Pentagon server ‘leaked’ for weeks – researcher
The US Defense Department left three terabytes of internal military emails unprotected by so much as a password on Microsoft’s Azure government cloud for more than two weeks, security researcher Anurag Sen revealed to TechCrunch on Sunday.
The vulnerability was finally patched on Monday, a day after the outlet contacted US Special Operations Command (USSOCOM) to alert it that years of sensitive personal data on a server comprising part of an internal mailbox system was freely available to view for anyone who had the right IP address. The Pentagon confirmed via a senior official on Monday that it had passed the information from TechCrunch on to USSOCOM.
In addition to internal military email messages, some of which were years old, the server contained plenty of sensitive personnel information, including the detailed forms filled out by federal employees applying for security clearances. These 136-page questionnaires, known as SF-86, are desirable enough to foreign rivals that Washington believes Chinese hackers stole millions of them upon breaking into the US Office of Personnel Management.
None of the information on the exposed server was believed to be classified, as USSOCOM’s classified networks are not accessible from the internet.
It was unclear why the server was not password-protected, though a spokesman for USSOCOM told TechCrunch in an email that “We can confirm at this point…no one hacked US Special Operations Command’s information systems.”
The spokesman did not answer when asked if the Defense Department kept logs that would show who besides Sen might have accessed the sensitive data, but said that an investigation into the vulnerability had been opened on Monday.
The server was first observed to be spilling data on February 8, according to a listing on Shodan, a search engine for exposed systems and databases, cited by the outlet.
Last month, a Swiss hacker claimed to have come across a copy of the US Transportation Security Administration’s ‘no-fly’ list on an unsecured server belonging to US regional and commuter airline CommuteAir.