US Cybersecurity Agency leaves its digital keys public on GitHub



The US Cybersecurity and Infrastructure Security Agency (CISA) had been leaving the digital keys to its own cloud storage accounts out in the open, in plain text, for an unknown period of time, according to a report from Krebs on Security. The issue was finally fixed over the weekend, according to the report.

“Surely the secret information was buried in some obscure folder with an inscrutable name,” I hear you say. The repository was reportedly named “Private-CISA”.

“But there’s no way the content was that sensitive,” you object. But the content included passwords, keys, and tokens, and the passwords were stored in plain text in a .csv file.

CISA gave a statement to Krebs, saying the following:

“Currently, there is no indication that any sensitive data has been compromised as a result of this incident (…) While we hold our team members to the highest standards of integrity and operational awareness, we are working to ensure that additional safeguards are implemented to prevent future incidents.”

Since the repository was created in November of last year, the duration of the vulnerability appears to have been approximately six months, but could have been much shorter depending on what information was added and when.

To refresh your memory, CISA is a relatively new branch of the Department of Homeland Security that has had a tough time in general during Trump 2.0. Although, by signing it into law in 2018, Trump actually created CISA during Administration 1.0, and sorry for the tangent, but Trump’s speech to mark the occasion was an exceptional example of Trump’s poetry, including excerpts like this:

“The cyber battlespace is evolving, and it is evolving, and unfortunately, faster than many people want to talk about. But the cyber battlespace is. So as the cyber battlespace evolves, this new agency will ensure that we face the full range of threats from nation-states, cybercriminals and other malicious actors, of which there are many.”

It is indisputably true, Mr. President. Battlespace it is.

Anyway, Trump was enraged by information provided by CISA leadership during the period between the 2020 election and January 6, 2021, when he was working to overturn the election results in his favor. He fired the CISA director he had appointed, and since he took office again, his CISA has been a chaotic farce. None of the acting directors he has appointed so far have been confirmed by the Senate, and Trump has recently tried to drastically reduce CISA’s funding.

Now, to add to CISA’s worries, it appears, on one reading of the Krebs report about what was in the repository, that an individual employee working for a government contractor called Nightwing was using GitHub to move material from a work device to a home device, sort of like emailing documents to yourself, but somehow even less secure than that.

I’m not a federal cybersecurity expert, but this, from Krebs, sounds like something we as citizens don’t want our government to leak:

“One of the exposed files, titled ‘importantAWStokens,’ included the administrative credentials for three Amazon AWS GovCloud servers. Another file exposed in its public GitHub repository – ‘AWS-Workspace-Firefox-Passwords.csv’ – listed usernames and passwords in plain text for dozens of CISA’s internal systems. According to Caturegli, those systems included one called ‘LZ-DSO,’ which appears to be short for ‘Landing Zone DevSecOps,’ the agency’s secure code development environment.”

Krebs’s source for the exposed information was Guillaume Valadon of GitGuardian, a company that scans GitHub for secrets, meaning that encountering situations like this is his business. Valadon told Krebs it was “the worst leak I have ever witnessed in my career.”
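The kind of check a secrets scanner performs, reduced to its simplest form, as an added example that is not the page’s or GitGuardian’s code: a small Python scan you could run before pushing, which flags AWS access key IDs in any file and non-empty password-like columns in CSV files. The file names and contents are constructed to mirror the report, and the access key ID is the placeholder value from AWS’s own documentation.

```python
import csv
import io
import re

# The AWS access key ID shape (AKIA or ASIA followed by 16 upper-case
# alphanumerics) is public AWS documentation; the column-name heuristic
# for CSV files is this example's own assumption.
AWS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
CRED_COLUMN = re.compile(r"pass(word|wd)?|secret|token", re.I)

def scan_text(text):
    """Return (kind, value) findings for AWS access key IDs in free text."""
    return [("aws_access_key_id", m.group(0)) for m in AWS_KEY_ID.finditer(text)]

def scan_csv(text):
    """Flag CSV rows that carry a non-empty value in a password-like column."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        for col, val in row.items():
            if col and CRED_COLUMN.search(col) and val:
                findings.append(("plaintext_credential_column", col))
    return findings

def scan_repo(files):
    """Map file name -> findings for every file (name: content) that has any."""
    report = {}
    for name, text in files.items():
        findings = scan_text(text)
        if name.lower().endswith(".csv"):
            findings += scan_csv(text)
        if findings:
            report[name] = findings
    return report

# Constructed sample repository echoing the file names in the Krebs report.
# The access key ID is the placeholder from AWS's own documentation.
SAMPLE_FILES = {
    "importantAWStokens": "aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n",
    "AWS-Workspace-Firefox-Passwords.csv": (
        "url,username,password\n"
        "https://intranet.example.gov,jdoe,Winter2024!\n"
        "https://dev.example.gov,svc-build,\n"  # empty password: not flagged
    ),
    "README.md": "# notes\nNothing secret here.\n",
}

if __name__ == "__main__":
    for name, findings in scan_repo(SAMPLE_FILES).items():
        print(name, findings)
```

Pattern matching of this kind catches the obvious cases the report describes; it does not replace keeping credentials out of repositories in the first place, nor rotating any key that was ever committed.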
