Security company finds unsecured bucket of US military images on AWS

“Cyber resilience” company UpGuard claims to have found a publicly-accessible AWS S3 bucket full of classified US intelligence data. The company's Dan O'Sullivan says colleague Chris Vickery found an “unsecured Amazon Web Services 'S3' bucket” and that the firm's “Analysis of the exposed information suggests the overall …

  1. Anonymous Coward
    Anonymous Coward

    I'd imagine...

    There's a ton of unsecured data on AWS. It's a platform that has so many options and services that it can be very difficult to lock down.

    Amazon needs to simplify their platform a little I think.

    1. Anonymous Coward
      Anonymous Coward

      @AC

      "Amazon needs to simplify their platform a little I think."

      Have to disagree there. If you're using a certain product which is also publicly accessible then you need to ensure that you know what you're doing. I can understand that things can become confusing at some point, but it's not really an impossible task.

      This is of course assuming that all of this actually happened.

      1. Anonymous Coward
        Anonymous Coward

        Re: @AC

        Hmm pretty certain I said "can be very difficult" but I can see how that might be read as "impossible".

        Yes policy management etc is far from impossible but the larger and more sprawling an AWS solution becomes the more of an administrative effort it becomes to manage it.

        Whenever anything in the world of tech tries to do or provide too much you get into trouble.

        Take systemd for example. People joke that it will have a word processor built in one day because of its sprawling feature set.

        AWS is no different, it's a massive sprawl of different services, packages, products and subscriptions.

        I find it unsurprising that with something as wide-ranging in scope as AWS, shit slips through the net.

        Especially if the hosted infrastructure was developed by a military organisation. I don't know about the US military but the MoD has a horrible habit of overengineering things and creating needless amounts of pointless work.

    2. macjules

      Re: I'd imagine...

      It is not very hard to lock down, you simply need to know how to create a bucket policy. There is even an AWS Policy Generator to help you do this, something that BAH might want to read up on.

      1. big_D
        Paris Hilton

        Re: I'd imagine...

        Too much Booz(e) and too little professional conduct?

        Tell me again, why putting sensitive information in the cloud is a good idea?

        1. Baldrickk

          Re: I'd imagine...

          "Tell me again, why putting sensitive information in the cloud is a good idea?"

          A question I've struggled with since the cloud became "a thing".

          1. jake Silver badge

            Re: I'd imagine...

            I haven't struggled with it at all. Clouds are a no-fly zone in these parts. Added complexity, more layers, out of my control ... tell me again why this is safer/more secure/a good idea?

        2. allthecoolshortnamesweretaken

          Re: Tell me again, why putting sensitive information in the cloud is a good idea?

          Because reasons. You'd need a Harvard MBA to understand.

          On a tangent: if we're talking military projects that Uncle Sam pays for, why can't a government agency like, say the NSA, provide secure cloud storage for the agencies and their contractors involved?

          1. Chairman of the Bored

            Re: Tell me again, why putting sensitive information in the cloud is a good idea?

            Allthecoolshortnamesweretaken,

            These days the NSA would probably just sub to Booz anyways. This company has some major clout; just ask Mr Snowden.... Oh, wait....

          2. Version 1.0 Silver badge

            Re: Tell me again, why putting sensitive information in the cloud is a good idea?

            "why can't a government agency like, say the NSA, provide secure cloud storage for the agencies and their contractors involved?"

            Because these days in the US it's all about outsourcing and subcontracting - if a government agency were to do this and these types of configuration errors were discovered then someone would have to resign. But if you sub-contract it nobody gets hurt and many people get rich. Just look at the fallout from Snowden - nothing happened at all but had he been a government employee heads would have rolled and the Republicans would be screaming for blood.

            1. Robert Helpmann??
              Childcatcher

              Re: Tell me again, why putting sensitive information in the cloud is a good idea?

              Configuration error my ass! I know the US DoD is shifting to public cloud services, but AFAIK classified data is not supposed to be stored there. There are isolated networks for that. There is no reason that TS data should be on AWS.

              More than anything else, though, I am happy I am not the one having to fill out the paperwork on this spillage. If the data simply being on the host machine(s) also constitutes spillage (which it should), then the systems that it is or was previously on will have to be quarantined. Given the nature of cloud services, that would be a... difficult and involved task.

          3. Uffish

            Re: Tell me again, why putting sensitive information in an NSA cloud is a good idea?

            Because an NSA provided cloud would not be the appropriate place for some Contractor to Contractor communications?

          4. Anonymous Coward
            Anonymous Coward

            Re: Tell me again, why putting sensitive information in the cloud is a good idea?

            I could tell you, but.....

        3. Anonymous Coward
          Anonymous Coward

          Re: I'd imagine...

          Could it be fake news?

        4. nilfs2
          FAIL

          Re: I'd imagine...

          Snowden stole documents from on-premises systems, similar scenario with Panama papers, Wikileaks and many more. It doesn't matter if the data is on a cloud or on the ground, if your security measures suck, you are fucked.

  2. jake Silver badge

    There's a hole in me bucket,

    dear ELIZA, dear ELIZA ...

    1. Stoneshop
      Trollface

      Re: There's a hole in me bucket,

      Please tell me more about the hole in your bucket.

  3. Anonymous Coward
    Anonymous Coward

    B****CKS

    Content should have been secured/encrypted regardless of the server platform used. The information, if classified, shouldn't be left in an open filing cabinet open to all. Maybe a defence contractor, but it's not at all clear whose side they are working for!

    Appears to be no configuration rather than a configuration mistake too.

