Wednesday, May 31, 2017

Top Defense Contractor Left Sensitive Pentagon Files On Amazon Server With No Password 

Sensitive files tied to a US military project were leaked by a multi-billion dollar firm once described as the world’s most profitable spy operation, Gizmodo has confirmed.

A cache of more than 60,000 files were discovered last week on a publicly accessible Amazon server, including passwords to a US government system containing sensitive information, and the security credentials of a lead senior engineer at Booz Allen Hamilton, one of the nation’s top intelligence and defense contractors. What’s more, the roughly 28GB of data contained at least a half dozen unencrypted passwords belonging to government contractors with Top Secret Facility Clearance.

The exposed credentials could potentially grant their holders further access to repositories housing similarly sensitive government data.

Countless references are made in the leaked files to the US National Geospatial-Intelligence Agency (NGA), which in March awarded Booz Allen an $86 million defense contract (around £66.8m). Often referred to as the Pentagon’s “mapmakers,” the combat support agency works alongside the Central Intelligence Agency, the National Reconnaissance Office, and the Defense Intelligence Agency to collect and analyse geospatial data gathered by spy satellites and aerial drones.

The NGA on Tuesday confirmed the leak to Gizmodo while stressing that no classified information had been disclosed. “NGA takes the potential disclosure of sensitive but unclassified information seriously and immediately revoked the affected credentials,” an agency spokesperson said. The Amazon server from which the data was leaked was “not directly connected to classified networks,” the spokesperson noted.

Some of the passwords are encrypted using a hash protocol that’s difficult but not impossible to crack. (UpGuard)

UpGuard cyber risk analyst Chris Vickery discovered the Booz Allen server last week while at his Santa Rosa home running a scan for publicly accessible S3 buckets (what Amazon calls its cloud storage devices). At first there was no reason to suspect it contained sensitive military data. Typically, US government servers hosted by Amazon are segregated into what’s called the GovCloud — a “gated community” protected by advanced cryptography and physical security. Instead, the Booz Allen bucket was found in region “US-East-1,” chiefly comprised of public and commercial data.

Yet the files bore some hallmarks of a government project. First, Vickery spotted the public and private SSH keys of a Booz Allen employee, identified by his LinkedIn page as a lead senior engineer in Virginia — also home to the NGA’s Fort Belvoir campus. “Exposing a private key belonging to a Booz Allen IT engineer is potentially catastrophic for malicious intrusion possibilities,” he said.

SSH keys employ what’s called public-key cryptography and challenge-response authentication. Essentially, Booz Allen stores sensitive data in the cloud, and before the engineer can access it, his private key must pair successfully with a public key on Booz Allen’s server. This protocol only really works, however, so long as the employee’s private key remains a secret.

The public and private SSH keys for a Booz Allen engineer were discovered in the dataset. (UpGuard)

“Booz Allen takes any allegation of a data breach very seriously, and promptly began an investigation into the accessibility of certain security keys in a cloud environment,” a Booz Allen spokesman told Gizmodo on Tuesday. “We secured those keys, and are continuing with a detailed forensic investigation. As of now, we have found no evidence that any classified information has been compromised as a result of this matter.”

Mark Zaid, a Washington lawyer who specialises in national security cases, said the incident is likely to dredge up bad memories of the company. “The first thing that jumps to mind,” he said, is “Oh, no. It’s Booz Allen again.”

Zaid was referring to Edward Snowden, the former NSA contractor who worked for Booz Allen when he fled to Hong Kong in 2013 with a trove of classified material. Another of the firm’s employees, Harold Martin III, was arrested last year and charged under the Espionage Act after federal agents discovered over 50 terabytes of classified data in his residence, the trunk of his car and in an unlocked outdoor shed.

“Obviously, Booz Allen is a large company and a well-respected defense contractor,” Zaid added. “And none of these cases are necessarily related to one another. But it still raises some real serious concerns about what’s going on with Booz Allen’s security protocols.”

In addition to keys, the Booz Allen server contained master credentials to a datacenter operating system — and others used to access the GEOAxIS authentication portal, a protected Pentagon system that usually requires an ID card and special computer to use. Yet another file contained the login credentials of a separate Amazon bucket, the contents of which remain a mystery; there’s no way to verify the contents legally since the bucket is secured by a password, and thus not open to the public.

Moreover, a categorisation script found in one of the Booz Allen files indicates the system under construction is at least designed to handle classified information. And while Vickery didn’t realise its significance at the time, the leaked files also appear connected to a third server he found open last month.

In April, he discovered an Amazon bucket with no password containing a review of what he now believes is the same NGA system. An “application security risk assessment,” carried out using HP software called Fortify, detailed 3039 issues within the program’s source code (only 7 were described as critical). “I’m reading the report,” he says, “and the code snippets line up with code from the second bucket.”

The mission of UpGuard’s Cyber Risk Team is to locate and secure leaked sensitive records, so Vickery’s first email on Wednesday was to Joe Mahaffee, Booz Allen’s chief information security officer. But after receiving no immediate response, he went directly to the agency. “I emailed the NGA at 10:33am on Thursday. Public access to the leak was cut off nine minutes later,” he said.

A reference to classified material from a leaked configuration file. (UpGuard)

“You can have fantastic cybersecurity, but if you’re using IT systems to share information with a partner whose cybersecurity isn’t up to snuff, then your protection measures don’t mean very much,” says Paulo Shakarian, a cybersecurity fellow at the Washington think-tank New America. The big unresolved question, he says, is whether Booz Allen had proper security protocols in place for its contractors working on the NGA project. “And likewise, what has NGA done to ensure that the proper protective measures were in place.”

NGA informed Gizmodo that it was still evaluating the incident and had yet to determine a proper course of action. “It’s important to note that a misconfiguration, properly reported and addressed, does not disqualify industry partners from doing business with NGA,” the agency said, adding that it reserves the right to “address any violations or patterns of non-compliance appropriately.”

On Friday, UpGuard was contacted by a government agency and asked to preserve all of its records related to Vickery’s find. The company said it is abiding by a request not to reveal the agency’s name at this time.

[UpGuard Cyber Risk Team]
