2019-07-31 16:16 US News Network (美国新闻网)
Cloud computing giant Amazon has distanced itself from the massive leak of customer data from Capital One, saying clients are responsible for their own applications.
Yesterday, the financial services company confirmed the breach impacted roughly 100 million individuals in the U.S. and approximately six million people in Canada. Data stolen included 140,000 social security numbers of credit card customers and 80,000 bank account numbers.
According to Capital One, the details were stolen in March via a misconfigured firewall. The personal data was related to people who had applied for the company's credit card products.
In the wake of the incident, Amazon has refused any blame for the intrusion, as The New York Times reported. The Jeff Bezos-owned technology giant said in a statement there was no evidence that its cloud computing services had been compromised by hackers.
An Amazon Web Services spokesperson told Newsweek: "AWS was not compromised in any way and functioned as designed. The perpetrator gained access through a misconfiguration of the web application and not the underlying cloud-based infrastructure. As Capital One explained clearly in its disclosure, this type of vulnerability is not specific to the cloud."
Leaky AWS buckets have been responsible for a stunning amount of unwanted data disclosures in recent years. In July, cybersecurity company UpGuard revealed that an IT contractor called Attunity had a misconfigured server which exposed customer data from a number of other firms, including Netflix and Ford. In 2017, files were leaked from an unsecured database that exposed data of nearly 200 million U.S. voters.
Amazon has always stressed that AWS provides its clients with full "ownership and control" of how they store—and protect—personal or sensitive information. It claims to offer "sophisticated technical and physical controls" that are designed to help combat any unauthorized access.
"As a customer, you maintain full control of your content and responsibility for configuring access to AWS services and resources," Amazon says on its website about the cloud service, adding a single key line that absolves it of leak-blame: "You choose how your content is secured."
Indeed, in many cases AWS data exposures are not the result of technical hacking tricks. In the Attunity case, for example, the files were public and visible in plain text, Bloomberg noted. In the 2017 election leak, cyber researchers said the files were not protected by a password.
The FBI has arrested a 33-year-old suspect, Paige A. Thompson, in relation to the Capital One incident, noting she used the name "erratic" online.
A criminal complaint said Thompson, who formerly worked at Amazon, had threatened to distribute data obtained from the bank. The suspect allegedly wrote during a Slack conversation in June: "I've basically strapped myself with a bomb vest, fucking dropping capital ones dox and admitting it. I wanna distribute those buckets I think first." She said files contained social security numbers, full names and dates of birth.
Thompson has been charged with one count of computer fraud and abuse. According to the Department of Justice (DoJ), the fraud is punishable by up to five years in prison and a $250,000 fine. Thompson's hearing will take place August 1.
Officials said leaked Capital One data was initially uploaded to a code repository website known as GitHub, prompting an individual to bring it to administrators' attention on July 17. Federal agents searched the suspect's Seattle home yesterday and claimed to have seized digital storage devices, including one that contained a copy of the exfiltrated bank data. The complaint said Thompson "recognizes that she has acted illegally."
Richard Fairbank, CEO of Capital One, said: "While I am grateful that the perpetrator has been caught, I am deeply sorry for what has happened. I sincerely apologize for the understandable worry this incident must be causing those affected and I am committed to making it right."