Confidential details of a top-secret encryption-breaking supercomputer were left completely exposed on an unsecured computer server belonging to New York University (NYU), according to a new report.
While it’s not uncommon for even critical-level infrastructure to suffer potentially catastrophic security breaches, what makes this event different is that there was seemingly no foul-play or attempts to hack into NYU’s systems.
Instead, it looks like somebody may have just forgotten to secure their classified data properly, exposing hundreds of pages of information on a covert code-breaking machine co-administered by the Department of Defence, IBM, and NYU.
The large volume of confidential data about the supercomputer project – code-named WindsorGreen – was discovered by an unnamed American computer security researcher in early December 2016, while he was trawling the internet looking for technical vulnerabilities, according to a new report by Sam Biddle in The Intercept.
In the course of his investigations, the researcher – called Adam (not his real name) – came across an unsecured server connected to the internet, belonging to NYU’s Institute for Mathematics and Advanced Supercomputing (IMAS), and which looked to be a backup drive full of what presumably should have been secret operational information about the previously unknown computer initiative:
“The supercomputer described in the trove, ‘WindsorGreen’, was a system designed to excel at the sort of complex mathematics that underlies encryption, the technology that keeps data private, and almost certainly intended for use by the Defence Department’s signals intelligence wing, the National Security Agency.”
According to the leaked documents – a very small sample of which has been uploaded online – WindsorGreen is the successor to WindsorBlue, a previous encryption-breaking supercomputer used by the NSA, details of which first came to light after leaks by infamous NSA whistleblower Edward Snowden.
As Adam told The Intercept, all the documents were marked as being for the attention of the Department of Defence and US government agencies only, so he was stunned to find them left so carelessly exposed on the server, without even rudimentary layers of protection.
“The fact that this software, these spec sheets, and all the manuals to go with it were sitting out in the open for anyone to copy is just simply mind blowing,” he said.
“All of this leaky data is courtesy of what I can only assume are misconfigurations in the [IMAS] department at NYU. Not even a single username or password separates these files from the public internet right now. It’s absolute insanity.”
Fortunately for the agencies, academics and other computer scientists at IBM who were involved with the classified project, NYU took the data offline after Adam notified them about their mistake – and thanked him by sending him a poster.
While it’s unclear just how the files got exposed in the first place, the likelihood that it was user error may be supported by the fact that one of the NYU scientists involved – mathematician David Chudnovsky – also had his email correspondence (including messages sent to US military operatives) laid bare by the same misconfigured settings.
It’s not known whether others discovered the same top-secret data trove hidden in plain sight, but if they did, Adams says it would go a long way to undermining efforts made by the defence community to maintain a lead in anti-encryption technology.
“Let’s, just for hypotheticals, say that China found the same exposed NYU lab server that I did and downloaded all the stuff I downloaded,” he told The Intercept.
“That simple act alone, to a large degree, negates a humongous competitive advantage we thought the US had over other countries when it comes to supercomputing.”
At this point, we don’t know what ultimately became of WindsorGreen. The leaked documents are dated from 2005 to 2012, with details suggesting the supercomputer might have been ready by 2014.
That could mean the system is currently in use by organisations like the NSA and its partners – or it may have already been superseded by technology that’s even better at code-breaking: unlocking efforts made to lock down personal data, by brute-forcing its way past simplistic or outmoded encryption algorithms.
Of course, no matter how advanced WindsorGreen or its successors are, it will pale in comparison to the frighteningly powerful code-breaking abilities of tomorrow’s quantum computers, which could have the ability to retroactively uncover any secret communications we make today.
While there’s still a lot we don’t know about WindsorGreen – and it’s worth pointing out that all the information we have on it at present is limited to just one source – the fact that you’re reading about it right now due to somebody else’s fundamental IT mistake is just another cautionary reminder to always secure your data as much as you can.
You might not always be able to counter the code-breaking might of the NSA (or others who might want to snoop on you), but you should at least make the effort to protect yourself with a password.
H/T: The Intercept