Surprise! US DoD Server Had no Password — 3TB of Sensitive Data Leaked

Sensitive military data found on unprotected Microsoft Azure server. Defense Department email store left insecure for at least 11 days.

U.S. Special Operations Command (USSOCOM) seems to be responsible. The super-sensitive stash should have been encrypted. But it wasn’t. Your tax dollars at work.

Amateurs. In today’s SB Blogwatch, we seek professional help.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Daisy, corrected.

I’m Sorry, Dave

I think you know what the problem is, just as well as I do. Zack Whittaker reports—“Sensitive US military email spills online”:

Human error
The exposed server was hosted on Microsoft’s Azure government cloud for [DoD] customers, which uses servers that are physically separated from other commercial customers and as such can be used to share sensitive but unclassified government data. The exposed server was part of an internal mailbox system storing about three terabytes of internal military emails, many pertaining to … USSOCOM, the U.S. military unit tasked with conducting special military operations.

Anurag Sen, a good-faith security researcher known for discovering sensitive data that has been inadvertently published online, found the exposed server [which] was packed with internal military email messages, dating back years. … One of the exposed files included a completed SF-86 questionnaire, which are filled out by federal employees seeking a security clearance and contain highly sensitive personal and health information.

The mailbox server was first [listed] on Shodan … as spilling data on February 8. It’s not clear how the mailbox data became exposed … but it’s likely due to a misconfiguration caused by human error. … It’s not known if anyone other than Sen found the exposed data during the two-week window that the cloud server was accessible.

This sort of thing has cropped up before—and it has always been due to human error. Sean Lyngaas brings us, “US military investigating leak of email”:

Cause for concern
The US military’s Special Operations Command says it is investigating a report from a cybersecurity researcher that the command was leaking a trove of unclassified email data on the internet. … “[We] initiated an investigation into information we were provided about a potential issue with the command’s cloud service,” Special Operations Command (SOCOM) spokesperson Ken McGraw said. “The only other information we can confirm at this point is no one has hacked US Special Operations Command’s information systems.”

Special Operations Command is an elite Pentagon command responsible for counterterrorism and hostage rescue missions around the globe. … The data exposure is an example of how powerful organizations can unwittingly expose potentially sensitive internal data by not configuring their computer servers properly. It is not uncommon for large organizations to inadvertently expose internal data … but the fact that this is a Department of Defense email server will give US officials cause for concern.

I honestly think you ought to sit down calmly, take a stress pill and think things over. Ines Kagubare adds—“Leak from military email server”:

A spokesperson for the U.S. Cyber Command [said] “As a matter of practice and operational security, we do not comment on the status of our networks and systems. Our defensive cyber operators proactively scan and mitigate the networks they manage. Should any incidents be discovered during these regular operations, we fully mitigate, protect, and defend our networks and systems. Any information or insight is shared with relevant agencies and partners if appropriate.”

I know I’ve made some very poor decisions recently. So did some DoD employees, according to Jtsummers:

For a DoD employee to not have sent a document like an SF-86 encrypted indicates a failure to follow basic procedures. Every DoD employee (military and civilian) has an encryption key they can use, and is required to use, for things like PII and many others (which an SF-86 would definitely contain). … US DoD has CAC – Common Access Card.

CACs have encryption keys and are used for signing and encrypting email. The data should have been transmitted and stored encrypted for something like an SF-86.
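An added example, not from the post or any commenter quoted here: a defender-side audit over a mail store that flags messages mentioning SF-86 paperwork whose body is not an S/MIME enveloped-data object, which is what CAC-based email encryption produces. The three sample messages are constructed, and the base64 S/MIME body is a placeholder rather than a real envelope.

```python
from email import message_from_string

# Constructed sample mail-store entries (not real data); the S/MIME body is a placeholder.
PLAIN_SF86 = """Message-ID: <a1@example.mil>
Subject: Completed SF-86 for onboarding
Content-Type: multipart/mixed; boundary="b"

--b
Content-Type: text/plain

Questionnaire attached.
--b
Content-Type: application/pdf; name="sf86.pdf"
Content-Disposition: attachment; filename="sf86.pdf"

%PDF-1.4 placeholder
--b--
"""
ENCRYPTED_SF86 = ("Message-ID: <b2@example.mil>\nSubject: SF-86 (S/MIME)\n"
                  "Content-Type: application/pkcs7-mime; smime-type=enveloped-data; "
                  'name="smime.p7m"\nContent-Transfer-Encoding: base64\n\nMIAGCSqGSIb3DQEHAw==\n')
BENIGN = "Message-ID: <c3@example.mil>\nSubject: Lunch\nContent-Type: text/plain\n\nNoon?\n"

# Markers for clearance paperwork, which DoD policy says must travel and rest encrypted.
SENSITIVE_MARKERS = ("sf-86", "sf86")

def is_smime_encrypted(msg):
    """True if the top-level body is an S/MIME enveloped-data object (RFC 8551)."""
    if msg.get_content_type() not in ("application/pkcs7-mime", "application/x-pkcs7-mime"):
        return False
    return (msg.get_param("smime-type") or "").lower() in ("enveloped-data", "authenveloped-data")

def mentions_sensitive_material(msg):
    """Look for markers in the subject, attachment names and plain-text parts."""
    haystack = [msg.get("Subject", "")]
    for part in msg.walk():
        haystack.append(part.get_filename() or "")
        if part.get_content_type() == "text/plain":
            haystack.append((part.get_payload(decode=True) or b"").decode("utf-8", "replace"))
    text = " ".join(haystack).lower()
    return any(marker in text for marker in SENSITIVE_MARKERS)

def find_unencrypted_sensitive(raw_messages):
    """Return Message-IDs of messages carrying sensitive material outside an S/MIME envelope."""
    flagged = []
    for raw in raw_messages:
        msg = message_from_string(raw)
        if mentions_sensitive_material(msg) and not is_smime_encrypted(msg):
            flagged.append(msg.get("Message-ID"))
    return flagged
```

Running `find_unencrypted_sensitive([PLAIN_SF86, ENCRYPTED_SF86, BENIGN])` flags only the plaintext SF-86 message; the subject of the encrypted one still matches because S/MIME does not protect headers, so a real audit should treat header hits as a separate, lower-severity finding.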

We are all—by any practical definition of the words—foolproof and incapable of error. x_t0ken_407 says cloud isn’t the problem:

The problem here is that whoever … was running that email server lacks basic security skills necessary to make the thing secure: … “A misconfiguration left the server without a password.” … I don’t think it matters if it’s cloud or on-premise HW if you can’t be bothered to apply basic security practices.

Bishop takes Queen, Knight takes Bishop—mate. u/professorDissociate shares their experience:

I used to know a network admin on the edge of retirement in the Air Force. I have no idea what his position was actually called, but he was enlisted.

I wanted to understand more about what a network admin does in the Air Force, and I asked the basic questions that I could as a mere data analyst without much networking knowledge. It didn’t take long to become very clear to me that I knew more about networking than this network admin. … I’m actually really curious as to how the hell they get anything done.

Just a moment. … Just a moment. Darinbob waxes metaphorical:

The equivalent of the janitor propping open the back door to make it easier to take out the trash.

I’ve never completely freed myself from the suspicion that there are some extremely odd things about this mission. Neither has booboofixer:

Or they have just finished setting up an effective honeypot and would like all adversaries to try again.

Will you stop, Dave? Meanwhile, as u/celebrityBiguy notes, everything’s OK now that they’ve password-protected the server:

Login: admin
Pw: password

And Finally:

I am feeling much better now


You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.

Image sauce: Mark Olsen (via Unsplash; leveled and cropped)

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.