U.S. Feds Expose Internet Surveillance Data on Amazon S3
Reports of two separate Amazon S3 data leaks emerged late this week, including the exposure of a massive archive of social media posts scraped from the Internet by the U.S. Department of Defense (DoD).
On Friday, security researchers at UpGuard reported the discovery in early September of three publicly accessible Amazon S3 buckets that appeared to contain DoD surveillance data on Internet users. UpGuard, no stranger to ferreting out instances of Amazon S3 misconfigurations, said the wide-open buckets held at least 1.8 billion records of individuals' Internet posts dating from 2009 to February 2017.
UpGuard traced the data contained in the buckets to two U.S. military agencies: The U.S. Central Command (CENTCOM), which manages U.S. military operations in Egypt, Saudi Arabia, Iran, Pakistan and Kazakhstan, among other countries, and the U.S. Pacific Command (PACOM), which oversees operations in the Asia-Pacific. The buckets themselves were managed by a government contractor called VendorX, which is now apparently defunct.
The data in the buckets spanned civilians' Facebook posts, Web article comments, forum posts, discussion groups and Tweets. The data appeared to cover a broad swath of individuals, according to UpGuard. Languages represented included Farsi, Arabic and other Central and South Asian dialects. Some posts were from foreign Web sites, while some were from the United States and made by American citizens. Some were political in nature, while others "appear entirely benign."
By now, it's old hat to remind organizations to make sure that their Amazon S3 buckets are not configured for public access, especially after months of highly publicized data exposures stemming from misconfigured buckets. The scope of the data exposed in this particular leak, however, is unique in that it raises "serious concerns about the extent and legality of known Pentagon surveillance against US citizens," according to UpGuard researchers.
"[I]t remains unclear why and for what reasons the data was accumulated, presenting the overwhelming likelihood that the majority of posts captured originate from law-abiding civilians across the world," they said.
ABC Data Leak
Besides the DoD, the Australian Broadcasting Corporation (ABC) was also reported to have exposed a significant amount of critical data on a misconfigured Amazon S3 bucket this week.
Researchers at Kromtech Security on Thursday reported its discovery of publicly accessible buckets belonging to ABC's commercial arm, which is in charge of the network's retail sales. Kromtech described the information in these buckets as being mostly derived from backups of ABC's MySQL database. Among them were "several thousands emails, logins, hashed passwords for ABC Commercial users," including those of "well-known members of the media."
The exposed information also included log-in and security key information for a separate ABC data repository, data from other media companies' content licensing agreements, and nearly 2,000 MySQL database backups dating from 2015.
ABC, which confirmed the exposure in a brief note on Friday, secured the buckets "within minutes," according to Kromtech.
News of both data leaks comes less than two weeks after AWS rolled out new security capabilities designed specifically to lock down Amazon S3 environments.
Gladys Rama (@GladysRama3) is the editor of Redmondmag.com, RCPmag.com and AWSInsider.net, and the editorial director of Converge360.