    They would be better off using Dropbox by the sound of it - at least they don't have to give extra credentials to the NSA...

    1. 's water music

      Re: B****CKS

      The information, if classified, shouldn't be left in an open filing cabinet open to all.

      > cat /user/bah/secure/readme

      !!beware of the leopard!!

      simples. Tune in next week for chmod for fun and profit

    2. Version 1.0 Silver badge

      Re: B****CKS

      Military images? These wouldn't be naked marines by any chance?

      1. Anonymous Coward
        Anonymous Coward

        Re: B****CKS

        Whenever I smell Amazon, I think of Marines.

        That's the last sensation I had before I cracked up.

        The thick smell of Amazon.

        When I calmed down, they said they'd stored their files. Cheap. No encryption attached.

        Now whenever I think of Marines, I think of two things.

        Amazon and trouble.

        Bonus thumbs up to those that see the gag.

        *coat*

  4. Arachnoid
    Joke

    The trouble with Buckets

    Is they may get water,,,,,, er scorn poured on them

  5. Anonymous Coward
    Anonymous Coward

    Booz seems to have recurring security leak problems. . . .

    . . . How many have we heard about in the past few years ? At least two NSA leakers (including Snowden), I seem to recall several more that made the news in the past 5-6 years or so.

  6. FuzzyWuzzys
    Facepalm

    Get used to it

    With May in charge and her desire to abolish encryption, every day will be like this finding tons of interesting stuff that's not encrypted or secured by private companies!

  7. Anonymous South African Coward Silver badge

    Ai ja. Some people clearly don't understand cloud computing and think it is secure enough, and bung all their Most Sensitive Data (e.g. dick pics or titty pics) on any cloud storage - and think it is secure enough.

    Cloud storage means you put your Most Sensitive Data on a public server somewhere in the world, and you MUST take precautions to secure said data. It is not like a privately-owned server sitting in a known, secure location in your company's building, and to which access (physical as well as networked) is controlled.

    Expect more bloopers and more sensitive data leaks to occur.

  8. Tikimon
    Facepalm

    A caution on encrypted data in ye "cloud"

    Not exactly on topic, but related to comments here. We're using a clown, sorry, cloud offering for our business data storage. Let's agree for the moment to leave aside all other contentious issues of sense, reliability, and such, lol... Anyway, I had an encrypted file container stored there. It's my stash of personal junk - journal, etc.

    One day I decrypted the container and found the last six weeks of data GONE. As near as I can figure, here's what happened. Any changes made are saved within the file crypt. The crypt file itself never changes size, and apparently doesn't change "modified date" either. So for some reason, the off-site servers decided to overwrite my crypt file with an old copy which to it looked like the same file.

    SO BEWARE, if you're saving encrypted file containers in a "cloud" you might should make sure something about it looks different now and then.

    1. JLV

      Re: A caution on encrypted data in ye "cloud"

      +1 Same time-stamping issue applies to TrueCrypt and backup software. There's a config switch to enable timestamps.

  9. Anonymous Coward
    Anonymous Coward

    How was this not encrypted?

    One would hope that a requirement for ANY information to be sitting on a third party cloud provider's servers is military grade encryption. Even if the bucket was secured, Amazon employees would have access to it, as would anyone who hacked Amazon's security. If it is encrypted, then whether it is secured or not, hacked or not, it is kept safe.

    Hopefully the person(s) at BAH responsible for placing this data on Amazon are fired and banned from ever getting a security clearance again. Misconfiguration could be excused as everyone makes mistakes, but storing sensitive info on a public service unencrypted shouldn't be.

    1. Kiwi
      Holmes

      Re: How was this not encrypted?

      One would hope that a requirement for ANY information to be sitting on a third party cloud provider's servers is military grade encryption.

      I'd go one further - military and other such data should always be stored encrypted wherever.

      Cloud storage is perfectly fine so long as two conditions are met :

      1) Don't trust the cloud storage company

      and

      2) Don't trust the cloud storage company.

      To satisfy rule #1 make sure anything you "backup" or save to "the cloud" is encrypted. Also means if they have any googletastic conditions like "all your data are belong to us forever and we can sell it and shit" (IIRC LinkedIn (may they get sued out of existence ASAP!) and Flickr also have similar conditions - any photos you store on the latter you no longer own the rights to IIRC) - if a file is encrypted and only you have the key, google et al can't do much selling of it/making derivatives of it etc.

      To satisfy rule #2 make sure anything you "backup" or save to "the cloud" is NOT your only copy, ie use "the cloud" as a backup but treat it as one that could disappear at any moment (company fails, has a hardware failure, system/operator error wipes your data).

      Cloudyness has much to offer if used properly and treated like that friend you're sure is rather "light fingered"1 - have it around, but keep a good eye on it and make sure it can't mess with anything that truly matters.

      1 Or that friend who "knows lots about IT stuff" and thoroughly screws up your media centre by faffing around with things "to make it better". Or screws up your sound system, or turns your car into an under-performing turd (not a problem for Ford owners - they're already under-performing turds (your choice as to whether I mean the car or the owner)).

  10. John Smith 19 Gold badge
    Unhappy

    "Booz Allen Hamilton "

    Former employers of Mr Snowden.

    They do seem to have a few issues with their HR processes.

    1. EnviableOne

      Re: "Booz Allen Hamilton "

      Methinks their US.gov security contracts should all be reviewed and the entire organisation should be audited from top to bottom by the DoH/NSA/DoD and the rest of the alphabet. Will probably stop them getting any new contracts before the next millennium.
