Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
Government Privacy Databases Security The Military United States

Thousands of Job Applicants Citing Top Secret US Government Work Exposed In Amazon Server Data Breach (gizmodo.com) 115

According to Gizmodo, "Thousands of files containing the personal information and expertise of Americans with classified and up to Top Secret security clearances have been exposed by an unsecured Amazon server, potentially for most of the year." From the report: The files have been traced back to TigerSwan, a North Carolina-based private security firm. But in a statement on Saturday, TigerSwan implicated TalentPen, a third-party vendor apparently used by the firm to process new job applicants. "At no time was there ever a data breach of any TigerSwan server," the firm said. "All resume files in TigerSwan's possession are secure. We take seriously the failure of TalentPen to ensure the security of this information and regret any inconvenience or exposure our former recruiting vendor may have caused these applicants. TigerSwan is currently exploring all recourse and options available to us and those who submitted a resume."

Found on an insecure Amazon S3 bucket without the protection of a password, the cache of roughly 9,400 documents reveal extraordinary details about thousands of individuals who were formerly and may be currently employed by the U.S. Department of Defense and within the U.S. intelligence community. The files, unearthed this summer by a security analyst at the California-based cybersecurity firm UpGuard, were discovered in a folder labeled "resumes" containing the curriculum vitae of thousands of U.S. citizens holding Top Secret security clearances -- a prerequisite for their jobs at the Central Intelligence Agency, the National Security Agency, and the U.S. Secret Service, among other government agencies.

This discussion has been archived. No new comments can be posted.

Thousands of Job Applicants Citing Top Secret US Government Work Exposed In Amazon Server Data Breach

Comments Filter:
  • regardless... (Score:2, Insightful)

    by Anonymous Coward

    TigerSwan was negligent by outsourcing to a negligent vendor. If you want something done right, do it yourself.

    • If you want something done right, do it yourself.

      You are so right. When revealing personal information, do it yourself [bloomberg.com].

    • Live by the cloud, die by the cloud.

      The "cloud" is just some machine(s) somewhere that you have no security control over, that you have no reliability control over, that you have no maintenance control over, that you have no connectivity control over, that some marketing weasel somewhere (who you also have no control over) has convinced you is "better", when there's absolutely no concrete assurance of that.

      You use "the cloud" for anything critical, you're a fool. It's a fad. A dangerous fad. Sure, you might

  • deep state is no doubt feeling embarrassed, caught like this with its pants down, exposing its boring workaday backside of grunts.
    only penetration is lacking.
    any takers?

    • by Anonymous Coward

      I have worked with programmers who are really smart, easily able to solve very tricky or complex problems, and yet also terribly sloppy when it came to security (prone to doing things like what someone at TalentPen allegedly did).

      Intelligence is simply not enough. Proper security also requires the right mindset and the will to get it right. Companies are happy whenever they can find anyone that can get stuff working, and management generally just assumes that these developers know what they are doing and

  • My current job is at [REDACTED] and my security clearance is [REDACTED]. My cover story is cleaning out IT closets. My actual job description is [REDACTED].
    • by ls671 ( 1122017 )

      My cover story is cleaning out IT closets. My actual job description is [REDACTED].

      Strange agency you work at. In mine, once our cover is blown, we retire.

    • by AHuxley ( 892839 )
      Think about it from the US gov/mil perspective.
      Say a US clandestine agency needed a skilled flight crew to load a big transport aircraft and fly a lot of support in for "freedom" to some "pro democracy" group.
      The US clandestine agency does not want a log of its complex crew searches and have to request a decrypt of many different gov/mil/contractor databases.
      So all that mission critical worker data is easy to search and kept in a format every US gov computer system can access without questions or track
      • by PPH ( 736903 )

        This makes sense. But looking at it another way, it's not necessary for an adversary to examine your search parameters. They can make a pretty decent guess at what you are up to by examining the results of your search (who you hired) if they know what individuals' skill sets are.

        And some of that intelligence is valuable long after the fact. So building up a list of where people were from resumes and past assignments is still of considerable use to an enemy. Operational data (where we might be shipping arms

        • by AHuxley ( 892839 )
          Re " But looking at it another way, it's not necessary for an adversary to examine your search parameters. "
          That depends if the USA is doing a new version of Iran Contra and needs to ensure no system or network ever keeps any related files/logs this time. https://en.wikipedia.org/wiki/... [wikipedia.org]–Contra_affair
          Re "They can make a pretty decent guess at what you are up to by examining the results of your search (who you hired) if they know what individuals' skill sets are."
          The US had a few considerations
  • The OPM data breach lost all the shit anyway. It's a treasure trove for identity theft. Where did you go to high school, what was you mothers maiden name, what was you address 20 years ago? It's all in those SF171 forms.
    • by Anonymous Coward

      The OPM data breach lost all the shit anyway. It's a treasure trove for identity theft. Where did you go to high school, what was you mothers maiden name, what was you address 20 years ago? It's all in those SF171 forms.

