Again, it’s Facebook, that made news with a data breach. TechCrunch reported first about midnight Euroean time, but it’s all over the news by today, noon. It’s time to realize social media is a mistake.
Earlier this week, it became public that Capital One was victim to a privacy leak, affecting more than 100 million of their customers. News revealed details about the source of the attack, that apparently an individual conducted and bragged about it publicly.
Now, a few days later and more facts known, the always excellent Krebs on Security blog offers some lessons learned from the incident. It has good statements from Netflix, CloudFlare, DisruptOS and AWS personnel, including citations about the involvement of IAM, EC2 and WAF. In particular, it points out mitigations that AWS recommends in response to Server Side Request Forgery (SSRF).
Interesting is the conclusion that Rich Mogull comes to, that the industry is facing a major gap in skills, related to this kind of cloud security. Basic skill and availability thereof has always been a major gap in the entire industry. Only with the arrival of cloud it becomes more sparse. Mostly, because corporations maintain both their existing data centers and new cloud infrastructure, leaving out on the opportunity to become more secure in the cloud.
In short: because there is no reliable metric to make the impact transparent to shareholders and customers.
Students at the “Universität des Saarlandes” found almost 40k MongoDB instances, apparently with no security at all. Access to these databases includes write credentials.