More US Lawmakers Questioning Capital One, Amazon
August 7, 2019 / Source: Bank Info Security
Massive Data Breach Draws Bipartisan Attention
Akshaya Asokan (asokan_akshaya) • August 7, 2019
A little more than a week after the data breach at Capital One was revealed, more U.S. lawmakers are raising questions about what happened at the bank, including what role, if any, Amazon Web Services and its cloud technologies and services played in opening the door to the intrusion.
U.S. Sen. Ron Wyden, D-Oregon, is the latest lawmaker to raise questions about what happened at Capital One and what security precautions were taken when it comes to Amazon's cloud services.
Wyden's concerns come a few days after some Republican congressmen raised concerns and asked for a briefing.
Questions Posed to Bezos
In a letter to Amazon CEO Jeff Bezos, Wyden questions the security practices followed by Amazon Web Services and how the company secures its cloud-based AWS Simple Storage Service, also known as an S3 bucket.
The FBI alleges that the Capital One hacker bypassed a misconfigured firewall within the bank's network and then gained access to where data was stored within the cloud infrastructure the company used.
Although not named in any court documents, published reports say that Capital One used AWS for its cloud infrastructure, storing data in S3 buckets. In his letter, Wyden notes that media reports indicate that other organizations – such as Ford, the Ohio Department of Transportation and Michigan State University – that have used Amazon's cloud services are also investigating whether the same hacker attempted to access data stored in their cloud infrastructure.
Amazon's customers are responsible for securing their S3 buckets, but Wyden in his letter asks Amazon why it's not doing more to ensure security.
“If Amazon's cloud services are found to be the common element in a series of high-profile hacks targeting large corporations, it would raise serious questions about whether other corporations and government entities that use Amazon's cloud computing products are also vulnerable,” Wyden writes.
The senator also takes issue with how Amazon places the security burden on its customers, noting: “If several organizations all make similar configuration errors, it is time to ask whether the underlying technology needs to be made safer and whether the company that makes it shares responsibility for the breaches.”
Wyden Presses for Clarity
In his letter, Wyden raises four questions regarding Amazon's cloud computing services. He asks for a response by Aug. 13.
Wyden asks whether Amazon is aware of a web application vulnerability called server-side request forgery. Some media reports speculate that Paige Thompson, the alleged hacker, may have leveraged this vulnerability in the breach of Capital One, and Wyden wants to know whether any other Amazon customers may have been affected by it or raised concerns with the company about such a flaw (see: Capital One's Breach May Be a Server Side Request Forgery).
The Wyden letter also questions whether any other Amazon customers experienced a breach related to issues within the company's metadata services.
Wyden also points to a deleted tweet from a Netflix security software engineer, who had requested an additional layer of protection to help secure Amazon's metadata services against these types of server side request forgery vulnerabilities.
“Please confirm whether or not Amazon in fact received a request from Netflix to add such security protection and describe what steps, if any, Amazon took after receiving this feature request,” Wyden asks in his letter.
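The server-side request forgery concern raised in the letter is that a web application can be coaxed into fetching an internal address such as the cloud instance metadata service. The following is an added example, not code from the article, Amazon, Capital One or Netflix: a defensive outbound-URL check an application can run before fetching a user-supplied URL. It assumes the AWS metadata endpoint's well-known link-local address 169.254.169.254 and uses an injectable resolver so it can be exercised offline.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Added example: refuse outbound fetches to link-local, loopback and private
# ranges, which is where the EC2 instance metadata service (169.254.169.254)
# lives. Not the article's, Amazon's or any named company's code.
BLOCKED_NETWORKS = [
    ipaddress.ip_network("169.254.0.0/16"),  # link-local, incl. metadata service
    ipaddress.ip_network("127.0.0.0/8"),     # loopback
    ipaddress.ip_network("10.0.0.0/8"),      # RFC 1918 private ranges
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("0.0.0.0/8"),       # "this network"
    ipaddress.ip_network("::1/128"),         # IPv6 loopback
    ipaddress.ip_network("fe80::/10"),       # IPv6 link-local
    ipaddress.ip_network("fd00::/8"),        # IPv6 unique-local
]


def resolve_all(host):
    """Resolve a hostname to every address it maps to (IPv4 and IPv6)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def check_outbound_url(url, resolver=resolve_all):
    """Return (allowed, reason). `resolver` is injectable for offline tests;
    by default it performs a real DNS lookup via socket.getaddrinfo."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    host = parsed.hostname
    if not host:
        return False, "missing host"
    try:
        addrs = resolver(host)
    except (socket.gaierror, ValueError) as exc:
        return False, f"resolution failed: {exc}"
    for addr in addrs:
        ip = ipaddress.ip_address(addr)
        # Unwrap IPv4-mapped IPv6 (::ffff:169.254.169.254) before matching,
        # otherwise the IPv4 block list would be bypassed.
        if ip.version == 6 and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped
        if any(ip in net for net in BLOCKED_NETWORKS):
            return False, f"{host} resolves to blocked address {addr}"
    # Caveat: a second lookup at fetch time can return a different answer
    # (DNS rebinding); production code should connect to the vetted address.
    return True, "ok"
```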
Capital One Fallout
The data breach, which affected nearly 106 million U.S. and Canadian residents, led to the arrest on July 29 of Paige A. Thompson. Thompson, who lives in the Seattle area, worked for Amazon Web Services for a short time (see: Woman Arrested in Massive Capital One Data Breach).
The breach has already led to several class-action lawsuits against Capital One, as well as GitHub, the online code repository where Thompson allegedly posted some details of the intrusion (see: Capital One Data Breach Spurs More Lawsuits).
In addition to the FBI, the New York Attorney General's office is investigating the breach (see: NY Attorney General Investigates Capital One; Lawsuits Loom).
The data breach – and what Capital One and Amazon could have done to prevent it – has drawn attention from lawmakers on both sides of the aisle who want to question executives from both companies.
In an Aug. 1 statement, Republicans on the House Oversight Committee raised concerns with Bezos and Amazon Web Services over security protocols and requested that the full committee thoroughly review the data breach.
The Republicans have asked for a briefing by Aug. 15.
“Because AWS will provide the trusted internet connection and cloud support for the 2020 Census and could potentially run the Department of Defense's Joint Enterprise Defense Infrastructure cloud computing system, the committee may carefully examine the consequences of this breach,” the Republicans wrote in their letter to Bezos.
An Amazon spokesperson could not be immediately reached for comment.