When Upguard analyst Chris Vickery did his security sweep of Amazon’s Cloud server last week, he didn’t expect to find 60,000 military documents on it, along with information from an employee of Defense contractor Booz Allen. The files contained encrypted passwords connected to a US Military project at the US National Geospatial-Intelligence Agency (NGA). Those passwords would have allowed someone to obtain access to classified documents. But the Amazon file itself had NO password and was publicly accessible. The Amazon server allegedly was not connected to classified networks. But…
Based on domain-registration data tied to the servers linked to the S3 “bucket,” the data was apparently tied to Booz Allen and another contractor, Metronome. Also present in the data cache was a Booz Allen Hamilton engineer’s remote login (SSH) keys and login credentials for at least one system in the company’s data center.
[Update, 5:10 PM] UpGuard’s post suggested the data may have been classified at up to the Top Secret level. A Booz-Allen spokesperson told Ars that the data was not connected to classified systems. However, the credentials included in the store could have provided access to more sensitive data, including code repositories.
The information was uploaded by an IT analyst at Booz Allen, which is one of our top Defense Contractors. It should have been uploaded to a special GovCloud, which is a “gated community” that has specific encryption and security measures. Vickery didn’t realize at first what he was seeing, but then it became evident that something wasn’t right.
UpGuard cyber risk analyst Chris Vickery discovered the Booz Allen server last week while at his Santa Rosa home running a scan for publicly accessible s3 buckets (what Amazon calls its cloud storage devices). At first there was no reason to suspect it contained sensitive military data. Typically, US government servers hosted by Amazon are segregated into what’s called the GovCloud—a “gated community” protected by advanced cryptography and physical security. Instead, the Booz Allen bucket was found in region “US-East-1,” chiefly comprised of public and commercial data.
Yet the files bore some hallmarks of a government project. First, Vickery spotted the public and private SSH keys of a Booz Allen employee, identified by his LinkedIn page as a lead senior engineer in Virginia—also home to the NGA’s Fort Belvoir campus. “Exposing a private key belonging to a Booz Allen IT engineer is potentially catastrophic for malicious intrusion possibilities,” he said.
SSH keys employ what’s called public-key cryptography and challenge-response authentication. Essentially, Booz Allen stores sensitive data in the cloud, and before the engineer can access it, his private key must pair successfully with a public key on Booz Allen’s server. This protocol only really works, however, so long as the employee’s private key remains a secret.
NGA has reportedly revoked the credentials of the affected employee, and secured the files. Booz Allen says the incident had “limited impact.”
“Booz Allen takes any allegation of a data breach very seriously, and promptly began an investigation into the accessibility of certain security keys in a cloud environment. We secured those keys, and are continuing with a detailed forensic investigation. As of now, we have found no evidence that any classified information has been compromised as a result of this matter.” Booz Allen statement
Is that what Hillary said?