NEW YORK — A unsecured backup drive has exposed thousands of US Air Force documents, including highly sensitive personnel files on senior and high-ranking officers. Security researchers found that the gigabytes of files were accessible to anyone because the internet-connected backup drive was not password protected.
The files, reviewed by ZDNet, contained a range of personal information, such as names and addresses, ranks, and Social Security numbers of more than 4,000 officers . Another file lists the security clearance levels of hundreds of other officers, some of whom possess “top secret” clearance, and access to sensitive compartmented information and codeword-level clearance1. Phone numbers and contact information of staff and their spouses, as well as other sensitive and private personal information, were found in several other spreadsheets.
The drive is understood to belong to a lieutenant colonel, whose name we are not publishing . ZDNet reached out to the officer by email but did not hear back.
The data was secured last week after a notification2 by MacKeeper security researcher Bob Diachenko. Among the most damaging documents on the drive included the completed applications for renewed national security clearances for two US four-star generals, both of whom recently had top US military and NATO positions.
Both of these so-called SF86 applications3 contain highly sensitive and detailed information, including financial and mental health history, past convictions, relationships with foreign nationals, and other personal information. These completed questionnaires are used to determine a candidate’s eligibility to receive classified material. Several national security experts and former government officials we spoke to for this story described this information as the “holy grail” for foreign adversaries and spies, and said that it should not be made public.
For that reason, we are not publishing the names of the generals, who have since retired from service. Nevertheless, numerous attempts to contact the generals over the past week went unreturned. “Some of the questions ask for information that can be very personal, as well as embarrassing,” said Mark Zaid, a national security attorney, in an email .
The form allows prospective applicants to national security positions to disclose arrests, drug and alcohol issues, or mental health concerns, among other things, said Zaid. Completed SF86 forms aren’t classified but are closely guarded . These were the same kinds of documents that were stolen in a massive theft of sensitive files4 at the Office of Personnel Management, affecting more than 22 million government and military employees.
“Even if the SF86 answers are innocuous, because of the personal information within the form there is always the risk of identity theft or financial fraud that could harm the individual and potentially compromise them,” said Zaid.
One spreadsheet contained a list of officers under investigation by the military, including allegations of abuses of power and substantiated claims of wrongdoing, such as wrongfully disclosing classified information. A former government official, who reviewed a portion of the documents but did not want to be named, said that the document, in the wrong hands, provided a “blueprint” for blackmail. Even officers who have left in recent years may still be vulnerable to coercion if they are still trusted with historical state secrets.
“Foreign powers might use that information to target those individuals for espionage or to otherwise monitor their activity in the hopes of gaining insight into US national security posture,” said Susan Hennessey, a Brookings fellow and a former attorney at the National Security Agency. Government officials use the form as a screening mechanism, said Hennessey, but it also offers applicants the chance to inform the government of past indiscretions or concerns that eliminate the possibility of blackmail in the future, she added. “These are people whose lives can depend on sensitive information being safeguarded, so the notion they would fail to put country over self in that kind of circumstance is far-fetched and supported by relatively few historical examples,” she said. “Still, it is the obligation of the government to keep this kind of information safe, both in order to protect the privacy of those who serve and their families and to protect them against being placed in difficult situations unnecessarily,” said Hennessey.
Though many of the files were considered “confidential” or “sensitive,” a deeper keyword-based search of the files did not reveal any material marked as classified. A completed passport application for one of the generals was also found in the same folder, as well as scans of his own and his wife’s passports and driving licenses. Other data included financial disclosures, bank account and routing information, and some limited medical information.
Another document purported to show the lieutenant colonel’s username and password5 for a sensitive internal Dept . of Defense system, used to check staff security clearances. Another document listed the clearance levels6 of one of the generals.
And, a smaller spreadsheet contained a list of Social Security numbers, passport numbers, and other contact information on high-profile figures and celebrities, including Channing Tatum.
The records were collected in relation to a six-day tour to Afghanistan by Tatum in 2015 . An email to Tatum’s publicist went unreturned. The drive also contained several gigabytes of Outlook email files, covering years worth of emails . Another document purported to be a backup. Nevertheless, this would be the second breach of military data in recent months. Potomac, a Dept . of Defense subcontractor, was the source of a large data exposure7 of military personnel files of physical and mental health support staff . Many of the victims involved in the data leak are part of the US Special Operations Command (SOCOM), which includes those both formerly employed by US military branches, such as the Army, Navy, and Air Force, and those presumably still on active deployment. It’s not known how long the backup drive was active .
Given that the device was public and searchable, it’s not known if anyone other than the security researchers accessed the files.
The Office of Personnel Management, which processes security clearance applications, referred comment to the Pentagon.
A Pentagon spokesperson would not comment in an email Monday.
