A classified toolkit for potentially accessing US military intelligence networks was left exposed to the public internet, for anyone to find, according to security researchers today.
A Linux-based virtual machine designed to safely receive and handle secret material, and connect to protected Pentagon computers, was discovered, we’re told, in a misconfigured cloud storage service. Anyone with an Amazon Web Services account could have found and delved into the unsecured AWS S3 silo and pulled out the US government’s software files.
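The failure mode in the paragraph above is a bucket ACL that grants access to the AuthenticatedUsers group, which means any AWS account holder in the world rather than only your own accounts. The following audit script is an added example, not code from The Register, UpGuard or the US Army: it takes a GetBucketAcl-shaped response (a constructed sample is embedded so it runs offline; with boto3 the same dictionary comes from `s3.get_bucket_acl(Bucket=name)`), flags grants to the two global groups, and builds the owner-only ACL and the Public Access Block settings a defender would apply. The bucket and owner IDs are placeholders.

```python
"""Audit an S3 bucket ACL for world-readable grants and build a remediation.

Added example (not the article's or any vendor's code). Runs offline on a
constructed sample; with boto3, the same structure is returned by
s3.get_bucket_acl(Bucket=...) and consumed by s3.put_bucket_acl(...) and
s3.put_public_access_block(...).
"""
from typing import Dict, List

# Group URIs that S3 uses for "everyone" and "every AWS account" grants.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

# Public Access Block settings that neutralise public ACLs and policies.
PUBLIC_ACCESS_BLOCK = {
    "BlockPublicAcls": True,
    "IgnorePublicAcls": True,
    "BlockPublicPolicy": True,
    "RestrictPublicBuckets": True,
}

# Constructed sample modelled on a GetBucketAcl response (placeholder IDs).
# The second grant reproduces the misconfiguration in the article: READ for
# any authenticated AWS user, not just the owner's accounts.
SAMPLE_ACL: Dict = {
    "Owner": {"ID": "PLACEHOLDER-OWNER-CANONICAL-ID"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "PLACEHOLDER-OWNER-CANONICAL-ID"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS},
         "Permission": "READ"},
    ],
}


def public_grants(acl: Dict) -> List[Dict[str, str]]:
    """Return every grant made to AllUsers or AuthenticatedUsers.

    Each finding names the group and the permission it was given, so a
    report can distinguish a world-listable bucket (READ) from one that
    anyone can also write to or change the ACL of.
    """
    findings: List[Dict[str, str]] = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        uri = grantee.get("URI")
        if grantee.get("Type") == "Group" and uri in (ALL_USERS, AUTHENTICATED_USERS):
            findings.append({
                "group": "AllUsers" if uri == ALL_USERS else "AuthenticatedUsers",
                "permission": grant.get("Permission", ""),
            })
    return findings


def owner_only_acl(acl: Dict) -> Dict:
    """Build an AccessControlPolicy that keeps only the owner's grants.

    Group grants (and any grant to other canonical users) are dropped; the
    result is the shape put_bucket_acl expects in AccessControlPolicy.
    """
    owner_id = acl["Owner"]["ID"]
    kept = [
        g for g in acl.get("Grants", [])
        if g.get("Grantee", {}).get("Type") == "CanonicalUser"
        and g["Grantee"].get("ID") == owner_id
    ]
    return {"Owner": {"ID": owner_id}, "Grants": kept}


def audit(bucket: str, acl: Dict) -> Dict:
    """Summarise a bucket's exposure and the remediation to apply."""
    findings = public_grants(acl)
    return {
        "bucket": bucket,
        "exposed": bool(findings),
        "findings": findings,
        # Remediation is only meaningful when something is exposed.
        "fixed_acl": owner_only_acl(acl) if findings else None,
        "public_access_block": PUBLIC_ACCESS_BLOCK if findings else None,
    }


if __name__ == "__main__":
    report = audit("placeholder-bucket", SAMPLE_ACL)
    for f in report["findings"]:
        print(f"{report['bucket']}: {f['permission']} granted to {f['group']}")
    if report["exposed"]:
        print("apply owner-only ACL and Public Access Block:", report["public_access_block"])
```

On a live account the same check runs across `s3.list_buckets()`; the AuthenticatedUsers grant is the one that is easy to mistake for "internal only", and the Public Access Block settings are the account-level control Amazon later introduced to stop such ACLs from taking effect even if someone reapplies them.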

This does not mean the code, when run, would grant automatic access to US Department of Defense networks; merely, it’s a software kit for officials and agents to log into government computers to download sensitive reports, presumably while in the field. There were hashed passwords, and private keys belonging to a US military contractor, found alongside the code. However, it is unclear how useful these would have been to miscreants.
The find comes hot on the heels of the US military accidentally spilling the guts of its global social-media spying program onto the web from a badly configured AWS S3 bucket, which we reported earlier this month.
This latest exposed file store, in a silo marked “inscom,” belonged to the US Army Intelligence and Security Command (INSCOM), a joint US Army and National Security Agency (NSA) Defense Department intelligence gathering group. The documents – 47 viewable and three downloadable – were labeled a mix of classified, top secret – and NOFORN, meaning so secret that they couldn’t be shared with America’s foreign allies.
The virtual machine was an Oracle virtual appliance that ran on the database giant’s VirtualBox hypervisor. The VM’s hard drive had six partitions, varying in size from 1GB to 69GB. There was also some documentation, and custom code for training g-men on how to categorize classified materials.
Uncle Sam’s privates were glimpsed by Upguard’s Chris Vickery, a master at discovering misconfigured S3 buckets. He made this find on September 27, before Amazon introduced new controls to prevent people from leaving their S3 buckets open to the world, and promptly alerted the US government. The exposed silo has now vanished from public view.
The software appeared to have been collated by Invertix, a military contractor that has since merged with another biz. The bucket included the private keys of Invertix administrators and hashed passwords.
Several documents in the bucket appeared to be related to the US military’s Red Disk system, a $5bn boondoggle that was sold as a way to bring real-time information to troops in the field. It never worked properly, and served only to enrich military contractors – who it seems were as good at security as they were at product development.
“Plainly put, the digital tools needed to potentially access the networks relied upon by multiple Pentagon intelligence agencies to disseminate information should not be something available to anybody entering a URL into a web browser,” Upguard’s Dan O’Sullivan explained in a blog post.
“Although the UpGuard Cyber Risk Team has found and helped to secure multiple data exposures involving sensitive defense intelligence data, this is the first time that clearly classified information has been among the exposed data.”
Describing the contents of the file store, O’Sullivan said: “The largest file is an Oracle Virtual Appliance (.ova) file titled ‘ssdev,’ which, when loaded into VirtualBox, is revealed to contain a virtual hard drive and Linux-based operating system likely used for receiving Defense Department data from a remote location.
“While the virtual OS and HD can be browsed in their functional states, most of the data cannot be accessed without connecting to Pentagon systems – an intrusion that malicious actors could have attempted, had they found this bucket.”
A spokesperson for INSCOM was not available for immediate comment. ®