Black Box, Red Disk: How Top Secret NSA and Army Data Leaked
Online

Updated on November 28, 2017 by Dan O'Sullivan

Filed under: AWS, government, S3, cloudleaks

In the wake of a string of data exposures originating from
Pentagon intelligence-gathering agencies, the most recent of
which revealed the workings of a massive, worldwide social
media surveillance program, the UpGuard Cyber Risk Team can
now disclose another. Critical data belonging to the United
States Army Intelligence and Security Command (INSCOM), a
joint US Army and National Security Agency (NSA) Defense
Department command tasked with gathering intelligence for US
military and political leaders, leaked onto the public
internet, exposing internal data and virtual systems used
for classified communications to anyone with an internet
connection. With a middling CSTAR cyber risk score of 589
out of a maximum of 950, INSCOM's web presence provides
troubling indications of gaps in their cybersecurity -
exemplified by the presence of classified data within this
publicly accessible data repository.

Among the most compelling downloadable assets revealed from
within the exposed bucket is a virtual hard drive used for
communications within secure federal IT environments, which,
when opened, reveals classified data labeled NOFORN - a
restriction indicating a high level of sensitivity,
prohibited from being disseminated even to foreign allies.
The exposed data also reveals sensitive details concerning
the Defense Department's battlefield intelligence platform,
the Distributed Common Ground System - Army (DCGS-A) as well
as the platform's troubled cloud auxiliary, codenamed "Red
Disk."

This cloud leak follows a number of previous Cyber Risk Team
reports detailing Pentagon data exposures from within the US
Central Command, US Pacific Command, and the National
Geospatial-Intelligence Agency, a Defense Department agency
tasked with acquiring and analyzing satellite imagery
intelligence. Such continual and apparently accidental
exposure of classified national security data to the wider
internet is proof that even the most secretive corners of
the IT landscape are not immune to the cyber risks befalling
any enterprise operating at scale.

In order to stop and shift away from the regular revelations
of another exposed intelligence operation, federal
stakeholders must begin to regain control of their systems,
reducing their complexity by gaining full visibility into
the complex workings of the government's cyber presence.
The Discovery

On September 27th, 2017, UpGuard Director of Cyber Risk
Research Chris Vickery discovered an Amazon Web Services S3
cloud storage bucket configured for public access. Set to
allow anyone entering the URL to see the exposed bucket's
contents, the repository, located at the AWS subdomain
"inscom," contained 47 viewable files and folders in the
main repository, three of which were also downloadable. The
subdomain name provides some indication as to the provenance
of the data: INSCOM, an intelligence command overseen by
both the US Army and the NSA.

The three downloadable files contained in the bucket confirm
the highly sensitive nature of the contents, exposing
national security data, some of it explicitly classified.

The largest file is an Oracle Virtual Appliance (.ova) file
titled "ssdev," which, when loaded into VirtualBox, is
revealed to contain a virtual hard drive and Linux-based
operating system likely used for receiving Defense
Department data from a remote location. While the virtual OS
and HD can be browsed in their functional states, most of
the data cannot be accessed without connecting to Pentagon
systems - an intrusion that malicious actors could have
attempted, had they found this bucket.

However, the properties of files revealed in this hard drive
contain areas and technical configurations clearly marked as
"Top Secret," as well as the additional intelligence
classification of "NOFORN," a stipulation which means the
data is so sensitive, it cannot even be shared with foreign
allies. The hard drive contains six such partitions, varying
in size from 1 GB to 69 GB, and contains indications in its
metadata that the box was worked on in some capacity by a
now-defunct third-party defense contractor named Invertix, a
known INSCOM partner. Finally, also exposed within are
private keys used for accessing distributed intelligence
systems, belonging to Invertix administrators, as well as
hashed passwords which, if still valid and cracked, could be
used to further access internal systems.

