Classified data on president's helicopter leaked via P2P, found on Iranian computer

Computerworld - Classified information about the communications, navigation and management electronics on Marine One, the helicopter now used by President Barack Obama, were reportedly discovered in a publicly available shared folder on a computer in Tehran, Iran, after apparently being accidentally leaked over a peer-to-peer file-sharing network last summer.

The classified file appears to have been leaked from a computer belonging to a Bethesda, Md., military contractor and was discovered Thursday by Tiversa Inc., a Cranberry Township, Pa.-based P2P monitoring services provider. P2P networks are widely used to share music, video and data files over the Internet.

The Iranian IP address at which the file was found belongs to an "information concentrator" -- someone who searches P2P networks for sensitive information, said Chris Gormley, chief operating officer at Tiversa. The location where the file was found included several other documents with classified and sensitive military information that were also leaked over file-sharing networks, Gormley said. He did not disclose what the other documents were.

According to Gormley, Tiversa first found information about Marine One's avionics floating around on file-sharing networks last summer and notified the contractor and the authorities about the discovery. Last week's search shows that copies of the document are still available on P2P networks to anyone who knows how to look for it, he said.

This is not the first time that highly classified and sensitive information has been discovered on P2P networks. In July 2007, members of a congressional subcommittee heard from a panel of security experts, including executives at Tiversa, about how they had found millions of classified documents on file-sharing networks. Among the examples cited were a diagram of the Pentagon's secret backbone network infrastructure, complete with IP addresses and password-change scripts; contractor data on radio frequency manipulation used to defeat improvised explosive devices in Iraq; physical terrorism threat assessments for three major U.S cities; and information on five Department of Defense information security systems audits.

Barely a month ago, a professor of operations management at Dartmouth College's Tuck School of Business released a report showing how large amounts of sensitive patient health care data was available on P2P networks after being accidentally leaked by health care providers, physicians and business associates. The data discovered as part of the Dartmouth study included a 1,718-page document containing Social Security numbers, dates of birth, insurance information, treatment codes and other health care data belonging to about 9,000 patients at a medical testing laboratory. Also unearthed were more than 350MB of sensitive patient data for a group of anesthesiologists, and a spreadsheet with 82 fields of information on more than 20,000 patients belonging to a health system.

According to Gormley, Tiversa has also been able to find 120,000 tax records belonging to individuals in New York.

Corporations are not immune, either. In June 2007, personal data on about 17,000 Pfizer Inc. workers was exposed by an employee who installed unauthorized file-sharing software on a company laptop containing that data. And just last year, an Alexandria, Va.-based investment firm, Wagner Resource Corp., had to notify about 2,000 clients -- including U.S. Supreme Court Justice Stephen Breyer -- about the exposure of their names, Social Security numbers and birth dates on a P2P network after an employee downloaded file-sharing software on a company laptop.

Such disclosures point to the continuing risk companies face from P2P file-sharing, according to security experts. Normally, popular P2P clients -- such as Kazaa, LimeWire, BearShare, Morpheus and FastTrack -- let users download files and share items from a particular folder. But if proper care isn't taken to control the access these clients have on a system, it is easy to expose data unintentionally.

Companies need to take measures to protect against such risks, said Avivah Litan, an analyst at Gartner Inc. Among the measures she recommends are the use of file encryption technologies to protect sensitive files, data loss prevention tools to block leakage of data over corporate networks, and the use of intrusion-detection and network behavioral analysis products to detect P2P file-sharing. Companies also need to block the installation of P2P software on client systems and block P2P traffic at the gateway, she said.

A lot of what Tiversa has found on P2P networks has been "pretty outrageous" and underscores the need for better controls, Litan said, The Marine One avionics information "is just an example" she said. "It basically drives home the point that companies cannot forget about P2P."

Read more about security in Computerworld's Security Knowledge Center.