--Gussie
_____________________________________________
http://www.ecommercetimes.com/story/58299.html
Military Secrets Discovered on Unprotected Web Sites
A security gap has allowed dozens of secret military documents to appear on the Internet, unguarded and for anyone with the right FTP address to access. The documents include plans for air bases and national laboratories. While one would have to know the exact location of the documents in order to find them, hackers are known to continually run scanners looking for open FTP sites.
Dozens of documents containing classified information that could affect the safety of U.S. troops in Iraq and Afghanistan have been posted on unprotected servers by military agencies and related companies, according to a survey by the Associated Press.
The AP, abetted by work done by Christopher Freeman, a Greensboro, N.C, resident who has been tracking this practice, downloaded several documents containing classified information that had been stored on FTP (file transfer protocol) servers.
These included the following, according to the AP: Most of the agencies shut down the servers in question when contacted by the AP. It is not a surprising development. What most likely happened, speculated Paul Moriarty, director of Internet content security for Trend Micro (Nasdaq: TMIC) , is that someone needed to share large data files and they were too big to e-mail . "So they used the FTP protocol," he told TechNewsWorld. Setting it up so it requires password protection can be tricky, but opening up for anonymous access, he said, is relatively simple. "Maybe the person intended to take it down later but forgot," Moriarty added. Workers tend to take shortcuts that make their jobs easier, he also observed. "That is human nature. What they don't realize is that there are hackers out there that are continually running scanners looking for open FTP sites." Secure computing habits or practices do not seem to improve even as government agencies and companies become more sophisticated in their use of computers, Roger Thompson, CTO of Exploit Prevention Labs told TechNewsWorld. "The number of users that keep increasing is one problem," he noted. "Another problem is that computers have become so much a part of the business environment it is almost impossible to make rules for every action or scenario." Common sense does not always fill the gap, he added. Also, end users, unless they are directly involved in IT security, do not tend to really believe the worst projections by security analysts unless they can actually see the impact first hand, David Perry, global director of education for Trend Micro, told TechNewsWorld. "The threats they believe in are the ones they can see -- the damage that spam can cause for instance," he said, pointing to a recent study by the company found that corporate users are more concerned with spam levels than Web threats, despite spam's decline (84 percent in 2005 and 72 percent in 2007) and a 540 percent increase in Web threats, likely due to the silent and invisible nature of new infections. Yet employees take the security precautions about spam more seriously. "But try telling them about need for firewall or keeping information off of unsecure severs, and they dismiss the warnings," Perry said. Wealth of Information
Not Surprising
Over the Hump
Out of Sight, Out of Mind
There are encrypted protocols like FCP and FTPS. A rational organization would assist its workers in setting these up when they are needed. Unfortunately when one is working on projects the 'support side' of LANL is useless. The 'support' people are too busy with meetings making up incoherent rulebooks and then demanding more garbled training of the workers. With the ever expanding, bloated bureaucracy at LANL and DOE demanding more from a shrinking pool of overstressed workers one should expect security to continue to rot away at teh labs.
ReplyDeleteAs stated, the 'support' is nearly nonexistent. The current setup at LANL seems to be geared towards avoiding simple threats that can be scanned easily.
ReplyDeleteBut it should be noted that each individual is responsible for knowing what protocols to follow. And in any case, one should know whether information is sensitive or not; appropriate handling should be nearly second nature to most handlers. Certainly, the organizations are partially to blame for having moving-target policies on handling, and making it nearly impossible to follow common sense for many situations. However, it comes down to the individual making the right choice.
Support is nonexistent because LANS did not understand how various contractors were providing support necessary to the day to day operations. So 1200 contractors are gone, and there's no support staff.
ReplyDeleteSome divisions and groups are trying to contract for certain types of necessary support, but purchasing (or whatever nom de plume they use now) throws one monkey wrench after another to prevent the groups and divisions from contracting with small companies. They basically lie about the reasons for disallowing contracts all the while saying how LANL is following the small business provisions of the LANS contract.
Until enough staff fight back against the loss of necessary support staff who can get the work done and force purchasing to level the playing field and not to contract with a few favorites, nothing will change. Management positions have to be eliminated, salaries have to be cut, and money has to be spent for the right reasons.
Quick! Someone call Dingell and his boy, Stupak! I fear we will now need to close down some military bases and military contract companies over this latest disclosure.
ReplyDeletelike the Scooter Libby travesty.... this is already old news and buried... funny how these breaches never make much of a splash in the headlines unless LANL is front and center....
ReplyDelete