Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cloud Security

U.S. Defense Contractor Exposes Sensitive Military Data

Sensitive data belonging to the U.S. National Geospatial-Intelligence Agency (NGA) was left exposed on the Internet by defense and intelligence contractor Booz Allen Hamilton, a security firm revealed on Wednesday.

Sensitive data belonging to the U.S. National Geospatial-Intelligence Agency (NGA) was left exposed on the Internet by defense and intelligence contractor Booz Allen Hamilton, a security firm revealed on Wednesday.

The NGA is a combat support and intelligence agency working under the Department of Defense. The geospatial intelligence provided by the organization is used by policymakers, the military, intelligence professionals and first responders.

Chris Vickery, a researcher who in the past identified billions of records exposed online due to weak configurations, discovered an unprotected Amazon S3 bucket containing tens of thousands of potentially sensitive files. Accessing the files did not require a password and all data was stored in clear text.

The data, belonging to the NGA, was connected – based on domain registration details and credentials – to Booz Allen Hamilton and another one of the agency’s contractors, Metronome. The files, some of which were marked as “top secret,” included military information, SSH keys belonging to a Booz Allen engineer, and admin credentials for a system housed by one of the contractor’s data centers.

Vickery, who recently joined cyber resilience firm UpGuard as a risk analyst, found the files on May 22 and notified Booz Allen two days later. After receiving no response from the company, Vickery alerted the NGA directly on May 25, and the exposed repository was secured within minutes. An unnamed government regulatory agency has asked UpGuard to hold on to the data.

The NGA said it immediately revoked affected credentials, but described the exposed files as “sensitive but unclassified information.” Booz Allen also claimed there was no evidence that any classified information or systems were exposed.

This is not the first time Vickery has discovered a data leak involving Booz Allen Hamilton. In late 2016, he reported that one of the company’s subcontractors, Potomac Healthcare Solutions, had leaked military healthcare worker data.

The intelligence contractor itself was involved in several security incidents in the past years, including a 2011 attack by Anonymous hacktivists, the Edward Snowden leaks, and the alleged theft of classified material by Harold Thomas Martin III.

Advertisement. Scroll to continue reading.

The findings of Vickery and other researchers over the past years have demonstrated the risks posed by misconfigured AWS S3 buckets, but many organizations still fail to protect data stored in the cloud.

“AWS S3 is a very popular cloud based object storage service, and a staple of most AWS environments from the earliest days of the cloud service. Yet security of S3 buckets to prevent accidental data exposure is often poorly understood and badly implemented by their users, even someone as technically savvy as an engineer with one of the world’s leading defense contractors,” explained Zohar Alon, Co-Founder and CEO of Dome9.

“This type of oversight exemplifies the one-strike law for security in the public cloud. A single vulnerability, or security, or process lapse is all it takes to expose highly sensitive private data to the world and get data-jacked. Even with strict security controls in place, breaches such as this still occur due to very basic process failures, leaving extraordinarily sensitive information exposed to the world,” Alon added.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Artificial Intelligence

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

CISO Conversations

SecurityWeek talks to Billy Spears, CISO at Teradata (a multi-cloud analytics provider), and Lea Kissner, CISO at cloud security firm Lacework.