Military Files Left Unprotected Online
- From: "Bob Brock" <bbrock@xxxxxxxxxxxxx>
- Date: Thu, 12 Jul 2007 13:45:35 -0400
<http://www.lasvegassun.com/sunbin/stories/tech/2007/jul/12/071205355.html>
0711dv-ftp-security Detailed schematics of a military detainee holding
facility in southern Iraq. Geographical surveys and aerial photographs of
two military airfields outside Baghdad. Plans for a new fuel farm at Bagram
Air Base in Afghanistan.
The military calls it "need-to-know" information that would pose a direct
threat to U.S. troops if it were to fall into the hands of terrorists. It's
material so sensitive that officials refused to release the documents when
asked.
But it's already out there, posted carelessly to file servers by government
agencies and contractors, accessible to anyone with an Internet connection.
In a survey of servers run by agencies or companies involved with the
military and the wars in Iraq and Afghanistan, The Associated Press found
dozens of documents that officials refused to release when asked directly,
citing troop security.
Such material goes online all the time, posted most often by mistake. It's
not in plain sight, unlike the plans for the new American embassy in Baghdad
that appeared recently on the Web site of an architectural firm. But it is
almost as easy to find.
And experts said foreign intelligence agencies and terrorists working with
al-Qaida likely know where to look.
In one case, the Army Corps of Engineers asked the AP to promptly dispose of
several documents found on a contractor's server that detailed a project to
expand the fuel infrastructure at Bagram - including a map of the entry
point to be used by fuel trucks and the location of pump houses and fuel
tanks. The Corps of Engineers then changed its policies for storing material
online following the AP's inquiry.
But a week later, the AP downloaded a new document directly from the
agency's own server. The 61 pages of photos, graphics and charts map out the
security features at Tallil Air Base, a compound outside of Nasiriyah in
southeastern Iraq, and depict proposed upgrades to the facility's perimeter
fencing.
"That security fence guards our lives," said Lisa Coghlan, a spokeswoman for
the Corps of Engineers in Iraq, who is based at Tallil. "Those drawings
should not have been released. I hope to God this is the last document that
will be released from us."
The Corps of Engineers and its contractor weren't alone:
- The National Geospatial-Intelligence Agency - which provides the military
with maps and charts - said it plans to review its policies after the AP
found several sensitive documents, including aerial surveys of military
airfields near Balad and Al Asad, Iraq, on its server.
- Benham Companies LLC is securing its site after learning it had
inadvertently posted detailed maps of buildings and infrastructure at Fort
Sill, Okla. "Now, everything will be protected," said Steve Tompkins, a
spokesman for Oklahoma City-based Benham.
- Los Alamos National Laboratory and Sandia National Laboratories, two of
the nation's leading nuclear laboratories, closed public access to their
file transfer protocol servers after the AP contacted them about material
posted there. Both said the change was unrelated to the AP's inquiry.
The AP has destroyed the documents it downloaded, and all the material cited
in this story is no longer available online on the sites surveyed.
The posting of private material on publicly available FTP servers is a
familiar problem to security experts hired by companies to secure sites and
police the actions of employees who aren't always tech-savvy. They said
files that never should appear online are often left unprotected by
inexperienced or careless users who don't know better.
A spokeswoman for contractor SRA International Inc., where the AP found a
document the Defense Department said could let hackers access military
computer networks, said the company wasn't concerned because the
unclassified file was on an FTP site that's not indexed by Internet search
engines.
"The only way you could find it is by an awful lot of investigation," said
SRA spokeswoman Laura Luke.
But on Tuesday, SRA had effectively shut down its FTP server. The only file
online was a short statement: "In order to mitigate the risk of SRA or
client proprietary information being inadvertently made available to the
public, the SRA anonymous ftp server has been shutdown indefinitely. In the
coming months, a new secure ftp site will be introduced that will replace
the functionality of this site."
