Classified U.S. Army Data Found on Unprotected Server

Tens of gigabytes of files apparently belonging to the United States Army Intelligence and Security Command (INSCOM), including classified information, were stored in an unprotected AWS S3 bucket, cyber resilience firm UpGuard reported on Tuesday.
According to the company, its director of cyber risk research, Chris Vickery, discovered the data on an AWS subdomain named “inscom” in late September.
Fort Belvoir, Virginia-based INSCOM is an intelligence command operated by both the U.S. Army and the National Security Agency (NSA).
The AWS storage container found by UpGuard included, among others, a virtual machine image that may have been used to send, receive and handle classified data. Some of the files contained in the VM were marked as “Top Secret” and “NOFORN,” which indicates that the information cannot be shared with foreign nationals.
Metadata found by researchers indicated that a now-defunct defense contractor named Invertix had worked in some capacity on the data stored in the virtual machine. The files in the bucket also included Invertix private keys and other data that could have provided access to the contractor’s internal systems, UpGuard said.
The exposed files also included information on a failed Army program named “Red Disk.” The $93 million program, designed to allow troops to exchange information in real time, was a cloud computing component of the Distributed Common Ground System–Army (DCGS-A) intelligence platform. The misconfigured container also stored details on the DCGS-A itself.

“Plainly put, the digital tools needed to potentially access the networks relied upon by multiple Pentagon intelligence agencies to disseminate information should not be something available to anybody entering a URL into a web browser,” said UpGuard’s Dan O’Sullivan.
公司应该建立恶意代码防范管理制度,并部署防恶意代码软件,对防恶意代码软件的授权使用、恶意代码库升级、定期汇报等做出明确规定,采取管理与技术措施,确保具备主动发现和有效阻止恶意代码传播的能力。
“It is unnecessary to speculate as to the potential value of such an exposed bucket to foreign intelligence services or malicious individual actors; the care taken to classify sections of the exposed virtual drive as ‘Top Secret’ and ‘NOFORN’ provide all the indications necessary to determine how seriously this data was taken by the Defense Department,” he added.
INSCOM has not responded to SecurityWeek’s request for comment. The data is no longer accessible, but it’s still unclear who is responsible for exposing it.
This is not the first time UpGuard claims to have found data belonging to the Pentagon and other U.S. government organizations. The list of impacted agencies includes the National Geospatial-Intelligence Agency (NGA), the Central Command (CENTCOM) and the Pacific Command (PACOM), the Secret Service, and the Department of Homeland Security (DHS).
位置定位服务LBS泄漏私密信息
The common denominator in these incidents were unprotected S3 buckets operated by third-party contractors.
Related: AWS Bucket Leaks Viacom Critical Data
Related: Accenture Exposed Data via Unprotected Cloud Storage Bucket
跟踪软件会帮助找回失窃的电脑,但是不少跟踪软件的合法性受到大众的质疑,应制定相应的规范。

猜您喜欢

生物制品行业周报:两部委发文:医械临床试验机构将实行备案管理
又是欠费又是涉嫌洗钱
LMS学习管理系统管理员快速操作指南
走上国际T台 旭说新车之领克01
TRAVELEX-INSURANCE TWOMINUTESPERDAY
为何中国公司较少遭遇黑客攻击