Security company finds unsecured bucket of US military images on AWS

You're only as secure as your suppliers and some military contractors look to be well leaky


“Cyber resilience” company UpGuard claims to have found a publicly-accessible AWS S3 bucket full of classified US intelligence data.

The company's Dan O'Sullivan says colleague Chris Vickery found an “unsecured Amazon Web Services 'S3' bucket” and that the firm's “Analysis of the exposed information suggests the overall project is related to the US National Geospatial-Intelligence Agency (NGA), a combat support and intelligence agency housed within the Department of Defense (DoD).”

O'Sullivan's post says “information that would ordinarily require a Top Secret-level security clearance from the DoD was accessible to anyone looking in the right place; no hacking was required to gain credentials needed for potentially accessing materials of a high classification level.”

The post says “domain registrations and credentials within the data set point to private-sector defense firm Booz Allen Hamilton (BAH), as well as industry peer Metronome” as the likely renters of the bucket. O'Sullivan goes on to explain that UpGuard contacted BAH on May 24th, received no response, and on the 25th approached the NGA directly.

Nine minutes after that second approach the bucket was secured. BAH got in touch later that day and “made no apparent indication they were aware that the exposure had already been plugged — itself a noteworthy event.”

UpGuard makes the point that configuration errors are as likely to cause security breaches as determined efforts by criminals, and that this incident shows that any organisation's security is only as good as its suppliers'. Neither of which will be news to Reg readers. Nor, sadly, will be the fact that even organisations that should know better, like defense contractors, can make stupid errors.

At the time of writing, BAH and the NGA both appear not to have made any public comment on the mess. ®
