FileHippo News

The latest software and tech news

Classified data from a joint program run by the US National Security Agency (NSA) and the US Army has been found online and may... Classified Pentagon Data Fully Accessible In Public Cloud

Classified data from a joint program run by the US National Security Agency (NSA) and the US Army has been found online and may have been accessible for years, say researchers.

According to new research published by Cybersecurity firm UpGuard, around 100GB of data from a now redundant and failed joint intelligence-sharing program between the NSA and the US Army, from 2013, was found to have just been sitting on an unlisted but public Amazon Web Services storage server.

UpGuard researchers discovered the data, stored on an Amazon Web Services Cloud Storage bucket, without any sort of security or password. While the web address of the cloud server wouldn’t have shown up in Google Search results, anyone on the internet, from anywhere in the world, including China and Russia, could have easily seen and searched its contents. More worryingly, it would only need someone with limited technical knowledge of how such things work to have gained access. Essentially, anyone with knowledge of the Cloud Server’s URL, could have copied or viewed all 100 gigs of classified data.

While their data may have been left sitting unsecured on the internet for years, the shadow puppet branch have been working on their skills instead. This one is supposed to be a dog, I think. Maybe a spider….I can’t tell.

Blog update

Upguard’s blog post states: “On September 27th, 2017, UpGuard Director of Cyber Risk Research Chris Vickery discovered an Amazon Web Services S3 cloud storage bucket configured for public access…” reads Upguard’s blog post on the subject. “…the repository, located at the AWS subdomain “inscom,” contained 47 viewable files and folders in the main repository, three of which were also downloadable. The subdomain name provides some indication as to the provenance of the data: INSCOM, an intelligence command overseen by both the US Army and the NSA.”

Vickery then notified the Pentagon of the data exposure in late September after verifying the integrity of the data, and was subsequently informed on October 10th, that the open data had been secured.

Bucket list

UpGuard were however, unable to identify the creator of the Amazon Storage bucket. If the US Government know themselves, they have not said. UpGuard’s cyber-resilience analyst, Dan O’Sullivan, noted: “While the specific purpose of the virtual drive’s partitions are unclear, the file appears to be of use for receiving, transmitting, and handling classified data. A folder within the hard drive reveals a human-configured installation of files for use with Red Disk, a troubled Defense Department cloud intelligence platform partially integrated into the Pentagon’s DCGS-A program…

“…Plainly put, the digital tools needed to potentially access the networks relied upon by multiple Pentagon intelligence agencies to disseminate information should not be something available to anybody entering a URL into a web browser.”

Worryingly for the US Government, the data was apparently accessible on the open internet for years before Upguard’s discovery.

At the time of writing, no official response from either the Pentagon, NSA, or US Army, has been received.

And just because US Government bodies don’t take care of their important data doesn’t mean you shouldn’t. Check out some of these great security software options to help you with your important data, right here, on FileHippo.com