SANS Digital Forensics and Incident Response Blog

P2P Usage Leads To Presidential Security Breach

by Ira Victor

Pittsburgh TV station WPXI is reporting that the security company Tiversa discovered engineering and communications information about the Marine One chopper fleet on an Iranian computer system. Marine One is a critical transportation asset for the President of the United States.

Bob Boback, CEO of Tiversa, said that he found the entire blueprints and avionics package for the famous chopper on an Iranian system. The company traced the file back to its original source, which appears to be a defense contractor in Bethesda, MD.

How did secret Marine One information end up in Iran? According to Mr. Boback, it appears that the defense contractor had a file-sharing program installed on their network, the same network that contained highly sensitive information on Marine One.

Boback said that someone from the company most likely downloaded a file-sharing program, typically used to share music and movie files, not realizing the potential problems.

Iran is not the only country that appears to be accessing this information through file-sharing programs. Boback said that they have seen the files accessed by systems in Pakistan, Yemen, Qatar and China.

If this is what passes for information security in matters of national defense, just wait until the Feds start mandating the digitizing of everyone's medical records.

Boback's team should get kudos for their investigative work. Boback notified the government immediately and said appropriate steps are being taken.

Pennsylvania Congressman Jason Altmire will ask Congress to investigate how to prevent this incident from happening again. Some tough questions need to be asked, although too many times these Congressional hearings don't lead to serious changes.

This is all the more reason for SANS' new Consensus Audit Guidelines (CAG) to be taken seriously. One of the goals of that program is to deal with national security-related data breaches.

At this point, we don't know what logging mechanism is in place at this contractor. Logging is part of the CAG, and one would assume that a good logging mechanism would have detected some of the peer-to-peer traffic before the incident got out of hand. Maybe the contractor has "logging in name only" (LINO), something I have seen first-hand.

It is also important to point out that among the layers of security in the CAG that need to be added to many networks is the right kind of data loss prevention (DLP).

I have seen a lot of vendors lately pitching what I call single-port DLP solutions, many of which only block one port, and even more solutions that only block based upon pre-determined dictionaries of credit card numbers, Social Security numbers, or HIPAA data. Some point these DLP solutions only at the mail server; others only monitor port 80 for web traffic.

Based upon what we know about this incident, one of the layers of security that is needed is a solution that fingerprints the important files in that business unit by hashing "slivers" of those files. Then, DLP should be pointed at all 65536 ports so they can all be monitored for leakage of any of that data, on any port and any protocol. Even with a file-sharing program on the network, the right DLP solution would have trapped the data before it ended up on servers in the Middle East and Asia.
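As an added example, not code from the post or from any vendor's product, here is a sketch of the sliver-fingerprinting approach described above: each protected file is reduced to hashes of overlapping word windows, and every cleartext flow is scored against that index without regard to destination port or protocol. The protected document and both flows are constructed samples; port 6346 is the default Gnutella port.

```python
import hashlib
import re
from typing import Dict, List, Optional

SLIVER_WORDS = 5    # words per sliver; shorter slivers catch smaller excerpts but raise false positives
ALERT_RATIO = 0.25  # block when at least this share of a payload's slivers belong to a protected file

def _tokens(text: str) -> List[str]:
    # Normalise case, punctuation and whitespace so reformatting a file does not evade the match
    return re.findall(r"[a-z0-9]+", text.lower())

def sliver_hashes(text: str) -> List[bytes]:
    """Hash every overlapping SLIVER_WORDS-word window; only digests leave this function."""
    words = _tokens(text)
    return [hashlib.sha256(" ".join(words[i:i + SLIVER_WORDS]).encode()).digest()[:8]
            for i in range(len(words) - SLIVER_WORDS + 1)]

def register(index: Dict[bytes, str], name: str, text: str) -> None:
    """Fingerprint a protected file into the index (sliver digest -> file name)."""
    for h in sliver_hashes(text):
        index.setdefault(h, name)

def scan_flow(index: Dict[bytes, str], dst_port: int, payload: bytes) -> dict:
    """Inspect one cleartext flow. The port is recorded for the alert but never decides
    whether to look; encrypted flows must be decrypted at a proxy before reaching this."""
    text = payload.decode("utf-8", errors="ignore")
    slivers = sliver_hashes(text)
    hits = [index[h] for h in slivers if h in index]
    ratio = len(hits) / len(slivers) if slivers else 0.0
    matched: Optional[str] = max(set(hits), key=hits.count) if hits else None
    return {"port": dst_port, "ratio": round(ratio, 2), "file": matched,
            "action": "block" if ratio >= ALERT_RATIO else "allow"}

# Constructed sample standing in for a protected engineering file (not real data)
PROTECTED_DOC = ("Section 4 rotor avionics bus. The flight data recorder feeds the maintenance "
                 "port at 115200 baud. Warning receiver channels two and three share antenna mast B. "
                 "Replace the coupling gasket every 300 flight hours or after any hard landing.")

INDEX: Dict[bytes, str] = {}
register(INDEX, "avionics_section4.txt", PROTECTED_DOC)

# Constructed flows: a P2P upload carrying an excerpt, and an ordinary web request
LEAK_FLOW = (6346, b"GET /get/3/notes.txt HTTP/1.1\r\n\r\nwarning receiver channels two and three "
             b"share antenna mast B. Replace the coupling gasket every 300 flight hours")
BENIGN_FLOW = (80, b"GET /weather/today HTTP/1.1\r\nHost: example.com\r\n\r\nsunny with light winds")

if __name__ == "__main__":
    for port, data in (LEAK_FLOW, BENIGN_FLOW):
        print(scan_flow(INDEX, port, data))
```

Real deployments add partial-document matching tuned per business unit, but the core point stands: the match is on content, not on which port the bytes leave through.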

By the time you read this, this Marine One story will be all over the mainstream press. The public is going to be mad, and scared. It's time for information security professionals to stand up, and let the public policy makers know that there are solutions to these challenges, and now is the time to (finally) take these solutions seriously.

Ira Victor, GCFA, is the Co-Host of the Data Security Podcast, President of Sierra Nevada InfraGard, and an info sec consultant and forensic analyst with Data Clone Labs.

6 Comments

Posted March 2, 2009 at 4:03 PM

Paul Bobby

"secret Marine One information"
Does anyone actually verify these stories before the FUD hits the fan?

Posted March 3, 2009 at 12:07 PM

trustedsignal

Paul,
Great question. I'm not sure what research Ira did, but this story has been in the online news for a few days. If you do a little searching you'll find news sources reporting that "classified" information was leaked, specifically information relating to Marine One's radar and missile warning systems, electronic schematics and telecommunications capabilities.

Posted March 3, 2009 at 12:23 PM

johnmccash

I have a minor quibble with the statement:
"Even with a file sharing program on the network, the right DLP solution would have trapped the data before it ended up on servers in the Middle East, and Asia."
Does anybody know whether any common P2P protocols use encrypted transmission? If they do, then DLP would probably not have detected it.

Posted March 3, 2009 at 1:01 PM

datasecurityblog

>IRA REPLIES TO PAUL'S COMMENT ABOUT SOURCES OF THE STORY:
The posting was written Sunday evening. The source was cited in the posting: Pittsburgh TV Station WPXI. They have a reporter there who did some excellent work. Since the story broke on Sunday, more reports have posted.
There are some interesting details that were revealed within the hour at Ars Technica: http://arstechnica.com/tech-policy/news/2009/03/specs-for-presidential-chopper-turn-up-on-gnutella.ars

Posted March 3, 2009 at 1:15 PM

datasecurityblog

>IRA REPLIES TO johnmccash's COMMENT ABOUT DLP AND ENCRYPTED CONTENT:
johnmccash validates my point that there are many DLP offerings on the market, but many of them are not comprehensive, despite the spin from the vendor.
I said the "right kind of data loss prevention (DLP)." The right DLP solution in this case would include a proxy of all traffic, including encrypted traffic.
If the late breaking reports are true, the system with the P2P software on it was a mobile worker. If there are mobile workers with access to confidential information, then the right DLP solution needs a mobile DLP rule solution, or mobile workers must route all traffic through a DLP system located at the organization's facility.
I suspect that the latter solution would make some users upset, since they would want to go right out on the internet, rather than log in back to the office every time they want to get online.
Memo to staffers: When you want to surf "directly" online, log onto Facebook/MySpace/Twitter/Meebo/LimeWire go buy a netbook for ~$299 and do personal surfing on your own equipment, and on your own network.
Heck, for just $99, you can get a netbook bundled with cellular wireless service. Wow, what a great way to "Facebook" during your lunch hour, in or out of the office!

Posted March 3, 2009 at 1:18 PM

datasecurityblog

Correction to the second to last paragraph:
Memo to staffers: When you want to surf "directly" online, or log onto Facebook/MySpace/Twitter/Meebo/LimeWire: go buy a netbook for ~$299. Personal internet use must be on your own equipment, and on your own network.