Cybersecurity

Security firm reveals another NSA leak

The National Security Agency has suffered another major security breach after a trove of classified and sensitive Army documents was left on a public Amazon Web Services cloud server for anyone to download.

The leak, discovered in September 2017 by Chris Vickery, director of cyber risk research at UpGuard, was detailed on the firm's breach analysis blog and first reported by ZDNet.

"Critical data belonging to the United States Army Intelligence and Security Command (INSCOM), a joint U.S. Army and National Security Agency Defense Department command tasked with gathering intelligence for US military and political leaders, leaked onto the public internet, exposing internal data and virtual systems used for classified communications to anyone with an internet connection," wrote Vickery and Dan O'Sullivan, a cyber resilience analyst at UpGuard.

Vickery discovered 47 files, three of which were downloadable, in a public cloud storage bucket hosted by AWS. All three files contained national security data, some of it explicitly classified and marked "TOP SECRET." The bucket was apparently listed under the AWS subdomain "inscom," and Vickery was able to access the files by entering the URL directly.

The decision to name the subdomain after INSCOM "provides little ambiguity to any bad guys seeking to determine the data's significance," the researchers said.  

Among the files supposedly made public was a virtual hard drive containing classified documents labeled "NOFORN," materials so secret that the U.S. does not even share their contents with foreign allies. It also housed sensitive details about the Army's Distributed Common Ground System, a battlefield intelligence system that allows commanders in the field real-time access to classified operational intelligence. The files contained private keys and passwords used to access distributed intelligence systems. Those keys and passwords bore markings indicating that they were used by Invertix, a former government contractor that merged with Near Infinity in 2013 and now goes by the name Altamira.

Vickery and O'Sullivan said they believe the exposure happened when the government transferred the data to Invertix, and said it demonstrates how poor risk-management protocols for third-party vendors are often a "silent killer" for enterprise cybersecurity.

"Regrettably, this cloud leak was entirely avoidable, the likely result of process errors within an IT environment that lacked the procedures needed to ensure something as impactful as a data repository containing classified information not be left publicly accessible," Vickery and O'Sullivan wrote.

The incident is the latest in a series of high-profile leaks of government secrets traced back to the NSA and is likely to intensify criticisms that the agency is incapable of safeguarding its sensitive data. It has the potential to affect several policies the government is currently pushing around encryption regulation, surveillance, vulnerability disclosures and cyber threat information sharing with the private sector, all of which at least partially hinge on the government's ability to credibly argue it can keep sensitive internal data from leaking to the public.

About the Author

Derek B. Johnson is a senior staff writer at FCW, covering governmentwide IT policy, cybersecurity and a range of other federal technology issues.

Prior to joining FCW, Johnson was a freelance technology journalist. His work has appeared in The Washington Post, GoodCall News, Foreign Policy Journal, Washington Technology, Elevation DC, Connection Newspapers and The Maryland Gazette.

Johnson has a Bachelor's degree in journalism from Hofstra University and a Master's degree in public policy from George Mason University. He can be contacted at djohnson@fcw.com, or follow him on Twitter @derekdoestech.
