http://www.denverpost.com/nationworld/ci_6355971
By MIKE BAKER
Associated Press Writer
07/12/2007
GREENSBORO, N.C. — Detailed schematics of a military detainee holding
facility in southern Iraq. Geographical surveys and aerial photographs
of two military airfields outside Baghdad. Plans for a new fuel farm at
Bagram Air Base in Afghanistan.
The military calls it "need-to-know" information that would pose a
direct threat to U.S. troops if it were to fall into the hands of
terrorists. It's material so sensitive that officials refused to release
the documents when asked.
But it's already out there, posted carelessly to file servers by
government agencies and contractors, accessible to anyone with an
Internet connection.
In a survey of servers run by agencies or companies involved with the
military and the wars in Iraq and Afghanistan, The Associated Press
found dozens of documents that officials refused to release when asked
directly, citing troop security.
Such material goes online all the time, posted most often by mistake.
It's not in plain sight, unlike the plans for the new American embassy
in Baghdad that appeared recently on the Web site of an architectural
firm. But it is almost as easy to find.
And experts said foreign intelligence agencies and terrorists working
with al-Qaida likely know where to look.
In one case, the Army Corps of Engineers asked the AP to promptly
dispose of several documents found on a contractor's server that
detailed a project to expand the fuel infrastructure at Bagram—including
a map of the entry point to be used by fuel trucks and the location of
pump houses and fuel tanks. The Corps of Engineers then changed its
policies for storing material online following the AP's inquiry.
But a week later, the AP downloaded a new document directly from the
agency's own server. The 61 pages of photos, graphics and charts map out
the security features at Tallil Air Base, a compound outside of
Nasiriyah in southeastern Iraq, and depict proposed upgrades to the
facility's perimeter fencing.
"That security fence guards our lives," said Lisa Coghlan, a spokeswoman
for the Corps of Engineers in Iraq, who is based at Tallil. "Those
drawings should not have been released. I hope to God this is the last
document that will be released from us."
The Corps of Engineers and its contractor weren't alone:
— The National Geospatial-Intelligence Agency—which provides the
military with maps and charts—said it plans to review its policies after
the AP found several sensitive documents, including aerial surveys of
military airfields near Balad and Al Asad, Iraq, on its server.
— Benham Companies LLC is securing its site after learning it had
inadvertently posted detailed maps of buildings and infrastructure at
Fort Sill, Okla. "Now, everything will be protected," said Steve
Tompkins, a spokesman for Oklahoma City-based Benham.
— Los Alamos National Laboratory and Sandia National Laboratories, two
of the nation's leading nuclear laboratories, closed public access to
their file transfer protocol servers after the AP contacted them about
material posted there. Both said the change was unrelated to the AP's
inquiry.
The AP has destroyed the documents it downloaded, and all the material
cited in this story is no longer available online on the sites surveyed.
The posting of private material on publicly available FTP servers is a
familiar problem to security experts hired by companies to secure sites
and police the actions of employees who aren't always tech-savvy. They
said files that never should appear online are often left unprotected by
inexperienced or careless users who don't know better.
A spokeswoman for contractor SRA International Inc., where the AP found
a document the Defense Department said could let hackers access military
computer networks, said the company wasn't concerned because the
unclassified file was on an FTP site that's not indexed by Internet
search engines.
"The only way you could find it is by an awful lot of investigation,"
said SRA spokeswoman Laura Luke.
But on Tuesday, SRA had effectively shut down its FTP server. The only
file online was a short statement: "In order to mitigate the risk of SRA
or client proprietary information being inadvertently made available to
the public, the SRA anonymous ftp server has been shutdown indefinitely.
In the coming months, a new secure ftp site will be introduced that will
replace the functionality of this site."
Bruce Schneier, chief technology officer of BT Counterpane, a Mountain
View, Calif.-based technology security company, said the attitude that
material posted on FTP sites is hard to find reflects a misunderstanding
of how the Internet works.
"For some, there's sort of this myth that 'if I put something on the Net
and don't tell anybody,' that it's hidden," Schneier said. "It's a
sloppy user mistake. This is yet another human error that creates a
major problem."
File transfer protocol is a relatively old technology that makes files
available on the Internet. It remains popular for its simplicity,
efficiency and low cost. In fact, several agencies and contractors said
the documents found by the AP were posted online so they could be easily
shared among colleagues.
Internet users can't scour the sites with a typical search engine, but
FTP servers routinely share a similar address as public Web sites. To
log on, users often only need to replace "http" and "http://www" in a
Web address with "ftp."
Some are secured by password or a firewall, but others are occasionally
left open to anyone with an Internet connection to browse and download
anonymously. Experts said that when unsophisticated users post sensitive
information to the servers, they would not necessarily know it could be
downloaded by people outside of their business or agency.
"What they don't realize is that every time you set up any type of
server, you have that possibility," said Danny Allan, director of
security research for Watchfire, a Waltham, Mass.-based Web security
company. "Any files that you are putting on the server you want to
monitor on a continuous basis."
Allan said he and others in the security industry have watched for more
than a decade as files—including credit card information, sensitive
blueprints of government buildings and military intelligence
reports—spread through the public domain via unsecured FTP servers.
A spokeswoman for the U.S. Central Command, which oversees the war in
Iraq, declined to say if material accidentally left on the Internet had
led to a physical breach of security.
But among the documents the AP found were aerial photographs and
detailed schematics of Camp Bucca, a U.S.-run facility for detainees in
Iraq. One of the documents was password-protected, but the password was
printed in an unsecure document stored on the same server. They showed
where U.S. forces keep prisoners and fuel tanks, as well as the
locations of security fences, guard towers and other security measures.