      You're thinking too small. It's not about identity theft. It's about intelligence work and social engineering of people who are involved in national security. It's about recruiting new spies. It's about predicting and influencing policy. And with resumes, it's about understanding another country's secret projects so you can work against them.

      https://yro.slashdot.org/story... [slashdot.org]

      • Read it. Understand that the US has always been easily penetrated at this level. We have no real security worth the name at the private sector contractor level.

      • The OPM data breach lost all the shit anyway. It's a treasure trove for identity theft. Where did you go to high school, what was you mothers maiden name, what was you address 20 years ago? It's all in those SF171 forms.

        You're thinking too small. It's not about identity theft. It's about intelligence work and social engineering of people who are involved in national security. It's about recruiting new spies. It's about predicting and influencing policy. And with resumes, it's about understanding another country's secret projects so you can work against them.

        https://yro.slashdot.org/story... [slashdot.org]

        Ah, so I'm guessing a website that specializes in whoring out resumes that include massive lists of US Citizens holding Top Secret clearances has already been confiscated by the US Government, and was shut down?

        Oh look, LinkedIn is still up and running. Gee, I wonder why that is. Maybe it's because US Citizens holding Top Secret clearances has never been deemed classified, confidential, or even sensitive enough to not put on a resume that you freely share with damn near anyone and everyone.

        This was a leak

  • by doctorvo ( 5019381 ) on Sunday September 03, 2017 @02:29PM (#55133373)

    "At no time was there ever a data breach of any TigerSwan server," the firm said. "All resume files in TigerSwan's possession are secure. We take seriously the failure of TalentPen the security of this information and regret any inconvenience or exposure our former recruiting vendor may have caused these applicants."

    You're responsible for your vendors, doubly so since assessing security of others is your business.

    In a sane universe, the founders and owners of TigerSwan would be sued for every dime they have and be barred in perpetuity from all government contracts. In reality, this will get papered over using lame excuses, and Democrats and Republicans will continue to unite in institutionalized corruption and cronyism, in particular in favor of ex-military and ex-government employees.

    • You just summarized politics itself. Here are the actual facts on the ground:

      1) No one cares about this breach except the usual paranoids in the USG. They can up the tall tales of threat all they want, there's a certain limit to how much people with actual power will buy it.

      2) This issue is irrelevant from a mass media perspective. The common person doesn't care, so that angle is covered.

      So, therefore, from a contracting perspective, this is a non-issue. The auditors will bitch and moan but business wil

      • This issue is irrelevant from a mass media perspective.

        As you may notice, the perspective of the mass media is becoming less and less relevant.

        So, therefore, from a contracting perspective, this is a non-issue.

        Short term, it may seem that way. Long term, the trust of Americans in the federal government is eroding, year after year.

    • You are depressingly right.
  • by mhkohne ( 3854 ) on Sunday September 03, 2017 @02:36PM (#55133405) Homepage

    Not that it's an excuse, but in what universe is it OK to have internet-connected data repositories that don't have a password? When is that EVER a good idea? Why can you even create a bucket without some kind of authorization on it? That's just kinda stupid.

    And yea, TigerSwan: You were freaking responsible for the data. You might not directly employ the guy who screwed up, but your contractors are YOUR problem. The fact that you obviously DIDN'T control your contractors properly indicates that you probably aren't the right guys for the job.

    • by Anonymous Coward

      Not that it's an excuse, but in what universe is it OK to have internet-connected data repositories that don't have a password? When is that EVER a good idea? Why can you even create a bucket without some kind of authorization on it? That's just kinda stupid.

      Amazon S3 is used for content hosting for public web sites; of course, there are public buckets.

      • Amazon S3 is used for content hosting for public web sites; of course, there are public buckets.

        There's a public square in most conventional towns. Doesn't mean anyone with a lick of common sense goes out there dragging bags of money with them.

        If your stuff needs security, you don't put it somewhere that has no security.

        If your stuff needs security, and you hire someone who knows nothing about security to manage it, it's your fault.

    • Not that it's an excuse, but in what universe is it OK to have internet-connected data repositories that don't have a password? When is that EVER a good idea? Why can you even create a bucket without some kind of authorization on it?

