Security company finds unsecured bucket of US military images on AWS

Anonymous Coward

I'd imagine...

There's a ton of unsecured data on AWS. It's a platform that has so many options and services that it can be very difficult to lock down.

Amazon needs to simplify their platform a little I think.

3
8
Silver badge

@AC

"Amazon needs to simplify their platform a little I think."

Have to disagree there. If you're using a certain product which is also publicly accessible then you need to ensure that you know what you're doing. I can understand that things can become confusing at some point, but it's not really an impossible task.

This is of course assuming that all of this actually happened.

19
1
Silver badge

Re: I'd imagine...

It is not very hard to lock down, you simply need to know how to create a bucket policy. There is even an AWS Policy Generator to help you do this, something that BAH might want to read up on.

10
0
Silver badge
Paris Hilton

Re: I'd imagine...

Too much Booz(e) and too little professional conduct?

Tell me again, why putting sensitive information in the cloud is a good idea?

13
3
Bronze badge

Re: I'd imagine...

"Tell me again, why putting sensitive information in the cloud is a good idea?"

A question I've struggled with since the cloud became "a thing"

19
0
Silver badge

Re: I'd imagine...

I haven't struggled with it at all. Clouds are a no-fly zone in these parts. Added complexity, more layers, out of my control ... tell me again why this is safer/more secure/a good idea?

14
1
Silver badge

Re: Tell me again, why putting sensitive information in the cloud is a good idea?

Because reasons. You'd need a Harvard MBA to understand.

On a tangent: if we're talking military projects that Uncle Sam pays for, why can't a government agency like, say the NSA, provide secure cloud storage for the agencies and their contractors involved?

14
0

Re: Tell me again, why putting sensitive information in the cloud is a good idea?

Allthecoolshortnamesweretaken,

These days the NSA would probably just sub to Booz anyways. This company has some major clout; just ask Mr Snowden.... Oh, wait....

8
0
Silver badge

Re: Tell me again, why putting sensitive information in the cloud is a good idea?

"why can't a government agency like, say the NSA, provide secure cloud storage for the agencies and their contractors involved?"

Because these days in the US it's all about outsourcing and subcontracting - if a government agency were to do this and these types of configuration errors were discovered then someone would have to resign. But if you sub-contract it nobody gets hurt and many people get rich. Just look at the fall out from Snowden - nothing happened at all but had he been a government employee heads would have rolled and the Republicans would be screaming for blood.

8
0
Anonymous Coward

Re: @AC

Hmm pretty certain I said "can be very difficult" but I can see how that might be read as "impossible".

Yes policy management etc is far from impossible but the larger and more sprawling an AWS solution becomes the more of an administrative effort it becomes to manage it.

Whenever anything in the world of tech tries to do or provide too much you get into trouble.

Take systemd for example. People joke that it will have a word processor built in one day because of its sprawling feature set.

AWS is no different, it's a massive sprawl of different services, packages, products and subscriptions.

I find it unsurprising that with something as wide ranging in scope as AWS that shit slips through the net.

Especially if the hosted infrastructure was developed by a military organisation. I don't know about the US military but the MoD has a horrible habit of overengineering things and creating needless amounts of pointless work.

2
2
Silver badge
Childcatcher

Re: Tell me again, why putting sensitive information in the cloud is a good idea?

Configuration error my ass! I know the US DoD is shifting to public cloud services, but AFAIK classified data is not supposed to be stored there. There are isolated networks for that. There is no reason that TS data should be on AWS.

More than anything else, though, I am happy I am not the one having to fill out the paperwork on this spillage. If the data simply being on the host machine(s) also constitutes spillage (which it should), then the systems that it is or was previously on will have to be quarantined. Given the nature of cloud services, that would be a... difficult and involved task.

4
0
Bronze badge

Re: Tell me again, why putting sensitive information in an NSA cloud is a good idea?

Because an NSA provided cloud would not be the appropriate place for some Contractor to Contractor communications?

0
0
Anonymous Coward

Re: I'd imagine...

Could it be fake news?

0
0
Anonymous Coward

Re: Tell me again, why putting sensitive information in the cloud is a good idea?

I could tell you, but.....

0
0
FAIL

Re: I'd imagine...

Snowden stole documents from On-Premise systems, similar scenario with Panama papers, Wikileaks and many more. It doesn't matter if the data is on a cloud or on the ground, if your security measures suck, you are fucked.

0
0
Silver badge

There's a hole in me bucket,

dear ELIZA, dear ELIZA ...

21
1
Silver badge
Trollface

Re: There's a hole in me bucket,

Please tell me more about the hole in your bucket.

16
0
Anonymous Coward

B****CKS

Content should have been secured/encrypted regardless of the server platform used. The information, if classified, shouldn't be left in an open filing cabinet open to all. Maybe a defence contractor, but it's not at all clear whose side they are working for!

Appears to be no configuration rather than a configuration mistake too.

They would be better off using dropbox by the sound of it - at least they don't have to give extra credentials to the NSA...

8
2
Silver badge

Re: B****CKS

The information, if classified, shouldn't be left in an open filing cabinet open to all.

> cat /user/bah/secure/readme

!!beware of the leopard!!

simples. Tune in next week for chmod for fun and profit

11
0
Silver badge

Re: B****CKS

Military images? These wouldn't be naked marines by any chance?

6
1
Anonymous Coward

Re: B****CKS

Whenever I smell Amazon, I think of Marines.

That's the last sensation I had before I cracked up.

The thick smell of Amazon.

When I calmed down, they said they'd stored their files. Cheap. No encryption attached.

Now whenever I think of Marines, I think of two things.

Amazon and trouble.

Bonus thumbs up to those that see the gag.

*coat*

0
0
Joke

The trouble with Buckets

Is they may get water,,,,,, er scorn poured on them

2
0
Anonymous Coward

Booz seems to have recurring security leak problems. . . .

. . . How many have we heard about in the past few years ? At least two NSA leakers (including Snowden), I seem to recall several more that made the news in the past 5-6 years or so.

5
0
Silver badge
Facepalm

Get used to it

With May in charge and her desire to abolish encryption, every day will be like this finding tons of interesting stuff that's not encrypted or secured by private companies!

6
0
Silver badge

Ai ja. Some people clearly don't understand cloud computing and think it is secure enough, and bung all their Most Sensitive Data (eg dick pics or titty pics) on any cloud storage - and think it is secure enough.

Cloud storage means you put your Most Sensitive Data on a public server somewhere in the world, and you MUST take precautions to secure said data. It is not like a privately-owned server sitting in a known, secure location in your company's building, and to which access (physical as well as networked) is controlled.

Expect more bloopers and more sensitive data leaks to occur.

5
0
Silver badge
Facepalm

A caution on encrypted data in ye "cloud"

Not exactly on topic, but related to comments here. We're using a clown, sorry, cloud offering for our business data storage. Let's agree for the moment to leave aside all other contentious issues of sense, reliability, and such, lol... Anyway, I had an encrypted file container stored there. It's my stash of personal junk - journal, etc.

One day I decrypted the container and found the last six weeks of data GONE. As near as I can figure, here's what happened. Any changes made are saved within the file crypt. The crypt file itself never changes size, and apparently doesn't change "modified date" either. So for some reason, the off-site servers decided to overwrite my crypt file with an old copy which to it looked like the same file.

SO BEWARE, if you're saving encrypted file containers in a "cloud" you might should make sure something about it looks different now and then.

5
0
JLV
Silver badge

Re: A caution on encrypted data in ye "cloud"

+1 Same time-stamping issue applies to Truecrypt and backup software. There's a config switch to enable timestamps.

2
0
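The failure described in the two comments above can be reproduced in a few lines. This is an added example, not any commenter's or vendor's code, and it assumes a hypothetical sync client that decides "unchanged" from size and modification time alone, plus a container tool that restores the old timestamp after writing. The file contents are constructed.

```python
import hashlib
import os
import tempfile


def quick_signature(path):
    """What a size-and-mtime comparison sees (assumed sync-client behaviour)."""
    st = os.stat(path)
    return (st.st_size, st.st_mtime_ns)


def content_signature(path):
    """SHA-256 of the file contents, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def rewrite_in_place(path, offset, data, preserve_mtime=True):
    """Overwrite bytes inside a fixed-size file, optionally restoring its timestamps."""
    st = os.stat(path)
    with open(path, "r+b") as f:
        f.seek(offset)
        f.write(data)
    if preserve_mtime:
        os.utime(path, ns=(st.st_atime_ns, st.st_mtime_ns))


def demo(preserve_mtime=True):
    """Return (quick check says unchanged, content hash says unchanged)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "container.bin")
        with open(path, "wb") as f:
            f.write(b"\x00" * 4096)  # constructed stand-in for an encrypted container
        os.utime(path, ns=(10**18, 10**18))  # pin a known old timestamp
        quick_before, hash_before = quick_signature(path), content_signature(path)
        rewrite_in_place(path, 1024, b"new journal entry", preserve_mtime)
        return (quick_signature(path) == quick_before,
                content_signature(path) == hash_before)


if __name__ == "__main__":
    print("timestamp preserved:", demo(True))
    print("timestamp updated:  ", demo(False))
```

With the timestamp preserved, the quick check reports no change while the hash differs, which is the condition under which an older copy can silently win.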
Silver badge

How was this not encrypted?

One would hope that a requirement for ANY information to be sitting on a third party cloud provider's servers is military grade encryption. Even if the bucket was secured, Amazon employees would have access to it, as would anyone who hacked Amazon's security. If it is encrypted, then whether it is secured or not, hacked or not, it is kept safe.

Hopefully the person(s) at BAH responsible for placing this data on Amazon are fired and banned from ever getting a security clearance again. Misconfiguration could be excused as everyone makes mistakes, but storing sensitive info on a public service unencrypted shouldn't be.

3
0
Silver badge
Holmes

Re: How was this not encrypted?

One would hope that a requirement for ANY information to be sitting on a third party cloud provider's servers is military grade encryption.

I'd go one further - military and other such data should always be stored encrypted wherever.

Cloud storage is perfectly fine so long as two conditions are met :

1) Don't trust the cloud storage company

and

2) Don't trust the cloud storage company.

To satisfy rule #1 make sure anything you "backup" or save to "the cloud" is encrypted. Also means if they have any googletastic conditions like "all your data are belong to us forever and we can sell it and shit" (IIRC Linkedin (may they get sued out of existence ASAP!) and Flickr also have similar conditions - any photos you store on the latter you no longer own the rights to IIRC) - if a file is encrypted and only you have the key, google et al can't do much selling of it/making derivatives of it etc.

To satisfy rule #2 make sure anything you "backup" or save to "the cloud" is NOT your only copy, ie use "the cloud" as a backup but treat it as one that could disappear at any moment (company fails, has a hardware failure, system/operator error wipes your data).

Cloudyness has much to offer if used properly and treated like that friend you're sure is rather "light fingered"1 - have it around, but keep a good eye on it and make sure it can't mess with anything that truly matters.

1 Or that friend who "knows lots about IT stuff" and thoroughly screws up your media centre by faffing around with things "to make it better". Or screws up your sound system, or turns your car into an under-performing turd (not a problem for Ford owners - they're already under-performing turds (your choice as to whether I mean the car or the owner))

0
0
Gold badge
Unhappy

"Booz Allen Hamilton "

Former employers of Mr Snowden.

They do seem to have a few issues with their HR processes.

4
0
Bronze badge

Re: "Booz Allen Hamilton "

Methinks their US.gov security contracts should all be reviewed and the entire organisation should be audited from top to bottom by the DoH/NSA/DoD and the rest of the alphabet. Will probably stop them getting any new contracts before the next millennium.

1
0


The Register - Independent news and views for the tech community. Part of Situation Publishing