Cloud Security Fail: Classified U.S. Military Data Exposed in Amazon S3 Bucket

UpGuard security researchers uncovered several unprotected databases in the cloud over the past several months, but their most recent find is particularly striking: on September 27, 2017, the researchers came across classified data belonging to the United States Army Intelligence and Security Command (INSCOM), a joint U.S. Army and National Security Agency (NSA) command focused on intelligence gathering, being stored in an Amazon Web Services S3 bucket configured for public access at the AWS subdomain “inscom.”

“Among the most compelling downloadable assets revealed from within the exposed bucket is a virtual hard drive used for communications within secure federal IT environments, which, when opened, reveals classified data labeled NOFORN — a restriction indicating a high level of sensitivity, prohibited from being disseminated even to foreign allies,” UpGuard cyber resilience analyst Dan O’Sullivan wrote in a blog post detailing the breach.

The exposed data also includes information on the Distributed Common Ground System – Army (DCGS-A) battlefield intelligence platform and on its cloud component, Red Disk. Private keys used for accessing intelligence systems and hashed passwords were also exposed.

“Plainly put, the digital tools needed to potentially access the networks relied on by multiple Pentagon intelligence agencies to disseminate information should not be something available to anybody entering a URL into a Web browser,” O’Sullivan wrote. “Although the UpGuard Cyber Risk Team has found and helped to secure multiple data exposures involving sensitive intelligence data, this is the first time that clearly classified information has been among the exposed data.”

Taking Responsibility

A recent Veritas Technologies survey of 1,200 global business and IT decision makers found that 69 percent of respondents believe that data protection, data privacy and compliance are entirely the responsibility of the cloud service provider.

Eighty-three percent believe their organization’s cloud service provider is fully responsible for protecting their data in the cloud.

Fifty-four percent of respondents believe it’s the responsibility of the cloud service provider to secure the transfer of data between on-premise and cloud, and 51 percent believe it’s the responsibility of the cloud service provider to back up workloads in the cloud.

“Moving services and data to a cloud platform can provide a number of benefits, but you remain responsible for protecting your own data,” Tripwire vice president for product management and strategy Tim Erlin told eSecurity Planet by email. “The cloud isn’t magic and it doesn’t absolve organizations from their responsibilities to their customers.”

“This is an attitude that has to change,” Erlin added. “Cloud adoption isn’t slowing, and organizations that mistakenly believe they’re not responsible for securing their own data are leaving consumers and themselves at risk.”

Basic Web Security

AttackIQ chief revenue officer Carl Wright told eSecurity Planet by email that an alarming number of organizations have been breached recently just because they failed to configure security controls correctly. “This is called a protection failure, and indicates that these organizations are doing little to no testing to validate that existing security controls are working properly,” he said.

“The cost to validate your security controls is comparably infinitesimal compared to the cost of a data breach,” Wright added. “It is a disturbing state of IT and security management when the attackers are routinely able to find protection failures before corporate or government security teams.”

A recent study of 469 U.S. federal websites conducted by the Information Technology and Innovation Foundation (ITIF) found that 91 percent of federal government websites fail at least one key performance measure, including 36 percent that fail at least one important security measure.

“Despite the common acknowledgement that federal websites fall far short of federal requirements and industry standards, little progress has been made to improve and modernize them over the course of the past year,” ITIF vice president Daniel Castro said in a statement.

Jeff Goldman
Jeff Goldman has been a technology journalist for more than 20 years and an eSecurity Planet contributor since 2009.
