According to KrebsOnSecurity.com (8/2/2019 blog post), the massive Capital One security breach started with a misconfigured WAF site running ModSecurity, which was running on Amazon Web Services. My summary of his report: An AWS employee exploited the WAF misconfiguration to get application-identity credentials assigned to the WAF site or its server. The application-identity credentials were used to query the Amazon metadata information. The application-identity account was overconfigured, so it gave her keys to the kingdom instead of limiting her to the data the application need to reference. She took full advantage of the keys. Since our WAF log files make it painfully obvious that UTM uses ModSecurity under the covers, I have been hoping someone (Sophos) could provide some information to assure us that a similar compromise is not feasible in the appliance environment, as well as guidance to ensure that it is not accidentally possible in the cloud environment. Maybe its too soon to tell since details are hard to come obtain in a situation like this, bu tI can hope. (For AWS users, the KrebsOnSecurity article refers to some Amazon utilities that can help check for configuration best practices.)

This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Responding to the Capital One security breach?

According to KrebsOnSecurity.com (8/2/2019 blog post), the massive Capital One security breach started with a misconfigured WAF site running ModSecurity, which was running on Amazon Web Services. My summary of his report:

An AWS employee exploited the WAF misconfiguration to get application-identity credentials assigned to the WAF site or its server.
The application-identity credentials were used to query the Amazon metadata information.
The application-identity account was overconfigured, so it gave her keys to the kingdom instead of limiting her to the data the application need to reference.
She took full advantage of the keys.

Since our WAF log files make it painfully obvious that UTM uses ModSecurity under the covers, I have been hoping someone (Sophos) could provide some information to assure us that a similar compromise is not feasible in the appliance environment, as well as guidance to ensure that it is not accidentally possible in the cloud environment. Maybe its too soon to tell since details are hard to come obtain in a situation like this, bu tI can hope.

(For AWS users, the KrebsOnSecurity article refers to some Amazon utilities that can help check for configuration best practices.)

This thread was automatically locked due to age.

0 Jaydeep over 4 years ago

Hi DouglasFoster

Do you have the link of that article? For any official word or guide, you would require to create a case with Sophos Support and get that information. I will check with our team and see if there's anything we need to take care of in regards to this issue.

Regards

Jaydeep
Cancel
Vote Up 0 Vote Down

Cancel
0 DouglasFoster over 4 years ago in reply to Jaydeep

I try to avoid including non-Sophos links in my posts, partly as a courtesy and partly because I thought the moderation rules restricted doing so. Based on some of the spam entries I have encountered, it appears that such a restriction is not actually in place, but perhaps badly needed. However, since you asked, this is the link to the full article.

https://krebsonsecurity.com/2019/08/what-we-can-learn-from-the-capital-one-hack/#more-48424

I read Krebs intermittently, but I have found his blog to be well informed. The website has ads, but I have not detected threat content in any of the ads.
Cancel
Vote Up 0 Vote Down

Cancel