US intel agency leaked classified info via AWS S3

By on
US intel agency leaked classified info via AWS S3

Researchers found virtual hard drive for comms with Pentagon.

A United States joint intelligence agency stored sensitive material on an Amazon Web Services cloud storage facility without any access controls, sparking concerns that classified material may have leaked to unknown parties.

Security vendor Upguard revealed the information leak it discovered in an open AWS Simple Storage Service (S3) bucket belonging to the US Army Intelligence and Security Command (INSCOM).

INSCOM is jointly run by the US Army and the National Security Agency (NSA), and is tasked with collecting intelligence for the American military. 

Upguard found 47 viewable files and folders in the S3 bucket, three of which were downloadable.

One was an Oracle Virtual Appliance file, which Upguard said contained a virtual hard drive and a Linux-based operating system.

The virtual hard drive was likely used to receive US Defence Department data from remote locations, and contained files marked as top secret and NOFORN, meaning they contain sensitive material to be viewed by US eyes only.

The information in the AWS repository was easily accessible through a web browser.

"... the digital tools needed to potentially access the networks relied upon by multiple Pentagon intelligence agencies to disseminate information should not be something available to anybody entering a URL into a web browser," Upguard wrote.

The time and date stamps on the files in the repository are mostly from 2012 and 2013, with the newest being from October 2014. Metadata for the files shows they appear to have been worked on by now-defunct defence contractor Invertix. 

More than 100 gigabytes of data was left unsecured.

Digital keys and hashed passwords for Invertix administrators accesssing distributed intelligence systems were also left on the virtual hard drive.

Earlier this month, Upguard discovered another AWS S3 storage repository that contained what appeared to be internet surveillance data left wide open by the US Department of Defence's Central and Asia-Pacific Commands.

Organisations failing to secure data in AWS S3 buckets has been a recent problem for Amazon, which has issued warnings and tweaked S3 security in a bid to stop any more high-profile leaks.

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © iTnews.com.au . All rights reserved.
Tags:
awscloud computingnsas3securityupguard

Sponsored Whitepapers

Responding To Industry Trends And Our 5m+ Users
Responding To Industry Trends And Our 5m+ Users
The Future of Digital Identity in Government
The Future of Digital Identity in Government
Secure Public Services for Every Australian
Secure Public Services for Every Australian
7½ Questions for Aged Care's Digital Decisions
7½ Questions for Aged Care's Digital Decisions
Creating the Sustainable IT Department
Creating the Sustainable IT Department

Most Read Articles

Australia appoints first cyber security coordinator

Australia appoints first cyber security coordinator
Apple rushes out patches for exploited zero day bugs

Apple rushes out patches for exploited zero day bugs
Perpetual 'extended outage' caused by security incident at third-party

Perpetual 'extended outage' caused by security incident at third-party
Exploit emerges for Cisco VPN client vulnerability

Exploit emerges for Cisco VPN client vulnerability

Digital Nation

Health tech startup Kismet raises $4m in pre-seed funding
Health tech startup Kismet raises $4m in pre-seed funding
COVER STORY: The opportunities and risks of cybersecurity insurance in Australia
COVER STORY: The opportunities and risks of cybersecurity insurance in Australia
How eBay uses interaction analytics to improve CX
How eBay uses interaction analytics to improve CX
DeepAI founder on the risks of artificial intelligence
DeepAI founder on the risks of artificial intelligence
More than half of loyalty members concerned about their data
More than half of loyalty members concerned about their data

Log In

  |  Forgot your password?