P2P Usage Leads To Presidential Security Breach

Pittsburgh TV Station WPXI is reporting that Security Company Tiversa discovered engineering and communications information about the Marine One Chopper fleet on an Iranian Computer system. Marine One is a critical transportation asset for the President of the United States.

Bob Boback, CEO  Tiversa, said, that he found the entire blueprints and avionics package for the famous chopper on an Iranian system. The company traced the file back to it’s original source, which appears to be a defence contractor in Bethesda, MD.

How did secret Marine One information end up in Iran? According to Mr. Boback, it appears that the defensible contractor had a file sharing program installed on their network, the same network that contained highly sensitive information on Marine One.

Boback said that someone from the company most likely downloaded a file-sharing program, typically used to share music and movie files, not realizing the potential problems.

Iran is not the only country that appears to be accessing this information through file-sharing programs. Boback said that they have seen the files accessed by systems in Pakistan, Yemen, Qatar and China.

If this is what passes for information security in matters of national defence, just wait until the Feds start mandating the digitizing of everyone’s medical records.

Boback’s team should get kudos for their investigative work. Boback notified the government immediately and said appropriate steps are being taken.

Pennsylvania Congressman Jason Altmire
will ask  Congress to investigate how to prevent this incident from happening again. There needs to be some tough questions asked, although too many times, these Congressional hearings don’t lead to serious changes.

This is all the more reason for  SANS’ new Consensus Audit Guidelines (CAG) to be taken seriously. One of the goals of that program is to deal with national security-related data breaches.

At this point, we don’t know what logging mechanism is in place at this contractor. Logging is a part of the CAG. Although one would have assumed that a good logging mechanism would have detected some of the peer-to-peer traffic before the incident got out of hand. Maybe the contractor has a “logging in name only,” (LINO) something I have seen first hand.

And, it’s important to point out, that among the layers of security in the CAG that need to be added to many networks is the right kind of data loss prevention( DLP).

I have seen a lot of vendors lately pitching what I call single port DLP solutions, many of which only block one port. And even more solutions that only block based upon pre-determined dictionaries of credit card numbers, or social security numbers, or HIPAA data.  They point these DLP solutions at the mail server, or others only monitor port 80 for web traffic.

Based upon what we know about this incident, one of the layers of security that is needed is a solution that fingerprints important files in that business unit, with hashing of the “slivers” of those files. Then, DLP should be pointed at all 65535 ports so they can all be monitored for leakage of any of the data, any port, any protocol. Even with a file sharing program on the network, the right DLP solution would have trapped the data before it ended up on servers in the Middle East, and Asia.

By the time you read this, this Marine One story will be all over the mainstream press. The public is going to be mad, and scared. It’s time for information security professionals to stand up, and let the public policy makers know that there are solutions to this challenges, and now is the time to (finally) take these solutions seriously.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: