For a spy agency that has the word 'security' in its title, the National Security Agency seems to be worse than a teenager downloading MP3s from LimeWire. The NSA has been busted again exposing top secret data to people, this time on the cloud.
On September 27, UpGuard Director of Cyber Risk Research Chris Vickery discovered an Amazon Web Services S3 cloud storage bucket that was configured for totally open public access. This means that anyone could enter the URL and see what's inside the bucket, which was located on the AWS subdomain "inscom". This folder had 47 viewable files and other folders inside, three of which could be downloaded.
INSCOM is the intelligence command that is controlled by both the US Army and the NSA. The worst part of this news is that the folder wasn't password protected, which seems awfully stupid (there are worse words) of the NSA.
Inside the folder are some super-secret NSA contents, including an Oracle Virtual Appliance (.ova) titled "ssdev". Vickery loaded this file in VirtualBox, discovering that it contained a virtual HDD with a Linux-based OS that he reports was "likely used for receiving Defense Department data from a remote location. While the virtual OS and HD can be browsed in their functional states, most of the data cannot be accessed without connecting to Pentagon systems - an intrusion that malicious actors could have attempted, had they found this bucket".
Vickery discovered that there were hundreds of gigabytes of data from something called Red Disk, an Army intelligence program, that was completely open - without any password protection. The disk image itself belonged to the US Army's Intelligence and Security Command (INSCOM).
UpGuard also found:
- Virtual hard drive used for classified communications within secure federal IT environments
- Details concerning the Defense Department's battlefield intelligence platform known as DCGS-A
- Information on Red Disk, "a troubled Defense Department cloud intelligence platform"
- Private keys belonging to Invertix, a defense contractor that works with INSCOM
It's almost unbelievable that there was top secret information from the US Army and the NSA, all available on a public platform and without any password protection. Unbelievable.