The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has been inadvertently exposing its cloud storage accounts’ digital keys in plaintext for an extended period, as reported by Krebs on Security. Thankfully, this issue was rectified over the weekend.
Perhaps the sensitive information was hidden in a convoluted folder with an unrecognizable name, you might think. The repository, however, was conspicuously labeled “Private-CISA.”
But surely the contents were not highly sensitive, you may argue. Yet, the exposed data included passwords, keys, and tokens, with passwords stored in a .CSV file as plain text.
CISA provided a statement to Krebs, which included the following:
“Currently, there is no indication that any sensitive data was compromised as a result of this incident[…] While we hold our team members to the highest standards of integrity and operational awareness, we are working to ensure additional safeguards are implemented to prevent future occurrences.”
The repository was established in November of the previous year, indicating that the vulnerability may have persisted for approximately six months, although it could have been shorter depending on when new information was added.
For context, CISA is a relatively new division of the Department of Homeland Security that has faced numerous challenges during the Trump administration. Interestingly, it was created with the signing of legislation in 2018 by Trump, who, in a sense, facilitated its formation during his first term. It’s worth mentioning that Trump’s speech during this event was a unique display of his rhetorical style, featuring memorable lines such as:
“The cyber battlespace evolves — and it is evolving, and unfortunately, faster than a lot of people want to talk about. But battlespace it is. So as the cyber battlespace evolves, this new agency will ensure that we confront the full range of threats from nation-states, cyber criminals, and other malicious actors, of which there are many.”
Indisputably accurate, Mr. President. It is indeed a battlespace.
During the tumultuous period between the 2020 election and the events of January 6, 2021, Trump was reportedly infuriated by the information provided by CISA’s leadership while attempting to overturn the election results. He dismissed the CISA director he had appointed, and since his return to office, CISA has been characterized by disorder. Neither of the acting directors appointed so far has received Senate confirmation, and Trump has recently aimed to substantially cut CISA’s budget.
To further complicate matters for CISA, the Krebs report suggests that an employee from a government contractor named Nightwing was utilizing GitHub to transfer materials from a work device to a personal device—similar to emailing documents to oneself, but even less secure.
While I may not be a federal cybersecurity expert, the findings from Krebs highlight information that should not be leaked by our government:
“One of the exposed files, titled ‘importantAWStokens,’ included the administrative credentials to three Amazon AWS GovCloud servers. Another file exposed in their public GitHub repository — ‘AWS-Workspace-Firefox-Passwords.csv’ — listed plaintext usernames and passwords for dozens of internal CISA systems. According to Caturegli, those system[s] included one called ‘LZ-DSO,’ which appears short for ‘Landing Zone DevSecOps,’ the agency’s secure code development environment.”
Krebs’ source regarding the information left publicly accessible was Guillaume Valadon of GitGuardian, a company specializing in scanning GitHub for security vulnerabilities. Valadon remarked to Krebs that this was “the worst leak that I’ve witnessed in my career.”
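As an added illustration, not code from the Krebs report or from GitGuardian, here is the kind of repository scan that catches files like the ones quoted above before they reach a public remote: it flags AWS access key IDs and secret keys in config-style files and CSVs that carry values in a password-like column. The file names in SAMPLE_REPO echo the report, but every credential value in it is constructed and fake.

```python
import csv
import io
import re
from typing import Dict, List, Tuple

# AKIA/ASIA + 16 chars is the documented access key ID shape; the other rules are heuristics.
AWS_ACCESS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")
AWS_SECRET_KEY = re.compile(r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?[A-Za-z0-9/+=]{40}")
GENERIC_SECRET = re.compile(r"(?i)\b(?:password|passwd|token|secret)\b\s*[=:]\s*\S+")
CREDENTIAL_COLUMN = re.compile(r"(?i)pass(?:word)?|secret|token")
Finding = Tuple[str, int, str]  # (path, line number, rule name)

def scan_text(path: str, text: str) -> List[Finding]:
    """Scan a plain text/config file line by line for credential patterns."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if AWS_ACCESS_KEY_ID.search(line):
            findings.append((path, lineno, "aws-access-key-id"))
        if AWS_SECRET_KEY.search(line):
            findings.append((path, lineno, "aws-secret-access-key"))
        elif GENERIC_SECRET.search(line):
            findings.append((path, lineno, "generic-secret-assignment"))
    return findings

def scan_csv(path: str, text: str) -> List[Finding]:
    """Flag CSV rows that carry a non-empty value in a password-like column."""
    reader = csv.DictReader(io.StringIO(text))
    cols = [c for c in (reader.fieldnames or []) if CREDENTIAL_COLUMN.search(c)]
    findings: List[Finding] = []
    for lineno, row in enumerate(reader, start=2):  # header is line 1
        if any((row.get(c) or "").strip() for c in cols):
            findings.append((path, lineno, "plaintext-credential-csv"))
    return findings

def scan_repo(files: Dict[str, str]) -> List[Finding]:
    """Dispatch each file by extension; returns findings sorted by path and line."""
    findings: List[Finding] = []
    for path, text in files.items():
        scanner = scan_csv if path.lower().endswith(".csv") else scan_text
        findings.extend(scanner(path, text))
    return sorted(findings)

# Constructed sample repository echoing the file names from the report; all values are fake.
SAMPLE_REPO = {
    "importantAWStokens": "aws_access_key_id = AKIAEXAMPLE0000000AB\n"
    "aws_secret_access_key = abcdefghijklmnopqrstuvwxyz0123456789ABCD\n",
    "AWS-Workspace-Firefox-Passwords.csv": "url,username,password\n"
    "https://lz-dso.example/,alice,Hunter2!\nhttps://other.example/,bob,\n",
    "README.md": "Landing zone notes, nothing secret.\n",
}
```

Run as a pre-commit hook or in CI, a non-empty result from scan_repo should block the push; the generic rule will need per-repository tuning to keep false positives down.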