[HN Gopher] Fintech App Switch Leaks Users' Transactions and Personal IDs
___________________________________________________________________
Fintech App Switch Leaks Users' Transactions and Personal IDs
Author : digitalrealme
Score  : 96 points
Date   : 2022-04-27 15:01 UTC (7 hours ago)
(HTM) web link (vpnoverview.com)
(TXT) w3m dump (vpnoverview.com)
| djohnston wrote:
| Web2 is going great! Molly, write about it!
| rvz wrote:
| They won't, despite the fact that such information is going to be leaked and forever cached, crawled, copied and archived all over the internet.
|
| Good luck playing whack-a-mole with your leaked personal information.
| tomatowurst wrote:
| Without harsh enforcement, this type of negligence will just continue.
| MikeDelta wrote:
| Amazing that it took Grink 22 days to secure the files.
| jgaa wrote:
| They are SOC 2 compliant - so it must be OK ;)
|
| I mean, they can prove on paper that they are secure. Who cares about reality any more.
| dvtrn wrote:
| Boxes: Checked.
|
| I've grown a bit cynical as time goes on about this sort of stuff; not the need for the kinds of controls and checks behind SOC2, but cynical towards the lip service I continue to hear about it from the executives and leaders I find in many shops.
|
| The "InfoSec/CyberSecurity/DevSecOps" director is often a glorified send button. "The SIEM said do this, send to Devops, the auditor said do this, send to Devops, the vulnerability monitor noticed this, send to Devops, we were asked to provide evidence of this, send to Devops"...etc.
|
| 3 of the last 5 jobs I've been in since 2016 have had dedicated personnel with the words "Information Security" in their job titles, and all 3 of them were really good at sending me shit to do, talking about what they read in some infosec blog, and a CVE they read about.
|
| But here's the thing, I think I have a really good reason for this cynicism and I don't know how to resolve it:
|
| I don't know how confident I would be if these individuals were actually expected to build and contribute to the security effort beyond "send to Devops", but maybe they're not supposed to? Are "DevSecOps" people expected to actually...be involved in engineering too? Or do they just sit at the periphery throwing vulnerability assessments and threat modeling work? I've honestly only ever had the latter.
|
| Tried having this conversation with a friend who just finished an MSc in Cybersecurity and he seemed a bit offended by my inquiry, so I dropped it...but I am still insanely curious to know because I really doubt this experience is unique.
| gdfgjhs wrote:
| Same experience. It is so hard to have a conversation about any of the security requirements with our security team because they have no idea what they are asking.
|
| They only know to press some buttons and then send some reports.
| dvtrn wrote:
| I'm in the wrong daggone field, man.
| stock_toaster wrote:
| Yeah, this hits hard. Same experience here.
| htrp wrote:
| The Security guy has no responsibility without authority.... his role exists because some regulation/best practice says it needs to exist and therefore it is created. Security is almost always relegated to an afterthought and as a result you end up receiving an e-mail.
| ROARosen wrote:
| This article just begs more questions:
|
| Why did they store PII, Identity documents unencrypted?
|
| What exactly was the reason for this breach?
|
| Why did it take VPNOverview's team a day to notify them?
|
| What did VPNOverview do with all that data until they notified Grink and afterwards?
|
| Why did it take Grink 22 days to secure the files?
|
| Why does the article describe the above as "as swiftly as possible"?
|
| Can Grink be fined/sued over this, or is that only possible once there is 'actual damage' proven?
| TedDoesntTalk wrote:
| > Why did they store PII, Identity documents unencrypted?
|
| Because it's easier to store and retrieve them unencrypted than encrypted.
|
| > Why did it take VPNOverview's team a day to notify them?
|
| Sure, shoot the messenger. It does not say 24 hours. Maybe they discovered the breach at 10:00 PM local time and sent a notification at 6:00 AM the next morning.
| VWWHFSfQ wrote:
| A plaintiff would have to prove actual damage. Otherwise, what would their claim be?
