In 2013 Booz employee and NSA contractor Edward Snowden flew to Hong Kong after leaking huge quantities of highly classified NSA documents, proving that even the NSA is challenged to keep secrets under wraps. Those documents are still being dribbled out today.
Earlier this year, when the FBI was trying to track down the Shadow Brokers NSA tools leak, they came across Harold Martin III. Another Booz employee, Martin was found to have 50 gigabytes of highly classified information in his house, car and backyard sheds. 50 gig is the equivalent of a half billion typed pages. While the FBI has not said that he was selling stuff to the Ruskies or Chinese, they are certainly not happy with him stealing all that stuff from the N.S. of A.
Last week security analyst Chris Vickery was scanning Amazon S3 storage “buckets”, as they are called, and came across an unprotected one in the public area of Amazon’s East Coast Data Center US-East-1.
As he was rummaging around in this bucket he found the public and private SSH keys of a Booz engineer. This engineer, located in Alexandria, Virginia, near Fort Belvoir, home to many sensitive projects including the National Geospacial-Intelligence Agency or NGA.
Among the other things in this bucket were the master credentials to a datacenter operating system (what exactly that is is not clear, but certainly not good). Also there were access credentials to the GEOAxIS authentication portal, a highly sensitive Pentagon system.
Also in the bucket were access credentials to another S3 bucket, but since this one had a password on it, Chris didn’t want to stretch his luck – and likely break the law by using those credentials he found to log in there. If a hacker had come across this bucket before Chris, the hacker’s ethics probably would not have prevented him from exploring this other password protected bucket. I am sure that everyone is trying to figure out who else -like the Russians – knew about this unprotected bucket.
Chris thinks this lines up with another Amazon bucket he found in April that had in it, among other things, an application security risk assessment listing 3,000+ security issues with a program’s source code.
One would think, password or no password, this stuff probably belongs in Amazon’s walled garden (the one with the snipers on the roof) called Gov Cloud. Gov Cloud is designed to be more difficult for snoopers like Chris to find because you and I can’t even get through the front door, never mind wander around aimlessly. But, this stuff was not there.
Finding this stuff and thinking this is not good, Chris emailed Booz’s Chief Information Security Officer. For 24 hours he did not receive a response.
So, Chris went nuclear. He reached out to the National Geospacial-Intelligence Agency directly. NINE MINUTES LATER, the bucket was secured. That’s got to be a record. This was on a Thursday.
On Friday, a government agency that asked not to be named (but, of course, is likely one of the three letter agencies) reached out to Chris’s employer, Upguard, and asked them to preserve all evidence, which I am sure they will do.
After the article was published, Booz issued a statement saying that no classified data was stored in this unprotected, not-approved-to-store-anything-classified Amazon cloud (that’s encouraging). They said that they took action to secure it as soon as they learned about it and that may be true, even though Booz did not seem to do anything with Chris’s email until he contacted the NGA.
Likely, especially compared to Ed Snowden and Hal Martin, this is small change, but still, it is embarrassing.
If Booz had privately discovered it and told the gov, it probably would have been chalked up to the mistake that it was, but because they were publicly called out – both Booz and NGA – the investigation will likely go deeper and take longer.
The government does reserve the right to spank contractors who breach security, but that spanking, if it does occur, will likely occur in private.
But besides it being embarrassing to Booz and their customer, it should be a wake-up call for all companies.
Here’s why. Can you say with any certainty exactly what data of yours lives somewhere in the cloud – maybe on an employee’s personal cloud account like personal Dropbox? Possibly without a password. Possibly without any permission or approval.
If you are a company larger than a dozen people and you answer that you do have certainty, I suggest that you are fooling yourself. Those with less than a dozen employees – still not clear.
If you don’t have a process for managing your company owned cloud services, you, too, could be in the same boat that Booz was – publicly publishing stuff that should not be public, but not knowing it.
That is a task that is not easy to deal with but if you manage sensitive data – whether that data belongs to you or a client of yours, it is important to know the answer. We see WAY too many incidents of companies accidentally exposing data that they did not mean to expose.
Information for this post came from Gizmodo.