On July 19, 2019, Capital One learned that every modern company's nightmare had come true: a data breach. It affected more than 106 million people: 140,000 US social security numbers, one million Canadian social insurance numbers, and bank account numbers. Not pleasant, is it?
Unfortunately, the hack did not happen on July 19. As it turned out, Paige Thompson, aka Erratic, carried it out between March 22 and March 23, 2019. That is almost four months earlier. In fact, it was only with the help of outside consultants that Capital One was able to discover that something had happened at all.
The former Amazon employee was arrested and faces a $250,000 fine and five years in prison ... but a great deal of negligence remains. Why? Because many companies hit by hacks try to shed responsibility for hardening their infrastructure and applications in the midst of rising cybercrime.
You can easily Google this story anyway. We will not go into the drama; instead, let's talk about the technical side of the matter.
First, what happened?
Capital One had some 700 S3 buckets in use, which Paige Thompson copied and exfiltrated.
Second, was this yet another case of a misconfigured S3 bucket policy?
No, not this time. Here she gained access to a server through a misconfigured firewall and did the rest of the work from there.
Wait, how is that possible?
Well, let's start with the entry into the server, even though we have few details. We are only told that it happened "through a misconfigured firewall". So, something as simple as a wrong security group setting, a web application firewall (Imperva) configuration, or a network firewall (iptables, ufw, shorewall, etc.). Capital One simply admitted its guilt and said it had closed the hole.
Stone said that Capital One did not at first notice the firewall vulnerability but acted quickly once it became aware of it. This was certainly helped by the fact that the hacker allegedly left key identifying information in the public domain, Stone said.
If you are wondering why we do not go deeper into this part, understand that with so little information we can only speculate. That makes little sense given that the hack depended on a hole Capital One left open. And unless they tell us more, we would have to list every possible way Capital One could have left its server open, combined with every way someone could exploit each of them. Those mistakes and techniques range from plain carelessness to highly sophisticated patterns. Given the range of possibilities, this would become an endless saga with no real conclusion. So let's focus on analysing the part where we have facts.
So the first takeaway is this: know what your firewalls allow.
Establish a policy or process to verify that ONLY what needs to be open is open. If you use AWS features such as Security Groups or Network ACLs, the audit checklist can obviously get long ... but since most resources are created automatically (i.e., with CloudFormation), their audit can be automated too. Whether it is a home-made script that checks newly created objects for flaws, or something like a security audit step in the CI/CD pipeline ... there are many simple ways to prevent this.
The "funny" thing about the story is that if Capital One had closed the hole in the first place ... there would have been nothing. And so, frankly, it is always shocking to see how something really simple becomes the very reason a company gets breached. Especially one as big as Capital One.
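As an illustration of the automated audit the paragraph above calls for, here is an added example (not code from the article or from Capital One) that scans security-group rules for ingress open to the whole internet on ports that are not on an allow-list. The input is a constructed sample shaped like the `IpPermissions` section returned by `aws ec2 describe-security-groups`; the group ids, names and the allow-list of public ports are assumptions for the example.

```python
import ipaddress

# Constructed sample shaped like the `IpPermissions` part of the output of
# `aws ec2 describe-security-groups`; the group ids and names are made up.
SAMPLE_SECURITY_GROUPS = [
    {
        "GroupId": "sg-0aaa111",
        "GroupName": "waf-proxy",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
            # SSH open to the whole internet: the kind of hole the article describes
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        ],
    },
    {
        "GroupId": "sg-0bbb222",
        "GroupName": "app-tier",
        "IpPermissions": [
            # "-1" means all protocols and all ports, here open to any IPv6 source
            {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
            {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
             "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
        ],
    },
]

# Ports that this (assumed) policy permits to be reachable from anywhere.
ALLOWED_PUBLIC_PORTS = {80, 443}


def is_world_cidr(cidr: str) -> bool:
    """True for 0.0.0.0/0 and ::/0, i.e. any source address at all."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def rule_ports(rule: dict):
    """Return (low, high) for a rule, or None when protocol -1 covers every port."""
    if rule.get("IpProtocol") == "-1":
        return None
    return rule["FromPort"], rule["ToPort"]


def audit_security_groups(groups, allowed=ALLOWED_PUBLIC_PORTS):
    """Flag every ingress rule that exposes a non-allow-listed port to the world."""
    findings = []
    for group in groups:
        for rule in group.get("IpPermissions", []):
            sources = [r["CidrIp"] for r in rule.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
            world = [c for c in sources if is_world_cidr(c)]
            if not world:
                continue
            ports = rule_ports(rule)
            if ports is None:
                exposed = "all"
            else:
                low, high = ports
                if set(range(low, high + 1)) <= allowed:
                    continue  # only allow-listed ports, e.g. 443 on a public proxy
                exposed = f"{low}-{high}"
            findings.append({"GroupId": group["GroupId"],
                             "GroupName": group["GroupName"],
                             "Ports": exposed,
                             "Sources": world})
    return findings


if __name__ == "__main__":
    for f in audit_security_groups(SAMPLE_SECURITY_GROUPS):
        print(f"{f['GroupId']} ({f['GroupName']}): ports {f['Ports']} open to {f['Sources']}")
```

In a pipeline the same function would be fed the real `describe-security-groups` output (or the security-group resources in a CloudFormation template before deployment) and any finding would fail the build.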
So, the hacker is inside: what happened next?
Well, after breaking into an EC2 instance ... a lot can go wrong. You are walking on a knife's edge if you let someone get that far. But how did she get into the S3 buckets? To understand this, let's talk about IAM roles.
So, one way to access AWS services is as a User. OK, that one is obvious. But what if you want to give other AWS services, such as your application servers, access to your S3 buckets? That is what an IAM role is for. A role consists of two parts:
- Trust Policy: which services or people can use this role?
- Permissions Policy: what does this role allow?
For example, say you want to create an IAM role that lets EC2 instances access an S3 bucket. First, the role is set up with a Trust Policy so that EC2 (the whole service) or specific instances can "assume" the role. Assuming the role means they can use the role's permissions to perform actions. Second, the Permissions Policy allows the service/person/resource "that has assumed the role" to do things on S3, whether that is accessing one specific bucket ... or more than 700, as in the Capital One case.
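To make the two halves of a role concrete, here is an added example (not from the article or from Capital One) with two constructed role definitions: one whose Permissions Policy grants `s3:*` on every resource, and one scoped to a single bucket, plus a small linter that flags the over-broad one. The bucket name, the finding codes and the `TrustPolicy`/`PermissionsPolicy` wrapper keys are assumptions for the example; the policy documents inside use the standard IAM JSON format.

```python
import json

# Constructed role definitions (not Capital One's). The bucket name is a
# placeholder; the TrustPolicy/PermissionsPolicy wrapper is this example's own.
BROAD_ROLE = {
    "TrustPolicy": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow",
                       "Principal": {"Service": "ec2.amazonaws.com"},
                       "Action": "sts:AssumeRole"}],
    },
    "PermissionsPolicy": {
        "Version": "2012-10-17",
        # every S3 action on every bucket: whoever assumes the role can read them all
        "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
    },
}

SCOPED_ROLE = {
    "TrustPolicy": BROAD_ROLE["TrustPolicy"],  # same trust: EC2 may assume it
    "PermissionsPolicy": {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["s3:ListBucket"],
             "Resource": "arn:aws:s3:::example-app-assets"},
            {"Effect": "Allow", "Action": ["s3:GetObject"],
             "Resource": "arn:aws:s3:::example-app-assets/*"},
        ],
    },
}


def _as_list(value):
    """IAM accepts a string or a list in Action, Resource and Principal fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _wildcard(s: str) -> bool:
    """'*' or anything ending in ':*' (e.g. 'arn:aws:s3:::*') matches everything."""
    return s == "*" or s.endswith(":*")


def lint_trust_policy(doc):
    """Finding codes for Allow statements whose principal is anyone at all."""
    findings = []
    for i, st in enumerate(doc.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal", {})
        if principal == "*":
            findings.append(("trust", i, "OPEN_TRUST"))
            continue
        for kind in ("AWS", "Service", "Federated"):
            if any(_wildcard(p) for p in _as_list(principal.get(kind))):
                findings.append(("trust", i, "OPEN_TRUST"))
    return findings


def lint_permissions_policy(doc):
    """Finding codes for Allow statements that reach every S3 bucket."""
    findings = []
    for i, st in enumerate(doc.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(st.get("Action"))]
        any_resource = any(_wildcard(r) for r in _as_list(st.get("Resource")))
        touches_s3 = any(a == "*" or a.startswith("s3:") for a in actions)
        if not (any_resource and touches_s3):
            continue
        if any(a in ("*", "s3:*") for a in actions):
            findings.append(("permissions", i, "WILDCARD_S3"))
        else:
            findings.append(("permissions", i, "ALL_BUCKETS"))
    return findings


def lint_role(role):
    return (lint_trust_policy(role["TrustPolicy"])
            + lint_permissions_policy(role["PermissionsPolicy"]))


if __name__ == "__main__":
    for name, role in (("broad", BROAD_ROLE), ("scoped", SCOPED_ROLE)):
        print(name, json.dumps(lint_role(role)))
```

Note that the trust half of both roles is identical and legitimate (EC2 assumes the role); what distinguishes them is the permissions half, which is exactly the part that decided how many buckets were reachable once the instance was compromised.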
Once you are on an EC2 instance that has an IAM role, you can obtain credentials in several ways:
- You can query the instance metadata here:
http://169.254.169.254/latest/meta-data
Among other things, you can retrieve the IAM role and any of its access keys from this address. Of course, only if you are on the instance itself.
- Use the AWS CLI...
If the AWS CLI is installed, it is automatically loaded with the credentials from the IAM role, if there is one. The only thing left is to act ON BEHALF OF THE INSTANCE. And if their Trust Policy had been open, Paige could have done all of this directly.
So the essence of IAM roles is that they allow other resources to act ON YOUR BEHALF ON OTHER RESOURCES.
Now that you understand IAM roles, we can talk about what Paige Thompson did:
- She gained access to a server (an EC2 instance) through a hole in the firewall
Whether it was security groups/ACLs or their own web application firewalls, the hole was very easy to plug, as stated in the official records.
- Once on the server, she was able to act "as if" she were the server itself
- Since the server's IAM role allowed S3 access to those 700+ buckets, she was able to access them
From that moment on, all she had to do was run the List Buckets command and then the Sync command from the AWS CLI...
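The "List Buckets, then Sync" sequence is also what a defender can look for. Here is an added example (not code from the article or from Capital One) of detection logic run over constructed CloudTrail-style S3 data events: it alerts when one assumed-role session calls `ListBuckets` and then reads from many distinct buckets within a short window, which is what a sync across hundreds of buckets looks like in the logs. The event records, account id, role name, session names and the threshold/window values are all assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def _event(time, session, name, bucket=None):
    """Build a minimal CloudTrail-style record (constructed, not a real log)."""
    rec = {
        "eventTime": time,
        "eventSource": "s3.amazonaws.com",
        "eventName": name,
        "userIdentity": {
            "type": "AssumedRole",
            # placeholder account id and role name
            "arn": f"arn:aws:sts::123456789012:assumed-role/app-role/{session}",
        },
    }
    if bucket is not None:
        rec["requestParameters"] = {"bucketName": bucket}
    return rec


SAMPLE_EVENTS = [
    # normal application traffic: the same bucket over and over
    _event("2019-03-22T10:00:00Z", "legit-app", "GetObject", "app-assets"),
    _event("2019-03-22T10:05:00Z", "legit-app", "GetObject", "app-assets"),
    _event("2019-03-22T10:09:00Z", "legit-app", "ListObjectsV2", "app-assets"),
    # the pattern the article describes: enumerate all buckets, then sweep them
    _event("2019-03-22T11:00:00Z", "suspect", "ListBuckets"),
] + [
    _event(f"2019-03-22T11:{m:02d}:00Z", "suspect", "ListObjectsV2", f"bucket-{m}")
    for m in range(1, 6)
] + [
    _event(f"2019-03-22T11:{m:02d}:30Z", "suspect", "GetObject", f"bucket-{m}")
    for m in range(1, 6)
]

# S3 data events that read bucket contents (what a sync issues per bucket)
READ_EVENTS = {"ListObjects", "ListObjectsV2", "GetObject"}


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect_bucket_sweeps(events, threshold=3, window=timedelta(minutes=30)):
    """Alert on any role session that calls ListBuckets and then reads from at
    least `threshold` distinct buckets within `window` of that call."""
    by_session = defaultdict(list)
    for ev in events:
        by_session[ev["userIdentity"]["arn"]].append(ev)

    alerts = []
    for arn, evs in by_session.items():
        evs.sort(key=lambda e: _ts(e["eventTime"]))
        starts = [_ts(e["eventTime"]) for e in evs if e["eventName"] == "ListBuckets"]
        if not starts:
            continue
        first = starts[0]
        buckets = set()
        for e in evs:
            t = _ts(e["eventTime"])
            if e["eventName"] in READ_EVENTS and first <= t <= first + window:
                buckets.add(e["requestParameters"]["bucketName"])
        if len(buckets) >= threshold:
            alerts.append({"session": arn,
                           "list_buckets_at": first.isoformat(),
                           "distinct_buckets": len(buckets),
                           "reads": sum(1 for e in evs if e["eventName"] in READ_EVENTS)})
    return alerts


if __name__ == "__main__":
    for a in detect_bucket_sweeps(SAMPLE_EVENTS):
        print(f"{a['session']}: {a['distinct_buckets']} buckets read after "
              f"ListBuckets at {a['list_buckets_at']} ({a['reads']} reads)")
```

The threshold should be tuned to what an application role normally touches; a role that legitimately needs one bucket, as the least-privilege rule suggests, will never trip it, which is also why scoping the Permissions Policy and alerting on enumeration work well together.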
The moral of the story: check your security; run audits regularly; respect the principle of least privilege in your security policies.
(source: www.habr.com)