Sensitive US Military Emails Spill Online (techcrunch.com)
The U.S. Department of Defense secured an exposed server on Monday that was spilling internal U.S. military emails to the open internet for the past two weeks, TechCrunch reported Tuesday. From a report: The exposed server was hosted on Microsoft's Azure government cloud for Department of Defense customers, which uses servers that are physically separated from other commercial customers and as such can be used to share sensitive but unclassified government data. [...] But a misconfiguration left the server without a password, allowing anyone on the internet access to the sensitive mailbox data inside using only a web browser, just by knowing its IP address.
[...] The server was packed with internal military email messages, dating back years, some of which contained sensitive personnel information. One of the exposed files included a completed SF-86 questionnaire, which are filled out by federal employees seeking a security clearance and contain highly sensitive personal and health information for vetting individuals before they are cleared to handle classified information.
the "cloud" is just someone else's computer (Score:4, Interesting)
"...The exposed server was hosted on Microsoft's Azure government cloud for Department of Defense customers, which uses servers that are physically separated from other commercial customers..."
You know, so it was SAFER....?
My company has also gone entirely to cloud storage.
I wonder what will happen when (it seems inevitable) that we'll be hacked and everyone's personal data is available online. When will there be a class-action suit compelling companies to be liable for the data they have on their employees, if their "securing" that data is hardly secure?
Re: (Score:2)
Uh, no thanks. I think I already have enough years of free credit report monitoring to eventually have the singularity doing it for me.
Re: (Score:2)
So was this fail because the DoD was running a mail platform on a VM? Or was this a problem with a PaaS service in Azure?
I think that is a big part of the discussion of how much attack surface and relative safety there is when it comes to cloud v. hosting it on your own kit.
Re: (Score:3)
I think the problem here is that whoever tf was running that email server lacks basic security skills necessary to make the thing secure. From TFS, "a misconfiguration left the server without a password."
The vast majority of these cases I see are simply default password or no password, no firewall situations where anyone with an inkling of knowledge would have locked down from the get go. I don't think it matters if it's cloud or on-premise HW if you can't be bothered to apply basic security practices.
Re: (Score:2)
Just standard SIPRNet MO. People on there just yolo that shit, it's just poorly paid government worker drones after all. This worked fine because it was an isolated intranet. Until Azure started hosting part of it in 2017, and this whole circus with "physical" (but not nearly as much network level) separation.
Re: (Score:2)
When will there be a class-action suit compelling companies to be liable for the data they have on their employees, if their "securing" that data is hardly secure?
(Company CEO) "Oh, I'm sorry you were speaking to me as if I give a shit. Liability insurance department is down the hall, on your left. Kindly fuck off."
Hope that explains why the class-action suit will be funded and paid for by the class getting screwed by it.
Re: (Score:3)
That pretty much did happen in 2015 to anybody employed or cleared by the government - the OPM Hack
https://en.wikipedia.org/wiki/... [wikipedia.org]
This summary is saying "an" SF86 form was exposed. The OPM hack was that, times (literally) 22.1 million.
Re:OPM Hack (Score:2)
OLD MAN YELLS AT (Score:2)
GUB'MIT CLOUD
Cloud and security don't go in the same sentence! (Score:2, Informative)
Re: (Score:3)
Left this reply on another comment, it applies to yours as well:
I think the problem here is that whoever tf was running that email server lacks basic security skills necessary to make the thing secure. From TFS, "a misconfiguration left the server without a password."
The vast majority of these cases I see are simply default password or no password, no firewall situations where anyone with an inkling of knowledge would have locked down from the get go. I don't think it matters if it's cloud or on-premise HW
Re: (Score:3)
Which implies that the management, and ultimately the executives (generals?) lack the basic security skills to hire people to handle the lower level security details.
Part of the problem is failing to realize that when working with sensitive information, ALL actions and operations need security oversight. I.e., you can't just hire some outside contractor (the cheapest there is) to migrate your server of old emails into "the cloud". Even having someone without the necessary basic security training on staff i
Re: (Score:2)
Agreed 100%
Re:"Accidental" (Score:5, Informative)
False. [factcheck.org] Also, it's weird how conservatives keep making up a number bigger and bigger every time they tell this lie.
Re: (Score:3)
Eventually they've got a lie that is too big to fail!
Re: (Score:2)
Also, it's weird how conservatives keep making up a number bigger and bigger every time they tell this lie.
In their circle, their claims are taken at face value. It's considered ill mannered to actually dig up supporting proof. That's tantamount to calling them liars. And while that may be true - witness the whole brouhaha about "stolen election" - and I suspect they know they're lying, saving face is more important than truth.
Re: (Score:2)
It really is. Literally once a month there’s a story posted about someone leaving an open database in “the cloud”.
Re: (Score:3)
https://www.cnn.com/2022/04/27... [cnn.com]
Second, I'm sure they didn't leave a single "state-of-the-art" piece of gear in Afghanistan. Small arms and stripped-down humvees? Sure. A few old helicopters? Yeah, but I think those were literally soviet-era. Not exactly our best weaponry. Nothing that would be of much interest to the Chinese
Third, that stuff won't do the Afghanis much good. The Taliban rolled in on a few pickup trucks, firing their AK47s into
Not a good thing but (Score:2)
As for the SF86 form. Well, that ain't great for that one individual. That's pretty much all their personal info and life history, but not financial numbers. Annnnnnddd that's why you should use 2FA on anything really important.
Given our government's level of leakiness, at this point, I would assume that Russia an
Re: (Score:1)
SF-86 would have enough information on a person to successfully social engineer a bank, cell carrier, etc into giving you access.
Re: (Score:2)
SF-86 would have enough information on a person to successfully social engineer a bank, cell carrier, etc into giving you access.
The SF-86 has enough information to blackmail someone into giving you anything. But a single one doesn't matter at this point because Obama let China steal all of them.
The thought had crossed my mind (Score:1)
The exposed server was hosted on Microsoft's Azure government cloud for Department of Defense customers
The way things have been going lately, I half expected it to be a server in Mar A Lago.
Government Cloud (Score:3)
How can something in the Government Cloud even have the option to be passwordless? This is both an admin fail and a service provider fail, in terms of a secure Government cloud.
Waste my money (Score:5, Insightful)
Re: (Score:1)
Heh, yea no shit. What, so we can blow a few hundred thousand blowing up some balloons that everyone seems to agree were harmless but we can't afford to hire a computer nerd that knows how to secure a mail server?
/o\ (Score:1)
I've not managed to find the discount coupon for buzzcuts yet :-/
USSOCOM = Special Operations (Score:2)
- Deadline to "get in the cloud" and they have waited until the last moment.
- Special Forces attitude -- They are not using "Enterprise Email", have their own.
- Special Forces attitude -- "Rules, what rules"?
End-to-end email encryption (Score:3)
Would have made the messages unreadable. (If not the metadata.)
Why do we still send emails in plain text? Especially sensitive ones?
Re: (Score:1)
A lot of servers do encryption between machines. Getting people to do encryption is like pulling teeth. I'm a security guy and I wanted to communicate with other security professionals. Set up keys, showed them how to set up keys. They wouldn't do it. This is going back 20+ years. I tried again last year. Nope! They won't do it.
Only if they have to as part of their job description does it seem to happen. In other words - they have no choice. Even though solutions today make it trivial in things like Outlook