NEW YORK — An unsecured backup drive has exposed thousands of US Air Force documents, including highly sensitive personnel files on senior and high-ranking officers. Security researchers found that the gigabytes of files were accessible to anyone because the internet-connected backup drive was not password protected.
The files, reviewed by ZDNet, contained a range of personal information, such as names and addresses, ranks, and Social Security numbers of more than 4,000 officers. Another file lists the security clearance levels of hundreds of other officers, some of whom possess “top secret” clearance, and access to sensitive compartmented information and codeword-level clearance[1]. Phone numbers and contact information of staff and their spouses, as well as other sensitive and private personal information, were found in several other spreadsheets.
The drive is understood to belong to a lieutenant colonel, whose name we are not publishing. ZDNet reached out to the officer by email but did not hear back.
The data was secured last week after a notification[2] by MacKeeper security researcher Bob Diachenko. Among the most damaging documents on the drive were the completed applications for renewed national security clearances for two US four-star generals, both of whom recently held top US military and NATO positions.
Both of these so-called SF86 applications[3] contain highly sensitive and detailed information, including financial and mental health history, past convictions, relationships with foreign nationals, and other personal information. These completed questionnaires are used to determine a candidate’s eligibility to receive classified material. Several national security experts and former government officials we spoke to for this story described this information as the “holy grail” for foreign adversaries and spies, and said that it should not be made public.
For that reason, we are not publishing the names of the generals, who have since retired from service. Nevertheless, numerous attempts to contact the generals over the past week went unreturned. “Some of the questions ask for information that can be very personal, as well as embarrassing,” said Mark Zaid, a national security attorney, in an email.
The form allows prospective applicants to national security positions to disclose arrests, drug and alcohol issues, or mental health concerns, among other things, said Zaid. Completed SF86 forms aren’t classified but are closely guarded. These were the same kinds of documents that were stolen in a massive theft of sensitive files[4] at the Office of Personnel Management, affecting more than 22 million government and military employees.
“Even if the SF86 answers are innocuous, because of the personal information within the form there is always the risk of identity theft or financial fraud that could harm the individual and potentially compromise them,” said Zaid.
One spreadsheet contained a list of officers under investigation by the military, including allegations of abuses of power and substantiated claims of wrongdoing, such as wrongfully disclosing classified information. A former government official, who reviewed a portion of the documents but did not want to be named, said that the document, in the wrong hands, provided a “blueprint” for blackmail. Even officers who have left in recent years may still be vulnerable to coercion if they are still trusted with historical state secrets.
“Foreign powers might use that information to target those individuals for espionage or to otherwise monitor their activity in the hopes of gaining insight into US national security posture,” said Susan Hennessey, a Brookings fellow and a former attorney at the National Security Agency. Government officials use the form as a screening mechanism, she said, but it also offers applicants the chance to inform the government of past indiscretions or concerns, which eliminates the possibility of blackmail in the future. “These are people whose lives can depend on sensitive information being safeguarded, so the notion they would fail to put country over self in that kind of circumstance is far-fetched and supported by relatively few historical examples,” she said. “Still, it is the obligation of the government to keep this kind of information safe, both in order to protect the privacy of those who serve and their families and to protect them against being placed in difficult situations unnecessarily,” said Hennessey.
Though many of the files were considered “confidential” or “sensitive,” a deeper keyword-based search of the files did not reveal any material marked as classified. A completed passport application for one of the generals was also found in the same folder, as well as scans of his own and his wife’s passports and driving licenses. Other data included financial disclosures, bank account and routing information, and some limited medical information.
Another document purported to show the lieutenant colonel’s username and password[5] for a sensitive internal Dept. of Defense system, used to check staff security clearances. Another document listed the clearance levels[6] of one of the generals.
And, a smaller spreadsheet contained a list of Social Security numbers, passport numbers, and other contact information on high-profile figures and celebrities, including Channing Tatum.
The records were collected in relation to a six-day tour to Afghanistan by Tatum in 2015. An email to Tatum’s publicist went unreturned. The drive also contained several gigabytes of Outlook email files, covering years worth of emails. Another document purported to be a backup. Nevertheless, this would be the second breach of military data in recent months. Potomac, a Dept. of Defense subcontractor, was the source of a large data exposure[7] of military personnel files of physical and mental health support staff. Many of the victims involved in the data leak are part of the US Special Operations Command (SOCOM), which includes those both formerly employed by US military branches, such as the Army, Navy, and Air Force, and those presumably still on active deployment. It’s not known how long the backup drive was active.
Given that the device was public and searchable, it’s not known if anyone other than the security researchers accessed the files.
The Office of Personnel Management, which processes security clearance applications, referred comment to the Pentagon.
A Pentagon spokesperson would not comment in an email Monday.
- [1] codeword-level clearance (www.documentcloud.org)
- [2] after a notification (goo.gl)
- [3] so-called SF86 applications (www.cbsnews.com)
- [4] a massive theft of sensitive files (www.zdnet.com)
- [5] lieutenant colonel’s username and password (www.documentcloud.org)
- [6] the clearance levels (www.documentcloud.org)
- [7] a large data exposure (www.zdnet.com)
Several tech giants have said they are examining a trove of documents leaked earlier this week that purport to show the CIA’s ability to hack into phones, computers, and smart TVs. The documents, released by WikiLeaks[1], did not contain exploit code that could be used by hackers to carry out attacks, but the documents do provide details of vulnerabilities that may help security researchers identify some flaws in tech products, including Android devices and iPhones. Apple, Google, Microsoft, and Samsung were all named in the thousands of released documents, which are believed to have come from the CIA’s Center for Cyber Intelligence. The CIA has so far not commented directly on the authenticity of the leak, but on Wednesday it suggested that the release had damaged national security by helping its adversaries “with tools and information to do us harm.”
