CISA exposed passwords on GitHub

- On May 19, TechCrunch reported that CISA credentials, plaintext passwords and cloud keys had been left in a public GitHub repository.
- Sen. Maggie Hassan requested an “urgent” classified briefing from Acting Director Nick Andersen after researchers found exposed internal credentials and files.
- CISA said it is investigating; Hassan’s May 19 letter asks for a classified briefing at the highest level.

TechCrunch reported on May 19 that the Cybersecurity and Infrastructure Security Agency had internal passwords, access tokens and cloud keys exposed in a public GitHub repository that had been maintained by a contractor. The report said GitGuardian researcher Guillaume Valadon found plaintext credentials in spreadsheets and other files and traced them to systems used by CISA and the Department of Homeland Security. Brian Krebs first reported the repository on May 18 after Valadon alerted him when the repository owner did not respond to warnings. CISA spokesperson Marco DiSandro told TechCrunch the agency was investigating and that there was “no indication that any sensitive data was compromised as a result of this incident.”

### How were the credentials found?

Guillaume Valadon, a researcher at GitGuardian, told Krebs that his company’s monitoring of public code repositories flagged exposed secrets in a GitHub repository called “Private-CISA.” Krebs reported that Valadon contacted him on May 15 after the repository owner did not respond to automated alerts. The repository remained public until that weekend, according to Krebs. (techcrunch.com)

Krebs reported that the public archive contained cloud keys, tokens, plaintext passwords, logs and internal files linked to CISA and DHS systems. TechCrunch separately reported that Valadon said some of the exposed credentials gave access to government cloud and internal agency systems.

### What exactly was exposed?

(krebsonsecurity.com) Krebs reported that one file titled “importantAWStokens” contained administrative credentials for three Amazon AWS GovCloud servers. Another file, “AWS-Workspace-Firefox-Passwords.csv,” listed plaintext usernames and passwords for dozens of internal CISA systems, including one identified by Krebs as “LZ-DSO,” which appeared to refer to the agency’s secure code development environment.

(techcrunch.com) TechCrunch reported that the exposed material included access tokens, cloud keys and other sensitive files. The outlet said Valadon tested some of the keys to confirm they were valid before reporting the lapse.

### What has CISA said?

Marco DiSandro, a CISA spokesperson, told TechCrunch that the agency was “aware of the reported exposure and is continuing to investigate the situation.” DiSandro also said there was “no indication that any sensitive data was compromised as a result of this incident.” TechCrunch said CISA did not answer whether it had seen evidence of a breach tied to the exposed credentials or whether the credentials had been revoked and replaced. (techcrunch.com) (krebsonsecurity.com)

Nick Andersen is CISA’s acting director, according to the agency’s leadership page. Axios identified Andersen as the official from whom Sen. Maggie Hassan sought a classified briefing.

### Why did Congress get involved so quickly?

Axios reported on May 19 that Sen. Maggie Hassan, a New Hampshire Democrat, asked Andersen for an “urgent” classified briefing after researchers uncovered the exposed repository. (techcrunch.com)

Hassan’s office later published the May 19 letter, which said public reporting showed that a CISA contractor had maintained lists of agency accounts and passwords on a public database and asked for a briefing “at the highest classification level.” (cisa.gov)

Hassan’s letter said the reported leak raised “serious questions” about how the lapse occurred at the agency responsible for helping prevent cyber breaches. Axios described the request as the first congressional response to the credential exposure.

### What does the reporting show about the repository itself?

(axios.com) Krebs reported that commit logs suggested the user behind the repository had disabled GitHub’s default protection against publishing secrets such as SSH keys in public repositories. Valadon told Krebs the case included “passwords stored in plain text in a csv” and “explicit commands to disable GitHub secrets detection feature.” (hassan.senate.gov)

Philippe Caturegli, founder of security consultancy Seralys, told Krebs he tested the AWS keys only to determine whether they were still valid and what systems they could access. Caturegli said the account’s activity looked like a working scratchpad or synchronization mechanism rather than a curated project repository. (krebsonsecurity.com)

### What happens next?

CISA said on May 19 that its investigation was continuing. Sen. Hassan’s May 19 letter asks Acting Director Andersen for a classified briefing, and her office published the request on its website the same day. (techcrunch.com) (krebsonsecurity.com)
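The two file types the reporting describes, a browser password export in CSV form and a text file of AWS keys, are exactly what a local pre-commit secret check should refuse to let into a repository, independent of any server-side scanning that a user can switch off. The following is an added example written for this article, not code from GitGuardian, GitHub or CISA; the file names reuse those reported above, the file contents are constructed, and the AWS key values are the documented AWS placeholder examples.

```python
import csv
import io
import re

# Firefox's "Export Logins" CSV starts with these columns; any file carrying this
# header is a plaintext credential dump regardless of what it is named.
BROWSER_LOGIN_HEADER = {"url", "username", "password"}

# AWS access key IDs are AKIA (long-term) or ASIA (temporary) plus 16 upper-case
# alphanumerics; secret access keys are 40 base64-like characters after a label.
AWS_KEY_ID_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
AWS_SECRET_RE = re.compile(
    r"(?i)aws(?:_|\s*)secret(?:_|\s*)(?:access_)?key\W{0,5}([A-Za-z0-9/+=]{40})")

# Constructed sample repository contents for the demonstration.
SAMPLE_FILES = {
    "AWS-Workspace-Firefox-Passwords.csv":
        "url,username,password,httpRealm\nhttps://intranet.example,svc-user,hunter2,\n",
    "importantAWStokens.txt":
        "aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
        "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n",
    "README.md": "# notes\nnothing secret here\n",
}

def looks_like_login_export(text):
    """True if the first CSV row matches a browser password-export header."""
    try:
        header = next(csv.reader(io.StringIO(text)))
    except StopIteration:
        return False
    return BROWSER_LOGIN_HEADER.issubset({h.strip().lower() for h in header})

def find_aws_keys(text):
    """Return (line_no, kind, redacted) per AWS key hit; secrets are never echoed."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for m in AWS_KEY_ID_RE.finditer(line):
            hits.append((line_no, "aws_access_key_id", m.group(0)[:4] + "..." + m.group(0)[-4:]))
        for _ in AWS_SECRET_RE.finditer(line):
            hits.append((line_no, "aws_secret_access_key", "****"))
    return hits

def scan_files(files):
    """files: {name: text}. Returns findings; a non-empty list should block the commit."""
    findings = []
    for name, text in files.items():
        if looks_like_login_export(text):
            findings.append((name, "browser_password_export"))
        for line_no, kind, redacted in find_aws_keys(text):
            findings.append((name, f"{kind}@L{line_no}:{redacted}"))
    return findings

if __name__ == "__main__":
    for name, finding in scan_files(SAMPLE_FILES):
        print(f"BLOCK {name}: {finding}")
```

Wired into a pre-commit hook, `scan_files` run over the staged files gives a client-side stop that does not depend on the repository's push-protection setting.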
