The Weakest Link: DoD Data Exposed by Third-party

By David Fratini on November 1, 2019


Overview:

Reservations management company AutoClerk found itself in hot water last week when it was discovered that one of its databases was exposed online. The database, which is 179 GB in size and is hosted on Amazon Web Services, held client information including full names, unencrypted login information, phone numbers, addresses, travel dates, room numbers, and masked payment information. Roughly 100,000 reservations were exposed, the most disturbing of which were made by a contractor who regularly handles travel reservations for the Department of Defense (DoD), the Department of Homeland Security (DHS), and agencies across the government.

Investigations into the exposed database showed travel itineraries and personal information of U.S. Army generals travelling to Moscow and Tel Aviv, along with their Personally Identifiable Information (PII).

This instance speaks to a broader issue of cyber vulnerabilities that exist in the third-party contractors that criss-cross the national security infrastructure, ultimately offering a backdoor for malicious actors into our most secure operations.


Impact:

The travel plans and phone numbers of DoD personnel may seem relatively benign, but even such elementary data can be co-opted by hacking groups as leverage for obtaining more damaging information. For instance, using the information found in the database, hackers could easily pose as employees of the contractor or of the hotel where high-level DoD personnel will be staying, and manipulate either the officials themselves or their aides into compromising their systems through malicious links or documents.

The infamous hack of the 2016 Hillary Clinton campaign shows just how real this threat is. Although the scope of these two incidents sits at opposite ends of the spectrum, it is a poignant look at how only a small amount of PII can be used to social engineer a much larger breach. In 2016, John Podesta was manipulated into clicking a malicious link, which may have altered the trajectory of the 2016 election; the malicious actors had little more to go on than an email address and a name. With that in mind, the idea of what dedicated adversaries could do with travel dates, addresses, phone numbers, room numbers, and login information expands into startling territory.

This is not the first time that government supply chains have been found under-protected; in fact, it is not even the first time that government travel management operations have been found under-protected. Just last year the Defense Travel System (DTS), already well known within the military as a prime example of the over-engineered and under-functional systems typical of the defense network, was hacked. The travel records and credit card information of over 30,000 military and DoD civilian employees were stolen in a data breach at one of the contracted vendors that run DTS. What is the common factor? Complicated dependencies spanning multiple organizations with radically different security operations requirements.

When auditing authorities (if in place) examine the supply chains that drive their processes, it is important that they consider the second- and third-order effects of these systems – such as the inadvertent divulging of sensitive information through a negligent reservations management company utilized by a contractor.


The database in question was discovered and reported to US-CERT on September 13th and closed on October 2nd. Although the incident was labeled a breach, it is unclear whether any third parties actually accessed the database.


References:

Matishak, M. (2016, October 21). How Podesta became a cybersecurity poster child. Retrieved from https://www.politico.com/story/2016/10/john-podesta-cybersecurity-hacked-emails-230122

McCuin, T. (2018, October 15). DoD’s Defense Travel System Hacked, Employee Credit Card Info Stolen. Retrieved from https://news.clearancejobs.com/2018/10/15/dods-defense-travel-system-hacked-employee-credit-card-info-stolen/

O’Donnell, L. (2019, October 21). U.S. Government, Military Personnel Data Leaked By Autoclerk. Retrieved from https://threatpost.com/government-military-personnel-data-leaked/149386/