24 February 2023

US Military Emails Leaked for 2 Weeks

Someday government will take security seriously, but this is not that day. Sensitive US military emails spill online | TechCrunch

Why are sensitive military emails not end-to-end encrypted? And who is responsible for this kind of crap?

The exposed server was hosted on Microsoft’s Azure government cloud for Department of Defense customers, which uses servers that are physically separated from other commercial customers and as such can be used to share sensitive but unclassified government data. The exposed server was part of an internal mailbox system storing about three terabytes of internal military emails, many pertaining to U.S. Special Operations Command, or USSOCOM, the U.S. military unit tasked with conducting special military operations.

The server was "misconfigured" so that access was available without a password.

The breach was disclosed to TechCrunch by a white-hat security researcher, and TC informed the DoD.

The server was packed with internal military email messages, dating back years, some of which contained sensitive personnel information. One of the exposed files included a completed SF-86 questionnaire, which are filled out by federal employees seeking a security clearance and contain highly sensitive personal and health information for vetting individuals before they are cleared to handle classified information.

Now apparently no truly classified info was involved, but what was involved was bad enough to have been leaked over a stupid screw up.

Everybody makes mistakes. Humans are not perfect. That is why you put procedures in place to check and double check things. Once notified it took more than 24 hours for the DoD to secure the server, which they are blaming on the holiday weekend.

Or maybe I should say, "people and organizations who value security" put procedures in place... That quoted phrase apparently doesn't include large swaths of the .gov and military. (Have you ever looked at CISA directives on software updates? Apparently some parts of the .gov are going years without updating software that is known to be vulnerable and known to be exploited because, "You IT people always want to update something. Everything is fine!")

1 comment:

  1. So which contractor configured that and who signed off on the work?
