In the latest edition of “uh-oh, we left that just sitting out in the open,” a batch of NSA and Army files were discovered on a cloud storage server with no password protection, accessible to anyone with the URL. Chris Vickery of security firm UpGuard found the files on an unlisted Amazon Web Services S3 cloud storage server belonging to the United States Army Intelligence and Security Command (INSCOM), an intelligence gathering and security command that operates jointly out of the U.S. Army and the NSA.
Within the bucket of data, Vickery found 47 viewable files and three downloadable files, some of which contained information designated as “Top Secret” or “NOFORN,” a security term that stipulates that material should not be shared with foreign allies. As UpGuard’s report details, Vickery also found “a virtual hard drive used for communications within secure federal IT environments” and “details concerning the Defense Department’s battlefield intelligence platform” known as DCGS-A and information on Red Disk, “a troubled Defense Department cloud intelligence platform” that integrates into Red Disk. The breach also included private keys belonging to Invertix, a defense contractor that works with INSCOM. The files in question were stored on a subdomain labeled “INSCOM.”
“Although the UpGuard Cyber Risk Team has found and helped to secure multiple data exposures involving sensitive defense intelligence data, this is the first time that clearly classified information has been among the exposed data,” UpGuard notes.
This kind of misconfigured storage server is becoming a common cautionary tale in the security world lately. Earlier this year, the same researcher discovered a set of sensitive files belonging to defense contractor Booz Allen Hamilton left out on a similarly unsecured server. Of course, the issue isn’t that security firms are digging up these unprotected pockets of classified material, it’s that we have no way of knowing who else is.