TELECOM Digest OnLine - Sorted: Military Files Left Unprotected Online


Military Files Left Unprotected Online


Mike Baker, AP Writer (ap@telecom-digest.org)
Wed, 11 Jul 2007 23:40:29 -0500

By MIKE BAKER, Associated Press Writer

Detailed schematics of a military detainee holding facility in
southern Iraq. Geographical surveys and aerial photographs of two
military airfields outside Baghdad. Plans for a new fuel farm at
Bagram Air Base in Afghanistan.

The military calls it "need-to-know" information that would pose a
direct threat to U.S. troops if it were to fall into the hands of
terrorists. It's material so sensitive that officials refused to
release the documents when asked.

But it's already out there, posted carelessly to file servers by
government agencies and contractors, accessible to anyone with an
Internet connection.

In a survey of servers run by agencies or companies involved with the
military and the wars in Iraq and Afghanistan, The Associated Press
found dozens of documents that officials refused to release when asked
directly, citing troop security.

Such material goes online all the time, posted most often by mistake.
It's not in plain sight, unlike the plans for the new American embassy
in Baghdad that appeared recently on the Web site of an architectural
firm. But it is almost as easy to find.

And experts said foreign intelligence agencies and terrorists working
with al-Qaida likely know where to look.

In one case, the Army Corps of Engineers asked the AP to promptly
dispose of several documents found on a contractor's server that
detailed a project to expand the fuel infrastructure at Bagram
including a map of the entry point to be used by fuel trucks and the
location of pump houses and fuel tanks. The Corps of Engineers then
changed its policies for storing material online following the AP's
inquiry.

But a week later, the AP downloaded a new document directly from the
agency's own server. The 61 pages of photos, graphics and charts map
out the security features at Tallil Air Base, a compound outside of
Nasiriyah in southeastern Iraq, and depict proposed upgrades to the
facility's perimeter fencing.

"That security fence guards our lives," said Lisa Coghlan, a
spokeswoman for the Corps of Engineers in Iraq, who is based at
Tallil. "Those drawings should not have been released. I hope to God
this is the last document that will be released from us."

The Corps of Engineers and its contractor weren't alone:

The National Geospatial-Intelligence Agency -- which provides the
military with maps and charts -- said it plans to review its policies
after the AP found several sensitive documents, including aerial surveys
of military airfields near Balad and Al Asad, Iraq, on its server.

Benham Companies LLC is securing its site after learning it had
inadvertently posted detailed maps of buildings and infrastructure at
Fort Sill, Okla. "Now, everything will be protected," said Steve
Tompkins, a spokesman for Oklahoma City-based Benham.

Los Alamos National Laboratory and Sandia National Laboratories, two
of the nation's leading nuclear laboratories, closed public access to
their file transfer protocol servers after the AP contacted them about
material posted there. Both said the change was unrelated to the AP's
inquiry.

The AP has destroyed the documents it downloaded, and all the material
cited in this story is no longer available online on the sites
surveyed.

The posting of private material on publicly available FTP servers is a
familiar problem to security experts hired by companies to secure
sites and police the actions of employees who aren't always
tech-savvy. They said files that never should appear online are often
left unprotected by inexperienced or careless users who don't know
better.

A spokeswoman for contractor SRA International Inc., where the AP
found a document the Defense Department said could let hackers access
military computer networks, said the company wasn't concerned because
the unclassified file was on an FTP site that's not indexed by
Internet search engines.

"The only way you could find it is by an awful lot of investigation,"
said SRA spokeswoman Laura Luke.

But on Tuesday, SRA had effectively shut down its FTP server. The only
file online was a short statement: "In order to mitigate the risk of
SRA or client proprietary information being inadvertently made
available to the public, the SRA anonymous ftp server has been
shutdown indefinitely. In the coming months, a new secure ftp site
will be introduced that will replace the functionality of this site."

Bruce Schneier, chief technology officer of BT Counterpane, a Mountain
View, Calif.-based technology security company, said the attitude that
material posted on FTP sites is hard to find reflects a
misunderstanding of how the Internet works.

