Security firm reveals another NSA leak

The data, including a virtual hard drive containing classified Army documents, was for a time unsecured and available for anyone to download.

The National Security Agency has suffered another major security breach after a trove of classified and sensitive Army documents was left on a public Amazon Web Services cloud server for anyone to download.

The leak, discovered in September 2017 by Chris Vickery, director of cyber risk research at UpGuard, was detailed on the firm's breach analysis blog and first reported by ZDNet.

"Critical data belonging to the United States Army Intelligence and Security Command (INSCOM), a joint U.S. Army and National Security Agency Defense Department command tasked with gathering intelligence for US military and political leaders, leaked onto the public internet, exposing internal data and virtual systems used for classified communications to anyone with an internet connection," wrote Vickery and Dan O'Sullivan, a cyber resilience analyst at UpGuard.

Vickery discovered 47 files, three of which were downloadable, in a public cloud storage bucket hosted by AWS. All three files contained national security data, some of it explicitly classified and marked "TOP SECRET." The bucket was apparently listed under the AWS subdomain "inscom," and Vickery was able to access the files by entering the URL directly.

The decision to name the subdomain after INSCOM "provides little ambiguity to any bad guys seeking to determine the data's significance," the researchers said.

Among the files supposedly made public was a virtual hard drive containing classified documents labeled "NOFORN," materials so secret that the U.S. does not even share their contents with foreign allies. It also housed sensitive details about the Army's Distributed Common Ground System, a battlefield intelligence system that allows commanders in the field real-time access to classified operational intelligence. The files contained private keys and passwords used to access distributed intelligence systems. Those keys and passwords bore markings indicating that they were used by Invertix, a former government contractor that merged with Near Infinity in 2013 and now goes by the name Altamira.

Vickery and O'Sullivan said they believe the exposure happened when the government transferred the data to Invertix, and said it demonstrates how poor risk-management protocols for third-party vendors are often a "silent killer" for enterprise cybersecurity.

"Regrettably, this cloud leak was entirely avoidable, the likely result of process errors within an IT environment that lacked the procedures needed to ensure something as impactful as a data repository containing classified information not be left publicly accessible," Vickery and O'Sullivan wrote.

The incident is the latest in a series of high-profile leaks of government secrets traced back to the NSA and is likely to intensify criticism that the agency is incapable of safeguarding its sensitive data. It has the potential to affect several policies the government is currently pushing around encryption regulation, surveillance, vulnerability disclosures and cyber threat information sharing with the private sector, all of which at least partially hinge on the government's ability to credibly argue it can keep sensitive internal data from leaking to the public.