入侵Capital One的黑客是如何从云端窃取数据的？

PHOTO: JOHANNES EISELE/AGENCE FRANCE-PRESSE/GETTY IMAGES

The woman who allegedly pulled off one of the largest-ever bank-data heists appeared to have exploited a vulnerability in the cloud that security experts have warned about for years.

一名女性被指实施了有史以来最大的银行数据盗窃案之一，而她似乎是利用了安全专家多年来一直在提醒人们要警惕的一个云端漏洞。

Paige A. Thompson, a former employee at Amazon.com Inc. ’s cloud-computing unit who was arrested July 29, is accused of carrying out the massive theft of 106 million Capital One Financial Corp. records.

这名女性名叫佩姬·汤姆森，是亚马逊(Amazon.com Inc., AMZN)云计算部门的前雇员，她于7月29日被捕，罪名是盗窃了Capital One Financial Corp.的1.06亿条记录。

Capital One has said “a specific configuration vulnerability” led to the data loss.

Capital One方面称，“一个配置漏洞”导致了这次数据失窃。

Ms. Thompson was allegedly able to find an opening in Capital One’s systems and exploit a weakness in some misconfigured networks, according to a Wall Street Journal analysis of hundreds of Ms. Thompson’s online messages and interviews with people familiar with the investigation. Security professionals for years have warned about that gap, which the messages and interviews suggest she used to trick a system in the cloud to uncover the sensitive credentials she needed to access the vast number of customer records.

根据《华尔街日报》(Wall Street Journal)对汤姆森成百上千条网络留言进行的分析以及对了解此次调查的人士进行的采访，汤姆森据称能够发现Capital One系统的一个入口，并利用某些配置错误的网络中的弱点钻了空子。而多年来，安全专业人士一直在警告这个漏洞，网络留言和对上述人士的采访显示，她利用这个空子骗过了云上的一个系统，找到获取大量消费者记录所需的敏感的身份验证信息。

Ms. Thompson, in online messages in accounts that prosecutors have said were hers, claimed to have also applied those techniques to access a trove of online data from other organizations. The messages were posted in online forums.

汤姆森在用多个账号发布在网络论坛上的留言中称，她还利用这些技术手段获取了其他机构的大批网络数据。检方表示，这几个账号都是她的。

Ms. Thompson’s lawyer didn’t respond to requests for comment. She remains in detention and is scheduled for a bail hearing on Aug. 15.

汤姆森的律师没有就此事置评。她目前仍被羁押，保释聆讯在8月15日举行。

At the heart of the digital break-in was Ms. Thompson’s apparent ability to tap into a central piece of Amazon’s cloud technology known as its metadata service. It holds the credentials and other data needed to manage servers in the cloud. The credentials effectively are the computer world’s equivalent to the keys to a bank vault.

这次数据侵入的关键在于汤姆森能够接触到亚马逊云科技的核心，即元数据服务。这一服务保存著管理云上服务器所需的身份验证信息和其他数据。在计算机世界里，这些身份验证信息在实质上就等同于打开银行金库的钥匙。

In the first step of her alleged hack that began in March, according to her online postings, Ms. Thompson ran a scan of the internet to find vulnerable computers that could give her access to a company’s internal networks. Effectively, she knocked on many front doors to hunt for ones that were unlocked.

据她发布在网上的帖子，此次被指控的侵入行为开始于今年3月。她的第一步行动是在互联网上搜索存在漏洞的计算机，从而使她可以进入一家公司的内网。换句话说，她敲了很多家公司的“前门”，看看有哪些没锁门。

In the case of Capital One, she found that a computer managing communications between the company’s cloud and the public internet was misconfigured—effectively it had weak security settings—according to people familiar with the investigation. The door was open.

据了解此次调查的人士透露，在Capital One一案中，汤姆森发现一台管理企业云与公共网络之间通讯的计算机存在错误配置，实际上，这台计算机的安全设置很薄弱。那扇门是开着的。

Through that opening, she was successfully able to request the credentials needed to find and read Capital One’s cloud-stored data from a system on the Amazon cloud, called the metadata service, where that information is stored, the people said.

这位人士说，通过这个入口，汤姆森能成功从亚马逊云上一个称为元数据服务的系统发出请求，要求获得存储在那里的身份验证信息。这些身份验证信息是寻找并读取Capital One的云存储数据所必不可少的。

“Dude so many people are doing it wrong,” Ms. Thompson said in a June 27 online message, referring to how some companies were incorrectly configuring their servers.

汤姆森在6月27日的一条网络留言中说，“哥们儿，很多人干的活儿都不对啊”，她指的是一些公司错误配置了服务器。

Once she found the Capital One data, she was able to download it, the people familiar with the investigation said. All, apparently, without triggering any alerts.

该了解调查的人士称，她一旦找到了Capital One的数据，就能够下载它。显然，所有这一切都没有触发任何警报。

Amazon said in a statement that none of its services—including the metadata service—were the underlying cause of the break-in and that it offers monitoring tools designed to detect this type of incident.

亚马逊在一份声明中称，其包括元数据服务在内的所有服务都不是造成此次侵入的根本原因，而且该公司提供了检测这类事故的监控工具。

It is unclear why none of these alerting tools appear to have triggered alarm bells at Capital One.

目前还不清楚这些预警工具为什么似乎都没有触发Capital One的警报。

A Federal Bureau of Investigation affidavit said a Capital One error enabled the breach. Capital One said it now has fixed the configuration problem.

美国联邦调查局(Federal Bureau of Investigation，简称FBI)在一份书面证词中称，是Capital One的一个失误让这次侵入成为可能。Capital One方面称，目前已经对配置问题进行了修复。

Some security experts say that Amazon should do more to alert its customers about these configuration errors. Others say, given that cloud security is a shared responsibility, corporate customers have to do their part.

一些安全专家称，亚马逊应该就这些配置错误加强客户预警工作。另一些人则表示，鉴于云安全是一项共同责任，企业客户也应做好自己的份内事。

Amazon has said it has several tools to help mitigate configuration slip-ups.

亚马逊已表示，该公司有多种工具可以帮助降低配置失误风险。

Prosecutors have said that Ms. Thompson began her hacking on March 12, but Capital One didn’t learn of it until it was tipped off by an outside researcher 127 days later.

检方表示，汤姆森的侵入行为始于3月12日，但Capital One一直被蒙在鼓里，直到127天后得到一名外部调查人员的通风报信。

Security professionals have known about one of these misconfiguration problems—the ability to pilfer credentials from the metadata service—since at least 2014, said Scott Piper, who advises companies on their Amazon cloud security. Amazon has considered it the customer’s responsibility to eradicate them, he said, and some customers have failed to do so.

为企业提供亚马逊云顾问服务的Scott Piper称，至少从2014年开始，网络安全专业人士就知道其中一个配置错误问题，即从元数据服务盗取身份验证信息。他表示，亚马逊一直认为根除这些问题的责任在于客户，而一些客户并没有做到这一点。

Brennon Thomas, a security researcher, conducted an internet scan in February and found more than 800 Amazon accounts that allowed similar access to the metadata service. Amazon’s cloud-computing service boasts more than one million users.

今年2月份，安全调查人员Brennon Thomas在互联网上做了一次检测，发现超过800个亚马逊账户允许类似的访问元数据服务的行为。亚马逊云计算服务宣称自己拥有一百多万用户。

That Capital One was a victim has surprised some researchers. The bank performed extensive due diligence before deciding, in 2015, to embrace the cloud, company officials have said. “Capital One is well-known among people that do cloud security for having one of the strongest teams out there,” Mr. Piper said.

Capital One沦为此次事件受害者让一些调查人员感到意外。该公司管理层曾表示，2015年该行在决定接入云服务之前进行了大量的尽职调查。Piper称，“Capital One在云安全专业人士中以拥有最强大的团队之一著称。”

The Capital One data breach isn’t the first time data stored in the cloud has been stolen. But the fact that the fifth-largest U.S. credit-card issuer has become a victim is reviving concerns about cloud computing. Capital One was an early adopter of cloud computing and is featured as a case study on the AWS website.

此次Capital One的数据侵入事件并非云端数据首次被盗。但这家美国第五大信用卡发行方成为受害者的事实却再次引发人们对云计算的担忧。Capital One是云计算的早期用户，并在AWS网站上作为案例研究被重点展示。

The Federal Reserve, independent of the hack, has already been scrutinizing the use of the cloud to store sensitive financial records, the Journal has reported.

《华尔街日报》曾报道称，置身于这次入侵事件之外的美国联邦储备委员会(Federal Reserve, 简称∶美联储)已经对使用云技术存储敏感财务记录的行为展开了审查。

Ms. Thompson, in a posting from one of the accounts that prosecutors said was hers, implied that she used such techniques to target other companies’ cloud-computing accounts, including Italian bank UniCredit SpA and Ford Motor Co. Both companies have said they are looking into it. The FBI has opened an investigation into the other targets that it suspects Ms. Thompson might have hit.

汤姆森曾通过一个账号发帖，暗示其他公司的云计算账户也成了她故技重施的目标，其中包括意大利裕信银行(UniCredit SpA)和福特汽车公司(Ford Motor Co.)。检方认定这个账户属于汤姆森。裕信和福特表示他们正在调查此事。FBI怀疑汤姆森可能还攻击了其他目标，并就此启动了一项调查。

Ms. Thompson’s alleged actions may have gone unnoticed for far longer if she hadn’t posted details of her hack online.

如果不是汤姆森在网上发布了她非法侵入的细节，她被指控的这些行为恐怕还会在相当长时间内不被察觉。

Robert McMillan

Updated Aug. 14, 2019 6:21 pm ET

（本文版权归道琼斯公司所有，未经许可不得翻译或转载。）