posted by Fnord666 on Friday December 01 2017, @08:56AM
from the cloud-has-a-leak dept.

A contractor misconfigured an Amazon Web Services storage "bucket", exposing top secret information from the U.S. Army's Intelligence and Security Command (INSCOM):

UpGuard's director of cyber risk research, Chris Vickery, discovered the publicly accessible S3 storage "bucket" on September 27 in the AWS subdomain "inscom." INSCOM is the US Army's Intelligence and Security Command, the Army's internal operational intelligence branch based at Fort Belvoir in Virginia. INSCOM is also integrated into the National Security Agency's Central Security Service—connecting the Army's signals intelligence operations to the NSA.

The public bucket was accessible via the Web and had "47 viewable files and folders in the main repository, three of which were also downloadable," UpGuard reported in a blog post today. The largest downloadable file was an Open Virtual Appliance file named "ssdev.ova," which contained a virtual hard drive and configuration data for a Red Hat Linux-based virtual machine. "While the virtual OS and HD can be browsed in their functional states, most of the data cannot be accessed without connecting to Pentagon systems—an intrusion that malicious actors could have attempted had they found this bucket," UpGuard's research team noted.

Still, the contents of the virtual hard drive itself were highly sensitive. Some of the files were marked as "Top Secret/NOFORN"—meaning that they were not to be shared even with US allies. Metadata on the virtual drive shows that "the box was worked on in some capacity by a now-defunct third-party defense contractor named Invertix, a known INSCOM partner," including private encryption keys used for hashed passwords and for accessing DCGS that belonged to Invertix system administrators.

Also at Techdirt, TechCrunch, and The Next Web.



  • (Score: 1, Insightful) by Anonymous Coward on Friday December 01 2017, @09:12AM (1 child)

    by Anonymous Coward on Friday December 01 2017, @09:12AM (#603841)

    This is especially true of a monopoly that arises by the barrel of a gun, rather than by profitable business.

    You know what the NSA/Army needed? MORE MONEY! That's all they were missing; they just didn't have enough money to do it right.

    • (Score: 3, Touché) by DeathMonkey on Friday December 01 2017, @06:57PM

      by DeathMonkey (1380) on Friday December 01 2017, @06:57PM (#604004) Journal

      This is especially true of a monopoly that arises by the barrel of a gun, rather than by profitable business.

      Damn, I heard Amazon's Jeff Bezos is a tough negotiator but damn!

  • (Score: 5, Insightful) by Rosco P. Coltrane on Friday December 01 2017, @10:52AM (1 child)

    by Rosco P. Coltrane (4757) on Friday December 01 2017, @10:52AM (#603856)

    Even my company, which is a small company in the middle of nowhere important, and a pure Windows outfit full of MCSE-holding halfwits, isn't all that keen on giving in to the whole cloud concept and turning control over company data and applications over to some unaccountable provider halfway across the intarweb. You'd think the NSA and the US Army would know better...

    • (Score: 2) by Gaaark on Friday December 01 2017, @12:29PM

      by Gaaark (41) on Friday December 01 2017, @12:29PM (#603867) Journal

      "You'd think the NSA and the US army would know better..."

      Yes! Yes you would.

      --
      --- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
  • (Score: 0) by Anonymous Coward on Friday December 01 2017, @12:55PM (1 child)

    by Anonymous Coward on Friday December 01 2017, @12:55PM (#603873)

    Misread "Top Secret/NOFORN" as "Top Secret/NOPORN", yeah.... that would have helped. ;-)

    • (Score: 0) by Anonymous Coward on Friday December 01 2017, @03:17PM

      by Anonymous Coward on Friday December 01 2017, @03:17PM (#603925)

      Doesn't NOFORN mean "NO FORNICATING KIDDING!"?

  • (Score: 3, Funny) by looorg on Friday December 01 2017, @01:04PM (4 children)

    by looorg (578) on Friday December 01 2017, @01:04PM (#603875)

    Isn't the first lesson at spook school to cover your tracks and not leave sensitive materials out and about?

    • (Score: 3, Insightful) by takyon on Friday December 01 2017, @01:23PM (2 children)

      by takyon (881) <takyonNO@SPAMsoylentnews.org> on Friday December 01 2017, @01:23PM (#603883) Journal

      Mistakes are the greatest learning experience.

      --
      [SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
      • (Score: 2) by looorg on Friday December 01 2017, @02:25PM

        by looorg (578) on Friday December 01 2017, @02:25PM (#603891)

        True. But you normally prefer to learn from your small mistakes and not the large epic ones.

      • (Score: 2) by edIII on Friday December 01 2017, @07:31PM

        by edIII (791) on Friday December 01 2017, @07:31PM (#604011)

        Normally though that results in a star on the wall, not epic level fuckups with top secret data.

        --
        Technically, lunchtime is at any moment. It's just a wave function.
    • (Score: 2, Touché) by Anonymous Coward on Friday December 01 2017, @02:44PM

      by Anonymous Coward on Friday December 01 2017, @02:44PM (#603903)

      Except they only teach offense these days... NSA policy.

  • (Score: 3, Funny) by Anonymous Coward on Friday December 01 2017, @01:18PM (2 children)

    by Anonymous Coward on Friday December 01 2017, @01:18PM (#603881)

    Lock Her ...

    Wait, nevermind. I just got a little triggered for a second.

