Exposed Military Email Server Caused ‘Internal Emails to Leak’
Fox News confirmed an email server left exposed for two weeks caused leakage of internal emails:
A misconfiguration with a Department of Defense server hosted on Microsoft Azure’s government cloud allowed the server to be accessed with a password, according to Tech Crunch, who reported that anyone with internet access could access mailbox data if they knew the server’s IP address and were using a web browser.
The server contained around three terabytes of military emails, with many related to the U.S. Special Operations Command, which is a military unit which conducts special operations.
According to the report, the emails inside the server appear to date years back and contain personal information…
A completed SF-86 questionnaire was one of the files left in the open. Government employees fill out the questionnaire to gain security clearance.
Thankfully, the leak did not include anything marked as classified.
Anurag Sen, a researcher who finds data accidentally leaked online, found out about the situation over the weekend. He gave the information to TechCrunch, which told the government:
The server was packed with internal military email messages, dating back years, some of which contained sensitive personnel information. One of the exposed files included a completed SF-86 questionnaire, which are filled out by federal employees seeking a security clearance and contain highly sensitive personal and health information for vetting individuals before they are cleared to handle classified information. These personnel questionnaires contain a significant amount of background information on security clearance holders valuable to foreign adversaries. In 2015, suspected Chinese hackers stole millions of sensitive background check files of government employees who sought security clearance in a data breach at the U.S. Office of Personnel Management.
None of the limited data seen by TechCrunch appeared to be classified, which would be consistent with USSOCOM’s civilian network, as classified networks are inaccessible from the internet.
U.S. Special Operations Command Ken McGraw assured TechCrunch that “no one hacked U.S. Special Operations Command’s information systems.”
This is serious. Plugging this hole will mean the cessation of Xi’s monthly deposits into Austin’s Caymans account.
There is no reason for any DoD or frankly Government email servers to be hosted in the cloud. We squander billions. We can surely afford to build and staff a few datacenters for email.
Well, what the heck do you think the government uses? They have been using Microsoft 365 for years like everyone else. So, all our CIA data is on AWS cloud. It is probably cheaper to house it in the Cloud than to run a few data centers. I wonder who the contractor is that left the door open.
I wouldn’t be so sure that the govt is taking the cheaper option. It has been known to take the most expensive route numerous times.
DoD had already been shifting towards centralized servers. Army has separate garrison and tactical networks. The servers used to be maintained at BDE level then pushed to DIV on the tactical side. The garrison servers were at installation level but now storage on cloud with enterprise services run at installation level. GWOT and rise of cloud storage accelerated this, primarily due to lack of uniformed personnel and cost savings arguments.
Today the customer facing services are done at BN level by uniformed personnel but routed to installation level, staffed by civilian contractors for review and final action. There are some very good civilian employees and contractors. Unfortunately they are a minority at least in my experience.
Many times the civilians are former service members, usually those who did one enlistment and held a MOS, military occupational specialty as a 25B or 25U both of which trained them to do their civilian job. The problem is many times these folks are bitter, former E4 who couldn’t get promoted to E5 (SGT). They sometimes have a grudge and now are in position due to civilian status and federal employee union agreements, to act on it. They do the absolute bare minimum and delight in it with little to no repercussion. Mistakes, delays and uncompleted actions are commonplace.
According to other reports, the DCCC was paying a third party to obtain military records for Republican congressional candidates in 2022 so the contents could be used to smear them. Apparently, all they had to do is tell the military that it was for the purpose of employment. Who needs a password anymore?
That is a separate issue. In that case the DCCC hired an opposition research outfit who it was reported posed as an employer conducting a background screen to verify military service.
Several issues on that. First the guy had somehow gotten the SSN of these 11 people. Second he lied and misrepresented his purpose to the Air Force to fraudulently obtain records. Third the AF gave over far more than they are allowed; basically a 3rd party is allowed to get what amounts to your DD214 (-) SSN.
According to reports they handed over the entire personnel files both open and restricted portions. That’s totally wrong. No one who doesn’t know not to do that should have authorization / access to those records. They don’t leave the hands of the DoD to a potential employer. The AF is gonna get hemmed up on this series of dumb ass errors.
No- cloud providers are generally better at this. The problem is the people who should be auditing and checking are asleep at the wheel.
I actually oversaw the contract for some of this work from 2013-2015. The clearance related areas are one of the few areas where they can’t discriminate against old white dudes in IT – because they are the only ones with clearance, qualifications to do this work. Sorry to the black female gender confused candidates… wait a generation- you too will have top secret clearance.
Note the government had to be TOLD it was exposed… that tells you everything you need to know.
What? You didn’t expect competent people to work for a pedophile like Joe Biden did you?
Affirmative-action hires and competence live in different worlds.
Three terabytes of data but “nothing marked classified.” As if we expect people to put classified markings on their emailed gossip and memes.
And they’re sure no one hacked it because … ???
If the military intel people were competent, they would assume that China (at least) now has the full contents of that server and they would start trying to assess what was lost.
More likely, they’re just making memes about how stupid the IT people are and sending them by email.
If it was a bunch of personnel stuff, it would probably be marked no more than “For Official Use Only”.
Maybe security is a little more important than how many men are wearing a dress.
“A misconfiguration with a Department of Defense server hosted on Microsoft Azure’s government cloud allowed the server to be accessed with a password”
According to reporting elsewhere, it could be accessed without a password. I don’t know which is correct.
Without. It makes no sense otherwise.
Interesting takes above. I keep imagining an “LI Commentariat InfoSec Round Table” moderated something like Hard Drugs, Hard Choices years ago.
That would be fun.
The folks here who know stuff don’t so much disagree as they’re commenting on a particular aspect, or from a particular PoV at the moment.
Infosec in data processing is an elephant problem. Yr only wrong if you think it’s small, or that one aspect is the whole story. Of course, leadership by hot take does exactly that.
Here’s my contribution to cloudy platforms w/ sequestered data: don’t. You’ve expanded the attack surface n side channels. If every thing-and-body in a “cloud” is mutually trusted, sure, it’s admin-cheap scaling. Heterodox — dare I say “diverse” — processing in the same puddle, however, is ridiculously risky.
BTW, this problem in the news isn’t about “cloud” — it’s self-important sloppiness. Like, I don’t know, running State Dept operations for years on a non-SCIF, non-maintained server, over public networks w/ commercial a la carte support.
Not that anybody would ever do that. Just makin up somethin crazy…
You know, if they don’t need that stuff to be secure or available, I can do it even cheaper.
There seems to be no floor for the incompetence of the Biden administration. Any and every department/agency is totally in the hands of people with no experience in their job description and we see the results. Can we make it two more years?