R. Fink | File transfers weren't part of official protocol

The Packet Rat | Commentary: Sensitive data takes flight, via FTP

Packet Rat

Illustration by Michael J. Bechetti

The phone rang in the middle of the night. The Rat made the mistake of answering it.

'Hullo?' he groaned.

'You need to see this,' said a voice. 'Get to your computer. There's an example of bad security that you need to see.'

The Rat rose and walked to the kitchen, his wife whining at the loss of body heat in the air-conditioned bed. 'Who is this, really?' he asked groggily as he flipped open his laptop on the breakfast bar.

'Go to this Web address,' the caller said in a muted voice, refusing to acknowledge the whiskered one's groggy request. The Rat, suspecting a phishing attempt, carefully typed in the URL, with all his download blockers armed and ready.

Instead, what loaded on the Rat's screen was a collection of photos, charts and maps of sensitive security features of Tallil Air Base in Iraq, with proposed upgrades to the perimeter fencing of the facility. And the information was all out in the clear on the Army Corps of Engineers' Web server.

'OK, what is this, some kind of hack? How did you find this?' the wirebiter asked, now fully awake.

'Actually, the Associated Press found it first,' the voice said. 'How's that for embarrassment?'

Sure enough, the Rat found a story from AP that outlined a number of Army Corps of Engineers lapses in information security, including schematics of a military detainee holding facility in Iraq, plans for fuel farms at Bagram Air Base in Afghanistan, and other plans for sensitive facilities abroad and in the United States. Some of the information was on contractors' servers. Other things, including the air base plans, were on the corps' own servers.

The National Geospatial-Intelligence Agency and the Energy Department also got unwelcome surprises from AP reporter Mike Baker. The gaps were brought to his attention by a number of people ' one of them a techie for the city of Greensboro, N.C., who detected an IP address from Tehran while accessing schematics of the city's water supply system. He did some poking around public government File Transfer Protocol sites and found he had downloaded files from Sandia National Laboratories marked top secret.

'Whoopsie,' the Rat muttered as he read the litany. 'OK, so who are you, and why are you calling me about this at 2 in the morning?'

'Errr'I just thought you should know about this, and that this wasn't the work of some'err'teenage hackers.'

The whiskered one pulled the phone from his ear and looked at the Caller ID, which showed the call coming from a Skype account. He turned and followed the glow of a computer monitor to his eldest son's room.

'Alright, son, you are so busted. Why did you wake me in the middle of the night about this?'

The ratling slid his headset off and looked at his father and gulped. 'Because I didn't want you to panic when you saw all the new Halo maps I hacked together using those maps.'

The Packet Rat once managed networks but now spends his time ferreting out bad packets in cyberspace. E-mail him at rat@1105govinfo.com.

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above