"For some, there's sort of this myth that 'if I put something on the
Net and don't tell anybody,' that it's hidden," Schneier said. "It's a
sloppy user mistake. This is yet another human error that creates a
major problem."

File transfer protocol is a relatively old technology that makes files
available on the Internet. It remains popular for its simplicity,
efficiency and low cost. In fact, several agencies and contractors
said the documents found by the AP were posted online so they could be
easily shared among colleagues.

Internet users can't scour the sites with a typical search engine, but
FTP servers routinely share a similar address as public Web sites. To
log on, users often only need to replace "http" and "http://www" in a
Web address with "ftp", such as "ftp://sitename".

Some are secured by password or a firewall, but others are
occasionally left open to anyone with an Internet connection to browse
and download anonymously. Experts said that when unsophisticated users
post sensitive information to the servers, they would not necessarily
know it could be downloaded by people outside of their business or
agency.

"What they don't realize is that every time you set up any type of
server, you have that possibility," said Danny Allan, director of
security research for Watchfire, a Waltham, Mass.-based Web security
company. "Any files that you are putting on the server you want to
monitor on a continuous basis."

Allan said he and others in the security industry have watched for more
than a decade as files -- including credit card information, sensitive
blueprints of government buildings and military intelligence reports --
spread through the public domain via unsecured FTP servers.

A spokeswoman for the U.S. Central Command, which oversees the war in
Iraq, declined to say if material accidentally left on the Internet had
led to a physical breach of security.

But among the documents the AP found were aerial photographs and
detailed schematics of Camp Bucca, a U.S.-run facility for detainees
in Iraq. One of the documents was password-protected, but the password
was printed in an unsecure document stored on the same server. They
showed where U.S. forces keep prisoners and fuel tanks, as well as the
locations of security fences, guard towers and other security
measures.

"It gets down to a level of detail that would assist insurgents in
trying to free their members from the camp or overpower guards," said
Loren Thompson, a military analyst with the Virginia-based Lexington
Institute. "When you post ... the map of a high-security facility that
houses insurgents, you're basically giving their allies on the outside
information useful in freeing them."

The Corps of Engineers expressed a similar concern when it learned
that the AP had downloaded the details about the fuel infrastructure
upgrade at Bagram from a contractor's FTP site. Spokeswoman Joan
Kibler said that kind of information "could put our troops in harm's
way."

The AP's discovery led the agency to ask all its contractors to
immediately put such material under password protection. In fact, all
the agencies and contractors contacted by the AP have either shut down
their FTP sites, secured them with a password or pledged to install
other safeguards to ensure the documents are no longer accessible.

"We saw that there have been instances where some documents have been
placed on FTP sites, and they haven't had any safeguarding mechanisms
for them," Kibler said. "We've determined that those documents need to
be safeguarded, so we've amended our practices here to require that
any of those types of documents have restricted access when they're
placed on FTP sites."

Documents found by the AP about Contingency Operating Base Speicher
near Tikrit, Iraq, describe potential security vulnerabilities at the
facility and paraphrase an Army major expressing concerns about a
"great separation between personnel and equipment" as the base
prepared for the military's current counterinsurgency push.

"For force-protection reasons and operational security, that's
sensitive stuff," said Lt. Col. Michael Donnelly, a military spokesman
based at Speicher. "That's for a need-to-know basis. The enemy
regularly takes that stuff and pieces it together for their
advantage."

The information about Camp Bucca, Bagram Air Base and Contingency
Operating Base Speicher was found on the FTP server of CH2M Hill
Companies Ltd., an engineering, consulting and construction company
based in Englewood, Colo.

"None of the drawings are classified and we believe they were all
handled appropriately per the government's direction," said CH2M Hill
spokesman John Corsi. But the company added a password protection to
its FTP site after the AP's inquiry and referred the direct request
for the documents to the government.

Military officials said they could jeopardize troop security and
refused to release them.

