A contractor misconfigured an Amazon Web Services storage "bucket" [arstechnica.com], exposing top secret information from the U.S. Army's Intelligence and Security Command (INSCOM):
UpGuard's director of cyber risk research, Chris Vickery, discovered the publicly accessible S3 storage "bucket" on September 27 in the AWS subdomain "inscom." INSCOM is the US Army's Intelligence and Security Command [army.mil], the Army's internal operational intelligence branch based at Fort Belvoir in Virginia. INSCOM is also integrated into the National Security Agency's Central Security Service—connecting the Army's signals intelligence operations to the NSA.
The public bucket was accessible via the Web and had "47 viewable files and folders in the main repository, three of which were also downloadable," UpGuard reported in a blog post today [upguard.com]. The largest downloadable file was an Open Virtual Appliance file named "ssdev.ova," which contained a virtual hard drive and configuration data for a Red Hat Linux-based virtual machine. "While the virtual OS and HD can be browsed in their functional states, most of the data cannot be accessed without connecting to Pentagon systems—an intrusion that malicious actors could have attempted had they found this bucket," UpGuard's research team noted.
Still, the contents of the virtual hard drive itself were highly sensitive. Some of the files were marked as "Top Secret/NOFORN"—meaning that they were not to be shared even with US allies. Metadata on the virtual drive shows that "the box was worked on in some capacity by a now-defunct third-party defense contractor named Invertix, a known INSCOM partner [nypost.com]," including private encryption keys used for hashed passwords and for accessing DCGS that belonged to Invertix system administrators.