Just over four years ago, Edward Snowden blew the lid off some of the NSA’s most powerful programs and tools for monitoring communications around the world. In the aftermath of that intelligence debacle — and whatever you think of Edward Snowden and his actions, his releases certainly qualified as a debacle for his employer and its reputation — one would have expected Booz Allen Hamilton to have dramatically overhauled its security procedures, tightened its policies, and taken some basic steps to seal its Titanic-sized leaks. But whatever BAH did to improve security, it wasn’t enough to prevent a different contractor, Harold Martin III, from stealing an estimated 50TB of data.
To be clear, as of this writing, no proof has been presented that Martin actually disseminated any of this information, and the government has not charged that Martin leaked information to the press or gave it to anyone. Nonetheless, it’s not a great situation for Booz Allen Hamilton. And now, just eight short months later, they’ve got another debacle on their hands.
On May 24, Chris Vickery, a risk analyst with UpGuard, found an enormous public repository of federal data that contained “highly sensitive” military information as well. Analysis of the files showed that they were related to the US National Geospatial-Intelligence Agency (NGA). This might not seem like much of a leak compared with, say, secret government contacts or juicy national spy programs, but geospatial intelligence (GEOINT) is critical to virtually every aspect of modern intelligence gathering. Concerned about whether or not North Korea is moving portable missile launchers into launch positions? That’s GEOINT. Concerned about a buildup of troops on the Iranian border? That’s GEOINT.
The exact specifications and capabilities of US spy satellites are kept classified. But some of those capabilities can be determined if you have the data sets in question. If, for example, you can read the license plates in various spy satellite images, you know the country that took the photos has cameras that can resolve down to that level of detail. As Cyberresilience.io points out, the NGA is where the US houses its information on North Korean missile silos or battlefield imaging in Afghanistan. It’s not the sort of data you want enemies to have access to.
The data, which was housed in an Amazon S3 web service “bucket,” wasn’t directly registered to Booz Allen Hamilton, but signs apparently point in that direction. Here’s how Cyberresilience.io describes what happened:
In short, information that would ordinarily require a Top Secret-level security clearance from the DoD was accessible to anyone looking in the right place; no hacking was required to gain credentials needed for potentially accessing materials of a high classification level. Unprotected by even a password, the plaintext information in the publicly exposed Amazon S3 bucket contained what appear to be the Secure Shell (SSH) keys of a BAH engineer, as well as credentials granting administrative access to at least one data center’s operating system.
After receiving no response from BAH to his initial notification, Vickery escalated his notification attempts by sending an email to the NGA at 10:33 AM PST, Thursday, May 25th. Nine minutes later, at 10:42 AM PST, the file repository was secured — an impressively speedy response time from a major US intelligence agency.
It’s not a good look for one of America’s top defense contractors. And it’s bound to raise further questions about what, exactly, BAH is doing — or not doing — to lock down national security data. Initially, UpGuard claimed that the data found in the insecure repository was classified as Top Secret. BAH has told Ars Technica that while the data wasn’t directly connected to classified systems, credentials included within the store could have been used to access more sensitive material.