Capital One hacker Paige A. Thompson has been found guilty. A jury didn’t buy the defense story of a mere ethical hacker embarrassing a big corporation.
But it has to be said that Capital One’s security design was absolutely awful. In 2019, Thompson leaked the data of more than 100 million Capital One customers. And the firm is hardly the only guilty user of AWS to misuse identity and access management (IAM) features.
Sentencing is in 90 days. In today’s SB Blogwatch, we debate how lenient Judge Robert S. Lasnik should be.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: FRASIER (2022).
‘Ethical Hacker,’ said Failed Defense Plea
What’s the craic? Kate Conger reports— “Ex-Amazon Worker Convicted in Capital One Hacking”:
“She had bragged to her online friends”
A Seattle jury found that Paige Thompson, 36, had violated the Computer Fraud and Abuse Act, which forbids access to a computer without authorization. … The jury deliberated for 10 hours before finding Ms. Thompson guilty of five counts of gaining unauthorized access to a protected computer and damaging a protected computer, in addition to the wire fraud charges. … The jury found her not guilty of identity theft and access device fraud.
Her legal team argued that she had used the same tools and methods as ethical hackers. … Last month, the Justice Department told prosecutors that they should no longer use the law to pursue hackers who engaged in “good-faith security research.”
But the Justice Department said… Ms. Thompson had never planned to alert Capital One to the problems [and] she had bragged to her online friends about the vulnerabilities she uncovered and the information she downloaded:… “Ms. Thompson used her hacking skills to steal the personal information of more than 100 million people, and hijacked computer servers to mine cryptocurrency. … Far from being an ethical hacker… she exploited mistakes to steal valuable data and sought to enrich herself. ”
How did she do it? Edward Moyer— “Ex-Amazon Cloud Worker Found Guilty in Capital One Hack”:
“Faces up to  years in prison”
Thompson, a former systems engineer at Amazon Web Services, used a self-made tool to detect misconfigured AWS accounts and then use those accounts to hack into the systems of more than 30 organizations, including Capital One. … In addition to downloading data, she planted cryptocurrency mining software on servers and directed crypto to her online wallet. … Amazon said she’d left the company three years before the hack took place.
Thompson is scheduled to be sentenced Sept. 15… and faces up to 20 years in prison for wire fraud. Illegally accessing a protected computer and damaging a protected computer are punishable by up to five years in prison.
Let’s go deeper, Eric Kedrosky— “Former Amazon Engineer Convicted”:
“Capital One failed to establish effective risk assessment”
What exactly happened in this data breach? March In March of 2019… to get unlimited access to very sensitive data… a malicious action exploited a misconfigured open-source web application that Capital One was using as part of its operations hosted in AWS.
At the time, Capital One investigated the incident and corrected the vulnerability promptly. However, despite receiving credit for its customer notification and remediation efforts, the Office of the Comptroller of the Currency (OCC) issued a Consent Order… including a civil money penalty of $ 80,000,000. … The OCC linked the data breach to problems with Capital One’s cloud migration plan. Back in 2015, Capital One failed to establish effective risk assessment… including appropriate design and implementation of certain network security controls, adequate data loss prevention controls, and effective dispositioning of alerts.
Much deeper, please? This Anonymous Coward obliges:
“Horrible security model”
Once able to exploit the WAF due to the misconfiguration, the main data access was enabled by the fact Capital One leveraged AWS IAM and only AWS IAM for protecting bucket contents. This was a deliberate design decision.
The great flaw in IAM-based protections is that most authorization is instance-based. Compromise the instance and get access to make really any network call and you can use that instance’s profile, regardless of which user you’re running as within the instance.
This is a horrible security model and it was for the overwhelming majority of AWS customers at the time their only security model. … It is possible to provide an additional, secondary layer of protection, [which] enables separation of duties and makes exfiltrated S3 data useless. Most AWS users choose not to do this.
There’s a hole in the bucket, dear Virtucon, a hole:
While I applaud the conviction, does it bother anybody that Ford, U Mich, Capital One, et al. had insecure data in AWS?
Yes, it most certainly does. But don’t expect the situation to improve, thinks thereddaikon:
We aren’t going to see real change until vendors start facing consequences for their negligence. Yes the criminals who exploit these vulnerabilities should go to prison but there also needs to be consequences for companies that don’t bother patching vulnerabilities when they know better.
Who is this caped crusader? Steve King hired her at Netswitch— “Inside the Mind of the Capital One Hacker”:
“Suicide by law enforcement”
I hired Paige Thompson as a contractor in early 2014 to… work on a cybersecurity media platform we were developing. … Over the ensuing months, I got to know Paige and her outlook on life pretty well. [I’d] characterize the attack as motivated by… the need to make a big, bold and dramatic statement.
Maybe Paige’s hacks could be seen as a portfolio of public service warnings. … It is clear to me that these hacks were the culmination of years of frustration over what she would call our, “stupid approaches to cybersecurity.”
She was willing to risk her life and a future locked behind bars for a long time in exchange. Essentially, Paige exhibited all of the classic signs of someone seeking suicide by law enforcement.
Regardless, lock her up. That’s andy 103’s opinion, anyway:
Throw away the key. … She planted cryptocurrency mining software on new servers:… That’s where it goes from – you should be grateful that somebody has found this security hole (and yes, at that point the company should be 100% liable) – to zero tolerance or respect for the person who “found” said hole.
Meanwhile, jalino23 doesn’t know what they’re doing:
This is why, as a frontend developer, I’m scared to deploy to AWS. There are so many things in the dashboard to get it wrong — if you don’t know what you’re doing. And I don’t know what I’m doing.
The ultimate dark reboot
Hat type: Ambegris
Previously in And Finally
You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites… so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE. 30.
Sauce image: Paige A. Thompson