A contractor misconfigured an Amazon Web Services storage "bucket", exposing top secret information from the U.S. Army's Intelligence and Security Command (INSCOM):
UpGuard's director of cyber risk research, Chris Vickery, discovered the publicly accessible S3 storage "bucket" on September 27 in the AWS subdomain "inscom." INSCOM is the US Army's Intelligence and Security Command, the Army's internal operational intelligence branch based at Fort Belvoir in Virginia. INSCOM is also integrated into the National Security Agency's Central Security Service—connecting the Army's signals intelligence operations to the NSA.
The public bucket was accessible via the Web and had "47 viewable files and folders in the main repository, three of which were also downloadable," UpGuard reported in a blog post today. The largest downloadable file was an Open Virtual Appliance file named "ssdev.ova," which contained a virtual hard drive and configuration data for a Red Hat Linux-based virtual machine. "While the virtual OS and HD can be browsed in their functional states, most of the data cannot be accessed without connecting to Pentagon systems—an intrusion that malicious actors could have attempted had they found this bucket," UpGuard's research team noted.
Still, the contents of the virtual hard drive itself were highly sensitive. Some of the files were marked as "Top Secret/NOFORN"—meaning that they were not to be shared even with US allies. Metadata on the virtual drive shows that "the box was worked on in some capacity by a now-defunct third-party defense contractor named Invertix, a known INSCOM partner," including private encryption keys used for hashed passwords and for accessing DCGS that belonged to Invertix system administrators.
Also at Techdirt, TechCrunch, and The Next Web.
(Score: 5, Informative) by edIII on Friday December 01 2017, @07:55PM
Actually, the data center was likely very well guarded. Most I've been to have extreme physical security. To get into a place where I was sysadmin'n, I went through the following steps:
The guards all seemed to be those wonderfully stable ex-military types from Afghanistan/Iraq/{HellHole} that have no problems whatsoever laying their hands on their weapons at their hips while asking you to put the equipment back down. Seriously, they're all well armed and not shy about telling you what to do at the point of a gun. Rubbed a lot of sysadmins the wrong way, but that's another story.
Physical security is most likely not the problem. Cyberspace is the problem, combined with piss poor sysadmin work. The odds of me getting my hands on a U.S. Air Force server and getting out of that building without being shot are very low. There was an incident where a bunch of thugs tried storming a less well protected data center, and before they could get through the 2nd door of the mantrap, found themselves face to face with ex-military holding semi-auto assault rifles on them.
That being said, some kid in a basement can apparently "hack" top secret data because it's been made public in a cloud provider that has ZERO business serving the government. What complete utter moronic shit. If Amazon was better at making and managing a platform than the government (most likely true), then they should run a special one just for the government that is absolutely separate from the rest of Amazon.
This was the equivalent of a teenager taking out the Death Star.
Technically, lunchtime is at any moment. It's just a wave function.
(Score: 3, Interesting) by MichaelDavidCrawford on Friday December 01 2017, @09:06PM
Today I read an article about the movie "The Day After" in which a midwestern city gets nuked in a nuclear war.
Everyone expects movies to have Hollywood endings but this didn't.
Yes I Have No Bananas. [gofundme.com]