Jeff Bezos feels a tap on the shoulder. Ahem, Mr Amazon, care to explain how Capital One's ...
After last week's revelations that a hacker stole the personal details of 106 million Capital One credit card applicants from its Amazon-hosted cloud storage, a US Senator has demanded Amazon CEO Jeff Bezos explain exactly what went wrong.
The sensitive information was siphoned from Capital One's Amazon Web Services S3 buckets by a former AWS engineer, who was arrested and charged at the end of July.
On Monday this week, Senator Ron Wyden (D-OR) asked Bezos how exactly the data was stolen beyond the scant details released by the bank that it was all due to a "firewall misconfiguration."
Wyden is particularly concerned that other companies that store their data in the AWS cloud may have been hit in the same way by the suspected Capital One thief, Seattle-based software engineer Paige Thompson. He cited reports that Ford, the University of Michigan, the Ohio Department of Transportation, and others may have suffered similar losses of information at the hands of Thompson, and that this may point to a systemic weakness in Amazon's security.
"When a major corporation loses data on 100 million Americans because of a configuration error, attention naturally focuses on that corporation's cybersecurity practices," Wyden wrote [PDF].
"However, if several organisations all make similar configuration errors, it is time to ask whether the underlying technology needs to be made safer, and if the company that makes it shares responsibility for the breaches."
In particular, Wyden wants to know if Amazon-hosted systems potentially suffer from server-side request forgery (SSRF) vulnerabilities: this type of hole can be exploited by miscreants to trick other people's servers into running commands, or handing over data, that they shouldn't. The senator has urged the Amazon billionaire to let him know, by August 13, if any organizations, including Capital One, have had their Amazon-hosted data stolen via an SSRF exploit in the past two years.
Wyden is also investigating claims from a Netflix engineer that the streaming biz asked Amazon for help in preventing SSRF-based attacks and was shunned. Wyden wants to know what movement has been made on this front, seeing as Netflix is an AWS customer case study.
In other words, it is feared that AWS-hosted services can be misconfigured or programmed by some customers – and AWS has more than 1,000,000 active customers – so that they can be infiltrated via SSRF attacks. Netflix wanted an anti-SSRF HTTP header added to its AWS-hosted web servers, and was apparently ignored. Wyden wants to know if Amazon can do anything to actively block SSRF exploitation, or put other barriers in place to prevent data theft.
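To make concrete the kind of hole the senator is asking about, here is an added example (not code from the article, from Amazon, or from Netflix) of a server-side URL-fetching handler in its vulnerable form beside a hardened form. The hardened version only fetches from an allowlist of hosts, refuses embedded credentials and non-HTTP schemes, and checks every address the host resolves to so that a name pointing at loopback, private or link-local space (where cloud instance metadata endpoints typically live) is rejected. The function names, the allowlist and the DNS answers are constructed for the demo; nothing is contacted over the network.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Constructed allowlist: the only hosts this service is meant to fetch from.
ALLOWED_HOSTS = {"images.example.com", "cdn.example.com"}


class SSRFBlocked(Exception):
    """Raised when a requested destination fails validation."""


def resolve_host(host):
    """Resolve every address a hostname maps to (real DNS; the demo and the
    tests pass a stub resolver instead so nothing leaves the machine)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def vulnerable_target(url):
    """Vulnerable form: the server fetches whatever URL the client supplied.
    A request naming an internal host, the loopback address or a link-local
    address is passed straight through, which is the SSRF condition."""
    return url


def validate_target(url, resolver=resolve_host):
    """Hardened form: only http(s), only allowlisted hosts, no embedded
    credentials, and every address the host resolves to must be public.
    Returns the URL to fetch, or raises SSRFBlocked."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https"):
        raise SSRFBlocked(f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname
    if host is None or host.lower() not in ALLOWED_HOSTS:
        raise SSRFBlocked(f"host not on allowlist: {host!r}")
    if parts.username or parts.password:
        raise SSRFBlocked("credentials embedded in URL")
    # Check the resolved addresses, not just the name: an allowlisted name
    # that resolves to loopback, RFC 1918 or link-local space would otherwise
    # still reach internal services.  A name that resolves to nothing is
    # treated as a failure rather than waved through.
    addrs = resolver(host)
    if not addrs:
        raise SSRFBlocked(f"{host} did not resolve")
    for addr in addrs:
        ip = ipaddress.ip_address(addr)
        if not ip.is_global:
            raise SSRFBlocked(f"{host} resolves to non-public address {addr}")
    return url


def is_blocked(url, resolver=resolve_host):
    """True if the hardened check rejects the URL, False if it passes."""
    try:
        validate_target(url, resolver)
    except SSRFBlocked:
        return True
    return False


if __name__ == "__main__":
    # Constructed DNS answers so the demo runs offline.
    fake_dns = {
        "images.example.com": ["1.2.3.4"],   # public, as expected
        "cdn.example.com": ["10.0.0.5"],     # allowlisted name pointing inward
    }
    stub = lambda h: fake_dns.get(h, [])
    for url in [
        "https://images.example.com/logo.png",
        "http://127.0.0.1/admin",
        "http://cdn.example.com/asset.js",
        "ftp://images.example.com/file.bin",
    ]:
        verdict = "blocked" if is_blocked(url, stub) else "allowed"
        print(f"{verdict:7} {url}  (vulnerable form would fetch: {vulnerable_target(url)})")
```

Two caveats a practitioner would add: validating the name before the fetch leaves a window in which DNS can change between the check and the connection, so the HTTP client should connect to the address that was validated rather than re-resolving; and the client must not follow redirects blindly, since a redirect from an allowlisted host to an internal address bypasses every check above unless the redirect target is validated the same way.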
Lest you think Wyden is a knee-jerk Luddite picking on President Trump's least favorite tech leader, he's actually one of the most technologically literate Congresscritters out there. He's strong on encryption and privacy, and, as a senior member of various finance and intelligence congressional committees, he is more than willing to shaft a UK-US free trade deal if Brits dare slap a two-per-cent levy on his digital chums. ®