Capital One US and Canada breach

[Kevin Beaumont 96]

Indictment PDF: https://www.dropbox.com/s/z7u5rxcdajuvw6t/19718675504.pdf?dl=0

A bunch of things stand out:

• Why did the WAF account apparently have access to the S3 storage buckets?
• Why wasn't the data of hundreds of millions of people's credit checks encrypted?  Should that kind of data have been left for so long in cloud buckets?
• Why didn't they notice all these S3 buckets being sync'd to a random VPN IP address?  It happened 4 months ago.
• Why didn't they notice the Gitlab pages listing their config?
• Why didn't they notice until somebody random emailed them to tell them?

I don't know if more details will go public (they probably don't want it to get to trial for obvious reasons).

I guess lessons learned from outside looking in is:

- Monitoring.  Ingest your cloud logs.  Alert against them.  Monitor sites like Github and Gitlab for obviously sensitive information, e.g. usernames, bucket names etc.

And yes, this is the kind of incident that would (and still will) catch many orgs with their pants down, Capital One aren't alone.  It looks like the same person behind this one hit other fintech orgs too, looking at their online files - I'm going to guess they haven't noticed yet either.

[Eoin Keary 2]

Yep the fact there was no encryption (RDS/KMS is easy to use) is unfortunate. 

[allison nixon 9]

https://krebsonsecurity.com/2019/08/what-we-can-learn-from-the-capital-one-hack/