Jul 14, 2007

Military Secrets Discovered on Unprotected Web Sites

More leaks.





A security gap has allowed dozens of secret military documents to appear on the Internet, unguarded and for anyone with the right FTP address to access. The documents include plans for air bases and national laboratories. While one would have to know the exact location of the documents in order to find them, hackers are known to continually run scanners looking for open FTP sites.

Dozens of documents containing classified information that could affect the safety of U.S. troops in Iraq and Afghanistan have been posted on unprotected servers by military agencies and related companies, according to a survey by the Associated Press.

The AP, abetted by work done by Christopher Freeman, a Greensboro, N.C., resident who has been tracking this practice, downloaded several documents containing classified information that had been stored on FTP (file transfer protocol) servers.

Wealth of Information

These included the following, according to the AP:

  • Several documents on a contractor's server detailed a project to expand the fuel infrastructure at Bagram Air Base in Afghanistan, including a map of the entry point to be used by fuel trucks and the location of pump houses and fuel tanks.
  • A document from the Army Corps of Engineers that contains 61 pages of photos, graphics and charts that map out the security features at Tallil Air Base in southeastern Iraq. It also depicts proposed upgrades to the facility's perimeter fencing.
  • Aerial surveys of military airfields near Balad and Al Asad, Iraq, on the National Geospatial-Intelligence Agency server.
  • Detailed maps of buildings and infrastructure at Fort Sill, Okla., posted on the Benham Companies' site.
  • Material from Los Alamos National Laboratory and Sandia National Laboratories.

Most of the agencies shut down the servers in question when contacted by the AP.

Not Surprising

It is not a surprising development.

What most likely happened, speculated Paul Moriarty, director of Internet content security for Trend Micro (Nasdaq: TMIC), is that someone needed to share large data files and they were too big to e-mail. "So they used the FTP protocol," he told TechNewsWorld. Setting it up so it requires password protection can be tricky, but opening up for anonymous access, he said, is relatively simple.

"Maybe the person intended to take it down later but forgot," Moriarty added.

Workers tend to take shortcuts that make their jobs easier, he also observed. "That is human nature. What they don't realize is that there are hackers out there that are continually running scanners looking for open FTP sites."

Over the Hump

Secure computing habits or practices do not seem to improve even as government agencies and companies become more sophisticated in their use of computers, Roger Thompson, CTO of Exploit Prevention Labs, told TechNewsWorld.

"The number of users that keep increasing is one problem," he noted. "Another problem is that computers have become so much a part of the business environment it is almost impossible to make rules for every action or scenario."

Common sense does not always fill the gap, he added.

Out of Sight, Out of Mind

Also, end users, unless they are directly involved in IT security, do not tend to really believe the worst projections by security analysts unless they can actually see the impact first hand, David Perry, global director of education for Trend Micro, told TechNewsWorld.

"The threats they believe in are the ones they can see -- the damage that spam can cause for instance," he said, pointing to a recent study by the company that found that corporate users are more concerned with spam levels than Web threats, despite spam's decline (84 percent in 2005 and 72 percent in 2007) and a 540 percent increase in Web threats, likely due to the silent and invisible nature of new infections.

Yet employees take the security precautions about spam more seriously.

"But try telling them about the need for a firewall or keeping information off of unsecure servers, and they dismiss the warnings," Perry said.


Anonymous said...

There are encrypted protocols like FCP and FTPS. A rational organization would assist its workers in setting these up when they are needed. Unfortunately when one is working on projects the 'support side' of LANL is useless. The 'support' people are too busy with meetings making up incoherent rulebooks and then demanding more garbled training of the workers. With the ever expanding, bloated bureaucracy at LANL and DOE demanding more from a shrinking pool of overstressed workers one should expect security to continue to rot away at the labs.

Anonymous said...

As stated, the 'support' is nearly nonexistent. The current setup at LANL seems to be geared towards avoiding simple threats that can be scanned easily.

But it should be noted that each individual is responsible for knowing what protocols to follow. And in any case, one should know whether information is sensitive or not; appropriate handling should be nearly second nature to most handlers. Certainly, the organizations are partially to blame for having moving-target policies on handling, and making it nearly impossible to follow common sense for many situations. However, it comes down to the individual making the right choice.

Anonymous said...

Support is nonexistent because LANS did not understand how various contractors were providing support necessary to the day to day operations. So 1200 contractors are gone, and there's no support staff.

Some divisions and groups are trying to contract for certain types of necessary support, but purchasing (or whatever nom de plume they use now) throws one monkey wrench after another to prevent the groups and divisions from contracting with small companies. They basically lie about the reasons for disallowing contracts all the while saying how LANL is following the small business provisions of the LANS contract.

Until enough staff fight back against the loss of necessary support staff who can get the work done and force purchasing to level the playing field and not to contract with a few favorites, nothing will change. Management positions have to be eliminated, salaries have to be cut, and money has to be spent for the right reasons.

Anonymous said...

Quick! Someone call Dingell and his boy, Stupak! I fear we will now need to close down some military bases and military contract companies over this latest disclosure.

Anonymous said...

like the Scooter Libby travesty.... this is already old news and buried... funny how these breaches never make much of a splash in the headlines unless LANL is front and center....