
NSA data leak exposed Army INSCOM project information

Yet another publicly accessible cloud storage bucket exposed government data; this time it was an NSA data leak that included information on an Army intelligence project.

Not to be outdone by the Pentagon or the Republican National Committee, the National Security Agency and Army have also exposed sensitive data in unsecured cloud storage.

Chris Vickery, director of cyber risk research at UpGuard, found the NSA data leak on a publicly accessible Amazon Web Services (AWS) S3 bucket on Sept. 27. The NSA data leak was on an AWS domain labeled "INSCOM," which is the acronym for the U.S. Army Intelligence and Security Command -- a joint project between the Army and NSA tasked with gathering intelligence for U.S. military and political leaders.

According to Dan O'Sullivan, cyber resilience analyst at UpGuard, Vickery found files in the NSA data leak explicitly labeled as classified.

"The properties of files revealed in this hard drive contain areas and technical configurations clearly marked as 'Top Secret,' as well as the additional intelligence classification of 'NOFORN,' [no foreign nationals] a stipulation which means the data is so sensitive, it cannot even be shared with foreign allies," O'Sullivan wrote in a blog post. "Also exposed within are private keys used for accessing distributed intelligence systems, belonging to Invertix administrators, as well as hashed passwords which, if still valid and cracked, could be used to further access internal systems."

UpGuard said the files in the NSA data leak appeared "to be of use for receiving, transmitting, and handling classified data" and included files related to "Red Disk," a failed Defense Department cloud intelligence platform.

In addition to INSCOM, ZDNet reported the exposed NSA data included information on a surveillance program known as Ragtime, which was designed to intercept and collect communications of foreign nationals. While four of Ragtime's components had been previously made public in a 2013 book titled Deep State: Inside the Government Secrecy Industry, the exposed AWS data included seven additional sub-programs, including one that appears to target U.S. citizens.

Vickery previously found exposed data in AWS buckets from the Department of Defense, DoD contractor Booz Allen Hamilton, the Republican National Committee, World Wrestling Entertainment, Verizon and Dow Jones & Co.

The NSA data leak was reported to the government in October and the cloud storage has since been secured. However, it is still unclear if a government agency or contractor was responsible for the misconfigured S3 bucket.

Reactions to the NSA data leak

Carl Wright, chief revenue officer of AttackIQ, said protection failures like this and others found by Vickery indicate that "these organizations are doing little to no testing to validate that existing security controls are working properly." 

"Over the past month we have seen a number of enterprise organizations fail because they inadvertently did not configure existing security controls properly," Wright told SearchSecurity. "The cost to validate your security controls is comparably infinitesimal compared to the cost of a data breach. It is a disturbing state of IT and security management when the attackers are routinely able to find protection failures before corporate or government security teams."

Jim Kennedy, vice president and general manager for the Americas at Certes Networks, said the NSA data leak is "yet another indicator of how current cyber security thinking is entirely out of sync with the broader changes in IT that have taken place over the last 20 years."

"The explosion of IT systems, networks, users, clouds and devices has caused the size of the typical enterprise's attack surface to expand exponentially. Fundamentally, managing security can no longer be about managing devices, applications and networks. It must instead be focused on understanding and rethinking trust," Kennedy told SearchSecurity. "The security industry as a whole must focus on making security easier to deploy and easier to manage. As this latest leak highlights, the typical security architecture is fragmented and splintered across IT silos, with different tools, different access policies, and different controls in the LAN, WAN, internet, mobile network, cloud, data center and elsewhere. This means setting up and managing consistent, uniform security policies across all of these silos is extremely hard."
