Thousands of Job Applicants Citing Top Secret US Government Work Exposed In Amazon Server Data Breach (gizmodo.com)
According to Gizmodo, "Thousands of files containing the personal information and expertise of Americans with classified and up to Top Secret security clearances have been exposed by an unsecured Amazon server, potentially for most of the year." From the report: The files have been traced back to TigerSwan, a North Carolina-based private security firm. But in a statement on Saturday, TigerSwan implicated TalentPen, a third-party vendor apparently used by the firm to process new job applicants. "At no time was there ever a data breach of any TigerSwan server," the firm said. "All resume files in TigerSwan's possession are secure. We take seriously the failure of TalentPen to ensure the security of this information and regret any inconvenience or exposure our former recruiting vendor may have caused these applicants. TigerSwan is currently exploring all recourse and options available to us and those who submitted a resume."
Found on an insecure Amazon S3 bucket without the protection of a password, the cache of roughly 9,400 documents reveal extraordinary details about thousands of individuals who were formerly and may be currently employed by the U.S. Department of Defense and within the U.S. intelligence community. The files, unearthed this summer by a security analyst at the California-based cybersecurity firm UpGuard, were discovered in a folder labeled "resumes" containing the curriculum vitae of thousands of U.S. citizens holding Top Secret security clearances -- a prerequisite for their jobs at the Central Intelligence Agency, the National Security Agency, and the U.S. Secret Service, among other government agencies.
All of you Wikileaks supporters should applaud the transparency created by this breach. If you don't, then you're a hypocrite.
I believe we should have more transparency. But that doesn't mean I have to believe everything should be transparent. The government needs to have some secrets. 99% of classified material shouldn't be classified, but the other 1% should be.
Anyway, I don't see the big deal about this breach. I had a "top secret" clearance for more than a decade. The government hands them out like candy corn on Halloween, and you can just assume that any tech within 100km of the Beltway likely has one.
TigerSwan was negligent by outsourcing to a negligent vendor. If you want something done right, do it yourself.
If you want something done right, do it yourself.
You are so right. When revealing personal information, do it yourself [bloomberg.com].
deep state is no doubt feeling embarrassed, caught like this with its pants down, exposing its boring workaday backside of grunts.
only penetration is lacking.
any takers?
I have worked with programmers who are really smart, easily able to solve very tricky or complex problems, and yet also terribly sloppy when it came to security (prone to doing things like what someone at TalentPen allegedly did).
Intelligence is simply not enough. Proper security also requires the right mindset and the will to get it right. Companies are happy whenever they can find anyone that can get stuff working, and management generally just assumes that these developers know what they are doing and
You can redact anything you want. It doesn't mean the information was actually sensitive.
I had to scrub my LinkedIn profile shortly after I got hired. A well-known whistle blower contacted me via LinkedIn wanting to meet with me. Of course, I reported this to management and security.
I highly doubt fetching coffee for other employees actually requires a security clearance.
I don't handle classified information. But I do work on systems that might have classified information and I might find out something that I'm not supposed to know.
But, hey, you should still be able to provide an Amazon referral link for this, right?
Hopscotch [amzn.to] with Walter Matthau and Glenda Jackson is one of my favorite Cold War spy movies. When a veteran spymaster is sidelined by the CIA, he decides
I had to scrub my LinkedIn profile shortly after I got hired. A well-known whistle blower contacted me via LinkedIn wanting to meet with me. Of course, I reported this to management and security.
Hey, that was me and I just wanted to share linking strategies for our revenue streams since I have some too. Anyway, it is useless to "scrub" your LinkedIn profile once you have made the information available.
I don't handle classified information. But I do work on systems that might have classified information and I might find out something that I'm not supposed to know.
Don't worry about that. As a whistle blower I know people who earn 200K a year just to make sure this doesn't happen.
My cover story is cleaning out IT closets. My actual job description is [REDACTED].
Strange agency you work at. In mine, once our cover is blown, we retire.
Say a US clandestine agency needed a skilled flight crew to load a big transport aircraft and fly a lot of support in for "freedom" to some "pro democracy" group.
The US clandestine agency does not want a log of its complex crew searches and have to request a decrypt of many different gov/mil/contractor databases.
So all that mission critical worker data is easy to search and kept in a format every US gov computer system can access without questions or track
This makes sense. But looking at it another way, it's not necessary for an adversary to examine your search parameters. They can make a pretty decent guess at what you are up to by examining the results of your search (who you hired) if they know what individuals' skill sets are.
And some of that intelligence is valuable long after the fact. So building up a list of where people were from resumes and past assignments is still of considerable use to an enemy. Operational data (where we might be shipping arms
That depends if the USA is doing a new version of Iran Contra and needs to ensure no system or network ever keeps any related files/logs this time. https://en.wikipedia.org/wiki/... [wikipedia.org]–Contra_affair
Re "They can make a pretty decent guess at what you are up to by examining the results of your search (who you hired) if they know what individuals' skill sets are."
The US had a few considerations
The OPM data breach lost all the shit anyway. It's a treasure trove for identity theft. Where did you go to high school, what was your mother's maiden name, what was your address 20 years ago? It's all in those SF171 forms.
You're thinking too small. It's not about identity theft. It's about intelligence work and social engineering of people who are involved in national security. It's about recruiting new spies. It's about predicting and influencing policy. And with resumes, it's about understanding another country's secret projects so you can work against them.
https://yro.slashdot.org/story... [slashdot.org]
Read it. Understand that the US has always been easily penetrated at this level. We have no real security worth the name at the private sector contractor level.
Does "can't look at files" mean they're unable to look or not allowed to look? Is access prevented, audited? Does anyone check?
unless they have a police warrant
This wouldn't even slow down the BOFH.
You're responsible for your vendors, doubly so since assessing security of others is your business.
In a sane universe, the founders and owners of TigerSwan would be sued for every dime they have and be barred in perpetuity from all government contracts. In reality, this will get papered over using lame excuses, and Democrats and Republicans will continue to unite in institutionalized corruption and cronyism, in particular in favor of ex-military and ex-government employees.
You just summarized politics itself. Here are the actual facts on the ground:
1) No one cares about this breach except the usual paranoids in the USG. They can up the tall tales of threat all they want, there's a certain limit to how much people with actual power will buy it.
2) This issue is irrelevant from a mass media perspective. The common person doesn't care, so that angle is covered.
So, therefore, from a contracting perspective, this is a non-issue. The auditors will bitch and moan but business wil
As you may notice, the perspective of the mass media is becoming less and less relevant.
Short term, it may seem that way. Long term, the trust of Americans in the federal government is eroding, year after year.
I'm just illustrating the point of view of the powers that be. Understanding it doesn't signal agreement.
Not that it's an excuse, but in what universe is it OK to have internet-connected data repositories that don't have a password? When is that EVER a good idea? Why can you even create a bucket without some kind of authorization on it? That's just kinda stupid.
And yea, TigerSwan: You were freaking responsible for the data. You might not directly employ the guy who screwed up, but your contractors are YOUR problem. The fact that you obviously DIDN'T control your contractors properly indicates that you probably aren't the right guys for the job.
Amazon S3 is used for content hosting for public web sites; of course, there are public buckets.
Not that it's an excuse, but in what universe is it OK to have internet-connected data repositories that don't have a password? When is that EVER a good idea? Why can you even create a bucket without some kind of authorization on it?
Mostly for hosting web pages. People host their websites on AWS (obviously) and any static resources get hosted in either S3 or a CDN.
Not that it's an excuse, but in what universe is it OK to have internet-connected data repositories that don't have a password? When is that EVER a good idea? Why can you even create a bucket without some kind of authorization on it? That's just kinda stupid.
And yea, TigerSwan: You were freaking responsible for the data. You might not directly employ the guy who screwed up, but your contractors are YOUR problem. The fact that you obviously DIDN'T control your contractors properly indicates that you probably aren't the right guys for the job.
This has been done before and one of 4 times my data has been hacked. https://www.computerworld.com/... [computerworld.com]
Once again we witness how governments should not be in IT. Why don't they outsource this kind of thing to Amazon or Google or something like that? Those companies know what they are doing.
Wrong. The problem is the over-use of contractors and constant outsourcing of everything.
In this case, for example, all of this data should have been on a server controlled and accessed only by employees of the relevant government agency. Instead, nobody wants to be bothered doing any actual work. So, the government outsourced work to TigerSwan, who outsourced it to TalentPen. Each new layer of middlemen that you add significantly increases the chance that someone will screw something up.
The company was of course responsible, but so is Amazon; they could have made it so that buckets that contain classified data can't be accessed without authorization.
Someone mis-configured their bucket. Amazon has no way of knowing this or that the information is classified. Do you really think someone is going to tell them "Hey, we're putting a bunch of classified information on your servers, could you keep an eye on it for us?"
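The back-and-forth above (why public buckets exist, and whether a bucket can end up world-readable without anyone noticing) comes down to two S3 mechanisms: a bucket ACL grant to the predefined AllUsers or AuthenticatedUsers groups, or a bucket policy statement that allows read actions to Principal "*" with no restricting Condition. The checker below is an added example, not code from the article, TigerSwan, TalentPen or UpGuard. It evaluates both mechanisms on constructed configuration dicts shaped like the S3 GetBucketAcl / GetBucketPolicy responses, and also honours the S3 Block Public Access settings that AWS added after this incident, which neutralize public ACLs and public policies at the bucket level. The bucket names and grants are made up; nothing here calls AWS.

```python
"""Added example: decide whether an S3 bucket configuration exposes objects to everyone.

Inputs are constructed dicts in the shape the S3 API returns for a bucket's ACL,
policy and PublicAccessBlockConfiguration. No network access is performed.
"""
from fnmatch import fnmatchcase

PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}
# Actions that let an anonymous caller read or enumerate the bucket's contents.
READ_ACTIONS = ("s3:GetObject", "s3:ListBucket")


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def public_acl_grants(acl):
    """Return the ACL grants made to the two public predefined groups."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        group = PUBLIC_GROUPS.get(grantee.get("URI")) if grantee.get("Type") == "Group" else None
        if group:
            findings.append(f"ACL grants {grant.get('Permission')} to {group}")
    return findings


def _principal_is_everyone(principal):
    """Both the bare "*" and {"AWS": "*"} forms mean any caller, anonymous included."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def public_policy_statements(policy):
    """Return Allow statements that give read actions to Principal "*"."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or not _principal_is_everyone(stmt.get("Principal")):
            continue
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Condition"):
            # A Condition (aws:SourceIp, aws:Referer, ...) may narrow "*"; a human has to judge it.
            findings.append(f"Policy statement {sid}: Principal * with a Condition, review manually")
            continue
        # Action entries are glob patterns ("s3:*", "s3:Get*"); match them against the read actions.
        exposed = sorted(
            a for a in READ_ACTIONS
            if any(fnmatchcase(a.lower(), pat.lower()) for pat in _as_list(stmt.get("Action")))
        )
        if exposed:
            findings.append(f"Policy statement {sid}: {exposed} allowed to everyone")
    return findings


def assess_bucket(name, acl, policy=None, block_public_access=None):
    """Combine ACL, policy and Block Public Access settings into one verdict."""
    bpa = block_public_access or {}
    acl_findings = public_acl_grants(acl)
    policy_findings = public_policy_statements(policy or {})
    if bpa.get("IgnorePublicAcls"):
        acl_findings = []        # S3 ignores public ACL grants when this flag is set
    if bpa.get("RestrictPublicBuckets"):
        policy_findings = []     # a public policy no longer grants anonymous access
    findings = acl_findings + policy_findings
    return {"bucket": name, "public": bool(findings), "findings": findings}


# Constructed sample configurations (hypothetical buckets, not real ones).
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
RESUMES_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
]}
OWNER_ONLY_ACL = {"Grants": [RESUMES_ACL["Grants"][0]]}
STATIC_SITE_POLICY = {"Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                                      "Action": "s3:GetObject", "Resource": "arn:aws:s3:::site/*"}]}
FULL_BLOCK = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
              "BlockPublicPolicy": True, "RestrictPublicBuckets": True}

if __name__ == "__main__":
    for verdict in (
        assess_bucket("resumes", RESUMES_ACL),                          # the failure mode in the story
        assess_bucket("site", OWNER_ONLY_ACL, STATIC_SITE_POLICY),      # public on purpose (static site)
        assess_bucket("resumes-fixed", RESUMES_ACL, None, FULL_BLOCK),  # same ACL, neutralized
    ):
        print(verdict)
```

The point of the last sample is the one the thread keeps circling: a static website bucket and a résumé dump look identical to S3, so the only durable fix is an account- or bucket-level Block Public Access setting that makes the public grant inert regardless of what an individual uploader clicks.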
So long as there are no penalties for bad security, we will not have a concerted effort to always have good security.
Every time I hear the phrase 'insecure document' I die a little
... of laughter.
An insecure document is a document that is harbouring feelings of self-doubt. 'Am I really a document? Do people like to read me? Does this file format make me look fat?'
Folks, it's unsecured, not insecure. Yeah I know, it's probably too late to change this. But I just need to say it. There, I feel better now.
As is commonly the case, the highly-upvoted snark about legacy language is dead wrong. It's already in Webster's:
2: not adequately guarded or sustained : unsafe (an insecure investment)
https://www.merriam-webster.com/dictionary/insecure [merriam-webster.com]
(Side note: "The only modern dictionaries that trace their lineage to Noah Webster's are published by Merriam-Webster.", Wikipedia [wikipedia.org].)
And all to pretend to improve the bottom line.
Hitler: (screaming at his generals) You outsourced our security to a vendor whose servers are in Leningrad?!?!
-- from an EFF Downfall parody
Aren't those the names of the newer black-ops programs from the next Jason Bourne movie, now that they are fully finished with "Treadstone" and "Blackbriar"?
"At no time was there ever a data breach of any TigerSwan server"
Technically correct. But completely misleading.