Sensitive US Military Emails Spill Online (techcrunch.com) 32

The U.S. Department of Defense secured an exposed server on Monday that was spilling internal U.S. military emails to the open internet for the past two weeks, TechCrunch reported Tuesday. From a report: The exposed server was hosted on Microsoft's Azure government cloud for Department of Defense customers, which uses servers that are physically separated from other commercial customers and as such can be used to share sensitive but unclassified government data. [...] But a misconfiguration left the server without a password, allowing anyone on the internet access to the sensitive mailbox data inside using only a web browser, just by knowing its IP address.

[...] The server was packed with internal military email messages, dating back years, some of which contained sensitive personnel information. One of the exposed files included a completed SF-86 questionnaire, which is filled out by federal employees seeking a security clearance and contains highly sensitive personal and health information for vetting individuals before they are cleared to handle classified information.

  • by argStyopa ( 232550 ) on Tuesday February 21, 2023 @01:47PM (#63311987) Journal

    "...The exposed server was hosted on Microsoft's Azure government cloud for Department of Defense customers, which uses servers that are physically separated from other commercial customers..."
    You know, so it was SAFER....?

    My company has also gone entirely to cloud storage.

    I wonder what will happen when (it seems inevitable) that we'll be hacked and everyone's personal data is available online. When will there be a class-action suit compelling companies to be liable for the data they have on their employees, if their "securing" that data is hardly secure?

    • by dpille ( 547949 )
      When will there be a class-action suit compelling companies to be liable for the data they have on their employees, if their "securing" that data is hardly secure?

      Uh, no thanks. I think I already have enough years of free credit report monitoring to eventually have the singularity doing it for me.
    • by DarkOx ( 621550 )

      So was this fail because the DoD was running a mail platform on a VM? Or was this a problem with a PaaS service in Azure?

      I think that is a big part of the discussion of how much attack surface and relative safety there is when it comes to cloud v. hosting it on your own kit.

      • I think the problem here is that whoever tf was running that email server lacks basic security skills necessary to make the thing secure. From TFS, "a misconfiguration left the server without a password."

        The vast majority of these cases I see are simply default password or no password, no firewall situations where anyone with an inkling of knowledge would have locked down from the get go. I don't think it matters if it's cloud or on-premise HW if you can't be bothered to apply basic security practices.

      • by ezdiy ( 2717051 )

        Just standard SIPRNet MO. People on there just yolo that shit, it's just poorly paid government worker drones after all. This worked fine because it was isolated intranet. Until Azure started hosting part of it in 2017, and this whole circus with "physical" (but not nearly as much network level) separation.

    • When will there be a class-action suit compelling companies to be liable for the data they have on their employees, if their "securing" that data is hardly secure?

      (Company CEO) "Oh, I'm sorry you were speaking to me as if I give a shit. Liability insurance department is down the hall, on your left. Kindly fuck off."

      Hope that explains why the class-action suit will be funded and paid for by the class getting screwed by it.

    • I wonder what will happen when (it seems inevitable) that we'll be hacked and everyone's personal data is available online.

      That pretty much did happen in 2015 to anybody employed or cleared by the government - the OPM Hack

      https://en.wikipedia.org/wiki/... [wikipedia.org]

      This summary is saying "an" SF86 form was exposed. The OPM hack was that, times (literally) 22.1 million.

  • GUB'MIT CLOUD

  • Cloud and security don't go in the same sentence!
    • Left this reply on another comment, it applies to yours as well:

      I think the problem here is that whoever tf was running that email server lacks basic security skills necessary to make the thing secure. From TFS, "a misconfiguration left the server without a password."

      The vast majority of these cases I see are simply default password or no password, no firewall situations where anyone with an inkling of knowledge would have locked down from the get go. I don't think it matters if it's cloud or on-premise HW

      • Which implies that the management, and ultimately the executives (generals?) lack the basic security skills to hire people to handle the lower level security details.

        Part of the problem is failing to realize that when working with sensitive information, ALL actions and operations need security oversight. I.e., you can't just hire some outside contractor (the cheapest there is) to migrate your server of old emails into "the cloud". Even having someone without the necessary basic security training on staff i

  • likely somewhat "meh" in terms of actual secrets exposed. Random government email is mostly "everyone attend this safety lecture" and "hey Bob, what do you want for lunch - burgers or thai?"

    As for the SF86 form. Well, that ain't great for that one individual. That's pretty much all their personal info and life history, but not financial numbers. Annnnnnddd that's why you should use 2FA on anything really important.

    Given our government's level of leakiness, at this point, I would assume that Russia an
    • SF-86 would have enough information on a person to successfully social engineer a bank, cell carrier, etc into giving you access.

      • SF-86 would have enough information on a person to successfully social engineer a bank, cell carrier, etc into giving you access.

        The SF-86 has enough information to blackmail someone into giving you anything. But a single one doesn't matter at this point because Obama let China steal all of them.

  • The exposed server was hosted on Microsoft's Azure government cloud for Department of Defense customers

    The way things have been going lately, I half expected it to be a server in Mar A Lago.

  • by awwshit ( 6214476 ) on Tuesday February 21, 2023 @02:40PM (#63312169)

    How can something in the Government Cloud even have the option to be passwordless? This is both an admin fail and a service provider fail, in terms of a secure Government cloud.

  • Waste my money (Score:5, Insightful)

    by DarkRookie2 ( 5551422 ) on Tuesday February 21, 2023 @02:43PM (#63312177)
    Can the gov spend the money on a system that doesn't allow this to just "happen"
    • Heh, yea no shit. What, so we can blow a few hundred thousand blowing up some balloons that everyone seems to agree were harmless but we can't afford to hire a computer nerd that knows how to secure a mail server?

  • I've not managed to find the discount coupon for buzzcuts yet :-/

  • Contributing factors:
    - Deadline to "get in the cloud" and they have waited until the last moment.
    - Special Forces attitude -- They are not using "Enterprise Email", have their own.
    - Special Forces attitude -- "Rules, what rules"?
  • by Ken_g6 ( 775014 ) on Wednesday February 22, 2023 @02:13AM (#63313647)

    Would have made the messages unreadable. (If not the metadata.)

    Why do we still send emails in plain text? Especially sensitive ones?

    • by ebvwfbw ( 864834 )

      A lot of servers do encryption between machines. Getting people to do encryption is like pulling teeth. I'm a security guy and I wanted to communicate with other security professionals. Set up keys, showed them how to set up keys. They wouldn't do it. This is going back 20+ years. I tried again last year. Nope! They won't do it.

      Only if they have to as part of their job description does it seem to happen. In other words - they have no choice. Even though solutions today make it trivial in things like outlook
