Defense Department Spied On Social Media, Left All Its Collected Data Exposed To Anyone
from the not-cool-guys dept
There are two big WTFs in this story. First, the Defense Department's Central Command (Centcom) was collecting tons of data on social media posts… and then the bigger one, they somehow left all the data they collected open on an Amazon AWS server. This was discovered — as with so many examples of careless data exposure on Amazon servers — by Chris Vickery and UpGuard, who have their own post about the mess. You may recall Vickery from such previous stories as when the GOP left personal data on 200 million voters on an open Amazon server. Or when Verizon left private data available on millions of customers. Or when a terrorist watch list was left (you guessed it) on an open server. Or when he discovered that Hollywood studios were leaving their own screeners available on an open server. In short, this is what Vickery seems particularly good at: finding large organizations leaving sensitive data exposed on a server.
You would think (wouldn’t you?) that Centcom would be better about these things than, say, Verizon or the GOP or Hollywood. But, nope.
“[It’s] a pretty serious leak when you’re talking about intelligence information being stored in an Amazon cloud service and not properly safeguarded,” said Timothy Edgar, a former White House official in the Obama administration and former U.S. intelligence official.
Centcom’s response is… sketchy. It uses the important term “unauthorized access,” which suggests that it may be pushing for CFAA charges against Vickery/UpGuard, since “unauthorized access” is a key part of the CFAA:
“We determined that the data was accessed via unauthorized means by employing methods to circumvent security protocols,” said Maj. Josh Jacques, a spokesperson for U.S. Central Command. “Once alerted to the unauthorized access, Centcom implemented additional security measures to prevent unauthorized access.”
But if it was truly left open, then the access was not “unauthorized.” Indeed, it appears that Centcom went for convenience over security by making its Amazon S3 bucket open for access, and hoping obscurity would hide it.
Amazon servers where data is stored, called S3 buckets, are private by default. Private means only authorized users can access them. For one to be made more widely accessible, someone would have to configure it to be available to all Amazon Web Services users, but users would need to know or find the name of the bucket in order to access it.
By searching specific keywords, Vickery identifies information that companies and organizations inadvertently expose. In this case, he looked for buckets containing the word “com.”
Three S3 buckets were configured to allow anyone with an Amazon Web Services account to access them. They were labeled “centcom-backup,” “centcom-archive” and “pacom-archive,” Vickery said.
As for just what Centcom was doing here — it does appear that it was publicly available social media content, so that’s less of a direct concern, but it still does make you wonder why Centcom was storing all of this social media info. There are also, of course, related concerns about the US Defense Department conducting surveillance on Americans. This is from UpGuard’s post on the matter (linked above):
The data exposed in one of the three buckets is estimated to contain at least 1.8 billion posts of scraped internet content over the past 8 years, including content captured from news sites, comment sections, web forums, and social media sites like Facebook, featuring multiple languages and originating from countries around the world. Among those are many apparently benign public internet and social media posts by Americans, collected in an apparent Pentagon intelligence-gathering operation, raising serious questions of privacy and civil liberties.
While a cursory examination of the data reveals loose correlations of some of the scraped data to regional US security concerns, such as with posts concerning Iraqi and Pakistani politics, the apparently benign nature of the vast number of captured global posts, as well as the origination of many of them from within the US, raises serious concerns about the extent and legality of known Pentagon surveillance against US citizens. In addition, it remains unclear why and for what reasons the data was accumulated, presenting the overwhelming likelihood that the majority of posts captured originate from law-abiding civilians across the world.
I know that the US government still has this “collect it all” mentality, but as we’ve discussed over and over again, adding more hay to the haystack doesn’t make it easier to find the needles.