- ^ codeword-level clearance (www.documentcloud.org)
- ^ after a notification (goo.gl)
- ^ so-called SF86 applications (www.cbsnews.com)
- ^ a massive theft of sensitive files (www.zdnet.com)
- ^ lieutenant colonel’s username and password (www.documentcloud.org)
- ^ the clearance levels (www.documentcloud.org)
- ^ a large data exposure (www.zdnet.com)
Tunisian security forces reliance on the brutal tactics of the past, including torture, arbitrary arrests, detentions and restrictions on travel of suspects as well as harassment of their family members, is threatening Tunisia s road to reform, said Amnesty International in a new report published today. In response to a series of armed attacks since March 2015 which shook the country, the authorities have stepped up security measures, increasingly relying on emergency laws, many of which are inconsistent with human rights obligations.
We want an end to the fear : Abuses under Tunisia s state of emergency 1details how the security forces have imposed these measures in an arbitrary, repressive and discriminatory manner . These abuses risk jeopardizing gains made over the past six years which have seen Tunisians enjoy greater freedoms of expression, assembly and association, rights that are enshrined in the 2014 Constitution.
There is no doubt that the authorities have a duty to counter security threats and protect the population from deadly attacks, but they can do so while respecting the human rights protections set out in the Tunisian constitution and international law, as well as by ensuring accountability for any human rights violations committed by security officers, said Heba Morayef, North Africa research director at Amnesty International.
Giving security agencies a free hand to act above the law will not deliver security. Giving security agencies a free hand to act above the law will not deliver security
Heba Morayef, North Africa research director at Amnesty International
The report details the impact of emergency measures on the everyday lives of those subjected to them, and includes cases of torture, arbitrary arrests and detention, house searches without warrants, arbitrary assigned residence orders and travel restrictions known as S17 orders . It shows how in some cases these measures are imposed in a discriminatory manner based on appearance, religious beliefs or previous criminal convictions and with disregard to the due process of law.
Amnesty International communicated these concerns to the Tunisian authorities and received a written response from the Ministry of Interior in December 2016 . The response, which is included in the report, set out the legal framework that allows for these measures but did not address concerns about the manner in which they are being implemented by security forces and the impact they are having on people s rights and lives. The start of the Truth and Dignity Commission public hearings in November 2016 has opened public debate over accountability for abuses of the past and security sector reform . However, the Commission faces an uphill battle as accountability for abuses of the past has been extremely limited thus far and its mandate does not extend beyond 2013.
The fact that abuses are being committed in the name of security has meant that the scale of human rights violations in Tunisia today has thus far gone unaddressed by the Tunisian authorities, said Heba Morayef.
Tunisian officials who have publicly and privately stated their commitment to upholding human rights and breaking with the past must order an end to these practices and ensure that they are effectively investigated.
Resumption in use of repressive tactics
The chilling accounts detailed in this report signal a disturbing rise in the use of repressive tactics against suspects in terrorism-related cases over the past two years, providing a grim reminder of former President Zine el-Abidine Ben Ali s rule. The report details 23 cases of torture and other ill-treatment by the police, National Guard and counter-terrorism brigades since January 2015 and the harassment and intimidation that the victims have endured following their release . Victims described to Amnesty International how they were brutally beaten with sticks and rubber hoses, placed in stress positions such as the roast chicken position or forced to stand for prolonged periods, subjected to electric shocks, deprived of sleep or had cold water poured on them. The report also highlights two incidents of sexual violence including rape that took place in the Ben Guerdane police station in March 2016 and in Mornaguia prison in January 2015.
Ahmed (whose name has been changed to protect his identity), who was arrested in March 2016 in Ben Guerdane, told Amnesty International how security forces violently stormed his family home and beat his wife leading her to miscarry, as well as arresting two of his brothers .
When he was detained five days later he was tortured, including by being raped with a wooden stick, at the police station.
They beat me until I fell unconscious They beat me on my legs and feet and my arms which became bruised and inflamed . I still get nightmares from the torture I endured . They beat me until some of my toenails came off, he said, explaining that his harassment continues as he is stopped for questioning by security forces on a regular basis. I still get nightmares from the torture I endured . They beat me until some of my toenails came off
“Ahmed”, a torture survivor
Thousands of people have been arrested since the state of emergency was reinstated in November 2015 after the deadly bombing that targeted the Presidential Guard in Tunis . Amnesty International has documented at least 19 cases in which the arrest was arbitrary . At least 35 witnesses described raids and house sweeps in which residential homes were stormed without a judicial warrant, terrifying residents .
Some family members also faced intimidation or arbitrary arrest and torture and other ill-treatment in detention in order to coerce them to give up details about loved ones suspected of involvement in armed attacks. The report also highlights the emotional trauma and psychological impact of such repeated raids . More than a dozen people said they were forced to seek medical treatment for shock; in some cases people said the constant harassment had driven them to the brink of suicide.
We want an end to the fear . We no longer go out I feel like I m living in a cage and always afraid, and I haven t even done anything, said Meriem , who was repeatedly harassed by security officers. We want an end to the fear I feel like I m living in a cage and always afraid
“Meriem”, who was harassed by security forces
Fighting terrorism isn t an excuse to violate people .