Other files found by the AP didn't appear to pose an immediate threat
to troop security, but illustrated advanced military technologies. The
National Geospatial-Intelligence Agency posted PowerPoint
presentations outlining military GPS systems, including plans to
combat GPS jammers. Files from Los Alamos give an early look at a
developing technology to combat enemy snipers in urban environments,
including one file describing the levels of security behind the new
program.

Dean Carver, a counterintelligence officer with the federal Office of
the National Counterintelligence Executive, part of the Office of the
Director of National Intelligence, said at a recent security conference
that such trade secrets -- even those dealing with a basic technology --
are often a common target for foreign espionage because they can be used
to advance a country's own military technology.

"Every military-critical technology is sought by many foreign
governments," said Carver, mentioning China and Russia as the leading
culprits of snooping on the Internet.

Christopher Freeman believes he may have witnessed such hunting for
secrets. While working on an internal security review at his job with
the city of Greensboro, N.C.., Freeman watched as a computer with an
electronic address from Tehran, Iran, accessed the city's FTP server
and downloaded a file that contained design drawings for the area's
water infrastructure.

He said that while there's no way to know if there was malicious
intent behind the download, "when you think of Iran, you think of all
the bad stuff first."

"It could have been anyone," Freeman said. "It opened our eyes to show
that we're not just little old Greensboro. We're a part of the global
community."

That was years ago, and it led Freeman to start looking for FTP sites
he thought should be secure. He found a manual describing how to
operate a Navy encryption device on the server of the Space and Naval
Warfare Systems Command. He also found photographs and graphics
detailing the inner workings of missiles designed at Sandia.

"It's not something that had any business being on a FTP site," said
Sandia spokeswoman Stephanie Holinka of the material Freeman
found. The agency has shut down its FTP site while a security upgrade
is put in place, she said.

Many sites housed raw data, presentations and documents that didn't
have security classifications, while other documents were clearly
marked to prevent public release. The manual of the encryption device
tells users to "destroy by any method that will prevent disclosure of
contents or reconstruction of this document." A warning says exporting
the document could result in "severe criminal penalties."

"The military is often criticized for making too many things secret,
but when you're enabling an enemy to find out how you use encryption
devices, you easily could be helping them to defeat America," said
Thompson, the military analyst.

Freeman, who showed the AP the documents from Sandia and the Space and
Naval Warfare Systems Command, said he made a conscious effort to
avoid information labeled classified but still managed to accidentally
download files from Sandia with "top secret" classifications, forcing
him to wipe his computer hard drive clean and notify authorities.

Freeman passed along his findings to the FBI and the Department of
Defense and later aided investigators in securing the Space and Naval
Warfare Systems Command site. After getting calls from a contractor
and the Army Materiel Command asking about what he found online,
Freeman has sought legal representation from Denner Pellegrino, a
Boston-based firm that specializes in cyber crime.

"This is a treasure trove for terrorists," Freeman said. "They can
just waltz in and browse. I'm by no means a high-tech person. I'm not
a programmer. I don't know hacking. I'm just a slightly above-average
computer user."

FBI officials declined to specifically discuss Freeman and what he
told the agency. But Mark Moss, a Charlotte-based FBI agent who
focuses on online security, said foreign intelligence agencies spend a
lot of time on the Internet because online intelligence-gathering is
cheap, quick and anonymous.

"If they steal your technology through the Internet, it's overseas in
an instant," Moss said. "It's the perfect conduit."

Copyright 2007 The Associated Press.

NOTE: For more telecom/internet/networking/computer news from the
daily media, check out our feature 'Telecom Digest Extra' each day at
http://telecom-digest.org/td-extra/more-news.html . Hundreds of new
articles daily. And, discuss this and other topics in our forum at
http://telecom-digest.org/forum (or)
http://telecom-digest.org/chat/index.html

For more news and headlines, please go to:
http://telecom-digest.org/td-extra/AP.html

Post Followup Article Use your browser's quoting feature to quote article into reply
Go to Next message: Anick Jesdanun, AP Writer: "FTP is Simple, But Open to Leaks"
Go to Previous message: TELECOM Digest Editor: "Some Troubles With Telecom Digest"
TELECOM Digest: Home Page