Capital One, Amazon, Cats, and the Common Infrastructure Play

July 31, 2019

I read “Hacking Suspect Acted Oddly Online.” (Note: the online story is paywalled by Rupert Murdoch. You may  be able to get a peek at the dead tree version of this story in the Wall Street Journal for July 31, 2019.) Yep, Internet cat angle, self incrimination, and public content dissemination. That’s a plot hook which may make a great Lifetime or Netflix program. Amazon is likely to pass on funding the film version of this now familiar story.

Here’s the plot:

There’s the distraught financial institution, in this case, the lovable Capital One. This is the outfit known for “what’s in your pocket”? Good question. The financial outfit teamed up with Amazon in 2015, and according to the “real news” outfit:

In 2015, Capital One Chief Information Officer Rob Alexander said, “The financial services industry attracts some of the worst cyber criminals. So we worked closely with the Amazon team to develop a security model, which we believe enables us to operate more securely in the public cloud than we can even in our own data centers.”

That sounds darned good, but data affecting about 100 million people was breached. That number has not been verified to my satisfaction, and DarkCyber awaits additional data. But 100 million is a good enough number for the story.

Next we have a protagonist with some employment history at Amazon. Remember that this is the cloud service which was in the chain of data compromise. But — and this is important — Amazon was not at fault. The security problem was a is configured bit of “infrastructure.” Plus, the infrastructure which was the point of weakness is “common to both cloud and on premises data center environments.”

The story ends with a suspect. If the program becomes a mini series, we will follow the protagonist with empathy for cats through a trial, and perhaps a variation on the story weaving of “Orange Is the New Black.”

What’s missing from the analysis in the “real news” outlets? Here in Harrod’s Creek, Kentucky, we think of Amazon as an outfit with nifty white Mercedes Benz vans and fast moving van drivers.

But a couple of the pundits lounging in the convenience story / tavern floated some ideas:

  1. Why is Amazon not providing a system to address misconfiguration? It seems that 100 million people are now aware of this dropped ball.
  2. Why is an Amazon person, presumably with Amazon expertise, behaving in a manner that appears problematic? If the person was hired, what’s the flaw in the Amazon hiring process? If the person was terminated for a germane reason, why was the person not given appropriate “support” to make the transition from Amazonian to a person with unusual online activities? How does Amazon prevent information from being used by a former employee? What can be improved? Are there other former Amazon employees who are able to behave in an allegedly problematic way?
  3. Why is the problem “common” to use Capital One’s alleged word quoted in the WSJ story? There are dozens upon dozens of firms which are marketing themselves as cyber safeguard providers. Are these services used by Amazon, or is Amazon relying on home grown solutions. There are indeed Amazon’s own security tools. But are these findable, usable, reliable, and efficacious? Security may be lost in the thicket of proliferating Amazon products, services, and features. In effect, is it possible that Amazon is not doing enough to prevent such security lapses associated closely with its cloud solutions.

Stepping back, let’s think about this incident in a cinematic way:

  1. A giant company offering services which are so complex that problems are likely to result from component interactions, blundering customers, and former employees with a behavior quirk.
  2. A financial services firm confident of its technical competence. (Note that this financial firm with a previous compliance allegation which seemed to pivot on money laundering and ended with a $100 million fine. See “Compliance Weaknesses Cost Capital One $100M”, October 23, 2018. You will have to pay to view this allegedly accurate write up.
  3. A protagonist who seemed to send up distress flags via online communication channels.

What’s the big story?

Maybe there’s a “heart of darkness” with regard to security within the Amazon jungle.

To which jungle was Joseph Conrad, author of the “Heart of Darkness” referring?

“Nowhere did we stop long enough to get a particularized impression, but the general sense of vague and oppressive wonder grew upon me. It was like a weary pilgrimage amongst hints for nightmares.”

Psychological, digital, or financial? With the JEDI contract award fast approaching, will the procurement officials interpret the Capital One breach as a glimpse of the future. Maybe Oracle is correct in its view of Amazon?

Stephen E Arnold, July 31, 2019

Comments

Comments are closed.

  • Archives

  • Recent Posts

  • Meta