While the specific purpose of the virtual drive's partitions
are unclear, the file appears to be of use for receiving,
transmitting, and handling classified data. A folder within
the hard drive reveals a human-configured installation of
files for use with Red Disk, a troubled Defense Department
cloud intelligence platform partially integrated into the
Pentagon's DCGS-A program.

The second downloadable file, a plaintext ReadMe document
stored within the virtual hard drive, provides indications
of instruction for the contents of the .ova and where to
obtain additional Red Disk packages.

The final downloadable file, a compressed .jar titled
"rtagger," appears to constitute a training snapshot for
labeling and categorizing classified information, as well as
assigning such data to "regions." Such a function would be
of vital use for the remote receipt and analysis of
classified information, possibly via a virtual appliance of
the sort already discussed.

The Significance

Plainly put, the digital tools needed to potentially access
the networks relied upon by multiple Pentagon intelligence
agencies to disseminate information should not be something
available to anybody entering a URL into a web browser.
Although the UpGuard Cyber Risk Team has found and helped to
secure multiple data exposures involving sensitive defense
intelligence data, this is the first time that clearly
classified information has been among the exposed data.

It is unnecessary to speculate as to the potential value of
such an exposed bucket to foreign intelligence services or
malicious individual actors; the care taken to classify
sections of the exposed virtual drive as "Top Secret" and
"NOFORN" provide all the indications necessary to determine
how seriously this data was taken by the Defense Department.
Finally, the subdomain name for the S3 bucket, "INSCOM,"
provides little ambiguity to any bad guys seeking to
determine the data's significance.

If, then, such a high level of sensitivity is inherent to
the data, how could it be exposed? Regrettably, this cloud
leak was entirely avoidable, the likely result of process
errors within an IT environment that lacked the procedures
needed to ensure something as impactful as a data repository
containing classified information not be left publicly
accessible. Given how simple the immediate solution to such
an ill-conceived configuration is - simply updated the S3
bucket's permission settings to only allow authorized
administrators access - the real question is, how can
government agencies keep track of all their data and ensure
they are correctly configured and secured?

Doing so requires full visibility into the real-time state
of all relevant IT systems, as well as possessing the
necessary oversight and ability to make changes when
necessary. Unfortunately, the indications that some of the
data in the bucket had been access and worked upon by
Invertix, the external third-party vendor, provides some
indication of another difficulty faced in regaining trust in
digital systems.

Third-party vendor risk remains a silent killer for
enterprise cyber resilience. The transfer of information to
an external contractor, such as Invertix, exposes the
originating enterprise (in this case, INSCOM) to the
consequences of a breach, but without direct oversight of
how the data is handled. Invertix has since merged into a
new corporation, Altamira, which registers a CSTAR score of
513. If the right hand does not know what the left hand is
doing, the entire body will be injured. The Defense
Department must have full oversight into how their data is
handled by external partners, and be able to react quickly
should disaster strike.

Get the complete Government Cyber Risk Report

Tweet

Learn more
What are misconfigurations?

Misconfigurations are an internal problem that emanate from
within the IT infrastructure of any enterprise; no hacker is
necessary for massive damage to occur to digital systems and
stored data. And the problem is pervasive, with Gartner
estimating anywhere from 70% to 99% of data breaches result
not from external, concerted attacks, but from internal
misconfiguration of the affected IT systems.
Keep Reading

Join the newsletter to receive UpGuard Breach Analysis post
alerts via email

Cyber Risk Analyst
Chris Vickery

As a security researcher, Chris possesses a long track
record of professional distinction and success discovering
major data breaches and vulnerabilities across the cyber
landscape. Previous achievements have included reports on
the online exposure of hundreds of thousands of patient
medical records, an illegal spam operation insecurely
storing 1.4 billion target email addresses, a series of
unsecured MongoDB databases which threatened the security of
millions of internet users, and a publicly accessible
database containing the voter registration records for 93.4
million Mexican citizens. As a researcher and analyst, Chris
has helped to protect the most sensitive data of hundreds of
millions of people, while raising awareness of the looming
issues of cyber risk.