
Defense Contractor Left Sensitive Pentagon Files on Unprotected AWS S3 Bucket - danso
http://gizmodo.com/top-defense-contractor-left-sensitive-pentagon-files-on-1795669632
======
oval-atom
Retired as govt engineer. Reported a security violation, employees sharing
passwords/account on a secured network. The 2 contractor ITs claimed to know
nothing about it. At most only a handful of employees have access to the
network and at most, but rarely 3 work on the network at the same time. If the
contractor ITs were not aware, and they never are more than a few feet from the
activity, they should have been fired. Management moved me to an isolated area
and began the slow process of retaliation, so as not to look like retaliation.
To their surprise, I walked away from my job. BTW, the supervisor I was
reassigned to, told me not to report any more observations. I am not a fan of
contractor support, and I see no reason to use such infrastructure such as
Amazon to store any data, especially sensitive data.

~~~
SomeStupidPoint
The US is seriously blundering by using contractors for military operations,
and instead needs to hire more military personnel and civilian employees. This
fixation on not having more government staff (and on funneling money to
private sector contractors) is endangering the US government's operation.

In-house staff aren't a panacea, but in-housing critical capabilities has
always been the prudent decision.

Of course, much the same can be said about contractors and off-shoring in the
private sector as well.

At this point, the US is cannibalizing its future for short-term gains. Of
course, the people making the decisions generally won't bear the costs, and
have convinced much of the populace that such a strategy will benefit them
through wishes and pixie dust.

~~~
dyeje
Nothing changes until we can reduce money's influence over the election
process. Until then, any special interest with deep enough pockets can and
will have US taxpayers over a barrel.

~~~
tapatio
Nothing changes until the gov pays competitive salaries.

~~~
balladeer
This is one of the root problems in India too. At the end of the day, in a
Govt job, it's just:

- a lot of bureaucracy

- and the mandatory ass-licking

- working on ancient platforms and techs

- and a lot less pay compared to the market (so either you do under the table
deals, or well..)

Very few tier one engineers go for Govt jobs and almost no tier one engineers
from tier one college go for the Govt jobs.

Top it with a maddeningly absurd and archaic interview process and selection
criteria.

~~~
tapatio
Exactly.

------
tuna-piano
For those wondering how this can happen - AWS' command line tools and SDKs by
default upload files as private. Scarily, some other libraries set uploads to
public by default, for example:
[https://www.smore.com/labs/tinys3/](https://www.smore.com/labs/tinys3/)

For those who say cloud isn't less secure than on-prem... that may be true.
However, the cloud is generally just one incorrect click or setting away from
being completely open.

Anyone know how the security researcher found the public bucket? Does he just
crawl for buckets made up of common words? Does AWS not limit the amount of
crawling from one IP?

~~~
FooHentai
>For those who say cloud isn't less secure than on-prem...

I mean that's fundamentally untrue, simply from a trust, venn-diagram point of
view. With cloud you have to assume an additional trust with a third party
that you don't with on-prem.

Is this difference meaningful? that's arguable. But no matter which way it's
argued it's still fundamentally true that in direct comparison between a
cloud-hosted and self-hosted system, the cloud-hosted version inherently
requires a higher level of trust.

~~~
nothrabannosir
I agree with OP, but this is not true. You can trust Amazon to be better at
security than you are. In essence, depending on how (in)competent you are,
cloud allows you to convert money into security.

If I am a complete zero when it comes to securing my home, and I get a
professional contractor to do it. Is that "inherently less secure" because I
have to trust him, now, too? Not necessarily, if he does a much better job
than I would have done. It can make up for that extra trust.

If you are as competent, or more, than Amazon: sure. You are right. But not
all of us are so lucky :)

~~~
jlarocco
> You can trust Amazon to be better at security than you are.

Unless you have more access to Amazon internals than everybody else, then you
can't really know that for sure. Even if you did, it's only true if you've
decided to let it be that way. There's nothing stopping a company from hiring
great security people, and implementing their own great security.

Also, there are many scenarios, like a defense contractor handling sensitive
information, where I would expect the in-house (or in-government, I guess)
security to be a lot better than Amazon's.

~~~
NikolaeVarius
You say this, but I would not be so sure about that after having worked for a
defense contractor.

~~~
jlarocco
I've also worked for a defense contractor, and the company I worked for, and
the facility I worked at, took securing classified information very seriously.
The consequences for screwing it up can literally be prison time, so I'm
really surprised to hear the company you worked for didn't take it more
seriously.

In this specific case, it doesn't sound like the "sensitive Pentagon Files"
were classified at all, though, so it's probably not as big of a deal as the
article is making it out to be.

------
sevensor
The really interesting question for me is why the government would award new
contracts to Booz Allen after the Snowden leaks. (While I applaud Snowden, I
deplore the government's inability to prevent his leaks.) Booz Allen
demonstrated that they were unable to enforce appropriate practices for
handling classified data. So what's the rationale for ever awarding them
another contract? What capabilities do they have that the government doesn't
have or can't develop?

~~~
jbooth
The question is more, "what capabilities do they have that other companies
don't", and I suspect the answer is "extreme proficiency at the federal RFP
process".

~~~
ipunchghosts
This!

I interviewed at Booz in 2004. I told them I was interested in going to grad
school and that I heard they work their new hires to death. I told them that
I'd rather work myself to death in grad school where I can get a PhD rather
than at Booz. They said none of the folks in their group work more than 40
hours so I agreed to come in for an interview.

So I arrive at my interview all suited up. I was interviewed in a lunch room
by a woman first. She was really nice. I asked her how many hours she works a
week and she said around 60 and that everyone does. I was a bit taken back
because this is the opposite of what the hiring manager had said.

Interviewer 2 comes in and I ask the same question during the course of the
meeting and I get the same answer: he works 60 hours a week and so does
everyone else but everyone really loves their work. I'm angry now because I
had to drive 4 hours to get to this interview and it essentially wasted a
whole day.

I literally got up in the middle of the interview and shook the guy's hand and
said, sorry, but I don't think this will work for me. The hiring manager must
have seen that something was up and came and asked what was going on. I
politely said he lied to me about the position and mentioned the hours thing
and he accused me of not being a team player. I told him frankly, you wasted
my time and said goodbye. He threatened to not pay my hotel and per diem as I
walked out. I never even acknowledged him and just kept going. I walked out
past security on the way out and dropped off my badge, I didn't even sign out
and no one even bothered to stop me.

They ended up paying for everything and there were no consequences. I ended up
getting a well paying job at raytheon the following day. I worked there for 5
years and never worked a day over 8 hours AND they paid for my graduate work
(they offered).

A friend mentioned it best, "When you Booz, you lose."

~~~
basseq
Similar Booz story: I took an interview with them while with a competitor. I
had no real interest in the firm, but was interested in what they had to say
and offer for competitive intel. Ended up having a _great_ interview with the
guy who ran one of their larger accounts, who happened to be one of my clients
at the time. Got a phone call from their recruiter that evening who was
_excited_ to offer me a position at a 30% pay cut and a more junior title. She
didn't understand my confusion, tried to convince me that "our managers are
basically partners at all the other firms", and eventually got the picture
when I started laughing.

I _think_ it was also Booz who tried to get me to tell them confidential
compensation information because, quote, "C'mon, I'm not going to tell
anyone."

------
danso
It's really confusing how they ended up in this predicament. S3 buckets are
private by default. You have to manually configure them to be public-read.
Given the scope of Booz Allen's work, it doesn't seem like they needed any of
the S3 buckets to ever be just public. I wonder if they're using software or
maybe even just copied a script in which the default assumption for S3
configuration and uploads is to set files to be public?
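
Both tuna-piano's point above (S3 uploads are private by default, but some client libraries default to public) and danso's question here (did a tool or copied script flip the default?) come down to the same check a defender can run: look at the grants actually attached to the bucket and its objects, rather than trusting whatever tool wrote them. The following is an added example, not code from the thread or from any tool mentioned in it. It assumes ACL and policy documents in the dict shape that boto3's `get_bucket_acl`/`get_object_acl` and a parsed bucket-policy JSON return; the sample ACLs and policy embedded at the bottom are constructed for illustration, and `audit_bucket` only needs an object with `list_objects_v2` and `get_object_acl` methods, so a real `boto3.client("s3")` or a fake can be passed in.

```python
"""Flag S3 ACL grants and bucket-policy statements that open data to everyone.

Added example, not code from the discussion. Works on response dicts, so it
runs offline against the constructed samples below.
"""

# Canned group URIs AWS uses in ACL grants for "everyone" and "any AWS account".
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS, AUTHENTICATED_USERS}


def public_grants(acl: dict) -> list[tuple[str, str]]:
    """Return (group, permission) pairs that grant access to a public group.

    `acl` has the shape boto3 returns from get_bucket_acl / get_object_acl:
    {"Owner": {...}, "Grants": [{"Grantee": {...}, "Permission": "READ"}, ...]}
    """
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            group = grantee["URI"].rsplit("/", 1)[-1]  # AllUsers / AuthenticatedUsers
            found.append((group, grant.get("Permission", "")))
    return found


def _principal_is_wildcard(principal) -> bool:
    """True for the forms of Principal that mean "anyone"."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_policy_statements(policy: dict) -> list[str]:
    """Return Sids (or positional labels) of Allow statements open to everyone.

    `policy` is a parsed bucket policy document. A Condition block may still
    narrow access, so a hit means "review this", not "certainly open".
    """
    hits = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") == "Allow" and _principal_is_wildcard(stmt.get("Principal")):
            hits.append(stmt.get("Sid", f"statement[{i}]"))
    return hits


def audit_bucket(client, bucket: str, max_keys: int = 1000) -> dict[str, list]:
    """Walk every object in `bucket` and map key -> public grants found on it.

    `client` needs only list_objects_v2 and get_object_acl (boto3 or a fake).
    Pagination follows the ContinuationToken that list_objects_v2 returns.
    """
    report = {}
    token = None
    while True:
        kwargs = {"Bucket": bucket, "MaxKeys": max_keys}
        if token:
            kwargs["ContinuationToken"] = token
        page = client.list_objects_v2(**kwargs)
        for obj in page.get("Contents", []):
            grants = public_grants(client.get_object_acl(Bucket=bucket, Key=obj["Key"]))
            if grants:
                report[obj["Key"]] = grants
        token = page.get("NextContinuationToken")
        if not page.get("IsTruncated") or not token:
            break
    return report


# Constructed samples (not real account data). The first looks like an object
# written by a tool that defaulted to "public-read"; the second is the normal
# owner-only ACL that the AWS CLI and SDKs produce by default.
OWNER = {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"},
         "Permission": "FULL_CONTROL"}
SAMPLE_PUBLIC_ACL = {
    "Owner": {"ID": "owner-id-placeholder"},
    "Grants": [OWNER, {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}],
}
SAMPLE_PRIVATE_ACL = {"Owner": {"ID": "owner-id-placeholder"}, "Grants": [OWNER]}
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "OwnerOnly", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::000000000000:root"},
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket"},
    ],
}

if __name__ == "__main__":
    print("public ACL grants:", public_grants(SAMPLE_PUBLIC_ACL))
    print("private ACL grants:", public_grants(SAMPLE_PRIVATE_ACL))
    print("open policy statements:", public_policy_statements(SAMPLE_POLICY))
```

Run against a real account by passing `boto3.client("s3")` to `audit_bucket`; the check is deliberately limited to what the ACL and policy documents say, so bucket-level Block Public Access settings (which override both) are a separate, stronger control worth confirming alongside this output.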

~~~
conorh
We had this issue previously as one of our clients was using cyberduck to
upload files and it had default read access for public for uploads.

[1]
[https://forums.aws.amazon.com/thread.jspa?messageID=213248](https://forums.aws.amazon.com/thread.jspa?messageID=213248)

~~~
danso
Yeah, this is also something that can be set using Transmit (my OS X GUI of
choice). I guess I assumed that, given the size of the data they have to
manage, they have something more sophisticated than file-management-by-click-
and-drag but...maybe I'm giving them too much credit in terms of dev ops.

------
atemerev
Sometimes when I read such things, I really hope that it was a planted leak to
seed disinformation to The Russians (tm). But then I realize that this is the
US government we are talking about...

------
nthcolumn
Kids these days have it easy. You young whippersnappers! We didn't have google
dorks you have today! Hell we didn't even have google! Back in my day if you
wanted to hack the Pentagon you actually had to hack the Pentagon!!! And there
was no tor hideurass neither... times like this make me think the internet is
just one big honeypot...

------
kelvin0
<Tin-Foil-hat>

Well that could also be construed as an 'oops my bad' kind of way of leaking
documents, instead of going the (painful) whistle-blowing route ...

</Tin-Foil-hat>

------
random3
So docker registry credentials and auth to a "datacenter operating system". I
wonder if they use Mesos and Mesosphere's DC/OS :)

