NSA/Army's INSCOM leaks top secrets via AWS bucket—look, ma, no password!

Another day, another unsecured Amazon Web Services storage bucket. And this one literally contains top-secret data, known as Red Disk.

The NSA and US Army appear to have stored 100GB of unencrypted secrets in an AWS S3 bucket—with no password. And it isn’t the first time we’ve seen this kind of awful cloud-security faux pas from the feds.

Egg, meet face (again). In this week’s Security Blogwatch, we learn from others’ mistakes.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention:  Which Star Trek captain would you want to serve under?

State of Security Operations 2017

What’s the craic, Zack? Mister Whittaker scribbles New NSA leak exposes Red Disk:

[It] contains over 100 gigabytes of data from an Army intelligence project, codenamed "Red Disk." [It] belongs to … INSCOM, a division of both the Army and the NSA.

The disk image was left on an unlisted but public Amazon Web Services storage server, without a password, open for anyone to download. Unprotected storage buckets have become a recurring theme.

The leak marks yet another exposure of classified government data. … An NSA spokesperson did not return a request for comment. An INSCOM spokesperson was unable to comment.

Red Disk … was slated to complement the Army's so-called distributed common ground system (DCGS) … for processing and sharing intelligence, surveillance, and reconnaissance information. [But it] struggled to scale to the number of troops who need it. … A memo from 2014 … said the system was "a major hindrance to operations."

Chris Vickery [at] UpGuard found the data. … "What are we doing wrong when 'top secret' data is literally two mouse clicks away from worldwide exposure? … How did we get here, and how do we find a way out?"

When will people learn? Iain Thomson blabs about a leaky S3 silo:

Anyone with an Amazon Web Services account could have found and … pulled out the US government's software files. [And] there were hashed passwords and private keys belonging to a US military contractor found alongside the code.

The find comes hot on the heels of the US military accidentally spilling the guts of its global social-media spying program … from a badly configured AWS S3 bucket.

The documents … were labeled a mix of classified, top secret — and NOFORN … so secret that they couldn't be shared with America's foreign allies.

So what does Dan “@Viss” Tentler think?

while there are arguably a handful of folks that actually care about security that work in the .gov space, the vast vast vast majority … give next to zero ****s.

[At] the nsa booth at shmoocon 2 years ago, i decided to stop and ask a couple questions, and when the subject of pay came up their response was something like "do it for your country. be patriotic". yeah, patriotism doesn't pay the rent or the car payment, does it?

and what that telegraphs to me is "management doesn't care enough to line their people up to sort this problem out". because if they cared, it wouldn't be a problem.

hands down, the biggest problem with security globally is that too many ****ing people who have no place to be touching computers in the first place are the ones who make the rules.

But Ron “@ron_miller” Miller puts it more succinctly:

There’s really no excuse for this. … Everyone should be aware and AWS even has alerting tools now to help.

So who gets the blame? Derek B. Johnson thinks he knows:

The files contained private keys and passwords [that] bore markings indicating … they were used by Invertix, a former government contractor that merged with Near Infinity in 2013 and now goes by the name Altamira.

UpGuard … said they believe the exposure happened when the government transferred the data to Invertix and said it demonstrates how poor risk-management protocols for third-party vendors is often a "silent killer" for enterprise cybersecurity.

The incident … has the potential to affect several policies the government is currently pushing around encryption regulation, surveillance, vulnerability disclosures and cyber threat information sharing with the private sector, that all at least partially hinge on the government's ability to credibly argue it can keep sensitive internal data from leaking to the public.

It’s unintentionally hilarious, says raxadian:

You know at this rate comedians will have to work at something else because reality is starting to look like comedy gold.

When one thinks "No way they can be that stupid!" it turns out that "Yeah they were that stupid!"

But MrMatarazzo pauses to think:

As a former intel analyst for the Army, all I can think is... please be a honeypot, PLEASE be a honeypot...

As does wrj3m:

If I worked in the intelligence community, I would … seek to diminish … leaks and hacks by tasking a contractor with gathering a ****load of mostly random but somewhat targeted data and then leave it in an unsecured place. Hostile elements could then discover this worthless goldmine of intelligence and spend ages pouring over it.

Or, maybe the contractors that gladly take billions of taxpayer money are truly inept.

Meanwhile, William “@billyquaide” McQuaid‏ asks:

When the intelligence community becomes the #1 enemy of Americans by supporting Wall Street's tyranny, what's the next step?

The moral of the story? Is any of your data wide open in an open S3 bucket? Would you even know if it was?

And finally …

Which Star Trek captain would you want to serve under?


You have been reading Security Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or sbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE.

Image source: Barrett “popofatticus” Hall (cc:by)

State of Security Operations 2017
Topics: Security