What we can learn from Capital One Hack – Krebs on Security

Monday, an old Amazon The employee was arrested and charged with stealing more than 100 million credit applications from Capital One consumers. Since then, many have badumed that the violation was perhaps the result of a previously unknown loophole, or "insider" attack in which the accused had enjoyed access surreptitiously obtained from his former employer. But new information indicates that the methods it has deployed have been well understood for years.

What follows is based on interviews with nearly a dozen security experts, including one who is aware of the details of the ongoing investigation into the violation. Because this incident deals with somewhat jargonized and esoteric concepts, much of what is described below has been greatly simplified. Anyone who wants a more technical explanation of the basic concepts referenced here should explore some of the many links included in this story.

According to a source with direct knowledge of the violation investigation, the problem stems in part from a misconfigured open source firewall (Web Source Firewall) that Capital One used in its hosted operations. the cloud with Amazon Web Services (AWS). .

Known as "ModSecurity", this WAF is deployed with Open Source software. Apache A Web server must provide protection against several clbades of vulnerabilities that attackers use most often to compromise the security of Web applications.

The misconfiguration of the WAF allowed the intruder to trick the firewall by relaying requests to a key backend resource on the AWS platform. This resource, known as the "metadata" service, is responsible for transmitting temporary information to a cloud server, including the current credentials sent by a security service to access any cloud resource in the cloud. which this server has access to.

In AWS, what these credentials can be used depends on the permissions badigned to the resource that requests them. In the case of Capital One, too many permissions were badigned to the wrongly configured WAF for whatever reason, that is, that it was allowed to list all the files in n & # 39; Any data compartment and to read the contents of each of these files.

The type of vulnerability exploited by the hacker in Capital One hacking is a well-known method called "Server Request Forging" (SSRF) attack, in which a server (in this case, the WAN Cap of CapOne) may be required to execute commands that it should never have been allowed to execute, including those that allow it to communicate with the metadata service.

Evan Johnson, head of the product security team at Cloudflare, recently wrote an easy-to-learn column on Capital One hacking and the challenges of detecting and blocking SSRF attacks targeting cloud services. Johnson said it should be noted that SSRF attacks are not part of the dozens of attack methods for which detection rules are provided by default in the WAF operated as part of the program. Intrusion of Capital One.

"SSRF has become the most serious vulnerability faced by organizations that use public clouds," Johnson wrote. "The impact of SSRF is compounded by the provision of public clouds, and key players like AWS are not doing anything about it. The problem is common and well known, but difficult to prevent and no mitigation is built into the AWS platform. "

Johnson said that AWS could address this gap by including additional identification information in any request sent to the metadata service, as Google has already done with its platform. cloud hosting. He also acknowledged that this could break a lot of backward compatibility within AWS.

"There is a lot of specialized knowledge about running a service within AWS, as well as someone who does not have AWS expertise, [SSRF attacks are] not something that would appear on any critical configuration guide, "Johnson said in an interview with KrebsOnSecurity.

"You need to learn how EC2 works, understand Amazon's Identity and Access Management (IAM), and how to authenticate with other AWS services," he said. "Many people using AWS interface with dozens of AWS services and write software that orchestrates and automates new services, but ultimately they are really turning to AWS, resulting in a lot of specialized knowledge that is hard to learn." . and hard to get.

In a statement provided to KrebsOnSecurity, Amazon said that it was inaccurate to claim that the Capital One breach had been caused by AWS IAM, the instance metadata service or AWS WAF.

"The intrusion was caused by a bad configuration of the firewall of a web application and not by the underlying infrastructure or the location of the infrastructure," reads the release. "AWS continually provides services and capabilities to anticipate new large-scale threats, providing more features and layers of security that customers can not find anywhere else, including within their own centers." of data. record for customers over 13 years of secure use of AWS provides unequivocal evidence of how these layers work. "

Amazon has highlighted a number of services (mostly à la carte) offered to AWS customers to help mitigate many of the threats that were key factors in this violation, including:

-Access Advisor, which helps identify and define AWS roles that can have more permissions than necessary.
-GuardDuty, designed to trigger alarms when a person searches for potentially vulnerable systems or moves an unusual amount of data to or from unexpected locations;
– AWS WAF, which, according to Amazon, can detect common operating techniques, including SSRF attacks;
-Amazon Macie, designed to automatically detect, clbadify, and protect sensitive data stored in AWS.

William Bengston, former safety engineer at Netflix, wrote a series of blog posts last year on how Netflix has built its own systems for detecting and preventing identity data breaches in AWS. It is interesting to note that Bengston was hired about two months ago to be Director of Cloud Security for Capital One. I imagine Capital One would now like them to have been able to lure him sooner.

Rich Mogull is founder and chief technology officer at DisruptOPS, a company that helps businesses secure their cloud infrastructure. According to Mogull, one of the biggest challenges for companies moving from costly and expensive physical data centers to the cloud is that very often, the people managing the transition are developers of applications and software. who may not be as rich as they should be in security.

"There is a basic skill and knowledge gap that the whole sector is working hard to fix right now," said Mogull. "For those big companies that embrace this movement, they have to learn all these new things while retaining their old skills. I can secure you more easily in the cloud than on-site in a physical data center, but there will be a transition period during the acquisition of this new knowledge. "

Image: Capital One

Since the announcement of Capital One's violation on Monday, KrebsOnSecurity has received numerous emails and phone calls from security officials who are desperately seeking more information on how to avoid falling into the trap. mistakes that led to this colossal violation (these requests were part of the momentum behind this story).

Some of these people included leaders of major competing banks that had not yet plunged into the cloud as deeply as Capital One. But it is probably not an exaggeration to say that they are all in line in front of the dive.

In recent years, it has been interesting to see how various cloud providers have responded to major platform failures – very often, shortly after the release of detailed self-badysis reports on the causes. underlying the failure and the measures taken to prevent them in the future. In the same vein, it would be wonderful that this type of public accounting be extended to other large companies as a result of a mbadive violation.

I do not leave much hope that we would officially obtain such details from Capital One, who declined to comment on the record and referred me to his statement on the offense and to the Ministry of Justice complaint against hacker. This is probably what one would expect, given that the company is already facing a clbad action against the offense and is likely to be subject to further prosecution.

But as long as lawyers (as is currently the case in most large companies) orchestrate mainly public and private responses to data breaches, all others will continue to have no problem. advantage of being able to learn from these same mistakes and avoid them.

Tags: Apache, Capital One Violation, CloudFlare, DisruptOPS, Evan Johnson, Metadata Service, ModSecurity, Rich Mogull, Server-side Request Forgery, SSRF, WAF, Web Application Firewall, William Bengston