This article is more than 1 year old
Jeff Bezos feels a tap on the shoulder. Ahem, Mr Amazon, care to explain how Capital One's AWS S3 buckets got hacked?
Senator Wyden fears tech may be insecure by design, urges billionaire to answer a few Qs
After last week's revelations that a hacker stole the personal details of 106 million Capital One credit card applicants from its Amazon-hosted cloud storage, a US Senator has demanded Amazon CEO Jeff Bezos explain what exactly what went wrong.
The sensitive information was siphoned from Capital One's Amazon Web Services S3 buckets by a former AWS engineer, who was arrested and charged at the end of July.
On Monday this week, Senator Ron Wyden (D-OR) asked Bezos how exactly the data was stolen beyond the scant details released by the bank that it was all due to a "firewall misconfiguration."
Wyden is particularly concerned that other companies that store their data in the AWS cloud may have been hit in the same way by the suspected Capital One thief, Seattle-based software engineer Paige Thompson. He cited reports that Ford, the University of Michigan, the Ohio Department of Transportation, and others may have suffered similar losses of information at the hands of Thompson, and that this may point to a systemic weakness in Amazon's security.
"When a major corporation loses data on 100 million Americans because of a configuration error, attention naturally focuses on that corporation's cybersecurity practices," Wyden wrote [PDF].
"However, if several organisations all make similar configuration errors, it is time to ask whether the underlying technology needs to be made safer, and if the company that makes it shares responsibility for the breaches."
In particular, Wyden wants to know if Amazon-hosted systems or customers potentially suffer from server-side request forgery (SSRF) vulnerabilities: this type of hole can be exploited by miscreants to trick other people's servers into executing commands, or coughing up data, they shouldn't. The senator has urged the Amazon billionaire to let him know, by August 13, if any organizations, including Capital One, have had their Amazon-hosted data stolen via an SSRF exploit in the past two years.
Wyden is also investigating claims from a Netflix engineer that the streaming biz asked Amazon for help in preventing SSRF-based attacks and was ignored. Wyden wants to know what movement has been made on this front, seeing as Netflix is an AWS customer case study.
In other words, it is feared that AWS-hosted services can be misconfigured or programmed by some customers – and AWS has more than 1,000,000 active customers – so that they can be infiltrated via SSRF attacks. Wyden wants to know if Amazon can do anything to actively block SSRF exploitation, or put other barriers in place to prevent data theft.
In case the senator doesn't get an answer from AWS, here's a technical summary of the attack on Capital One's cloud infrastructure.
Lest you think Wyden is a knee-jerk Luddite picking on President Trump's least favorite tech leader, he's actually one of the most technologically literate Congresscritters out there. He's strong on encryption and privacy, and, as a senior member of various finance and intelligence congressional committees, he is more than willing to shaft a UK-US free trade deal if Brits dare slap a two-per-cent levy on his digital chums. ®
Updated to add
AWS has responded [PDF] to the senator's letter, the key parts being:
The attack occurred due to a misconfiguration error at the application layer of a firewall installed by Capital One, exacerbated by permissions set by Capital One that were likely broader than intended.
After gaining access through the misconfigured firewall and having broader permissions to access resources, we believe a SSRF attack was used (though is one of several ways an attacker could have potentially gotten access to data once they got in through the misconfigured firewall).
SSRF was not the primary factor in the attack. We are not aware of any other noteworthy SSRF compromises of AWS customers.
Biting the hand that feeds IT
