A classified toolkit for potentially accessing US military intelligence networks was left exposed to the public internet, for anyone to find, according to security researchers today.
A Linux-based virtual machine designed to safely receive and handle secret material, and connect to protected Pentagon computers, was discovered, we’re told, in a misconfigured cloud storage service. Anyone with an Amazon Web Services account could have found and delved into the unsecured AWS S3 silo and pulled out the US government’s software files.
This does not mean the code, when run, would grant automatic access to US Department of Defense networks; merely, it’s a software kit for officials and agents to log into government computers to download sensitive reports, presumably while in the field. There were hashed passwords, and private keys belonging to a US military contractor, found alongside the code. However, it is unclear how useful these would have been to miscreants.
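The misconfiguration described above is an ACL grant to one of S3's two global grantee groups: AllUsers (anyone on the internet) or AuthenticatedUsers (anyone holding any AWS account, which is what "anyone with an Amazon Web Services account" corresponds to). The check below is an added example, not code from The Register, UpGuard or INSCOM; it flags such grants in the dict that boto3's `get_bucket_acl` returns, and the sample ACLs are constructed to mirror the exposure rather than taken from the real bucket.

```python
"""Flag S3 bucket ACL grants that open a bucket to the world or to any AWS account.

Added example, not code from the article or from UpGuard. The pure functions
work offline on the dict shape boto3 returns from s3.get_bucket_acl(); the
live audit at the bottom needs boto3 and AWS credentials.
"""

# The only two grantee URIs that make a bucket readable outside the owning
# account. AWS calls these "predefined groups".
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

GLOBAL_GROUPS = {
    ALL_USERS: "anyone on the internet",
    AUTHENTICATED_USERS: "any AWS account holder",
}


def risky_grants(acl):
    """Return [(who, permission)] for every grant to a global group.

    `acl` is the dict from boto3 `s3.get_bucket_acl(Bucket=...)`. On a bucket
    ACL, READ lets the grantee list the keys, READ_ACP lets them read the ACL,
    WRITE lets them upload or delete objects, FULL_CONTROL is all of those.
    """
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in GLOBAL_GROUPS:
            found.append((GLOBAL_GROUPS[grantee["URI"]], grant["Permission"]))
    return found


def is_exposed(acl):
    """True if any grant in the ACL goes to AllUsers or AuthenticatedUsers."""
    return bool(risky_grants(acl))


# Constructed sample (hypothetical owner ID): the shape of a get_bucket_acl
# response for a bucket whose owner granted READ to "Authenticated Users",
# i.e. to every AWS account in existence.
OWNER = {"ID": "0" * 64, "DisplayName": "bucket-owner"}

SAMPLE_EXPOSED_ACL = {
    "Owner": OWNER,
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", **OWNER}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS}, "Permission": "READ"},
    ],
}

# Constructed sample: the same bucket with only the owner's grant, i.e. private.
SAMPLE_PRIVATE_ACL = {
    "Owner": OWNER,
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", **OWNER}, "Permission": "FULL_CONTROL"},
    ],
}


def audit_account():
    """Walk every bucket the caller can list and report global-group grants.

    Returns {bucket_name: [(who, permission), ...]} for exposed buckets only.
    boto3 is imported here so the pure functions above work without it.
    """
    import boto3
    from botocore.exceptions import ClientError

    s3 = boto3.client("s3")
    report = {}
    for bucket in s3.list_buckets()["Buckets"]:
        name = bucket["Name"]
        try:
            grants = risky_grants(s3.get_bucket_acl(Bucket=name))
        except ClientError as exc:  # e.g. AccessDenied: record it, keep going
            grants = [("error", exc.response["Error"]["Code"])]
        if grants:
            report[name] = grants
    return report


if __name__ == "__main__":
    for name, grants in audit_account().items():
        for who, perm in grants:
            print(f"{name}: {perm} granted to {who}")
```

Two caveats a practitioner would want: this inspects the bucket ACL only, so a bucket made public through a bucket policy (a `Principal` of `"*"`) or through per-object ACLs will not be flagged, and should be checked separately with `get_bucket_policy` and `get_object_acl`; and `list_buckets` only returns buckets owned by the calling account, so a contractor's bucket has to be audited from the contractor's credentials.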
The find comes hot on the heels of the US military accidentally spilling the guts of its global social-media spying program onto the web from a badly configured AWS S3 bucket, which we reported earlier this month.
This latest exposed file store, in a silo marked “inscom,” belonged to the US Army Intelligence and Security Command (INSCOM), a joint US Army and National Security Agency (NSA) intelligence-gathering group within the Department of Defense. The documents – 47 viewable and three downloadable – were labeled a mix of classified, top secret, and NOFORN, a handling caveat meaning the material could not be shared with foreign nationals, even those of America’s allies.
The virtual machine was an Oracle virtual appliance that ran on the database giant’s VirtualBox hypervisor. The VM’s hard drive had six partitions, varying in size from 1GB to 69GB. There was also some documentation, and custom code for training g-men on how to categorize classified materials.
Uncle Sam’s privates were glimpsed by Upguard’s Chris Vickery, a master at discovering misconfigured S3 buckets. He made this find on September 27, before Amazon introduced new controls to prevent people from leaving their S3 buckets open to the world, and promptly alerted the US government. The exposed silo has now vanished from public view.
The software appeared to have been collated by Invertix, a military contractor that has since merged with another biz. The bucket included the private keys of Invertix administrators and hashed passwords.
Several documents in the bucket appeared to be related to the US military’s Red Disk system, a $5bn boondoggle that was sold as a way to bring real-time information to troops in the field. It never worked properly, and served only to enrich military contractors – who it seems were as good at security as they were at product development.
“Plainly put, the digital tools needed to potentially access the networks relied upon by multiple Pentagon intelligence agencies to disseminate information should not be something available to anybody entering a URL into a web browser,” Upguard’s Dan O’Sullivan explained in a blog post.
“Although the UpGuard Cyber Risk Team has found and helped to secure multiple data exposures involving sensitive defense intelligence data, this is the first time that clearly classified information has been among the exposed data.”
Describing the contents of the file store, O’Sullivan said: “The largest file is an Oracle Virtual Appliance (.ova) file titled ‘ssdev,’ which, when loaded into VirtualBox, is revealed to contain a virtual hard drive and Linux-based operating system likely used for receiving Defense Department data from a remote location.
“While the virtual OS and HD can be browsed in their functional states, most of the data cannot be accessed without connecting to Pentagon systems – an intrusion that malicious actors could have attempted, had they found this bucket.”
A spokesperson for INSCOM was not available for immediate comment. ®