US defense contractor Booz Allen stored sensitive intelligence data in an Amazon S3 bucket without securing it with so much as a password.

About 28GB of sensitive US intelligence data was discovered in a publicly accessible Amazon Web Services S3 storage bucket. The cache, containing over 60,000 files, was linked to defense and intelligence contractor Booz Allen Hamilton, which was working on a project for the US National Geospatial-Intelligence Agency (NGA). NGA provides satellite and drone surveillance imagery for the Department of Defense and the US intelligence community.

The unsecured data was discovered by Chris Vickery, who now works as a cyber risk analyst for the security firm UpGuard. According to UpGuard, the “information that would ordinarily require a Top Secret-level security clearance from the DoD was accessible to anyone looking in the right place; no hacking was required to gain credentials needed for potentially accessing materials of a high classification level.”

Unprotected by even a password (S3 has no passwords as such; the bucket simply permitted anonymous, unauthenticated access), the plaintext information in the publicly exposed S3 bucket included what appear to be the Secure Shell (SSH) keys of a BAH engineer, as well as credentials granting administrative access to at least one data center’s operating system. Both Booz Allen and NGA claim the storage was not connected to classified networks.
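The failure described above is a bucket that anyone on the internet can list and read. The Python below is an example added to this page, not UpGuard’s, Gizmodo’s or AWS’s own tooling; it shows how to decide from a bucket’s own metadata (its policy, its ACL and its Block Public Access settings, in the shapes the S3 API returns them) whether the bucket is world-readable, and why a hardened configuration is not. The bucket name, account ID, role name and canonical user ID in the sample documents are constructed placeholders, and Block Public Access itself is a control AWS added in 2018, after this incident.

```python
"""Added example: classify an S3 bucket as public or not from its policy, ACL and
Block Public Access configuration. Sample documents are constructed; the bucket
name, account ID, role name and canonical ID below are placeholders."""
import fnmatch

# Grantee URIs for the two S3 "global" groups. AllUsers means no credentials at all;
# AuthenticatedUsers means any AWS account in the world, which is just as public.
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
# The two actions that let an outsider enumerate and download a bucket's contents.
SENSITIVE_ACTIONS = ("s3:GetObject", "s3:ListBucket")


def _as_list(value):
    """IAM JSON allows a single string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _principal_is_everyone(principal):
    """True for Principal "*" or {"AWS": "*"}: the anonymous/world principal."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def policy_public_actions(policy):
    """Sensitive actions granted to everyone by an unconditioned Allow statement.
    Action names match case-insensitively and may be wildcards ("s3:*", "s3:Get*").
    Statements with a Condition block are skipped: a VPC-endpoint or source-IP
    condition keeps the grant private, others do not, so those need a human reader."""
    public = set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue
        if not _principal_is_everyone(stmt.get("Principal")):
            continue
        for pattern in _as_list(stmt.get("Action", [])):
            for action in SENSITIVE_ACTIONS:
                if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                    public.add(action)
    return public


def acl_public_grants(acl):
    """(group URI, permission) pairs the bucket ACL hands to the public groups."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUP_URIS:
            found.append((grantee["URI"], grant.get("Permission")))
    return found


def assess_bucket(policy, acl, public_access_block):
    """Combine the three sources into a list of findings (empty means not public).
    IgnorePublicAcls neutralises an existing public ACL and RestrictPublicBuckets
    neutralises an existing public policy. BlockPublicAcls and BlockPublicPolicy only
    stop *new* public grants being written, so they do not help a bucket that is
    already public and are not consulted here."""
    pab = public_access_block or {}
    findings = []
    actions = policy_public_actions(policy or {})
    if actions and not pab.get("RestrictPublicBuckets", False):
        findings.append("bucket policy grants %s to everyone" % ", ".join(sorted(actions)))
    if not pab.get("IgnorePublicAcls", False):
        for uri, perm in acl_public_grants(acl or {}):
            findings.append("ACL grants %s to %s" % (perm, uri.rsplit("/", 1)[-1]))
    return findings


# Constructed sample 1: the shape of the misconfiguration reported above.
EXPOSED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
    }],
}
EXPOSED_ACL = {"Grants": [{
    "Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
    "Permission": "READ",
}]}
NO_PAB = dict.fromkeys(
    ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets"), False)

# Constructed sample 2: the same bucket locked to one (made-up) role, Block Public Access on.
LOCKED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PipelineRoleOnly", "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/example-ingest-role"},
        "Action": "s3:*",
        "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
    }],
}
LOCKED_ACL = {"Grants": [{
    "Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-CANONICAL-ID"},
    "Permission": "FULL_CONTROL",
}]}
FULL_PAB = dict.fromkeys(NO_PAB, True)

if __name__ == "__main__":
    for name, args in (("exposed", (EXPOSED_POLICY, EXPOSED_ACL, NO_PAB)),
                       ("locked", (LOCKED_POLICY, LOCKED_ACL, FULL_PAB))):
        print(name, assess_bucket(*args) or ["no public access found"])
```

Run against real buckets by feeding it the dictionaries returned by boto3’s `get_bucket_policy` (after `json.loads` of the `Policy` string), `get_bucket_acl` and `get_public_access_block`. Two caveats worth keeping in mind: a statement with a Condition is reported as not public here and needs manual review, and object-level ACLs can make individual keys public even when the bucket ACL is clean, so a complete audit also walks the objects.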
NGA told Gizmodo it is still evaluating the incident to decide upon the right course of action, but added, “It’s important to note that a misconfiguration, properly reported and addressed, does not disqualify industry partners from doing business with NGA.” That doesn’t mean the agency will let it slide either, as it “reserves the right to ‘address any violations or patterns of non-compliance appropriately’.”

Booz Allen, which is no stranger to security blunders (the documents pilfered by Edward Snowden and Hal Martin, as well as being pwned by Anonymous/AntiSec hackers), failed to respond when Vickery emailed the firm’s CISO about the exposure on May 24. When Vickery emailed the NGA on the morning of May 25, however, the NGA cut off access to the exposed data within nine minutes. Booz Allen finally got around to acknowledging the breach notification that evening, almost seven hours after the NGA had secured the repository. “NGA takes the potential disclosure of sensitive but unclassified information seriously and immediately revoked the affected credentials,” an agency spokesperson said.

Booz Allen, which is also investigating the security snafu and “takes any allegation of a data breach very seriously,” told Gizmodo, “We secured those keys, and are continuing with a detailed forensic investigation. As of now, we have found no evidence that any classified information has been compromised as a result of this matter.”

Yet Gizmodo noted that the Booz Allen bucket also “contained master credentials to a datacenter operating system—and others used to access the GEOAxIS authentication portal, a protected Pentagon system that usually requires an ID card and special computer to use. Yet another file contained the login credentials of a separate Amazon bucket, the contents of which remain a mystery; there’s no way to verify the contents legally since the bucket is secured by a password, and thus not open to the public.”

The AWS bucket was reportedly also tied to Metronome, another known NGA contractor. UpGuard found Google search results for the defense contractor’s site advertising Viagra and Cialis, the kind of injected SEO spam that usually means the site was compromised at some point. “Unless a defense contractor tasked with assisting in geospatial intelligence operations chose to voluntarily poison their own website with ads for erectile dysfunction pills, this is a troubling omen,” UpGuard said.

As UpGuard pointed out:

Vendor risk is as real as any internal risk, if the vendor is relied upon in any serious way. While it is not every day that such a risk might affect questions about international stability in East Asia, or warfare in the Middle East, the lessons of such failings of cyber resilience are relevant to any IT operation.