows is a closer look at the accused, and what this incident may mean for consumers and businesses.

    Paige “erratic” Thompson, in an undated photo posted to her Slack channel.

    On July 29, FBI agents arrested Paige A. Thompson on suspicion of downloading nearly 30 GB of Capital One credit application data from a rented cloud data server. Capital One said the incident affected approximately 100 million people in the United States and six million in Canada.

    That data included approximately 140,000 Social Security numbers and approximately 80,000 bank account numbers on U.S. consumers, and roughly 1 million Social Insurance Numbers (SINs) for Canadian credit card customers.

    “Importantly, no credit card account numbers or log-in credentials were compromised and over 99 percent of Social Security numbers were not compromised,” Capital One said in a statement posted to its site.

    “The largest category of information accessed was information on consumers and small businesses as of the time they applied for one of our credit card products from 2005 through early 2019,” the statement continues. “This information included personal information Capital One routinely collects at the time it receives credit card applications, including names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth, and self-reported income.”

    The FBI says Capital One learned about the theft from a tip sent via email on July 17, which alerted the company that some of its leaked data was being stored out in the open on the software development platform Github. That Github account was for a user named “Netcrave,” which includes the resume and name of one Paige A. Thompson.

    The tip that alerted Capital One to its data breach.

    The complaint doesn’t explicitly name the cloud hosting provider from which the Capital One credit data was taken, but it does say the accused’s resume states that she worked as a systems engineer at the provider between 2015 and 2016. That resume, available on Gitlab here, reveals Thompson’s most recent employer was Amazon Inc.

    Further investigation revealed that Thompson used the nickname “erratic” on Twitter, where she spoke openly over several months about finding huge stores of data intended to be secured on various Amazon instances.

    The Twitter user “erratic” posting about tools and processes used to access various Amazon cloud instances.

    According to the FBI, Thompson also used a public Meetup group under the same alias, where she invited others to join a Slack channel named “Netcrave Communications.”

    KrebsOnSecurity was able to join this open Slack channel Monday evening and review many months of postings apparently made by Erratic about her personal life, interests and online explorations. One of the more interesting posts by Erratic on the Slack channel is a June 27 comment listing various databases she found by hacking into improperly secured Amazon cloud instances.

    That posting suggests Erratic may also have located tens of gigabytes of data belonging to other major corporations:

    According to Erratic’s posts on Slack, the two items in the list above beginning with “ISRM-WAF” belong to Capital One.

    Erratic also posted frequently to Slack about her struggles with gender identity, lack of employment, and persistent suicidal thoughts. In several conversations, Erratic makes references to running a botnet of sorts, although it is unclear how serious those claims were. Specifically, Erratic mentions one botnet involved in cryptojacking, which uses snippets of code installed on Web sites — often surreptitiously — designed to mine cryptocurrencies.

    None of Erratic’s postings suggest Thompson sought to profit from selling the data taken from various Amazon cloud instances she was able to access. But it seems likely that at least some of that data could have been obtained by others who may have followed her activities on different social media platforms.

    Ray Watson, a cybersecurity researcher at cloud security firm Masergy, said the Capital One incident contains the hallmarks of many other modern data breaches.

    “The attacker was a former employee of the web hosting company involved, which is what is often referred to as insider threats,” Watson said. “She allegedly used web application firewall credentials to obtain privilege escalation. Also the use of Tor and an offshore VPN for obfuscation are commonly seen in similar data breaches.”

    “The good news, however, is that Capital One Incidence Response was able to move quickly once they were informed of a possible breach via their Responsible Disclosure program, which is something a lot of other companies struggle with,” he continued.

    In Capital One’s statement about the breach, company chairman and CEO Richard D. Fairbank said the financial institution fixed the configuration vulnerability that led to the data theft and promptly began working with federal law enforcement.

    “Based on our analysis to date, we believe it is unlikely that the information was used for fraud or disseminated by this individual,” Fairbank said. “While I am grateful that the perpetrator has been caught, I am deeply sorry for what has happened. I sincerely apologize for the understandable worry this incident must be causing those affected and I am committed to making it right.”

    Capital One says it will notify affected individuals via a variety of channels, and make free credit monitoring and identity protection available to everyone affected.

    Bloomberg reports that in court on Monday, Thompson broke down and laid her head on the defense table during the hearing. She is charged with a single count of computer fraud and faces a maximum penalty of five years in prison and a $250,000 fine. Thompson will be held in custody until her bail hearing, which is set for August 1.

    A copy of the complaint against Thompson is available here.

    Update, 3:38 p.m. ET: I’ve reached out to several companies that appear to be listed in the last screenshot above. Infoblox [an advertiser on this site] responded with the following statement:

    “Infoblox is aware of the pending investigation of the Capital One hacking attack, and that Infoblox is among the companies referenced in the suspected hacker’s alleged online communications. Infoblox is continuing to investigate the matter, but at this time there is no indication that Infoblox was in any way involved with the reported Capital One breach. Additionally, there is no indication of an intrusion or data breach involving Infoblox causing any customer data to be exposed.”


     Tags: Capital One breach, GitHub, Masergy, Paige A. Thompson, Ray Watson, Slack, twitter

    This entry was posted on Tuesday, July 30th, 2019 at 9:59 am and is filed under Data Breaches, Ne'er-Do-Well News.




    Am I missing something here? How did she exploit the actual WAF? People are suggesting she used the default admin credentials? But.. wouldn’t the admin console of a WAF only way accessible from the internal network? Kinda like your home router admin console can only accessed by the private IP. The only other thing I can think of using is malformed requests like sql injection to elevate. Was the WAF not configured to block that?I don’t think they did.As I read the complaint, they ran a simple, three line program (using aws cli or one of the libraries like the powershell one) that used API credentials, did a “list buckets” then a “sync bucket”the credentials were for “ISRM-WAF-Role” but an actual WAF wasn’t touched.Speculation (and it’s just that at this time) is that “credentials” (access tokens, etc) were retrieved from the AWS Metadata API via a web application with a SSRF vulnerabilty. I guess the idea is that the WAF, if properly configured, should have prevent the SSRF exploit? Do a search on “exploiting AWS metadata service” for more infos.Yup. Seen a few comments that make sense there; the WAF was apparently a third party, marketplace instance rather than AWS’ own, and for such instances, if you can induce them to connect to the http://169.254.169.254/ meta-data endpoint on your behalf, you can pull ephemeral API keys to use with AWS CLI.VPC = Amazon VPN essentially. She was on the VPC.Actually, VPC = Virtual Private Cloud. That’s effectively the equivalent of a virtual datacenter within AWS. Customers can carve out multiple VPCs and have totally isolated environments. One of several AWS services that allows customers to create a connection back to their on premise datacenter is a CGW (Customer Gateway) and is typically associated with either a site to site VPN or AWS DirectConnect. DirectConnect is a private MPLS connection whereas the VPN would be an IPSec tunnel back to VPN gateway on the remote end. 
Of course the VPN connected to the VPC is across the Internet. Guys, keep in mind that even though they were using a WAF, the WAF is only as good as the security policy applied to it. WAFs can be very complex to manage and maintain and, in many cases, require the configuration to be modified as there are changes to the web application it’s protecting. If the customer makes changes to the application but doesn’t modify the WAF policy, they might be vulnerable to attacks focused in areas the WAF doesn’t know to protect. There are WAFs on the market that don’t require constant care and feeding, but who knows which product they were actually using.Please don’t comment if you have no clue what you’re talking about. VPC is a Virtual Private Cloud, not VPN. As others mentioned, it’s basically a virtual datacenter. Thanks for fake news.I don’t really care about the breach.I care that twitter memory-holed the perpetrator’s account for no reason other than being accused of a crime. Tangentially, Erratic is no she. He clearly is a dude in costume.If this individual tweeted about anything political that wasn’t left-leaning they’d have deleted that individuals account quickly. I don’t trust twitter and no one else should either. This individual needs mental help. Perhaps jail can be the start of the reform this individual needs.how is this relevant or important?
    “Erratic also posted frequently to Slack about her struggles with gender identity, lack of employment, and persistent suicidal thoughts.”Because these are what are known as “indicators” of terrorists and other potential criminal activity, according to my annual IA awareness training. Those who express frustration of their situations, inability to cope with life circumstances, or expressions of suicidal thoughts. All indications that the person is unstable and likely to make poor judgement decisions.BS… I take the same awareness training, and I know the cheesy vignette you are talking about.
    It does NOT lump all mental health problems as indicators. There are none that mention gender identity or even depression.
    They do, however, mention divorce and other financial stressors as indicators to look out for when it comes to insider threats.REally you were trained? it does not sound like it, sounds like you need a lot more…. WOW!Yes kid… I have taken the annual training many many times. Sick of it frankly.But a kid of your age wouldn’t even be old enough to be included in the training. Since you don’t know what is even being discussed here… let me break it down.It is about spotting behavioral indicators of insider threats. Divorce, personal debt and gambling problems are big indicators. Being disgruntled at work definitely. There are several others. But none of them are based on depression, suicidal thoughts or gender identity.
    That is just bigotry being expressed and trying to tie that to the training.Luckily, there is other training available for that. See your SHARP advisor.It is important to note because 40% of the transgender community successfully deploy the suicide module to their production code base. Its clear this person and the larger community as a whole are seriously mentally ill. Why as a society we are expected to buy into this delusion by using “she” for what is obviously a dude is beyond me.If you want to malign the transgender community, then do it from a position of facts and not opinions. Every reputable medical organization has said that it is NOT a mental disorder and WPATH has changed it so it is no longer a mental illness.Why can we pretend we’re another gender, but we can’t pretend we’re another age or species? I’d love to collect Social Security at 35 years old, but I can’t “identify” as an age I’m not. I’d also love to pretend I’m a grizzly bear, eat salmon all day, and not have to pay taxes because I’m not a human, but I can’t “identify” as a species I’m not. Why are we allowing this delusion to continue? You’d think people were mentally unstable which do the two things I laid out, correct? Why is this any different? People are literally mutilating themselves to change something they are born as because they “identify” as something else. That’s not a mental illness?! Come on, it’s pure logic.If you serious want a scientific answer… but I fear you don’t…“Why can we pretend we’re another gender, but we can’t pretend we’re another age or species?”https://www.sciencealert.com/watch-we-were-once-all-female
    “It may come as a surprise to some of our male readers, but you all actually started out as females – physically and phenotypically speaking. So how is this possible? Well, we all know that when a man and a woman make a tiny human, they each provide 23 chromosomes. One pair of chromosomes helps to determine the baby’s sex – two X chromosomes and it’ll be a female and an X chromosome from the mother and a Y chromosome from the father and it’ll be a male. The key here, explains the episode of AsapSCIENCE above, is that the Y chromosome doesn’t kick in right away. ”https://www.ncbi.nlm.nih.gov/books/NBK222286/
    “All human individuals—whether they have an XX, an XY, or an atypical sex chromosome combination—begin development from the same starting point. During early development the gonads of the fetus remain undifferentiated; that is, all fetal genitalia are the same and are phenotypically female. ”—————It is not a conscience choice, it is not “pretend”.
    There is a LOT that happens during fetal development and development all the way to adolescence… that determines the hormonal and emotional identity in the brain to match genitalia. If all humans started out from conception, as Grizzly Bears… then yes, a certain percentage of the adult population would identify as such. So it is only ignorance that we all start out female…. that fuels your lack of understanding and that ridiculous comparison that keeps getting repeated.Why are humans the only mammals that go through this then? Wouldn’t that mean that every single male would, at some point, struggle with an attraction to the same sex and want to identify as the opposite sex? What I’m getting at is this: Is the science behind what you said true? Sure. However, you don’t see every single male wanting to be a female; or every single male attracted to other males. So, what happens in between? What causes this to be the case in a minority of males? There are many studies which show how there is some form of abuse (unfortunately, it’s usually sexual in nature) that occurs with people in the LGBTQ community.https://www.ncbi.nlm.nih.gov/m/pubmed/20658803/?i=3&from=/25942288/related If you plant a seed, you get a tree. Is that tree still considered a seed when it sprouts branches and leaves? No, the seed played a large role in determining the development of the tree. It’s no longer a seed and it can’t identify as a seed any longer. If you abuse the tree when it’s still maturing (e.g., snap some branches, bend the trunk, etc.) you will get a MUCH different looking tree later down the road.People aren’t trees. Plants are WAY different. They don’t even have a sex identity… what’s your point with that silly comparison?There is a LOT of complexity in human development. Yet you insist with over-simplification.And yes, in the animal kingdom there is lots of variation in sexual behavior. 
Of course we have not yet met an animal on the same level of intelligent communication to get an idea of percentage of gender identity.But we do not many animals are gay and have somewhat of a spectrum.
    https://en.wikipedia.org/wiki/List_of_animals_displaying_homosexual_behaviorGlad you posted a link… but the fact that they are often abused, isn’t relevant to the conversation. Unless you are comparing many of the comments here as examples of the abuse that trans people face, and that are a major cause for the mental health issue they display. Their “difference” from the norm causes insecure people to lash out, family to disown, and society to ignorantly ridicule. No wonder they have mental issues… when the society of highly social creatures, reject an individual… that is a critical blow to the psyche.. and often fatal.– “If you want a scientific answer, but I fear you don’t”
    – “Glad you posted a link…”There’s no need for condescending, ad hominem attacks, Joe. If you want to have a serious discussion, I’m all for it. But, let’s keep it to the topic instead of being condescending. It absolutely is relevant. This was my whole point which sparked you to chime in: “Why can we pretend we’re another gender, but we can’t pretend we’re another age or species?”Then you had posted that males start out as females, and that proved transgenderism is normal, unlike being a grizzly bear catching salmon all day because we don’t start out as grizzly bears. What I had brought up (pointing back to my original argument) was the “why” behind it. I had told you I agreed about the science; however, it’s not that simple. If it was, then every single male would be either trans or attracted to the same sex. Since that’s clearly not the case, my whole entire point of the “why” the science may be true, but misleading in your argument, was because of some form of abuse, usually at a young age, which forces that unnatural behavior; not some biological reasoning of males starting as females — which somehow proves your point.To your other point, if I am not allowed to use a tree as an example, then wouldn’t you agree that, if you had two dogs: one was abused since it was a puppy and the other was not, these dogs would have wildly different behaviors?My comment comes across as condescending in the same way your question came off as sarcastic and disingenuous.Getting back on topic…“If it was, then every single male would be either trans or attracted to the same sex.”That is absolutist. “Every”… implies deterministic and definite processes at work. But this is biology. Variability is inherent… and there are numerous factors that contribute to probabilities that aren’t absolute.Your argument about abuse seems like the classic nature vs nurture. But like the previous… reality isn’t absolute. It isn’t one or the other… it is usually some combination of both.
    Specifically for sexual/gender identity, the abuse comes AFTER the behavioral differences manifest. Feminine males are ridiculed, as are masculine females.
    So the “why” is probably way more on the “nature” side. Which means yes, they are born that way. But puberty takes a while to fully manifest sexual behavior and identity… so its a delayed reaction to the probabilities in development in the womb, over years.To your dog analogy… it is still an over simplified comparison that attempts to make it easy for a layperson to understand, but in doing so, lacks any science.
    By forcing non-human comparisons, you remove critical context. It is absolutely crucial to compare like sexual development. Not just generic “behavior”.
    In this case, no simple comparison will be adequate. You have to actually study and understand human biology and psychology.So essentially, the “abuse as a cause” argument is not valid. The gender identity comes before the abuse. And the “every single ___ would ___” argument is also completely wrong, as it is absolutist and not in line with the science of biology.That depression comes from uninformed people like you treating them like they are mentally ill for just being themselves.This thread requires Moderation. None of this discussion is relevant to the crimeI know, right? I get some of the discussion about indicators for insider threat, but the thread seem to have taken a ‘Jerry Springer’ tone to it. I’m feeling the need to use one of my shoes to throw at someone while the rest of the thread chants: “Bri-an!””Bri-an!”Unfortunately there remains a large number of scientifically illiterate, misogynistic, and hateful individuals in the information security community.I don’t know what Brian’s moderation guidelines look like, but there are more than a few individuals who regularly visit this site that could use an extended timeout until they can learn to keep their vitriolic opinions to themselves.He’s probably too busy writing the next article to swing the banhammerI swear the moment any transgender topic comes up, everyone loses 50 IQ points.Get over it no one cares that you all hate transgender people.Right? Jesus I stepped into a whole hotbed of hatred. So as an information security professional I am supposed to be on the lookout for trans folk because they are the biggest hacking threat? What garbage is being spewed here.‘Being themselves’ would be however they popped out of the womb. Your enablement of their delusion is what fosters the instability. 
I hope you’re happy.The “Popping out” part of human development may be a nice milestone for the parent… but sexual development is a long process… much of it done way before birth, and some well after birth.All males were initially female. The Y chromosome kicks in later, and the hormonal/emotional aspects take years to fully develop.
    Read a book (a science book), before you set arbitrary landmark moments to declare identity.Thats a whole lot of prejudice and ignorance for only 3 sentences.Transgenderism a mild psychosis, like biting your nails, that doesn’t inhibit your ability to function in society and therefore is not a mental illness in the DSM.HOWEVER, it can progress to Gender Dysphoria, which is indeed a mental illness with a suicide rate of 40%, and is listed in the DSM as a mental illness.And yes, it is a warning indicator.Gender dysphoria, like any other crisis of identity becomes critical and life threatening when they feel that they cannot integrate into a society without wearing a mask. It breaks down the mind, to constantly try to be something they are not. Just because of a disparity between outward physical appearance and hormonal emotional identity.Just like with homosexuality, which had a high suicide rate as well… it drastically falls when they find acceptance in a society that won’t keep trying to define them by appearance.I fully agreeNo, ~40% _attempt_ suicide. Far, far less are successful. And on top of that, most attempts are before transition, not after.(IIRC, the number I usually see is 41% for trans women and 44% for trans men)Because she has mental issues dude! Not that it does not forgive her for the crime but it does maybe explain WHY she did it! Unhappiness, not maliciousness there is a HUGE difference… Maybe she was not in full control? Who knows..>how is this relevant or important?
> “Erratic also posted frequently to Slack about her struggles with gender identity, lack of employment, and persistent suicidal thoughts.”
> They do, however, mention divorce and other financial stressors

If depression, suicidal thoughts, and lack of employment are not financial stressors I’m not sure what are.

I suppose someone can take this as a “glass half empty” comment of criticism of an individual.

One could also take it as a “glass half full” criticism of society: that if someone is pushed, or when clearly vulnerable is not given proper support, their actions can spiral out of control.

The fact that, when I first saw her Twitter account, I thought, “Well that’s a heroin-addicted tranny having a mental breakdown” doesn’t necessarily mean an unsympathetic or uncompassionate response from me; it means I’ve seen people in similar situations and recognized someone in need of help. The heroin is the only thing so far without further supporting evidence that I’ve seen published. To say such observations should not be voiced out loud is to encourage ignoring struggling people for the sake of political correctness.

That someone has gender dysphoria doesn’t mean they are a security risk; however, if they have gender dysphoria and a lack of a social support net they have enhanced vulnerability to situations (like financial distress) known to be security risks.

Not everyone will be able or willing to accept extra help, but when you see someone who is extra vulnerable then extra help should be offered. That isn’t open ended, and at some reasonable point bad employees do need to be fired, but that isn’t the first option to go to in these situations.

Matt, the comments about indicators of insider threats should not be taken out of context. It was in response to the specific annual training program for IA (information assurance). It is not so much for the corporate environment, but rather protection of classified information.
The training is geared toward those susceptible to becoming an insider threat because of significant debt or ideological coercion. It is actually a counter-intelligence tool mostly. Not really the kind of financial strain that would only cause someone to want to make some money on the side… but rather the kind of detrimental situation that a FIS would want to pay someone to be a traitor.

The indicators are more about DIRECT financial stressors. Not some “slippery slope” argument that depression could lead to social problems and lack of employment, which lead to falling behind on bills.

This is why depression isn’t itself an indicator of becoming an insider threat.

Depression, suicidal thoughts… are NOT indicators of any kind. In fact, if a manager would want to dismiss someone for that… HR would have to intervene. That would be discrimination. Lack of employment could eventually lead to such financial stress as to present a corrupting influence. But she never mentioned being in severe debt.

A person can be well employed, all the time… and have instant severe debt that is a MUCH higher indicator. Divorce can take 1/2 of one’s assets. Gambling problems can amplify too.
Being out of work in itself isn’t an indicator.

Be careful not to project something onto a short tweet, as if you really know someone.

People of today use all those reasons after they commit a crime in order to get a lesser sentence. No one wants to take responsibility for their actions.

She was an insider threat, aka this was an insider job. She already had the creds to move about.

If this hack was facilitated by insider knowledge, it seems to me that CapitalOne made a mistake by stating that Amazon was not at all responsible. Especially so early in the investigation. From a legal perspective, it seems to me it would have been better to keep quiet.

Completely agree… why is there not more in the mainstream news about Amazon’s role in this?

Also, did you notice in the criminal complaint that it references “the Cloud Computing Company” throughout the document and does not once mention AWS or Amazon? Why?

Did you hear Amazon is about to be awarded a fed gov. contract in upcoming months? Think about it!!!!!!

Looks like that’s on hold for now: https://www.nytimes.com/2019/08/01/us/politics/amazon-pentagon-contract.html?action=click&module=Top%20Stories&pgtype=Homepage

When I read the “insider threat” mention in this article my sales jargon BS meter went red.
She worked at Amazon, so what? Unless they can say she used some secret Amazon backdoor or some unprovisioned rights from her time of employment, then it isn’t an “insider threat”. It seems more likely that she was someone that had in-depth knowledge of this public cloud computing platform that she was able to leverage to easily pivot and exfiltrate data via some (speculated) weak configuration management practices by CapitalOne. So, under that logic anyone that has used AWS and has a knowledge of the platform and tools could be seen as an “insider”, which I feel is a bit of an excessive stretch of that term.

I’d be willing to bet once all the facts come to light this will likely be another instance of a breach caused by cloud consumer misconfiguration of a cloud platform vs a directly attributable breach due to the provided cloud infrastructure. If that is true, I think the silver lining here is, from what I have read thus far, it sounds like CapitalOne wasn’t extremely negligent as opposed to most other reported breaches caused due to setting data buckets to public access.

Some random security researcher said it’s an insider threat. That doesn’t make it so.

She hasn’t worked at AWS for 3 years. AWS employees do not have access to customer IAM credentials, which would be necessary to pull this off. Never mind the fact the credentials compromised were IAM role credentials. Those rotate every 12 hours. So even if she had credentials by virtue of working at AWS (she doesn’t, as I know from experience), they would have been invalid no later than 12 hours after she stopped working for AWS.

The only thing working at AWS may have helped her with is knowing how the services work. But this is the exact same experience you would get working as an AWS architect for a third-party company.

how is this relevant or important?
“Erratic also posted frequently to Slack about her struggles with gender identity, lack of employment, and persistent suicidal thoughts.”

She’s actually a HE… don’t let the media fool you!

I fully agree.

Eff her. She has “emotional” issues and screws over millions of people? Throw her in the can for 20 years, 30 years. Throw away the key. What an A-hole. Capital One should forgive all my debt as a penalty to them for leaving my info unsecured.

I want my Data Back!
    This is the third breach of information I’ve been involved in.
1.) OPM (Office of Personnel Management) Chinese
    2.) Equifax
3.) Capital One VISA

We need strong Federal Laws protecting citizens from companies collecting & storing any personal data. Period!

I understand your frustration, but don’t miss the fact that these companies are being victimized by criminals. Would you expect to be prosecuted for letting someone break into your home?

If I kept the personal belongings of 106M people in my home with the understanding I’d be keeping them all safe, then yes, I might expect some repercussions.

Which is not to deny the culpability of a bad actor, but to *also* consider the culpability of a victim who has taken on responsibilities regarding the assets they hold on behalf of others. Essentially there were two ‘crimes’ taking place here.

If I store your stuff in my home and then let someone stroll in and take a bunch of it without even locking the door, then yes, I would expect to be prosecuted.

You’ve probably been involved in far more, just not knowingly. There have been over a thousand in the last year.

The real story here is the essential slap-on-the-wrist penalty level for a crime that could result in ruined lives for innocent people. Even if found guilty and given the maximum penalty, there is little real punishment. There should be one count of the crime for each individual whose information was breached. It should be a capital crime. Treating such serious acts as if they are juvenile pranks is a big part of the problem.

Anyone know of a way to get or search the leaked data? Capital One claimed to the CFPB and the court they did not have application data in 2017, but this data leak may show otherwise. After the move to the cloud Capital One started to send cash advance checks to someone whose account was closed 2 years before the cloud move (per public state court records), so this cloud move had problems.

This is how a hacker screams for help…

I am disappointed in how liberal (lenient?) the prosecutor is. This person (he/she?) is just a small fish.
The whole incident shows a systematic failure at the bank. The regulators must create an example by forcing the so-called bank to go out of business; that way other banks will learn a hard lesson and start focusing on protecting their customer data. The very way such a high quantity of data got breached looks silly to me. It could have easily been stopped with simple countermeasures.

Modify the post date please, it is saying July 19 while the actual report date is 29.

General Bill, the date on the post is done in the following format:

DAY (DD – in big font)
Month (MMMM – in small font) Year (YY – in small font)

That 19 you are looking at is July 2019, not July 19, 2019.

CapOne continually sends out invitations to apply for their CC products. They – and all the other marketers of FinSvcs – buy mailing lists that include all sorts of PII – and those DM lists are available from many sources. Why should we believe that our PII is safe in the hands of CapOne – or any other entity that stores our aggregated infos?

Brian, thanks for putting this information together and sharing with the community at large. As with any breach we all can learn from this incident. Looking for techniques that can be deployed to prevent a similar incident if anyone cares to share their thoughts.

I heard a security guy on the radio this morning discussing how AWS has a default configuration for convenience and easy use, rather than being geared towards security. Apparently it cuts down on support costs.

I don’t know if that is true, but I imagine that it’s not too smart to leave things in their default state.

The other thing the guy mentioned is that the stolen data would’ve been in more than one folder or server. (Not sure which, it went over my head.) He was suggesting that the data theft couldn’t have been done by just one person with 3-year-old credentials. So maybe it’s a bigger story.

That’s not true, Amazon’s defaults are reasonable. On the other hand, their S3 bucket permissions model and access control (IAM) is the most baroque, misbegotten, overengineered monstrosity imaginable, and it’s actually surprising misconfigurations like these aren’t found and exploited on an hourly basis.

That security guy has very little experience, from what I can tell.

1.) The default security group for the default VPC allows all traffic on all ports, sure. But if you’re deploying resources for a large bank, you would know to secure your stuff.

2.) IAM roles have no permissions by default. Meaning you can’t do anything with it.
You have to specifically add permissions to allow it to do anything.

3.) ‘3-year-old security credentials’ doesn’t make sense. This is an IAM role we’re talking about. IAM roles use temporary credentials that rotate every 12 hours. There’s absolutely no way the credentials were 3 years old.

The 3-year thing is likely alluding to the fact she worked for AWS as recently as 2016. But AWS employees, even those who work in security and IAM, don’t have access to IAM credentials for user accounts. And if a customer accidentally gives their credentials to AWS (say, when engaging AWS Support), AWS immediately scrubs that information from its servers and tells the customer to rotate their credentials.

Her experience at AWS may have given her some insight on some common misconfigurations and holes to poke at, but it wouldn’t get her access to customer credentials. And even if somehow she did get those credentials 3 years ago, the role credentials would’ve been good for precisely 12 hours.

I know all this from experience.

Well, that is all auditable in AWS Secrets.

But I think the Complaint said she had inside info… and maybe that’s how the DOJ deduced this.

In this interview, Capital One’s CEO brags that their software “encrypts ALL data going to the cloud”. What happened, Rob?
https://www.wsj.com/amp/articles/BL-CIOB-11029?responsive=y

Details are not clear, but even if the data was encrypted, she may have known how to extract decryption keys from applications which accessed the data, based on insider knowledge.

From Capital One’s CIO interview in the Wall Street Journal: “We launched a tool called Cloud Custodian that we built to ensure that we encrypt all data that goes to the cloud. Cloud Custodian monitors our deployment in the public cloud to make sure all the things we deploy comply. If something’s not encrypted, it will automatically encrypt it.”

If “all data” was encrypted, then there was no actual breach, correct?
Or did this banking executive tell a bald-faced lie to the American people?

I mean this could be a systematic failure where the encryption checkbox wasn’t selected during the creation of the bucket. Especially since the level of effort required by Paige Thompson was very little. She claims she didn’t even know she was accessing unencrypted data.

So, um, just curious… Which prison will they be sending Ms. Erratic to? Men’s or women’s?

I suspect she would find herself highly UNappreciated in a women’s prison. But she would probably be greeted with a warm reception in a men’s prison.

What does their gender have to do with this breach or blog post? You snowflakes always get so triggered by people who have a gender identity that offends you.

Since the crime was committed in Washington, it would fall under their state laws:
https://www.aclu-wa.org/docs/rights-transgender-people-washington-state

This case is federal, not prosecuted by the state of Washington.

Also, crime is considered to happen where the victim lives, not the origin of the perpetrator.
With computer crime, it is not feasible to consider the location of servers, victim company HQ, or possible distributed victims… so it’s just federal.

“You don’t hack a bank across state lines from your house, you’ll get nailed by the FBI”
– best movie of all time

The title of the e-mail alerting Capital One says “Leaked s3 data” and S3 is Amazon’s Simple Storage Service. Correct me if I’m wrong.

If other data stores were also accessed through Capital One’s S3 instance, that means that the internal security of the cloud has significant vulnerabilities. It reminds me of the Chinese CloudHopper campaign that was revealed a couple of years ago after having romped about in many cloud providers’ infrastructure for about five years.

I’m not persuaded that cloud providers are any better at security than the city of Baltimore.

There are a lot of transphobic comments on this article. This website is for computer security; comment on the crime at hand and post all of your transphobic nonsense on your own alt-right platform.

Brian Krebs has deleted some of it, but I think he’s getting overwhelmed trying to keep track and moderate.

I agree with that. What is relevant here is: what was extracted; how it was done; what configuration weaknesses allowed this to happen; who may have accessed the exfiltrated data; and what harm may have resulted from any third-party access to that data.

All discussions about the personal life of the former Amazon-employed systems engineer are irrelevant. Discussions about detecting possible “insider threats” from current or former employees may be relevant but are likely to go rapidly off-topic.

Brian is perhaps best placed to comment on the possible uses – or rather misuses – of the classes of data relating to individual applicants. Identity theft and fraud seem the most likely.

The breach began in March, and went undetected through mid-July? Was there no form of monitoring on their S3 buckets to check for unusual traffic patterns or behavior? And no form of threat intelligence program in place to monitor social media, forums, dark web, etc. for hints of breaches? The only thing in place was a tip line/tip email box to place the burden of intel on random tipsters?
As a large financial with customers’ sensitive info across the USA and Canada? Seriously?

Great points! She did a service to society by exposing CapitalOne’s negligence in protecting our personal information.

For a company whose CIO and CEO have been constantly boasting about being first to cloud, cloud journey, cloud transformation (all while simultaneously proclaiming that their customers’ data was infinitely more secure in the cloud than in their private data centers), this is a huge black eye to Rich and Rob’s professional legacies. If only they would have spent some of that boasting effort towards ensuring that basic security practices were consistently being practiced on their cloud-based infrastructures, this would not have happened. One of them (both?) needs to accept accountability and full responsibility for this massive breach.

When you put mission-critical information into a cloud “bucket” called “Simple Storage”, maybe you should re-think the risk. That PII information should have been stored in an encrypted database with iron-clad access control. The fact that *anyone* outside of Capital One’s team could possibly access the storage and read the contents is a HUGE security failure.
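Two technical threads run through the comments above: that the compromised credentials were short-lived IAM role session credentials, and that nothing appears to have watched the S3 buckets for unusual access patterns between March and mid-July. The following is an added example, not code from Krebs on Security, Capital One or AWS: a small Python detector run over constructed CloudTrail-style S3 records. It flags a role session whose temporary credentials are used from outside the address range the role is expected to call from (credentials that have left the instance they were issued to), and a single session that reads from an unusual number of distinct buckets in a short window (enumeration rather than an application doing its job). The record field names follow CloudTrail's schema (eventName, sourceIPAddress, userIdentity.arn, requestParameters.bucketName); the events, the account number, the role name, the allowed CIDR and the thresholds are all assumptions made up for the example.

```python
"""Toy detector for two S3 access anomalies: role credentials used off-network,
and one role session enumerating many buckets.

Added example, not code from Krebs on Security, Capital One or AWS. Input records
are constructed to mirror CloudTrail's S3 event field names; the CIDR, thresholds,
account ID, role and bucket names are assumptions for the example.
"""
import ipaddress
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: this instance role's session credentials are only ever used from
# inside the VPC, so a call from any other address means the temporary
# credentials left the host they were issued to.
ALLOWED_SOURCE_RANGES = [ipaddress.ip_network("10.0.0.0/8")]

# Assumption: one role session reading from this many distinct buckets inside
# WINDOW is enumeration, not normal application traffic.
BUCKET_SPREAD_THRESHOLD = 5
WINDOW = timedelta(minutes=10)

# CloudTrail event names for S3 reads. ListBuckets carries no bucketName, so it
# is only covered by the source-address rule.
READ_EVENTS = {"GetObject", "HeadObject", "ListObjects", "ListObjectsV2"}


def _event(time, name, ip, bucket, role="app-instance-role", session="i-0abc"):
    """Build one constructed CloudTrail-style record (made-up values)."""
    return {
        "eventTime": time,
        "eventSource": "s3.amazonaws.com",
        "eventName": name,
        "sourceIPAddress": ip,
        "userIdentity": {
            "type": "AssumedRole",
            "arn": f"arn:aws:sts::111122223333:assumed-role/{role}/{session}",
        },
        "requestParameters": {"bucketName": bucket} if bucket else None,
    }


# Constructed sample trail: one normal read from inside the VPC, then the same
# role session listing all buckets and reading from several of them from a
# public address a few minutes later.
SAMPLE_EVENTS = [
    _event("2019-03-22T10:00:01Z", "GetObject", "10.0.12.34", "app-uploads"),
    _event("2019-03-22T10:05:00Z", "ListBuckets", "203.0.113.77", None),
] + [
    _event(f"2019-03-22T10:05:{10 + 10 * i:02d}Z", "GetObject", "203.0.113.77",
           f"credit-apps-{2015 + i}")
    for i in range(5)
]
SAMPLE_TRAIL = json.dumps({"Records": SAMPLE_EVENTS})


def parse_time(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def session_of(ev):
    # For an assumed role the ARN identifies role and session name together.
    return ev.get("userIdentity", {}).get("arn", "unknown")


def source_outside_allowed(ip_str):
    """True if the caller address is an IP outside ALLOWED_SOURCE_RANGES.

    CloudTrail puts a service hostname (e.g. 'cloudtrail.amazonaws.com') in this
    field for calls AWS services make on your behalf; those are not flagged.
    """
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False
    return not any(ip in net for net in ALLOWED_SOURCE_RANGES)


def detect(events):
    findings = []
    seen_sources = set()
    by_session = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        sess = session_of(ev)
        by_session[sess].append(ev)
        key = (sess, ev["sourceIPAddress"])
        if key not in seen_sources and source_outside_allowed(ev["sourceIPAddress"]):
            seen_sources.add(key)  # one finding per (session, address) pair
            findings.append({"rule": "role-credentials-used-off-network", "session": sess,
                             "sourceIPAddress": ev["sourceIPAddress"],
                             "firstSeen": ev["eventTime"]})
    for sess, evs in by_session.items():
        touches = [(parse_time(e["eventTime"]), e["requestParameters"]["bucketName"])
                   for e in evs if e["eventName"] in READ_EVENTS and e.get("requestParameters")]
        for start, _ in touches:  # sliding window anchored at each read
            buckets = {b for t, b in touches if start <= t <= start + WINDOW}
            if len(buckets) >= BUCKET_SPREAD_THRESHOLD:
                findings.append({"rule": "bucket-enumeration-burst", "session": sess,
                                 "windowStart": start.isoformat(), "buckets": sorted(buckets)})
                break  # one alert per session is enough
    return findings


def detect_from_trail(trail_json):
    """Run both rules over a CloudTrail delivery document ({"Records": [...]})."""
    return detect(json.loads(trail_json)["Records"])


if __name__ == "__main__":
    for finding in detect_from_trail(SAMPLE_TRAIL):
        print(json.dumps(finding))
```

On the sample trail the detector returns two findings: the session's credentials seen from 203.0.113.77, and the same session touching six distinct buckets within ten minutes. Both rules depend on S3 data events being recorded in CloudTrail (object-level logging is not on by default for a bucket) and on knowing, per role, where its credentials are supposed to be used from; neither rule cares how old the credentials are, which is the point the comments make about short-lived role sessions.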
    © 2019 Krebs on Security.