Spy Games: How Booz Allen Hamilton Exposed Pentagon Access Keys

Updated on November 29, 2017 by Dan O'Sullivan

Filed under: data breaches, third-party vendor risk

In what constitutes the latest in a series of blows to the US intelligence community’s reputation for stringent information security, UpGuard’s Cyber Resilience Team can now reveal the discovery by Cyber Risk Analyst Chris Vickery of a publicly exposed file repository containing highly sensitive US military data. Analysis of the exposed information suggests the overall project is related to the US National Geospatial-Intelligence Agency (NGA), a combat support and intelligence agency housed within the Department of Defense (DoD).

While the precise identity of the owner of the unsecured Amazon Web Services “S3” bucket on which the data set was hosted remains murky, domain registrations and credentials within the data set point to private-sector defense firm Booz Allen Hamilton (BAH), as well as industry peer Metronome, both of which are known NGA contractors. The revelation of exposed and highly sensitive data involving an intelligence agency tasked with everything from battlefield imaging in Afghanistan to satellite surveillance of North Korea’s ballistic missile arsenal comes at a frighteningly tense time for international relations. Coming on the heels of contentious debate in Washington over a series of national security leaks, this exposure of systems used to provision servers designed for handling intelligence data up to the classification of Top Secret serves to highlight the even more common and potentially grave threat vectors presented by cyber risk—a state of affairs in which simple human error can be as damaging as outright malice.

A Discovery

Vickery’s initial email to Booz Allen Hamilton’s Chief Information Security Officer (CISO), notifying the consulting giant of a potential data breach, was sent on Wednesday, May 24th, following an ominous discovery analyzing an exposed data set. In short, information that would ordinarily require a Top Secret-level security clearance from the DoD was accessible to anyone looking in the right place; no hacking was required to gain credentials needed for potentially accessing materials of a high classification level. Unprotected by even a password, the plaintext information in the publicly exposed Amazon S3 bucket contained what appear to be the Secure Shell (SSH) keys of a BAH engineer, as well as credentials granting administrative access to at least one data center’s operating system.
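The two failure modes in this exposure, a bucket readable by anyone and plaintext private keys sitting in it, are both checkable before an outsider finds them. The script below is an added example written for this article, not UpGuard's or BAH's tooling; it runs offline against constructed inputs shaped like the responses of S3's GetBucketAcl and GetBucketPolicy calls (the bucket name, VPC endpoint id and key material are placeholders), flags grants to the AllUsers/AuthenticatedUsers groups and wildcard-principal policy statements, and scans object bodies for SSH private keys and AWS access key ids.

```python
"""Offline audit of an S3 bucket for public access and stored secrets.
Added example, not code from UpGuard or Booz Allen Hamilton; all inputs
are constructed and no AWS API calls are made."""
import re

# S3 predefined group URIs that make a grant public. AuthenticatedUsers
# means any AWS account in the world, not just accounts you control.
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def acl_public_grants(acl):
    """Return (grantee_uri, permission) pairs in a GetBucketAcl-shaped dict
    that grant anything to AllUsers or AuthenticatedUsers."""
    hits = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEES:
            hits.append((grantee["URI"], grant.get("Permission")))
    return hits


def _wildcard_principal(principal):
    """True for Principal "*" or {"AWS": "*"} (also when "*" is in a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def policy_wildcard_statements(policy):
    """Split Allow statements with a wildcard principal into those with no
    Condition (public outright) and those with one (needs manual review,
    since a Condition may still be satisfiable by anyone)."""
    stmts = policy.get("Statement", [])
    if isinstance(stmts, dict):  # a single statement may be a bare object
        stmts = [stmts]
    unconditional, conditional = [], []
    for s in stmts:
        if s.get("Effect") != "Allow" or not _wildcard_principal(s.get("Principal")):
            continue
        (conditional if s.get("Condition") else unconditional).append(s.get("Sid", "<no Sid>"))
    return unconditional, conditional


# Markers for the secret types named in the article: SSH private keys and
# AWS access key ids (AKIA = long-term key, ASIA = temporary key).
SECRET_PATTERNS = {
    "ssh_private_key": re.compile(r"-----BEGIN (?:RSA |DSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
}


def scan_objects(objects):
    """objects maps object key -> text body. Return sorted (key, finding) pairs."""
    findings = []
    for key, body in objects.items():
        for name, pattern in SECRET_PATTERNS.items():
            if pattern.search(body):
                findings.append((key, name))
    return sorted(findings)


def audit_bucket(acl, policy, objects):
    """Combine the checks; 'public' is True when the ACL or an unconditional
    policy statement opens the bucket to everyone."""
    grants = acl_public_grants(acl)
    unconditional, conditional = policy_wildcard_statements(policy)
    return {
        "public": bool(grants or unconditional),
        "acl_grants": grants,
        "policy_public": unconditional,
        "policy_review": conditional,
        "secrets": scan_objects(objects),
    }


# Constructed sample inputs; canonical ids, the bucket name, the VPC
# endpoint id and the key material are placeholders, and the access key
# id is the AWS documentation example value.
SAMPLE_ACL = {
    "Owner": {"ID": "owner-canonical-id-placeholder"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id-placeholder"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-bucket",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-placeholder"}}},
    ],
}
SAMPLE_OBJECTS = {
    "deploy/id_rsa": "-----BEGIN RSA PRIVATE KEY-----\nMIIEconstructedNotARealKey\n-----END RSA PRIVATE KEY-----\n",
    "config/settings.ini": "[aws]\naws_access_key_id = AKIAIOSFODNN7EXAMPLE\n",
    "README.txt": "build notes only\n",
}

if __name__ == "__main__":
    import json
    print(json.dumps(audit_bucket(SAMPLE_ACL, SAMPLE_POLICY, SAMPLE_OBJECTS), indent=2))
```

Against the samples the report marks the bucket public on two independent grounds (the AllUsers READ grant and the unconditional `PublicRead` statement), lists `VpcOnly` for review rather than as a finding, and reports both stored secrets. The content scan is a plain marker search, so it will miss keys that are base64-wrapped or split across objects; its point is that a credential leak of the kind described here is detectable by the owner with a trivial pass over the bucket, before and independently of any outside notification.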

After receiving no response from BAH to his initial notification, Vickery escalated his notification attempts by sending an email to the NGA at 10:33 AM PST, Thursday, May 25th. Nine minutes later, at 10:42 AM PST, the file repository was secured—an impressively speedy response time from a major US intelligence agency.

Later that day, at approximately 5 PM PST, BAH belatedly responded to Vickery’s initial notification—hours after public access to the data had already been cut, and well over a day since the original notification was issued. BAH’s response, sent on behalf of the firm’s CISO, acknowledged receipt of the notification and stated they were investigating the issue. BAH made no apparent indication they were aware that the exposure had already been plugged—itself a noteworthy event.

Due to the diligent work of Chris Vickery on behalf of UpGuard, and the rapid response of the NGA to his notification, a potentially catastrophic breach of systems dealing with the most sensitive corners of the US military-industrial apparatus was averted. Pursuant to an explicit government request on May 26th, UpGuard has preserved the data downloaded during this discovery. Until such time as UpGuard is cleared to securely and permanently delete this data, it will be safeguarded with the same stringent standards with which it has thus far been kept.

Lingering Questions

That top secret geospatial intelligence was potentially accessible for anyone with an internet connection is perhaps not even among the more alarming revelations of this exposure. Indeed, while the data in this case may have been far more consequential to the US government than most sensitive information exposed online, the same trends driving cyber risk in IT systems around the world are visible in this case.

Unsecured Amazon S3 buckets have starred in previous massive government data breaches. In April 2016, Vickery discovered a publicly accessible database containing the voter registration records for 93.4 million Mexican citizens, apparently posted to an Amazon cloud database by IT staff of the Mexican political party Movimiento Ciudadano. By aiding in securing the database, which lacked even password protection, Vickery helped protect more than seventy percent of the country’s population from the risk of exposure of their personal information—including to violent drug cartels with a track record of such exploitation.

As the aforementioned voter rolls were, at the time, distributed under Mexican law to all political parties in the country, the incident provides a relevant lesson: information security is only as good as the weakest link in the chain. Nowhere is this more true than in evaluating third-party vendor risk.

Booz Allen Hamilton is already aware of this truth. This is not BAH’s first brush with data leakage—nor even its most consequential. Among its former analysts is one Edward Snowden, who later stated he had accepted a position with BAH with the specific goal of acquiring and leaking National Security Agency (NSA) data. More recently, BAH employee Hal Martin was indicted on allegations that he exfiltrated a large collection of NSA software and secret documents, hoarding the data in his Maryland home. This is a troubling track record for a company tasked with the most valuable tools of American spycraft.

But while both the Martin and Snowden cases involved the willful removal of this data—and did not involve the exposure of system access to the general public—it remains unclear just how this Amazon bucket came to be exposed. As with IT operations, misconfigurations and mistakes tend to account for a far greater share of cyber risk than do vulnerabilities or insider attacks, while receiving far less attention as a threat vector.

The “House of Cards”-style grand villain really is mostly fiction; ordinary errors often pose a greater risk. Despite this reality, there has been relatively little informed scrutiny of the actual cyber postures of the private firms entrusted with so much sensitive intelligence, to say nothing of billions of dollars in taxpayer funds. Evaluating some of the relevant defense contractors using the CSTAR cyber risk scanner is illustrative in showing just how egregious the failings of information security can be.

CACI International—Fortune 1000 federal contractor, heavily involved in intelligence services in post-invasion Iraq. CSTAR Score (out of a possible maximum score of 950): 437 (Low)

GEOINT Services—Unclassified geospatial software and application provider offered by the NGA as a resource for the entire US Intelligence Community (IC). CSTAR Score (out of a possible maximum score of 950): 428 (Low)

Booz Allen Hamilton—Top 100 US federal contractor, with over 22,000 employees located in 80 countries around the world; dubbed by Bloomberg “the world’s most profitable spy organization.” CSTAR Score (out of a possible maximum score of 950): 390 (Poor)

SolidDyn—Colorado-based defense and intelligence contractor whose clients include the National Security Agency (NSA), US Air Force (USAF), and Central Intelligence Agency (CIA). CSTAR Score (out of a possible maximum score of 950): 276 (Poor)

Metronome—Defense and intelligence contractor whose clients include the National Geospatial-Intelligence Agency (NGA), the Central Intelligence Agency (CIA), and the Defense Intelligence Agency (DIA). CSTAR Score (out of a possible maximum score of 950): 143 (Poor)

As the disappointing CSTAR scores indicate, cyber risk is a problem common to even the home webpages of many government contractors. Some light searching indicates that defense contractor Metronome, also mentioned in the data set plaintext and somehow tied to the exposure, is no stranger to less-than-secure operations. At the time of this writing, Google’s search results for Metronome display metatags and sublinks from Metronome’s homepage advertising the drugs Viagra and Cialis.


Google search result for Metronome USA, US defense contractor.

A cursory review of Metronome’s current home page source code does not reveal from where this pharmaceutical advertising is coming. It is conceivable Google may still be displaying the results of a semi-recent malicious altering of Metronome’s site, which Metronome may have since fixed. Unless a defense contractor tasked with assisting in geospatial intelligence operations chose to voluntarily poison their own website with ads for erectile dysfunction pills, this is a troubling omen.

Vendor risk is as real as any internal risk, if the vendor is relied upon in any serious way. While it is not every day that such a risk might affect questions about international stability in East Asia, or warfare in the Middle East, the lessons of such failings of cyber resilience are relevant to any IT operation.
