A short overview of the Capital One Data Breach. This presentation was a component of an online webinar for the Caribbean Developer Month 2019 hosted by the Caribbean Developers Group.
3. THE BACKGROUND
• Capital One is a bank holding company that provides credit cards, auto loans, and banking and savings accounts. In 2015, Capital One announced that all new and existing applications would be hosted on AWS.
• Between March and July 2019, an unauthorized user (the hacker) accessed data stored in AWS S3 buckets belonging to Capital One.
• The hacker exfiltrated data covering about 100 million customer records, posted it to a GitHub account that carried their real name, Paige Thompson, and boasted about it in a Slack channel under the handle “erratic”.
• After an outside researcher emailed Capital One about the GitHub posting, the company contacted the FBI, who arrested the hacker and charged them with computer fraud and abuse.
4. THE HACK
• While searching for exposed AWS hosts, the attacker found an EC2 instance running a web application firewall (WAF) as a reverse proxy.
• By supplying a custom header, the attacker made the proxy forward requests of their choosing: one request to the EC2 instance metadata service (169.254.169.254) listed the IAM role attached to the instance, and a second, with the role name appended, returned that role's temporary credentials (Access Key ID, Secret Access Key and session token).
• In this way the attacker obtained AWS keys for an IAM role called ****-WAF-Role.
• Using the stolen keys, the attacker listed the S3 buckets that were accessible to that role.
• The attacker then ran the AWS CLI `aws s3 sync` command to copy the contents of those buckets to their own machine.
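The forwarding weakness described above, as an added example that is neither Capital One's code nor the presenter's: a reverse proxy that sends a request wherever a client-supplied header tells it to, next to a hardened version that refuses link-local, loopback and private destinations before any request is made. The header name `X-Forward-To`, the role name `example-WAF-Role`, the credential values and the in-memory stand-in for the instance metadata service are all constructed for the example; the metadata paths are the real IMDS paths the attacker's two requests hit.

```python
"""Vulnerable and hardened request forwarding for a reverse proxy.

Added example (not from Capital One or the original talk). The vulnerable
forwarder lets a client reach the EC2 instance metadata service and read the
instance role's temporary credentials; the hardened one resolves the target
and refuses internal destinations.
"""
import ipaddress
import json
import socket
from urllib.parse import urlsplit

# Real IMDSv1 path: GET lists the instance's role name, GET <path><role>
# returns that role's AccessKeyId / SecretAccessKey / Token.
IMDS = "http://169.254.169.254/latest/meta-data/iam/security-credentials/"

# Constructed stand-ins; the real role name on the page is elided (****-WAF-Role).
FAKE_ROLE = "example-WAF-Role"
FAKE_CREDENTIALS = {
    "AccessKeyId": "ASIAEXAMPLEKEYID",
    "SecretAccessKey": "example-secret",
    "Token": "example-session-token",
}


def fake_imds_fetch(url):
    """Constructed HTTP client that answers the way IMDSv1 would (no network)."""
    if url == IMDS:
        return FAKE_ROLE
    if url == IMDS + FAKE_ROLE:
        return json.dumps(FAKE_CREDENTIALS)
    return "404 Not Found"


# Ranges an internet-facing proxy should never forward to. The IMDS endpoints
# 169.254.169.254 and fd00:ec2::254 fall inside the first and third entries.
BLOCKED_NETWORKS = [
    ipaddress.ip_network("169.254.0.0/16"),  # IPv4 link-local (IMDS lives here)
    ipaddress.ip_network("fe80::/10"),       # IPv6 link-local
    ipaddress.ip_network("fd00:ec2::/32"),   # IMDS IPv6 endpoint
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("::1/128"),
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("0.0.0.0/8"),
]


def resolve(host):
    """Return every address a host resolves to; IP literals pass straight through."""
    try:
        ipaddress.ip_address(host)
        return [host]
    except ValueError:
        infos = socket.getaddrinfo(host, None)
        return sorted({info[4][0] for info in infos})


def is_blocked_destination(url, resolver=resolve):
    """True if the URL's host resolves to any blocked address.

    The check is on resolved addresses, not the hostname string, so a DNS name
    that points at 169.254.169.254 is caught, and IPv4-mapped IPv6 forms such
    as [::ffff:169.254.169.254] are checked as the IPv4 address they wrap.
    Anything unresolvable or with an unexpected scheme fails closed.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return True
    try:
        addrs = resolver(parts.hostname)
    except (socket.gaierror, OSError):
        return True
    for addr in addrs:
        ip = ipaddress.ip_address(addr)
        if ip.version == 6 and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped
        if any(ip in net for net in BLOCKED_NETWORKS):
            return True
    return False


def vulnerable_forward(headers, fetch):
    """The flaw: forward to whatever the client put in the header."""
    return fetch(headers["X-Forward-To"])


def hardened_forward(headers, fetch, resolver=resolve):
    """Same interface, but refuse internal destinations before fetching."""
    target = headers.get("X-Forward-To", "")
    if is_blocked_destination(target, resolver):
        raise PermissionError("refusing to forward to an internal destination")
    return fetch(target)


def steal_credentials(forward):
    """The attacker's two requests, replayed through a given forwarder."""
    role = forward({"X-Forward-To": IMDS}, fake_imds_fetch)
    return json.loads(forward({"X-Forward-To": IMDS + role}, fake_imds_fetch))


def credentials_exposed(forward):
    """True if the two-request chain yields a key through this forwarder."""
    try:
        return "AccessKeyId" in steal_credentials(forward)
    except PermissionError:
        return False


if __name__ == "__main__":
    print("vulnerable proxy leaks keys:", credentials_exposed(vulnerable_forward))
    print("hardened proxy leaks keys:  ", credentials_exposed(hardened_forward))
```

The destination check is only one layer. AWS later (November 2019, after this talk) introduced IMDSv2, which requires a session token obtained with a PUT request and limits the response's network hop count, so a proxy that merely forwards GET requests can no longer read credentials even if the block list is bypassed; requiring IMDSv2 on the instance and scoping the role's permissions are the other two layers.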
5. THE END
• The root cause of this hack was a misconfiguration: the WAF forwarded attacker-supplied requests to the instance metadata service, and the IAM role attached to the EC2 instance had far more S3 permission than a WAF needs, so the credentials it leaked were enough to list and copy the buckets.
• This hack could have been caught by an AWS-focused penetration test, or by a review of the permissions granted to the instance role.
• The hacker faces up to five years in prison and a USD 250,000 fine on the computer fraud and abuse charge.
• “Security in the Cloud” is increasingly important as more companies move into public and hybrid cloud offerings.
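The permission side of the root cause, as an added example that is not Capital One's policy or the presenter's code: a small evaluator for IAM identity policies, run over two constructed policy documents, one with the service-wide wildcard that lets any holder of the role's keys enumerate and copy buckets, and one scoped to what a WAF instance actually does. Bucket names, the log group, and the account ID `111122223333` are constructed. The evaluator handles Action, Resource, Allow and Deny only; it ignores NotAction, Condition, resource policies and SCPs, so it is a review aid, not a substitute for the IAM policy simulator.

```python
"""Least-privilege check for an EC2 instance role (added example).

Replays the three API actions the attacker needed (list all buckets, list a
bucket, get its objects) against two constructed policies and reports which
ones each policy would have permitted.
"""
import fnmatch
import json

# Constructed: an over-broad policy of the kind that makes stolen keys useful.
OVERLY_BROAD_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}
  ]
}""")

# Constructed: the same role limited to reading its rule set and writing logs.
SCOPED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["s3:GetObject"],
     "Resource": "arn:aws:s3:::example-waf-config/rules/*"},
    {"Effect": "Allow",
     "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
     "Resource": "arn:aws:logs:us-east-1:111122223333:log-group:example-waf:*"}
  ]
}""")

# The calls behind `aws s3 ls` and `aws s3 sync`, with constructed bucket names.
ATTACK_PATH = [
    ("s3:ListAllMyBuckets", "*"),
    ("s3:ListBucket", "arn:aws:s3:::example-customer-data"),
    ("s3:GetObject", "arn:aws:s3:::example-customer-data/2019/records.csv"),
]


def _as_list(value):
    """IAM allows a string or a list in Action and Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    """IAM wildcards: '*' matches any run, '?' one character, case-insensitive."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def is_allowed(policy, action, resource):
    """Evaluate one identity policy: an explicit Deny wins, otherwise any Allow."""
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        if not any(_matches(a, action) for a in _as_list(stmt.get("Action", []))):
            continue
        if not any(_matches(r, resource) for r in _as_list(stmt.get("Resource", []))):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def attack_steps_permitted(policy):
    """Actions from the attacker's chain this policy would have let succeed."""
    return [action for action, resource in ATTACK_PATH
            if is_allowed(policy, action, resource)]


def audit(policy):
    """Findings a reviewer would raise before attaching the policy to a role."""
    findings = []
    for i, stmt in enumerate(_as_list(policy["Statement"])):
        if stmt["Effect"] != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append(f"statement {i}: service-wide action wildcard {actions}")
        if "*" in _as_list(stmt.get("Resource", [])):
            findings.append(f"statement {i}: Resource '*' (every bucket in the account)")
    return findings


if __name__ == "__main__":
    for name, policy in (("broad", OVERLY_BROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, "permits:", attack_steps_permitted(policy))
        print(name, "findings:", audit(policy))
```

With the scoped policy the stolen credentials would still have been a serious finding, but none of the three calls behind the exfiltration would have succeeded, which is the point of reviewing instance roles for least privilege rather than treating the metadata service as the only thing to protect.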
6. THANK YOU
Presenter: Obika Gellineau
Twitter: @AntiPhishClub
References:
• The Capital One Breach & “cloud_breach_s3” CloudGoat Scenario, Rhino Security Labs, https://rhinosecuritylabs.com/aws/capital-one-cloud_breach_s3-cloudgoat/
• Capital One on AWS, AWS, https://aws.amazon.com/solutions/case-studies/innovators/capital-one/