Government Exposes Documents Detailing Sensitive NSA Software, Surveillance Programs

(Mis)Uses of Technology

from the password:-passw0rd dept

Another leak is causing some headaches for the NSA. Still reeling from the worldwide exposure of one of its exploit hoards, along with documents handed over to journalists by Ed Snowden (and unnamed others), the NSA’s latest embarrassment is an unsecured intelligence system the NSA shares with the military.

The exposed data was discovered by security researcher Chris Vickery, who informed the government about the leak back in October.

On September 27th, 2017, UpGuard Director of Cyber Risk Research Chris Vickery discovered an Amazon Web Services S3 cloud storage bucket configured for public access. Set to allow anyone entering the URL to see the exposed bucket’s contents, the repository, located at the AWS subdomain “inscom,” contained 47 viewable files and folders in the main repository, three of which were also downloadable. The subdomain name provides some indication as to the provenance of the data: INSCOM, an intelligence command overseen by both the US Army and the NSA.

The three downloadable files contained in the bucket confirm the highly sensitive nature of the contents, exposing national security data, some of it explicitly classified.

The largest file is an Oracle Virtual Appliance (.ova) file titled “ssdev,” which, when loaded into VirtualBox, is revealed to contain a virtual hard drive and Linux-based operating system likely used for receiving Defense Department data from a remote location. While the virtual OS and HD can be browsed in their functional states, most of the data cannot be accessed without connecting to Pentagon systems – an intrusion that malicious actors could have attempted, had they found this bucket.

Included in the exposed data were files marked “Top Secret” and “NOFORN,” the latter denoting information considered too sensitive to even be shared with foreign allies. Some of the exposed software could conceivably allow malicious actors to access sensitive (and live) Pentagon systems. Considering the sensitivity of this information, one has to wonder why no attempt was made to secure it.

Regrettably, this cloud leak was entirely avoidable, the likely result of process errors within an IT environment that lacked the procedures needed to ensure something as impactful as a data repository containing classified information not be left publicly accessible. Given how simple the immediate solution to such an ill-conceived configuration is – simply updated the S3 bucket’s permission settings to only allow authorized administrators access – the real question is, how can government agencies keep track of all their data and ensure they are correctly configured and secured?

Perhaps part of the reason this was overlooked was the software’s relative uselessness. The military spent $93 million attempting to build a scalable solution for shared intelligence, but a 2014 memo called the software (known as “Red Disk”) “a major hindrance to operations.” Even though this may be all but abandoned, other files left exposed contained plenty of sensitive information.

Vickery noted that the disk image also contains other sensitive files, including private keys used for the system to access other servers on the intelligence community’s network. The keys belong to a third-party firm, Invertix, a working partner of INSCOM and a key developer of Red Disk.

On top of that, the exposed files provided more information about NSA collection program Ragtime, which allowed (allows?) the agency to collect info on US persons.

The document seen by ZDNet, dated November 2011, shows the Ragtime program has eleven variants, including the four that were already known. The document alludes to Ragtime-BQ, F, N, PQ, S, and T.

The eleventh version refers to Ragtime-USP. “USP” is a common term used across the intelligence community to refer to “US person,” like a US citizen or lawful permanent resident.

Ragtime is more than a decade old, but apparently still in use. It was part of the Stellar Wind warrantless surveillance bundle put together by the agency and the Bush administration shortly after the 9/11 attacks in 2001. While Stellar Wind is no longer in use thanks to domestic surveillance concerns (it’s actually just been offshored to dodge FISA obligations), Ragtime appears to still be running, although there’s little publicly-available information discussing its use in surveilling American citizens. An undated document leaked by Snowden in 2013 discusses Ragtime collection in the context of thwarting Congressional oversight.

What is known is Ragtime’s super-secret status. It’s a “need to know” program that only certain analysts can access. Collections from this program are considered so sensitive they aren’t shared with foreign allies, with the exception of the Ragtime-C variant, which allows UK intelligence agency access.

With the Section 702 renewal deadline fast approaching, another leak showing possible domestic surveillance can’t be helpful. Then again, serious reform of the expiring collection authorities doesn’t seem to be in the cards this year, what with both House and Senate committees offering uninspiring legislation that won’t do much to rein in surveillance abuses.

Filed Under: aws, chris vickery, inscom, nsa, secrets
Companies: upgard