
Just over four years ago, Edward Snowden blew the lid off some of the NSA's most powerful programs and tools for monitoring global communications around the world. In the aftermath of that intelligence debacle — and whatever you think of Edward Snowden and his actions, his releases certainly qualified as a debacle for his employer and its reputation — one would have expected Booz Allen Hamilton to have dramatically overhauled its security procedures, tightened its policies, and taken some basic steps to seal its Titanic-sized leaks. But whatever BAH did to improve security, it wasn't enough to prevent a different contractor, Harold Martin III, from stealing an estimated 50TB of data.

To be clear, as of this writing, no proof has been presented that Martin actually disseminated any of this information, and the government has not charged that Martin leaked information to the press or gave it to anyone. Nonetheless, it's not a great situation for Booz Allen Hamilton. And now, just eight short months later, they've got another debacle on their hands.

On May 24, Chris Vickery, a risk analyst with UpGuard, found an enormous public repository of federal data that contained "highly sensitive" military data as well. Analysis of the files showed that they were related to the US National Geospatial-Intelligence Agency (NGA). This might not seem like much of a leak compared with, say, secret government contacts or juicy national spy programs, but geospatial intelligence (GEOINT) is critical to almost every aspect of modern intelligence gathering. Concerned about whether or not North Korea is moving portable missile launchers into launch positions? That's GEOINT. Concerned about a buildup of troops on the Iranian border? That's GEOINT.

The exact specifications and capabilities of US spy satellites are kept classified. But some of those capabilities can be inferred if you have the data sets in question. If, for instance, you can read the license plates in various spy satellite images, you know the country that took the photos has cameras that can resolve down to that level of detail. As Cyberresilience.io points out, the NGA is where the US houses its information on North Korean missile silos or battlefield imaging in Afghanistan. It's not the sort of information you want enemies to have access to.

Image by Cyberresilience.io

The data, which was housed in an Amazon S3 web service "bucket," wasn't directly registered to Booz Allen Hamilton, but signs apparently point in that direction. Here's how Cyberresilience.io describes what happened:

In short, data that would usually require a Top Secret-level security clearance from the DoD was accessible to anyone looking in the right place; no hacking was required to gain credentials needed for potentially accessing materials of a high classification level. Unprotected by even a password, the plaintext information in the publicly exposed Amazon S3 bucket contained what appear to be the Secure Shell (SSH) keys of a BAH engineer, as well as credentials granting administrative access to at least one data center's operating system.

After receiving no response from BAH to his initial notification, Vickery escalated his notification attempts by sending an email to the NGA at 10:33 AM PST, Thursday, May 25th. Nine minutes later, at 10:42 AM PST, the file repository was secured — an impressively speedy response time from a major US intelligence agency.
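The failure described above has two parts a practitioner can check for without any "hacking": a bucket policy or ACL that grants anonymous read, and object contents that hold plaintext private keys. The following is an added example, not code from the article, UpGuard, Cyberresilience.io or BAH. It runs offline against a constructed bucket policy, a constructed ACL grant list and constructed object bodies (the account ID, role name and object keys are placeholders); in a real audit you would fetch the same three inputs with the boto3 S3 client's get_bucket_policy, get_bucket_acl and get_object calls and feed them to the same functions.

```python
"""Offline audit of S3 exposure: public policy statements, public ACL grants,
and objects containing private-key material. All inputs below are constructed
for illustration and are not from the incident in the article."""
from __future__ import annotations

import re
from typing import Iterable

# Actions that let the matched principal read or list object data.
READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:*", "*"}
# ACL grantee groups that mean "anyone on the internet" / "anyone with any AWS account".
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
PRIVATE_KEY_RE = re.compile(r"-----BEGIN (?:RSA |DSA |EC |OPENSSH )?PRIVATE KEY-----")


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal) -> bool:
    """'Principal': '*' or 'Principal': {'AWS': '*'} both mean anonymous access."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_policy_statements(policy: dict) -> list[str]:
    """Sids (or positional names) of Allow statements granting unconditional read/list to everyone."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow" or not _principal_is_public(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if not actions & READ_ACTIONS:
            continue
        # A Condition (aws:SourceVpce, aws:SourceIp, ...) narrows the grant; only flag unconditional ones.
        if stmt.get("Condition"):
            continue
        findings.append(stmt.get("Sid", f"statement[{i}]"))
    return findings


def public_acl_grants(grants: Iterable[dict]) -> list[tuple[str, str]]:
    """(group, permission) pairs for grants to the AllUsers / AuthenticatedUsers groups."""
    findings = []
    for grant in grants:
        uri = grant.get("Grantee", {}).get("URI")
        if uri in PUBLIC_GRANTEES:
            findings.append((uri.rsplit("/", 1)[-1], grant.get("Permission")))
    return findings


def find_private_keys(objects: dict[str, str]) -> list[str]:
    """Object keys whose body contains a PEM private-key header."""
    return sorted(key for key, body in objects.items() if PRIVATE_KEY_RE.search(body))


# Constructed weak policy: the first statement is the classic "public read" mistake.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "VpcOnlyList", "Effect": "Allow", "Principal": "*",
         "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-bucket",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
    ],
}
# Constructed hardened policy: same access, but only for a named role (placeholder account/role).
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "RoleRead", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/data-reader"},
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
    ],
}
# Constructed ACL grants, in the shape get_bucket_acl returns under 'Grants'.
WEAK_ACL_GRANTS = [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]
# Constructed object bodies; the key material is a placeholder, not a real key.
SAMPLE_OBJECTS = {
    "backups/engineer_id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\nCONSTRUCTED\n-----END OPENSSH PRIVATE KEY-----\n",
    "backups/engineer_id_rsa.pub": "ssh-rsa AAAAB3Nza... engineer@example\n",
    "notes/readme.txt": "deployment notes, nothing secret\n",
}

if __name__ == "__main__":
    print("public policy statements:", public_policy_statements(WEAK_POLICY))
    print("public ACL grants:", public_acl_grants(WEAK_ACL_GRANTS))
    print("private keys found in:", find_private_keys(SAMPLE_OBJECTS))
```

The policy check deliberately ignores statements that carry a Condition, since a wildcard principal restricted to a VPC endpoint or source IP is not world-readable; a stricter audit would treat any wildcard principal as a finding and review the conditions by hand. The key scan is a content check, not a name check: the leaked material in the story was dangerous because the files were plaintext, so it is the file bodies that need scanning.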

It's not a skilful look for one of America's top defence force contractors. And information technology'south bound to raise further questions nearly what, exactly, BAH is doing — or not doing — to lock down national security information. Initially, UpGuard claimed that the information establish in the insecure repository was classified as Acme Secret. BAH has told Ars Technica that while the information wasn't directly connected to classified systems, credentials included inside the store could have been used to access more sensitive material.
