Slashdot Mirror


Top Defense Contractor Left Sensitive Pentagon Files on Amazon Server With No Password (gizmodo.com)

Sensitive files linked to the National Geospatial-Intelligence Agency -- which works with the nation's intelligence agencies to analyze aerial data -- were apparently left on a public Amazon server by an employee of Booz Allen Hamilton, one of the nation's top defense contractors, reports Gizmodo. From the article: A cache of more than 60,000 files was discovered last week on a publicly accessible Amazon server, including passwords to a US government system containing sensitive information, and the security credentials of a lead senior engineer at Booz Allen Hamilton. What's more, the roughly 28GB of data contained at least a half dozen unencrypted passwords belonging to government contractors with Top Secret Facility Clearance. The exposed credentials could potentially grant their holders further access to repositories housing similarly sensitive government data. Countless references are made in the leaked files to the US National Geospatial-Intelligence Agency (NGA), which in March awarded Booz Allen an $86 million defense contract. Often referred to as the Pentagon's "mapmakers," the combat support agency works alongside the Central Intelligence Agency, the National Reconnaissance Office, and the Defense Intelligence Agency to collect and analyze geospatial data gathered by spy satellites and aerial drones. The NGA on Tuesday confirmed the leak to Gizmodo while stressing that no classified information had been disclosed.
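The summary says the files sat on a "publicly accessible Amazon server" with no password. On S3 that comes down to one of two documents: a bucket ACL that grants a global group, or a bucket policy whose principal is a wildcard. As an added example (not code from Gizmodo, Slashdot or any party in the story), the Python below checks both documents offline, with a constructed open configuration of the kind described beside a corrected one; the account ID, role name and bucket name are made up for the example.

```python
"""Offline check for the two S3 settings that make a bucket world-readable:
a bucket ACL granting a global group, or a bucket policy whose principal
is a wildcard. The sample documents below are constructed for this
example; they mimic the JSON returned by
`aws s3api get-bucket-acl` and `aws s3api get-bucket-policy`."""
import json

# Group URIs that mean "anyone". AuthenticatedUsers is any AWS account in
# the world, not just accounts in your organisation, so it is public too.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}


def acl_public_grants(acl):
    """Return (group, permission) pairs in a bucket ACL that expose it."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            findings.append((PUBLIC_GROUPS[grantee["URI"]], grant["Permission"]))
    return findings


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_is_wildcard(principal):
    """Principal may be "*", {"AWS": "*"} or {"AWS": [..., "*"]}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def policy_public_statements(policy):
    """Return the Allow statements that any principal can use.

    A statement with a Condition (e.g. aws:SourceIp) is still reported,
    with conditional=True, because whether it is really public depends
    on the condition, which this check does not evaluate."""
    if isinstance(policy, str):   # get-bucket-policy hands back the policy as a JSON string
        policy = json.loads(policy)
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue               # a Deny with Principal "*" is fine, and common
        if not _principal_is_wildcard(stmt.get("Principal")):
            continue
        findings.append({
            "sid": stmt.get("Sid", "<no Sid>"),
            "actions": _as_list(stmt.get("Action", [])),
            "conditional": "Condition" in stmt,
        })
    return findings


def is_public(acl, policy):
    """True when either document grants unconditional anonymous access."""
    if acl_public_grants(acl):
        return True
    return any(not f["conditional"] for f in policy_public_statements(policy))


# Constructed sample documents (hypothetical IDs, names and ARNs).
OWNER = {"Grantee": {"Type": "CanonicalUser", "ID": "ownercanonicalid"},
         "Permission": "FULL_CONTROL"}

# The configuration the story describes: anyone can list and read.
OPEN_ACL = {"Owner": {"ID": "ownercanonicalid"}, "Grants": [
    OWNER,
    {"Grantee": {"Type": "Group",
                 "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]}
OPEN_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
]}

# The corrected configuration: owner-only ACL, access limited to one role
# (hypothetical account and role), plus a Deny that is not "public" even
# though its Principal is "*".
FIXED_ACL = {"Owner": {"ID": "ownercanonicalid"}, "Grants": [OWNER]}
FIXED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "EngineeringRoleOnly", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/EngineeringRole"},
     "Action": ["s3:GetObject"],
     "Resource": ["arn:aws:s3:::example-bucket/*"]},
    {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*",
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
]}

if __name__ == "__main__":
    for name, acl, policy in (("open", OPEN_ACL, OPEN_POLICY),
                              ("fixed", FIXED_ACL, FIXED_POLICY)):
        print(name, "public" if is_public(acl, policy) else "not public",
              acl_public_grants(acl), policy_public_statements(policy))
```

To run it against a real bucket, feed it the output of `aws s3api get-bucket-acl --bucket NAME` and `aws s3api get-bucket-policy --bucket NAME` (the latter wraps the policy in a `Policy` string, which is why the function also accepts a string). It deliberately does not look at the account- and bucket-level Block Public Access settings, which override both documents; a check of `aws s3api get-public-access-block` belongs alongside it, and neither replaces reviewing object-level ACLs on buckets that still allow them.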

88 comments

  1. An accident? by DickBreath · · Score: 4, Interesting

    Accidentally, on porpoise?

    > . . . an employee of Booz Allen Hamilton

    Isn't that the company Snowden worked for?

    --

    I'll see your senator, and I'll raise you two judges.
    1. Re:An accident? by DickBreath · · Score: 2

      I'm sure those helpful Russians have made a backup of this information, just as they would with Hillary's email server and Trump's insecure phones.

      --

      I'll see your senator, and I'll raise you two judges.
    2. Re: An accident? by Anonymous Coward · · Score: 1

      FORMER top defense contractor.

      -FTFY

    3. Re:An accident? by Zontar_Thing_From_Ve · · Score: 3, Informative

      Accidentally, on porpoise?

      I had the exact same thought. Let's see if any action at all is taken against this engineer.

      > . . . an employee of Booz Allen Hamilton
      Isn't that the company Snowden worked for?

      Yes.

    4. Re:An accident? by DontBeAMoran · · Score: 2

      What the hell is a "porpoise"?

      --
      #DeleteFacebook
    5. Re:An accident? by Anonymous Coward · · Score: 0

      So how did the email get to the server if it wasn't publicly accessible?

    6. Re:An accident? by HornWumpus · · Score: 0

      Incompetently secured is incompetently secured. Her server wasn't 'half pregnant'.

      --
      John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
    7. Re:An accident? by Anonymous Coward · · Score: 0

      A cetacean, related to dolphins
      https://en.wikipedia.org/wiki/Porpoise

    8. Re:An accident? by Anonymous Coward · · Score: 5, Funny

      A porpoise is a fully aquatic marine mammal of the family Phocoenidae, but that is not important right now.

    9. Re:An accident? by anegg · · Score: 1

      I believe that the inquiry actually was concerned about whether marine mammals were involved. That would be a truly disturbing development, perhaps their first move in a bid to destabilize the US government, taking advantage of the current turmoil at the top of the executive branch.

    10. Re:An accident? by lgw · · Score: 2

      Either that, or it was a case of too much Booze, not enough Allen Hamilton. Never attribute to malice what can be explained by drunken carelessness?

      --
      Socialism: a lie told by totalitarians and believed by fools.
    11. Re:An accident? by DickBreath · · Score: 2

      > What the hell is a "porpoise"?

      A better question is: what is a 'covfefe'?

      I don't think it is something you grab someone by.

      --

      I'll see your senator, and I'll raise you two judges.
    12. Re:An accident? by Anonymous Coward · · Score: 0

      It's like a dolphin. Only different. Try to keep up.

    13. Re:An accident? by HangingChad · · Score: 0, Flamebait

      this contractor is confused about the justice he will be getting vs what Hillary got.

      False equivalence is the refuge of a tiny mind.

      --
      That's our life, the big wheel of shit. - The Fat Man, Blue Tango Salvage
    14. Re:An accident? by Cro Magnon · · Score: 1

      > What the hell is a "porpoise"?

      A better question is: what is a 'covfefe'?

      I don't think it is something you grab someone by.

      Isn't it a drink to keep you from falling asleep while tweeting?

      --
      Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
    15. Re:An accident? by Quince alPillan · · Score: 1
      Per Wikipedia:

      Porpoises are a group of fully aquatic marine mammals that are sometimes referred to as mereswine, all of which are classified under the family Phocoenidae, parvorder Odontoceti.

      https://en.wikipedia.org/wiki/Porpoise

      It's close to pedantic in the dictionary.

    16. Re:An accident? by Anonymous Coward · · Score: 0

      All of this "defense" and "secrets" bullshit is just childish and funny. These governments, which are little more than bigger street gangs, think their dinky little "secrets" are important. They don't realise just how silly they look when they claim such things.

      "National security", what a fucking joke. It's like they have their own little dear diary that they think is important like a small child would.

    17. Re:An accident? by HiThere · · Score: 1

      It is a good question. Often when "classified material" becomes public knowledge, say by being declassified, it becomes blatantly obvious that there was never any valid reason to classify it. But there really *are* significant secrets that actually shouldn't be revealed. However I don't include internal political advantage as a valid reason.

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
    18. Re:An accident? by Anonymous Coward · · Score: 0

      Booz Allen Hamilton always seem to lose their drug and alcohol stash after those words are spoken.

    19. Re: An accident? by Anonymous Coward · · Score: 0

      Window$ stays half pregnant.

    20. Re:An accident? by dbIII · · Score: 1

      It's very important to have a porpoise before attempting time travel or you end up with a pair of ducks.

    21. Re:An accident? by Anonymous Coward · · Score: 0

      How come they have not been hit with that crypto locker?
      Booze Allen gets their shit back for 50 bitcoins.
      Ha ha!

    22. Re:An accident? by DickBreath · · Score: 1

      Tiny hands are common accessories for tiny minds.

      --

      I'll see your senator, and I'll raise you two judges.
    23. Re:An accident? by DickBreath · · Score: 1

      Being president while under the influence of covfefe.

      Maybe covfefe is a Russian code word that when used on Twitter is intended to trigger some action, such as Putin hinting that Russian private citizens might have had some involvement in influencing US elections.

      I can think up crazy insane theories just as well as the alt-right nutjobs. Maybe better.

      --

      I'll see your senator, and I'll raise you two judges.
    24. Re: An accident? by Anonymous Coward · · Score: 0

      It's a typographical error, nimrod. You baizou sure are grasping at straws.

  2. Accident by Anonymous Coward · · Score: 0

    Accidentally leaving information for someone else to obtain is a great way of escaping a harsh punishment.

    1. Re:Accident by DickBreath · · Score: 3, Informative

      Especially if no harm was done.

      > The NGA on Tuesday confirmed the leak to Gizmodo while stressing
      > that no classified information had been disclosed.

      So no harm, no foul fowl.

      > “NGA takes the potential disclosure of sensitive but unclassified information
      > seriously and immediately revoked the affected credentials,”
      > an agency spokesperson said.

      I feel safer already. They closed the barn door after it came to their attention that the horse had escaped.

      > The Amazon server from which the data was leaked was “not directly
      > connected to classified networks,” the spokesperson noted.

      That makes me wonder how the information got there then. It must have been some really strange kind of unintentional accident if there is no possible connection between the networks.

      > Typically, US government servers hosted by Amazon are segregated into
      > what’s called the GovCloud—a “gated community” protected by advanced
      > cryptography and physical security. Instead, the Booz Allen bucket was found
      > in region “US-East-1,” chiefly comprised of public and commercial data.

      So these 60,000 files weighing in at 28 GB, and "contain[ing] at least a half dozen unencrypted passwords belonging to government contractors with Top Secret Facility Clearance", must have gotten there through some amazing series of unintentional accidents.

      Will wonders ever cease?

      --

      I'll see your senator, and I'll raise you two judges.
    2. Re:Accident by gnick · · Score: 3, Informative

      > The Amazon server from which the data was leaked was “not directly
      > connected to classified networks,” the spokesperson noted.

      That makes me wonder how the information got there then. It must have been some really strange kind of unintentional accident if there is no possible connection between the networks.

      I don't understand the confusion. The Amazon server was never connected to a classified network and no classified information was leaked. It would be a really strange accident if data had migrated off of a classified network. That didn't happen.

      --
      He's getting rather old, but he's a good mouse.
    3. Re:Accident by Anonymous Coward · · Score: 0

      sensitive =/= classified.

      hence sensitive but unclassified.

    4. Re: Accident by Anonymous Coward · · Score: 0

      That's exactly what the author was saying. Congrats on the ability to read.

    5. Re:Accident by MonteCarloMethod · · Score: 1

      So no harm, no foul fowl.

      Stop trying to make this about fauna you animal!

  3. Suitable Punishment by DatbeDank · · Score: 5, Insightful

    Refuse to allow Booz any new government contracts for their incompetence. (Won't happen)

    1. Re:Suitable Punishment by DickBreath · · Score: 3, Insightful

      Sir, what you suggest might negatively affect the economies of several congressional districts.

      --

      I'll see your senator, and I'll raise you two judges.
    2. Re:Suitable Punishment by DickBreath · · Score: 2

      > Sensitive files tied to a US military project were leaked by a multi-billion dollar firm
      > once described as the world’s most profitable spy operation, Gizmodo has confirmed.

      I think that should indicate it won't happen.

      --

      I'll see your senator, and I'll raise you two judges.
    3. Re:Suitable Punishment by chispito · · Score: 1

      Refuse to allow Booz any new government contracts for their incompetence. (Won't happen)

      Good call, then only the companies whose stupid actions haven't been caught yet will get all the contracts. You probably think this is an exceptional level of incompetence, but it is not. Enumerating unsecured, exposed and supposedly temporary dev systems is a very common and lucrative way to collect bug bounties.

      --
      The Daddy casts sleep on the Baby. The Baby resists!
    4. Re:Suitable Punishment by chispito · · Score: 1

      Sir, what you suggest might negatively affect the economies of several congressional districts.

      Booz Allen is all over the place. I count 71 offices in 28 states (I counted quickly; I could be a bit off). Most of the stuff that applies to the Pentagon is going to naturally be in their DC, Maryland, and Virginia locations, I suspect. But there are sure to be a lot of wheels for them to grease nonetheless.

      --
      The Daddy casts sleep on the Baby. The Baby resists!
    5. Re: Suitable Punishment by Anonymous Coward · · Score: 0

      That would be capitalism!

    6. Re:Suitable Punishment by sconeu · · Score: 1

      Actually, if a company is flagged with a sufficient number* of security violations, the US.gov will drop current contracts and refuse to issue new ones that require access to classified data.

      * The definition of a "sufficient number" is probably extremely flexible.

      --
      General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
    7. Re:Suitable Punishment by Chris Mattern · · Score: 1

      That number for a contractor with as much influence as Booz Allen Hamilton being approximately one googleplex.

    8. Re:Suitable Punishment by barc0001 · · Score: 1

      No problem. Strangely work that would have gone their way is now instead going to a new corporate entity named AllenBooz which is totally separate and not at all connected.

    9. Re:Suitable Punishment by dbIII · · Score: 1

      That's what we are told is supposed to happen, but has it ever happened?

    10. Re:Suitable Punishment by Anonymous Coward · · Score: 0

      OK, so like make some shit data, claim it has been leaked, now it has value, some shady dude buys it, swallows it, gets poisoned.
      How can you even trust gibillions of random data floating around, found in some honey pot?

    11. Re:Suitable Punishment by sconeu · · Score: 1

      When I held a clearance (thank the FSM I don't anymore), it was drilled into us.

      --
      General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
    12. Re:Suitable Punishment by dbIII · · Score: 1

      When I held a clearance (thank the FSM I don't anymore), it was drilled into us.

      That's interesting to read but not anything like an answer.
      Has anyone else heard of a case where the threat was followed through on? All I keep hearing about is fuckups of this type that get ignored when contracts are renewed. I've seen a few myself and fruitlessly argued to ditch the contractor but not in a security situation.

  4. Mapmaker mapmaker by turkeydance · · Score: 1

    Make me a map, Find me a find, catch me a catch...FOTR

    1. Re:Mapmaker mapmaker by Anonymous Coward · · Score: 0

      Make me a sandwich, find me a fish, catch me a cold...BOTR

    2. Re:Mapmaker mapmaker by DickBreath · · Score: 1

      > Make me a map, Find me a find, catch me a catch...FOTR

      . . . . and in the darkness bind them...LOTR

      --

      I'll see your senator, and I'll raise you two judges.
  5. Doesn't matter by Anonymous Coward · · Score: 0

    Remember where Snowden worked? Were there any consequences for his employer? Not that I know of. Remember Harold Thomas Martin III who stole 50 TB of NSA data? Guess which company he worked for? Any consequences for the company? Haven't heard of any. They are still a government contractor.

    Booz Allen Hamilton can do whatever the shit they want.

    1. Re:Doesn't matter by DickBreath · · Score: 3, Insightful

      Triangle. Congress critters control taxpayer money used by the military. The military uses private contractors in those congress critters' districts. Those private contractors control the money given to congress critters, thus completing the triangle.

      --

      I'll see your senator, and I'll raise you two judges.
  6. hillary defense by Elric55 · · Score: 1, Troll

    let's see how well the hillary defense holds up on this one.

    1. Re:hillary defense by DickBreath · · Score: 2

      I've heard the Hillary defense many times. I'm not sure how it would apply here. Or maybe I'm thinking of the wrong Hillary defense.

      The Hillary defense goes something like this: . . . . bu, bu, but Hillary's email servers! And Hillary this, and Obama that and Hillary something else! What about those? It's so unfair!

      --

      I'll see your senator, and I'll raise you two judges.
    2. Re:hillary defense by lgw · · Score: 4, Interesting

      The actual Hillary defense would hold up quite well, and always will: you have more dirt on everyone important involved in the process than what you're accused of. Hard to pull off if you weren't recently married to someone with access to the classified dossiers of every congresscritter and senior bureaucrat, however.

      Heck, the only reason Obama was able to take the primary was that he came out of nowhere, so the Clintons didn't have any dirt on him.

      --
      Socialism: a lie told by totalitarians and believed by fools.
    3. Re:hillary defense by Anonymous Coward · · Score: 0

      As opposed to the Trump defense, "Since I blabbed the secret directly and it's no longer secret I can claim it was strategic without specifics or understanding, by the way I never mentioned Israel."

  7. It is intentional. by 140Mandak262Jamuna · · Score: 1

    This guy should go to jail.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
  8. Yeah, but did they INTEND to leak classified info? by Anonymous Coward · · Score: 0

    it doesn't count if you didn't mean to, right?

  9. tarball... by Anonymous Coward · · Score: 0

    ... or it didn't happen.

  10. Use the Clinton Defense... by Anonymous Coward · · Score: 0, Troll

    He certainly didn't have intent to do that, so he shouldn't be prosecuted... right? I mean, that's what the FBI and Hillary Clinton said, so it must be right?

  11. Re:Yeah, but did they INTEND to leak classified in by DickBreath · · Score: 2

    Intent does not change the color of the pregnancy test stick.

    Intent does not bring people back to life after collision with drunk driver.

    Intent is not going to undo the results that will follow from putting a clown circus in power.

    The road to somewhere is paved with good intentions.

    --

    I'll see your senator, and I'll raise you two judges.
  12. WTF? by hackel · · Score: 4, Insightful

    Why do documents with plain-text user credentials exist ANYWHERE, for ANY REASON in the first place? Is the government (or at least the NGA) really that completely incompetent? This is shocking! I don't care that it was leaked. We need to assume that is ALWAYS going to happen. I care that such documents were ever created in the first place.

    1. Re:WTF? by avandesande · · Score: 1

      Maybe for first log in?

      --
      love is just extroverted narcissism
    2. Re:WTF? by Anonymous Coward · · Score: 0

      Because average people cannot cope with passwords. They just can't.

    3. Re:WTF? by Anonymous Coward · · Score: 1

      First you have to understand that the large majority of Booz employees are ex/retired military officers. These are the types that feel that rules should apply to everyone but themselves. But it is okay because they all wear a tie and that makes them Professionals.

    4. Re:WTF? by dbIII · · Score: 1

      Because average people cannot cope with passwords. They just can't.

      Then train them to be better than average.
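
Comment 12 above asks why files with plaintext credentials exist at all. One control that catches them before they reach a shared store is a secret scan over the file tree at commit or upload time. As an added example, not code from the page or from any of the parties it discusses, the Python below runs such a scan over a handful of constructed files; the AWS key pair is the placeholder pair from AWS's own documentation, and the paths and other values are made up. The report redacts what it finds, so the scanner's output is not itself a second copy of the secret.

```python
"""Scan a set of text files for plaintext credentials before they are
shared. Sample files are constructed inline below; the report redacts
the matched secret so the scan output is safe to attach to a ticket."""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "path line kind redacted")

# Each pattern captures the secret itself in group 1 so it can be redacted.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws_secret_access_key\s*[=:]\s*[\"']?([A-Za-z0-9/+=]{40})"),
    "private_key_block": re.compile(
        r"(-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----)"),
    # No leading \b: the key is usually spelled db_password, DB_PASSWORD, etc.
    "password_assignment": re.compile(
        r"(?i)(?:password|passwd|pwd)\s*[=:]\s*[\"']?([^\s\"']{4,})"),
}

# Values that are templates or obvious placeholders, not real secrets.
PLACEHOLDERS = {"<redacted>", "changeme", "xxxx", "{{password}}"}


def redact(secret):
    """Keep 4 characters at each end for long values so a finding can be
    matched to the file by eye; mask short values completely."""
    if len(secret) <= 8:
        return "*" * len(secret)
    return secret[:4] + "*" * (len(secret) - 8) + secret[-4:]


def scan_text(path, text):
    """Return a Finding for every credential-looking value in one file."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                secret = match.group(1)
                if secret.lower() in PLACEHOLDERS or secret.startswith("${"):
                    continue
                findings.append(Finding(path, lineno, kind, redact(secret)))
    return findings


def scan_files(files):
    """files: {path: text}. In practice this is a walk over a directory;
    the dict keeps the example self-contained."""
    out = []
    for path, text in sorted(files.items()):
        out.extend(scan_text(path, text))
    return out


# Constructed sample tree. The AWS key pair is the documentation example
# pair AWS publishes; nothing here is a working credential.
SAMPLE_FILES = {
    "deploy/env.sh": (
        "export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    ),
    "config/app.ini": "db_host = db.internal\ndb_password = hunter22\n",
    "config/template.ini": "db_password = ${PASSWORD}\n",   # template, not a secret
    "keys/id_rsa": "-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n",
    "README.txt": "Credentials are provided by the vault at run time.\n",
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line}: {f.kind}: {f.redacted}")
```

The placeholder list and the `${...}` check are what keep this usable in a pipeline: without them every config template trips the scanner and people learn to ignore it. Pattern lists like this catch the common shapes (cloud keys, PEM blocks, `password=` assignments) and nothing else; a high-entropy string in an unfamiliar format goes through, so the scan is a backstop for the "first login" and "people cannot cope with passwords" cases the replies above describe, not a substitute for keeping credentials in a secrets manager in the first place.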

  13. Intentionally left by aglider · · Score: 1

    Possible options:
    Idiotic contractors
    Idiotic employers
    Any blend of the above

    --
    Sent as ripples into the electromagnetic field. No single photon has been harmed in the process.
  14. Mar-a-Lago does this all the time by WillAffleckUW · · Score: 0

    Why should the gander have different rules than the Russian goose?

    That said, the NSA toolkit originally was from a cloud store that should never have been let outside of the secure net.

    --
    -- Tigger warning: This post may contain tiggers! --
  15. Remember by Anonymous Coward · · Score: 0

    Remember Obama leaking the doctor's name in Pakistan that led us to Osama Bin Ladin.
    Remember that doctor being killed because of Obama's leak?

    Yea, Obama leaked and allies died. You didn't care.

    1. Re:Remember by Anonymous Coward · · Score: 0

      Bin Laden died nonviolently of kidney failure in December 2001.

    2. Re: Remember by Anonymous Coward · · Score: 0

      You mean Shakil Afridi who is currently in jail in Pakistan, and who Donald Trump said he could release in two minutes if elected?

      Subsequent investigation found no evidence that the Obama administration leaked his name. It was a baseless, politically motivated accusation.

      If you're going to lie, at least make it plausible.

  16. "Booz" Allen by Anonymous Coward · · Score: 0

    'nough said

  17. So... by argStyopa · · Score: 3, Insightful

    ...quick question: did this numbskull ACTUALLY GET FIRED?

    Because what I'm finding in our firm's dealing with government and contractors is that very, very few people are ever *actually* held accountable for fuckups.

    And I'm talking about people from congresscritters and senior presidential staff on down.

    --
    -Styopa
    1. Re:So... by Fire_Wraith · · Score: 2

      From what I've seen, the only thing that really has any impact is loss of clearance. Otherwise, they turn around and wind up with a new job for another contracting company at a different agency. I've known and worked with people in the government/contracting world who were either fired or quit just ahead of being fired, that were right back in another job at the drop of a hat.

    2. Re:So... by Anonymous Coward · · Score: 0

      ...quick question: did this numbskull ACTUALLY GET FIRED?

      Because what I'm finding in our firm's dealing with government and contractors is that very, very few people are ever *actually* held accountable for fuckups.

      Hey, people get fired from government all the time. Point out that new social justice hire was caught on video pledging to destroy America and BOOM you're out the door. We can't have any Islamophobia in office when the boss has his quotas to meet, lawyers are threatening to sue us for having a hostile work environment, and our national policy is to be friendly to Islam, any kind of Islam. They went through all of the branches and got rid of every single person who studied the Muslim Brotherhood so we would never have this kind of fuckup again.

    3. Re:So... by OverlordQ · · Score: 1

      > ..quick question: did this numbskull ACTUALLY GET FIRED?

      Short answer: If it could have any potential to affect their ability to bid on contracts, your ass will be out the door before you realize what you did.

      --
      Your hair look like poop, Bob! - Wanker.
  18. Well, well . . . by hduff · · Score: 1

    An unintentional act of treason . . .

    --
    "I believe in Karma. That means I can do bad things to people all day long and I assume they deserve it." : Dogbert
  19. How was it found?? by dasgoober · · Score: 1

    Was someone just typing in random URLs or IP addresses with random sub-directories and .... surprise??

    1. Re:How was it found?? by snookiex · · Score: 1

      That's my weekend hobby, you insensitive clod!

      --
      Open Source Network Inventory for the masses! Kuwaiba
  20. How this works ... business card people make out by Anonymous Coward · · Score: 0

    If they get nailed bad enough, all the management on the impacted contracts will leave/be fired. They will open a new defense contractor and in 6 months bid on the contract with a 3% cost reduction to the govt.
    They will win, because they are the low bidder.
    That leaves all the prior workers stuck, looking for a job, which they will each be offered at the new company for a 10% pay cut.
    The new company will lease the exact same building, same furniture, use the same medical insurance, and probably even keep the same parking space reservations from before.

    On day one of work for each worker, they will be provided a new sticker and new HR forms to sign, but told to go to their old office/cubes and get to work.
    In effect, 5% of the upper management will be replaced. 10-20% of the old workers won't be hired back (usually those with expertise or near retirement) and for that, the new company will be slightly more profitable off the bat.

    Nothing about the processes and procedures will be effectively changed. Nothing.

    BTW - I say this as someone who did the exact same job over a 7 yr period, but with 4 different "stickers" over my company access badge.

    Besides the new upper management, only the card stock/business card people made out.

  21. Beltway Bandits by Anonymous Coward · · Score: 0

    >Booz Allen... Often referred to as the Pentagon's "mapmakers,"... the combat support agency...

    WHY are we still relying on contractors for combat support. Heck for anything? Can the government not just 'hire' their own mapmakers?
    I understand one reason gov does not hire so many staff, (preferring to administer contractors instead), is the retirements, health ins, benefits, etc. outweigh what contractors cost.

    Anyway, back to the original point, why do departments not have in-house staff for these things?

    1. Re:Beltway Bandits by Anonymous Coward · · Score: 0

      Anyway, back to the original point, why do departments not have in-house staff for these things?

      It's easier to fire government contractors than it is to fire government employees. Budget gets cut? Give some contractors the ax.

    2. Re: Beltway Bandits by Anonymous Coward · · Score: 0

      Budget always seems to go up and nobody ever gets fired, just shuffled around.

    3. Re:Beltway Bandits by AHuxley · · Score: 1

      If the US uses gov workers that's more union workers and tax money needed to support them.
      If the US gov offers bids to contractors that's full employment in the private sector being paid for by the US taxpayer.
      The costs allow US political leadership to cling to its "private" sector policy.
      With private sector workers all looking at the same US product and US data sets, everything is kept in plain text too. So all the contractors can bid and work with gov/mil data.
      If the US gov encrypts its own data then the private sector would have less ability to work with the gov data or bid for work.
      So it's all kept open, in plain text and contractor friendly so politicians can say they fully support the private sector.

      --
      Domestic spying is now "Benign Information Gathering"
  22. Re:Yeah, but did they INTEND to leak classified in by Anonymous Coward · · Score: 0

    All statements are true. I don't care for people using intent to completely waive consequences for one's actions. It matters for sentencing, but that is about it.

  23. It's the russians. by Anonymous Coward · · Score: 0

    I'm sure it was an amazon instance hosted in Russia.

  24. Probably the same clown by Anonymous Coward · · Score: 0

    Probably the same clown that left the files unprotected on Kim Dotcom's equipment - which is why it had to be confiscated.

  25. So where's the torrent? by schleimkeim · · Score: 1

    I hope the people on gizmodo put up a torrent with the files somewhere, because sharing is caring.