The Pentagon is busy giving DEI instructions to its employees but somehow doesn’t have the time to protect sensitive emails from being publicly available to everyone on the Internet.
Welcome to the new military, courtesy of President Biden.
Granted, I am being a bit harsh on the old man. Incompetence and government go together like peas and carrots, but you have to admit that the military leadership has been keeping its eyes on the wrong set of balls, so to speak.
The latest outrage was revealed by TechCrunch, a technology-focused website.
The U.S. Department of Defense secured an exposed server on Monday that was spilling internal U.S. military emails to the open internet for the past two weeks.
The exposed server was hosted on Microsoft’s Azure government cloud for Department of Defense customers, which uses servers that are physically separated from other commercial customers and as such can be used to share sensitive but unclassified government data. The exposed server was part of an internal mailbox system storing about three terabytes of internal military emails, many pertaining to U.S. Special Operations Command, or USSOCOM, the U.S. military unit tasked with conducting special military operations.
But a misconfiguration left the server without a password, allowing anyone on the internet access to the sensitive mailbox data inside using only a web browser, just by knowing its IP address.
Any guesses regarding whether our adversaries have that IP address? I’ll grant you one guess.
You can imagine what the soldiers in the USSOCOM are thinking right now. With friends like these, who needs enemies?
During the same two weeks that sensitive emails were freely available to all on the Internet, the Pentagon was busy doing this:
Diversity is a strategic imperative critical to mission readiness and accomplishment. We were on site for the 2023 inaugural @DoD_ODEI Summit as DEIA experts led forums to advance the DEIA and DoD mission — because our people matter.
— Department of Defense 🇺🇸 (@DeptofDefense) February 18, 2023
Yep, they have their eyes on the balls.
Anurag Sen, a good-faith security researcher known for discovering sensitive data that has been inadvertently published online, found the exposed server over the weekend and provided details to TechCrunch so we could alert the U.S. government.
The server was packed with internal military email messages, dating back years, some of which contained sensitive personnel information. One of the exposed files included a completed SF-86 questionnaire, the form filled out by federal employees seeking a security clearance, which contains highly sensitive personal and health information used to vet individuals before they are cleared to handle classified information. These personnel questionnaires contain a significant amount of background information on security clearance holders that is valuable to foreign adversaries. In 2015, suspected Chinese hackers stole millions of sensitive background check files of government employees who had sought security clearances in a data breach at the U.S. Office of Personnel Management.
Sen found the server with a simple web crawler that looks for such information. It didn't require any fancy hacking skills or specialized knowledge, simply an interest in seeing what is out there to be found.
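The two details that matter in the passages above are that the mailbox server answered without any credential and that finding it took nothing more than a scanner walking through addresses. The following is an added example written for this page, not TechCrunch's reporting or the researcher's own tooling: it shows the triage step such a sweep needs, parsing each raw HTTP response, separating hosts that demanded authentication or redirected to a login from those that handed content to an anonymous request, and ranking the latter by crude markers of sensitive data (email addresses and SSN-shaped numbers). Every address, response and data value in it is constructed for illustration.

```python
"""Triage raw HTTP responses from an exposure sweep.

Added example for this page. The SAMPLES below are constructed responses,
not captures from any real host; the addresses are RFC 5737 documentation
addresses.
"""
import re
from dataclasses import dataclass

# Heuristic markers of sensitive content (constructed thresholds, not a standard).
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
LOGIN_HINT = re.compile(r"login|signin|sign-in|oauth|auth", re.I)
PASSWORD_FIELD = re.compile(r"<input[^>]+type=[\"']?password", re.I)

# Constructed sample responses keyed by target address:port.
SAMPLES = {
    "203.0.113.10:443": (
        "HTTP/1.1 401 Unauthorized\r\n"
        "WWW-Authenticate: Basic realm=\"mail\"\r\n\r\n"
    ),
    "203.0.113.11:443": (
        "HTTP/1.1 302 Found\r\n"
        "Location: https://login.example.com/oauth2/authorize\r\n"
        "Content-Length: 0\r\n\r\n"
    ),
    "203.0.113.12:8080": (
        "HTTP/1.1 200 OK\r\n"
        "Content-Type: application/json\r\n\r\n"
        '{"mailboxes":[{"owner":"j.doe@example.com","messages":4210}],'
        '"notes":"ssn 123-45-6789 (constructed placeholder)"}'
    ),
    "203.0.113.13:80": (
        "HTTP/1.1 200 OK\r\n"
        "Content-Type: text/html\r\n\r\n"
        "<html><body><form action=\"/login\">"
        "<input type=\"password\" name=\"pw\"></form></body></html>"
    ),
    "203.0.113.14:80": "HTTP/1.1 403 Forbidden\r\n\r\n",
}


@dataclass
class Finding:
    target: str
    verdict: str   # exposed | auth-required | redirect-to-login | redirect | login-page | forbidden | empty | other
    status: int
    markers: int   # count of sensitive-data markers found in the body


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status code, lower-cased headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def count_markers(body):
    """Rough severity signal: how many email addresses and SSN-shaped values the body carries."""
    return len(SSN_RE.findall(body)) + len(EMAIL_RE.findall(body))


def classify(target, raw):
    """Decide whether an anonymous request got content, a challenge, or a login."""
    status, headers, body = parse_response(raw)
    if status in (401, 407) or "www-authenticate" in headers:
        verdict = "auth-required"
    elif status in (301, 302, 303, 307, 308):
        location = headers.get("location", "")
        verdict = "redirect-to-login" if LOGIN_HINT.search(location) else "redirect"
    elif status == 403:
        verdict = "forbidden"
    elif status == 200:
        if PASSWORD_FIELD.search(body):
            verdict = "login-page"        # a form, not data: the server is gated
        elif body.strip():
            verdict = "exposed"           # content returned with no credential at all
        else:
            verdict = "empty"
    else:
        verdict = "other"
    return Finding(target, verdict, status, count_markers(body))


def triage(samples):
    """Classify every target; exposed hosts with the most markers sort first."""
    findings = [classify(t, r) for t, r in samples.items()]
    return sorted(findings, key=lambda f: (f.verdict != "exposed", -f.markers, f.target))


def exposed_targets(samples):
    """Targets that returned content to an unauthenticated request."""
    return [f.target for f in triage(samples) if f.verdict == "exposed"]


if __name__ == "__main__":
    for f in triage(SAMPLES):
        print(f"{f.target:<20} {f.status} {f.verdict:<18} markers={f.markers}")
```

The point of the ranking is operational: in a sweep of thousands of hosts, a 200 with a body and no challenge is the only class worth a human's first look, and a body that already shows identifiers is the one to report first. A real sweep would replace SAMPLES with live responses, but the classification logic is the same.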
I’m sure nobody else found it, though. After all, as Otto von Bismarck once said, “God has a special providence for fools, drunkards, and the United States of America.” Right? Right?!
It’s absurd how many stories we read about government misfeasance regarding computer systems. Whether it is the FAA or the US military, apparently it is mainly fools and drunkards who manage our IT systems. Perhaps that is why God has a special providence for the country as a whole.
Seriously, we can rest assured that our adversaries have vacuumed up everything that was exposed to the public, and while none of it was likely classified, all of it was certainly sensitive and should have been protected.
Of course, it’s unlikely anybody will be fired over this. After all, if they have to replace these workers it will mean spending another several hundred thousand dollars on DEI training.