Pierluigi Paganini November 28, 2017

The experts from the security firm UpGuard have discovered another S3 bucket containing documents from INSCOM, that is a joint US Army and NSA agency.

A couple of weeks ago sensitive data from the US Army’s CENTCOM and PACOM divisions was exposed on an unsecured Amazon S3 bucket, experts from the security firm UpGuard found terabytes of US military social media surveillance.

Now the same team from UpGuard have discovered another S3 bucket containing documents from INSCOM, that is a joint US Army and NSA agency involved in intelligence, security, and information operations.

The S3 server contained a small number of files and folders, three of which were available for the download.

“Critical data belonging to the United States Army Intelligence and Security Command (INSCOM), a joint US Army and National Security Agency (NSA) Defense Department command tasked with gathering intelligence for US military and political leaders, leaked onto the public internet, exposing internal data and virtual systems used for classified communications to anyone with an internet connection.” reads the blog post published by UpGuard.

“Set to allow anyone entering the URL to see the exposed bucket’s contents, the repository, located at the AWS subdomain “inscom,” contained 47 viewable files and folders in the main repository, three of which were also downloadable. “

One of the files was an image of a virtual machine in Oracle Virtual Appliance (.ova) format. It was a Linux-based operating system and an attached virtual hard drive likely used for receiving Defense Department data from a remote location.

The experts were not able to access the data likely because it cannot be accessed without connecting to Pentagon systems.

The experts were able to analyzed the metadata of files stored on the virtual hard drive, they discovered that the SSD image was containing a huge trove of highly sensitive files, some of which were classified with the TOP SECRET and NOFORN (NO FOReign Nationals) security classifiers.

According to UpGuard, this was the first time it discovered classified information left freely accessible on Amazon S3 servers.

Another a folder in the same virtual machine image suggests that the system was also part of the Red Disk, a cloud computing platform that was part of the Distributed Common Ground System-Army (DCGS-A) intelligence platform.

“The exposed data also reveals sensitive details concerning the Defense Department’s battlefield intelligence platform, the Distributed Common Ground System – Army (DCGS-A) as well as the platform’s troubled cloud auxiliary, codenamed “Red Disk.”” continues the post.

The second downloadable file discovered by the experts is a plaintext ReadMe document stored on the virtual hard drive. The ReadMe file provides indications of instruction for the contents of the .ova and information on the location of additional Red Disk packages.

The third downloadable file was a compressed .jar titled “rtagger,” that seems to be a training snapshot for labeling and categorizing classified information, as well as assigning such data to “regions.”

According to UpGuard, the leak was the result of process errors within an IT environment.

“Regrettably, this cloud leak was entirely avoidable, the likely result of process errors within an IT environment that lacked the procedures needed to ensure something as impactful as a data repository containing classified information not be left publicly accessible,” said the UpGuard team. “Given how simple the immediate solution to such an ill-conceived configuration is […] the real question is, how can government agencies keep track of all their data and ensure they are correctly configured and secured?“

Pierluigi Paganini

(Security Affairs – NSA, data leak)

[adrotate banner=”5″]

[adrotate banner=”13″]