BelchSpeak


Sensitive Files Left on DOD, Energy Contractors FTP Servers

All the firewalls in the world can’t fix stupid security practices and careless users.  The Associated Press actually did some great investigative journalism, coupled with some rank amateur cyber-sleuthing, to come up with mounds of sensitive, classified and secret documents scattered around the FTP servers of many of the nation’s DOD and DOE contractors.

FTP is often used as a temporary directory in today’s fast-paced military contracting offices.  You have to give a presentation and don’t want to carry a laptop or a thumb drive?  You put the slideshow on your company’s FTP server and pull it down at the presentation site from any internet-connected host.

Document too large to fit into an email with that 10MB restriction?  No problem, dump it onto the FTP server and fetch it from there.

But the problem is that the files are forgotten and never removed, or there are no security measures in place to prevent anyone from simply downloading them.
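A check for both of those failure modes on a drop box you administer, as an added example that is not part of the AP story or this post; it assumes the server supports the MLSD listing command and treats anything untouched for 30 days as forgotten:

```python
#!/usr/bin/env python3
"""Audit your own FTP drop box for the two problems above:
anonymous (credential-less) read access and files nobody came back for."""
import ftplib
import sys
from datetime import datetime, timedelta, timezone

STALE_AFTER = timedelta(days=30)  # assumption: older than this means "forgotten"


def parse_modify(modify):
    """Turn an RFC 3659 'modify' fact (YYYYMMDDHHMMSS[.sss], UTC) into an aware datetime."""
    return datetime.strptime(modify[:14], "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def stale_files(entries, now=None, max_age=STALE_AFTER):
    """Return [(name, age_in_days)] for regular files older than max_age.

    `entries` are (name, facts) pairs exactly as ftplib.FTP.mlsd() yields them;
    directories and entries without a modify fact are skipped."""
    now = now or datetime.now(timezone.utc)
    found = []
    for name, facts in entries:
        if facts.get("type") != "file" or "modify" not in facts:
            continue
        age = now - parse_modify(facts["modify"])
        if age > max_age:
            found.append((name, age.days))
    return found


def anonymous_login_allowed(host, timeout=10):
    """True if the server lets the 'anonymous' user in (ftplib's default login)."""
    try:
        with ftplib.FTP(host, timeout=timeout) as ftp:
            ftp.login()
            return True
    except ftplib.error_perm:  # 530 Login incorrect, or a similar refusal
        return False


def audit(host, user, password, path="/"):
    """Report both problems for one server you own; credentials are for its admin account."""
    if anonymous_login_allowed(host):
        print(f"[!] {host}: anonymous login accepted; everything on it is effectively public")
    with ftplib.FTP(host, timeout=10) as ftp:
        ftp.login(user, password)
        for name, days in stale_files(ftp.mlsd(path)):
            print(f"[!] {host}:{path}{name} untouched for {days} days; remove or archive it")


if __name__ == "__main__":
    audit(*sys.argv[1:4])  # usage: audit.py HOST USER PASSWORD
```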

The whole long AP article is here, and it is worth the read.  Some highlights of items found are:

  • aerial photographs and detailed schematics of Camp Bucca, a U.S.-run facility for detainees in Iraq
  • fuel infrastructure upgrade at Bagram
  • potential security vulnerabilities at the facility Contingency Operating Base Speicher near Tikrit
  • plans to combat GPS jammers
  • technology to combat enemy snipers in urban environments
  • manual describing how to operate a Navy encryption device on the server of the Space and Naval Warfare Systems Command, along with the decryption passwords in a plaintext document
  • photographs and graphics detailing the inner workings of missiles designed at Sandia.

Sloppy data handling, especially during wartime, is inexcusable.  What may be needed is for military groups to red-team their own contractors to detect and close gaping security holes such as these.

Dr. Jones

Do not talk about fight club. Oops.
