Thousands of Job Applicants Citing Top Secret US Government Work Exposed In Amazon Server Data Breach (gizmodo.com)
According to Gizmodo, "Thousands of files containing the personal information and expertise of Americans with classified and up to Top Secret security clearances have been exposed by an unsecured Amazon server, potentially for most of the year." From the report: The files have been traced back to TigerSwan, a North Carolina-based private security firm. But in a statement on Saturday, TigerSwan implicated TalentPen, a third-party vendor apparently used by the firm to process new job applicants. "At no time was there ever a data breach of any TigerSwan server," the firm said. "All resume files in TigerSwan's possession are secure. We take seriously the failure of TalentPen to ensure the security of this information and regret any inconvenience or exposure our former recruiting vendor may have caused these applicants. TigerSwan is currently exploring all recourse and options available to us and those who submitted a resume."
Found on an insecure Amazon S3 bucket without the protection of a password, the cache of roughly 9,400 documents reveals extraordinary details about thousands of individuals who were formerly and may be currently employed by the U.S. Department of Defense and within the U.S. intelligence community. The files, unearthed this summer by a security analyst at the California-based cybersecurity firm UpGuard, were discovered in a folder labeled "resumes" containing the curriculum vitae of thousands of U.S. citizens holding Top Secret security clearances -- a prerequisite for their jobs at the Central Intelligence Agency, the National Security Agency, and the U.S. Secret Service, among other government agencies.
TigerSwan was negligent by outsourcing to a negligent vendor. If you want something done right, do it yourself.
deep state is no doubt feeling embarrassed, caught like this with its pants down, exposing its boring workaday backside of grunts.
only penetration is lacking.
any takers?
My current job is at [REDACTED] and my security clearance is [REDACTED]. My cover story is cleaning out IT closets. My actual job description is [REDACTED].
Because this we must stop.
Same would apply to Russia but of course, Russia has nothing anybody wants.
The OPM data breach lost all the shit anyway. It's a treasure trove for identity theft. Where did you go to high school, what was your mother's maiden name, what was your address 20 years ago? It's all in those SF171 forms.
My bad. I meant to type rm -rf resumes/, but I apparently typed chmod -R a+rw resumes/. It won't happen again. I got U next time, fam.
So yeah, it's bad when something sensitive ends up on Amazon cloud with no password. That's obvious. What no one ever talks about is: so what if it did have a password? Amazon and likely hundreds of employees have access to it.
I have worked with programmers who are really smart, easily able to solve very tricky or complex problems, and yet also terribly sloppy when it came to security (prone to doing things like what someone at TalentPen allegedly did).
Intelligence is simply not enough. Proper security also requires the right mindset and the will to get it right. Companies are happy whenever they can find anyone that can get stuff working, and management generally just assumes that these developers know what they are doing and are always thinking about security already. Which is patently false, especially during crunch time.
Engineering proper security into products begins at the top; the execs must be serious about it, and they must be serious about building policies around it, screening candidates that can do it, hiring and utilizing auditors for it, etc.
Without that level of focus from the top, security simply does not happen, no matter how smart the crew is.
The OPM data breach lost all the shit anyway. It's a treasure trove for identity theft. Where did you go to high school, what was your mother's maiden name, what was your address 20 years ago? It's all in those SF171 forms.
You're thinking too small. It's not about identity theft. It's about intelligence work and social engineering of people who are involved in national security. It's about recruiting new spies. It's about predicting and influencing policy. And with resumes, it's about understanding another country's secret projects so you can work against them.
https://yro.slashdot.org/story...
You're responsible for your vendors, doubly so since assessing security of others is your business.
In a sane universe, the founders and owners of TigerSwan would be sued for every dime they have and be barred in perpetuity from all government contracts. In reality, this will get papered over using lame excuses, and Democrats and Republicans will continue to unite in institutionalized corruption and cronyism, in particular in favor of ex-military and ex-government employees.
Not that it's an excuse, but in what universe is it OK to have internet-connected data repositories that don't have a password? When is that EVER a good idea? Why can you even create a bucket without some kind of authorization on it? That's just kinda stupid.
And yea, TigerSwan: You were freaking responsible for the data. You might not directly employ the guy who screwed up, but your contractors are YOUR problem. The fact that you obviously DIDN'T control your contractors properly indicates that you probably aren't the right guys for the job.
A thousand pounds of wood moving at 300 feet per minute. Don't get in the way.
Surprised Chris Vickery from upguard wasn't slapped with felony cyber terrorism charges and arrested yet. This kind of unauthorized access is criminal and he should never see the light of day, much less a computer, for the rest of his life. TigerSwan and TalentPen are the real victims here. He probably even wears a hoodie. /s
Why does this writer hate Amazon? There is only one reason to say that the file was on an Amazon server and that is to make the readers think that Amazon servers are unsecure. S3 is "no access" by default. Someone has to intentionally set an access policy that allows read from the internet. Someone incompetent did just that. Amazon is not at fault here.
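The comment above makes the key point: an S3 bucket denies anonymous access until someone attaches a policy that opens it. The following is an added example, not code from Amazon, TigerSwan, TalentPen or the commenter, showing how a defender can audit a bucket policy document (the JSON returned by `GetBucketPolicy`) for statements that grant object reads to the anonymous principal, and combine that with the bucket's Public Access Block settings. The bucket name, account id and role name in the sample policy are constructed placeholders.

```python
"""Static audit of an S3 bucket policy for anonymous read access.

Added example (not TalentPen's, TigerSwan's or AWS's code): a small linter
that reads a bucket policy document, as returned by GetBucketPolicy, and
reports every Allow statement that grants object reads to the anonymous
principal. It runs offline on a constructed sample policy.
"""
import json

# Actions that let the caller read object contents (IAM matches them case-insensitively).
READ_ACTIONS = {"*", "s3:*", "s3:get*", "s3:getobject", "s3:getobjectversion"}


def _as_list(value):
    """IAM lets most policy fields be either a single string or a list of strings."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def principal_is_anonymous(principal):
    """True when the Principal element matches everyone, including unauthenticated callers."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def grants_object_read(actions):
    """True when at least one action in the statement permits reading object data."""
    return any(a.lower() in READ_ACTIONS for a in _as_list(actions))


def public_read_statements(policy_document):
    """Return the Sids (or positional labels) of statements allowing anonymous object reads.

    Conservative by design: a statement is reported even if it carries a
    Condition element, because a condition such as aws:SourceIp still leaves
    the objects reachable from some part of the internet.
    """
    policy = json.loads(policy_document) if isinstance(policy_document, str) else policy_document
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if not principal_is_anonymous(stmt.get("Principal")):
            continue
        if not grants_object_read(stmt.get("Action")):
            continue
        findings.append(stmt.get("Sid", f"statement[{index}]"))
    return findings


def bucket_is_publicly_readable(policy_document, public_access_block=None):
    """Combine the policy check with the bucket's Public Access Block settings.

    Simplification: when RestrictPublicBuckets is enabled, S3 stops honouring
    the public parts of the policy for anonymous callers, so a public-read
    statement is no longer reachable from the internet.
    """
    block = public_access_block or {}
    if block.get("RestrictPublicBuckets"):
        return False
    return bool(public_read_statements(policy_document))


# Constructed sample policy (hypothetical bucket, account and role) mixing a
# public-read statement, an explicit deny, and a statement scoped to one role.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PublicRead",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-resumes-bucket/*",
        },
        {
            "Sid": "DenyDelete",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:DeleteObject",
            "Resource": "arn:aws:s3:::example-resumes-bucket/*",
        },
        {
            "Sid": "RecruiterRole",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:role/recruiting"},
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": "arn:aws:s3:::example-resumes-bucket/*",
        },
    ],
})

if __name__ == "__main__":
    print("public-read statements:", public_read_statements(SAMPLE_POLICY))
    print("readable with no Public Access Block:", bucket_is_publicly_readable(SAMPLE_POLICY))
    print("readable with RestrictPublicBuckets:",
          bucket_is_publicly_readable(SAMPLE_POLICY, {"RestrictPublicBuckets": True}))
```

Run against the sample policy, only the `PublicRead` statement is reported; the explicit deny and the role-scoped statement are ignored. The same functions can be pointed at real policy documents fetched with the AWS CLI or SDK, and the Public Access Block check shows why enabling `RestrictPublicBuckets` at the account level is the cheap guardrail that would have neutralised a policy like the one in this story.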
Once again we witness how governments should not be in IT. Why don't they outsource this kind of thing to Amazon or Google or something like that? Those companies know what they are doing.
Amazon is not the one responsible for this. It's the idiot who didn't bother to secure the data. Amazon just gets attention in the headline.
All of you Wikileaks supporters should applaud the transparency created by this breach. If you don't, then you're a hypocrite.
I believe we should have more transparency. But that doesn't mean I have to believe everything should be transparent. The government needs to have some secrets. 99% of classified material shouldn't be classified, but the other 1% should be.
Anyway, I don't see the big deal about this breach. I had a "top secret" clearance for more than a decade. The government hands them out like candy corn on Halloween, and you can just assume that any tech within 100km of the Beltway likely has one.
During the 10+ years I did defense work, I don't think I ever saw anything that made me go "Wow, it would be really bad if the commies knew about this!" It was mostly mundane stuff.
So long as there are no penalties for bad security, we will not have a concerted effort to always have good security.
Anons need not reply. Questions end with a question mark.
I am SOOOooo fuckin' HAPPY!!!
https://www.youtube.com/watch?v=nabrmNTrBiU
https://www.youtube.com/watch?v=ZbZSe6N_BXs
https://www.youtube.com/watch?v=XjpraGVs2Sg
https://www.youtube.com/watch?v=MOWDb2TBYDg
Dude, lighten up.
Leaking personal info about people with clearances is not the same thing as whistle blowing illegal government activities.
The fact that you don't know the difference – or can't tell the difference – is telling. It explains a lot, IMO, about how some of you see false equivalences between, e.g., Black Lives Matter and the Nazis.
So who's the hypocrite really? Off hand, I'd say it's you.
Every time I hear the phrase 'insecure document' I die a little ... of laughter.
An insecure document is a document that is harbouring feelings of self-doubt. 'Am I really a document? Do people like to read me? Does this file format make me look fat?'
Folks, it's unsecured, not insecure. Yeah I know, it's probably too late to change this. But I just need to say it. There, I feel better now.
If it weren't for deadlines, nothing would be late.
And all to pretend to improve the bottom line.
Yeah, except for their wheat, their top-notch SAM, their top-notch rocket engines America buys, and lots of other top-end products and services.
It makes it sound like there was an attack on Amazon's infrastructure, when actually, this was a totally ordinary screwup by TalentPen.
Read it. Understand that the US has always been easily penetrated at this level. We have no real security worth the name at the private sector contractor level.
HBI's Law: Frequency of calling others Nazis is directly correlated with the likelihood of the accuser being Communist.
You just summarized politics itself. Here are the actual facts on the ground:
1) No one cares about this breach except the usual paranoids in the USG. They can up the tall tales of threat all they want, there's a certain limit to how much people with actual power will buy it.
2) This issue is irrelevant from a mass media perspective. The common person doesn't care, so that angle is covered.
So, therefore, from a contracting perspective, this is a non-issue. The auditors will bitch and moan but business will go on as usual. You have to show an actual impact to get anything done at this level.
In Brazil, Dilma Rousseff and Lula da Silva created a cyber group that spies on the police and on specific people. They are linked with arms, drugs and slavery. They already are very big, so hurry up, motherfucker. They like to blame other people, so they have a lot of proxies.
Shh, buddy. "Mundane stuff" isn't good enough to justify $0.8 trillion/year in defense spending.
To sell this to the public, we need a shroud of "top secret" mystery, evil enemies attacking our democracy, and ideally even some kinda Russia collusion!
(cause the goat-fuckers in Afghani caves just aren't cutting it).
"TigerSwan" and "TalentPen"? Really?
Aren't those the names of the newer black-ops programs from the next Jason Bourne movie, now that they are fully finished with "Treadstone" and "Blackbriar"?
"At no time was there ever a data breach of any TigerSwan server"
Technically correct. But completely misleading.
Have gnu, will travel.
I'm just illustrating the point of view of the powers that be. Understanding it doesn't signal agreement.
We love this project! Just ordered 50 sets of parts for the boys and girls to play with, including the optional countdown timers with big red digits BUT Adafruit, Sparkfun and the rest have no plutonium in stock and told our agents it's very unlikely they'll be able to get any more (Health & Safety or some other bureaucracy hindering the Maker community as usual).
You probably know and our scientists confirmed, even under torture, that plutonium is an essential part of the device. We tried everywhere from Alibaba and Amazon to Zod's Killing Supplies without success so we'd be grateful if you'd provide us with a source. Could you tell us where Comrade Kim gets his, if it's not a trade secret?
Best wishes (unless you cross us),
World Domination Inc
(Please note that we have no connection to Elon Musk)
Aweeeee... Bu-but it was HER TURN!!
You lost. Get over it already, dipshit.
I don't know what else to say.
Plutonium is readily available on the dark web. Be aware that this stuff is VERY dangerous and may be illegal in your country. I am not responsible for how you use this information.
If you are skilled at using Tor, follow the instructions in the following video - AT YOUR OWN RISK.
https://www.youtube.com/watch?v=1w8j7jSLsrs
You know, maybe what is old is new again, those active duty back so far there was no such thing as Amazon, still know my craft, but nobody knows me or my home address. I can pass a real security clearance all the way back to birth and I am not fat or drunk, the only problem is I wouldn't work for government again, unless it's to arrest people for treason.
No security company that blames security breaches on its own subcontractor is worse shit. It demonstrates that they are useless for any real-world security. Everyone deals with subcontractors. If you can't verify their security, you are worthless.
Nazis are EVERYWHERE! There's one under my bed right now!
Great show of ignorance. There are things that the government SHOULD be keeping secret/secure and things that they should not ever be allowed to hide. Private details of individuals, especially their security clearance levels, are something that should ALWAYS be secured, and I think you would find even WikiLeaks would censor that data before releasing it.
I've held plenty of clearances, going back over 20 years. At NO point during my service or debriefs from leaving jobs that required clearances was it deemed illegal or even discouraged to list my work on a resume, also known as that unclassified document you share with anyone and everyone you might want to work for all throughout your life.
Was sensitive information leaked? Application documents included driver's license info, passport numbers, and some SSN data. Yes, I'd say some PII was not protected well. But enough of this "Top Secret" bullshit hype. Gathering a list of U.S. citizens who hold Top Secret clearances would probably take about 30 seconds on LinkedIn, also known as that public website that specializes in whoring out your curriculum vitae.
Wait, I can explain, that's just a ... erhm ... friend, and he has a SS uniform fetish for BDSM play that... oh. You meant YOUR bed.
Ok, never mind, carry on.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Live by the cloud, die by the cloud.
The "cloud" is just some machine(s) somewhere that you have no security control over, that you have no reliability control over, that you have no maintenance control over, that you have no connectivity control over, that some marketing weasel somewhere (who you also have no control over) has convinced you is "better", when there's absolutely no concrete assurance of that.
You use "the cloud" for anything critical, you're a fool. It's a fad. A dangerous fad. Sure, you might save a few bucks up front over a proper server or servers and the people required to keep said hardware and software up, secure and running properly, but eventually, it'll very likely bite you because the model is inherently flawed: The interest in and concern for your work which only you have has been firmly separated from the control of your work, which only they have. The more critical your data / processes, the harder you're likely to get bitten. In the meantime, you're eroding the pool of qualified people who can actually keep your data and processes safe and operating. One tiny win followed by a series of avalanching losses.
I've fallen off your lawn, and I can't get up.
There's a public square in most conventional towns. Doesn't mean anyone with a lick of common sense goes out there dragging bags of money with them.
If your stuff needs security, you don't put it somewhere that has no security.
If your stuff needs security, and you hire someone who knows nothing about security to manage it, it's your fault.
Everyone knows that leaking USG workers info puts them in danger and these leakers "have blood in their hands". The USG should just drone them.
Every single individual with Top Secret clearance has already been exposed with the OPM breach (2012-2015). OPM (Office of Personnel Management) suffered a successful spear phishing breach in which the personal information of every single current and past federal worker (including all military and those who've applied for the Top Secret clearance) was stolen. The number of individuals exposed exceeds 21 million. The lost information included the 127-page personal questionnaire required for clearance evaluation.
Essentially, every single US spy had their personal information - including secrets that could be used for blackmail - stolen and sold to foreign governments.
The OPM breach makes every other data theft look trivial in comparison. The fact that the main storing house for all Federal information did not keep PII encrypted at rest is greatly telling and disturbing.
Russia's INCREDIBLY rich in natural resources http://www.bing.com/search?q=russia+natural+resources+list&qs=AS&pq=%22russia+natural+resources&sk=AS1SC1&sc=8-25&cvid=D7E80F6184BE4F27A4B3644B918EADA6&FORM=QBLH&sp=3/ & I've heard tell that they even have MORE than Africa itself as well!
APK
P.S.=> Guys like you should "look before you leap" & speak... apk
You can put that you have a clearance on your resume, if you want.
Some people are a bit more cagey - they put something like "SSBI on MM/YY" or "full scope poly on MM/YY"
And employers generally put "clearable" or "had SSBI in last 3 years" or something like that in their requisition. And that's just to reduce the flood of resumes, because as soon as your resume comes in, they can just go look you up in one of the official databases (e.g. JPAS) and see what clearance you really have.
Millions of people have clearances, and I'm sure there are essentially open lists (perhaps they're For Official Use Only FOUO, but you know).
Someone who is looking for potential "converts to the cause" or "mercenary thieves" or whatever is going to
a) care more about other access than a S or TS
b) care more about specifically *where* you work and what access you might have
Oh, you're an underpaid file clerk handling design documents for spy satellites? We know who makes such satellites, we know where the people who work there live and play, we go there and just wait to find someone who looks ripe for the picking. Then a suitable approach, whether false flag, or sticking it to the man, or that professional colleague working on their masters, or that cute boy/girl, or whatever.
where shit happens??? Computer security is a pointless exercise in futility.
No public cloud may be used to hold US classified data, period. Not even Amazon's US-government-exclusive GovCloud region is permitted for such use. At most, it can be used for "SBU" - Sensitive But Unclassified - data. If any of the data involved in this incident was actually classified, then the shitstorm is just beginning for these contractors, whether the data was protected or not.
Exactly, and this is the kind of thing that puts people's lives at risk. If you think we shouldn't have intelligence agencies, then you're just a moron. And if you think the people who work there should be exposed, you're a dangerous moron.
OPM is run by the USG itself. (should be) a big difference. What Boeing, Northrop Grumman or General Dynamics do is one thing...and not very good. What the USG does itself is quite another.
No argument with the criminal negligence involved in the OPM leak.