Once again the US government displays a level of ineptitude that can only be described as ‘Equifaxian’ in nature. An AWS bucket with 47 viewable files was found configured for “public access,” containing Top Secret information the government designated too sensitive for our foreign allies to see.
The entire internet was given access to the bucket, owned by INSCOM (a military intelligence agency with oversight from the US Army and NSA), due to what’s probably just a good old-fashioned misconfiguration. Someone didn’t do their job properly, again, and the security of our nation was breached. Again.
Chris Vickery, the internet super sleuth who works for Upguard, found this breach the same way he found the Department of Defense one, and the one from Accenture, and countless others: with a regular web browser.
So, how bad is this one?
In this case, the data exposed was of the highest sensitivity, labeled “Top Secret” in some cases. The digital tools needed to potentially access the networks relied upon by multiple Pentagon agencies to disseminate information were publicly available to anyone with a web browser, a level of access that could create unknown harm or disruption to some of our nation’s most important intelligence operations.
This particular exposure and the danger associated with it bring to light a much more concerning question: If even our most prestigious institutions are unable to keep sensitive data secure, what can our expectations be for corporations and public entities? The cyber risk surface for sensitive data is only increasing, and identifying a solution needs to be a major priority for policy-makers and security professionals alike.
We’re not trying to kick anyone while they’re down, but whoever is responsible for leaving an Amazon Web Services bucket with Top Secret information in a public access configuration really shouldn’t have that job anymore.
It’s unclear exactly how or why this keeps happening. We previously spoke with Vickery on the topic of breaches and he doesn’t think there’s any actual malice or ill intent involved, merely human error.
And while none of us are perfect, there’s a specific – and simple – chain of events that must be considered.
- Someone put Top Secret Data in an AWS bucket
- That bucket was either never secured, or changed from secure to publicly accessible
Amazon doesn’t get any of the blame here either — the option to secure buckets is there. In fact, we recently reported the company added new features to save crappy administrators from their own mistakes.
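The chain of events above comes down to what the bucket's ACL and bucket policy actually grant. As an added example (not from the original article), this Python check audits both documents offline, in the shapes returned by S3's GetBucketAcl and GetBucketPolicy calls; the function names, the bucket name and the sample configurations are constructed for illustration.

```python
import json

# Group URIs S3 uses in ACL grants for "everyone" and "any AWS account".
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anyone on the internet",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account holder",
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_wildcard_principal(principal):
    # "Principal": "*" and "Principal": {"AWS": "*"} (or a list with "*") are anonymous.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False

def public_findings(acl, policy_json=None):
    """Return human-readable findings for grants that open the bucket to the public."""
    findings = []
    for grant in acl.get("Grants", []):
        uri = grant.get("Grantee", {}).get("URI")
        if uri in PUBLIC_GROUPS:
            findings.append(f"ACL grants {grant['Permission']} to {PUBLIC_GROUPS[uri]}")
    policy = json.loads(policy_json) if policy_json else {}
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _is_wildcard_principal(stmt.get("Principal")):
            continue
        # A Condition may narrow the grant (source IP, VPC endpoint); flag it for review.
        scope = "conditionally" if stmt.get("Condition") else "unconditionally"
        actions = ", ".join(_as_list(stmt.get("Action", [])))
        findings.append(f"Policy {scope} allows {actions} to any principal")
    return findings

# Constructed sample configurations (bucket name and owner ID are placeholders).
SECURED_ACL = {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"},
                           "Permission": "FULL_CONTROL"}]}
EXPOSED_ACL = {"Grants": SECURED_ACL["Grants"] + [
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"}]}
EXPOSED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]}]})

if __name__ == "__main__":
    for line in public_findings(EXPOSED_ACL, EXPOSED_POLICY):
        print(line)
```

An empty result for a bucket that holds sensitive data is the expected state; any finding means the bucket is readable, or partly readable, without the owner's credentials.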
It feels like the NSA, the Pentagon, and the White House don’t take computer security very seriously. This isn’t about the government being at the mercy of superior technology or know-how — it would be excusable if it were.
It’s about failing to take the most basic of precautions with data that would only be marked as Top Secret if its nature presented the possibility for the loss of American life if it fell into the wrong hands.
We’re not at risk of having our Top Secret data stolen – we’re giving anyone with a computer the opportunity to get a copy of it.
It’s terrifying to know that the security of our nation can be compromised – over and over – by someone with nothing but a web browser.