Government Exposes Documents Detailing Sensitive NSA Software, Surveillance Programs

from the password:-passw0rd dept

Another leak is causing some headaches for the NSA. Still reeling from the worldwide exposure of one of its exploit hoards, along with documents handed over to journalists by Ed Snowden (and unnamed others), the NSA's latest embarrassment is an unsecured intelligence system the NSA shares with the military.

The exposed data was discovered by security researcher Chris Vickery, who informed the government about the leak back in October.

On September 27th, 2017, UpGuard Director of Cyber Risk Research Chris Vickery discovered an Amazon Web Services S3 cloud storage bucket configured for public access. Set to allow anyone entering the URL to see the exposed bucket’s contents, the repository, located at the AWS subdomain “inscom,” contained 47 viewable files and folders in the main repository, three of which were also downloadable. The subdomain name provides some indication as to the provenance of the data: INSCOM, an intelligence command overseen by both the US Army and the NSA.

The three downloadable files contained in the bucket confirm the highly sensitive nature of the contents, exposing national security data, some of it explicitly classified.

The largest file is an Oracle Virtual Appliance (.ova) file titled “ssdev,” which, when loaded into VirtualBox, is revealed to contain a virtual hard drive and Linux-based operating system likely used for receiving Defense Department data from a remote location. While the virtual OS and HD can be browsed in their functional states, most of the data cannot be accessed without connecting to Pentagon systems - an intrusion that malicious actors could have attempted, had they found this bucket.

Included in the exposed data were files marked "Top Secret" and "NOFORN," the latter denoting information considered too sensitive to even be shared with foreign allies. Some of the exposed software could conceivably allow malicious actors to access sensitive (and live) Pentagon systems. Considering the sensitivity of this information, one has to wonder why no attempt was made to secure it.

Regrettably, this cloud leak was entirely avoidable, the likely result of process errors within an IT environment that lacked the procedures needed to ensure something as impactful as a data repository containing classified information not be left publicly accessible. Given how simple the immediate solution to such an ill-conceived configuration is - simply update the S3 bucket’s permission settings to only allow authorized administrators access - the real question is, how can government agencies keep track of all their data and ensure they are correctly configured and secured?

Perhaps part of the reason this was overlooked was the software's relative uselessness. The military spent $93 million attempting to build a scalable solution for shared intelligence, but a 2014 memo called the software (known as "Red Disk") "a major hindrance to operations." Even though this may be all but abandoned, other files left exposed contained plenty of sensitive information.

Vickery noted that the disk image also contains other sensitive files, including private keys used for the system to access other servers on the intelligence community's network. The keys belong to a third-party firm, Invertix, a working partner of INSCOM and a key developer of Red Disk.

On top of that, the exposed files provided more information about NSA collection program Ragtime, which allowed (allows?) the agency to collect info on US persons.

The document seen by ZDNet, dated November 2011, shows the Ragtime program has eleven variants, including the four that were already known. The document alludes to Ragtime-BQ, F, N, PQ, S, and T.

The eleventh version refers to Ragtime-USP. "USP" is a common term used across the intelligence community to refer to "US person," like a US citizen or lawful permanent resident.

Ragtime is more than a decade old, but apparently still in use. It was part of the Stellar Wind warrantless surveillance bundle put together by the agency and the Bush administration shortly after the 9/11 attacks in 2001. While Stellar Wind is no longer in use thanks to domestic surveillance concerns (it's actually just been offshored to dodge FISA obligations), Ragtime appears to still be running, although there's little publicly-available information discussing its use in surveilling American citizens. An undated document leaked by Snowden in 2013 discusses Ragtime collection in the context of thwarting Congressional oversight.

What is known is Ragtime's super-secret status. It's a "need to know" program that only certain analysts can access. Collections from this program are considered so sensitive they aren't shared with foreign allies, with the exception of the Ragtime-C variant, which allows UK intelligence agency access.

With the Section 702 renewal deadline fast approaching, another leak showing possible domestic surveillance can't be helpful. Then again, serious reform of the expiring collection authorities doesn't seem to be in the cards this year, what with both House and Senate committees offering uninspiring legislation that won't do much to rein in surveillance abuses.

Filed Under: aws, chris vickery, inscom, nsa, secrets
Companies: upguard


Reader Comments


  • sehlat, 29 Nov 2017 @ 1:46pm

    Tell Me Again

    Just why we should allow these people to have backdoors into all our communications?

    • JoeCool, 29 Nov 2017 @ 7:07pm

      Re: Tell Me Again

      They're just so intelligent. I imagine the passwords are all of the form '12345'. When informed about the breach, they promptly changed it to '54321'.

  • DannyB, 29 Nov 2017 @ 1:54pm

    Sprawl

    Maybe the intelligence agencies and all their appendages have simply become so big, too big to effectively keep all their secrets bottled up.

    It seems, intuitively, that a small organization is better able to keep secrets than a gigantic impersonal organization.

  • Anonymous Coward, 29 Nov 2017 @ 3:40pm

    At least they're being consistent: they want backdoors into our data; in exchange, they offer backdoors into their data.

  • Anonymous Coward, 29 Nov 2017 @ 6:50pm

    So many of these stories involve an Amazon service. Why hasn't Amazon made a login for access the default yet?

    • Anonymous Coward, 29 Nov 2017 @ 11:50pm

      Re:

      Because they're not a nanny?

    • Anonymous Coward, 30 Nov 2017 @ 12:53am

      default?

      The default is to only share it with specific logged-in users... but it is much easier to open a bucket for public sharing if someone without an Amazon account wants access.
