Slashdot Mirror
Thousands of Job Applicants Citing Top Secret US Government Work Exposed In Amazon Server Data Breach (gizmodo.com)
According to Gizmodo, "Thousands of files containing the personal information and expertise of Americans with classified and up to Top Secret security clearances have been exposed by an unsecured Amazon server, potentially for most of the year." From the report: The files have been traced back to TigerSwan, a North Carolina-based private security firm. But in a statement on Saturday, TigerSwan implicated TalentPen, a third-party vendor apparently used by the firm to process new job applicants. "At no time was there ever a data breach of any TigerSwan server," the firm said. "All resume files in TigerSwan's possession are secure. We take seriously the failure of TalentPen to ensure the security of this information and regret any inconvenience or exposure our former recruiting vendor may have caused these applicants. TigerSwan is currently exploring all recourse and options available to us and those who submitted a resume."
Found on an insecure Amazon S3 bucket without the protection of a password, the cache of roughly 9,400 documents reveal extraordinary details about thousands of individuals who were formerly and may be currently employed by the U.S. Department of Defense and within the U.S. intelligence community. The files, unearthed this summer by a security analyst at the California-based cybersecurity firm UpGuard, were discovered in a folder labeled "resumes" containing the curriculum vitae of thousands of U.S. citizens holding Top Secret security clearances -- a prerequisite for their jobs at the Central Intelligence Agency, the National Security Agency, and the U.S. Secret Service, among other government agencies.
Found on an insecure Amazon S3 bucket without the protection of a password, the cache of roughly 9,400 documents reveal extraordinary details about thousands of individuals who were formerly and may be currently employed by the U.S. Department of Defense and within the U.S. intelligence community. The files, unearthed this summer by a security analyst at the California-based cybersecurity firm UpGuard, were discovered in a folder labeled "resumes" containing the curriculum vitae of thousands of U.S. citizens holding Top Secret security clearances -- a prerequisite for their jobs at the Central Intelligence Agency, the National Security Agency, and the U.S. Secret Service, among other government agencies.
TigerSwan was negligent by outsourcing to a negligent vendor. If you want something done right, do it yourself.
deep state is no doubt feeling embarrassed, caught like this with its pants down, exposing its boring workaday backside of grunts.
only penetration is lacking.
any takers?
My current job is at [REDACTED] and my security clearance is [REDACTED]. My cover story is cleaning out IT closets. My actual job description is [REDACTED].
The OPM data breach lost all the shit anyway. It's a treasure trove for identity theft. Where did you go to high school, what was you mothers maiden name, what was you address 20 years ago? It's all in those SF171 forms.
I have worked with programmers who are really smart, easily able to solve very tricky or complex problems, and yet also terribly sloppy when it came to security (prone to doing things like what someone at TalentPen allegedly did).
Intelligence is simply not enough. Proper security also requires the right mindset and the will to get it right. Companies are happy whenever they can find anyone that can get stuff working, and management generally just assumes that these developers know what they are doing and are always thinking about security already. Which is patently false, especially during crunch time.
Engineering proper security into products begins at the top; the execs must be serious about it, and they must be serious about building policies around it, screening candidates that can do it, hiring and utilizing auditors for it, etc.
Without that level of focus from the top, security simply does not happen, no matter how smart the crew is.
The OPM data breach lost all the shit anyway. It's a treasure trove for identity theft. Where did you go to high school, what was you mothers maiden name, what was you address 20 years ago? It's all in those SF171 forms.
You're thinking too small. It's not about identity theft. It's about intelligence work and social engineering of people who are involved in national security. It's about recruiting new spies. It's about predicting and influencing policy. And with resumes, it's about understanding another country's secret projects so you can work against them.
https://yro.slashdot.org/story...
You're responsible for your vendors, doubly so since assessing security of others is your business.
In a sane universe, the founders and owners of TigerSwan would be sued for every dime they have and be barred in perpetuity from all government contracts. In reality, this will get papered over using lame excuses, and Democrats and Republicans will continue to unite in institutionalized corruption and cronyism, in particular in favor of ex-military and ex-government employees.
Not that it's an excuse, but in what universe is it OK to have internet-connected data repositories that don't have a password? When is that EVER a good idea? Why can you even create a bucket without some kind of authorization on it? That's just kinda stupid.
And yea, TigerSwan: You were freaking responsible for the data. You might not directly employ the guy who screwed up, but your contractors are YOUR problem. The fact that you obviously DIDN'T control your contractors properly indicates that you probably aren't the right guys for the job.
A thousand pounds of wood moving at 300 feet per minute. Don't get in the way.
Surprised Chris Vickery from upguard wasn't slapped with felony cyber terrorism charges and arrested yet. This kind of unauthorized access is criminal and he should never see the light of day, much less a computer, for the rest of his life. TigerSwan and TalentPen are the real victims here. He probably even wears a hoodie. /s
Amazon is not the one responsible for this. It's the idiot who didn't bother to secure the data. Amazon just gets attention in the headline.
All of you Wikileaks supporters should applaud the transparency created by this breach. If you dont, then you're a hypocrite
I believe we should have more transparency. But that doesn't mean I have to believe everything should be transparent. The government needs to have some secrets. 99% of classified material shouldn't be classified, but the other 1% should be.
Anyway, I don't see the big deal about this breach. I had a "top secret" clearance for more than a decade. The government hands them out like candy corn on Halloween, and you can just assume that any tech within 100km of the Beltway likely has one.
During the 10+ years I did defense work, I don't think I ever saw anything that made me go "Wow, it would be really bad if the commies knew about this!" It was mostly mundane stuff.
So long as there are no penalties for bad security, we will not have a concerted effort to always have good security.
Anons need not reply. Questions end with a question mark.
