Sensitive military files readily available online
Internet users can't scour the sites with a typical search engine, but FTP servers routinely share a similar address with public Web sites. To log on, users often only need to replace "http" and "http://www" in a Web address with "ftp."
Some are secured by password or a firewall, but others are occasionally left open to anyone with an Internet connection to browse and download anonymously. Experts said that when unsophisticated users post sensitive information to the servers, they would not necessarily know it could be downloaded by people outside of their business or agency.
"What they don't realize is that every time you set up any type of server, you have that possibility," said Danny Allan, director of security research for Watchfire, a Waltham, Mass.-based Web security company. "Any files that you are putting on the server you want to monitor on a continuous basis."
Allan said he and others in the security industry have watched for more than a decade as files — including credit card information, sensitive blueprints of government buildings and military intelligence reports — spread through the public domain via unsecured FTP servers.
A spokeswoman for the U.S. Central Command, which oversees the war in Iraq, declined to say if material accidentally left on the Internet had led to a physical breach of security.
But among the documents the AP found were aerial photographs and detailed schematics of Camp Bucca, a U.S.-run facility for detainees in Iraq. One of the documents was password-protected, but the password was printed in an unsecured document stored on the same server. The documents showed where U.S. forces keep prisoners and fuel tanks, as well as the locations of security fences, guard towers and other security measures.
"It gets down to a level of detail that would assist insurgents in trying to free their members from the camp or overpower guards," said Loren Thompson, a military analyst with the Virginia-based Lexington Institute. "When you post ... the map of a high-security facility that houses insurgents, you're basically giving their allies on the outside information useful in freeing them."
The Corps of Engineers expressed a similar concern when it learned that the AP had downloaded the details about the fuel infrastructure upgrade at Bagram from a contractor's FTP site. Spokeswoman Joan Kibler said that kind of information "could put our troops in harm's way."
The AP's discovery led the agency to ask all its contractors to immediately put such material under password protection. In fact, all the agencies and contractors contacted by the AP have either shut down their FTP sites, secured them with a password or pledged to install other safeguards to ensure the documents are no longer accessible.
"We saw that there have been instances where some documents have been placed on FTP sites, and they haven't had any safeguarding mechanisms for them," Kibler said. "We've determined that those documents need to be safeguarded, so we've amended our practices here to require that any of those types of documents have restricted access when they're placed on FTP sites."
Documents found by the AP about Contingency Operating Base Speicher near Tikrit, Iraq, describe potential security vulnerabilities at the facility and paraphrase an Army major expressing concerns about a "great separation between personnel and equipment" as the base prepared for the military's current counterinsurgency push.
"For force-protection reasons and operational security, that's sensitive stuff," said Lt. Col. Michael Donnelly, a military spokesman based at Speicher. "That's for a need-to-know basis. The enemy regularly takes that stuff and pieces it together for their advantage."
The information about Camp Bucca, Bagram Air Base and Contingency Operating Base Speicher was found on the FTP server of CH2M Hill Companies Ltd., an engineering, consulting and construction company based in Englewood, Colo.
"None of the drawings are classified and we believe they were all handled appropriately per the government's direction," said CH2M Hill spokesman John Corsi. But the company added password protection to its FTP site after the AP's inquiry and referred the direct request for the documents to the government.
Military officials said the documents could jeopardize troop security and refused to release them.

