The GAP in NSA Security – Top Secret Files Found Open and Available online


NSA Security – holes in the system: Sensitive top secret files belonging to INSCOM (an intelligence group of the US Army and NSA) were found in an ‘S3 bucket’ in the Cloud – open and available to anyone with an internet connection. Deja Vu – it happened back in June 2017 as well, when Defense Contractors Booz Allen and Metronome did the same thing. Was it third-party vendors, or someone in IT somewhere who wasn’t thinking clearly? Or was it deliberate?

UpGuard reported:

On September 27th, 2017, UpGuard Director of Cyber Risk Research Chris Vickery discovered an Amazon Web Services S3 cloud storage bucket configured for public access. Set to allow anyone entering the URL to see the exposed bucket’s contents, the repository, located at the AWS subdomain “inscom,” contained 47 viewable files and folders in the main repository, three of which were also downloadable. The subdomain name provides some indication as to the provenance of the data: INSCOM, an intelligence command overseen by both the US Army and the NSA.

The three downloadable files contained in the bucket confirm the highly sensitive nature of the contents, exposing national security data, some of it explicitly classified…

Plainly put, the digital tools needed to potentially access the networks relied upon by multiple Pentagon intelligence agencies to disseminate information should not be something available to anybody entering a URL into a web browser. Although the UpGuard Cyber Risk Team has found and helped to secure multiple data exposures involving sensitive defense intelligence data, this is the first time that clearly classified information has been among the exposed data.

It is unnecessary to speculate as to the potential value of such an exposed bucket to foreign intelligence services or malicious individual actors; the care taken to classify sections of the exposed virtual drive as “Top Secret” and “NOFORN” provide all the indications necessary to determine how seriously this data was taken by the Defense Department. Finally, the subdomain name for the S3 bucket, “INSCOM,” provides little ambiguity to any bad guys seeking to determine the data’s significance.

UpGuard’s Director Chris Vickery also discovered the leak in June. “NOFORN” is a designation for information so sensitive that it cannot be revealed even to foreign allies.

UpGuard works with companies and governments to try to mitigate cyber leaks and problems. They even have a specific questionnaire designed to weed out potential vendor risks. In this case, the data had been worked on by a third-party vendor named Invertix (now Altamira). According to UpGuard, such third-party vendors remain the cause of most cyber security breaches. Maybe the NSA and Army Intelligence should maintain full oversight of all vendors before anyone is allowed to work on classified/top secret/sensitive files?
