DOD and NSA Internet Surveillance Archives Not Secured

Many companies and organization are moving their data repositories to the cloud, to places such as Amazon Web Services (AWS).  Hopefully, if your company is moving to the cloud, you are doing a better job securing this information than the Department of Defense or the National Security Agency.

The first story involves a trove of data left on AWS servers, and discovered by security researcher Chris Vickery from UpGuard.  The first question is what the DOD and Centcom were doing running surveillance operations against American citizens on social media platforms?  When the operation was over, this data was left on AWS in a state where it could be access by UpGuard.  Granted, what UpGuard did was technically a violation of computer law, but the point is that if UpGuard could do it, then the same access would be available to be exploited by foreign intelligence organizations and cyber-criminal groups.

UpGuard’s comment on this information:

“The data exposed in one of the three buckets is estimated to contain at least 1.8 billion posts of scraped internet content over the past 8 years, including content captured from news sites, comment sections, web forums, and social media sites like Facebook, featuring multiple languages and originating from countries around the world. Among those are many apparently benign public internet and social media posts by Americans, collected in an apparent Pentagon intelligence-gathering operation, raising serious questions of privacy and civil liberties.”

The second story is about another leak from the NSA.  With the information already leaked by Edward Snowden, and the cyber-underground group The Shadow Brokers, you might think there was little left to lose.  That was not the case.  Another trove of information on AWS was discovered by Chris Vickery and UpGuard.

“On September 27th, 2017, UpGuard Director of Cyber Risk Research Chris Vickery discovered an Amazon Web Services S3 cloud storage bucket configured for public access. Set to allow anyone entering the URL to see the exposed bucket’s contents, the repository, located at the AWS subdomain “inscom,” contained 47 viewable files and folders in the main repository, three of which were also downloadable. The subdomain name provides some indication as to the provenance of the data: INSCOM, an intelligence command overseen by both the US Army and the NSA.

The three downloadable files contained in the bucket confirm the highly sensitive nature of the contents, exposing national security data, some of it explicitly classified.

The largest file is an Oracle Virtual Appliance (.ova) file titled “ssdev,” which, when loaded into VirtualBox, is revealed to contain a virtual hard drive and Linux-based operating system likely used for receiving Defense Department data from a remote location. While the virtual OS and HD can be browsed in their functional states, most of the data cannot be accessed without connecting to Pentagon systems – an intrusion that malicious actors could have attempted, had they found this bucket.”

UpGuard had notified the government of of this find back in October.

The take away here is not about your government spying on you.  It is that if your organization is putting data into Amazon Web Services, make sure everything is properly secured, using strong passwords and two-factor authentication.  It would be better if your information was encrypted, too.

I know that Amazon can be a simple way to spin up servers and web applications for testing, or to build a proof of concept.  Just make sure that you sanitize everything when you are done.

More information:

 

0

About the Author:

Cybersecurity guru to business owners in the St Paul, Minneapolis, and western Wisconsin area. Computer security and hacking have been a passion of mine since I entered the computer and networking business in 2000. In 2013 I completed a course of study and certification exam to become a Certified Ethical Hacker (CEH). In 2016 I was certified as a Certified Information Systems Security Professional (CISSP). As Senior Cybersecurity Engineer at Computer Integration Technologies, I help our clients experience high levels of computer security, network security, and web site security. In addition to consulting on security products and services, we also conduct security audits, vulnerability assessments and full penetration tests. We also provide Cybersecurity Awareness Training for clients and their employees. We also work with companies and organizations that need to certify compliance with regulations such as PCI-DSS (credit card processing), HIPAA/HITECH (medical records), and GLBA. The views expressed on this Web site are mine alone and do not necessarily represent the views of my employer.

Add a Comment