Classified data on president's helicopter leaked via P2P, found on Iranian computer
The information about Marine One apparently leaked last summer
Computerworld - Classified information about the communications, navigation and management electronics on Marine One, the helicopter now used by President Barack Obama, were reportedly discovered in a publicly available shared folder on a computer in Tehran, Iran, after apparently being accidentally leaked over a peer-to-peer file-sharing network last summer.
The classified file appears to have been leaked from a computer belonging to a Bethesda, Md., military contractor and was discovered Thursday by Tiversa Inc., a Cranberry Township, Pa.-based P2P monitoring services provider. P2P networks are widely used to share music, video and data files over the Internet.
The Iranian IP address at which the file was found belongs to an "information concentrator" -- someone who searches P2P networks for sensitive information, said Chris Gormley, chief operating officer at Tiversa. The location where the file was found included several other documents with classified and sensitive military information that were also leaked over file-sharing networks, Gormley said. He did not disclose what the other documents were.
According to Gormley, Tiversa first found information about Marine One's avionics floating around on file-sharing networks last summer and notified the contractor and the authorities about the discovery. Last week's search shows that copies of the document are still available on P2P networks to anyone who knows how to look for it, he said.
This is not the first time that highly classified and sensitive information has been discovered on P2P networks. In July 2007, members of a congressional subcommittee heard from a panel of security experts, including executives at Tiversa, about how they had found millions of classified documents on file-sharing networks. Among the examples cited were a diagram of the Pentagon's secret backbone network infrastructure, complete with IP addresses and password-change scripts; contractor data on radio frequency manipulation used to defeat improvised explosive devices in Iraq; physical terrorism threat assessments for three major U.S cities; and information on five Department of Defense information security systems audits.
Barely a month ago, a professor of operations management at Dartmouth College's Tuck School of Business released a report showing how large amounts of sensitive patient health care data was available on P2P networks after being accidentally leaked by health care providers, physicians and business associates. The data discovered as part of the Dartmouth study included a 1,718-page document containing Social Security numbers, dates of birth, insurance information, treatment codes and other health care data belonging to about 9,000 patients at a medical testing laboratory. Also unearthed were more than 350MB of sensitive patient data for a group of anesthesiologists, and a spreadsheet with 82 fields of information on more than 20,000 patients belonging to a health system.
According to Gormley, Tiversa has also been able to find 120,000 tax records belonging to individuals in New York.
Corporations are not immune, either. In June 2007, personal data on about 17,000 Pfizer Inc. workers was exposed by an employee who installed unauthorized file-sharing software on a company laptop containing that data. And just last year, an Alexandria, Va.-based investment firm, Wagner Resource Corp., had to notify about 2,000 clients -- including U.S. Supreme Court Justice Stephen Breyer -- about the exposure of their names, Social Security numbers and birth dates on a P2P network after an employee downloaded file-sharing software on a company laptop.
Such disclosures point to the continuing risk companies face from P2P file-sharing, according to security experts. Normally, popular P2P clients -- such as Kazaa, LimeWire, BearShare, Morpheus and FastTrack -- let users download files and share items from a particular folder. But if proper care isn't taken to control the access these clients have on a system, it is easy to expose data unintentionally.
Companies need to take measures to protect against such risks, said Avivah Litan, an analyst at Gartner Inc. Among the measures she recommends are the use of file encryption technologies to protect sensitive files, data loss prevention tools to block leakage of data over corporate networks, and the use of intrusion-detection and network behavioral analysis products to detect P2P file-sharing. Companies also need to block the installation of P2P software on client systems and block P2P traffic at the gateway, she said.
A lot of what Tiversa has found on P2P networks has been "pretty outrageous" and underscores the need for better controls, Litan said, The Marine One avionics information "is just an example" she said. "It basically drives home the point that companies cannot forget about P2P."
Read more about Security in Computerworld's Security Topic Center.
- Best iPhone, iPad Business Apps for 2014
- 14 Tech Conventions You Should Attend in 2014
- 10 Desktop Apps to Power Your Windows PC
- How to Add New Job Skills Without Going Back to School
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts