
The US Cybersecurity and Infrastructure Security Agency (CISA) left the access keys to its cloud accounts sitting in public, in plain text, for a period of time, according to a report from Krebs on Security. The report notes that the problem was finally fixed over the weekend.
Surely, I hear you say, the secret material was buried in an obscure folder with an incomprehensible name. The repository is reported to have been called “Private-CISA”.
Surely the contents can't have been that sensitive, you object. But the contents included passwords, keys and tokens, and the passwords sat in plain text in a .csv file.
CISA issued a statement to Krebs saying:
“At this time, there is no indication that any sensitive information has been compromised as a result of this incident(…) We are committed to ensuring that our team members are held to the highest standards of integrity and operational awareness, and that additional safeguards are in place to prevent future incidents.”
Since the repository was created last November, the exposure lasted up to around six months, though it could have been shorter depending on what was added to it and when.
To refresh your memory, CISA is a relatively new branch of the Department of Homeland Security that has generally had a hard time during Trump 2.0, although by signing the law in 2018 Trump actually midwifed CISA into existence during Administration 1.0. Sorry for the tangent, but Trump gave a speech on the occasion that was an exceptional example of Trump's poetry, including passages such as:
“The cyber battlefield is evolving — and it is evolving, and unfortunately, it’s evolving faster than a lot of people want to talk about it. But it is a battlefield. So as the cyber battlefield evolves, this new agency will ensure that we face all the threats from nation states, cyber criminals and a host of other malicious actors.”
Undoubtedly, Mr. President. It is a battlefield.
Anyway, Trump was outraged by the information CISA management provided between the 2020 election and January 6, 2021, while he was on a mission to overturn the election result in his favor. He fired the CISA director he had appointed, and his handling of CISA since returning to office has been a chaotic farce. None of the replacement directors he has put forward so far has been confirmed by the Senate, and Trump recently took a serious run at CISA's funding.
Now, to add to CISA's concerns, it appears that an individual employee working for a government contractor named Nightwing was using GitHub to transfer material from a work device to a home device—like emailing documents to yourself, but somehow less secure, according to the Krebs report's interpretation of what was in the repository.
I’m not an expert on federal cybersecurity, but this from Krebs sounds like the kind of stuff we, as citizens, don’t want our government leaking:
One of the leaked files, titled “ImportantAWStokens,” contained administrative credentials for three Amazon AWS GovCloud servers. Another file — “AWS-Workspace-Firefox-Passwords.csv” — posted to the public GitHub repository listed clear-text usernames and passwords for dozens of CISA systems. Those systems included one named ‘LZ-DSO,’ which is short for ‘Landing Zone DevSecOps,’ the agency’s secure code development environment.
Krebs's source for the exposed data was Guillaume Valadon of GitGuardian, a company that scans GitHub for secrets, so finding situations like this is his job. Valadon told Krebs it was “the worst leak I’ve ever seen in my career.”
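To make concrete what a scanner of the GitGuardian kind is looking for, and what the contractor's own machine could have flagged in a pre-commit hook before anything reached GitHub, here is an added example. It is not code from the original post, from CISA, from Nightwing or from GitGuardian. It assumes nothing about the real repository beyond the two file names Krebs quotes; the file contents and every credential in it are constructed, made-up placeholders (the secret key is the well-known AWS documentation sample). The only outside fact it relies on is that AWS access key IDs are 20 characters and begin with the documented prefixes AKIA (long-term IAM key) or ASIA (temporary STS key); the password-column check generalizes the .csv finding to any CSV with a password-like header.

```python
"""
Added example: a minimal secret scanner run over an in-memory file tree that
imitates the leaked files. Not the original post's, CISA's or GitGuardian's code.
All credentials below are fake placeholders constructed for the example.
"""
import csv
import io
import re
from dataclasses import dataclass

# AWS access key IDs: 20 chars, documented prefixes AKIA (IAM user) / ASIA (STS).
AWS_ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[A-Z0-9]{16})\b")
# AWS secret access keys: 40 base64-ish chars. On their own that is noisy, so
# the pattern only fires when the value follows a secret/key style label.
AWS_SECRET_RE = re.compile(
    r"(?i)(?:aws_?secret(?:_access)?_key|secret)\s*[:=]\s*['\"]?([A-Za-z0-9/+=]{40})\b"
)
# Header names that mark a CSV column as holding passwords (hypothetical list).
PASSWORD_HEADERS = {"password", "passwd", "pass", "pwd"}


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    kind: str
    preview: str  # redacted, so the scanner's report is not a second leak


def redact(secret: str) -> str:
    """Keep just enough of the value to identify it without reproducing it."""
    return secret[:4] + "..." + secret[-4:] if len(secret) > 8 else "****"


def scan_text(path: str, text: str) -> list[Finding]:
    """Line-oriented regex scan for AWS key IDs and labelled secret keys."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in AWS_ACCESS_KEY_RE.finditer(line):
            findings.append(Finding(path, lineno, "aws_access_key_id", redact(m.group(1))))
        for m in AWS_SECRET_RE.finditer(line):
            findings.append(Finding(path, lineno, "aws_secret_access_key", redact(m.group(1))))
    return findings


def scan_csv(path: str, text: str) -> list[Finding]:
    """Flag a CSV whose password-like column carries non-empty values."""
    reader = csv.DictReader(io.StringIO(text))
    cols = [c for c in (reader.fieldnames or []) if c.strip().lower() in PASSWORD_HEADERS]
    findings = []
    if not cols:
        return findings
    for rowno, row in enumerate(reader, start=2):  # row 1 is the header line
        for c in cols:
            if row.get(c):
                findings.append(Finding(path, rowno, "plaintext_password", redact(row[c])))
    return findings


def scan_repo(files: dict[str, str]) -> list[Finding]:
    """Scan a {path: content} tree; a real pre-commit hook would walk the index."""
    out = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
        if path.lower().endswith(".csv"):
            out.extend(scan_csv(path, text))
    return out


# Constructed sample tree mimicking the leak. Every credential is a fake placeholder.
SAMPLE_FILES = {
    "ImportantAWStokens": (
        "# govcloud admin (constructed sample)\n"
        "aws_access_key_id = AKIAEXAMPLE0000000AB\n"
        "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    ),
    "AWS-Workspace-Firefox-Passwords.csv": (
        "url,username,password\n"
        "https://lz-dso.example.invalid,admin,Hunter2!2024\n"
        "https://other.example.invalid,svc-build,\n"
    ),
    "README.md": "Notes to self. No secrets here.\n",
}

if __name__ == "__main__":
    # Run as a commit gate: a non-empty finding list should block the push.
    for f in scan_repo(SAMPLE_FILES):
        print(f"{f.path}:{f.line}: {f.kind} {f.preview}")
```

Run against the sample tree it reports three findings: the key ID and secret key in ImportantAWStokens and the one populated password row in the CSV, while the empty password cell and the README produce nothing. The design point worth noting is the redacted preview: a scanner that prints the full secret into CI logs or a ticket just moves the leak somewhere else.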