
CISA Leaks Secret Credentials in a Public Github Repo

Privacy Guides May 26, 2026
Brian Krebs reported on a public GitHub repository containing sensitive internal CISA credentials, "including cloud keys, tokens, plaintext passwords, logs and other sensitive CISA assets." The original discoverer, Guillaume Valadon from the security firm GitGuardian, reached out to Brian because the owner of the repository did not respond when made aware of the exposed secrets. GitGuardian scans public repositories on GitHub looking for just such information, and alerts the owners about the unintentional data exposure. The repository was ironically named "Private-CISA."

Valadon expressed disbelief in an email to Brian:

> Passwords stored in plain text in a csv, backups in git, explicit commands to disable GitHub secrets detection feature . . . I honestly believed that it was all fake before analyzing the content deeper. This is indeed the worst leak that I’ve witnessed in my career. It is obviously an individual’s mistake, but I believe that it might reveal internal practices.

The repository, owned by a contractor and opened all the way back in 2018, was a "textbook example of poor security hygiene." The CISA administrator explicitly disabled the default setting in GitHub that prevents users from publishing SSH keys in public repositories, in an almost comical level of ineptitude. The exposed files included one titled "importantAWSTokens" with the administrative credentials for three AWS GovCloud servers. Another file, entitled "AWS-Workspace-Firefox-Passwords.csv", listed plaintext usernames and passwords for various internal CISA systems.

Anyone who has a relative who puts all their passwords in a plaintext Microsoft Excel document will be familiar with the internal security practices at CISA. Although grandma didn't publish her passwords on the public internet, so she's much more secure than CISA.
"The use of both a CISA-associated email address and a personal email address suggests the repository may have been used across differently configured environments," observed Philippe Caturegli, founder of the security consultancy firm Seralys. Caturegli validated the AWS tokens and observed that the archive included plaintext credentials for CISA's internal repository of all code packages they use to build software, a juicy target for an attacker looking to remain inside CISA's systems permanently.

The public GitHub repo has now been made private.

CISA is the premier cybersecurity agency of the US. After the Trump administration, it has seen intense budget cuts and now operates with a third of its workforce evaporated.

> As the National Coordinator for Critical Infrastructure Security and Resilience, CISA works with partners at every level to identify and manage risk to the cyber and physical infrastructure that Americans rely on every hour of every day. CISA works with partners to defend against today’s threats and collaborate to build a more secure and resilient infrastructure for the future.

It's no wonder then that important US infrastructure has been targeted by recent cyberattacks.
