virtual disk image belonging to the NSA -- essentially the
contents of a hard drive -- was left exposed on a public
Amazon Web Services storage server. The server contained
more than 100 gigabytes of data from an Army intelligence
project codenamed "Red Disk," ZDNet
server was unlisted, but it didn't have a password, which
meant that anyone who found it could dig through the
government's secret documents. That's exactly what happened
in late September when Chris Vickery, director of cyber risk
research at security company UpGuard, discovered
the server. He alerted the government in October.
was on the AWS subdomain "inscom," an abbreviation for the
US Army Intelligence and Security Command.
was as simple as typing in a URL," Vickery said. "This data
was top secret classification, as well as files obviously
related to US intelligence networks. It's stuff used to
target people for death, and it was all available in a URL."
said it had been so unbelievably easy to access that when he
first discovered it, his first thought was, "is this
the latest incident, the contents on the insecure AWS server
are classified as "NOFORN," meaning the information is
sensitive enough that even foreign allies are not allowed to
see it, UpGuard said. The server contained 47 viewable
files, three of which were downloadable and exposed national
of the data couldn't be accessed without connecting to the
Pentagon's network, the security firm's researchers said.
was able to get a look at some of the files, and spotted a
connection to Red Disk, a cloud-based intelligence system
developed by the Army in 2013. Red Disk, a $93
million program considered a military failure, was
designed to help the Pentagon with soldiers on the field
collecting classified reports, drone footage and satellite
images. The data all belonged to INSCOM,
a division of both the Army and the NSA.
put, the digital tools needed to potentially access the
networks relied upon by multiple Pentagon intelligence
agencies to disseminate information should not be something
available to anybody entering a URL into a web browser,"
UpGuard said in a blog post.