Classified Pentagon program data mistakenly leaked

  • Classified Pentagon program data mistakenly leaked

Classified Pentagon program data mistakenly leaked

It's nearly unbelievable that there was top secret information from the US Army and the NSA, all available on a public platform and without any password protection.

Chris Vickery of the security firm UpGuard shared that over 100 GBs of data from an Army intelligence program codenamed Red Disk was left unprotected.

"It is unclear to us what the precise relevance of the classified data we found is to active INSCOM operations", Dan O'Sullivan, another analyst on UpGuard's cyber risk team, said Tuesday.

Security researcher Chris Vickery, from a firm called UpGuard, discovered the data trove, totaling about 100GB, in October and subsequently told the USA government about it.

Upguard security expert Chris Vickery notified the Pentagon of the data exposure in late September and was informed on October 10 that the exposed data was secured, said the report.

Just like the last Army leak, the exposed servers were found by the UpGuard team, who identified an S3 server hosting a small number of files and folders, three of which were freely downloadable.

NSA INSCOM Leak Red Disk 3 16x9

The National Security Agency has been acting like the National Stupidity Agency for the past several years now.

Among the files supposedly made public was a virtual hard drive containing classified documents labeled "NOFORN", materials so secret that the US does not even share their contents with foreign allies.

Vickery discovered that there were hundreds of gigabytes of data from something called Red Disk, an Army intelligence program, that was completely open - without any password protection. There were also private keys used for accessing distributed intelligence systems and hashed passwords stored in the hard drive. These, if accessed by malicious hackers, "could be used to further access internal systems". ZDNet reported that Red Disk was created to complement the US Army's legacy intelligence, surveillance and reconnaissance-sharing platform - the Distributed Common Ground System (DCGS). Some of the data could not be accessed without being linked to Pentagon systems, O'Sullivan said.

"Regrettably, this cloud leak was entirely avoidable", O'Sullivan added. Poor security on AWS servers led to exposed data tied to the Pentagon, Verizon, Dow Jones and almost 200 million American voter records. "Given how simple the immediate solution to such an ill-conceived configuration is [.] the real question is, how can government agencies keep track of all their data and ensure they are correctly configured and secured?"

A virtual disk image belonging to the NSA - essentially the contents of a hard drive - was left exposed on a public Amazon Web Services storage server.