WikiLeaks founder Julian Assange said in a Thursday press conference that he will give the tech companies “exclusive access”[2] to some of the technical details it has of the CIA’s hacking tools, as part of an effort to expedite the security patching process. So far, however, there has been no evidence of files being shared with tech companies. Apple said in a statement[3] that it will “rapidly address any identified vulnerabilities” it finds in its Macs or iPhone software. Google, too, said it will[4] “implement any further necessary protections” and that its analysis is ongoing.
Microsoft said it was “looking into” the reports, but didn’t comment further. Security experts, however, say that many of the vulnerabilities have already been patched. Jon Sawyer, an Android security researcher, said that most of the Android bugs listed have already been patched.
“The list seems to be limited to Android 2.2 to 4.4.4 — we are on Android 7.1.1 now,” said Sawyer. He said that many of the bugs related to legacy versions of Android and older devices. “Vague descriptions of bugs is no more worrisome than the fact they know any software has unknown vulnerabilities,” he said, adding that Google was “in no worse position than they were a week ago.”
An analysis by F-Secure showed that the majority of Android users are still using Android 4.4[5]. Google’s own statistics show that the software version is third[6] behind Android 5 and Android 6. Will Strafach, an iOS security researcher, said that “essentially, there is nothing” in the documents that points to working vulnerabilities in iOS 10 and later. Almost 80 percent of users are currently on a version of iOS 10, says Apple[7]. Strafach said the Samsung smart TV vulnerability, which required an older firmware version and physical access to the device, had also been fixed. In a brief statement, a Samsung spokesperson said the company was “urgently looking into the matter.”
Linux, the open-source operating system, was also listed in the cache of documents. “Linux is a very widely used operating system, with a huge installed base all around the world, so it is not surprising that state agencies from many countries would target Linux along with the many closed source platforms that they have sought to compromise,” said Nicko van Someren, chief technology officer at The Linux Foundation, speaking to BBC News[8]. He emphasized that the rapid release of security patches “enable the open source community to fix vulnerabilities and release those fixes to users faster.” But the status of other products isn’t fully known.
In the cache, close to two-dozen antivirus products, including Kaspersky, Symantec, and Avast, were listed as having vulnerabilities that were exploitable by the CIA. According to the Associated Press[9], the CIA used unflattering terms to deride antivirus makers, many of which the agency exploited through vulnerabilities in their software. In one case, a flaw in Kaspersky antivirus allowed the CIA to “bypass Kaspersky’s protections,” but founder Eugene Kaspersky told an AP reporter that the vulnerability was fixed “years ago.”
Avira, another antivirus maker, said it fixed a “minor vulnerability” within hours of the documents’ release. Cindy Cohn, director of the Electronic Frontier Foundation, said the CIA had “failed to accurately assess the risk of not disclosing vulnerabilities.” “Even spy agencies like the CIA have a responsibility to protect the security and privacy of Americans,” she said.
WikiLeaks said so far it has released only a fraction of what it says it obtained, and that more files will be released in the coming days and weeks.
- [1] released by WikiLeaks (www.zdnet.com)
- [2] give the tech companies “exclusive access” (www.zdnet.com)
- [3] in a statement (www.zdnet.com)
- [4] said it will (www.zdnet.com)
- [5] still using Android 4.4 (labsblog.f-secure.com)
- [6] the software version is third (developer.android.com)
- [7] says Apple (developer.apple.com)
- [8] speaking to BBC News (www.bbc.com)
- [9] to the Associated Press (hosted.ap.org)
Microsoft says its Azure Blueprint for the UK Government’s Cloud Security Principles will provide the highest level of security for cloud services. Azure Blueprint for the UK Government details how services built on Microsoft’s cloud platform[1] implement the 14 cloud security principles[2] published by the UK’s National Cyber Security Centre, which include practices around data governance, authentication and operational security.
“The Azure Blueprint UK Government Customer Responsibilities Matrix outlines how Azure implements security controls designed to satisfy each security principle and assists customers in understanding how they may implement safeguards within their Azure solution[3] to fulfill the requirements of each principle where they hold a responsibility,” said Matt Rathbun, chief information security officer for Azure Government. Microsoft has also released a Blueprint compliance architecture ARM (Azure Resource Manager) template on GitHub, which provides a baseline from which customers can build secure environments in line with the cloud security principles[4].
When users create a new group in Yammer it will automatically be part of the Office 365 Groups environment, providing a OneNote notebook, Planner for task management, a SharePoint Online site and a document library.
All shared resources can be accessed directly from Yammer by all group members, with group membership queries based on Azure Active Directory attributes such as role, location and manager.
“This integration between Yammer and Office 365[6] Groups affects customers who have enforced Office 365 identity in their networks, and have only one Yammer network associated with their Office 365 tenant,” added Connie Woo, product marketing manager at Yammer.
You can also look forward to integration with Outlook Calendar as well as greater enhancements to Yammer integration with SharePoint Online and Planner.
Digital transformation is one of the key opportunities in today’s business for CIOs to increase leverage with their internal and external customers.
- [1] Microsoft’s cloud platform (www.silicon.co.uk)
- [2] 14 cloud security principles (www.ncsc.gov.uk)
- [3] within their Azure solution (www.silicon.co.uk)
- [4] cloud security principles (www.silicon.co.uk)
- [5] business communication service Yammer (www.silicon.co.uk)
- [6] integration between Yammer and Office 365 (www.silicon.co.uk)
- [7] which will connect Office 365 Groups (www.silicon.co.uk)
- [8] The history, products and people of Microsoft (www.silicon.co.uk)
- [9] … (www.trustopen.net)
- [10] … (www.trustopen.net)
- [11] … (www.trustopen.net)