CENTCOM (Central Command) and PACOM (Pacific Command) found themselves in the headlines when a security researcher discovered a misconfigured access control setting on a sensitive (or non-sensitive) data store of over 1.8 billion social network posts which had been scraped off the internet. CENTCOM subsequently issued a statement which declared the information which was available for perusal was “non-sensitive.”
I reviewed the researcher’s write-up and the CENTCOM statement, and find that while the information did not reveal any U.S. military personnel’s data, it did reveal what is commonly known as sources (what was CENTCOM/PACOM targeting) and methods (how they were collecting). This information adds additional pieces to the mosaic being created by adversaries of the US, to better understand and target US capabilities, especially with respect to understanding the hearts and minds of those in their respective area of responsibility (AOR)
CENTCOM’s 1.8 billion scraped posts
On the Friday before Thanksgiving security researcher Chris Vickery published a detailed analysis of his discover and review of the CENTCOM and PACOM data store, which had poorly configured access control settings. His discovery shows that data stores contained eight years of scraped content from openly available social networks and media outlets. The security researcher went on to identify the vendor who created the scrapping capability, and apparently placed the results of their efforts into three separate AWS (Amazon Web Services) S3 data storage buckets. The configuration used by the vendor was that of “Amazon authenticated user” – meaning, anyone with an AWS account. The configuration should have been restricted to specific named users, and not the quasi-public setting (As we noted in an earlier story on military personnel’s resumes being revealed, Amazon now sends, proactively, notices to individuals who configure their data storage to this setting as a reminder: Is this the access you intended?).
What the security researcher revealed was accessible to any who had an AWS log-in. Here’s a shortlist of the data compromised:
- Social network scrapping was conducted by a vendor identified as “VendorX LLC.” The data store contained a list of all the individuals working on the product OUTPOST. A query within the LinkedIn social networks showed a number of individuals who worked with VendorX during the 2013-2014 time frame on OUTPOST, which was designed for CENTCOM: “Outpost is a multi-lingual platform designed to positively influence change in high-risk youth in unstable regions of the world. Outpost was built by VendorX and operated exclusively for CENTCOM”. Another, during the same time frame, identified OUTPOST as, “Outpost: a real-time analytics platform used 24/7 by multi-lingual analysts to give high-risk youth in unstable regions of the world non-violent paths forward in life.”
- Confirms CENTCOM’s ability to “ingestion engine for the bulk collection of internet posts” and organizing the data for subsequent search
- Multilingual capability to scrape content across social networks largely focused on the Middle East and South Asia. Associating PACOM with the content, which implies it is a global program.
CENTCOM says it’s nothing, benign
According to ThreatPost, a CENTCOM spokesperson, said the information wasn’t sensitive and was not collected for intelligence purposes. They quote the spokesperson:
“All of the information is readily available public information related to our activities and obtained through commercial off-the-shelf programs in accordance with U.S. Code and Department of Defense policy in a consistent manner.
U.S. Central Command has used commercial off-the-shelf and web-based programs to support public information gathering, measurement and engagement activities of our online programs on public sites. The information is widely available to anyone who conducts similar online activities. The data is raw data that was provided to us by a contractor.
Last month, a researcher informed us that he had accessed data, secured in a DOD-compliant, web-based cloud. Once alerted to the unauthorized access, CENTCOM implemented additional security measures to prevent unauthorized access.”
Non-issue or a CENTCOM OPSEC lapse?
This incident reminds all who collect, store and analyze data to do so in a secure manner. If using vendors, insist that data storage and security is demonstrated, make no assumptions. And while CENTCOM declares the incident a non-incident, it does confirm the capabilities and reach of both CENTCOM and PACOM in their efforts to better understand the environment in which the men and women of the armed forces find themselves deployed, by listening and analyzing the posts of those in their AOR.