Senators Push for FTC Probe Into Amazon Over Capital OneLawmakers Ask FTC to Investigate Whether Amazon Broke Federal Law
Democratic lawmakers are urging the U.S. Federal Trade Commission to open an investigation into whether Amazon violated federal law by failing to the prevent Capital One's devastating data breach.
See Also: Role of Deception in the 'New Normal'
In a letter Thursday to FTC Chairman Joseph Simons, Sen. Ron Wyden (D-Ore.) and Sen. Elizabeth Warren (D-Mass.) contend that Amazon was aware of the dangers of a server-side request forgery flaw - the type security vulnerability that lead to the breach - as far back as 2014.
"Amazon knew, or should have known, that AWS was vulnerable to SSRF attacks," they write. "Although Amazon's competitors addressed the threat of SSRF attacks several years ago, Amazon continues to sell defective cloud computing services to businesses, government agencies and to the general public."
Amazon officials couldn't immediately be reached for comment. But the company told The Wall Street Journal that the letter marked a "baseless and a publicity attempt from opportunistic politicians." It dismissed the importance of the SSRF issue in Capital One's breach, saying that "was just one of many subsequent steps the perpetrator followed after gaining access to the company's systems, and could have been substituted for a number of other methods."
SSRF: Gaining Credentials
Capital One's data breach sent a wave of fear through the financial sector. The company has aggressively embraced technology, including cloud computing.
But secure cloud computing also depends much on the service provider. Amazon draws strict lines over what is its responsible and what its clients are responsible for maintaining. Still, cloud computing is a relatively new field, and the security requirements and controls are ever changing, which can prove challenging for administrators.
Amazon has indicated errors on the part of Capital One led to the breach. The breach exposed more than 106 million customer financial records, including credit card applications, in the U.S. and Canada, dating back to 2005.
Paige A. Thompson, 33, of Seattle, who was arrested and charged in connection with the breach, has pleaded not guilty. Thompson, who worked for about a year Amazon in its web services and storage division, is additionally accused of stealing data from more than 30 other businesses and organizations (see: Alleged Capital One Hacker Pleads Not Guilty).
An SSRF attack involves tricking a server into accessing a resource it shouldn't be touching on behalf of the attacker. In the Capital One breach, it appears the company misconfigured a firewall and also allotted too many permissions to it. Then, it is believed the attacker successfully exploited an SSRF vulnerability to gain credentials for a role via AWS's metatdata service, which doles out fresh credentials (see Capital One's Breach May Be a Server Side Request Forgery).
From there, the attacker listed the storage buckets behind the firewall and copied more than 700 folders hosted on Amazon's S3, security experts believe.
Amazon: 'Humans Make Mistakes'
Amazon likely knew that AWS was vulnerable to SSRF "since the first high-profile demonstration by a cybersecurity researcher in 2014, the company has certainly known since mid-2018 at the latest," Wyden and Warren allege.
"In August of 2018, Amazon's security team was contacted by email by a cybersecurity expert who recommended that Amazon adopt the same cybersecurity defense against SSRF attacks already used by Google and Microsoft," they write.
The letter includes redacted emails from late August sent to Amazon by someone who warned that it should use host headers like Google does in order to protect AWS metadata services.
In response to an earlier inquiry from Wyden, Amazon told him in a letter on Aug. 13 that "we are not aware of any other noteworthy SSRF compromises of AWS customers. It's possible that there have been small numbers of these that haven't been escalated to us, but none that we have confirmed at any significant scale beyond Capital One."
Amazon maintained that the first line of defense is a properly configured firewall. Also, Amazon says it gives its customers clear guidance on how to protect themselves from SSRF attacks. "We also offer our own AWS web application firewall, which has expansive capabilities through which customers can completely block SSRF and other attacks," it said.
Amazon said Capital One is a "sophisticated and thoughtful company" but "sometimes humans make mistakes."