Bruce Schneier, chief technology officer of BT Counterpane, a Mountain View,
Calif.-based technology security company, said the attitude that material
posted on FTP sites is hard to find reflects a misunderstanding of how the
Internet works.
"For some, there's sort of this myth that 'if I put something on the Net and
don't tell anybody,' that it's hidden," Schneier said. "It's a sloppy user
mistake. This is yet another human error that creates a major problem."
File transfer protocol is a relatively old technology that makes files
available on the Internet. It remains popular for its simplicity, efficiency
and low cost. In fact, several agencies and contractors said the documents
found by the AP were posted online so they could be easily shared among
colleagues.
Internet users can't scour the sites with a typical search engine, but FTP
servers routinely share a similar address as public Web sites. To log on,
users often only need to replace "http" and "http://www"; in a Web address
with "ftp."
Some are secured by password or a firewall, but others are occasionally left
open to anyone with an Internet connection to browse and download
anonymously. Experts said that when unsophisticated users post sensitive
information to the servers, they would not necessarily know it could be
downloaded by people outside of their business or agency.
"What they don't realize is that every time you set up any type of server,
you have that possibility," said Danny Allan, director of security research
for Watchfire, a Waltham, Mass.-based Web security company. "Any files that
you are putting on the server you want to monitor on a continuous basis."
Allan said he and others in the security industry have watched for more than
a decade as files - including credit card information, sensitive blueprints
of government buildings and military intelligence reports - spread through
the public domain via unsecured FTP servers.
A spokeswoman for the U.S. Central Command, which oversees the war in Iraq,
declined to say if material accidentally left on the Internet had led to a
physical breach of security.
But among the documents the AP found were aerial photographs and detailed
schematics of Camp Bucca, a U.S.-run facility for detainees in Iraq. One of
the documents was password-protected, but the password was printed in an
unsecure document stored on the same server. They showed where U.S. forces
keep prisoners and fuel tanks, as well as the locations of security fences,
guard towers and other security measures.
"It gets down to a level of detail that would assist insurgents in trying to
free their members from the camp or overpower guards," said Loren Thompson,
a military analyst with the Virginia-based Lexington Institute. "When you
post ... the map of a high-security facility that houses insurgents, you're
basically giving their allies on the outside information useful in freeing
them."
The Corps of Engineers expressed a similar concern when it learned that the
AP had downloaded the details about the fuel infrastructure upgrade at
Bagram from a contractor's FTP site. Spokeswoman Joan Kibler said that kind
of information "could put our troops in harm's way."
The AP's discovery led the agency to ask all its contractors to immediately
put such material under password protection. In fact, all the agencies and
contractors contacted by the AP have either shut down their FTP sites,
secured them with a password or pledged to install other safeguards to
ensure the documents are no longer accessible.
"We saw that there have been instances where some documents have been placed
on FTP sites, and they haven't had any safeguarding mechanisms for them,"
Kibler said. "We've determined that those documents need to be safeguarded,
so we've amended our practices here to require that any of those types of
documents have restricted access when they're placed on FTP sites."
Documents found by the AP about Contingency Operating Base Speicher near
Tikrit, Iraq, describe potential security vulnerabilities at the facility
and paraphrase an Army major expressing concerns about a "great separation
between personnel and equipment" as the base prepared for the military's
current counterinsurgency push.
"For force-protection reasons and operational security, that's sensitive
stuff," said Lt. Col. Michael Donnelly, a military spokesman based at
Speicher. "That's for a need-to-know basis. The enemy regularly takes that
stuff and pieces it together for their advantage."
The information about Camp Bucca, Bagram Air Base and Contingency Operating
Base Speicher was found on the FTP server of CH2M Hill Companies Ltd., an
engineering, consulting and construction company based in Englewood, Colo.
