(Mis)Uses of Technology

by Tim Cushing


Filed Under:
aws, chris vickery, inscom, nsa, secrets

Companies:
upguard



Government Exposes Documents Detailing Sensitive NSA Software, Surveillance Programs

from the password:-passw0rd dept

Another leak is causing some headaches for the NSA. Still reeling from the worldwide exposure of one of its exploit hoards, along with documents handed over to journalists by Ed Snowden (and unnamed others), the NSA's latest embarrassment is an unsecured intelligence system the NSA shares with the military.

The exposed data was discovered by security researcher Chris Vickery, who informed the government about the leak back in October.

On September 27th, 2017, UpGuard Director of Cyber Risk Research Chris Vickery discovered an Amazon Web Services S3 cloud storage bucket configured for public access. Set to allow anyone entering the URL to see the exposed bucket’s contents, the repository, located at the AWS subdomain “inscom,” contained 47 viewable files and folders in the main repository, three of which were also downloadable. The subdomain name provides some indication as to the provenance of the data: INSCOM, an intelligence command overseen by both the US Army and the NSA.

The three downloadable files contained in the bucket confirm the highly sensitive nature of the contents, exposing national security data, some of it explicitly classified.

The largest file is an Oracle Virtual Appliance (.ova) file titled “ssdev,” which, when loaded into VirtualBox, is revealed to contain a virtual hard drive and Linux-based operating system likely used for receiving Defense Department data from a remote location. While the virtual OS and HD can be browsed in their functional states, most of the data cannot be accessed without connecting to Pentagon systems - an intrusion that malicious actors could have attempted, had they found this bucket.

Included in the exposed data were files marked "Top Secret" and "NOFORN," the latter denoting information considered too sensitive to even be shared with foreign allies. Some of the exposed software could conceivably allow malicious actors to access sensitive (and live) Pentagon systems. Considering the sensitivity of this information, one has to wonder why no attempt was made to secure it.

Regrettably, this cloud leak was entirely avoidable, the likely result of process errors within an IT environment that lacked the procedures needed to ensure something as impactful as a data repository containing classified information not be left publicly accessible. Given how simple the immediate solution to such an ill-conceived configuration is - simply updating the S3 bucket’s permission settings to only allow authorized administrators access - the real question is, how can government agencies keep track of all their data and ensure they are correctly configured and secured?
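The UpGuard excerpt names the fix (restrict the bucket to authorized administrators) but does not show what "configured for public access" actually looks like in a bucket's settings, or what an auditor should check. The following is an added example, not code from UpGuard, Techdirt or AWS. It evaluates the three controls that decide whether an S3 bucket is public, in the JSON shapes the GetBucketAcl, GetBucketPolicy and GetPublicAccessBlock API calls return, so it runs offline with no credentials. The ACL, policy and Block Public Access documents at the bottom are constructed to resemble the misconfiguration described (anonymous listing via the ACL, anonymous download via the policy, no Block Public Access); the bucket name "inscom" is the only detail taken from the article, and the administrator role ARN is a placeholder.

```python
"""Offline audit of an S3 bucket's three public-access controls.

Added example, not UpGuard's, Techdirt's or AWS's code. Works on the JSON
returned by GetBucketAcl, GetBucketPolicy and GetPublicAccessBlock; the
sample documents below are constructed, and the admin ARN is a placeholder.
"""
import json

# ACL grantee groups that make a grant world-readable. AuthenticatedUsers
# means "any AWS account anywhere", which is public for practical purposes.
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
BPA_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def acl_public_permissions(acl):
    """Permissions the bucket ACL grants to a public group (READ = list the bucket)."""
    found = set()
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEES:
            found.add(grant["Permission"])
    return found


def _wildcard_principal(principal):
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def policy_public_actions(policy):
    """Actions an Allow statement grants to Principal "*" with no Condition.

    Conditioned statements are skipped, a conservative shortcut: a permissive
    aws:SourceIp condition would still be public and needs a closer look.
    """
    actions = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        if not _wildcard_principal(stmt.get("Principal")):
            continue
        acts = stmt.get("Action", [])
        actions.update([acts] if isinstance(acts, str) else acts)
    return actions


def block_public_access_complete(config):
    """True only when all four Block Public Access flags are enabled."""
    return all(config.get(flag) is True for flag in BPA_FLAGS)


def audit_bucket(acl, policy, public_access_block):
    """Return human-readable findings; an empty list means nothing is public."""
    findings = []
    perms = acl_public_permissions(acl)
    if perms:
        findings.append(f"ACL grants {sorted(perms)} to a public group")
    acts = policy_public_actions(policy)
    if acts:
        findings.append(f"bucket policy allows {sorted(acts)} to Principal *")
    if not block_public_access_complete(public_access_block):
        findings.append("Block Public Access is not fully enabled")
    return findings


def hardened_policy(bucket, admin_principal_arn):
    """Policy allowing one administrative principal only. Pair it with all four
    Block Public Access flags set and the ACL reset to owner-only."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AdminOnly",
            "Effect": "Allow",
            "Principal": {"AWS": admin_principal_arn},
            "Action": ["s3:ListBucket", "s3:GetObject", "s3:PutObject"],
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
        }],
    }


# --- constructed sample state (not real account data) -----------------------
OWNER = {"Type": "CanonicalUser", "ID": "0" * 64}
EXPOSED_ACL = {"Grants": [
    {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},                       # anyone can list the bucket
]}
EXPOSED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::inscom/*"},        # anyone can download objects
]}
NO_BPA = {flag: False for flag in BPA_FLAGS}
FULL_BPA = {flag: True for flag in BPA_FLAGS}
OWNER_ONLY_ACL = {"Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]}
ADMIN_ARN = "arn:aws:iam::123456789012:role/BucketAdmin"   # placeholder

if __name__ == "__main__":
    for finding in audit_bucket(EXPOSED_ACL, EXPOSED_POLICY, NO_BPA):
        print("FINDING:", finding)
    print(json.dumps(hardened_policy("inscom", ADMIN_ARN), indent=2))
```

Against the exposed state the audit reports all three findings; against the owner-only ACL, the AdminOnly policy and full Block Public Access it reports none. The point of checking all three controls is that fixing only one is not enough: a bucket policy can reopen what an ACL reset closed, and only the Block Public Access flags stop a later administrator from reintroducing either.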

Perhaps part of the reason this was overlooked was the software's relative uselessness. The military spent $93 million attempting to build a scalable solution for shared intelligence, but a 2014 memo called the software (known as "Red Disk") "a major hindrance to operations." Even though this may be all but abandoned, other files left exposed contained plenty of sensitive information.

Vickery noted that the disk image also contains other sensitive files, including private keys used for the system to access other servers on the intelligence community's network. The keys belong to a third-party firm, Invertix, a working partner of INSCOM and a key developer of Red Disk.
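The private keys Vickery describes are exactly the kind of artifact a pre-publication sweep of an exported appliance should catch. The following is an added example, not UpGuard's tooling and not derived from the Red Disk image. It assumes the appliance disk has already been mounted or unpacked into a directory tree (the constructed sample tree below stands in for that, with dummy key bodies rather than real keys) and finds PEM-armoured private keys, reporting whether each one is passphrase-protected by reading the PEM headers and, for OpenSSH keys, the cipher field inside the key blob. File paths and contents in the sample are invented for the example.

```python
"""Sweep an extracted virtual-appliance filesystem for private key material.

Added example, not UpGuard's tooling. Point find_private_keys() at a mounted
or unpacked appliance disk; build_sample_tree() writes a constructed stand-in
with dummy (non-functional) key bodies so the script runs offline.
"""
import base64
import os
import re
import struct
import tempfile

PEM_KEY_RE = re.compile(
    r"-----BEGIN (?P<kind>(?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY)-----"
    r"(?P<body>.*?)-----END (?P=kind)-----",
    re.S,
)
MAX_FILE_BYTES = 4 * 1024 * 1024   # skip large binaries, logs and nested disk images
OPENSSH_MAGIC = b"openssh-key-v1\x00"


def openssh_cipher(body):
    """Cipher name from an openssh-key-v1 blob ("none" = unencrypted), or None."""
    try:
        raw = base64.b64decode("".join(body.split()), validate=True)
    except ValueError:
        return None
    off = len(OPENSSH_MAGIC)
    if not raw.startswith(OPENSSH_MAGIC) or len(raw) < off + 4:
        return None
    (n,) = struct.unpack(">I", raw[off:off + 4])
    return raw[off + 4:off + 4 + n].decode("ascii", "replace")


def classify_pem_block(kind, body):
    """'encrypted', 'plaintext' or 'unknown' for one PEM private key block."""
    if kind == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body:
        return "encrypted"          # PKCS#8 encrypted, or legacy PEM with DEK-Info
    if kind == "OPENSSH PRIVATE KEY":
        cipher = openssh_cipher(body)
        if cipher is None:
            return "unknown"
        return "plaintext" if cipher == "none" else "encrypted"
    return "plaintext"


def find_private_keys(root):
    """Return sorted (relative path, key kind, status) for every key block found."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                if not os.path.isfile(path) or os.path.getsize(path) > MAX_FILE_BYTES:
                    continue
                with open(path, "rb") as fh:
                    text = fh.read().decode("utf-8", "ignore")
            except OSError:
                continue
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            for m in PEM_KEY_RE.finditer(text):
                hits.append((rel, m.group("kind"), classify_pem_block(m.group("kind"), m.group("body"))))
    return sorted(hits)


def constructed_openssh_pem(cipher):
    """Minimal openssh-key-v1 blob carrying only the cipher field (test data)."""
    blob = OPENSSH_MAGIC + struct.pack(">I", len(cipher)) + cipher + b"\x00" * 16
    b64 = base64.b64encode(blob).decode("ascii")
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"


def build_sample_tree():
    """Write a constructed appliance tree; paths and key bodies are invented."""
    root = tempfile.mkdtemp(prefix="appliance_")
    files = {
        "opt/relay/conf/deploy.key":    # unencrypted legacy PEM
            "-----BEGIN RSA PRIVATE KEY-----\nMIIEdummydummydummydummydummy=\n-----END RSA PRIVATE KEY-----\n",
        "opt/relay/conf/server.key":    # passphrase-protected legacy PEM
            "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
            "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\ndummydummy=\n"
            "-----END RSA PRIVATE KEY-----\n",
        "home/svc/.ssh/id_ed25519": constructed_openssh_pem(b"none"),
        "var/log/messages": "Nov 28 10:00:00 relay sshd[412]: Accepted publickey for svc\n",
    }
    for rel, content in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for rel, kind, status in find_private_keys(build_sample_tree()):
        print(f"{status:9s} {kind:22s} {rel}")
```

An .ova is a tar archive holding the OVF descriptor and the .vmdk disk, so the practical workflow is to untar it, mount the disk read-only, and run find_private_keys against the mount point. A "plaintext" hit is the case the article describes: a key that grants access to other systems the moment the image leaves the organisation, passphrase or not.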

On top of that, the exposed files provided more information about NSA collection program Ragtime, which allowed (allows?) the agency to collect info on US persons.

The document seen by ZDNet, dated November 2011, shows the Ragtime program has eleven variants, including the four that were already known. The document alludes to Ragtime-BQ, F, N, PQ, S, and T.

The eleventh version refers to Ragtime-USP. "USP" is a common term used across the intelligence community to refer to "US person," like a US citizen or lawful permanent resident.

Ragtime is more than a decade old, but apparently still in use. It was part of the Stellar Wind warrantless surveillance bundle put together by the agency and the Bush administration shortly after the 9/11 attacks in 2001. While Stellar Wind is no longer in use thanks to domestic surveillance concerns (it's actually just been offshored to dodge FISA obligations), Ragtime appears to still be running, although there's little publicly-available information discussing its use in surveilling American citizens. An undated document leaked by Snowden in 2013 discusses Ragtime collection in the context of thwarting Congressional oversight.

What is known is Ragtime's super-secret status. It's a "need to know" program that only certain analysts can access. Collections from this program are considered so sensitive they aren't shared with foreign allies, with the exception of the Ragtime-C variant, which allows UK intelligence agency access.

With the Section 702 renewal deadline fast approaching, another leak showing possible domestic surveillance can't be helpful. Then again, serious reform of the expiring collection authorities doesn't seem to be in the cards this year, what with both House and Senate committees offering uninspiring legislation that won't do much to rein in surveillance abuses.


Reader Comments



  • sehlat (profile), 29 Nov 2017 @ 1:46pm

    Tell Me Again

    Just why we should allow these people to have backdoors into all our communications?

    • JoeCool (profile), 29 Nov 2017 @ 7:07pm

      Re: Tell Me Again

      They're just so intelligent. I imagine the passwords are all of the form '12345'. When informed about the breach, they promptly changed it to '54321'.

  • DannyB (profile), 29 Nov 2017 @ 1:54pm

    Sprawl

    Maybe the intelligence agencies and all their appendages have simply become so big, too big to effectively keep all their secrets bottled up.

    It seems, intuitively, that a small organization is better able to keep secrets than a gigantic impersonal organization.

  • Anonymous Coward, 29 Nov 2017 @ 3:40pm

    At least they're being consistent: they want backdoors into our data; in exchange, they offer backdoors into their data.

  • Anonymous Coward, 29 Nov 2017 @ 6:50pm

    So many of these stories involve an Amazon service. Why hasn't Amazon made requiring a login for access the default yet?

