
posted by Fnord666 on Wednesday September 06 2017, @01:13PM
from the leaking-like-a-sieve dept.

Submitted via IRC for TheMightyBuzzard

The personal details of thousands of individuals who submitted job applications to an international security firm were exposed online due to an unprotected storage server set up by a recruiting services provider.

Chris Vickery of cyber resilience firm UpGuard discovered on July 20 an Amazon Web Services (AWS) S3 storage bucket that could be accessed by anyone over the Internet. The server stored more than 9,400 documents, mostly representing resumes of people who had applied for a job at TigerSwan, an international security and global stability firm.

The documents included information such as names, physical addresses, email addresses, phone numbers, driver's license numbers, passport numbers and at least partial social security numbers (SSNs). In many cases, the resumes also provided information on security clearances from U.S. government agencies, including the Department of Defense, the Secret Service, and the Department of Homeland Security. Nearly 300 of the exposed resumes listed the applicant as having a "Top Secret/Sensitive Compartmented Information" clearance.

According to UpGuard, a majority of the individuals whose information was compromised were military veterans, but hundreds of resumes belonged to law enforcement officers who had sought a job at TigerSwan, a company recently described by The Intercept as a "shadowy international mercenary and security firm."

Source: http://www.securityweek.com/details-us-top-secret-clearance-holders-leaked-online
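The story's root cause is an S3 bucket that anyone on the Internet could read. The following is an added example, not code from the SecurityWeek story or from UpGuard: an offline checker that takes a bucket's ACL, bucket policy and Public Access Block settings in the shape the AWS API returns them and reports what makes the bucket world-readable. The bucket name, owner ID and policy below are constructed placeholders, and the Public Access Block setting was added to S3 after this story ran.

```python
# Added example (not from the original story): flag S3 settings that expose a bucket.
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
BLOCK_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

def public_acl_grants(acl):
    """Return (permission, group) for every ACL grant to the anonymous or any-AWS-user group."""
    return [(g["Permission"], g["Grantee"]["URI"])
            for g in acl.get("Grants", [])
            if g["Grantee"].get("Type") == "Group"
            and g["Grantee"].get("URI") in (ALL_USERS, AUTH_USERS)]

def public_policy_statements(policy):
    """Return the Sid of each unconditional Allow statement whose Principal is '*' (anyone)."""
    hits = []
    for st in policy.get("Statement", []):
        principal = st.get("Principal")
        anyone = principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")
        if st.get("Effect") == "Allow" and anyone and "Condition" not in st:
            hits.append(st.get("Sid", "<no Sid>"))
    return hits

def is_bucket_public(acl, policy, public_access_block):
    """True if any grant or statement opens the bucket and Block Public Access is not fully on."""
    block = public_access_block.get("PublicAccessBlockConfiguration", {})
    fully_blocked = all(block.get(k) for k in BLOCK_KEYS)
    opened = bool(public_acl_grants(acl)) or bool(public_policy_statements(policy))
    return opened and not fully_blocked

# Constructed sample: the weak configuration (anyone can list and fetch objects) ...
LEAKY_ACL = {"Owner": {"ID": "owner-id-placeholder"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]}
LEAKY_POLICY = json.loads('{"Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",'
                          ' "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-resumes/*"}]}')
NO_BLOCK = {"PublicAccessBlockConfiguration": {k: False for k in BLOCK_KEYS}}
# ... and the corrected one: owner-only ACL, no bucket policy, all four public-access blocks on.
PRIVATE_ACL = {"Owner": LEAKY_ACL["Owner"], "Grants": LEAKY_ACL["Grants"][:1]}
FULL_BLOCK = {"PublicAccessBlockConfiguration": {k: True for k in BLOCK_KEYS}}

if __name__ == "__main__":
    print("leaky bucket public:", is_bucket_public(LEAKY_ACL, LEAKY_POLICY, NO_BLOCK))  # True
    print("fixed bucket public:", is_bucket_public(PRIVATE_ACL, {}, FULL_BLOCK))        # False
```

In a real audit the three inputs come from the S3 GetBucketAcl, GetBucketPolicy and GetPublicAccessBlock calls; the checker itself needs no AWS access.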


  • (Score: 2) by Grishnakh on Wednesday September 06 2017, @01:41PM (4 children)

    by Grishnakh (2831) on Wednesday September 06 2017, @01:41PM (#564141)

    What exactly is the point of having classified material, and security clearances, if as a nation you're too incompetent to properly protect them and the people who have this privileged access?

    • (Score: 5, Interesting) by stormreaver on Wednesday September 06 2017, @02:05PM (2 children)

      by stormreaver (5101) on Wednesday September 06 2017, @02:05PM (#564146)

      I think the objective here is to make such incompetence seem so commonplace and inevitable that people turn off their brains even more than they already have; and just accept that this is how "Cloud Computing" works, and that there is nothing that they can do about it. That approach made Microsoft monumentally wealthy, and people buy into it even today.

      • (Score: 3, Insightful) by Grishnakh on Wednesday September 06 2017, @02:41PM

        by Grishnakh (2831) on Wednesday September 06 2017, @02:41PM (#564152)

        If you're saying that this is the conspiracy the vendors are working on, there may be some merit to that. The military lately is on a giant "cloud" push; they want to push everything they possibly can into the cloud now. Sure reeks of payola.

      • (Score: 1) by khallow on Wednesday September 06 2017, @03:44PM

        by khallow (3766) on Wednesday September 06 2017, @03:44PM (#564168)
        The "lull them into a false sense of insecurity" plan? It'll only work if the customer isn't liable for the result.
    • (Score: 2) by FatPhil on Wednesday September 06 2017, @11:06PM

      by FatPhil (863) <{pc-soylent} {at} {asdf.fi}> on Wednesday September 06 2017, @11:06PM (#564320)
      > What exactly is the point of having classified material, and security clearances, if

      you're going to hand out the highest level of clearance to *millions* of people.

      With the unbelievable equidistribution of those, you have little podunk shitholes with a dozen people that have top secret clearance, and scores of thousands of them in a large metropolis. Without equidistribution, some parts of the country will be even more endowed.
      --
      Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
  • (Score: 0) by Anonymous Coward on Wednesday September 06 2017, @01:57PM (1 child)

    by Anonymous Coward on Wednesday September 06 2017, @01:57PM (#564142)

    I wouldn't trust that security firm to actually provide security after this.

    Yes, they didn't expose that data themselves. But part of security is to decide what data needs to be secured, and who is trustworthy enough to handle your secure data. An evaluation of that recruiting service surely would have revealed that the data is stored on AWS; even if configured correctly I doubt that would be acceptable, since I doubt the people operating AWS have the security clearance to work with that data; but they actually do so if the data is stored on AWS, even if they themselves don't know it.

    • (Score: 5, Insightful) by MrGuy on Wednesday September 06 2017, @04:36PM

      by MrGuy (1007) on Wednesday September 06 2017, @04:36PM (#564195)

      The fundamental problem is that it takes only one person to slip up, just once, to expose information. The increased rise of more sophisticated hacking tools and the increased sophistication with which everything that is ever exposed online is indexed and searchable by people with bad intentions means the size of the slip-up required is increasingly getting smaller and smaller.

      Target was compromised because of a vulnerability in their gorram vendor's climate control system, coupled with an admittedly poor decision to let the climate control system have access to the in-store network because, come on, why should I be afraid of the climate control system?

      If you work in an environment where you deal with a lot of data that has to be secured (I've worked with clients that have HIPAA-impacted medical information), it's terrifying. You can build secure, audited systems to hold the data, with state-of-the-art controls on who can access which data. But then you have to worry about all the potential leakage out of that system. Did someone cut-and-paste a bunch of data into a spreadsheet that they shouldn't have? Did someone save some files for offline usage? Are all the machines on our network secure? All the hard drives encrypted? All physically secured? What about the network? Do you have any outside partner companies that can access any of this information? Are THEIR systems as secure as ours? For any machine that can possibly hold sensitive data, are those machines backed up? If so, are the backups secure? Do we use any third-party software or systems that we don't control? If anything is hosted offsite and/or in the cloud, how secure is it? Who configures the systems? How trained are they on secure setup? Could they ever slip up? Again, if vendors are involved, why should we trust them? Are our defenses in depth sufficient that compromise of one node on the system can't compromise sensitive data?

      And all it takes is one slip up by the weakest link in the chain for all your careful planning and security to be for naught. A case I encountered was a company that partnered with a health care company. One of their employees had a laptop that could access sensitive data, and occasionally did. The laptop was well locked down. The sensitive data was deleted after it was used. But the user used a USB hard drive for backing up the machine, and they forgot to click the "encrypt the backups" box. And they had run a backup while the sensitive data was on the machine. Briefcase containing secure laptop and insecure backup drive went missing from an airport. Data compromised. Avoidable? Sure, in theory. But expecting something like this to NEVER happen in a large ecosystem is a tall ask. Because it only takes once.

      I'm not saying that a company trusted with secret data shouldn't be expected to be really, really good at this. And that maybe they should have done more to investigate their vendor's security. They might have shown a lack of vigilance in choosing who to trust with their data. But it could also be the case that they're really, really careful, and despite assurances from the vendor, and reviews of the vendor's practices, in this case the vendor screwed up. Once.

      It's easy to say "you should never be trusted again after any slip up." But you'll run out of potential partners really quickly.

  • (Score: 0) by Anonymous Coward on Wednesday September 06 2017, @02:02PM (1 child)

    by Anonymous Coward on Wednesday September 06 2017, @02:02PM (#564144)

    How does that old, silly saying go? If you have nothing to hide, you have nothing to fear?

    Or perhaps "Maybe you shouldn't do things that require secrecy"? Or maybe we should just accept that big dumb government's erosion of individual privacy goes both ways? he he he.

    Basically, I'm advocating the increased suffering of government employees with top secret clearances. Get rekt, useless garbage.

    • (Score: 5, Insightful) by Phoenix666 on Wednesday September 06 2017, @02:21PM

      by Phoenix666 (552) on Wednesday September 06 2017, @02:21PM (#564151)

      You took the words right out of my mouth: "If they have nothing to hide, they have nothing to fear."

      Yes the spooks, bureaucrats, and politicians need to be spied on, have their privacy thoroughly invaded, and doxxed until they begin to understand the tech they're pushing to control us can and will be turned around on them. They are stupid, stupid creatures so I don't actually expect them to ever learn that lesson, but it will be sweet revenge to visit upon them what they have so merrily visited upon us.

      --
      Washington DC delenda est.
  • (Score: 0) by Anonymous Coward on Wednesday September 06 2017, @03:05PM

    by Anonymous Coward on Wednesday September 06 2017, @03:05PM (#564156)

    Is "global stability" a product or a service? Probably better if I don't even want to know, seeing how being employed to provide "global stability" requires a security clearance...

  • (Score: 2) by nobu_the_bard on Wednesday September 06 2017, @05:31PM (1 child)

    by nobu_the_bard (6373) on Wednesday September 06 2017, @05:31PM (#564204)

    The US, at any given time, has very roughly 5 million people with similar security clearance. 300 were leaked? Pfft! 5 million people is roughly the population of Denmark.

    Maybe we should just give everyone in Denmark security clearance. Outsource it. Not our problem now!

  • (Score: 2, Informative) by Beau Slim on Wednesday September 06 2017, @10:14PM

    by Beau Slim (6628) on Wednesday September 06 2017, @10:14PM (#564300)

    Part of the lack of general knowledge about this comes from a "first rule of clearance is that you don't talk about your clearance" thing. Many people believe that having a Top Secret clearance gives someone access to all the Top Secrets. It doesn't.

    All it means is that they have been vetted (via background checks, interviews of family and past associates, etc.) to assure that they are trustworthy and won't disclose any sensitive information needed to do their job. What they have access to is always on an as-needed basis. So, for example, a diplomatic officer working in a foreign country will get a clearance to know how to use the crypto communications gear used to send sensitive information to the home office, and they will work with sensitive information local to their post as part of doing their job. But that's it. And when they leave, they lose access to all information, even if their clearance is still valid. And then all clearances expire after a certain period of time.

    I'm sure they're just putting past clearance on a resume much like a plumber tells people they're bond-able.
