Intelligence data, security credentials found exposed in the Amazon cloud
A data cache containing highly sensitive US military data has inadvertently been exposed online, UpGuard cyber risk analyst Chris Vickery has discovered last week.
After downloading and analyzing the data, he tied it to the US National Geospatial-Intelligence Agency (NGA), and guessed that it likely belonged to private intelligence contractor Booz Allen Hamilton.
The contents of the cache
Located on an unsecured, publicly accessible Amazon server, the repository included some 60,000 files that, among other things, contained passwords to a US government system containing sensitive information, and the security credentials of a lead senior engineer at Booz Allen Hamilton.
According to Gizmodo, the cache also contained “at least a half dozen unencrypted passwords belonging to government contractors with Top Secret Facility Clearance.”
“In short, information that would ordinarily require a Top Secret-level security clearance from the DoD was accessible to anyone looking in the right place; no hacking was required to gain credentials needed for potentially accessing materials of a high classification level,” noted UpGuard analyst Dan O’Sullivan.
“Unprotected by even a password, the plaintext information in the publicly exposed Amazon S3 bucket contained what appear to be the Secure Shell (SSH) keys of a BAH engineer, as well as credentials granting administrative access to at least one data center’s operating system.”
Another interesting thing is that the bucket in question is not located in the AWS GovCloud, “a gated community for workloads with direct or indirect ties to US government functions or services.”
Notifying the data owners
Vickery first notified Booz Allen Hamilton of his finding, then the NGA. While the former took a while to respond, the NGA did it almost instantly, and secured the Amazon S3 bucket in question in a matter of minutes.
Both entities are investigating the issue, and have confirmed that the data was not connected to classified systems. The compromised access credentials have since been revoked.
“This exposure of systems used to provision servers designed for handling intelligence data up to the classification of Top Secret serves to highlight the even more common and potentially grave threat vectors presented by cyber risk — a state of affairs in which simple human error can be as damaging as outright malice,” O’Sullivan pointed out.
“While it is unknown at this time who has had access to these passwords, it is clear that sensitive information was not properly protected,” commented Vishal Gupta, CEO of Seclore.
“Collaboration and the use of third-party contractors are necessary, it’s an important reminder for organizations to treat classified US information as if it is their own. This was likely a simple mistake that could have major consequences. Taking a data-centric approach to security is a necessary last line of defense when all other security measures fail, or a mistake is made.”