This is injustice, Sofien , a former detainee, told Amnesty International . His wife, who was two months pregnant, had to be hospitalized as the shock had affected the foetus . On at least two occasions, men told Amnesty International that their wives had miscarried due to the stress and anxiety caused by forceful or repeated home raids. As well as being harassed through home raids, arbitrary arrest and detention, the Tunisian authorities have imposed local and international travel bans on at least 5,000 individuals and placed at least 138 people under assigned residence orders restricting their movements to specific areas. They have claimed the purpose is to prevent thousands of Tunisians from joining armed groups operating in the Middle East and North Africa and to monitor the movements of those who have returned from conflict zones .
However, Amnesty International s research shows that restrictions on movement have at times been applied in an arbitrary and disproportionate manner . People affected have been unable to work, study or lead a normal family life and have not been able to challenge the restrictions in court.
This report exposes how entrenched impunity has fostered a culture in which violations by security forces have been able to thrive, said Heba Morayef. This report exposes how entrenched impunity has fostered a culture in which violations by security forces have been able to thrive
Heba Morayef, North Africa research director at Amnesty International
Only a handful of security officers have been held to account in Tunisia despite the authorities repeatedly voicing their commitment to investigating all allegations of torture and other ill-treatment . In its written response to Amnesty International, the Ministry of Interior said that the National Security General Inspectorate had investigated one allegation of torture in 2015 and 2016 and found it to be false . Victims and eyewitnesses have faced harassment and intimidation by security officers to dissuade them from filing torture complaints.
The Tunisian authorities have made some positive changes, such as amendments to Tunisian laws in 2016 that strengthen safeguards against torture and other ill-treatment . These include reducing the time a suspect can be detained without charge and guaranteeing them access to families, lawyers and medical care . However, these changes do not legally apply to those detained in terrorism-related cases. The authorities also introduced a flawed new counter-terrorism law in 2015 which increases surveillance powers of security forces, proscribes the death penalty for certain offences and includes an overly broad definition of terrorism, leaving it open to abuse . In January 2017, the Ministry of Justice announced there were 1,647 people detained on charges of terrorism and money-laundering.
The Tunisian government must ensure that the methods used to combat security threats neither violate the prohibition of torture and other ill-treatment nor restrict people s rights to liberty, movement, privacy, family life and employment in an unlawful, arbitrary, discriminatory or disproportionate manner, said Heba Morayef.
Under a state of emergency the Tunisian authorities can temporarily suspend certain rights, but the prolonged state of emergency in recent years and rampant abuse of security measures raises serious questions about whether these measures are proportionate or comply with Tunisia s international obligations .
Certain rights such as the prohibition of torture cannot be suspended in any circumstances, even during a state of emergency.
- ^ We want an end to the fear : Abuses under Tunisia s state of emergency (www.amnesty.org)
Now security experts are warning that drones could be hacked and commandeered in the same way.
Drones are becoming more commonplace, with both Amazon2 and UPS announcing plans to use them to deliver packages, and even Domino’s3 is testing the use of drones to deliver pizzas. But as unmanned aerial vehicles become an increasingly common sight in our skies, some are starting to question whether these devices are adequately protected from cyber criminals.
Amazon prime air drone delivery service (Photo: Amazon/YouTube)
Now a new report by Intel Security has highlighted “dronejacking” as one of the top cyber security threats for 2017 – warning that hackers could attempt to hijack drones while they’re in flight.
“Someone looking to ‘dronejack’ deliveries could find a location with regular drone traffic and wait for the targets to appear,” said Bruce Snell, cybersecurity and privacy director at Intel Security.
“Once a package delivery drone is overhead, the drone could be sent to the ground, allowing the criminal to steal the package.”
It’s not just delivery companies that exploring use of drones . M ore and more law enforcement agencies are now using the devices to assist in surveillance and crowd control.
Computer Hacker (Photo: Getty)
“In a highly charged situation like a protest or active shooter situation, a police drone would be a tempting target for someone looking to remain unseen by law enforcement,” said Snell.
He explained that drones are designed to have a quick and easy setup – often using unencrypted communication and many open ports – which makes them potentially easier to hack.
In 2017, Intel Security expects to see drone exploit toolkits finding their ways to the dark corners of the Internet.
“Once these toolkits start making the rounds, it is just a matter of time before we see stories of hijacked drones showing up in the evening news,” said Snell.
Drone (Photo: Reuters)
“Even without a dronejacking toolkit in hand, we will begin to see an increase in drone-related incidents.”
The report also warns that attacks on the “smart home” are likely to become more commonplace in 2017, with hackers using “internet of things” malware to open backdoors that could go undetected for years.
“To change the rules of the game between attackers and defenders, we need to neutralise our adversaries’ greatest advantages,” said Vincent Weafer, vice president of Intel Security s McAfee Labs.