Technical details of the Capital One hack on AWS

On July 19, 2019, Capital One received the message that every modern company dreads: a data breach had occurred. More than 106 million people were affected: 140,000 US Social Security numbers, one million Canadian Social Insurance numbers, 80,000 bank account numbers. Unpleasant, wouldn't you agree?

Unfortunately, the hack did not happen on July 19. As it turned out, Paige Thompson, a.k.a. Erratic, acted between March 22 and March 23, 2019. That is almost four months earlier. In fact, it was only with the help of outside consultants that Capital One was able to discover that something had happened at all.

A former Amazon employee was arrested and faces a $250,000 fine and five years in prison... Why? Because many companies that have suffered hacks are trying to shed responsibility for hardening their infrastructure and applications amid the rise in cybercrime.

However, you can google this story yourself. We won't go into the drama, but talk about the technical side of the matter.

First, what happened?

Capital One had about 700 S3 buckets in use, which Paige Thompson copied and drained.

Second, is this another case of a misconfigured S3 bucket policy?

No, not this time. Here she gained access to a server with a misconfigured firewall and carried out the whole operation from there.

Wait, how is that possible?

Well, let's start with getting into the server, although there are not many details. We were only told that it was done through a "misconfigured firewall". So, something as simple as incorrect security group settings, or the configuration of the web application firewall (Imperva), or the network firewall (iptables, ufw, shorewall, etc.). Capital One simply admitted its fault and said it had closed the hole.

Stone said Capital One did not initially notice the firewall vulnerability but acted quickly once it became aware of it. This was certainly helped by the fact that the hacker allegedly left key identifying information in the public domain, Stone said.

If you are wondering why we don't go deeper into this part, please understand that with so little information we can only speculate. That makes no sense, since the hack relied on a hole left open by Capital One. And unless they tell us more, we would just be listing every way Capital One could have left their server open, combined with every way someone could exploit each of those options. These flaws and techniques range from the stupidly obvious to the extremely complex. Given the range of possibilities, this would become a long saga with no real conclusion. So let's focus on analyzing the part where we actually have facts.

So, the first takeaway: know what your firewall allows.

Establish a policy or proper process to ensure that ONLY what needs to be open is open. If you use AWS resources like Security Groups or Network ACLs, the checklist to audit can obviously get long... but just as many resources are created automatically (i.e., CloudFormation), their auditing can be automated too. Whether it's a homemade script that scans new objects for flaws, or something like a security audit step in the CI/CD process... there are plenty of easy options to prevent this.
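As an added illustration of such a "homemade script" (not code from the original article or from Capital One), the function below walks security group rules in the shape returned by boto3's `ec2.describe_security_groups()` and flags ingress open to the whole internet on anything other than an allowlisted port. The sample groups and the allowlist of ports 80/443 are constructed assumptions.

```python
from typing import Dict, List

# Assumption: only the web ports may be world-reachable on this tier.
ALLOWED_PUBLIC_PORTS = {80, 443}
WORLD = {"0.0.0.0/0", "::/0"}

# Constructed sample in describe_security_groups() shape: one sane rule,
# one SSH rule open to the world, one all-traffic rule open over IPv6.
SAMPLE_GROUPS = {
    "SecurityGroups": [
        {"GroupId": "sg-0aaa", "GroupName": "web",
         "IpPermissions": [
             {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
              "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
        {"GroupId": "sg-0bbb", "GroupName": "app",
         "IpPermissions": [
             {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
              "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
             {"IpProtocol": "-1",
              "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    ]
}

def _world_open(perm: Dict) -> bool:
    """True if any IPv4 or IPv6 range on the rule is the whole internet."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return any(c in WORLD for c in cidrs)

def find_open_ingress(groups: Dict) -> List[str]:
    """Return 'sg-id:proto:ports' for every world-open rule outside the allowlist."""
    findings = []
    for sg in groups["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            if not _world_open(perm):
                continue
            proto = perm["IpProtocol"]
            if proto == "-1":                      # all protocols, all ports
                findings.append(f"{sg['GroupId']}:all:all")
                continue
            lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
            if any(p not in ALLOWED_PUBLIC_PORTS for p in range(lo, hi + 1)):
                findings.append(f"{sg['GroupId']}:{proto}:{lo}-{hi}")
    return findings

if __name__ == "__main__":
    for finding in find_open_ingress(SAMPLE_GROUPS):
        print("world-open ingress:", finding)
```

Feed it the live output of `describe_security_groups()` from a CI job and fail the pipeline on a non-empty result.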

The "funny" part of the story is that if Capital One had plugged the hole in the first place... nothing would have happened. And so, frankly, it is always shocking to see how something really quite simple becomes the sole reason a company gets hacked. Even one as big as Capital One.

So, the hacker is in. What happens next?

Well, after breaking into an EC2 instance... a lot can go wrong. You are practically walking on a knife's edge if you let someone get that far. But how did she get into the S3 buckets? To understand this, let's discuss IAM roles.

So, one way to access AWS services is to be a user. OK, that's pretty obvious. But what if you want to give other AWS services, such as your application servers, access to your S3 buckets? That is what IAM roles are for. They consist of two components:

  1. Trust policy: which services or people can use this role?
  2. Permissions policy: what is this role allowed to do?

For example, you want to create an IAM role that allows EC2 instances to access an S3 bucket. First, the role is set up with a Trust Policy that allows EC2 (the whole service) or specific instances to "assume" the role. By assuming a role, they can use the role's permissions to perform actions. Second, the Permissions Policy allows the service/person/resource that has "assumed the role" to do something on S3, whether that is accessing one specific bucket... or 700, as in the Capital One case.
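To make the two halves concrete, here is an added example (not Capital One's or AWS's code) with a trust policy for EC2, an over-broad permissions policy of the "every bucket" shape, a least-privilege one scoped to a single bucket, and a small lint that flags the broad shape. The policy documents, the bucket name and the account id are constructed.

```python
from typing import Dict, List

TRUST_POLICY = {  # who may assume the role: here, the EC2 service
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"Service": "ec2.amazonaws.com"},
                   "Action": "sts:AssumeRole"}],
}

BROAD_PERMISSIONS = {  # every S3 action on every bucket in the account
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}

SCOPED_PERMISSIONS = {  # least privilege: read one constructed bucket only
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": ["s3:GetObject", "s3:ListBucket"],
                   "Resource": ["arn:aws:s3:::app-assets-example",
                                "arn:aws:s3:::app-assets-example/*"]}],
}

def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]

def lint_role(trust: Dict, perms: Dict) -> List[str]:
    """Return human-readable findings; an empty list means nothing flagged."""
    findings = []
    for st in trust["Statement"]:
        principal = st.get("Principal")
        if principal == "*" or principal == {"AWS": "*"}:
            findings.append("trust: role assumable by any principal")
    for st in perms["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action", []))
        resources = _as_list(st.get("Resource", []))
        s3_wild = any(a in ("s3:*", "*") for a in actions)
        res_wild = any(r in ("*", "arn:aws:s3:::*") for r in resources)
        if s3_wild:
            findings.append(f"perms: wildcard S3 action {actions}")
        if res_wild and any(a.startswith("s3:") or a == "*" for a in actions):
            findings.append("perms: S3 access granted on every bucket")
    return findings
```

`lint_role(TRUST_POLICY, BROAD_PERMISSIONS)` returns two findings, while the scoped policy returns none; the same check can run over role documents pulled with `iam.get_role` and `iam.get_role_policy`.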

When you are on an EC2 instance with an IAM role, you can obtain credentials in several ways:

  1. You can request the metadata at http://169.254.169.254/latest/meta-data

    Among other things, you can obtain the IAM role with one of its access keys at this address. Of course, only if you are on the instance.

  2. Use the AWS CLI...

    If the AWS CLI is installed, it is loaded with the credentials from the IAM role, if there is one. All that remains is to act through the role. Of course, if their Trust Policy was open, Paige could do everything directly.

So, the purpose of IAM roles is to allow certain resources to act on your behalf on other resources.

Now that you understand IAM roles, we can talk about what Paige Thompson did:

  1. She gained access to the server (an EC2 instance) through the hole in the firewall

    Whether it was security groups/ACLs or their own web application firewall, the hole was probably quite easy to plug, as stated in the official records.

  2. Once on the server, she could act "as if" she were the server itself
  3. Because the server's IAM role allowed S3 access to these 700+ buckets, she could access them

From that point on, all she had to do was run the List Buckets command and then the Sync command from the AWS CLI...
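That "list, then sync everything" sequence is also what a defender can look for. The added example below (not from the original article) runs a simple detection over CloudTrail-shaped S3 data events: an instance role that calls ListBuckets and then reads from an unusually large number of distinct buckets within a short window gets flagged. The events, role ARN, account id, threshold and window are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional

BUCKET_THRESHOLD = 5            # distinct buckets one session may touch (assumed)
WINDOW = timedelta(minutes=30)  # counted from the ListBuckets call (assumed)

def _ev(t: str, name: str, arn: str, bucket: Optional[str] = None) -> Dict:
    """Build a minimal CloudTrail-like event record (constructed test data)."""
    e = {"eventTime": t, "eventName": name,
         "userIdentity": {"arn": arn}, "requestParameters": {}}
    if bucket:
        e["requestParameters"]["bucketName"] = bucket
    return e

ROLE = "arn:aws:sts::111122223333:assumed-role/app-role/i-0abc"  # constructed
OTHER = "arn:aws:sts::111122223333:assumed-role/app-role/i-0def"  # constructed
SAMPLE_EVENTS = [_ev("2019-03-22T10:00:00Z", "ListBuckets", ROLE)] + [
    _ev(f"2019-03-22T10:0{i}:00Z", "ListObjects", ROLE, f"bucket-{i}")
    for i in range(1, 7)
] + [_ev("2019-03-22T10:10:00Z", "GetObject", OTHER, "bucket-1")]

def detect_bucket_sweep(events: List[Dict]) -> List[str]:
    """Return identities that enumerated buckets and then read from at least
    BUCKET_THRESHOLD distinct buckets within WINDOW of that enumeration."""
    listed = {}                      # arn -> time of its latest ListBuckets
    touched = defaultdict(set)       # arn -> buckets read since that call
    alerts = []
    for e in sorted(events, key=lambda x: x["eventTime"]):
        arn = e["userIdentity"]["arn"]
        ts = datetime.strptime(e["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        if e["eventName"] == "ListBuckets":
            listed[arn], touched[arn] = ts, set()
        elif arn in listed and ts - listed[arn] <= WINDOW:
            touched[arn].add(e["requestParameters"].get("bucketName"))
            if len(touched[arn]) >= BUCKET_THRESHOLD and arn not in alerts:
                alerts.append(arn)
    return alerts

if __name__ == "__main__":
    print("suspicious sessions:", detect_bucket_sweep(SAMPLE_EVENTS))
```

S3 data events are not in CloudTrail by default; the trail must have object-level logging enabled for the buckets you want this to cover.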

Capital One Bank estimates the damage from the hack at between $100 and $150 MILLION. Preventing damage like that is why companies invest so heavily in cloud protection, DevOps, and security experts. And how valuable and cost-effective is moving to the cloud? So much so that, despite the mass of cybersecurity problems, the public cloud market grew 42% in the first quarter of 2019!

Moral of the story: check your security; conduct regular audits; observe the principle of least privilege for security policies.

(You can read the full legal report.)

Source: www.habr.com
