[HN Gopher] Fintech App Switch Leaks Users' Transactions and Per...
___________________________________________________________________
Fintech App Switch Leaks Users' Transactions and Personal IDs
Author : digitalrealme
Score : 96 points
Date : 2022-04-27 15:01 UTC (7 hours ago)
(HTM) web link (vpnoverview.com)
(TXT) w3m dump (vpnoverview.com)
| djohnston wrote:
| Web2 is going great! Molly write about it!
| rvz wrote:
| They won't despite the fact that such information is going to
| be leaked and forever cached, crawled, copied and archived all
| over the internet.
|
| Good luck playing whack-a-mole with your leaked personal
| information.
| tomatowurst wrote:
| Without harsh enforcement, this type of negligence will just
| continue.
| MikeDelta wrote:
| Amazing that it took Grink 22 days to secure the files.
| jgaa wrote:
| They are SOC 2 compliant - so it must be OK ;)
|
| I mean, they can prove on paper that they are secure. Who cares
| about reality any more.
| dvtrn wrote:
| Boxes: Checked.
|
| I've grown a bit cynical as time goes on about this sort of
| stuff; not the need for the kinds of controls and checks behind
| SOC2, but cynical towards the lip service I continue to hear
| about it from the executives and leaders I find in many shops.
|
| The "InfoSec/CyberSecurity/DevSecOps" director is often a
| glorified send button. "The SIEM said do this, send to Devops,
| the auditor said do this, send to Devops, the vulnerability
| monitor noticed this, send to Devops, we were asked to provide
| evidence of this, send to Devops"...etc.
|
| 3 of the last 5 jobs I've been in since 2016 have had dedicated
| personnel with the words "Information Security" in their job
| titles, and all 3 of them were really good at sending me shit
| to do, talking about what they read in some infosec blog, and a
| CVE they read about.
|
| But here's the thing, I think I have a really good reason for
| this cynicism and I don't know how to resolve it:
|
| I don't know how confident I would be if these individuals were
| actually expected to build and contribute to the security
| effort beyond "send to Devops", but maybe they're not supposed
| to? Are "DevSecOps" people expected to actually...be involved
| in engineering too? Or do they just sit at the periphery
| throwing vulnerability assessments and threat modeling work?
| I've honestly only ever had the latter.
|
| Tried having this conversation with a friend who just finished
| an MSc in Cybersecurity and he seemed a bit offended by my
| inquiry, so I dropped it...but I am still insanely curious to
| know because I really doubt this experience is unique.
| gdfgjhs wrote:
| Same experience. It is so hard to have a conversation about
| any of the security requirements with our security team
| because they have no idea what they are asking.
|
| They only know to press some buttons and then send some
| reports.
| dvtrn wrote:
| I'm in the wrong daggone field, man.
| stock_toaster wrote:
| Yeah, this hits hard. Same experience here.
| htrp wrote:
| The Security guy has no responsibility without authority....
| his role exists because some regulation/best practice says it
| needs to exist and therefore it is created. Security is
| almost always relegated to an afterthought and as a result
| you end up receiving an e-mail.
| ROARosen wrote:
| This article just begs more questions:
|
| Why did they store PII, Identity documents unencrypted?
|
| What exactly was the reason for this breach?
|
| Why did it take VPNOverview's team a day to notify them?
|
| What did VPNOverview do with all that data until they notified
| Grink and afterwards?
|
| Why did it take Grink 22 days to secure the files?
|
| Why does the article describe the above as "as swiftly as
| possible"?
|
| Can Grink be fined/sued over this, or is that only possible once
| there is 'actual damage' proven?
| TedDoesntTalk wrote:
| > Why did they store PII, Identity documents unencrypted?
|
| Because it's easier to store and retrieve them unencrypted than
| encrypted
|
| > Why did it take VPNOverview's team a day to notify them?
|
| Sure, shoot the messenger. It does not say 24 hours. Maybe they
| discovered the breach at 10:00 PM local time and sent a
| notification at 6:00 AM the next morning.
| VWWHFSfQ wrote:
| a plaintiff would have to prove actual damage. otherwise what
| would their claim be
| duxup wrote:
| >they closed the breach as swiftly as possible
|
| >Grink updated their bucket security 22 days after we notified
| them of the breach.
|
| Open S3 bucket, 22 days to fix is "as swiftly as possible"?
| justinjlynn wrote:
| "as swiftly as possible" means nothing. Unless the announcement
| specifies a time, it's just the opinion of a party with an
| obvious conflict of interest. Either they list explicit dates
| and times or it's a worthless waste of text that makes me
| respect and trust the party even less.
| vorpalhex wrote:
| I'm starting to think we should just not allow developers to use
| s3 anymore. Despite Amazon plastering it with warnings, these
| breaches keep happening.
|
| That or we need to start fining heavily for breaches.
| ceejayoz wrote:
| > I'm starting to think we should just not allow developers to
| use s3 anymore.
|
| I don't know that the alternatives would be much better. People
| have inadvertently made folders on Apache wide open for decades
| now.
|
| AWS does more than average to combat it, I'd say. E-mail
| notifications, default configs, scary warnings, etc.
| figassis wrote:
| I still don't get the s3 breach issue. I mean, buckets are
| private by default. Why would anyone take any action to open an
| s3 bucket that stores logs? If you do nothing you're already
| halfway there. Or is there a failure mode that I'm not aware
| of?
| dragonwriter wrote:
| I'm guessing that there are lots of (public and internal)
| tools, documented workflows, etc., dealing with S3 buckets
| that implement very bad security defaults because it
| streamlines getting something apparently functional and
| working on it in a dev environment, even though AWS itself
| has secure defaults, and using those easy-for-dev approaches
| with live PII of otherwise critical data is a recipe for
| disaster.
|
| People often aren't starting with the AWS defaults, they are
| starting with an IaC (Cloud formation, CDK, Terraform)
| template they got from some other project.
| zo1 wrote:
| My take: S3 buckets have an "air" or "impression" of being
| easy to "host" publicly available "things". It's even one of
| their selling points, IIRC. I.e. hosting a PWA/index.html
| website on a bucket.
| e2le wrote:
| I suspect there is a degree of "not-caring" and/or incompetence
| among at least some of these developers. Banning their use of
| s3 likely isn't a solution, it's a culture problem.
| selecsosi wrote:
| You can enable public file ACL access restriction at the
| account level and issue authenticated/signed links for file
| access if required for general consumption. The idea that your
| data layer shouldn't be open to unauthenticated read from the
| public shouldn't be new to people but persists with somewhat
| "easy" buttons to enable behaviors.
|
| For static sites or other public access required files setting
| up cloudfront with an authenticated origin pull is pretty
| straightforward and in our case we use a terraform module to
| provision and secure the bucket/distribution. I think this comes
| when you get dev/biz users with console access who are trying
| to "just get it done" when you are dealing with highly
| confidential or sensitive data, it's a recipe for a leak.
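The two controls selecsosi describes (account-level Block Public Access, and a private bucket fronted by CloudFront with an authenticated origin pull) and dragonwriter's point about copied IaC templates carrying public-read defaults can be checked offline before a template is applied. The following is an added example, not code from the thread or from the article on vpnoverview.com: it evaluates a bucket policy, a bucket ACL and the PublicAccessBlock flags the way S3 combines them, and reports whether objects end up world-readable. The bucket names, policies, ACLs and the CloudFront distribution id are constructed placeholders.

```python
# Added example (not from the thread or from vpnoverview.com): an offline
# check of the three layers that decide whether S3 objects are readable by
# anyone. Bucket names, policies and ACLs below are constructed samples.
import json

# S3's canned public grantee groups, as they appear in bucket ACL grants.
PUBLIC_ACL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
READ_ACTIONS = {"s3:getobject", "s3:*", "*"}

# The account-level Block Public Access setting referred to in the comment:
# all four flags on, so neither an ACL nor a bucket policy can open a bucket.
RECOMMENDED_PUBLIC_ACCESS_BLOCK = {
    "BlockPublicAcls": True,
    "IgnorePublicAcls": True,
    "BlockPublicPolicy": True,
    "RestrictPublicBuckets": True,
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_is_anonymous(principal):
    """True for Principal "*" or {"AWS": "*"}, i.e. anyone on the internet."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_read_statements(policy):
    """Sids of Allow statements granting object reads to an anonymous principal
    with no Condition. A conditioned statement (e.g. one restricted to a single
    CloudFront distribution via aws:SourceArn) is what an "authenticated origin
    pull" looks like in the policy, so it is not flagged."""
    flagged = []
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        if st.get("Effect") != "Allow" or st.get("Condition"):
            continue
        if not _principal_is_anonymous(st.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(st.get("Action", []))}
        if actions & READ_ACTIONS:
            flagged.append(st.get("Sid", f"statement[{i}]"))
    return flagged


def public_acl_grants(acl):
    """Grants giving READ or FULL_CONTROL to AllUsers or AuthenticatedUsers."""
    return [
        g for g in acl.get("Grants", [])
        if g.get("Grantee", {}).get("URI") in PUBLIC_ACL_GROUPS
        and g.get("Permission") in ("READ", "FULL_CONTROL")
    ]


def assess_bucket(name, policy, acl, public_access_block):
    """Apply Block Public Access the way S3 does: IgnorePublicAcls neutralises
    public ACL grants, RestrictPublicBuckets neutralises public policy grants.
    Returns the findings and whether the bucket is effectively world-readable."""
    pab = public_access_block or {}
    policy_hits = public_read_statements(policy or {})
    acl_hits = public_acl_grants(acl or {})
    via_policy = bool(policy_hits) and not pab.get("RestrictPublicBuckets")
    via_acl = bool(acl_hits) and not pab.get("IgnorePublicAcls")
    return {
        "bucket": name,
        "public_policy_statements": policy_hits,
        "public_acl_grants": len(acl_hits),
        "effectively_public": via_policy or via_acl,
    }


# Constructed sample 1: the pattern behind many open-bucket reports, a copied
# template that attaches a public-read policy and sets no access block.
LEAKY_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                 "Action": "s3:GetObject",
                 "Resource": "arn:aws:s3:::example-app-logs/*"}]
}""")

# Constructed sample 2: private bucket behind CloudFront; only the named
# distribution (placeholder id) may read, and Block Public Access is on.
HARDENED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Sid": "CloudFrontOnly", "Effect": "Allow",
                 "Principal": {"Service": "cloudfront.amazonaws.com"},
                 "Action": "s3:GetObject",
                 "Resource": "arn:aws:s3:::example-app-static/*",
                 "Condition": {"StringEquals": {"AWS:SourceArn":
                   "arn:aws:cloudfront::000000000000:distribution/EXAMPLEID"}}}]
}""")

if __name__ == "__main__":
    for args in (("example-app-logs", LEAKY_POLICY, {"Grants": []}, None),
                 ("example-app-static", HARDENED_POLICY, {"Grants": []},
                  RECOMMENDED_PUBLIC_ACCESS_BLOCK)):
        print(json.dumps(assess_bucket(*args)))
```

The check is deliberately conservative in one direction: any statement with a Condition is treated as restricting, so a loosely written condition would pass, which is why the account-level block (the `RECOMMENDED_PUBLIC_ACCESS_BLOCK` flags) is the control that actually closes the door regardless of what a template puts in the policy.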
| [deleted]
| jabbany wrote:
| There seem to be a bunch of leaks related to improper ACLs on S3
| instances...
|
| I wonder if there should be some kind of channel to report this
| to AWS instead so they can temporarily shut off public access
| rather than wait for the service to get around to it. This
| doesn't seem too far fetched, since copyright holders are
| currently able to go after the hosting company for things like
| DMCA violations and PII seems more important than pirated movies
| whatnot.
|
| (Obviously, this would likely break the outward facing part of
| the AWS customer's application, so there'd need to be
| verifications to prevent using the reports to DoS a service.)
| A4ET8a8uTh0 wrote:
| This is basically why I keep hesitating when I see all those
| building blocks just glued together in presentation to executives
| and clearly done in a hurry.
|
| I shit you not. The other day, an almost-finished project was shown
| to our team to sign off on. It is only after some basic questions
| about the 'how exactly does it work' and some 'umms' from
| salesguy, we got a separate meeting with an actual tech guy, who
| started incorporating our requirements as a draft... and that was
| the end of the project. We actually have a project manager after us
| for holding them back.
|
| And this is not an unregulated Fintech... I shudder to think what
| happens elsewhere.
| vmception wrote:
| Sales and Business Development people are just a waste of
| breath on tech products
|
| I thought oxygen was going to get scarce enough for them to get
| triaged out of the queue a few years back, but that didn't pan
| out
___________________________________________________________________
(page generated 2022-04-27 23:01 UTC)