Defense Department Spied On Social Media, Left All Its Collected Data Exposed To Anyone

from the not-cool-guys dept

There are two big WTFs in this story. First, the Defense Departments Central Command (Centcom) was collecting tons of data on social media posts... and then the bigger one, they somehow left all the data they collected open on an Amazon AWS server. This was discovered -- as so many examples of careless data exposure on Amazon servers -- by Chris Vickery and UpGuard, who have their own post about the mess. You may recall Vickery from such previous stories as when the GOP left personal data on 200 million voters on an open Amazon server. Or when Verizon left private data available on millions of customers. Or when a terrorist watch list was left (you guessed it) on an open server. Or when he discovered that Hollywood studios were leaving their own screeners available on an open server. In short, this is what Vickery seems particularly good at: finding large organizations leaving sensitive data exposed on a server.

You would think (wouldn't you?) that Centcom would be better about these things than, say, Verizon or the GOP or Hollywood. But, nope.

"[It's] a pretty serious leak when you're talking about intelligence information being stored in an Amazon cloud service and not properly safeguarded," said Timothy Edgar, a former White House official in the Obama administration and former U.S. intelligence official.

Centcom's response is... sketchy. It uses the important term "unauthorized access," which suggests that it may be pushing for CFAA charges against Vickery/Upguard, since "unauthorized access" is a key part of the CFAA:

"We determined that the data was accessed via unauthorized means by employing methods to circumvent security protocols," said Maj. Josh Jacques, a spokesperson for U.S. Central Command. "Once alerted to the unauthorized access, Centcom implemented additional security measures to prevent unauthorized access."

But if it was truly left open, then the access was not "unauthorized." Indeed, it appears that Centcom went for convenience over security by making its Amazon S3 bucket open for access, and hoping obscurity would hide it.

Amazon servers where data is stored, called S3 buckets, are private by default. Private means only authorized users can access them. For one to be made more widely accessible, someone would have to configure it to be available to all Amazon Web Services users, but users would need to know or find the name of the bucket in order to access it.

By searching specific keywords, Vickery identifies information that companies and organizations inadvertently expose. In this case, he looked for buckets containing the word "com."

Three S3 buckets were configured to allow anyone with an Amazon Web Services account to access them. They were labeled "centcom-backup," "centcom-archive" and "pacom-archive," Vickery said.

As for just what Centcom was doing here -- it does appear that it was publicly available social media content, so that's less of a direct concern, but it still does make you wonder why Centcom was storing all of this social media info. There are also, of course, related concerns about the US Defense Department conducting surveillance on Americans. This is from Upguard's post on the matter (linked above):

The data exposed in one of the three buckets is estimated to contain at least 1.8 billion posts of scraped internet content over the past 8 years, including content captured from news sites, comment sections, web forums, and social media sites like Facebook, featuring multiple languages and originating from countries around the world. Among those are many apparently benign public internet and social media posts by Americans, collected in an apparent Pentagon intelligence-gathering operation, raising serious questions of privacy and civil liberties.

While a cursory examination of the data reveals loose correlations of some of the scraped data to regional US security concerns, such as with posts concerning Iraqi and Pakistani politics, the apparently benign nature of the vast number of captured global posts, as well as the origination of many of them from within the US, raises serious concerns about the extent and legality of known Pentagon surveillance against US citizens. In addition, it remains unclear why and for what reasons the data was accumulated, presenting the overwhelming likelihood that the majority of posts captured originate from law-abiding civilians across the world.

I know that the US government still has this "collect it all" mentality, but as we've discussed over and over again, adding more hay to the haystack doesn't make it easier to find the needles.

Filed Under: amazon s3, aws, centcom, chris vickery, defense department, exposed, social media, surveillance
Companies: amazon, upguard

Reviewer Caught Posting Marketing Material As A Review... Uses DMCA To Takedown Site Of Guy Who Exposed Him

from the this-is-going-to-backfire-badly dept

Duncan writes in to alert us to what must be the mother of all stories of a guy caught doing something questionable online, who then goes to amazingly great lengths -- including publishing private info, blocking users, changing content surreptitiously and (finally) using a bogus DMCA takedown to take down the entire site of the guy who caught him. It's quite a story, so let's start from the beginning.

There's some site called BenchmarkReviews. I'd never heard of it, but apparently it recently published a review of a Herman Miller chair supposedly written by one Olin Coles, who appears to own the site. Fair enough. However, some folks noticed some... well... oddities about the review, and started discussing them in the "World of Stuart" forums, leading journalist Stuart Campbell (of World of Stuart fame) to investigate. In looking through the details, it quickly became clear that the "review" text appeared to have copied potentially large segments from either marketing material or a press release. Some of the sources of the material were found out -- including a Herman Miller product brochure (pdf) and a furniture store company's product description. As people commented on the BenchmarkReviews website pointing this out, those comments were swiftly deleted, and the users' IP addresses were banned.

Campbell then sent Coles an email, identifying himself and asking a series of questions about the "review." Instead of replying, Campbell discovered that Coles posted a note to BenchmarkReview's forums, publicly naming Campbell, claiming that Campbell was banned from the site for making "anonymous... threats." Campbell says that the forum post displayed his name, email address and phone number, though it appears to only currently show his name and IP address.

Next up, a reader of Campbell's site contacted the furniture store in question, Smart Furniture, who claimed that they had written their own product description, suggesting that Benchmark Review may have copied it from Smart Furniture (or that Smart Furniture was lying).

Next up? Well, suddenly the text of the original review at Benchmark Review started gradually morphing, with no notice of the changes. Of course, Campbell had the originals and highlighted the ongoing changes. Oddly, the newly changed review included a whole bunch of ads pointing to Smart Furniture, the company who claimed to have created some of the text that showed up (uncredited) in the review.

That's when things got nasty. Apparently Coles sent a DMCA takedown to Campbell's hosting provider a company called JustHost. JustHost then totally overreacted, pulled down the entire site and seemed utterly clueless about how to properly handle a DMCA takedown notice and counternotice. In the end, JustHost would only allow Campbell's site to go back online if he removed the "offending" material. It has been removed, but the original blog post has been reposted elsewhere, so you can compare it to what's left.

The DMCA claim is clearly bogus -- and if Campbell decides to pursue it, the DMCA does allow for sanctions against those who knowingly file false DMCA claims. Cambell's post was clearly providing commentary on the review, and highlighting problems with it. The material was quoted in the context of highlighting the problems with the text, and certainly was not used in a manner that infringes. It's difficult to see how much deeper a hole Coles wants to dig himself here. His activities have only served to call that much more attention to the problems of the original "review" (if you can call it that), and filing a bogus DMCA notice to take down the website of the guy who called him on his activities seems only likely to make matters even worse for himself.

Filed Under: dmca, exposed, marketing, olin coles, reviews, stuart campbell, takedowns
Companies: benchmarkreviews, herman miller, smart furniture