| duxup wrote:
| > they closed the breach as swiftly as possible
|
| > Grink updated their bucket security 22 days after we notified them of the breach.
|
| Open S3 bucket, 22 days to fix is "as swiftly as possible"?
| justinjlynn wrote:
| "as swiftly as possible" means nothing. Unless the announcement specifies a time, it's just the opinion of a party with an obvious conflict of interest. Either they list explicit dates and times or it's a worthless waste of text that makes me respect and trust the party even less.
| vorpalhex wrote:
| I'm starting to think we should just not allow developers to use s3 anymore. Despite Amazon plastering it with warnings, these breaches keep happening.
|
| That or we need to start fining heavily for breaches.
| ceejayoz wrote:
| > I'm starting to think we should just not allow developers to use s3 anymore.
|
| I don't know that the alternatives would be much better. People have inadvertently made folders on Apache wide open for decades now.
|
| AWS does more than average to combat it, I'd say. E-mail notifications, default configs, scary warnings, etc.
| figassis wrote:
| I still don't get the s3 breach issue. I mean, buckets are private by default. Why would anyone take any action to open an s3 bucket that stores logs? If you do nothing you're already halfway there.
| Or is there a failure mode that I'm not aware of?
| dragonwriter wrote:
| I'm guessing that there are lots of (public and internal) tools, documented workflows, etc., dealing with S3 buckets that implement very bad security defaults because it streamlines getting something apparently functional and working on it in a dev environment, even though AWS itself has secure defaults, and using those easy-for-dev approaches with live PII or otherwise critical data is a recipe for disaster.
|
| People often aren't starting with the AWS defaults, they are starting with an IaC (CloudFormation, CDK, Terraform) template they got from some other project.
| zo1 wrote:
| My take: S3 buckets have an "air" or "impression" of being easy to "host" publicly available "things". It's even one of their selling points, IIRC. I.e. hosting a PWA/index.html website on a bucket.
| e2le wrote:
| I suspect there is a degree of "not-caring" and/or incompetence among at least some of these developers. Banning their use of s3 likely isn't a solution, it's a culture problem.
| selecsosi wrote:
| You can enable public file ACL access restriction at the account level and issue authenticated/signed links for file access if required for general consumption. The idea that your data layer shouldn't be open to unauthenticated read from the public shouldn't be new to people but persists with somewhat "easy" buttons to enable behaviors.
|
| For static sites or other public-access-required files, setting up CloudFront with an authenticated origin pull is pretty straightforward and in our case we use a Terraform module to provision and secure the bucket/distribution. I think this comes when you get dev/biz users with console access who are trying to "just get it done"; when you are dealing with highly confidential or sensitive data, it's a recipe for a leak.
| [deleted]
| jabbany wrote:
| There seem to be a bunch of leaks related to improper ACLs on S3 instances...
|
| I wonder if there should be some kind of channel to report this to AWS instead so they can temporarily shut off public access rather than wait for the service to get around to it. This doesn't seem too far fetched, since copyright holders are currently able to go after the hosting company for things like DMCA violations and PII seems more important than pirated movies or whatnot.
|
| (Obviously, this would likely break the outward facing part of the AWS customer's application, so there'd need to be verifications to prevent using the reports to DoS a service.)
| A4ET8a8uTh0 wrote:
| This is basically why I keep hesitating when I see all those building blocks just glued together in presentation to executives and clearly done in a hurry.
|
| I shit you not. The other day, an almost-finished project was shown to our team to sign off on. It is only after some basic questions about the 'how exactly does it work' and some 'umms' from the salesguy that we got a separate meeting with an actual tech guy, who started incorporating our requirements as a draft... and that was the end of the project. We actually have the project manager after us for holding them back.
|
| And this is not an unregulated Fintech.. I shudder to think what happens elsewhere.
| vmception wrote:
| Sales and Business Development people are just a waste of breath on tech products.
|
| I thought oxygen was going to get scarce enough for them to get triaged out of the queue a few years back, but that didn't pan out.
___________________________________________________________________
(page generated 2022-04-27 23:01 UTC)