Info sharing can be perilous'just ask Energy and DHS

The SANS Institute's Allan Paller gives pointers on avoiding security pitfalls

Agencies should check systems 'regularly with vulnerability testing tools and/or configuration testing tools. If that's not done at least every week, you're probably already broken into.'


'It turns out that sometimes people post their password files or they don't adequately protect them. If you run a direct query in Google, what that will do is look for a file that you might be able to access that the spiders have already indexed. ... When we ran it a couple of years ago on a research project, we got more than 800 files.'


Users also can create a security weakness by leaving unneeded software with known vulnerabilities on computers. 'There are programs that are distributed with Web server software that demonstrate capabilities. One of the ones distributed with all the Apache servers had a bunch of CGI scripts. Most people, unless they know about this, don't erase the CGI scripts when they install their Web server, but it turns out a fair number have vulnerabilities in them.'

Energy is working to 'ensure a situation of this nature does not arise again,' CIO Rose Parkes says.

Henrik G. de Gyor

It's a cautionary tale: Five months worth of sensitive federal briefings on terrorism show up on a nongovernment Web site. Supposedly, only government eyes would ever see them.

Agencies must share information to improve homeland security, but the risk of leaks rises as the circle of data users expands. The recent glitch at the Energy Department that led to dozens of sensitive Homeland Security Department documents being posted on a public Internet site illustrates that sharing data comes with serious cybersecurity challenges.

'Information sharing is a hard problem,' said Marty Lindner, a senior member of the technical staff at the CERT Coordination Center, the nonprofit computer vulnerability-tracking center at Carnegie Mellon University. 'There are things I think are sensitive and you don't. That's probably the biggest hurdle: what is sensitive and what is not.'

Both DHS and Energy moved quickly to correct the problem after they became aware of it last month. The error prompted short-term fixes, which included taking down the Energy site where the information was posted, and long-term ones, which focus on improving training and physically separating servers that host sensitive data from those for public information.

But no matter what steps the two departments take, security experts say protecting data from prying eyes when sharing it among many users requires continued vigilance.

Alan Paller of the SANS Institute of Bethesda, Md., said agencies should check systems regularly for vulnerabilities, implement strict password protections and remove unneeded software that can expose their sensitive data on the Web.

Neither Energy nor Homeland Security would release specifics on the incident, but DHS spokeswoman Michelle Petrovich said the problem arose from a special crawl application in the Google search engine that located the data posted on what Energy believed was an internal Web site.

Homeland Security has changed the way it shares the briefings with other agencies. Outside users now must 'come to us, to a special portal, to access information,' Petrovich said.

Energy CIO Rose Parkes said the department discovered on Jan. 16 that the terrorism documents it received from DHS could be accessed through a Web site run by its Energy Assurance Office and 'immediately took down the site.'

Configuration malfunction

Energy policy requires the documents be posted on a site that has user identification and password protection.

'All Energy employees and contractors who handle such materials undergo extensive training with regard to document control, and in this case, the contractor responsible is undergoing a rigorous retraining effort,' Parkes said. 'We also are working to address all of the contributing causes to ensure a situation of this nature does not arise again.'

She blamed the leak on 'an error of misconfiguration' that allowed the document to be accessed and said the department believes it was a one-time problem.

The documents covered five months' worth of morning briefings sent by DHS to federal and state law enforcement agencies, including the CIA, FBI and White House.

The briefings provide daily summaries of law enforcement actions directed at thwarting terrorist activities within the United States, and include details such as names and possible terrorist operations.

The documents carry the government's 'for official use only' designation, which means they contain information the government does not make public or let be posted to public Web sites.
Energy shut down the entire www. ea.doe.gov Web site when the problem was discovered, Parkes said. It remained offline late last week.

The CIO's office 'has provided an application security configuration fix and is personally overseeing implementation,' she said. Once the fix is completed, Energy will monitor the site to make sure all vulnerabilities have been corrected.

The public Web site that posted the documents, www.cryptome.org, touts itself as a source for documents 'that are prohibited by governments worldwide.'

The site noted that the DHS documents were provided by an unidentified source. Cryptome.org also reported that a person claiming to be an Energy contractor contacted the site administrator Jan. 19 and asked that it remove the documents. The administrator declined.

Although the vulnerability on the Energy site was found and fixed, the episode demonstrates some of the risks in the government's push to share information broadly among agencies'especially for the administration's war on terror.

Users should maintain the level of security at which they receive information, the CERT Coordination Center's Lindner said.

'We sort of have the model that you always have the right to raise sensitivity on something, but please don't lower it,' he said. 'If I send something encrypted, when you forward it, keep it encrypted.'

Parkes said her office 'takes this incident very seriously and will use it as a case study for cybersecurity awareness training.'

Further, the CIO's office is requiring the physical separation of public and internal Web servers as a way to reduce the possible transfer or exposure of sensitive information. Energy also is scanning all its internal and external sites for other vulnerabilities.

'We are also requiring DOE organizations to implement a management process and technical controls to provide for continuous monitoring to ensure that publicly available online information does not include sensitive information,' she said.

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above