
According to a report by Krebs on Security, the US Cybersecurity and Infrastructure Security Agency (CISA) had credentials for its own cloud systems sitting in plain text in a public GitHub repository for an unknown period of time. The report said the problem was finally fixed over the weekend.
Surely the secret information was buried in some obscure folder with some cryptic name, I hear you saying. The repository was reportedly named “Private-CISA”.
But surely the material was not all that sensitive, you object. The contents included passwords, keys and tokens, and the passwords were plain text in a .CSV file.
CISA provided a statement to Krebs saying the following:
“Currently, there is no indication that any sensitive data was compromised as a result of this incident[…] While we hold our team members to the highest standards of integrity and operational awareness, we are working to ensure that additional security measures are implemented to prevent future incidents.”
Since the repository was created in November of last year, the exposure lasted as long as about six months, though it could have been much shorter, depending on when each piece of information was added.
To refresh your memory, CISA is a relatively young agency within the Department of Homeland Security that has had a tough time overall during Trump 2.0, even though Trump himself brought it into existence during his first administration by signing it into law in 2018. And, sorry about the tangent, but Trump’s speech to mark the occasion was an extraordinary example of Trump poetry, including such excerpts as:
“Cyber battlespace is evolving – and it is evolving, and unfortunately, faster than a lot of people want to talk about it. But battlespace it is. So as cyber battlespace evolves, this new agency will ensure that we confront the full range of threats from nation-states, cyber criminals and other malicious actors, of which there are many.”
Unquestionably true, Mr. President. Battlespace is this.
Anyway, Trump was enraged by the information CISA leadership provided during the period between the 2020 election and January 6, 2021, when he was on a mission to overturn the election results in his favor. He removed the CISA director he had appointed, and since taking office again, his CISA has been a chaotic spectacle. The agency has been run by a succession of acting directors, no permanent director has been confirmed by the Senate, and Trump has recently sought to drastically cut CISA’s funding.
Now, to add to CISA’s concerns, it seems, reading the Krebs report on what was in the repository, that an individual employee of a government contractor called Nightwing was using GitHub to move content from a work device to a home device: somewhat like emailing documents to yourself, except that a public repository is readable by anyone on the internet, including the automated scanners that constantly sweep GitHub for exactly this kind of material.
I’m no expert on federal cybersecurity, but Krebs’ point seems to be that, as citizens, we don’t want our government leaking things like this:
“One of the exposed files, titled ‘importantAWStokens’, contains administrative credentials for three Amazon AWS GovCloud servers. Another file exposed in their public GitHub repository – ‘AWS-Workspace-Firefox-Passwords.csv’ – listed plaintext usernames and passwords for dozens of internal CISA systems. According to Caturegli, those systems include one called ‘LZ-DSO’, which appears to be an acronym for the agency’s secure code development environment ‘Landing Zone DevSecOps’.”
Krebs’ source on the exposed material was Guillaume Valadon of GitGuardian, a company whose business is scanning GitHub for leaked secrets, so spotting situations like this is exactly what it does. Valadon told Krebs that it was “the worst leak I have seen in my career.”
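To make concrete how trivially this kind of exposure gets found, here is a small secrets scanner written for this post (an added example, not code from Krebs, GitGuardian, Nightwing or CISA). It runs over constructed stand-ins for the two files Krebs names: a token file holding an AWS access key pair and a CSV with a password column. The key pair is the placeholder pair from AWS’s own documentation, the hostnames and passwords are invented, and the detection patterns are deliberately simplified versions of what production scanners such as gitleaks or GitGuardian’s ggshield use.

```python
import csv
import io
import re

# Constructed stand-ins for the two file names Krebs reports. The AWS key pair
# is the placeholder pair from AWS's own documentation, and the hostnames and
# passwords are invented; nothing here is real leaked material.
SAMPLE_FILES = {
    "importantAWStokens": (
        "# govcloud admin\n"
        "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    ),
    "AWS-Workspace-Firefox-Passwords.csv": (
        "url,username,password\n"
        "https://lz-dso.example.invalid/login,admin,Winter2024!\n"
        "https://intranet.example.invalid/,jdoe,hunter2\n"
    ),
    "README.md": "Nothing to see here.\n",
}

# Simplified detection patterns. Access key IDs have a fixed prefix and
# length, which is why scanners catch them so reliably; secret keys are
# 40 characters of base64-style text and are only flagged here when they
# sit next to a telltale variable name.
AWS_ACCESS_KEY_ID_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
AWS_SECRET_KEY_RE = re.compile(
    r"(?i)aws_secret_access_key\s*[=:]\s*([A-Za-z0-9/+=]{40})"
)
PASSWORD_HEADER_RE = re.compile(r"(?i)^(pass(word|wd)?|pwd|secret)$")


def scan_text(name, text):
    """Regex pass over any file: returns (file, line, kind, value) tuples."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in AWS_ACCESS_KEY_ID_RE.finditer(line):
            findings.append((name, lineno, "aws_access_key_id", m.group(0)))
        for m in AWS_SECRET_KEY_RE.finditer(line):
            findings.append((name, lineno, "aws_secret_access_key", m.group(1)))
    return findings


def scan_csv(name, text):
    """Structural pass for CSV: flag every non-empty cell in a password column."""
    findings = []
    reader = csv.DictReader(io.StringIO(text))
    headers = reader.fieldnames or []
    pw_cols = [h for h in headers if PASSWORD_HEADER_RE.match(h.strip())]
    for lineno, row in enumerate(reader, 2):  # header line is line 1
        for col in pw_cols:
            if row.get(col):
                findings.append((name, lineno, "plaintext_password", row[col]))
    return findings


def scan_files(files):
    """Run both passes over a {path: contents} mapping, e.g. a checked-out repo."""
    findings = []
    for name, text in files.items():
        findings.extend(scan_text(name, text))
        if name.lower().endswith(".csv"):
            findings.extend(scan_csv(name, text))
    return findings


def redact(value, keep=4):
    """Show only a prefix so the scan report does not itself become a leak."""
    return value[:keep] + "*" * max(len(value) - keep, 0)


if __name__ == "__main__":
    for path, lineno, kind, value in scan_files(SAMPLE_FILES):
        print(f"{path}:{lineno}: {kind}: {redact(value)}")
```

Running it prints four redacted findings: the access key ID, the secret key, and the two password cells. A pre-commit hook doing the equivalent would have stopped the commit before anything reached a public repository. The other half of the lesson is that deleting the repository does not revoke anything: once credentials have been public, every one of them has to be treated as compromised and rotated, because GitGuardian’s scanners are not the only ones watching GitHub.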