    • (Score: 0) by Anonymous Coward on Friday December 01 2017, @02:39PM (1 child)

      by Anonymous Coward on Friday December 01 2017, @02:39PM (#603898)

      If they find a lowly guy to blame for this, they may well lock him up.

      • (Score: 3, Informative) by bob_super on Friday December 01 2017, @07:55PM

        by bob_super (1357) on Friday December 01 2017, @07:55PM (#604015)

        You have to hope for the person who transferred classified data to AWS, that (s)he kept a hard copy of the order to do so.

        When I was supporting military suppliers, they couldn't even have classified discussions with us in their own building. Now we have classified info being piped to random servers which could get duplicated or moved anywhere in the world...

  • (Score: 1, Interesting) by Anonymous Coward on Friday December 01 2017, @02:52PM

    by Anonymous Coward on Friday December 01 2017, @02:52PM (#603910)

    You can't be too careful in keeping the secure stuff behind the firewall.

    It would be interesting to see what logic allowed it to be outside.
    Maybe the same as that controlling seamanship in the Navy.
    That is, focus on mission prevented focus on reality.

  • (Score: 3, Insightful) by MichaelDavidCrawford on Friday December 01 2017, @04:40PM (5 children)

    by MichaelDavidCrawford (2339) Subscriber Badge <mdcrawford@gmail.com> on Friday December 01 2017, @04:40PM (#603955) Homepage Journal

    "... we have to wait six months for an expert to fly out from Washington, then wait another month until he blesses it."

    The Hell is classified information doing on a server in an unsecured data center? What if one of the employees stole the box then sold it to the Soviets... er... ah... I mean the Russian Federation.

    --
    Yes I Have No Bananas. [gofundme.com]
    • (Score: 3, Insightful) by Geezer on Friday December 01 2017, @05:44PM (2 children)

      by Geezer (511) on Friday December 01 2017, @05:44PM (#603979)

      One way or another somebody will find some kind of Russia angle to all this, and the media will go apeshit.

      Maybe somebody at Amazon uses Kaspersky or listens to Borodin.

      Nothing sells papers/clicks like "Teh Rushins dood it!!!1!!1!"

      • (Score: -1, Offtopic) by Anonymous Coward on Friday December 01 2017, @06:26PM

        by Anonymous Coward on Friday December 01 2017, @06:26PM (#603992)

        Not to mention triggering old farts before the stories even run!

      • (Score: 2) by maxwell demon on Saturday December 02 2017, @06:47AM

        by maxwell demon (1608) on Saturday December 02 2017, @06:47AM (#604151) Journal

        You mean, it might turn out that Bezos is actually a Russian? Did anyone check his birth certificate? ;-)

        --
        The Tao of math: The numbers you can count are not the real numbers.
    • (Score: 5, Informative) by edIII on Friday December 01 2017, @07:55PM (1 child)

      by edIII (791) on Friday December 01 2017, @07:55PM (#604016)

      Actually, the data center was likely very well guarded. Most I've been to have extreme physical security. To get into a place where I was sysadmin'n, I went through the following steps:

      1. Drove to a veritable fortress. Completely surrounded by 15ft walls with what looked like glass spikes lining the top.
      2. Biometric panel where I authenticated into the system, spoke with a guard, and then watched as a massive steel gate opened up.
      3. Drove into a protected courtyard. Curiously, completely absent of anybody. Ghost town.
      4. Walked up to a non-descript steel door that looked like it could repel SWAT.
      5. 2nd Biometric verification
      6. Walk into at least a 2ft cement & steel mantrap with armored bullet resistant windows with at least two guards behind in a control booth.
      7. Drop my driver's license through a depression in the counter. (about the only security weakness I saw)
      8. Watch as the guards pull up my file, which is conveniently displayed on 70" display screens behind the guards. They match it against my DL.
      9. Proceed through a full height turnstile gate. If I needed to bring in equipment, they open a special door from within and roll out a cart for me to use. Escort me to my vehicle too to get the equipment. Worth noting, that I need to tell them I'm bringing in equipment, OR removing equipment before it is allowed. That is verified with the top level account owner, so a lowly sysadmin can't even bring a 1U server out without a security incident.
      10. Proceed down several hallways and biometrically authenticate to my own section.
      11. Biometric access panel on my own cage
      12. Now I'm standing in front of servers I need to work on.

      The guards all seemed to be those wonderfully stable ex-military types from Afghanistan/Iraq/{HellHole} that have no problems whatsoever laying their hands on their weapons at their hips while asking you to put the equipment back down. Seriously, they're all well armed and not shy about telling you what to do at the point of a gun. Rubbed a lot of sysadmins the wrong way, but that's another story.

      Physical security is most likely not the problem. Cyberspace is the problem, combined with piss poor sysadmin work. The odds of me getting my hands on a U.S. Air Force server and getting out of that building without being shot is very low. There was an incident where a bunch of thugs tried storming a less well protected data center, and before they could get through the 2nd door of the mantrap, found themselves face to face with ex-military holding semi-auto assault rifles on them.

      That being said, some kid in a basement can apparently "hack" top secret data because it's been made public in a cloud provider that has ZERO business serving the government. What complete utter moronic shit. If Amazon was better at making and managing a platform than the government (most likely true), then they should run a special one just for the government that is absolutely separate from the rest of Amazon.

      This was the equivalent of a teenager taking out the Death Star.

      --
      Technically, lunchtime is at any moment. It's just a wave function.