Leaky AWS Storage Bucket Spills Military Secrets, Again


For the second time in ten days, researchers at UpGuard released sensitive data belonging to the United States Defense Department that was stored insecurely online. This time it was nearly 100 GB of critical data belonging to the United States Army Intelligence and Security Command (INSCOM).
Some of the data included information labeled “top secret” and “NOFORN” (no foreign nationals) and mostly pertained to a project called Red Disk, a proposed plan to offer cloud-computing capabilities to a U.S. military intelligence network known as the Distributed Common Ground System (DCGS).
“INSCOM’s web presence provides troubling indications of gaps in their cybersecurity – exemplified by the presence of classified data within this publicly accessible data repository,” wrote UpGuard in a report outlining its findings on Tuesday.
The data was found on an Amazon S3 storage bucket publicly accessible to the internet. According to UpGuard, the AWS storage bucket belonged to a now-defunct third-party defense contractor named Invertix, a past INSCOM partner.
Requests for comment made to INSCOM were not returned. The NSA and U.S. Army referred all questions on the matter to INSCOM. INSCOM is an intelligence command overseen by both the U.S. Army and the NSA.
The data leak follows a number of previous embarrassing leaks for the Defense Department where sensitive data was also left on publicly accessible servers. Last week, UpGuard reported it found a massive archive of 1.8 billion publicly accessible social-media posts on the Amazon S3 storage buckets that belonged to a Pentagon contractor.
UpGuard Director of Cyber Risk Research Chris Vickery is credited with finding both leaky servers. According to UpGuard, the INSCOM data was found on Sept. 27, 2017, on an AWS storage bucket configured for public access.
“Set to allow anyone entering the URL to see the exposed bucket’s contents, the repository, located at the AWS subdomain ‘inscom,’ contained 47 viewable files and folders in the main repository, three of which were also downloadable,” UpGuard reported Tuesday. UpGuard said that three of the downloadable files contained “highly sensitive” data that was explicitly classified.
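As an added example (not code from UpGuard or the original article), the Python below shows how an audit can separate "viewable" from "downloadable" exposure when access is granted through S3 ACLs: a public READ grant on the bucket allows listing, while a public READ grant on an object allows download. It assumes ACL-based grants, which the article does not confirm, and does not evaluate bucket policies; the function names and sample ACLs are constructed for illustration.

```python
# Grant dicts follow the shape of the "Grants" list in S3 GetBucketAcl /
# GetObjectAcl responses. All sample data below is constructed.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS: "anyone", AUTH_USERS: "any AWS account"}

# What each ACL permission means on a bucket versus on an object.
BUCKET_EFFECT = {"READ": "list", "WRITE": "write",
                 "READ_ACP": "read-acl", "WRITE_ACP": "change-acl"}
OBJECT_EFFECT = {"READ": "download",
                 "READ_ACP": "read-acl", "WRITE_ACP": "change-acl"}


def public_effects(acl, effect_map):
    """Return the set of (audience, effect) pairs granted to public groups."""
    found = set()
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        audience = PUBLIC_GROUPS.get(grantee.get("URI"))
        if grantee.get("Type") != "Group" or audience is None:
            continue  # owner or other named principal, not a public group
        perm = grant.get("Permission")
        # FULL_CONTROL implies every permission that applies to the resource.
        perms = list(effect_map) if perm == "FULL_CONTROL" else [perm]
        found.update((audience, effect_map[p]) for p in perms if p in effect_map)
    return found


def audit(bucket_acl, object_acls):
    """Report whether the public can list the bucket and which keys it can fetch."""
    bucket = public_effects(bucket_acl, BUCKET_EFFECT)
    downloadable = sorted(
        key for key, acl in object_acls.items()
        if any(e == "download" for _, e in public_effects(acl, OBJECT_EFFECT)))
    return {"bucket_findings": sorted(bucket),
            "listable": any(e == "list" for _, e in bucket),
            "downloadable": downloadable}


def _grant(permission, uri=None):  # helper for building constructed samples
    grantee = ({"Type": "Group", "URI": uri} if uri
               else {"Type": "CanonicalUser", "ID": "owner-id-placeholder"})
    return {"Grantee": grantee, "Permission": permission}


SAMPLE_BUCKET_ACL = {"Grants": [_grant("FULL_CONTROL"), _grant("READ", ALL_USERS)]}
SAMPLE_OBJECT_ACLS = {
    "reports/a.txt": {"Grants": [_grant("FULL_CONTROL")]},
    "images/b.ova": {"Grants": [_grant("FULL_CONTROL"), _grant("READ", ALL_USERS)]},
    "notes/c.md": {"Grants": [_grant("FULL_CONTROL", AUTH_USERS)]},
}

if __name__ == "__main__":
    print(audit(SAMPLE_BUCKET_ACL, SAMPLE_OBJECT_ACLS))
```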
Aside from information about Red Disk, a virtual hard drive and Linux-based operating system were also publicly accessible. The hard drive contains six partitions, varying in size from 1 GB to 69 GB.
“The largest file is an Oracle Virtual Appliance (.ova) file titled ‘ssdev,’ which, when loaded into VirtualBox, is revealed to contain a virtual hard drive and Linux-based operating system likely used for receiving Defense Department data from a remote location,” researchers said.
“While the virtual OS and HD can be browsed in their functional states, most of the data cannot be accessed without connecting to Pentagon systems – an intrusion that malicious actors could have attempted, had they found this bucket,” researchers noted.
Also exposed were private keys used for accessing distributed intelligence systems, belonging to Invertix administrators, as well as hashed passwords which, if still valid and cracked, could be used to further access internal government systems.
Just how sensitive the exposed data is remains unclear.
“It is unnecessary to speculate as to the potential value of such an exposed bucket to foreign intelligence services or malicious individual actors; the care taken to classify sections of the exposed virtual drive as ‘Top Secret’ and ‘NOFORN’ provide all the indications necessary to determine how seriously this data was taken by the Defense Department,” UpGuard wrote.
The leak is just the latest in a long string of incidents where data has been exposed to the public internet via misconfigured servers. As of September 2017, IBM X-Force said 1.3 billion records tied to 24 incidents have been exposed. Accenture, Verizon, Dow Jones and Deep Root Analytics are just a few of the firms that have had millions of private records and sensitive enterprise data exposed on cloud backends in the past year.
UpGuard said it worked with INSCOM to remove and secure the data.