Massive US military social media spying archive left wide open in AWS S3 buckets
Dozens of terabytes exposed, your tax dollars at work
By Iain Thomson in San Francisco 17 Nov 2017 at 20:08
https://www.theregister.co.uk/2017/11/17/us_military_spying_archive_exposed/
Three misconfigured AWS S3 buckets have been discovered wide open on the public internet containing “dozens of terabytes” of social media posts and similar pages – all scraped from around the world by the US military to identify and profile persons of interest.
The archives were found by UpGuard’s veteran security-breach hunter Chris Vickery during a routine scan of open Amazon-hosted data silos, and the trio weren’t exactly hidden. The buckets were named centcom-backup, centcom-archive, and pacom-archive.
CENTCOM is the common abbreviation for the US Central Command, which controls army operations in the Middle East, North Africa and Central Asia. PACOM is the name for US Pacific Command, covering the rest of southern Asia, China and Australasia.
Just one of the buckets contained 1.8 billion social media posts automatically fetched over the past eight years up to today. It mainly contains postings made in central Asia; however, Vickery noted that some of the material is taken from comments made by American citizens.
“Previously, we would mine through those intelligence reports or whatever data would be available, and that would be very manual-intensive.”
Before you start scrabbling for your tinfoil hats, the army hasn’t made a secret of Coral Reef, even broadcasting the awards the software has won. And social media monitoring isn’t anything new, either.
However, it is disturbing quite how easy this material was to find, how poorly configured it was, and that the archives weren’t even given innocuous names. If America’s enemies – or to be honest, anyone at all – are looking for intelligence, these buckets were a free source of information to mine.
After years of security cockups like this in the public and private sectors, Amazon has tried to help its customers avoid configuring their S3 buckets as publicly accessible stores, by adding full folder encryption, yellow warning lights when buckets aren’t locked down, and tighter access controls.
“This was found before these new Amazon controls were added,” Vickery said. “So we have yet to see how effective that yellow button will be.”
<snip>