Technical details of the Capital One hack on AWS

On July 19, 2019, Capital One got the message that every company today dreads: a data breach. It affected more than 106 million people: 140,000 US social security numbers, one million Canadian social insurance numbers and tens of thousands of linked bank account numbers. Not pretty, is it?

Unfortunately, the hack did not happen on July 19. As it turns out, Paige Thompson, aka "erratic", carried it out between March 22 and March 23, 2019. That is almost four months earlier. In fact, it was only thanks to a tip from an outsider that Capital One learned that anything had happened at all.

The former Amazon employee was arrested and faces a fine of $250,000 and five years in prison... but there is still a lot of carelessness out there. Why? Because many companies that have been hit by hacks try to shed the responsibility of hardening their infrastructure and applications while cybercrime keeps rising.

Anyway, you can easily Google this story. We will not go into the drama; let's talk about the technical side of the matter.

First, what happened?

Capital One had more than 700 active S3 buckets, which Paige Thompson copied and exfiltrated.

Second, was this yet another case of a misconfigured S3 bucket policy?

No, not this time. Here she gained access to a server through a misconfigured firewall and did all the rest of the work from there.

Wait, how is that possible?

Well, let's start with the entry into the server, even though we do not have many details. We are only told that it happened "through a misconfigured firewall". So, something as simple as an incorrect security group setting, a misconfigured web application firewall (Imperva or similar), or a network firewall (iptables, ufw, shorewall, etc.). Capital One simply admitted fault and said it had closed the hole.

Stone said Capital One did not initially notice the firewall vulnerability but acted quickly once it became aware of it. That was certainly helped by the fact that the alleged perpetrator left key identifying information in a public space, Stone said.

If you are wondering why we do not dig deeper into this part, understand that with so little information we can only speculate. That is unsatisfying, given that the whole hack hinged on a hole that Capital One left open. And unless they tell us more, we would have to list every possible way Capital One could have left their server open, combined with every way someone could exploit each of those. The mistakes and techniques range from plain carelessness to very complex patterns. Given that range of possibilities, it would be an endless saga. So let's focus on analysing the part where we have facts.

So the first takeaway is this: know what your firewalls allow.

Establish a policy or process to ensure that ONLY what needs to be open is open. If you use AWS features like Security Groups or Network ACLs, the audit checklist can obviously get long... but since many resources are created automatically (e.g. with CloudFormation), their audit can be automated as well. Whether it is a home-grown script that checks new resources for flaws, or something like a security audit step in the CI/CD pipeline... there are many simple ways to prevent this.
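As an added example of such a home-grown check (not code from the original article, and not Capital One's configuration), the script below audits security group ingress rules for anything reachable from 0.0.0.0/0 or ::/0 on a port outside an allowlist. The sample groups, the group ids and the allowlist of 80/443 are all constructed for illustration; the input structure follows the shape of the EC2 DescribeSecurityGroups response so the same function can be fed real API output.

```python
"""Audit AWS security groups for ingress rules open to the whole internet.

Added example for this page, not Capital One's configuration. The input
mirrors the shape of ec2.describe_security_groups()["SecurityGroups"] so
the same function can be fed real API output; the groups below are
constructed sample data.
"""

# Ports a public web tier is expected to expose (assumption; tune per tier).
ALLOWED_PUBLIC_PORTS = {80, 443}
WORLD = {"0.0.0.0/0", "::/0"}

# Constructed sample: one web tier with an SSH rule somebody left open,
# one app tier with an all-traffic IPv6 rule.
SAMPLE_GROUPS = [
    {
        "GroupId": "sg-0a1b2c3d4e5f60001",
        "GroupName": "web-tier",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        ],
    },
    {
        "GroupId": "sg-0a1b2c3d4e5f60002",
        "GroupName": "app-tier",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
             "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []},
            {"IpProtocol": "-1",
             "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        ],
    },
]


def _port_range(perm):
    """(low, high) covered by a permission; protocol -1 means every port."""
    if perm.get("IpProtocol") == "-1":
        return 0, 65535
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)


def audit_security_groups(groups, allowed=ALLOWED_PUBLIC_PORTS):
    """Return one finding per rule that exposes a non-allowlisted port to
    0.0.0.0/0 or ::/0. A rule that only exposes allowlisted ports is fine."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            world = [s for s in sources if s in WORLD]
            if not world:
                continue
            lo, hi = _port_range(perm)
            allowed_in_range = {p for p in allowed if lo <= p <= hi}
            if hi - lo + 1 > len(allowed_in_range):   # something beyond the allowlist
                findings.append({
                    "group_id": sg["GroupId"],
                    "group_name": sg.get("GroupName", ""),
                    "protocol": perm.get("IpProtocol"),
                    "ports": str(lo) if lo == hi else f"{lo}-{hi}",
                    "sources": world,
                })
    return findings


def ci_exit_code(findings):
    """Non-zero when anything is world-open, so a pipeline step fails."""
    return 1 if findings else 0


if __name__ == "__main__":
    found = audit_security_groups(SAMPLE_GROUPS)
    for f in found:
        print(f"{f['group_id']} ({f['group_name']}): {f['protocol']} "
              f"{f['ports']} open from {', '.join(f['sources'])}")
    raise SystemExit(ci_exit_code(found))
```

Against live infrastructure the same function takes `boto3.client("ec2").describe_security_groups()["SecurityGroups"]` directly, and the exit code makes it usable as a gate in the pipeline that deploys the CloudFormation stack.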

The "funny" thing about the story is that if Capital One had closed the hole from the start... nothing would have happened. And, frankly, it is always shocking to see how something so simple becomes the reason a company gets breached. Especially one as big as Capital One.

So, the hacker is inside; what happens next?

Well, after breaking into an EC2 instance... a lot can go wrong. You are on a knife's edge if you let someone get that far. But how did she get into the S3 buckets? To understand that, let's talk about IAM roles.

So, one way to access AWS services is as a User. OK, that one is obvious. But what if you want to give other AWS services, such as your application servers, access to your S3 buckets? That is what an IAM role is for. A role consists of two components:

  1. Trust Policy: which services or people may use this role?
  2. Permissions Policy: what does this role allow?

For example, say you want to create an IAM role that allows EC2 instances to access an S3 bucket. First, the role is given a Trust Policy stating that EC2 (the service as a whole) or specific instances may "assume" the role. Assuming a role means they can use the role's permissions to perform actions. Second, the Permissions Policy allows the service/person/resource "that has assumed the role" to do things in S3, whether that is reaching one specific bucket... or more than 700 of them, as in the Capital One case.
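To make the two halves concrete, here is an added example (not from the original article, and not Capital One's actual role) with a trust policy that lets EC2 assume the role, an over-broad permissions policy of the `s3:*` on `*` kind, and a least-privilege alternative scoped to one hypothetical bucket. The small evaluator only handles Allow statements with wildcards; it ignores Deny, NotAction/NotResource and Condition, so it is a teaching aid rather than a replacement for the IAM policy simulator.

```python
"""Evaluate an EC2 instance role's policies for over-broad S3 access.

Added example for this page; the role, bucket and policies are
constructed, not Capital One's. The evaluator is deliberately minimal:
it handles Allow statements with * wildcards and ignores Deny statements,
NotAction/NotResource and Condition blocks.
"""
import fnmatch

# Trust policy: any EC2 instance carrying this role's instance profile may assume it.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"Service": "ec2.amazonaws.com"},
                   "Action": "sts:AssumeRole"}],
}

# Over-broad permissions policy: every S3 action on every bucket in the account.
BROAD_PERMISSIONS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}

# Least-privilege alternative: read objects from the one bucket the app needs
# (hypothetical bucket name).
SCOPED_PERMISSIONS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": ["s3:GetObject"],
                   "Resource": "arn:aws:s3:::example-app-assets/*"}],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def trusted_principals(trust_policy):
    """Service principals allowed to assume the role."""
    out = []
    for st in trust_policy.get("Statement", []):
        if st.get("Effect") == "Allow" and "sts:AssumeRole" in _as_list(st.get("Action")):
            out.extend(_as_list(st.get("Principal", {}).get("Service", [])))
    return out


def is_allowed(policy, action, resource):
    """True if some Allow statement matches action and resource. IAM wildcards
    are * and ?, which fnmatch understands; action names compare case-insensitively."""
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        acts = [a.lower() for a in _as_list(st.get("Action", []))]
        ress = _as_list(st.get("Resource", []))
        if any(fnmatch.fnmatchcase(action.lower(), a) for a in acts) and \
           any(fnmatch.fnmatchcase(resource, r) for r in ress):
            return True
    return False


def s3_findings(policy):
    """Human-readable findings for statements that let a role reach beyond one bucket."""
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(st.get("Action", []))]
        resources = _as_list(st.get("Resource", []))
        s3_actions = [a for a in actions if a == "*" or a.startswith("s3:")]
        if not s3_actions:
            continue
        wild_res = [r for r in resources if r in ("*", "arn:aws:s3:::*")]
        wild_act = [a for a in s3_actions if a.endswith("*")]
        if wild_res:
            findings.append(f"statement {i}: {s3_actions} on every bucket in the account")
        elif wild_act:
            findings.append(f"statement {i}: every S3 action on {resources}")
        if any(a in ("*", "s3:*", "s3:listallmybuckets") for a in actions):
            findings.append(f"statement {i}: bucket enumeration (s3:ListAllMyBuckets) permitted")
    return findings


if __name__ == "__main__":
    print("assumable by:", trusted_principals(TRUST_POLICY))
    for name, pol in (("broad", BROAD_PERMISSIONS), ("scoped", SCOPED_PERMISSIONS)):
        print(name, "->", s3_findings(pol) or "no findings")
```

The second finding is the one that matters for the "List Buckets" step later in the story: a role that can call `s3:ListAllMyBuckets` hands an intruder the full inventory of buckets to pull from, whereas the scoped policy does not even reveal that other buckets exist.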

Once you are on an EC2 instance that has an IAM role, you can obtain its credentials in several ways:

  1. You can query the instance metadata service at http://169.254.169.254/latest/meta-data

    Among other things, you can obtain the IAM role name and its temporary access keys from this address. Of course, only if you are on the instance itself.

  2. Use the AWS CLI...

    If the AWS CLI is installed, it loads credentials from the IAM role automatically, if one is attached. All that is left is to act AS THE INSTANCE. And if their trust policy was that open, Paige could do everything right from there.

So the essence of IAM roles is that they allow certain resources to act ON YOUR BEHALF on other resources.
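The following added example (not code from the original article) replays the metadata exchange above against a local stand-in for 169.254.169.254 and shows what changes once IMDSv2 is enforced on the instance (the `HttpTokens=required` setting). The role name and credentials served are constructed and non-functional; the paths (`/latest/meta-data/iam/security-credentials/`, `/latest/api/token`) and header names are the real IMDS ones.

```python
"""Read an instance role's credentials from the metadata service, and show
what enforcing IMDSv2 (HttpTokens=required) changes. Added example, not code
from the original article: the server is a local stand-in for
169.254.169.254 serving constructed, non-functional credentials; the paths
and header names are the real IMDS ones.
"""
import json
import secrets
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

ROLE_NAME = "example-web-role"          # hypothetical instance role
FAKE_CREDS = {                          # constructed; these are not real keys
    "Code": "Success", "Type": "AWS-HMAC",
    "AccessKeyId": "ASIAEXAMPLEEXAMPLEXX",
    "SecretAccessKey": "example-secret-key-not-real",
    "Token": "example-session-token-not-real",
}
CREDS_PATH = "/latest/meta-data/iam/security-credentials/"
TOKEN_HDR = "X-aws-ec2-metadata-token"
TTL_HDR = "X-aws-ec2-metadata-token-ttl-seconds"
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # never via a proxy


class FakeImds(BaseHTTPRequestHandler):
    require_token = False   # False: IMDSv1 allowed; True: HttpTokens=required
    tokens = set()

    def log_message(self, *args):   # silence per-request logging
        pass

    def _send(self, code, body):
        data = body.encode()
        self.send_response(code)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def do_PUT(self):   # IMDSv2 session start: PUT with a TTL header returns a token
        if self.path == "/latest/api/token" and self.headers.get(TTL_HDR):
            token = secrets.token_urlsafe(16)
            type(self).tokens.add(token)
            return self._send(200, token)
        self._send(400, "bad request")

    def do_GET(self):
        if self.require_token and self.headers.get(TOKEN_HDR) not in self.tokens:
            return self._send(401, "unauthorized")   # plain IMDSv1 GET rejected
        if self.path == CREDS_PATH:
            return self._send(200, ROLE_NAME)
        if self.path == CREDS_PATH + ROLE_NAME:
            return self._send(200, json.dumps(FAKE_CREDS))
        self._send(404, "not found")


def start_fake_imds(require_token):
    handler = type("Handler", (FakeImds,), {"require_token": require_token, "tokens": set()})
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_port}"


def _http(method, url, headers):
    req = urllib.request.Request(url, method=method, headers=headers)
    with OPENER.open(req, timeout=5) as resp:
        return resp.read().decode()


def fetch_role_credentials(base_url, use_v2):
    """Credential document, or None when the service refuses. use_v2=False is
    the single unauthenticated GET a shell on the box (or an SSRF through it)
    can issue; use_v2=True does the PUT-then-GET handshake IMDSv2 requires."""
    headers = {}
    if use_v2:
        headers[TOKEN_HDR] = _http("PUT", base_url + "/latest/api/token", {TTL_HDR: "21600"})
    try:
        role = _http("GET", base_url + CREDS_PATH, headers)
        return json.loads(_http("GET", base_url + CREDS_PATH + role, headers))
    except urllib.error.HTTPError as err:
        if err.code == 401:
            return None
        raise


def cli_environment(creds):
    """The variables through which the AWS CLI picks up such credentials anywhere."""
    return {"AWS_ACCESS_KEY_ID": creds["AccessKeyId"],
            "AWS_SECRET_ACCESS_KEY": creds["SecretAccessKey"],
            "AWS_SESSION_TOKEN": creds["Token"]}


def demo():
    """Both client styles against both server modes; True = credentials obtained."""
    results = {}
    for require_token in (False, True):
        server, base = start_fake_imds(require_token)
        try:
            for label, use_v2 in (("v1", False), ("v2", True)):
                results[(label, require_token)] = fetch_role_credentials(base, use_v2) is not None
        finally:
            server.shutdown()
            server.server_close()
    return results
```

With tokens optional, both the one-line GET and the session handshake yield the keys; with tokens required, only the client that can first issue a PUT gets them. That does not stop someone with a shell on the instance, but it does stop the common case of a request-forwarding bug in a web application or proxy being turned into a credential read, and once the three variables from `cli_environment` are exported, `aws s3 ls` and `aws s3 sync` work from any machine the credentials are carried to.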

Now that you understand IAM roles, we can talk about what Paige Thompson did:

  1. She gained access to the server (an EC2 instance) through a hole in the firewall

    Whether it was security groups/ACLs or their web application firewall, the hole was very easy to plug, as the official records state.

  2. Once on the server, she could "pretend" to be the server itself
  3. Since the server's IAM role allowed S3 access to those 700+ buckets, she could access them too

From that moment on, all she had to do was run a List Buckets command and then a Sync command from the AWS CLI...
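Those two commands do leave a trail. As an added example (not from the original article, and using constructed CloudTrail records rather than real logs), the detector below flags an EC2 instance-role session being used from an address outside the account's own network, which is what credentials carried off the instance look like, and separately flags `ListBuckets` calls made with an instance role at all. The role ARN, account id, bucket names and trusted address ranges are all hypothetical.

```python
"""Detect EC2 instance-role credentials being used from outside the
account's own network (the pattern GuardDuty reports under its
InstanceCredentialExfiltration finding types), plus instance-role bucket
enumeration. Added example for this page; the records are constructed in
CloudTrail's shape, not real logs, and the trusted ranges are hypothetical.
"""
import ipaddress
import json

# Where this account's instance-role sessions legitimately originate:
# the VPC's NAT/EIP egress block and the VPC itself (assumption).
TRUSTED_NETWORKS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "10.0.0.0/16")]

ROLE_ARN = "arn:aws:sts::123456789012:assumed-role/example-web-role/i-0abc123def456"

# Constructed CloudTrail records rendered one JSON document per line, trimmed
# to the fields the detection needs.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"eventTime": "2019-03-22T10:15:00Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "sourceIPAddress": "203.0.113.10", "userIdentity": {"type": "AssumedRole", "arn": ROLE_ARN},
     "requestParameters": {"bucketName": "example-app-assets"}},
    {"eventTime": "2019-03-22T21:01:00Z", "eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "sourceIPAddress": "198.51.100.77", "userIdentity": {"type": "AssumedRole", "arn": ROLE_ARN}},
    {"eventTime": "2019-03-22T21:02:00Z", "eventSource": "s3.amazonaws.com", "eventName": "ListObjects",
     "sourceIPAddress": "198.51.100.77", "userIdentity": {"type": "AssumedRole", "arn": ROLE_ARN},
     "requestParameters": {"bucketName": "customer-data-2018"}},
    {"eventTime": "2019-03-22T21:03:00Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "sourceIPAddress": "198.51.100.77", "userIdentity": {"type": "AssumedRole", "arn": ROLE_ARN},
     "requestParameters": {"bucketName": "customer-data-2018"}},
    {"eventTime": "2019-03-22T21:05:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "sourceIPAddress": "198.51.100.5",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/ops-admin"}},
])


def parse_events(text):
    """One CloudTrail record per line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_instance_role_session(identity):
    """AssumedRole sessions named after an instance id come from EC2 instance
    profiles, not from humans, Lambda or cross-account automation."""
    if identity.get("type") != "AssumedRole":
        return False
    return identity.get("arn", "").rsplit("/", 1)[-1].startswith("i-")


def off_network_role_usage(events, trusted=TRUSTED_NETWORKS):
    """Group instance-role calls from untrusted source IPs into alerts."""
    alerts = {}
    for ev in events:
        ident = ev.get("userIdentity", {})
        if not is_instance_role_session(ident):
            continue
        src = ev.get("sourceIPAddress", "")
        try:
            ip = ipaddress.ip_address(src)
        except ValueError:
            continue  # service-initiated calls carry a DNS name here, not an IP
        if any(ip in net for net in trusted):
            continue
        alert = alerts.setdefault((ident["arn"], src), {
            "role_session": ident["arn"], "source_ip": src,
            "first_seen": ev["eventTime"], "events": [], "buckets": set()})
        alert["events"].append(ev["eventName"])
        bucket = ev.get("requestParameters", {}).get("bucketName")
        if bucket:
            alert["buckets"].add(bucket)
    return list(alerts.values())


def bucket_enumeration(events):
    """An application server has little reason to list every bucket in the
    account; ListBuckets from an instance role is worth a look on its own."""
    return [ev for ev in events
            if ev.get("eventName") == "ListBuckets"
            and is_instance_role_session(ev.get("userIdentity", {}))]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for a in off_network_role_usage(evs):
        print(f"{a['first_seen']} {a['role_session']} used from {a['source_ip']}: "
              f"{a['events']} touching {sorted(a['buckets'])}")
    for ev in bucket_enumeration(evs):
        print(f"{ev['eventTime']} bucket enumeration from {ev['sourceIPAddress']}")
```

Note that the `GetObject` records only exist if S3 data events are enabled in CloudTrail; with management events alone you still see the `ListBuckets` call and the odd source address, which is enough to open a ticket the same day rather than four months later.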

Capital One estimates the damage from the breach at between $100 million and $150 million. Preventing damage like that is why companies invest so much in cloud infrastructure security, DevOps and security specialists. And how much is it worth, and is moving to the cloud worth it? So much so that, despite the cybersecurity challenges, the overall public cloud market grew 42% in the first quarter of 2019!

The moral of the story: check your security; run audits regularly; respect the principle of least privilege in your security policies.

(You can read the full legal complaint here.)

source: www.habr.com
