Top Defense Contractor Left Sensitive Pentagon Files on Amazon Server With No Password (gizmodo.com) 88
Sensitive files linked to the National Geospatial-Intelligence Agency -- which works with the nation's intelligence agencies to analyze aerial data -- were apparently left on a public Amazon server by an employee of Booz Allen Hamilton, one of the nation's top defense contractors, reports Gizmodo. From the article: A cache of more than 60,000 files was discovered last week on a publicly accessible Amazon server, including passwords to a US government system containing sensitive information, and the security credentials of a lead senior engineer at Booz Allen Hamilton. What's more, the roughly 28GB of data contained at least a half dozen unencrypted passwords belonging to government contractors with Top Secret Facility Clearance. The exposed credentials could potentially grant their holders further access to repositories housing similarly sensitive government data. Countless references are made in the leaked files to the US National Geospatial-Intelligence Agency (NGA), which in March awarded Booz Allen an $86 million defense contract. Often referred to as the Pentagon's "mapmakers," the combat support agency works alongside the Central Intelligence Agency, the National Reconnaissance Office, and the Defense Intelligence Agency to collect and analyze geospatial data gathered by spy satellites and aerial drones. The NGA on Tuesday confirmed the leak to Gizmodo while stressing that no classified information had been disclosed.
An accident? (Score:5, Interesting)
> . . . an employee of Booz Allen Hamilton
Isn't that the company Snowden worked for?
Re: (Score:3)
Re: An accident? (Score:1)
FORMER top defense contractor.
-FTFY
Re: (Score:1)
Incompetently secured is incompetently secured. Her server wasn't 'half pregnant'.
Re: (Score:2)
Re: (Score:3)
Either that, or it was a case of too much Booze, not enough Allen Hamilton. Never attribute to malice what can be explained by drunken carelessness?
Re: (Score:2)
Re:An accident? (Score:4, Informative)
Accidentally, on porpoise?
I had the exact same thought. Let's see if any action at all is taken against this engineer.
> . . . an employee of Booz Allen Hamilton
Isn't that the company Snowden worked for?
Yes.
Re: (Score:3)
What the hell is a "porpoise"?
Re:An accident? (Score:5, Funny)
A porpoise is a fully aquatic marine mammal of the family Phocoenidae, but that is not important right now.
Re: (Score:3)
A better question is: what is a 'covfefe'?
I don't think it is something you grab someone by.
Re: (Score:2)
> What the hell is a "porpoise"?
A better question is: what is a 'covfefe'?
I don't think it is something you grab someone by.
Isn't it a drink to keep you from falling asleep while tweeting?
Re: (Score:2)
Maybe covfefe is a Russian code word that when used on Twitter is intended to trigger some action, such as Putin hinting that Russian private citizens might have had some involvement in influencing US elections.
I can think up crazy insane theories just well as the alt-right nutjobs. Maybe better.
Re: (Score:2)
https://en.wikipedia.org/wiki/Porpoise [wikipedia.org]
It's close to pedantic in the dictionary.
Re: (Score:2)
Re: (Score:2)
If the US gov offers bids to contractors thats full employment in the private sector been paid for by the US tax payer.
The costs allow US political leadership can cling to its "private" sector policy.
With private sector workers all looking at the same US product and US data sets, everything is kept in plain text too. So all the contractors can bid and work with gov/mil data.
If the US gov encrypts its own data then
Re: (Score:2)
It is a good question. Often when "classified material" becomes public knowledge, say by being declassified, it becomes blatantly obvious that there was never any valid reason to classify it. But there really *are* significant secrets that actually shouldn't be revealed. However I don't include internal political advantage as a valid reason.
Re:Accident (Score:4, Informative)
> The NGA on Tuesday confirmed the leak to Gizmodo while stressing
> that no classified information had been disclosed.
So no harm, no foul fowl.
> “NGA takes the potential disclosure of sensitive but unclassified information
> seriously and immediately revoked the affected credentials,”
> an agency spokesperson said.
I feel safer already. They closed the barn door after it came to their attention that the horse had escaped.
> The Amazon server from which the data was leaked was “not directly
> connected to classified networks,” the spokesperson noted.
That makes me wonder how the information got there then. It must have been some really strange kind of unintentional accident if there is no possible connection between the networks.
> Typically, US government servers hosted by Amazon are segregated into
> what’s called the GovCloud—a “gated community” protected by advanced
> cryptography and physical security. Instead, the Booz Allen bucket was found
> in region “US-East-1,” chiefly comprised of public and commercial data.
So however these 60,000 files weighing in at 28 GB, and "contain[ing] at least a half dozen unencrypted passwords belonging to government contractors with Top Secret Facility Clearance", must have gotten there through some amazing series of unintentional accidents.
Will wonders ever cease?
Re:Accident (Score:4, Informative)
> The Amazon server from which the data was leaked was “not directly
> connected to classified networks,” the spokesperson noted.
