Jeff Bezos feels a tap on the shoulder. Ahem, Mr Amazon, care to explain how Capital One's ...
After last week's revelations that a hacker stole the personal details of 106 million Capital One credit card applicants from its Amazon-hosted cloud storage, a US Senator has demanded Amazon CEO Jeff Bezos explain exactly what went wrong.
The sensitive information was siphoned from Capital One's Amazon Web Services S3 buckets by a former AWS engineer, who was arrested and charged at the end of July.
On Monday this week, Senator Ron Wyden (D-OR) asked Bezos how exactly the data was stolen beyond the scant details released by the bank that it was all due to a "firewall misconfiguration."
Wyden is particularly concerned that other companies that store their data in the AWS cloud may have been hit in the same way by the suspected Capital One thief, Seattle-based software engineer Paige Thompson. He cited reports that Ford, the University of Michigan, the Ohio Department of Transportation, and others may have suffered similar losses of information at the hands of Thompson, and that this may point to a systemic weakness in Amazon's security.
"When a major corporation loses data on 100 million Americans because of a configuration error, attention naturally focuses on that corporation's cybersecurity practices," Wyden wrote [PDF].
"However, if several organisations all make similar configuration errors, it is time to ask whether the underlying technology needs to be made safer, and if the company that makes it shares responsibility for the breaches."
In particular, Wyden wants to know if Amazon-hosted systems potentially suffer from server-side request forgery (SSRF) vulnerabilities: this type of hole can be exploited by miscreants to trick other people's servers into executing commands, or coughing up data, they shouldn't. The senator has urged the Amazon billionaire to let him know, by August 13, if any organizations, including Capital One, have had their Amazon-hosted data stolen via an SSRF exploit in the past two years.
Wyden is also investigating claims from a Netflix engineer that the streaming biz asked Amazon for help in preventing SSRF-based attacks and was shunned. Wyden wants to know what movement has been made on this front, seeing as Netflix is an AWS customer case study.
In other words, it is feared that AWS-hosted services can be misconfigured or programmed by some customers – and AWS has more than 1,000,000 active customers – so that they can be infiltrated via SSRF attacks. Netflix wanted an anti-SSRF HTTP header added to its AWS-hosted web servers, and was apparently ignored. Wyden wants to know if Amazon can do anything to actively block SSRF exploitation, or put other barriers in place to prevent data theft.
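The SSRF hole described above, in an added example that is not from the article, Amazon or Netflix: a server-side fetcher that connects to whatever host a user-supplied URL names, beside a hardened check that refuses any destination resolving to loopback, private or link-local address space (the ranges where internal services and cloud metadata endpoints live). The function names, the injectable `resolver` parameter and the `.invalid` hostnames are my own assumptions, not anything the article describes.

```python
import ipaddress
import socket
from urllib.parse import urlparse

def _is_internal(ip) -> bool:
    """True for address space an internal fetcher must never be steered toward:
    loopback, RFC 1918 private, link-local, multicast, reserved, unspecified."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped            # ::ffff:10.0.0.1 is still 10.0.0.1
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)

def vulnerable_fetch_target(url: str) -> str:
    """'Before': the server connects to whatever host the caller names."""
    return urlparse(url).hostname or ""

def check_outbound_url(url: str, resolver=socket.getaddrinfo) -> str:
    """'After': allow only http(s) URLs whose *every* resolved address is public,
    so a name answering with one public and one internal address is refused.
    Returns the hostname if allowed, raises ValueError otherwise."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    try:
        infos = resolver(host, parts.port or 80, proto=socket.IPPROTO_TCP)
    except socket.gaierror as exc:
        raise ValueError(f"cannot resolve {host!r}") from exc
    addrs = {ipaddress.ip_address(info[4][0]) for info in infos}
    bad = sorted(str(ip) for ip in addrs if _is_internal(ip))
    if bad:
        raise ValueError(f"{host!r} resolves to internal address(es): {bad}")
    return host

def is_allowed(url: str, resolver=socket.getaddrinfo) -> bool:
    try:
        check_outbound_url(url, resolver)
        return True
    except ValueError:
        return False

def static_resolver(table):
    """Constructed stand-in for DNS (hypothetical): hostname -> list of IPs."""
    def resolve(host, port, **_):
        if host not in table:
            raise socket.gaierror(f"no such host {host!r}")
        return [(None, None, None, "", (ip, port)) for ip in table[host]]
    return resolve
```

Resolving before checking matters: a string allowlist on the hostname alone is defeated by a name that points at an internal address, which is why every address returned by the resolver is inspected.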
Lest you think Wyden is a knee-jerk Luddite picking on President Trump's least favorite tech leader, he's actually one of the most technologically literate Congresscritters out there. He's strong on encryption and privacy, and, as a senior member of various finance and intelligence congressional committees, he is more than willing to shaft a UK-US free trade deal if Brits dare slap a two-per-cent levy on his digital chums. ®