      Mostly for hosting web pages. People host their websites on AWS (obvously) and any static resources gets hosted in either S3 or a CDN.

    • Not that it's an excuse, but in what universe is it OK to have internet-connected data repositories that don't have a password? When is that EVER a good idea? Why can you even create a bucket without some kind of authorization on it? That's just kinda stupid.

      And yea, TigerSwan: You were freaking responsible for the data. You might not directly employ the guy who screwed up, but your contractors are YOUR problem. The fact that you obviously DIDN'T control your contractors properly indicates that you probably aren't the right guys for the job.

      This has been done before and one of 4 times my data has been hacked. https://www.computerworld.com/... [computerworld.com]

  • Surprised Chris Vickery from upguard wasn't slapped with felony cyber terrorism charges and arrested yet. This kind of unauthorized access is criminal and he should never see the light of day, much less a computer, for the rest of his life. TigerSwan and TalentPen are the real victims here. He probably even wears a hoodie. /s
  • by edibobb ( 113989 ) on Sunday September 03, 2017 @02:59PM (#55133503) Homepage
    Amazon is not the one responsible for this. It's the idiot who didn't bother to secure the data. Amazon just gets attention in the headline.
  • So long as there are no penalties for bad security, we will not have a concerted effort to always have good security.

  • by ClickOnThis ( 137803 ) on Sunday September 03, 2017 @03:21PM (#55133597) Journal

    Every time I hear the phrase 'insecure document' I die a little ... of laughter.

    An insecure document is a document that is harbouring feelings of self-doubt. 'Am I really a document? Do people like to read me? Does this file format make me look fat?'

    Folks, it's unsecured, not insecure. Yeah I know, it's probably too late to change this. But I just need to say it. There, I feel better now.

    • Just wait till it's so overused it will literally be in Websters.
      • As is commonly the case, the highly-upvoted snark about legacy language is dead wrong. It's already in Webster's:

        2: not adequately guarded or sustained : unsafe an insecure investment

        https://www.merriam-webster.com/dictionary/insecure [merriam-webster.com]

        (Side note: "The only modern dictionaries that trace their lineage to Noah Webster's are published by Merriam-Webster.", Wikipedia [wikipedia.org].)

    • Imho both terms can apply to software, but they mean different things.

      An application is unsecured if there is no intention or attempt to secure it. "The data was available in an unsecured S3 bucket, wide open the world."

      An application is insecure when there is intention and attempt to secure it, but that attempt fails due to a software bug or misconfiguration. "The data was available on an insecure 'private' server. At attacker executed a SQL injection attack and gained unauthorized access."

    • Hush! If Tony Leondis reads this we'll get a movie about an insecure document!

  • by McLae ( 606725 ) on Sunday September 03, 2017 @03:46PM (#55133661) Homepage
    No company does what they are paid to do these days. It is outsourced to a company that outsources security that outsources to some fat kid laying in bed. Who hires an Indian in Mumbai to do the actual work. No surprise that something like accountability gets lost.

    And all to pretend to improve the bottom line.

    • by swm ( 171547 )

      Hitler: (screaming at his generals) You outsourced our security to a vendor who's servers are in Leningrad?!?!
      -- from an EFF Downfall parody

  • "TigerSwan" and "TalentPen"? Really?

    Aren't those the names of the newer black-ops programs from the next Jason Bourne movie, now that they are fully finished with "Treadstone" and "Blackbriar"?
  • ... weasel words.

    "At no time was there ever a data breach of any TigerSwan server"

    Technically correct. But completely misleading.

  • No security company that blames security breaches on its own subcontractor is worse shit. It demonstrates that they are useless for any real-world security. Everyone deals with subcontractors. If you can't verify their security, you are worthless.

  • I've held plenty of clearances, going back over 20 years. At NO point during my service or debriefs from leaving jobs that required clearances was it deemed illegal or even discouraged to list my work on a resume, also known as that unclassified document you share with anyone and everyone you might want to work for all throughout your life.

    Was sensitive information leaked? Application documents included drivers license info, passport numbers, and some SSN data. Yes, I'd say some PII was not protected wel

  • Every single individual with Top Secret clearance has already been exposed with the OPM breach (2012-2015). OPM (Office Of Personal Management) suffered a successful spear fishing breach in which the personal information of every single current and past federal worker's (including all military and those who've applied for the Top Secret clearance) stolen. The number of individuals exposed exceed 21 million. The lost information included the 127 page personal questionnaire required for clearance evaluat

A computer lets you make more mistakes faster than any other invention, with the possible exceptions of handguns and Tequilla. -- Mitch Ratcliffe

Working...