News

Bad AWS Configuration Leaves U.S. Army Data Unprotected

Data marked "top secret" was exposed.

The more things change in the IT security field, the more thay stay the same.

It remains true that most security breaches are the result of human error -- failing to apply patches that have been out for months or years, for example. Or not securing obvious attack vectors.

In this case, it was the latter problem that caused a vulnerability that could have serious ramifications.

For the second time in less than two weeks, security researchers at UpGuard have reported the leak of highly classified U.S. military data left on unsecured Amazon S3 storage buckets.

UpGuard has spent the past few months broadcasting instances of organizations, in both the public and private sectors, that have exposed their critical data due to Amazon S3 misconfigurations. On Tuesday, UpGuard reported its latest discovery: classified data from a U.S. military agency stored in an Amazon S3 bucket that was incorrectly configured to allow anyone access.

"Critical data belonging to the United States Army Intelligence and Security Command (INSCOM), a joint US Army and National Security Agency (NSA) Defense Department command tasked with gathering intelligence for US military and political leaders, leaked onto the public internet, exposing internal data and virtual systems used for classified communications to anyone with an internet connection," UpGuard researchers wrote.

Researchers found the data back in Sept. 27 in an AWS subdomain named "inscom," which gave an indication of its source. Inside the subdomain was a repository of nearly four dozen viewable files, including three that were downloadable. Inside one of those three files was a virtual hard drive that was "likely used for receiving Defense Department data from a remote location," UpGuard said.

Though the files inside the hard drive were themselves unreadable, UpGuard said their properties clearly labeled them as "top secret" and "NOFORN," which is a classification used by the U.S. government to designate information that cannot be shared with non-U.S. citizens.

Also exposed were private keys and hashed passwords to access some unspecified internal systems, as well as files related to Red Disk, a failed Department of Defense (DoD) cloud computing initiative.

UpGuard noted that the files bore indications of being once accessed by a military contractor previously called Invertix Corp., which is now part of a merged entity called Altamira. The involvement of a third-party contractor underscores the need for organizations to inspect not just their own internal security policies, but also those of their partners.

"Regrettably, this cloud leak was entirely avoidable, the likely result of process errors within an IT environment that lacked the procedures needed to ensure something as impactful as a data repository containing classified information not be left publicly accessible," they wrote.

News of the INSCOM data leak came less than two weeks after UpGuard's last Amazon S3 discovery, which also involved the exposure of U.S. military data. Specifically, UpGuard found unsecured buckets containing surveillance data on civilians collected by the DoD.