Military Papers Found Unprotected Online
Detailed schematics of a military detainee holding facility in southern Iraq. Geographical surveys and aerial photographs of two military airfields outside Baghdad. Plans for a new fuel farm at Bagram Air Base in Afghanistan.
The military calls it "need-to-know" information that would pose a direct threat to U.S. troops if it fell into the hands of terrorists. It's material so sensitive that officials refused to release the documents when asked.
But it's already out there, posted carelessly to file servers by government agencies and contractors, accessible to anyone with an Internet connection.
In a survey of servers run by agencies or companies involved with the military and the wars in Iraq and Afghanistan, The Associated Press found dozens of documents that officials refused to release when asked directly, citing troop security.
Such material goes online all the time, posted most often by mistake. It's not in plain sight — unlike the plans for the new American embassy in Baghdad that appeared recently on the Web site of an architectural firm — but is almost as easy to find.
And experts said foreign intelligence agencies and terrorists working with al Qaeda likely know where to look.
In one case, the Army Corps of Engineers asked the AP to promptly dispose of several documents found on a contractor's server that detailed a project to expand the fuel infrastructure at Bagram — including a map of the entry point to be used by fuel trucks and the location of pump houses and fuel tanks. The Corps of Engineers then changed its policies for storing material online following the AP's inquiry.
But a week later, the AP downloaded a new document directly from the agency's own server. The 61 pages of photos, graphics and charts map out the security features at Tallil Air Base, a compound outside of Nasiriyah in southeastern Iraq, and depict proposed upgrades to the facility's perimeter fencing.
"That security fence guards our lives," said Lisa Coghlan, a spokeswoman for the Corps of Engineers in Iraq, who is based at Tallil. "Those drawings should not have been released. I hope to God this is the last document that will be released from us."
The Corps of Engineers and its contractor weren't alone. For example, the National Geospatial-Intelligence Agency — which provides the military with maps and charts — said it plans to review its policies after the AP found several sensitive documents, including aerial surveys of military airfields near Balad and Al Asad, Iraq, on its server.
The AP has destroyed the documents it downloaded, and all the material cited in this story is no longer available online on the sites surveyed.
The posting of private material on publicly available FTP servers is a familiar problem to security experts hired by companies to secure sites and police the actions of employees who aren't always tech-savvy. They said files that never should appear online are often left unprotected by inexperienced or careless users who don't know better.
"For some, there's sort of this myth that 'if I put something on the Net and don't tell anybody,' that it's hidden," said Bruce Schneier, the chief technology officer of BT Counterpane, a Mountain View, Calif.-based technology security company. Schneier said. "It's a sloppy user mistake. This is yet another human error that creates a major problem."
File transfer protocol is a relatively old technology that makes files available on the Internet. It remains popular for its simplicity, efficiency and low cost. In fact, several agencies and contractors said the documents found by the AP were posted online so they could be easily shared among colleagues.
Internet users can't scour the sites with a typical search engine, but FTP servers routinely share a similar address as public Web sites. To log on, users often only need to replace "http" and "www" in a Web address with "ftp."
Some are secured by password or a firewall, but others are occasionally left open to anyone with an Internet connection to browse and download anonymously. Experts said that when unsophisticated users post sensitive information to the servers, they would not necessarily know it could be downloaded by people outside of their business or agency.
"What they don't realize is that every time you set up any type of server, you have that possibility," said Danny Allan, director of security research for Watchfire, a Waltham, Mass.-based Web security company. "Any files that you are putting on the server, you want to monitor on a continuous basis."
A spokeswoman for the U.S. Central Command, which oversees the war in Iraq, declined to say if material accidentally left on the Internet had led to a physical breach of security.
Among the documents the AP found were aerial photographs and detailed schematics of Camp Bucca, a U.S.-run facility for detainees in Iraq. One of the documents was password-protected, but the password was printed in an unsecure document stored on the same server. They showed where U.S. forces keep prisoners and fuel tanks, as well as the locations of security fences, guard towers and other security measures.
"It gets down to a level of detail that would assist insurgents in trying to free their members from the camp or overpower guards," said Loren Thompson, a military analyst with the Virginia-based Lexington Institute. "When you post ... the map of a high-security facility that houses insurgents, you're basically giving their allies on the outside information useful in freeing them."
The information about Camp Bucca and Bagram Air Base was found on the FTP server of CH2M Hill Companies Ltd., an engineering, consulting and construction company based in Englewood, Colo.
"None of the drawings are classified and we believe they were all handled appropriately per the government's direction," said CH2M Hill spokesman John Corsi. But the company added password protection to its FTP site after the AP's inquiry and referred the direct request for the documents to the government.
Military officials said they could jeopardize troop security and refused to release them.
The AP's discovery led the Army Corps of Engineers to immediately ask all its contractors to put such material under password protection. In fact, all the agencies and contractors contacted by the AP have either shut down their FTP sites, secured them with a password or pledged to install other safeguards to ensure such material is no longer accessible.
Christopher Freeman believes he may have witnessed someone hunting for secrets on FTP servers. Freeman describes himself as "just a slightly above-average computer user," not a programmer or a hacker.
While working on an internal security review at his job with the city of Greensboro, N.C., he watched as a computer with an electronic address from Tehran, Iran, accessed the city's server and downloaded a file that contained design drawings for the area's water infrastructure.
While there's no way to know if there was malicious intent behind the download, Freeman said, "when you think of Iran, you think of all the bad stuff first."
Freeman passed along his findings to the FBI and the Department of Defense, and later aided investigators in securing the Space and Naval Warfare Systems Command site. After getting calls from a contractor and the Army Materiel Command asking about what he found online, Freeman has sought legal representation from Denner Pellegrino, a Boston-based firm that specializes in cyber crime.
"This is a treasure trove for terrorists," Freeman said. "They can just waltz in and browse."
FBI officials declined to specifically discuss Freeman and what he told the agency. But Mark Moss, an FBI agent who focuses on online security, said foreign intelligence agencies spend a lot of time on the Internet because online intelligence-gathering is cheap, quick and anonymous.
"If they steal your technology through the Internet, it's overseas in an instant," Moss said. "It's the perfect conduit."
By Mike Baker