from the whose-cybersecurity-are-we-talking-about? dept
The Cybersecurity & Infrastructure Security Agency (CISA) was one of the few genuinely good things Donald Trump was talked into doing during his first term. It was an agency within the Department of Homeland Security whose job was coordinating between the government and industry whenever a cybersecurity threat was big enough that dealing with it in a way that protected Americans required that kind of coordination.
It was staffed with genuinely competent people who understood cybersecurity risks and who did serious work keeping critical systems safe and secure. Everything started to go south in late 2020 when its then-director, Chris Krebs, made the factually accurate statement that the 2020 election had been incredibly secure. That violation of the MAGA narrative was enough for Trump to fire Krebs, and for MAGA to decide that a factual statement was the equivalent of treason.
From about that point onwards, CISA has been basically seen by the MAGA world as suspect, and that was helped along by some bad reporting and conspiracy theory nonsense pretending that CISA was involved in “censoring social media,” something that was not even remotely true. The real story was that, given CISA’s involvement in sharing cybersecurity threat information across industries, there were some efforts to see if they could also coordinate information sharing for things like election disinformation: not as a tool of censorship, but if an election official in some random area saw someone posting information telling people to (for example) “vote by phone” or whatever, there would be a way to route that issue to the relevant internet company to review against its own guidelines.
But because of the false reporting, the MAGA world took it on faith that CISA was commanding a vast censorship empire which simply never actually existed. Either way that made it ripe for the chopping block. Rand Paul, in particular, wanted to destroy the whole thing, falsely believing it was engaged in censorship.
However, he barely needed to do anything because the Donald Trump / Kristi Noem DHS moved many CISA officials away from actually worrying about cybersecurity to… processing deportation paperwork for ICE. And then, of course, came the firings, gutting the agency.
But, you know, having people who actually understand the basics of cybersecurity is probably useful for the [checks notes] cybersecurity agency of the United States. And as a recent Brian Krebs (unrelated to Chris Krebs) report details, whoever was left at CISA was apparently so bad at cybersecurity that they leaked the government’s AWS GovCloud keys by… putting them in a public GitHub repo.
On May 15, KrebsOnSecurity heard from Guillaume Valadon, a researcher with the security firm GitGuardian. Valadon’s company constantly scans public code repositories at GitHub and elsewhere for exposed secrets, automatically alerting the offending accounts of any apparent sensitive data exposures. Valadon said he reached out because the owner in this case wasn’t responding and the information exposed was highly sensitive.
The GitHub repository that Valadon flagged was named “Private-CISA,” and it harbored a vast number of internal CISA/DHS credentials and files, including cloud keys, tokens, plaintext passwords, logs and other sensitive CISA assets.
Valadon said the exposed CISA credentials represent a textbook example of poor security hygiene, noting that the commit logs in the offending GitHub account show that the CISA administrator disabled the default setting in GitHub that blocks users from publishing SSH keys or other secrets in public code repositories.
This is really bad in so many ways. First, as already mentioned, GitHub has a built-in protection against exactly this: its push protection scans every push for known credential formats (AWS keys among them) and refuses the push unless the committer explicitly bypasses it, and it is switched on by default for public repositories. Whoever is left at CISA clearly went and turned it off.
On top of that, any developer with even the slightest knowledge of how this works knows that credentials and tokens never go in the repository at all. The files that hold them (a .env file, an AWS credentials file, a password export) get listed in .gitignore so git never stages them, and the values themselves are loaded at runtime from environment variables or a secrets manager. And .gitignore only prevents the mistake; it does not undo it. Once a secret has been committed and pushed it lives on in the git history and in every clone and scanner cache, so the only real fix is to rotate it.
Here it was even worse — this wasn’t just tokens buried in the code, but a CSV file with plaintext passwords. What are they even doing?
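What a pre-commit or pre-push secret check actually has to do is not complicated. The scanner below is an added example written for this article, not code from GitHub, GitGuardian or CISA. It flags AWS access key IDs by their documented prefix format, a 40-character secret sitting next to an "aws_secret" label, and any CSV whose header row has a password column. The sample files are constructed here: the file names mirror the ones Krebs reported, and the key pair is the placeholder pair from AWS's own documentation, not a real credential.

```python
import re
from dataclasses import dataclass

# AWS access key IDs are "AKIA" (long-term) or "ASIA" (temporary) followed by
# 16 uppercase alphanumerics; that format is documented by AWS. The secret-key
# pattern is a heuristic: a 40-character base64-style token that sits next to
# an "aws_secret"-like label, which keeps false positives on random hashes down.
AWS_KEY_ID = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[0-9A-Z]{16}(?![A-Z0-9])")
AWS_SECRET = re.compile(
    r"(?i)aws[_-]?secret[^\n=:\"']{0,30}[=:]\s*[\"']?([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+])"
)
# A CSV header row containing a "password" column.
PASSWORD_HEADER = re.compile(r"(?i)(^|,)\s*password\s*(,|$)")


@dataclass
class Finding:
    path: str
    line: int
    kind: str
    snippet: str  # masked, so the hook's own output never re-leaks the secret


def mask(secret: str) -> str:
    return secret[:4] + "..." + secret[-4:]


def scan_text(path: str, text: str) -> list[Finding]:
    """Return every finding in one file's contents."""
    findings = []
    lines = text.splitlines()
    for lineno, line in enumerate(lines, 1):
        for m in AWS_KEY_ID.finditer(line):
            findings.append(Finding(path, lineno, "aws_access_key_id", mask(m.group(0))))
        for m in AWS_SECRET.finditer(line):
            findings.append(Finding(path, lineno, "aws_secret_access_key", mask(m.group(1))))
    # A CSV whose header has a password column is a plaintext credential dump,
    # the same shape as the "AWS-Workspace-Firefox-Passwords.csv" in the leak.
    if path.lower().endswith(".csv") and lines and PASSWORD_HEADER.search(lines[0]):
        findings.append(Finding(path, 1, "plaintext_password_csv", lines[0]))
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    """Scan a mapping of path -> contents (what a hook would build from staged files)."""
    out = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


# Constructed sample input. File names mirror the ones reported by Krebs; the
# key values are the example pair from AWS's documentation, not real credentials.
SAMPLE_FILES = {
    "importantAWStokens": (
        "aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
        "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    ),
    "AWS-Workspace-Firefox-Passwords.csv": (
        "url,username,password\n"
        "https://lz-dso.example.internal,admin,hunter2\n"
    ),
    "README.md": "# Private-CISA\nNothing secret here.\n",
}


def run(files: dict[str, str] = SAMPLE_FILES) -> int:
    """Print findings and return the exit code a git hook would use (1 = block)."""
    findings = scan_files(files)
    for f in findings:
        print(f"{f.path}:{f.line}: {f.kind}: {f.snippet}")
    return 1 if findings else 0


if __name__ == "__main__":
    raise SystemExit(run())
```

Wired into a pre-commit hook, the same scanner would be fed the staged files (for example the paths from git diff --cached --name-only) and a non-zero return would block the commit. That is the same class of check GitHub's push protection performs on the server side, which is exactly why turning it off and then committing a passwords CSV is so hard to excuse.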
“Passwords stored in plain text in a csv, backups in git, explicit commands to disable GitHub secrets detection feature,” Valadon wrote in an email. “I honestly believed that it was all fake before analyzing the content deeper. This is indeed the worst leak that I’ve witnessed in my career. It is obviously an individual’s mistake, but I believe that it might reveal internal practices.”
One of the exposed files, titled “importantAWStokens,” included the administrative credentials to three Amazon AWS GovCloud servers. Another file exposed in their public GitHub repository — “AWS-Workspace-Firefox-Passwords.csv” — listed plaintext usernames and passwords for dozens of internal CISA systems. According to Caturegli, those systems included one called “LZ-DSO,” which appears short for “Landing Zone DevSecOps,” the agency’s secure code development environment.
It is difficult to explain how incredibly insecure and, well, amateurish all this is. And these don’t appear to be dummy data or old and obsolete data either. Again from Krebs:
Caturegli said he validated that the exposed credentials could authenticate to three AWS GovCloud accounts at a high privilege level. He said the archive also includes plain text credentials to CISA’s internal “artifactory” — essentially a repository of all the code packages they are using to build software — and that this would represent a juicy target for malicious attackers looking for ways to maintain a persistent foothold in CISA systems.
“That would be a prime place to move laterally,” he said. “Backdoor in some software packages, and every time they build something new they deploy your backdoor left and right.”
This kind of security blunder would be embarrassing for anyone. But for the US government’s Cybersecurity & Infrastructure Security Agency to have a fuckup this bad is unforgivable.
Hell, even when Krebs reached out to CISA about this they did a poor job reacting. They did, thankfully, pull the repo right after being alerted, but taking a repo offline does nothing to a key that has already been scraped, and it appears it took them about two more days to actually rotate the keys and make the exposed ones useless:
The GitHub account that included the Private CISA repo was taken offline shortly after both KrebsOnSecurity and Seralys notified CISA about the exposure. But Caturegli said the exposed AWS keys inexplicably continued to remain valid for another 48 hours.
Krebs points out that CISA has lost a third of its workforce to Trumpian purges, but the bigger story is how the agency was so thoroughly demonized — made the villain in so many MAGA conspiracy theories about censorship — that it drove away the people who actually know how to run a secure operation.
Filed Under: cisa, cybersecurity, git repo, leak, passwords, plaintext