"It gets down to a level of detail that would assist insurgents in
trying to free their members from the camp or overpower guards," said
Loren Thompson, a military analyst with the Virginia-based Lexington
Institute. "When you post ... the map of a high-security facility that
houses insurgents, you're basically giving their allies on the outside
information useful in freeing them."
The Corps of Engineers expressed a similar concern when it learned that
the AP had downloaded the details about the fuel infrastructure upgrade
at Bagram from a contractor's FTP site. Spokeswoman Joan Kibler said
that kind of information "could put our troops in harm's way."
The AP's discovery led the agency to ask all its contractors to
immediately put such material under password protection. In fact, all
the agencies and contractors contacted by the AP have either shut down
their FTP sites, secured them with a password or pledged to install
other safeguards to ensure the documents are no longer accessible.
"We saw that there have been instances where some documents have been
placed on FTP sites, and they haven't had any safeguarding mechanisms
for them," Kibler said. "We've determined that those documents need to
be safeguarded, so we've amended our practices here to require that any
of those types of documents have restricted access when they're placed
on FTP sites."
Documents found by the AP about Contingency Operating Base Speicher near
Tikrit, Iraq, describe potential security vulnerabilities at the
facility and paraphrase an Army major expressing concerns about a "great
separation between personnel and equipment" as the base prepared for the
military's current counterinsurgency push.
"For force-protection reasons and operational security, that's sensitive
stuff," said Lt. Col. Michael Donnelly, a military spokesman based at
Speicher. "That's for a need-to-know basis. The enemy regularly takes
that stuff and pieces it together for their advantage."
The information about Camp Bucca, Bagram Air Base and Contingency
Operating Base Speicher was found on the FTP server of CH2M Hill
Companies Ltd., an engineering, consulting and construction company
based in Englewood, Colo.
"None of the drawings are classified and we believe they were all
handled appropriately per the government's direction," said CH2M Hill
spokesman John Corsi. But the company added a password protection to its
FTP site after the AP's inquiry and referred the direct request for the
documents to the government.
Military officials said they could jeopardize troop security and refused
to release them.
Other files found by the AP didn't appear to pose an immediate threat to
troop security, but illustrated advanced military technologies. The
National Geospatial-Intelligence Agency posted PowerPoint presentations
outlining military GPS systems, including plans to combat GPS jammers.
Files from Los Alamos give an early look at a developing technology to
combat enemy snipers in urban environments, including one file
describing the levels of security behind the new program.
Dean Carver, a counterintelligence officer with the federal Office of
the National Counterintelligence Executive, part of the Office of the
Director of National Intelligence, said at a recent security conference
that such trade secrets—even those dealing with a basic technology—are
often a common target for foreign espionage because they can be used to
advance a country's own military technology.
"Every military-critical technology is sought by many foreign
governments," said Carver, mentioning China and Russia as the leading
culprits of snooping on the Internet.
Christopher Freeman believes he may have witnessed such hunting for
secrets. While working on an internal security review at his job with
the city of Greensboro, N.C.., Freeman watched as a computer with an
electronic address from Tehran, Iran, accessed the city's FTP server and
downloaded a file that contained design drawings for the area's water
infrastructure.
He said that while there's no way to know if there was malicious intent
behind the download, "when you think of Iran, you think of all the bad
stuff first."
"It could have been anyone," Freeman said. "It opened our eyes to show
that we're not just little old Greensboro. We're a part of the global
community."
That was years ago, and it led Freeman to start looking for FTP sites he
thought should be secure. He found a manual describing how to operate a
Navy encryption device on the server of the Space and Naval Warfare
Systems Command. He also found photographs and graphics detailing the
inner workings of missiles designed at Sandia.
"It's not something that had any business being on a FTP site," said
Sandia spokeswoman Stephanie Holinka of the material Freeman found. The
agency has shut down its FTP site while a security upgrade is put in
place, she said.
Many sites housed raw data, presentations and documents that didn't have
security classifications, while other documents were clearly marked to
prevent public release. The manual of the encryption device tells users
to "destroy by any method that will prevent disclosure of contents or
reconstruction of this document." A warning says exporting the document
could result in "severe criminal penalties."
"The military is often criticized for making too many things secret, but
when you're enabling an enemy to find out how you use encryption
devices, you easily could be helping them to defeat America," said
Thompson, the military analyst.
Freeman, who showed the AP the documents from Sandia and the Space and
Naval Warfare Systems Command, said he made a conscious effort to avoid
information labeled classified but still managed to accidentally
download files from Sandia with "top secret" classifications, forcing
him to wipe his computer hard drive clean and notify authorities.
Freeman passed along his findings to the FBI and the Department of
Defense and later aided investigators in securing the Space and Naval
Warfare Systems Command site. After getting calls from a contractor and
the Army Materiel Command asking about what he found online, Freeman has
sought legal representation from Denner Pellegrino, a Boston-based firm
that specializes in cyber crime.
"This is a treasure trove for terrorists," Freeman said. "They can just
waltz in and browse. I'm by no means a high-tech person. I'm not a
programmer. I don't know hacking. I'm just a slightly above-average
computer user."
FBI officials declined to specifically discuss Freeman and what he told
the agency. But Mark Moss, a Charlotte-based FBI agent who focuses on
online security, said foreign intelligence agencies spend a lot of time
on the Internet because online intelligence-gathering is cheap, quick
and anonymous.
"If they steal your technology through the Internet, it's overseas in an
instant," Moss said. "It's the perfect conduit."
Received on Thu Jul 12 05:00:06 2007