“Cyber resilience” company UpGuard claims to have found a publicly-accessible AWS S3 bucket full of classified US intelligence data.
The company's Dan O'Sullivan says colleague Chris Vickery found an “unsecured Amazon Web Services 'S3' bucket” and that the firm's “Analysis of the exposed information suggests the overall project is related to the US National Geospatial-Intelligence Agency (NGA), a combat support and intelligence agency housed within the Department of Defense (DoD).”
O'Sullivan's post says “information that would ordinarily require a Top Secret-level security clearance from the DoD was accessible to anyone looking in the right place; no hacking was required to gain credentials needed for potentially accessing materials of a high classification level.”
The post says “domain registrations and credentials within the data set point to private-sector defense firm Booz Allen Hamilton (BAH), as well as industry peer Metronome” as the likely renters of the bucket. O'Sullivan goes on to explain that UpGuard contacted BAH on May 24th, received no response, and on the 25th approached the NGA directly.
Nine minutes after that second approach the bucket was secured. BAH got in touch later that day and “made no apparent indication they were aware that the exposure had already been plugged — itself a noteworthy event.”
UpGuard makes the point that configuration errors are as likely to cause security breaches as determined efforts by criminals, and that this incident shows that any organisation's security is only as good as its suppliers'. Neither of which will be news to Reg readers. Nor, sadly, will be the fact that even organisations that should know better, like defense contractors, can make stupid errors.
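The exposure UpGuard describes, a bucket readable by “anyone looking in the right place”, is the kind of configuration error that can be caught mechanically. What follows is an added example, not code from UpGuard, Booz Allen Hamilton or The Register: a small Python audit that evaluates the two S3 documents an operator can pull with `aws s3api get-bucket-acl` and `aws s3api get-bucket-policy`, flagging ACL grants to the AllUsers or AuthenticatedUsers groups and bucket-policy Allow statements with a wildcard principal. The ACL and policy embedded below are constructed for illustration; the bucket name, owner ID and IP range in them are placeholders.

```python
"""Audit S3 bucket ACLs and bucket policies for anonymous access.

Added example, not the code of any party named in the article. It works on
the JSON shapes returned by `aws s3api get-bucket-acl` and
`aws s3api get-bucket-policy`; the sample documents below are constructed.
"""
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS, AUTH_USERS}


def public_acl_grants(acl):
    """Return (grantee_uri, permission) for every grant to a public group.

    `acl` is the dict returned by get-bucket-acl. AllUsers means anonymous;
    AuthenticatedUsers means any AWS account at all, which is still public.
    """
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            found.append((grantee["URI"], grant.get("Permission")))
    return found


def _principal_is_wildcard(principal):
    """True for Principal "*" or {"AWS": "*"} (also inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        if aws == "*":
            return True
        if isinstance(aws, list) and "*" in aws:
            return True
    return False


def public_policy_statements(policy):
    """Return (unconditional, conditional) Sids of wildcard Allow statements.

    An Allow with Principal "*" and no Condition grants its actions to
    anonymous callers. A wildcard Allow that carries a Condition (for
    example aws:SourceIp) may be restricted, so it is reported for review
    rather than as an open grant.
    """
    unconditional, conditional = [], []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_wildcard(stmt.get("Principal")):
            continue
        label = stmt.get("Sid", f"statement[{i}]")
        (conditional if stmt.get("Condition") else unconditional).append(label)
    return unconditional, conditional


# Constructed sample ACL: READ granted to everyone on the internet.
SAMPLE_ACL = json.loads("""{
  "Owner": {"ID": "exampleownerid"},
  "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "exampleownerid"},
     "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group",
                 "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"}
  ]
}""")

# Constructed sample policy: one unconditional public read, one wildcard
# grant limited by a source-IP condition, and a Deny that is not a grant.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "OfficeOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-bucket",
     "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}},
    {"Sid": "DenyHttp", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}
  ]
}""")

if __name__ == "__main__":
    for uri, perm in public_acl_grants(SAMPLE_ACL):
        print(f"ACL: {perm} granted to {uri}")
    open_sids, review_sids = public_policy_statements(SAMPLE_POLICY)
    print("policy statements open to everyone:", open_sids)
    print("wildcard statements with a Condition (review):", review_sids)
```

Two practical notes when running this against real buckets: `get-bucket-policy` returns `{"Policy": "<json string>"}`, so the string under `Policy` has to be `json.loads`-ed before it is passed to `public_policy_statements`, and a bucket with no policy at all makes that call fail with `NoSuchBucketPolicy`, which is the safe case, not an error. Object-level ACLs can also make individual objects public even when the bucket ACL and policy are clean, so a thorough audit walks objects too.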
At the time of writing, BAH and the NGA both appear not to have made any public comment on the mess. ®