‘The Worst Leak I’ve Witnessed’: A CISA Contractor Left AWS GovCloud Credentials Sitting In A Public GitHub Repo

from the whose-cybersecurity-are-we-talking-about? dept

The Cybersecurity & Infrastructure Security Agency (CISA) was one of the few genuinely good things Donald Trump was talked into doing during his first term. It was an agency within the Department of Homeland Security focused on coordinating between the government and industry whenever a larger cybersecurity threat required a joint response to protect Americans.

It was staffed with genuinely competent people who understood cybersecurity risks, and who did serious work keeping critical systems safe and secure. Everything started to go south in late 2020 when its then-director, Chris Krebs, made the factually accurate statement that the 2020 election had been incredibly secure. That violation of the MAGA narrative led Trump to fire Krebs, and led MAGA to decide that this factual statement was the equivalent of treason.

From about that point onwards, CISA has been basically seen by the MAGA world as suspect, and that was helped along by some bad reporting and conspiracy theory nonsense pretending that CISA was involved in “censoring social media,” something that was not even remotely true. The real story was that, given CISA’s involvement in sharing cybersecurity threat information across industries, there were some efforts to see if they could also coordinate information sharing for things like election disinformation: not as a tool of censorship, but if an election official in some random area saw someone posting information telling people to (for example) “vote by phone” or whatever, there would be a way to route that issue to the relevant internet company to review against its own guidelines.

But because of the false reporting, the MAGA world took it on faith that CISA was commanding a vast censorship empire which simply never actually existed. Either way that made it ripe for the chopping block. Rand Paul, in particular, wanted to destroy the whole thing, falsely believing it was engaged in censorship.

However, he barely needed to do anything because the Donald Trump / Kristi Noem DHS moved many CISA officials away from actually worrying about cybersecurity to… processing deportation paperwork for ICE. And then, of course, came the firings, gutting the agency.

But, you know, having people who actually understand the basics of cybersecurity is probably useful for the [checks notes] cybersecurity agency of the United States. And as a recent Brian Krebs (unrelated to Chris Krebs) report details, whoever was left at CISA apparently was so bad at cybersecurity that they leaked the government’s AWS GovCloud keys by… putting them in a public GitHub repo.

On May 15, KrebsOnSecurity heard from Guillaume Valadon, a researcher with the security firm GitGuardian. Valadon’s company constantly scans public code repositories at GitHub and elsewhere for exposed secrets, automatically alerting the offending accounts of any apparent sensitive data exposures. Valadon said he reached out because the owner in this case wasn’t responding and the information exposed was highly sensitive.

The GitHub repository that Valadon flagged was named “Private-CISA,” and it harbored a vast number of internal CISA/DHS credentials and files, including cloud keys, tokens, plaintext passwords, logs and other sensitive CISA assets.

Valadon said the exposed CISA credentials represent a textbook example of poor security hygiene, noting that the commit logs in the offending GitHub account show that the CISA administrator disabled the default setting in GitHub that blocks users from publishing SSH keys or other secrets in public code repositories.

This is really bad in so many ways. First, as already mentioned, GitHub has literal protections against just this thing which you have to actively go and disable, which whoever is left at CISA clearly did.

On top of that, any developer with even the slightest knowledge of how this works knows you keep credentials and tokens in files listed in .gitignore, which, as the name implies, makes sure they never end up in an accessible repository.

Here it was even worse — this wasn’t just tokens buried in the code, but a CSV file with plaintext passwords. What are they even doing?

“Passwords stored in plain text in a csv, backups in git, explicit commands to disable GitHub secrets detection feature,” Valadon wrote in an email. “I honestly believed that it was all fake before analyzing the content deeper. This is indeed the worst leak that I’ve witnessed in my career. It is obviously an individual’s mistake, but I believe that it might reveal internal practices.”

One of the exposed files, titled “importantAWStokens,” included the administrative credentials to three Amazon AWS GovCloud servers. Another file exposed in their public GitHub repository — “AWS-Workspace-Firefox-Passwords.csv” — listed plaintext usernames and passwords for dozens of internal CISA systems. According to Caturegli, those systems included one called “LZ-DSO,” which appears short for “Landing Zone DevSecOps,” the agency’s secure code development environment.
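As an added example (not code from Techdirt, KrebsOnSecurity, GitGuardian or CISA), here is the kind of pre-commit check that catches the three things described above before they reach a public repository: an AWS access key ID, an AWS secret access key next to its variable name, and a CSV whose password column is populated. The file names mirror the ones named in the report, but the contents are constructed; the key pair is AWS's own documented example and authenticates to nothing. The `--staged` mode reads real index contents via `git diff --cached` and `git show :path`; without it the script runs against the embedded sample.

```python
import csv
import io
import re
import subprocess
import sys

# AWS access key IDs are "AKIA" or "ASIA" followed by 16 upper-case alphanumerics.
AWS_ACCESS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")
# Secret access keys are 40 base64-ish characters; only flag them when they sit
# next to a telling variable name, to keep false positives down.
AWS_SECRET_KEY = re.compile(
    r"(?i)aws[_-]?secret[_-]?access[_-]?key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})"
)
PRIVATE_KEY_BLOCK = re.compile(r"-----BEGIN (?:RSA |OPENSSH |EC )?PRIVATE KEY-----")
PASSWORD_COLUMNS = {"password", "passwd", "pass", "pwd", "secret"}


def scan_text(path, text):
    """Line-oriented pattern scan; returns (path, line_no, kind) findings."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        if AWS_ACCESS_KEY_ID.search(line):
            findings.append((path, no, "aws_access_key_id"))
        if AWS_SECRET_KEY.search(line):
            findings.append((path, no, "aws_secret_access_key"))
        if PRIVATE_KEY_BLOCK.search(line):
            findings.append((path, no, "private_key"))
    return findings


def scan_csv(path, text):
    """Flag CSV rows that carry a non-empty value in a password-like column."""
    reader = csv.reader(io.StringIO(text))
    try:
        header = next(reader)
    except StopIteration:
        return []
    cols = [i for i, h in enumerate(header) if h.strip().lower() in PASSWORD_COLUMNS]
    if not cols:
        return []
    findings = []
    for no, row in enumerate(reader, 2):  # row 2 is the first data row
        if any(i < len(row) and row[i].strip() for i in cols):
            findings.append((path, no, "plaintext_password_csv"))
    return findings


def scan_files(files):
    """files maps path -> content, exactly what a hook reads from the git index."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
        if path.lower().endswith(".csv"):
            findings.extend(scan_csv(path, text))
    return findings


def staged_files():
    """Collect added/modified staged paths and their index contents (real hook use)."""
    names = subprocess.run(
        ["git", "diff", "--cached", "--name-only", "--diff-filter=AM"],
        capture_output=True, text=True, check=True,
    ).stdout.split()
    out = {}
    for name in names:
        blob = subprocess.run(["git", "show", f":{name}"], capture_output=True, check=True).stdout
        out[name] = blob.decode("utf-8", errors="replace")
    return out


# Constructed sample "staged" files. Key values are AWS's documented examples.
SAMPLE_FILES = {
    "importantAWStokens": (
        "aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
        "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    ),
    "AWS-Workspace-Firefox-Passwords.csv": (
        "url,username,password\n"
        "https://lz-dso.example,admin,hunter2\n"
        "https://artifactory.example,builder,\n"
    ),
    "README.md": "# Private-CISA\nNothing to see here.\n",
}

if __name__ == "__main__":
    files = staged_files() if "--staged" in sys.argv else SAMPLE_FILES
    hits = scan_files(files)
    for path, no, kind in hits:
        print(f"{path}:{no}: {kind}")
    sys.exit(1 if hits else 0)  # non-zero exit blocks the commit
```

Wired in as `.git/hooks/pre-commit` with `--staged`, the non-zero exit refuses the commit; it is a local complement to GitHub's server-side block, which the report says was switched off, and to keeping credential files out of the index via `.gitignore` in the first place.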

It is difficult to explain how incredibly insecure and, well, amateurish all this is. And these don’t appear to be dummy data or old and obsolete data either. Again from Krebs:

Caturegli said he validated that the exposed credentials could authenticate to three AWS GovCloud accounts at a high privilege level. He said the archive also includes plain text credentials to CISA’s internal “artifactory” — essentially a repository of all the code packages they are using to build software — and that this would represent a juicy target for malicious attackers looking for ways to maintain a persistent foothold in CISA systems.

“That would be a prime place to move laterally,” he said. “Backdoor in some software packages, and every time they build something new they deploy your backdoor left and right.”

This kind of security blunder would be embarrassing for anyone. But for the US government’s Cybersecurity & Infrastructure Security Agency to have a fuckup this bad is unforgivable.

Hell, even when Krebs reached out to CISA about this they did a poor job reacting. While they, thankfully, pulled the repo right after being alerted, it appears it took them over two days to actually rotate the keys to make the exposed ones inactive:

The GitHub account that included the Private CISA repo was taken offline shortly after both KrebsOnSecurity and Seralys notified CISA about the exposure. But Caturegli said the exposed AWS keys inexplicably continued to remain valid for another 48 hours.
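The 48-hour gap is the part a responder can actually control, since a deleted repository does nothing about copies already cloned. As an added example (not CISA's procedure or KrebsOnSecurity's code), this is the containment order for a leaked IAM access key: deactivate the exposed key the moment the leak is confirmed, only then mint its replacement, and delete the old key once the replacement is deployed. The two response functions use boto3's IAM client method names and argument shapes (`update_access_key`, `create_access_key`, `list_access_keys`, `delete_access_key`); `FakeIAM` is a constructed in-memory double so the sequence runs offline, and the user name `lz-dso-deploy` is hypothetical.

```python
def contain_exposed_key(iam, user_name, exposed_key_id):
    """Deactivate the leaked key first, then mint the replacement.

    Deactivating rather than deleting stops the key working immediately while
    leaving it recoverable if a critical workload turns out to depend on it.
    `iam` is a boto3 IAM client (boto3.client("iam")) or a compatible double.
    """
    iam.update_access_key(UserName=user_name, AccessKeyId=exposed_key_id,
                          Status="Inactive")
    new_key = iam.create_access_key(UserName=user_name)["AccessKey"]
    return new_key["AccessKeyId"], new_key["SecretAccessKey"]


def retire_exposed_key(iam, user_name, exposed_key_id):
    """Final step, run only after the replacement is in use everywhere."""
    iam.delete_access_key(UserName=user_name, AccessKeyId=exposed_key_id)


def active_key_ids(iam, user_name):
    """Keys that can still authenticate; the exposed id must not appear here."""
    page = iam.list_access_keys(UserName=user_name)
    return sorted(m["AccessKeyId"] for m in page["AccessKeyMetadata"]
                  if m["Status"] == "Active")


class FakeIAM:
    """Constructed stand-in for boto3's IAM client, for the offline demo only."""

    def __init__(self, key_ids):
        self.status = {k: "Active" for k in key_ids}
        self.calls = []  # ordered record of API calls, to check the sequence
        self._counter = 0

    def update_access_key(self, UserName, AccessKeyId, Status):
        self.calls.append(("update_access_key", AccessKeyId, Status))
        self.status[AccessKeyId] = Status
        return {}

    def create_access_key(self, UserName):
        self._counter += 1
        key_id = f"AKIAFAKEREPLACE{self._counter:05d}"  # constructed fake id
        self.status[key_id] = "Active"
        self.calls.append(("create_access_key", key_id, "Active"))
        return {"AccessKey": {"UserName": UserName, "AccessKeyId": key_id,
                              "SecretAccessKey": "fake-secret-not-real",
                              "Status": "Active"}}

    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": [
            {"UserName": UserName, "AccessKeyId": k, "Status": s}
            for k, s in self.status.items()]}

    def delete_access_key(self, UserName, AccessKeyId):
        self.calls.append(("delete_access_key", AccessKeyId, None))
        del self.status[AccessKeyId]
        return {}


def run_demo():
    """Walk the full sequence against the fake and return what happened."""
    exposed = "AKIAIOSFODNN7EXAMPLE"   # AWS's documented example id, not a live key
    user = "lz-dso-deploy"             # hypothetical IAM user name
    iam = FakeIAM([exposed])
    new_id, _new_secret = contain_exposed_key(iam, user, exposed)
    after_contain = active_key_ids(iam, user)
    retire_exposed_key(iam, user, exposed)   # in practice: after redeploying
    after_retire = active_key_ids(iam, user)
    return {"calls": iam.calls, "new_id": new_id,
            "after_contain": after_contain, "after_retire": after_retire}


if __name__ == "__main__":
    for call in run_demo()["calls"]:
        print(call)
```

The ordering is the point: with a real client, the first `update_access_key` call is what closes the window the report describes, and everything after it is cleanup. Rotating a leaked key also does not undo whatever it was used for in the meantime, so the CloudTrail history for that key id still needs review.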

Krebs points out that CISA has lost a third of its workforce to Trumpian purges, but the bigger story is how the agency was so thoroughly demonized — made the villain in so many MAGA conspiracy theories about censorship — that it drove away the people who actually know how to run a secure operation.



Comments on “‘The Worst Leak I’ve Witnessed’: A CISA Contractor Left AWS GovCloud Credentials Sitting In A Public GitHub Repo”

17 Comments
Bruce C. says:

Re: If we're going to hypothesize motives...

It could just as easily have been a hostile foreign agent embedded in the agency as a disgruntled employee.

Whether any of those conspiracy theories holds water would depend on whether this administration has the resources and motivation to properly investigate the incident. It could just as easily be a witch hunt/scapegoating or a white-washing as a legitimate investigation.

Anonymous Coward says:

"Catastrophe" may be too mild a term

I know that we’ve all become somewhat numb to the endless parade of security breaches and data loss incidents, but this…this is the worst I’ve ever seen, and I’ve been around far longer than Valadon. If you had told me a week ago that this would happen, I wouldn’t have believed you; I would have rejected that prediction as highly implausible, given the combination of incompetence and negligence required to make it happen.

And yet here we are. Kudos to Valadon for finding it and for reporting it, and thus taking a chance that some contingent of wackos out there will blame him for it. I would continue with “…and we’ll see what the investigation turns up…” but we won’t. There’s nobody left with the skills and the power and the motivation to conduct one. All that’ll happen is that someone will get thrown under the bus and the usual platitudes will be uttered and then it’ll all be forgotten because tomorrow we’ll be bombing Cuba or banning solar panels or whatever other completely insane nonsense someone whispered into Trump’s ear.

But the Chinese won’t forget. Nor will the Russians. Nor will everyone else who got there first and of course didn’t report it — why would they? Everything those credentials protected is now being analyzed elsewhere in the world and it’s only a matter of time until that information is exploited.

Anonymous Coward says:

In their purge of DEI hires, they defined ‘DEI’ as ‘anyone capable of doing their job, but not willing to bow before the orange diaper man.’

What they have now are the remaining ‘DEI’ hires – incompetent fuckheads who pose a national security risk, but adequately bow before the egomaniacal shitbag president.

They just expect us to shrug and think ‘we need to give mouth-breathing morons important jobs. People that ‘think’ are a threat to the rest of the stupids! (aka The MAGA-faithful)’

ALEX TOLLEY says:

Cybersecurity and other expertise

While the cyber security purge was due to the belief that they could substantiate Russian meddling in the 2020 election (IMO), and therefore contradicted the Trumpian big lie, isn’t it just part of the general regime’s/MAGA purging of all agencies of scientific and technical expertise? And should Russia want to help the GOP win the next election, the regime won’t want some government group exposing that, would it?
