Pentagon Left Web Monitoring Data on Unsecured Amazon Buckets
Three misconfigured Amazon S3 databases contained content scraped off the internet belonging to the Department of Defense.
A researcher stumbled upon three misconfigured Amazon S3 servers earlier this fall containing 1.8 billion pieces of web-monitoring data that belongs to divisions of the U.S. Defense Department.
Chris Vickery, a researcher at the cybersecurity firm UpGuard, revealed on Friday that he discovered the data back in September and said he quickly determined it belonged to both the U.S. Central Command (CENTCOM) and U.S. Pacific Command (PACOM), two divisions of the Pentagon.
CENTCOM, based out of MacDill Air Force Base in Tampa, Fla., oversees military commands in the Middle East, Africa, and Central Asia while PACOM, based out of Camp H.M. Smith in Hawaii, oversees commands across Southeast Asia, Australia, and Oceania.
The information appears to be bits of scraped internet content, comments left on articles and news sites, and Facebook posts. Vickery said Friday it looks as if the information gathered was designed to be used in a “Pentagon intelligence-gathering operation.” Some of the data, like the social media and forum posts, dates back to 2009, while the most recent data was indexed in August this year. While much of the data belongs to Americans, some posts are in Arabic, Farsi, and a number of Central and South Asian dialects, Vickery said.
Vickery says he believes a defunct private-sector contractor named VendorX built and operated the data stores. Vickery posits the information gathered may have fed into Outpost, a social engineering effort built by the company. The contractor has little web presence; according to the LinkedIn profile of Erik Kjell Berg, former vice president of product at VendorX, the project was billed as "a multilingual social analytics platform designed to positively influence change in high-risk youth in unstable regions of the world, built exclusively for the Dept. of Defense."
While the researcher says it isn't definitive what the purpose of the data is, the fact that it was left on a series of publicly accessible Amazon cloud storage buckets is alarming. Anyone who has an Amazon Web Services account, something available for free, could have viewed the buckets. The buckets were poorly secured but with names like “centcom-backup,” “centcom-archive,” and “pacom-archive,” they were also easily identifiable.
Neither CENTCOM nor PACOM immediately returned requests for comment on Monday. According to CNN, the Defense Department secured data on all three buckets by October 1 after being notified about the issue in mid-September by Vickery.
The finding is the latest in a long line of misconfigured Amazon Web Services buckets. Over the summer, Vickery and UpGuard discovered the entirety of Chicago's electoral roll, 1.8 million records, accessible to the public in a bucket owned by Election Systems & Software (ES&S), a voting machine and election management systems vendor. A few weeks later researchers came across a misconfigured Amazon S3 repository that contained terabytes of Verizon customer data. Any web user could find the information if they typed in the right URL.