Technical details of the Capital One hack on AWS

On July 19, 2019, Capital One received the message that every modern company dreads: a data breach had occurred. It affected more than 106 million people: 140,000 US social security numbers, one million Canadian social insurance numbers, and 80,000 bank account numbers. Not pleasant, is it?

Unfortunately, the hack did not happen on July 19. As it turns out, Paige Thompson, a.k.a. Erratic, carried it out between March 22 and March 23, 2019. That is almost four months earlier. In fact, it was only with the help of outside consultants that Capital One was able to discover that something had happened at all.

A former Amazon employee was arrested and faces a fine of $250,000 and five years in prison... Why? Because many of the companies that have suffered hacks are trying to shrug off the work of hardening their infrastructure and applications in the middle of a rise in cybercrime.

Anyway, you can easily google this story. We are not going to get into the drama, but talk about the technical side of it.

First, what happened?

Capital One had about 700 S3 buckets in use, which Paige Thompson copied and exfiltrated.

Second, is this another case of a misconfigured S3 bucket policy?

No, not this time. Here she gained access to a server with a misconfigured firewall and did all the work from there.

Wait, how is that possible?

Well, let's start with getting into the server, even though we have very little information. We were only told that it happened through a "misconfigured firewall." So, something as simple as wrong security group settings, or the configuration of a web application firewall (Imperva) or a network firewall (iptables, ufw, shorewall, etc.). Capital One simply admitted its fault and said it had closed the hole.

Stone said Capital One did not initially notice the firewall vulnerability but acted quickly once it became aware of it. This was certainly helped by the fact that the hacker allegedly left key identifying information in the public domain, Stone said.

If you are wondering why we are not going deeper into this part, please understand that with so little information we can only speculate. That makes no sense given that the hack hinged on a hole Capital One left open. And unless they tell us more, we would just be listing every possible way Capital One could have left their server open, combined with every possible way someone could exploit each of those options. These mistakes and techniques can range from silly oversights to incredibly complex patterns. Given the range of possibilities, this would be a long saga with no real conclusion. So let's focus on analysing the part where we actually have facts.

So the first takeaway is: know what your firewalls allow.

Establish a policy or an appropriate process to verify that ONLY what needs to be open is open. If you use AWS resources such as Security Groups or Network ACLs, the audit checklist can obviously get long... but just as many resources are created automatically (e.g. via CloudFormation), their auditing can be automated too. Whether it is a homegrown script that checks new resources for mistakes, or something like a security audit step in the CI/CD pipeline... there are many simple options for preventing this.
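As an example of the kind of homegrown check the paragraph above has in mind, here is a small Security Group audit. This is added example code, not code from the article or from Capital One. It works on the JSON shape that `aws ec2 describe-security-groups` returns, so the same function can be fed live data via boto3 (`ec2.describe_security_groups()["SecurityGroups"]`) or, as here, a constructed sample that runs offline. The allow-list of ports considered acceptable for exposure to the whole internet is an assumption for the example.

```python
"""Audit EC2 security groups for ingress rules open to the world.

Added example (not code from the article): it consumes the JSON that
`aws ec2 describe-security-groups` returns. The sample groups at the
bottom are constructed so the script runs offline.
"""
from typing import Dict, List

# Ports one might legitimately expose to the whole internet on a public
# web tier; anything else reachable from 0.0.0.0/0 or ::/0 is flagged.
# (Assumption for this example; tune for your environment.)
PUBLIC_OK_PORTS = {80, 443}

WORLD_CIDRS = {"0.0.0.0/0", "::/0"}


def _rule_ports(perm: Dict) -> str:
    """Human-readable port range of one IpPermissions entry."""
    if perm.get("IpProtocol") == "-1":
        return "all"
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    return str(lo) if lo == hi else f"{lo}-{hi}"


def _covers_non_public_port(perm: Dict) -> bool:
    """True if the rule exposes anything beyond the allow-listed ports."""
    if perm.get("IpProtocol") == "-1":      # all protocols, all ports
        return True
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    if lo is None or hi is None:            # e.g. ICMP entries without ports
        return True
    return any(p not in PUBLIC_OK_PORTS for p in range(lo, hi + 1))


def find_world_open_rules(groups: List[Dict]) -> List[Dict]:
    """Return one finding per ingress rule reachable from 0.0.0.0/0 or ::/0
    that exposes a port outside PUBLIC_OK_PORTS."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            world = [s for s in sources if s in WORLD_CIDRS]
            if world and _covers_non_public_port(perm):
                findings.append({
                    "group_id": sg["GroupId"],
                    "group_name": sg.get("GroupName", ""),
                    "protocol": perm.get("IpProtocol"),
                    "ports": _rule_ports(perm),
                    "sources": world,
                })
    return findings


# Constructed sample: one sane web-tier group and one "temporary" debugging
# group whose rules were never removed.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0aaa", "GroupName": "web-tier", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-0bbb", "GroupName": "app-debug", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 8000, "ToPort": 8999,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "-1",
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ]},
]

if __name__ == "__main__":
    for f in find_world_open_rules(SAMPLE_GROUPS):
        print(f"{f['group_id']} ({f['group_name']}): {f['protocol']} "
              f"{f['ports']} open to {', '.join(f['sources'])}")
```

Run as a CI step, a non-empty findings list is enough to fail the build; the same function can be pointed at the output of `describe-security-groups` for a periodic audit of groups that were not created through the pipeline.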

The "funny" part of the story is that if Capital One had closed the hole in the first place... nothing would have happened. And so, frankly, it is always shocking to see how something really quite simple becomes the sole reason a company gets breached. Especially one as big as Capital One.

So, the hacker is in. What happened next?

Well, after breaking into an EC2 instance... a lot can go wrong. You are walking on a knife's edge if you let someone get that far. But how did she get into the S3 buckets? To understand this, let's talk about IAM Roles.

So, one way to access AWS services is to be a User. Okay, that is obvious. But what if you want to give other AWS services, such as your application servers, access to your S3 buckets? That is what IAM roles are for. They consist of two parts:

  1. Trust Policy - which services or people may use this role?
  2. Permissions Policy - what does this role allow?

For example, you want to create an IAM role that lets EC2 instances access an S3 bucket: First, the role is created with a Trust Policy saying that EC2 (the service as a whole) or specific instances may "assume" the role. Assuming a role means they can use the role's permissions to perform actions. Second, the Permissions Policy allows the service/person/resource that "assumed the role" to do whatever on S3, whether that is accessing one specific bucket... or more than 700, as in Capital One's case.
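To make the two halves of a role concrete, here is the trust policy from the example above next to two permissions policies: the "do anything on S3" shortcut and a least-privilege version scoped to one bucket, plus a tiny evaluator that shows how many of an account's buckets each one lets a role `sync`. This is added example code, not code from the article or from AWS; the policy documents use the real IAM JSON grammar, but the bucket names are constructed placeholders and the evaluator handles only Allow/Deny with the `*` and `?` wildcards (no Condition keys, no resource-based policies).

```python
"""Compare a 'do anything on S3' role with a least-privilege one.

Added example, not from the article or from AWS. Policy documents use the
real IAM JSON grammar; bucket names are constructed. is_allowed() is a
deliberately small evaluator: explicit Deny wins, then any matching Allow,
otherwise implicit deny. Conditions and resource policies are not modelled.
"""
import fnmatch
from typing import Dict, List

# Trust policy: who may assume the role. Naming the EC2 service principal
# lets any instance that carries this role's instance profile assume it.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "ec2.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
}

# Permissions policy as a convenient shortcut: every S3 action on every bucket.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}

# Least privilege: exactly the bucket the application uses, read-only.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:ListBucket",
         "Resource": "arn:aws:s3:::app-uploads-example"},
        {"Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::app-uploads-example/*"},
    ],
}


def _as_list(v) -> List[str]:
    return v if isinstance(v, list) else [v]


def _matches(pattern: str, value: str, fold_case: bool) -> bool:
    # IAM uses '*' and '?' as wildcards; action names are case-insensitive,
    # resource ARNs are case-sensitive.
    if fold_case:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def is_allowed(policy: Dict, action: str, resource: str) -> bool:
    """Explicit Deny wins, then any matching Allow, else implicit deny."""
    decision = False
    for stmt in policy["Statement"]:
        act_hit = any(_matches(a, action, True) for a in _as_list(stmt.get("Action", [])))
        res_hit = any(_matches(r, resource, False) for r in _as_list(stmt.get("Resource", [])))
        if not (act_hit and res_hit):
            continue
        if stmt["Effect"] == "Deny":
            return False
        decision = True
    return decision


def can_sync_bucket(policy: Dict, bucket: str) -> bool:
    """`aws s3 sync s3://bucket .` needs ListBucket on the bucket plus
    GetObject on its objects; probe with one representative object ARN."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    return (is_allowed(policy, "s3:ListBucket", bucket_arn)
            and is_allowed(policy, "s3:GetObject", f"{bucket_arn}/any-key"))


def buckets_exposed(policy: Dict, buckets: List[str]) -> List[str]:
    """Which of the account's buckets this permissions policy lets a role copy."""
    return [b for b in buckets if can_sync_bucket(policy, b)]


# Constructed inventory standing in for the account's bucket list.
ACCOUNT_BUCKETS = ["app-uploads-example", "customer-records-042", "hr-exports-prod"]

if __name__ == "__main__":
    for name, pol in (("broad", BROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(f"{name}: sync-able buckets = {buckets_exposed(pol, ACCOUNT_BUCKETS)}")
```

The point of the comparison is that the trust policy is identical in both cases; what decides whether a compromised instance can reach one bucket or all of them is the permissions policy alone.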

Once you are inside an EC2 instance that has an IAM role, you can obtain credentials in several ways:

  1. You can query the instance metadata at http://169.254.169.254/latest/meta-data

    Among other things, you can find the IAM role and any access keys at this address. Of course, only if you are inside an instance.

  2. Use the AWS CLI...

    If the AWS CLI is installed, it is loaded with the credentials from the IAM role, if there is one. All that remains is to work FROM the instance. Of course, if their Trust Policy was open, Paige could have done everything directly.

So the essence of IAM roles is that they allow some resources to ACT ON OTHER RESOURCES.

Now that you understand IAM roles, we can talk about what Paige Thompson did:

  1. She gained access to the server (an EC2 instance) through a hole in the firewall

    Whether it was the security groups/ACLs or their own web application firewalls, the hole was probably quite easy to plug, as stated in the official records.

  2. Once on the server, she was able to act "as if" she were the server itself
  3. Since the IAM role of the server allowed S3 access to those 700+ buckets, she was able to access them

From that point on, all she had to do was run the List Buckets command and then the Sync command from the AWS CLI...
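The sequence in the three steps above, an instance role listing every bucket and then copying many of them, leaves a recognisable trace in CloudTrail: one role session calls ListBuckets and shortly afterwards reads from far more distinct buckets than the application ever touches. Below is an added detection example (not from the article, and not Capital One's tooling) that scans CloudTrail records for that pattern. It uses CloudTrail's real field names (`eventTime`, `eventSource`, `eventName`, `userIdentity.arn`, `sourceIPAddress`, `requestParameters.bucketName`), but the records, account id, role name, instance ids and threshold are constructed for the example.

```python
"""Flag an 'enumerate-then-sweep' pattern in CloudTrail: one role session
calls ListBuckets and then reads from many distinct buckets shortly after.

Added example, not from the article. Records follow CloudTrail's real field
names; the records below, the account id, the role and the instance ids are
constructed placeholders.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional

SWEEP_THRESHOLD = 5          # distinct buckets read in the window (assumed tuning value)
WINDOW = timedelta(hours=1)  # measured from the session's first ListBuckets

# Events that touch bucket contents. Object-level events (GetObject etc.)
# only appear if S3 data event logging is enabled; ListBuckets is always
# recorded as a management event.
READ_EVENTS = {"ListObjects", "ListObjectsV2", "GetObject", "HeadObject"}


def _ts(rec: Dict) -> datetime:
    return datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def find_bucket_sweeps(records: List[Dict]) -> List[Dict]:
    """Group S3 events by assumed-role session and alert on sessions that
    enumerate buckets and then read SWEEP_THRESHOLD or more of them."""
    by_session = defaultdict(list)
    for rec in records:
        if rec.get("eventSource") == "s3.amazonaws.com":
            by_session[rec["userIdentity"].get("arn", "unknown")].append(rec)

    alerts = []
    for session, recs in by_session.items():
        recs.sort(key=_ts)
        enum = [r for r in recs if r["eventName"] == "ListBuckets"]
        if not enum:
            continue
        start = _ts(enum[0])
        touched = set()
        for r in recs:
            if r["eventName"] in READ_EVENTS and start <= _ts(r) <= start + WINDOW:
                bucket = r.get("requestParameters", {}).get("bucketName")
                if bucket:
                    touched.add(bucket)
        if len(touched) >= SWEEP_THRESHOLD:
            alerts.append({
                "session": session,
                "list_buckets_at": enum[0]["eventTime"],
                "source_ip": enum[0].get("sourceIPAddress"),
                "buckets": sorted(touched),
            })
    return alerts


def _rec(time: str, name: str, session_arn: str, ip: str,
         bucket: Optional[str] = None) -> Dict:
    """Build a minimal CloudTrail-shaped record (constructed test data)."""
    rec = {"eventTime": time, "eventSource": "s3.amazonaws.com", "eventName": name,
           "userIdentity": {"type": "AssumedRole", "arn": session_arn},
           "sourceIPAddress": ip}
    if bucket:
        rec["requestParameters"] = {"bucketName": bucket}
    return rec


# For an instance-profile role the session name is the instance id.
APP = "arn:aws:sts::123456789012:assumed-role/WebAppRole/i-0aaaaaaaaaaaaaaaa"
ODD = "arn:aws:sts::123456789012:assumed-role/WebAppRole/i-0bbbbbbbbbbbbbbbb"

SAMPLE_RECORDS = [
    # normal behaviour: the app lists once and only ever reads its own bucket
    _rec("2019-03-22T10:00:00Z", "ListBuckets", APP, "10.0.1.20"),
    _rec("2019-03-22T10:00:05Z", "GetObject", APP, "10.0.1.20", "app-uploads-example"),
    _rec("2019-03-22T10:07:00Z", "GetObject", APP, "10.0.1.20", "app-uploads-example"),
    # suspicious: enumerate, then walk many buckets within a few minutes
    _rec("2019-03-22T11:00:00Z", "ListBuckets", ODD, "10.0.1.21"),
] + [
    _rec(f"2019-03-22T11:0{i}:00Z", "ListObjectsV2", ODD, "10.0.1.21", f"bucket-{i:03d}")
    for i in range(1, 7)
]

if __name__ == "__main__":
    for a in find_bucket_sweeps(SAMPLE_RECORDS):
        print(f"{a['session']} listed buckets at {a['list_buckets_at']} and then "
              f"read {len(a['buckets'])} distinct buckets: {a['buckets']}")
```

The threshold is the knob worth tuning per role: an application role that normally touches one or two buckets should alert at a much lower number than an administrative backup role, and a breadth-based rule like this is one of the few signals that survives even when every individual request is authorised by the role's policy.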

Capital One Bank estimates the damage from the breach at between $100 and $150 million. Preventing damage like this is why companies invest so heavily in cloud infrastructure protection, DevOps, and security specialists. And how worthwhile and cost-effective is the move to the cloud? So much so that, even with all the cybersecurity challenges we face, the public cloud market grew by 42% in the first quarter of 2019!

Moral of the story: check your security; perform regular audits; respect the principle of least privilege when configuring security settings.

(You can read the full legal report here.)

Source: www.habr.com