That makes me wonder how the information got there then. It must have been some really strange kind of unintentional accident if there is no possible connection between the networks.
I don't understand the confusion. The Amazon server was never connected to a classified network and no classified information was leaked. It would be a really strange accident if data had migrated off of a classified network. That didn't happen.
Re: (Score:1)
So no harm, no foul fowl.
Stop trying to make this about fauna you animal!
Suitable Punishment (Score:5, Insightful)
Re:Suitable Punishment (Score:4, Insightful)
Re: (Score:2)
Sir, what you suggest might negatively affect the economies of several congressional districts.
Booz Allen is all over the place. I count 71 offices in 28 states (I counted quickly; I could be a bit off). Most of the stuff that applies to the Pentagon are going to naturally be in their DC, Maryland, and Virginia locations, I suspect. But there are sure to be a lot of wheels for them to grease nonetheless.
Re: (Score:3)
> once described as the world’s most profitable spy operation, Gizmodo has confirmed.
I think that should indicate it won't happen.
Re: (Score:2)
Refuse to allow Booz any new government contracts for their incompetence. (Won't happen)
Good call, then only the companies whose stupid actions haven't been caught yet will get all the contracts. You probably think this is an exceptional level of incompetence, but it is not. Enumerating unsecured, exposed and supposedly temporary dev systems is a very common and lucrative way to collect bug bounties.
Re: (Score:2)
Actually, if a company is flagged with a sufficient number* of security violations, the US.gov will drop current contracts and refuse to issue new ones that require access to classified data.
* The definition of a "sufficient number" is probably extremely flexible.
Re: (Score:2)
That number for a contractor with as much influence as Booz Allen Hamilton being approximately one googleplex.
Re: (Score:2)
Re: (Score:2)
When I held a clearance (thank the FSM I don't anymore), it was drilled into us.
Re: (Score:2)
When I held a clearance (thank the FSM I don't anymore), it was drilled into us.
That's interesting to read but not anything like an answer.
Has anyone else heard of a case where the threat was followed through on? All I keep hearing about is fuckups of this type that get ignored when contracts are renewed. I've seen a few myself and fruitlessly argued to ditch the contractor but not in a security situation.
Re: (Score:2)
No problem. Strangely work that would have gone their way is now instead going to a new corporate entity named AllenBooz which is totally separate and not at all connected.
Mapmaker mapmaker (Score:2)
Re: (Score:2)
. . . . and in the darkness bind them...LOTR
Re:Doesn't matter (Score:4, Insightful)
hillary defense (Score:1, Troll)
let's see how well the hillary defense holds up on this one.
Re: (Score:3)
The Hillary defense goes something like this: . . . . bu, bu, but Hillary's email servers! And Hillary this, and Obama that and Hillary something else! What about those? It's so unfair!
Re:hillary defense (Score:5, Interesting)
The actual Hillary defense would hold up quite well, and always will: you have more dirt on everyone important involved in the process than what you're accused of. Hard to pull off if you weren't recently married to someone with access to the classified dossiers of every congresscritter and senior bureaucrat, however.
Heck, the only reason Obama was able to take the primary was that he came out of nowhere, so the Clintons didn't have any dirt on him.
It is intentional. (Score:2)
Re: (Score:3)
Intent does not bring people back to life after collision with drunk driver.
Intent is not going to undo the results that will follow from putting a clown circus in power.
The road to somewhere is paved with good intentions.
WTF? (Score:5, Insightful)
Why do documents with plain-text user credentials exist ANYWHERE, for ANY REASON in the first place? Is the government (or at least the NGA) really that completely incompetent? This is shocking! I don't care that it was leaked. We need to assume that is ALWAYS going to happen. I care that such documents were ever created in the first place.
Re: (Score:2)
Re: (Score:2)
Because average people cannot cope with passwords. They just can't.
Then train them to be better than average.
Re: (Score:1)
First you have to understand that the large majority of Booz employees are ex/retired military officers. These are the types that feel that rules should apply to everyone but themselves. But it is okay because they all were a tie and that makes them Professionals.
Intentionally left (Score:2)
Idiotic contractors
Idiotic employers
Any blend of the above
So... (Score:4, Insightful)
...quick question: did this numbskull ACTUALLY GET FIRED?
Because what I'm finding in our firm's dealing with government and contractors is that very, very few people are ever *actually* held accountable for fuckups.
And I'm talking about people from congresscritters and senior presidential staff on down.
Re: (Score:3)
Re: (Score:2)
> ..quick question: did this numbskull ACTUALLY GET FIRED?
Short answer: If it could have any potential to affect their ability to bid on contracts, your ass will be out the door before you realize what you did.
Well, well . . . (Score:2)
An unintentional act of treason . . .
How was it found?? (Score:1)
Was someone just typing in random url's or ip addresses with random sub-directories and .... surprise??
Re: (Score:2)
That's my weekend hobby, you insensitive clod!
So where's the torrent? (Score:1)