Every time I hear the phrase 'insecure document' I die a little ... of laughter.
An insecure document is a document that is harbouring feelings of self-doubt. 'Am I really a document? Do people like to read me? Does this file format make me look fat?'
Folks, it's unsecured, not insecure. Yeah I know, it's probably too late to change this. But I just need to say it. There, I feel better now.
If it weren't for deadlines, nothing would be late.
Once again we witness how governments should not be in IT. Why don't they outsource this kind of thing to Amazon or Google or something like that? Those companies know what they are doing.
Wrong. The problem is the over-use of contractors and constant outsourcing of everything.
In this case, for example, all of this data should have been on a server controlled and accessed only by employees of the relevant government agency. Instead, nobody wants to be bothered doing any actual work. So, the government outsourced work to TigerSwan, who outsourced it to TalentPen, Each new layer of middlemen that you add significantly increases the chance that someone will screw something up.
And all to pretend to improve the bottom line.
Read it. Understand that the US has always been easily penetrated at this level. We have no real security worth the name at the private sector contractor level.
HBI's Law: Frequency of calling others Nazis is directly correlated with the likelihood of the accuser being Communist.
You just summarized politics itself. Here are the actual facts on the ground:
1) No one cares about this breach except the usual paranoids in the USG. They can up the tall tales of threat all they want, there's a certain limit to how much people with actual power will buy it.
2) This issue is irrelevant from a mass media perspective. The common person doesn't care, so that angle is covered.
So, therefore, from a contracting perspective, this is a non-issue. The auditors will bitch and moan but business will go on as usual. You have to show an actual impact to get anything done at this level.
HBI's Law: Frequency of calling others Nazis is directly correlated with the likelihood of the accuser being Communist.
"TigerSwan" and "TalentPen"? Really?
Aren't those the names of the newer black-ops programs from the next Jason Bourne movie, now that they are fully finished with "Treadstone" and "Blackbriar"?
Does "can't look at files" mean they're unable to look or not allowed to look? Is access prevented, audited? Does anyone check?
"At no time was there ever a data breach of any TigerSwan server"
Technically correct. But completely misleading.
Have gnu, will travel.
unless they have a police warrant
This wouldn't even slow down the BOFH.
Have gnu, will travel.
I'm just illustrating the point of view of the powers that be. Understanding it doesn't signal agreement.
HBI's Law: Frequency of calling others Nazis is directly correlated with the likelihood of the accuser being Communist.
No security company that blames security breaches on its own subcontractor is worse shit. It demonstrates that they are useless for any real-world security. Everyone deals with subcontractors. If you can't verify their security, you are worthless.
great show of ignorance. Their are things that the government SHOULD be keeping secret/secure and things that they should not ever be allowed to hide. private details of individuals, especially of security clearance levels is something that should ALWAYS be secured and I think you would find even WikiLeaks would censor that data before releasing it.
I've held plenty of clearances, going back over 20 years. At NO point during my service or debriefs from leaving jobs that required clearances was it deemed illegal or even discouraged to list my work on a resume, also known as that unclassified document you share with anyone and everyone you might want to work for all throughout your life.
Was sensitive information leaked? Application documents included drivers license info, passport numbers, and some SSN data. Yes, I'd say some PII was not protected well. But enough of this "Top Secret" bullshit hype. Gathering a list of U.S. Citizens who hold Top Secret clearances would probably take about 30 seconds on LinkedIn, also known as that public website that specializes in whoring out out your curriculum vitae.
Wait, I can explain, that's just a ... erhm ... friend, and he has a SS uniform fetish for BDSM play that... oh. You meant YOUR bed.
Ok, never mind, carry on.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Live by the cloud, die by the cloud.
The "cloud" is just some machine(s) somewhere that you have no security control over, that you have no reliability control over, that you have no maintenance control over, that you have no connectivity control over, that some marketing weasel somewhere (who you also have no control over) has convinced you is "better", when there's absolutely no concrete assurance of that.
You use "the cloud" for anything critical, you're a fool. It's a fad. A dangerous fad. Sure, you might save a few bucks up front over a proper server or servers and the people required to keep said hardware and software up, secure and running properly, but eventually, it'll very likely bite you because the model is inherently flawed: The interest in and concern for your work which only you have has been firmly separated from the control of your work, which only they have. The more critical your data / processes, the harder you're likely to get bitten. In the meantime, you're eroding the pool of qualified people who can actually keep your data and processes safe and operating. One tiny win followed by a series of avalanching losses.
I've fallen off your lawn, and I can't get up.
There's a public square in most conventional towns. Doesn't mean anyone with a lick of common sense goes out there dragging bags of money with them.
If your stuff needs security, you don't put it somewhere that has no security.
If your stuff needs security, and you hire someone who knows nothing about security to manage it, it's your fault.
I've fallen off your lawn, and I can't get up.
Every single individual with Top Secret clearance has already been exposed with the OPM breach (2012-2015). OPM (Office Of Personal Management) suffered a successful spear fishing breach in which the personal information of every single current and past federal worker's (including all military and those who've applied for the Top Secret clearance) stolen. The number of individuals exposed exceed 21 million. The lost information included the 127 page personal questionnaire required for clearance evaluation.
Essentially, every single US spy had their personal information - including secrets that could be used for blackmail - stolen and sold to foreign governments.
The OPM breach makes every other data theft look trivial in comparison. The fact that the main storing house for all Federal information did not keep PIN encrypted at rest is greatly telling and disturbing.
OPM is run by the USG itself. (should be) a big difference. What Boeing, Northrop Grumman or General Dynamics do is one thing...and not very good. What the USG does itself is quite another.
No argument with the criminal negligence involved in the OPM leak.
HBI's Law: Frequency of calling others Nazis is directly correlated with the likelihood of the accuser being Communist.