OpsLens

Pentagon Contractor Leaks Intelligence Gathering Operations Through Sheer Incompetence

Sometimes it doesn’t take criminal action from an NSA contractor like Reality Winner to leak classified information to the world.

A Pentagon contractor left a massive social media spy archive open on the Amazon cloud, exposing to the world a global data collecting operation that included American citizens as well.  Unlike the cases of Edward Snowden and Reality Winner, these leaks seem to have been completely unintentional.

https://twitter.com/fart/status/931608863039614976

The publically accessible Amazon account contained at least 1.8 billion posts and three cloud-based storage buckets.  The information had been scraped from a wide variety of sites, to include social media giant Facebook.  The scraped posts were available for access to any individual with a free Amazon Web Server account. According to security researchers, the content had been collected from news sites, web forums, and social media platforms over the last 8 years.  The scraped content featured several different languages and originated from countries all over the world.

The breach was discovered during a routine security scan in September by Chris Vickery, the director of cyber risk research at UpGuard.  The Department of Defense secured the data no later than October 1st, after Vickery notified officials of the security problem; UpGuard ensured all of the exposed data was secure before making the situation public.  Vickery said that he discovered the breach while running a scan for the word “COM,” eventually discovering a CENTCOM archive.  Content in the archives included items relating to politics in Iraq and Pakistan, as well as discussions about ISIS and other sensitive topics. However, the containers also consisted of ample benign social media posts made by Americans.  This raises the obvious concern over the government covertly collecting data from people located in the US, not to mention how exposed all of this data was to the world.  It was just last month that the Human Rights Watch publicized documents that suggest expanded warrantless surveillance of American citizens.

According to Major Josh Jacques, a spokesperson for CENTCOM, the information that was left exposed was “not sensitive information.  It is not collected nor processed for any intelligence purposes.” Jacques also stated that the data had been collected via commercially available programs.  “US Central Command has used commercial off-the-shelf and web-based programs to support public information gathering, measurement, and engagement activities of our online programs on public sites.  The information is widely available to anyone who conducts similar online activities.”  According to data inside one of the three storage buckets, the data had been collected and analyzed by a company called VendorX.  VendorX was trademarked on March 18, 2013 by a company called VX Technologies LLC in Seattle, WA.

According to the United States Patent and Trademark Office, VendorX is computer software for the collection, editing, analysis, viewing, organization, modification, bookmarking, transmission, storage, exchange, sharing, querying, auditing, and tracking of data and information for use in law enforcement, intelligence, and defense industries.

The company’s documents themselves cast doubt on CENTCOM’s claims that information was neither collected nor processed for intelligence purposes. In addition to being designed specifically for law enforcement, intelligence, and defense organizations, some of the features of VendorX are that it “combs the web continuously for data that supports the mission using both discovery and multiple types of targeted systems combined with recursive mining techniques and link acquisition,” “pull[s] information for specific periods and as-needed, mine[s] for historic content as far back historically as is necessary for analysis,” and has the “ability to collect and follow a conversation thread from start to finish and gather information that allows for inter-relationships between authors to be deeply examined.”

Documents in the archive made reference to the United States government program called Outpost, which is a social listening and influence campaign designed to prevent overseas youth from being radicalized by terrorists.  According to the LinkedIn profile of Erik Kjell Berg, a software designer and startup investor affiliated with VendorX, Outpost is “a multi-lingual social analytics platform designed to positively influence change in high-risk youth in unstable regions of the world, built exclusively for the Dept. of Defense.”