Thousands of Job Applicants Citing Top Secret US Government Work Exposed In Amazon Server Data Breach (gizmodo.com) 115

According to Gizmodo, "Thousands of files containing the personal information and expertise of Americans with classified and up to Top Secret security clearances have been exposed by an unsecured Amazon server, potentially for most of the year." From the report: The files have been traced back to TigerSwan, a North Carolina-based private security firm. But in a statement on Saturday, TigerSwan implicated TalentPen, a third-party vendor apparently used by the firm to process new job applicants. "At no time was there ever a data breach of any TigerSwan server," the firm said. "All resume files in TigerSwan's possession are secure. We take seriously the failure of TalentPen to ensure the security of this information and regret any inconvenience or exposure our former recruiting vendor may have caused these applicants. TigerSwan is currently exploring all recourse and options available to us and those who submitted a resume."

Found on an insecure Amazon S3 bucket without the protection of a password, the cache of roughly 9,400 documents reveals extraordinary details about thousands of individuals who were formerly and may be currently employed by the U.S. Department of Defense and within the U.S. intelligence community. The files, unearthed this summer by a security analyst at the California-based cybersecurity firm UpGuard, were discovered in a folder labeled "resumes" containing the curriculum vitae of thousands of U.S. citizens holding Top Secret security clearances -- a prerequisite for their jobs at the Central Intelligence Agency, the National Security Agency, and the U.S. Secret Service, among other government agencies.

  • regardless... (Score:2, Insightful)

    by Anonymous Coward

    TigerSwan was negligent by outsourcing to a negligent vendor. If you want something done right, do it yourself.

    • If you want something done right, do it yourself.

      You are so right. When revealing personal information, do it yourself [bloomberg.com].

    • Live by the cloud, die by the cloud.

      The "cloud" is just some machine(s) somewhere that you have no security control over, that you have no reliability control over, that you have no maintenance control over, that you have no connectivity control over, that some marketing weasel somewhere (who you also have no control over) has convinced you is "better", when there's absolutely no concrete assurance of that.

      You use "the cloud" for anything critical, you're a fool. It's a fad. A dangerous fad. Sure, you might

  • deep state is no doubt feeling embarrassed, caught like this with its pants down, exposing its boring workaday backside of grunts.
    only penetration is lacking.
    any takers?

    • by Anonymous Coward

      I have worked with programmers who are really smart, easily able to solve very tricky or complex problems, and yet also terribly sloppy when it came to security (prone to doing things like what someone at TalentPen allegedly did).

      Intelligence is simply not enough. Proper security also requires the right mindset and the will to get it right. Companies are happy whenever they can find anyone that can get stuff working, and management generally just assumes that these developers know what they are doing and

  • My current job is at [REDACTED] and my security clearance is [REDACTED]. My cover story is cleaning out IT closets. My actual job description is [REDACTED].
    • by ls671 ( 1122017 )

      My cover story is cleaning out IT closets. My actual job description is [REDACTED].

      Strange agency you work at. In mine, once our cover is blown, we retire.

    • by AHuxley ( 892839 )
      Think about it from the US gov/mil perspective.
      Say a US clandestine agency needed a skilled flight crew to load a big transport aircraft and fly a lot of support in for "freedom" to some "pro democracy" group.
      The US clandestine agency does not want a log of its complex crew searches and have to request a decrypt of many different gov/mil/contractor databases.
      So all that mission critical worker data is easy to search and kept in a format every US gov computer system can access without questions or track
      • by PPH ( 736903 )

        This makes sense. But looking at it another way, it's not necessary for an adversary to examine your search parameters. They can make a pretty decent guess at what you are up to by examining the results of your search (who you hired) if they know what individuals' skill sets are.

        And some of that intelligence is valuable long after the fact. So building up a list of where people were from resumes and past assignments is still of considerable use to an enemy. Operational data (where we might be shipping arms

        • by AHuxley ( 892839 )
          Re " But looking at it another way, it's not necessary for an adversary to examine your search parameters. "
          That depends if the USA is doing a new version of Iran Contra and needs to ensure no system or network ever keeps any related files/logs this time. https://en.wikipedia.org/wiki/... [wikipedia.org]–Contra_affair
          Re "They can make a pretty decent guess at what you are up to by examining the results of your search (who you hired) if they know what individuals' skill sets are."
          The US had a few considerations
  • The OPM data breach lost all the shit anyway. It's a treasure trove for identity theft. Where did you go to high school, what was your mother's maiden name, what was your address 20 years ago? It's all in those SF171 forms.
    • by Anonymous Coward

      The OPM data breach lost all the shit anyway. It's a treasure trove for identity theft. Where did you go to high school, what was your mother's maiden name, what was your address 20 years ago? It's all in those SF171 forms.

      You're thinking too small. It's not about identity theft. It's about intelligence work and social engineering of people who are involved in national security. It's about recruiting new spies. It's about predicting and influencing policy. And with resumes, it's about understanding another country's secret projects so you can work against them.

      https://yro.slashdot.org/story... [slashdot.org]

      • Comment removed based on user account deletion
      • The OPM data breach lost all the shit anyway. It's a treasure trove for identity theft. Where did you go to high school, what was your mother's maiden name, what was your address 20 years ago? It's all in those SF171 forms.

        You're thinking too small. It's not about identity theft. It's about intelligence work and social engineering of people who are involved in national security. It's about recruiting new spies. It's about predicting and influencing policy. And with resumes, it's about understanding another country's secret projects so you can work against them.

        https://yro.slashdot.org/story... [slashdot.org]

        Ah, so I'm guessing a website that specializes in whoring out resumes that include massive lists of US Citizens holding Top Secret clearances has already been confiscated by the US Government, and was shut down?

        Oh look, LinkedIn is still up and running. Gee, I wonder why that is. Maybe it's because US Citizens holding Top Secret clearances has never been deemed classified, confidential, or even sensitive enough to not put on a resume that you freely share with damn near anyone and everyone.

        This was a leak

  • by doctorvo ( 5019381 ) on Sunday September 03, 2017 @01:29PM (#55133373)

    "At no time was there ever a data breach of any TigerSwan server," the firm said. "All resume files in TigerSwan's possession are secure. We take seriously the failure of TalentPen to ensure the security of this information and regret any inconvenience or exposure our former recruiting vendor may have caused these applicants."

    You're responsible for your vendors, doubly so since assessing security of others is your business.

    In a sane universe, the founders and owners of TigerSwan would be sued for every dime they have and be barred in perpetuity from all government contracts. In reality, this will get papered over using lame excuses, and Democrats and Republicans will continue to unite in institutionalized corruption and cronyism, in particular in favor of ex-military and ex-government employees.

    • Comment removed based on user account deletion
      • This issue is irrelevant from a mass media perspective.

        As you may notice, the perspective of the mass media is becoming less and less relevant.

        So, therefore, from a contracting perspective, this is a non-issue.

        Short term, it may seem that way. Long term, the trust of Americans in the federal government is eroding, year after year.

    • You are depressingly right.
  • by mhkohne ( 3854 ) on Sunday September 03, 2017 @01:36PM (#55133405) Homepage

    Not that it's an excuse, but in what universe is it OK to have internet-connected data repositories that don't have a password? When is that EVER a good idea? Why can you even create a bucket without some kind of authorization on it? That's just kinda stupid.

    And yea, TigerSwan: You were freaking responsible for the data. You might not directly employ the guy who screwed up, but your contractors are YOUR problem. The fact that you obviously DIDN'T control your contractors properly indicates that you probably aren't the right guys for the job.

    • by Anonymous Coward

      Not that it's an excuse, but in what universe is it OK to have internet-connected data repositories that don't have a password? When is that EVER a good idea? Why can you even create a bucket without some kind of authorization on it? That's just kinda stupid.

      Amazon S3 is used for content hosting for public web sites; of course, there are public buckets.

      • Amazon S3 is used for content hosting for public web sites; of course, there are public buckets.

        There's a public square in most conventional towns. Doesn't mean anyone with a lick of common sense goes out there dragging bags of money with them.

        If your stuff needs security, you don't put it somewhere that has no security.

        If your stuff needs security, and you hire someone who knows nothing about security to manage it, it's your fault.

    • Not that it's an excuse, but in what universe is it OK to have internet-connected data repositories that don't have a password? When is that EVER a good idea? Why can you even create a bucket without some kind of authorization on it?

      Mostly for hosting web pages. People host their websites on AWS (obviously) and any static resources get hosted in either S3 or a CDN.

    • Not that it's an excuse, but in what universe is it OK to have internet-connected data repositories that don't have a password? When is that EVER a good idea? Why can you even create a bucket without some kind of authorization on it? That's just kinda stupid.

      And yea, TigerSwan: You were freaking responsible for the data. You might not directly employ the guy who screwed up, but your contractors are YOUR problem. The fact that you obviously DIDN'T control your contractors properly indicates that you probably aren't the right guys for the job.

      This has been done before and one of 4 times my data has been hacked. https://www.computerworld.com/... [computerworld.com]
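A defender-side check for the question raised in this subthread (why a bucket can exist with no authorization at all, and how to tell an intentionally public web-hosting bucket from an accidentally open one). This is an example added by the editor, not code from any commenter, from TigerSwan, TalentPen, UpGuard or AWS. It takes the JSON shapes that S3's GetBucketAcl and GetBucketPolicy calls return, using constructed samples so it runs offline, and marks a bucket PUBLIC when its ACL grants anything to the AllUsers or AuthenticatedUsers groups or its policy allows a wildcard principal with no Condition. The bucket names, the owner ID and the VPC endpoint ID are placeholders.

```python
import json

# Canned S3 ACL group URIs whose grants reach beyond the owning account.
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}


def public_acl_grants(acl):
    """Return (group, permission) pairs granted to AllUsers or AuthenticatedUsers."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue
        group = PUBLIC_GROUP_URIS.get(grantee.get("URI"))
        if group:
            found.append((group, grant.get("Permission")))
    return found


def is_wildcard_principal(principal):
    """True for Principal "*" or {"AWS": "*"} (also "*" inside a list of principals)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_policy_statements(policy):
    """Return (sorted actions, has_condition) for each Allow statement with a wildcard Principal."""
    found = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or not is_wildcard_principal(stmt.get("Principal")):
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        found.append((sorted(actions), bool(stmt.get("Condition"))))
    return found


def classify_bucket(name, acl, policy_json=None):
    """Combine ACL and policy findings into a PUBLIC / REVIEW / PRIVATE verdict."""
    grants = public_acl_grants(acl)
    statements = public_policy_statements(json.loads(policy_json)) if policy_json else []
    unconditioned = [actions for actions, conditioned in statements if not conditioned]
    if grants or unconditioned:
        verdict = "PUBLIC"
    elif statements:
        verdict = "REVIEW"  # wildcard principal narrowed only by a Condition: a human reads it
    else:
        verdict = "PRIVATE"
    return {"bucket": name, "verdict": verdict,
            "acl_grants": grants, "policy_statements": statements}


# Constructed sample data in the shape boto3 returns (placeholder names and IDs).
OWNER_GRANT = {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-ID"},
               "Permission": "FULL_CONTROL"}
ALL_USERS_READ = {"Grantee": {"Type": "Group",
                              "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                  "Permission": "READ"}
SAMPLE_BUCKETS = [
    # World-readable through the ACL alone: the "folder left open" case.
    ("resumes-example", {"Grants": [OWNER_GRANT, ALL_USERS_READ]}, None),
    # Deliberately public static-site bucket: read-only policy for everyone.
    ("static-site-example", {"Grants": [OWNER_GRANT]}, json.dumps({
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
                       "Resource": "arn:aws:s3:::static-site-example/*"}]})),
    # Wildcard principal narrowed by a Condition on the VPC endpoint: review, not auto-fail.
    ("internal-example", {"Grants": [OWNER_GRANT]}, json.dumps({
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"},
                       "Action": ["s3:GetObject", "s3:ListBucket"],
                       "Resource": ["arn:aws:s3:::internal-example",
                                    "arn:aws:s3:::internal-example/*"],
                       "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-EXAMPLE"}}}]})),
    # Owner-only ACL and no bucket policy.
    ("private-example", {"Grants": [OWNER_GRANT]}, None),
]


def audit(buckets=SAMPLE_BUCKETS):
    """Classify every (name, acl, policy_json) tuple."""
    return [classify_bucket(name, acl, policy) for name, acl, policy in buckets]


if __name__ == "__main__":
    for result in audit():
        print(result["verdict"].ljust(8), result["bucket"],
              result["acl_grants"], result["policy_statements"])
```

To run this against a real account, feed the same functions the output of boto3's `get_bucket_acl` and `get_bucket_policy` (a `NoSuchBucketPolicy` client error simply means there is no policy). The REVIEW verdict exists because a Condition can legitimately narrow `Principal: "*"` to one VPC endpoint or source, but it can also be a no-op, so the scanner does not guess. AWS has since added account-level Block Public Access settings that refuse such ACLs and policies outright, which is the control this comment is asking for.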

  • Surprised Chris Vickery from upguard wasn't slapped with felony cyber terrorism charges and arrested yet. This kind of unauthorized access is criminal and he should never see the light of day, much less a computer, for the rest of his life. TigerSwan and TalentPen are the real victims here. He probably even wears a hoodie. /s
  • by edibobb ( 113989 ) on Sunday September 03, 2017 @01:59PM (#55133503) Homepage
    Amazon is not the one responsible for this. It's the idiot who didn't bother to secure the data. Amazon just gets attention in the headline.
  • So long as there are no penalties for bad security, we will not have a concerted effort to always have good security.

  • by ClickOnThis ( 137803 ) on Sunday September 03, 2017 @02:21PM (#55133597) Journal

    Every time I hear the phrase 'insecure document' I die a little ... of laughter.

    An insecure document is a document that is harbouring feelings of self-doubt. 'Am I really a document? Do people like to read me? Does this file format make me look fat?'

    Folks, it's unsecured, not insecure. Yeah I know, it's probably too late to change this. But I just need to say it. There, I feel better now.

    • Just wait till it's so overused it will literally be in Websters.
      • As is commonly the case, the highly-upvoted snark about legacy language is dead wrong. It's already in Webster's:

        2: not adequately guarded or sustained : unsafe ("an insecure investment")

        https://www.merriam-webster.com/dictionary/insecure [merriam-webster.com]

        (Side note: "The only modern dictionaries that trace their lineage to Noah Webster's are published by Merriam-Webster.", Wikipedia [wikipedia.org].)

    • Imho both terms can apply to software, but they mean different things.

      An application is unsecured if there is no intention or attempt to secure it. "The data was available in an unsecured S3 bucket, wide open to the world."

      An application is insecure when there is intention and attempt to secure it, but that attempt fails due to a software bug or misconfiguration. "The data was available on an insecure 'private' server. An attacker executed a SQL injection attack and gained unauthorized access."

    • Hush! If Tony Leondis reads this we'll get a movie about an insecure document!

  • by McLae ( 606725 ) on Sunday September 03, 2017 @02:46PM (#55133661) Homepage
    No company does what they are paid to do these days. It is outsourced to a company that outsources security that outsources to some fat kid lying in bed. Who hires an Indian in Mumbai to do the actual work. No surprise that something like accountability gets lost.

    And all to pretend to improve the bottom line.

    • by swm ( 171547 )

      Hitler: (screaming at his generals) You outsourced our security to a vendor whose servers are in Leningrad?!?!
      -- from an EFF Downfall parody

  • "TigerSwan" and "TalentPen"? Really?

    Aren't those the names of the newer black-ops programs from the next Jason Bourne movie, now that they are fully finished with "Treadstone" and "Blackbriar"?
  • ... weasel words.

    "At no time was there ever a data breach of any TigerSwan server"

    Technically correct. But completely misleading.

  • No security company that blames security breaches on its own subcontractor is worse shit. It demonstrates that they are useless for any real-world security. Everyone deals with subcontractors. If you can't verify their security, you are worthless.

  • I've held plenty of clearances, going back over 20 years. At NO point during my service or debriefs from leaving jobs that required clearances was it deemed illegal or even discouraged to list my work on a resume, also known as that unclassified document you share with anyone and everyone you might want to work for all throughout your life.

    Was sensitive information leaked? Application documents included drivers license info, passport numbers, and some SSN data. Yes, I'd say some PII was not protected wel

  • Every single individual with Top Secret clearance has already been exposed with the OPM breach (2012-2015). OPM (Office of Personnel Management) suffered a successful spear phishing breach in which the personal information of every single current and past federal worker (including all military and those who've applied for the Top Secret clearance) was stolen. The number of individuals exposed exceeds 21 million. The lost information included the 127 page personal questionnaire required for clearance evaluat