"None of the drawings are classified and we believe they were all handled
appropriately per the government's direction," said CH2M Hill spokesman John
Corsi. But the company added a password protection to its FTP site after the
AP's inquiry and referred the direct request for the documents to the
government.
Military officials said they could jeopardize troop security and refused to
release them.
Other files found by the AP didn't appear to pose an immediate threat to
troop security, but illustrated advanced military technologies. The National
Geospatial-Intelligence Agency posted PowerPoint presentations outlining
military GPS systems, including plans to combat GPS jammers. Files from Los
Alamos give an early look at a developing technology to combat enemy snipers
in urban environments, including one file describing the levels of security
behind the new program.
Dean Carver, a counterintelligence officer with the federal Office of the
National Counterintelligence Executive, part of the Office of the Director
of National Intelligence, said at a recent security conference that such
trade secrets - even those dealing with a basic technology - are often a
common target for foreign espionage because they can be used to advance a
country's own military technology.
"Every military-critical technology is sought by many foreign governments,"
said Carver, mentioning China and Russia as the leading culprits of snooping
on the Internet.
Christopher Freeman believes he may have witnessed such hunting for secrets.
While working on an internal security review at his job with the city of
Greensboro, N.C.., Freeman watched as a computer with an electronic address
from Tehran, Iran, accessed the city's FTP server and downloaded a file that
contained design drawings for the area's water infrastructure.
He said that while there's no way to know if there was malicious intent
behind the download, "when you think of Iran, you think of all the bad stuff
first."
"It could have been anyone," Freeman said. "It opened our eyes to show that
we're not just little old Greensboro. We're a part of the global community."
That was years ago, and it led Freeman to start looking for FTP sites he
thought should be secure. He found a manual describing how to operate a Navy
encryption device on the server of the Space and Naval Warfare Systems
Command. He also found photographs and graphics detailing the inner workings
of missiles designed at Sandia.
"It's not something that had any business being on a FTP site," said Sandia
spokeswoman Stephanie Holinka of the material Freeman found. The agency has
shut down its FTP site while a security upgrade is put in place, she said.
Many sites housed raw data, presentations and documents that didn't have
security classifications, while other documents were clearly marked to
prevent public release. The manual of the encryption device tells users to
"destroy by any method that will prevent disclosure of contents or
reconstruction of this document." A warning says exporting the document
could result in "severe criminal penalties."
"The military is often criticized for making too many things secret, but
when you're enabling an enemy to find out how you use encryption devices,
you easily could be helping them to defeat America," said Thompson, the
military analyst.
Freeman, who showed the AP the documents from Sandia and the Space and Naval
Warfare Systems Command, said he made a conscious effort to avoid
information labeled classified but still managed to accidentally download
files from Sandia with "top secret" classifications, forcing him to wipe his
computer hard drive clean and notify authorities.
Freeman passed along his findings to the FBI and the Department of Defense
and later aided investigators in securing the Space and Naval Warfare
Systems Command site. After getting calls from a contractor and the Army
Materiel Command asking about what he found online, Freeman has sought legal
representation from Denner Pellegrino, a Boston-based firm that specializes
in cyber crime.
"This is a treasure trove for terrorists," Freeman said. "They can just
waltz in and browse. I'm by no means a high-tech person. I'm not a
programmer. I don't know hacking. I'm just a slightly above-average computer
user."
FBI officials declined to specifically discuss Freeman and what he told the
agency. But Mark Moss, a Charlotte-based FBI agent who focuses on online
security, said foreign intelligence agencies spend a lot of time on the
Internet because online intelligence-gathering is cheap, quick and
anonymous.
"If they steal your technology through the Internet, it's overseas in an
instant," Moss said. "It's the perfect conduit."
.
- Prev by Date: Re: Flynt says he is motivated by hypocrisy
- Next by Date: The Corporation
- Previous by thread: Flynt says he is motivated by hypocrisy
- Next by thread: The Corporation
- Index(es):
Relevant Pages
|
