Army personnel data allegedly exposed on P2P network

Date Reported:
12/02/08

Organization:
United States Army

Contractor/Consultant/Branch:
Unknown

Location:
Unknown

Victims:
Soldiers

Number Affected:
"nearly 24,000"

Types of Data:
Personal information including "full names and social security numbers"

Breach Description:
An alleged and previously undisclosed breach has come to light "in an August letter sent by then Sen. Joseph Biden to Pete Geren, secretary of the Army. The letter, which has been reviewed by The Wall Street Journal, mentions 'files containing the personal identifying information of nearly 24,000 U.S. soldiers' that became publicly accessible through a so-called peer-to-peer network."

Reference URL:
The Wall Street Journal (blog) and a special thanks to Rian Wroblewski from RedTeam Protection.

Report Credit:
Ben Worthen, The Wall Street Journal

Response:
From the online source cited above:

Consider the case of an apparent data breach of Army soldiers’ names and personal information, the details of which were described in an August letter sent by then Sen. Joseph Biden to Pete Geren, secretary of the Army.

The letter, which has been reviewed by The Wall Street Journal, mentions "files containing the personal identifying information of nearly 24,000 U.S. soldiers" that became publicly accessible through a so-called peer-to-peer network.
[Evan] Breaches occurring through the misconfiguration of peer-to-peer (P2P) networking applications are much more prevalent than most people realize. I haven't written many blog posts about these types of breaches, but I have a good one coming soon. Rian Wroblewski, a friend, recently sent me a recap list of the P2P breaches he has found over the past 30 days or so, and I will share that list here on The Breach Blog within the next 24 hours.

"The files include full names and social security numbers" of the soldiers, the letter says.

The Army wouldn’t confirm or deny the existence of the files, and said it doesn’t comment on ongoing investigations or incidents.

A spokeswoman replied in an email that the Army has taken steps in recent months to boost its security.
[Evan] Hopefully the Army is always taking steps to boost security!

However, there’s little it can do about information on computers the government doesn’t control; in that situation, "the Army can only ask the owner of a public site to remove the information," she says in the email.
[Evan] Right and wrong.  Right in the fact that there is little the Army (or anyone else) can do once information has already leaked.  How is it possible to make information confidential again after confidentiality has been compromised?  The wrong that I see in this comment is the general sense of irresponsibility.  The security of sensitive information collected, created or otherwise given over to the Army is the responsibility of the Army.  The Army has the responsibility to protect the information in accordance with what is expected by the data owners, which in this case are the soldiers.

In this case the files - spreadsheets that appear to be lists of soldiers due for promotion - made their way to a peer-to-peer file-trading network.

People most commonly use these networks - examples include Limewire and BitTorrent - to swap music files or videos.

In many cases the software used to connect to the network also makes available all the files on someone’s computer, such as bank statements or work documents.
[Evan] This is generally due to a lack of understanding on the part of the application user.  P2P programs can be configured to only share what they have been explicitly allowed to share.  Too many times people install the P2P program and either accept default settings or neglect to read instructions/manuals.  Personally, I use a couple of P2P programs and I have yet to leak any of the sensitive information entrusted to me.

It’s not clear how the apparently leaked Army information reached the network, but one possible scenario is that someone in the military had stored the information on a home computer that was used to exchange files.
[Evan] Sensitive employer information should never be permitted on non-employer controlled/owned devices.  To me the reasons are obvious, to others not so much.

Businesses and other organizations are just starting to appreciate the risk these networks pose.

For example, peer-to-peer networks were named on only a few ballots in a recent survey by the Ponemon Institute, a privacy think tank, asking security professionals to identify potentially-dangerous software. But it was considered the single greatest threat among the security pros that cited it.
[Evan] Does this tell us that there are some "security professionals" that aren't very good "security pros"?

This wouldn’t be the first time that military files have been available over peer-to-peer networks, says Robert Boback, chief executive of Tiversa Inc., a security company that specializes in peer-to-peer technology. He says that he’s come across many such documents in the past, although he declined to say whether this included the list mentioned in Mr. Biden’s letter.
[Evan] I would be remiss if I didn't mention (again) one of the best P2P network security researchers I know, Rian Wroblewski at RedTeam Protection.

The Army says that its policy forbids people from installing peer-to-peer software on Army-owned computers.

In May the Army stopped including social-security numbers and other personally-identifiable information on promotion lists.
[Evan] Good.

In June, the Army developed a training program on the threat of information leaks and how to prevent them, which personnel will be required to take.
[Evan] Double-good.

Breaches like this are preventable, says Bob Gourley, former chief information officer for the Defense Intelligence Agency.

It requires investing in technology that would control who has access to certain information and strict enforcement of policies now in place. It requires effort, time and money.
[Evan] Wait, no shortcuts?!  No magic pills?!  There must be something we can do that doesn't require "effort, time and money"!  ;)  It seems I read somewhere that it generally costs an average seven (7) times more to respond to an information security incident than it does to prevent one.

Unfortunately, organizations don’t seem willing to make that effort. "We’ve had 10 years of warning of how damning and dangerous this kind of activity can be," he says. "Why is it still occurring when it doesn’t have to?"

Commentary:
This is two Army breaches in a row on The Breach Blog.  As promised, I will post Rian's list (see above) soon.

Past Events:
United States Army:
December, 2008 - US Army laptop is missing, personal data was encrypted
July, 2008 - Fort Lewis soldiers exposed by laptop theft
June, 2008 - Walter Reed Army Medical Center breach through P2P
April, 2008 - Excel Spreadsheet on the web exposes Army officers and civilians