Capital One Breach: What Security Teams Can Do Now ...

Network Computing Dark Reading

Advertise

About Us

Newest First | Oldest First | Threaded View

[close this box]

50%

tdsan,
User Rank: Ninja
8/27/2019 | 10:18:55 AM

Re: Some people

"Amazon Web Services "was not compromised in any way and functioned as designed," Amazon said in a statement, adding that the reason for the breach was a misconfiguration of firewall settings managed on the cloud server by Capital One, not a vulnerability in the cloud server itself."

This was done intentionally because of the WAF's configuration, it has to be configured to allow such entry (she had insider knowledge). She intentionally modified permissions from the AWS WAF-Role to allow for this type of attack. One thing that they left out, how did she gain access to the AWS cloud environment when the SG (Security Groups) and VPN access should have blocked this intrusion from an mgmt standpoint (again another area of weak security rules and no one reviewing the work).

Also, there is something that was left out, if they (Capital-One) were not notified of the incident and she did not share her experience online, then how long would this have gone on before they would have known (years)?

This is what I mean by organizations who have been lax in their security mechanisms even though they profess to ensure data integrity at all costs (why didn't they know about customer account data being moved or copied, NSA had the same problem with Ed Snowden, if he had not said anything to the public, they would have never known, seems as though history is repeating itself and we continue to miss our lessons-learned).

T

Reply | Post Message | Messages List | Start a Board

100%

tdsan,
User Rank: Ninja
8/25/2019 | 9:16:30 AM

Excellent write up

Excellent write-up, you brought up some valid and key points. One thing that may have been overlooked by Capital one is that this may have been planned from the beginning. But I do think the infiltration or compromise was much easier than that.

When she worked for capital one, she intentionally created a back door where she had implemented credentials under another name as well as misconfigured the WAF intentionally; remember, she had full access to the security section of AWS therefore she had access to all of the access and secret keys. But it will be interesting to see what unfolds in the next few months as more case information is brought to the public.

T

Reply | Post Message | Messages List | Start a Board

Editors' Choice

Enterprises Remain Riddled With Overprivileged Users -- and Attackers Know It

Robert Lemos, Contributing Writer, 4/1/2021

Inside the Ransomware Campaigns Targeting Exchange Servers

Kelly Sheridan, Staff Editor, Dark Reading, 4/2/2021

Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain

Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia, 3/30/2021

Live Events

Webinars

Cybersecurity Risk Management FREE Event 4/22

Earn (ISC)2 CPEs at Interop Digital, April 29

More Informa Tech Live Events

White Papers

What Elite Threat Hunters See That Others Miss: Case Study

Are We Cyber-Resilient? The Key Question Every Organization Must Answer

10 Must-Have Capabilities for Stopping Malicious Automation Checklist

SANS 2021 Cyber Threat Intelligence Survey

What is Pure Signal RECON?

More White Papers

Cartoon

Post a Comment

Cartoon Archive

Current Issue

2021 Top Enterprise IT Trends

We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!

Download This Issue!

Back Issues | Must Reads

Flash Poll

All Polls

Reports

Battle for the Endpoint

How to build a new cyber strategy for 2021 and beyond.

Download Now!

How Enterprises are Developing Secure Applications

0 comments

Assessing Cybersecurity Risk in Today's Enterprises

0 comments

The Malware Threat Landscape

0 comments

More Reports

Twitter Feed

Tweets about "from:DarkReading OR @DarkReading"

Bug Report

Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database

CVE-2021-22879
PUBLISHED: 2021-04-14

Nextcloud Desktop Client prior to 3.1.3 is vulnerable to resource injection by way of missing validation of URLs, allowing a malicious server to execute remote commands. User interaction is needed for exploitation.

CVE-2021-27989
PUBLISHED: 2021-04-14

Appspace 6.2.4 is vulnerable to stored cross-site scripting (XSS) in multiple parameters within /medianet/sgcontentset.aspx.

CVE-2021-25316
PUBLISHED: 2021-04-14

A Insecure Temporary File vulnerability in s390-tools of SUSE Linux Enterprise Server 12-SP5, SUSE Linux Enterprise Server 15-SP2 allows local attackers to prevent VM live migrations This issue affects: SUSE Linux Enterprise Server 12-SP5 s390-tools versions prior to 2.1.0-18.29.1. SUSE Linux Enterp...

CVE-2021-28797
PUBLISHED: 2021-04-14

A stack-based buffer overflow vulnerability has been reported to affect QNAP NAS devices running Surveillance Station. If exploited, this vulnerability allows attackers to execute arbitrary code. QNAP have already fixed this vulnerability in the following versions: Surveillance Station 5.1.5.4.3 (an...

CVE-2020-36323
PUBLISHED: 2021-04-14

In the standard library in Rust before 1.50.3, there is an optimization for joining strings that can cause uninitialized bytes to be exposed (or the program to crash) if the borrowed string changes after its length is checked.

To save this item to your list of favorite Dark Reading content so you can find it later in your Profile page, click the "Save It" button next to the item.

If you found this interesting or useful, please use the links to the services below to share it with other readers. You will need a free account with each service to share an item via that service.
Tweet This
[close this box]