Classified US military info available over P-to-P

Government and private files made available over P2P file sharing

Millions of documents, both government and private, containing sensitive and sometimes classified information are floating about freely on file sharing networks after being inadvertently exposed by individuals downloading P2P software on systems that held the data, members of a U.S. House committee were told Tuesday.

Among the documents exposed: The Pentagon's entire secret backbone network infrastructure diagram, complete with IP addresses and password change scripts; contractor data on radio frequency manipulation to beat Improvised Explosive Devices (IED) in Iraq; physical terrorism threat assessments for three major U.S. cities; information on five separate Department of Defense information security system audits.

Information about the breach came during a hearing on inadvertent file sharing over peer-to-peer (P2P) networks held by the House Committee on Oversight and Government Reform, chaired by Rep. Henry Waxman (D-Calif.). One of those testifying was retired General Wesley Clark, who is currently a board member of Tiversa, a company that sells P2P network monitoring services to government agencies and private sector companies.

Clark described how "in a matter of hours" he was able to lay hands on over 200 documents containing classified and secret government data from P2P networks using Tiversa's search engine. He came across the documents while preparing for the hearing.

Some of the data appears to have come from the system of a contract worker at the Pentagon who installed P2P software on her computer, Clark said. The data included everything from Iraq status reports to a list of soldiers with their Social Security numbers. "They are the complete documents. They are not faxed copies. They are not smudged. They are as fresh as if they were printed off the computer" of the organization they came from.

"There's all kind of data leaking out inadvertently," he told the committee, noting that the documents he cited were "simply what we found when we put the straw in the water. The American people would be outraged if they are aware of what is being inadvertently being disclosed on P2P networks."

It's not just government data that is leaking out; so is a lot of sensitive corporate information, said Robert Boback, the CEO at Tiversa who also testified at the hearing. In written testimony, Boback listed several examples of corporate information Tiversa was able to pull from P2P networks. It found, for instance, the board minutes of one of the world's largest financial services organizations, the entire foreign exchange trading backbone of a financial company and a comprehensive launch plan -- complete with growth targets -- of yet another financial company that was diversifying into a new region. Other corporate documents retrieved from P2P networks included press releases not yet issued, patent information, business contracts and non-disclosure agreements.

In addition, the ready availability of federal and state ID cards, passports, Social Security numbers, credit card information and bank account details makes P2P networks a great source of information for identity thieves, he said.

Popular P2P clients such as Kazaa, Lime Wire, BearShare, Morpheus and FastTrack are designed to let users quickly download and share music and video files. Normally, such P2P clients allow users to download files to and share items from a particular folder. But if proper care is not taken to control the access that these clients have on a system, it is easy to expose far more data than intended.
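The check below is an added example, not part of the original article or any vendor's tooling: it audits a folder that a P2P client is configured to share, flagging a share root that covers the whole home directory and listing non-media files that would be exposed. The function names, extension lists and sample files are assumptions constructed for illustration; the share root is taken as known from the client's settings.

```python
import os
import re
import tempfile
from pathlib import Path

DOC_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pdf", ".txt", ".csv"}
MEDIA_EXTS = {".mp3", ".wav", ".avi", ".mpg", ".mp4", ".wmv"}
SSN_RE = re.compile(rb"\b\d{3}-\d{2}-\d{4}\b")  # SSN-shaped strings only

def too_broad(share_root, home):
    """True when the share is the home directory or one of its ancestors."""
    share_root, home = Path(share_root).resolve(), Path(home).resolve()
    return share_root == home or share_root in home.parents

def audit_share(share_root, home, max_bytes=1_000_000):
    """Walk the shared tree and report what a remote peer could download."""
    share_root = Path(share_root)
    report = {"too_broad": too_broad(share_root, home),
              "documents": [], "ssn_like": []}
    for dirpath, _dirs, files in os.walk(share_root):
        for name in files:
            path = Path(dirpath) / name
            ext = path.suffix.lower()
            if ext in MEDIA_EXTS:
                continue  # the content the client is meant to share
            rel = path.relative_to(share_root).as_posix()
            if ext in DOC_EXTS:
                report["documents"].append(rel)
            try:
                with open(path, "rb") as fh:
                    if SSN_RE.search(fh.read(max_bytes)):
                        report["ssn_like"].append(rel)
            except OSError:
                continue  # unreadable file: skip, keep auditing
    report["documents"].sort()
    report["ssn_like"].sort()
    return report

def demo():
    """Constructed sample tree: a music-only share versus sharing all of home."""
    with tempfile.TemporaryDirectory() as tmp:
        home = Path(tmp) / "home" / "user"
        (home / "Shared").mkdir(parents=True)
        (home / "Documents").mkdir()
        (home / "Shared" / "song.mp3").write_bytes(b"ID3 constructed")
        (home / "Documents" / "roster.txt").write_text("Doe, J. 078-05-1120\n")
        (home / "Documents" / "audit.pdf").write_bytes(b"%PDF-1.4 constructed")
        return audit_share(home / "Shared", home), audit_share(home, home)

if __name__ == "__main__":
    print(demo())
```
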

Eric Johnson, a professor of operations management at the Center for Digital Strategies at Dartmouth College's Tuck School of Business, testified that inadvertent data disclosure on P2P networks is a "whole lot worse" than many assume.

Speaking with Computerworld after the hearing, Johnson said that accidental information disclosure on P2P networks has become a "substantial issue for government [agencies] and for banks and for large corporate enterprises." Many companies believe that they have implemented adequate internal controls to block access to P2P networks, he said. The problem with these types of disclosures is that every employee, contractor, customer or supplier is a potential weak link.

"I spend a lot of time with CISOs and CIOs who think they have locked down their networks and made it difficult for people to join P2P networks," Johnson said. But those controls fail when employees take work home and then connect their systems to a P2P network. "CISOs can do a great job hardening their own networks but controlling what thousands and thousands of individuals do is impossible," he said.

One company compromised in this manner is Pfizer Inc. In June, the company disclosed that personal data on about 17,000 employees had been inadvertently exposed on a P2P network after the spouse of an employee used a company computer to access a file sharing network.

Another example is the U.S. Department of Transportation. Daniel Mintz, the department's CIO, offered written testimony about how 93 DOT-related documents were inadvertently exposed on a P2P network. The exposure resulted when the teenage daughter of a DOT worker who was authorized to work at home installed LimeWire's P2P client on the computer containing the DOT data. The accidental data exposure was only discovered after a Fox News reporter informed the employee that he had been able to access several DOT-related documents from her computer, Mintz said.

DOT's inspector general "found that 30 of the approximately 93 DOT-related documents were publicly accessible at the time via LimeWire or other P2P software by virtue of residing in a 'shared folder,'" Mintz said. In addition, about 36 out of approximately 260 National Archives-related documents that were also on the employee's computer were in a shared folder and thus similarly exposed.


Jaikumar Vijayan
