back to article Top-Secret-cleared SOCOM medics hit in 11GB govt database leak

A Pentagon subcontractor has exposed the names, locations, Social Security Numbers, and salaries of US Military Special Operations Command (SOCOM) healthcare professionals. The cleartext and openly accessible database – said to be at least 11 gigabytes in size – also included names and locations of at least two Special Forces …

  1. Brian Miller

    Encryption, please?

    "Oh, I need to work on this at home, so I'll just hang it out here in the open where I can get at it..."

    Once again, if the data had been encrypted, this wouldn't be a problem. But personally, seeing a hand-written list of programs, user names, and passwords, just doesn't fill me with confidence.

    1. Trigonoceps occipitalis

      Re: Encryption, please?

      Well it fills me with confidence - confidence that there will be some serious lesson learning going on. The lesson being that bonuses are based on profit and security is a cost that reduces the bottom line - lets see the size of any fine or who is fired.

      Go on, take a guess.

    2. Lotaresco

      Re: Encryption, please?

      "if the data had been encrypted"

      For Top Secret data this isn't the panacea that many imagine it to be, no commercial encryption meets the requirements for Top Secret.

      "seeing a hand-written list of programs, user names, and passwords, just doesn't fill me with confidence"

      The fact that you are seeing it doesn't fill me with confidence.

      The fact that several different accounts and services are listed on the same sheet doesn't fill me with confidence.

      The use of a paper based password log doesn't worry me. If you think about it if that log were in a safe designed to the appropriate standard it would not be accessible to a hacker. I'm also shocked that some dweeb didn't understand why passwords were recorded on paper and chose to scan the sheet and put it on an insecure system.

      What also shocks me is the list of commercial services used, including QuickBooks. For special operations? That's careless to the point of criminal negligence. Someone's sensitive parts should be in a mangle for this. Just think, if the US is this bad at national security, should you be sending any of your personal data to the USA?

      1. Anonymous Coward
        Anonymous Coward

        Re: Encryption, please?

        What shocks me is that there is an rsync daemon in place - that implies that data is being replicated to God knows where. If there's one thing you do with information of that grade is control who has access to not only the master, but also the repos.

        I'm willing to put money on it that this won't have much in the way of consequences, though. There is a considerable amount of security fatigue out there, and unwillingness to "reward" the idiots in charge with the fines and punishment they richly deserve keeps all of that nicely in place.

      2. flyryan

        Re: Encryption, please?

        "For Top Secret data this isn't the panacea that many imagine it to be, no commercial encryption meets the requirements for Top Secret."

        What!? You're literally just making things up here. None of your statements here are really correct but this one is just flat out factually wrong.

        AES-256, ECDH Curve P-384, 3072-bit RSA, and SHA-384 (for hashing) are all approved to protect TOP SECRET information. Did you think all of the Windows computers in government were all loaded up with some super secret crypto suite? Do you realize how difficult that would be?

        Source: https://www.iad.gov/iad/programs/iad-initiatives/cnsa-suite.cfm (via the table about a page down)

  2. GrapeBunch Silver badge
    Joke

    Protomac

    The typo Protomac (for Potomac, the name of the river, for example) sounds like a neologism incorporating "Professional", "Macintosh", "Protoplasm", "Rota" ... all together: "It is the turn of which wanker, pretending to be professional, to bite the apple on this slipup." Did you see what I did there, "protoplasm" refers both to slipup and to wanker?

    1. Notas Badoff
      Facepalm

      Re: Protomac

      Not a neologism, just a typo, quite missing knowledge of the locally prominent river. Google would have sufficed, but then so would looking at the pictured documents. (sigh)

    2. Mephistro Silver badge
      Coat

      Re: Protomac (@ GrapeBunch)

      I see it more like a contraction between Potomac and Prozac. A happy river!

      1. Mahhn

        Re: Protomac (@ GrapeBunch)

        that is suicidal

  3. John Doe 12

    Measurement Units?

    Just a small hair-split - but should that not be GB as opposed to Gb when talking about this kind of thing?

    1. frank ly

      Re: Measurement Units?

      It's only a bit of a mistake.

      1. Anonymous Coward
        Anonymous Coward

        Re: Measurement Units?

        Byte me!

    2. j.bourne
      Coat

      Re: Measurement Units?

      Surely it should be GiB......

  4. David Roberts Silver badge

    Sub-head storm in a teacup?

    I read this as a hacker who had been fired then using an insider to exfiltrate data.

    Not someone using a mate to prod some idiot who wasn't taking a breach seriously.

    Still, good to see articles flowing again after the holidays.

  5. Anonymous Coward
    Anonymous Coward

    This is a disaster!

    Payscale information exposed! This could lead to a complete governmental meltdown!

    As for the rest of the information, wasn't that published in the last hack?

  6. boardbonobo

    Event the redacted password image has enough information still available to start a little OSINT research ; Melissa Amidon be prepared for some SE!

    *Note*

    2015-07-08 delete person Melissa Amidon

    According to https://www.aihitdata.com/company/007DD280/POTOMAC-HEALTHCARE-SOLUTIONS/history?ss=people#main

    Looks like she bit the bullet some time ago.. Awww.

    1. Lotaresco

      Event the redacted password image has enough information still available to start a little OSINT research

      Mr Thomas W Burden FACHE still works for the company.

  7. Anonymous Coward
    Anonymous Coward

    And then they wonder...

    ...at the number of script kiddies that can just walk in and have a poke around in 'secure' US databases. Then they have the temerity to demand that 'hackers' from other countries be extradited to the US to face trial for the various US government departments incompetence.

  8. Paul Woodhouse

    surprised he's not been arrested yet...

  9. Will Godfrey Silver badge
    Unhappy

    Situation normal

    I see they've started 2017 as they mean to carry on.

    ... exactly like last year.

  10. NonSSL-Login

    Not the only guy..

    A week before this guys blog post a shodan search for unsecured rsync's was posted on twitter. Obviously he saw that post and had a look along with many others. So someone else provided his starting point, many would have looked at the data but this guy is the only one shouting 'look at me and what I found'.

    Contractor security fail yet again.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019