A defense contractor has secured an Amazon S3 bucket containing sensitive intelligence data after accidentally leaving it publicly exposed.
On 22 May 2017, security analyst Chris Vickery came across an exposed file repository. The owner of the unsecured Amazon S3 bucket remains unclear. But domain registrations and credentials point to Booz Allen Hamilton (BAH) and Metronome, two U.S. defense companies. Both are known contractors with the U.S. National Geospatial-Intelligence Agency (NGA), a combat support agency in the Department of Defense (DoD) for which the file registry appears to have been created.
Dan O’Sullivan, an analyst at UpGuard, elaborates in a blog post on what Vickery found:
“In short, information that would ordinarily require a Top Secret-level security clearance from the DoD was accessible to anyone looking in the right place; no hacking was required to gain credentials needed for potentially accessing materials of a high classification level. Unprotected by even a password, the plaintext information in the publicly exposed Amazon S3 bucket contained what appear to be the Secure Shell (SSH) keys of a BAH engineer, as well as credentials granting administrative access to at least one data center’s operating system.”
To set the record straight, a Booz Allen Hamilton spokesperson contacted Ars Technica and clarified that the repository didn’t link to any classified systems. Even so, an attacker could have abused the SSH keys and credentials to gain access to sensitive information stored by the defense contractor.
Two days after making his discovery, Vickery sent an email to the CISO at Booz Allen Hamilton notifying them of the issue. At 10:33 PT on 25 May, he contacted NGA. He then found someone had secured the file repository just nine minutes later.
At this time, it’s unclear what exposed the S3 bucket. Sure, it could have been a vulnerability or an insider attack. But it also could have been a misconfiguration or a mistake.
With that said, others in the defense community should learn from this incident by reviewing any and all of their file repositories, securing them with at least a password, and using identity and access management to detect unknown logins. If one of them detects a potential exposure, we can only hope they’ll emulate the example of NGA and BAH by rectifying the issue quickly.
For more discussion on this security incident, check out this episode of the “Smashing Security” podcast: