Gen. Clark: Sensitive Gov't. Documents Exposed by LimeWire
In testimony before the House Oversight and Government Reform Committee on Tuesday, Gen. Wesley Clark - the former supreme commander of NATO forces and US presidential candidate, speaking as a board member of and advisor to security software company Tiversa - cited a study by his company revealing that in a period of two hours' search time on the P2P file-sharing system LimeWire, over 200 classified US Government documents were discovered.
"If you saw the scope of the risk," Gen. Clark testified, "I think you'd agree that it's just totally unacceptable. The American people would be outraged if they were aware of what's inadvertently shared by government agencies on P2P networks. They would demand solutions."
Later, Clark stated, Tiversa engineers located the entire Pentagon backbone network security infrastructure diagram, which apparently came as part of a package that included a letter from the US Office of Management and Budget warning of the dangers of using LimeWire and other P2P file sharing programs on computers where sensitive or secret documents are stored. The material, it was discovered, was copied from the computer of a single Pentagon contractor, who happened to be a LimeWire user. She didn't share those files intentionally; instead, her local file system was exposed through LimeWire.
"As I was preparing for the testimony," Clark continued, "I asked [Tiversa CEO] Bob Boback to search for anything marked 'Classified: Secret' or 'Secret: NOFORN' [No Foreign Nationals]. He pulled up over 200 classified documents in a few hours running his search engine. These documents were everything from INSUMs [intelligence summaries] of what's going on in Iraq, to contractor data on radio frequency manipulation to defeat improvised explosive devices. This material was all secret, it was all legitimate. I called the chairman of the National Intelligence Advisory Board, who works for [NSA Chairman] Adm. [Mike] McConnell, and shipped the information to him. He looked at it, he called NSA, NSA has it, they're now seized with the problem, I think."
The IAB chairman responded to Clark, he said, by exclaiming how he was astonished the documents weren't faxes or Xeroxes or grainy photographs, but the actual electronic documents themselves - which, in a way, may characterize the intelligence community's unfamiliarity with the whole idea of paperless documents and their propagation. "My goodness, they're in full color!" Clark says he shouted.
Dartmouth Professor Eric Johnson participated in a study with Tiversa to test how pervasive sensitive information traverses a P2P network, by creating a document that looked personal enough, and placing it on a computer where LimeWire was installed.
"In our first experiment, we posted the text of an e-mail message containing an active VISA (debit) number and AT&T phone card in a music directory that was shared via Limewire," reads an article written by Prof. Johnson and colleagues that was entered into the Committee record. In one week's time, he reports, the file was pilfered. Scanning the traffic on the debit card number and calling card at least helped engineers track where the file was being put to use, if not precisely by whom.
In the first week, the contents of the debit card were spent. The two spenders were believed to have Paypal and Nochex accounts, which helped place them in the US and the UK, respectively. With the calling card, they both placed long-distance calls exclusively to the Bronx, New York; and Tacoma, Washington. This, Johnson believes, illustrates the fact that the P2P file sharing threat crosses international boundaries.
It's worth noting that Tiversa seeded these "honey pot" documents within a music sharing directory, according to Prof. Johnson himself. Easily, files located here would bypass all security features of LimeWire, and perhaps most of its warnings as well.
"Peer-to-peer file sharing is a wonderful tool," Gen. Clark conceded in his testimony, "it's going to be a continuing part of the economy. It's a way that successfully moves large volumes of data, and that's not going to go away. It has to be regulated, and people have to be warned about the risks, and especially our government agencies, our National Security Agency, DOD, people who run the [NGI] SuperNet, have to take the appropriate precautions, because we can't have this kind of information bleeding out over the peer-to-peer network."
Later, Committee Chairman Rep. Henry Waxman (D - Calif.) read from a list Tiversa provided of other classified items during LimeWire searches: "1) a document with individual soldiers' names and Social Security numbers; 2) physical threat assessments for multiple cities, such as Philadelphia, St. Louis, and Miami; 3) a document titled 'NSA Security Handbook;' 4) numerous DOD directives on information security; 5) DOD security system audits; 6) numerous field security operations documents; and 7) numerous presentations for Armed Forces leadership on information security topics, including how to profile hackers and potential internal information leakers."
Clark added that it was technically feasible for government agencies to track the identities of individuals who effectively commit security breaches using P2P, although the procedures would be quite elaborate, and the processes for determining and testing them have yet to begin.
Next: LimeWire's chairman is all alone in the hot seat