
Report: First Lady Safehouse Route, Govt. Mafia Trial Info, Leaked on P2P Networks

Update, 2:15 p.m. ET: A previous version of this story incorrectly stated that files were found on P2P networks that listed the location of nuclear missile silos in the United States. A spokesman for the committee said the information regarding nuclear installations is related to sensitive documents accidentally published on the Web site of the Government Printing Office recently, which included a "detailed list of the civilian nuclear complex, including precise locations of weapons grade nuclear fuel." An earlier version also incorrectly stated that information on the location of a safe house for Michelle Obama was compromised. The safe house was designed for former First Lady Laura Bush. The text below has been changed.

The latest caches of sensitive data reportedly found on peer-to-peer (P2P) file-sharing networks are shocking: a highly sensitive document dated July 2009 listing the precise location of installations holding weapons-grade nuclear fuel in the United States; FBI surveillance photos of an alleged mafia hit man, leaked while he was still on trial, along with the government's witness list, some of whose members are in the federal witness protection program; and a U.S. Secret Service document on the location and layout of an emergency safe house for former First Lady Laura Bush.

The revelations came at a House Government Oversight & Government Reform Committee hearing on the problem of inadvertent sharing of files via P2P software. Robert Boback, chief executive of Tiversa Inc., a company that scours these music- and file-sharing networks for sensitive data, told the committee his researchers also found the Social Security numbers and family information for every master sergeant in the U.S. Army, as well as the medical records of some 24,000 patients of a Texas hospital.

Boback said the list of nuclear sites was found not on computers of P2P users in the United States, but at four locations in France.

"Every nuclear facility, every agency," Boback said. "This is information that is not even subject to government Freedom of Information Act [request], however, you can access it on peer-to-peer, in plain text."

P2P software such as LimeWire and BearShare links computers directly, letting users swap digital movies, music and other files without a central Web site to manage the exchange. What users may not be aware of is that the software that facilitates the sharing can be configured to expose a portion, if not all, of the user's documents, and that everything under the shared folder is served to any other user on the network who searches for it.
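The practical check that follows from the paragraph above is to look at a shared folder the way the network sees it: every file under the share root that is not music or video is a candidate leak. The script below is an added example written for this page, not code from the article or from any P2P vendor; it builds a constructed sample share root in a temporary directory, walks it the way a client would publish it, and flags documents, files containing SSN-like values, and anything else that is not media. The file extensions and the SSN regex are assumptions chosen for the example, and the regex is a heuristic for review, not a validator.

```python
import re
import tempfile
from pathlib import Path

# Heuristics for what a shared folder should never expose. The SSN pattern is
# the common 3-2-4 form with obviously invalid prefixes excluded; it flags
# candidates for review, it does not validate numbers. Both lists are assumed.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
DOCUMENT_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".txt", ".csv"}
MEDIA_EXTS = {".mp3", ".ogg", ".avi", ".mp4", ".mkv"}  # what the user meant to share


def audit_share_root(root):
    """Walk the folder a P2P client publishes and list every non-media file it
    would serve to strangers, with the reason it was flagged.
    Returns a sorted list of (relative_posix_path, reason)."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        ext = path.suffix.lower()
        if ext in MEDIA_EXTS:
            continue
        rel = path.relative_to(root).as_posix()
        if ext in DOCUMENT_EXTS:
            # Binary formats decode to junk, on which the regex simply fails.
            text = path.read_text(errors="ignore")
            reason = "contains SSN-like value" if SSN_RE.search(text) else "document type"
        else:
            reason = "non-media file"
        findings.append((rel, reason))
    return sorted(findings)


def build_demo_tree(base):
    """Constructed sample share root: a music folder plus the kind of files
    that end up exposed when the whole profile directory gets shared."""
    base = Path(base)
    (base / "music").mkdir(parents=True)
    (base / "music" / "song.mp3").write_bytes(b"ID3\x03\x00" + b"\x00" * 32)
    docs = base / "Documents"
    (docs / "taxes").mkdir(parents=True)
    (docs / "taxes" / "return_2008.txt").write_text("Taxpayer SSN: 123-45-6789\n")
    (docs / "notes.pdf").write_bytes(b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n")
    (base / "setup.exe").write_bytes(b"MZ" + b"\x00" * 16)
    return base


def run_demo():
    """Build the sample tree in a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_share_root(build_demo_tree(tmp))


if __name__ == "__main__":
    for rel, reason in run_demo():
        print(f"{reason:24} {rel}")
```

Run it against a real client's share root instead of the demo tree to see what the client would serve; the useful output is usually not the SSN hits but the sheer number of "document type" lines, which is the configuration mistake the hearing was about.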

The disclosures are just the latest examples of egregious data breaches made possible by inadvertent file-sharing over P2P. Last summer, The Washington Post found that an employee of a McLean investment firm accidentally shared the Social Security numbers and birthdays of some 2,000 lawyers in the Washington area, including Supreme Court Justice Stephen G. Breyer. In March 2009, blueprints for Marine One, the president's official helicopter, were found on the computer of a P2P user in Iran.

Mark Gorton, chairman of LimeWire parent The Lime Group, told the committee that the latest version of his company's software makes it extremely difficult for users to accidentally share sensitive documents from their PCs.

Gorton said efforts to regulate the P2P software industry would be difficult, as LimeWire was but one of dozens of such software providers.

"We are doing our best to set a standard that we hope other file-sharing companies can follow," Gorton said. "Most creators of P2P applications are not based in the United States, and may not even be corporations."

But Committee Chairman Edolphus Towns (D-N.Y.) was not convinced, saying he planned to introduce a bill to ban this peer-to-peer software from all government and contractor computers and networks.

"I plan to meet with the new Chairman of the Federal Trade Commission to request that the FTC investigate whether inadequate safeguards on file sharing software such as LimeWire constitute an unfair trade practice," Towns said. "The Administration should initiate a national campaign to educate consumers about the dangers involved with file sharing software. The FCC needs to look at this, too. The file-sharing software industry has shown it is unwilling or unable to ensure user safety. It's time to put a referee on the field."

Rep. Darrell Issa (R-Calif.), the panel's ranking Republican, was more concerned about the broad availability of pirated commercial software on P2P networks. Waving a CD-ROM filled with dozens of examples of tax returns downloaded from P2P networks, Issa addressed Gorton directly, saying he was concerned about hundreds of millions of dollars of software stolen each year through P2P.

"I will tell you this disk represents to me a referral to the California attorney general if we cannot be satisfied," Issa said. "If you condone and allow and induce this to happen, you are guilty of cooperating and participating in every criminal act that flows from that activity."

By Brian Krebs  |  July 29, 2009; 12:20 PM ET
Categories:  New Patches , Safety Tips , U.S. Government  

Comments

It seems Rep. Darrell Issa (Calif.), has been intentionally downloading copyrighted software. Maybe someone should refer his name to the authorities.

Posted by: crete | July 29, 2009 12:45 PM | Report abuse

What is so disturbing about this article is that the problem of peer-to-peer software is one that can be readily and easily addressed with COTS solutions and enforcement of basic security configurations. There is a well defined set of software, such as peer-to-peer software cited in this article, which is known to create security vulnerabilities. In far too many cases, this software exists on endpoint machines because they are part of applications loaded on these machines for personal use. There is software that will detect and remove unauthorized software from machines on a daily basis, and will check the machines to ensure that this software did not make any changes to the security configuration to make the machine more vulnerable to attack. It is easily installed, easily configured, requires little or no human intervention (labor costs) and is performing this role in government installations today.

But there is also a human side as personal use policies have become increasingly more liberal and need to be returned to a place that pragmatically balances the protection of confidential data with the implied right of the employee to use a work issued computer for personal pursuits such as gaming and digital music. Malicious attacks are becoming increasingly more targeted and precise in their pursuit of sensitive data and we should not make that process easier by loading machines with software that offer known paths to exploit.

Jim Ivers
Triumfant, Inc.

Posted by: jimiversva | July 29, 2009 1:36 PM | Report abuse

Why is IT security for these govt agencies even allowing software like LimeWire on their office computers (or employees' laptops, for that matter)?

Posted by: gmg22 | July 29, 2009 1:37 PM | Report abuse

By all means put these idiots in charge of Healthcare. Once your medical records have been stolen and the data used against you we'll see how many of the bleeding heart LIBS still feel this is a good choice. Wait until the day you're denied a job based on your health. After all you don't think they're going to hire you if you have AIDS or cancer do you?? Or when you're denied a loan because you have a disease. After all why would we loan you money if you are going to die shortly.

Posted by: askgees | July 29, 2009 1:44 PM | Report abuse

Jim,

These people are looking to blame people other than their own, even if their own IT people can't even figure out Windows poledit.exe to create user profiles. In fact, that's our fault too.

And so you have this, and over half a million credit card accounts in the wild according to the Post this week. Yet we security professionals are told that it's our fault they did not execute on the bullet items from our risk assessments.

For shame.

Posted by: jwalter6 | July 29, 2009 1:45 PM | Report abuse

Darrell Issa: criminal...

Banning an entire class of software because of a few poorly designed programs seems foolish. P2P is an effective file sharing mechanism, as used in products like Microsoft's Groove.

Posted by: staticvars | July 29, 2009 2:08 PM | Report abuse

By all means put these idiots in charge of Healthcare. Once your medical records have been stolen and the data used against you we'll see how many of the bleeding heart LIBS still feel this is a good choice. askgees: "Wait until the day you're denied a job based on your health. After all you don't think they're going to hire you if you have AIDS or cancer do you?? or when you're denied a loan because you have a disease."

Why would any Republican have trouble with that? Shouldn't employers, lenders, buyers, and investors have full disclosure? Why not let the same interested parties pick applicants based on color or religion too? Isn't association, selection, or affiliation purely a matter of private choice?

But, if you really worry so much about government incompetence and meddling, perhaps we should privatize all the nuke defenses too. Why draw any line?

Posted by: jkoch2 | July 29, 2009 2:16 PM | Report abuse

So what? There are all kinds of non-trustworthy folks in government who already have all this info. The Dick Cheney Corp comes to mind. All the missile silo locations are out there? Ohh, that's really scary! Almost as scary as the fact that they exist in the first place.

Posted by: halifar59 | July 29, 2009 2:34 PM | Report abuse

Government, govern thyself.

Posted by: theartistpoet | July 29, 2009 2:34 PM | Report abuse

Well, I guess Cheney won't have to worry about justifying his decision to tell the CIA to not tell Congress about stuff.

By the way, where are all the folks who were sooooooooooo upset at the government surveillance programs under Bush -- that don't have a problem with medical records on the entire US population (legal and illegal) being leaked?

Posted by: oracle2world | July 29, 2009 2:35 PM | Report abuse

It is nice to know someone knows where the silos are because when fires in them can go days without detection one has to wonder!!

Posted by: Wildthing1 | July 29, 2009 2:39 PM | Report abuse

We are lucky the "sensitive" data wasn't transported via a commercial airline flight, lest our government would be clamoring for an end to airports and the taxicabs that get people there.

"Issa said he was concerned about hundreds of millions of dollars of software stolen each year through P2P." Was he now? Oooooh, we better all pitch in to help those millionaire SW companies, with their armies of Indians, continue to rape us all with their sloppy software and exorbitant pricing. Somebody please wake up Issa and ask him about the BILLIONs of dollars stolen from the American people thru illegal aliens sucking the system dry, or the scumbag defense contractors stealing us blind in Iraq and Afghanistan with their illegal contracting, or the insane graft that has become SOP in our government. I get the feeling that petty stuff like this is the most Issa and the other wastes of time in our government can actually handle.

Posted by: whizkidz1 | July 29, 2009 3:12 PM | Report abuse

End-users without local admin rights can still install and run P2P software on Windows computers. Not only can they, but a growing number know they can, and do. This assertion is not based on a statistically significant survey, however. It's based on the observation that one of the most popular posts for roughly a year from a blog I frequent explains how to install software without local admin rights. It's painfully easy, BTW.

So, if you believe your organization has this problem under control because you've eradicated local admin rights throughout your endpoint population, perhaps someone will find your name on a phone list found on a server in France as in Brian's article. The more important question: what prevents your organization from becoming yet another victim of one of these P2P data leaks?

Posted by: eiverson1 | July 29, 2009 3:45 PM | Report abuse
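Two of the comments above point at the same control from opposite sides: Jim Ivers describes software that detects and removes unauthorized programs from endpoints, and eiverson1 notes that a user without local admin rights can still install a P2P client, which lands in directories the user can write to rather than in Program Files. The script below is an added example for this page, not code from either commenter or from any product; it walks a user-writable tree, hashes every executable it finds with SHA-256, and reports the ones that are not on an allowlist. The executable extensions, the directory layout of the constructed sample profile and the file contents are assumptions made for the example; the assumption that a non-admin install writes under the user's profile directory is how the example maps to eiverson1's point.

```python
import hashlib
import tempfile
from pathlib import Path

# File types a per-user installer typically drops. Assumed list for the example.
EXECUTABLE_EXTS = {".exe", ".msi", ".jar"}


def sha256_file(path):
    """SHA-256 of a file, streamed so large installers are not read into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_unapproved_executables(profile_root, allowlist):
    """Walk a user-writable tree and return the executables whose SHA-256 is not
    in the allowlist, as a sorted list of (relative_posix_path, sha256).
    Assumption: profile_root is the per-user directory tree an installer writes
    to when the user lacks admin rights (on Windows, the AppData folders)."""
    root = Path(profile_root)
    hits = []
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in EXECUTABLE_EXTS:
            digest = sha256_file(path)
            if digest not in allowlist:
                hits.append((path.relative_to(root).as_posix(), digest))
    return sorted(hits)


# Constructed binary contents; only their hashes matter to the example.
APPROVED_BYTES = b"MZ approved corporate tool"
P2P_BYTES = b"MZ hypothetical p2p client"


def build_demo_profile(base):
    """Constructed per-user profile: one approved tool, one P2P client the user
    installed without admin rights, and a data file that is not executable."""
    base = Path(base)
    tool_dir = base / "AppData" / "Local" / "ApprovedTool"
    p2p_dir = base / "AppData" / "Local" / "p2p-client"
    tool_dir.mkdir(parents=True)
    p2p_dir.mkdir(parents=True)
    (tool_dir / "tool.exe").write_bytes(APPROVED_BYTES)
    (p2p_dir / "p2p-client.exe").write_bytes(P2P_BYTES)
    (p2p_dir / "library.dat").write_bytes(b"not executable")
    return base


def run_demo():
    """Build the sample profile in a temporary directory and audit it against an
    allowlist that contains only the approved tool's hash."""
    allowlist = {hashlib.sha256(APPROVED_BYTES).hexdigest()}
    with tempfile.TemporaryDirectory() as tmp:
        return find_unapproved_executables(build_demo_profile(tmp), allowlist)


if __name__ == "__main__":
    for rel, digest in run_demo():
        print(f"UNAPPROVED {digest[:16]}... {rel}")
```

Hashing rather than matching on file names is the design choice that matters here: a renamed client binary still produces the same digest, and the same hash set doubles as the record of what was approved. Point the function at the real per-user profile directories on an endpoint and feed it the organization's inventory hashes to get the list Ivers's comment describes.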

The White House must have read the article then contacted the Post demanding they change the headline. Let's worry about the cover-up more than securing the data. Anything the Feds touch turns to s$%t. Look at the mess they created by changing the water standard for toilets. Their brilliant idea doubled the water use. Thanks to Al Gore we pay twice as much in water as we did before they stuck their noses into the s$%t. No pun intended.

Posted by: askgees | July 29, 2009 5:18 PM | Report abuse

Issa is a moron. Software makers aren't responsible for their use.

No more than gun or videocam makers.

What do you expect from a politician who's never created anything of value?

Posted by: Major_Variola_ret | July 29, 2009 6:16 PM | Report abuse

askgees, in reference to your 5:18 pm post: you seem very paranoid, although I don't know you and can't judge whether or not your paranoia is justified, it seems excessive.
As for low-flow toilets, 2 things to consider: 1- your experience is probably with the first generation of low-flow products in the 1980s when the "double-flush" method was common. Try checking out the latest high performance low-flow units. The price is competitive with standard models and the performance is vastly better. 2- clean water is a precious commodity that becomes more rare, and therefore more expensive, as more is used. It is not to be wasted, ever. And I'm not certain how you conclude that low-flow toilets doubled water use, but I doubt a claim so outrageous has any reasonable chance of being correct. Why don't you direct your anger at local governments that have control over your water supplies. Is regular, sometimes daily, watering of office park and shopping center lawns and landscaping a wise thing to allow? Local governments and citizen pressure can force or encourage landscaping with drought tolerant plantings. And most communities in Virginia impose lawn watering restrictions yearly, after the rivers and reservoirs become too low; why not a year round restriction? If a golf course needs a smooth, level green, then there are plenty of artificial replacements for grass. A lot of progressive-thinking homeowners have gone that route and the initial investment is recouped in both money and time saved. Now if only Vegas would stop allowing development of so many thousands of new homes yearly; I mean, a green lawn in the desert?! The once mighty Colorado hasn't reached its original ocean outlet in Baja for years; what little is left after diversions evaporates into the desert air. I dread a future of water wars, now that water is becoming as scarce as oil.

Posted by: xplorer59 | July 29, 2009 6:28 PM | Report abuse

Anyone doubt that a large part of Congress' desire to "regulate" P2P networks is fueled by "campaign contributions" from the entertainment industry?

We have the finest government money can buy.

Posted by: DupontJay | July 29, 2009 7:00 PM | Report abuse

This is a p2p networking problem?

Call me crazy but why were these documents in a position of vulnerability?

Posted by: DD163 | July 29, 2009 8:34 PM | Report abuse

The disclosures are just the latest examples of egregious data breaches made possible by inadvertent file-sharing over P2P
------------------------------
Wow! The fact that these file sharing programs are on computers with classified information is part of the issue, I don't think this information was given up inadvertently...you have spies. Or Tiversa Inc. has to justify their contract and hacking with exaggerated or doctored claims.

This is mind boggling.

Posted by: DD163 | July 29, 2009 8:42 PM | Report abuse

© 2010 The Washington Post Company