Sensitive military files readily available online

RebateMonger

Elite Member
Dec 24, 2005
11,586
0
0
An Associated Press investigation found several anonymous ftp sites with sensitive U.S. military documents openly available:

Sensitive military files readily available online

One site belongs to SRA International, a government contractor. The AP found a document the Defense Department said could let hackers access military computer networks.
According to an SRA spokeswoman: "The only way you could find it is by an awful lot of investigation," said SRA spokeswoman Laura Luke.

My first guess:
ftp://ftp.sra.com

Duh.
 

Red Squirrel

No Lifer
May 24, 2003
70,003
13,488
126
www.anyf.ca
lolers owned. The US government really scares me. I can almost guarantee there's some kind of way to get anyone's SSN and stuff like that, it's just a matter of time till someone finds a loophole... probably some innocent user who does it by accident.

In order to mitigate the risk of SRA or client proprietary information being
inadvertently made available to the public, the SRA anonymous ftp server
(ftp://ftp.sra.com ) has been shutdown indefinitely. In the coming months,
a new secure ftp site will be introduced that will replace the functionality
of this site.
 

Reel

Diamond Member
Jul 14, 2001
4,484
0
76
Originally posted by: Oakenfold

Wow...
:Q
Doesn't the government get SAS70 Type II reports from contractors or go through some kind of due diligence process like a public company would be required to under SOX?

That is a good question and I will try to inquire with some friends more in the government security consulting area. I personally have no experience in the government realm but based on the evaluations of the various agencies, I would not expect that they are really security-oriented from the ground up. I think they are band-aiding most of their systems to comply with policies rather than having a process-oriented approach. A large part is probably the nature of the beast that resists change and keeps people with an "older" mindset.

@RedSquirrel: Before we continue bashing the government, let's remember that there are plenty of private companies making the same mistakes. Many of whom have information that you would be shocked to discover was recorded. As an example, my dad had a small store when I was a kid and next door was a check approval shop. This guy had Winn-Dixie and some other major merchants using him. As a demonstration to me, he pulled up my parents' recent checks and said "Oh looks like your mom got a new microwave recently". This was 20 years ago when storage space was much more expensive...
 

SecPro

Member
Jul 17, 2007
147
0
0
Originally posted by: Oakenfold

Wow...
:Q
Doesn't the government get SAS70 Type II reports from contractors or go through some kind of due diligence process like a public company would be required to under SOX?

Government contractors are not required to have any type of "certification" in order to process unclassified .gov data. There may be some specific contract language that lays out requirements, but it is rare. The DoD is considering requiring its contractors to comply with DITSCAP/DIACAP. The problem they are having is that if they mandate it, they have to pay for it. If they do like they did with Ch. 8 of the NISPOM and grandfather it in for three years, it will be considered overhead on DoD contracts and the contractor can't charge it to the program.

Classified systems go through an accreditation process run by DSS/ODAA.
 

ForumMaster

Diamond Member
Feb 24, 2005
7,792
1
0
Yeah, they realized (I hope before too much damage was done), and there is only one readme text file that says that they indefinitely shut down the site.
 

biggestmuff

Diamond Member
Mar 20, 2001
8,201
2
0
Looks like I'm late to the party. What type of stuff was it? What was the classification level? Any mirrors up yet?
 

corkyg

Elite Member | Peripherals
Super Moderator
Mar 4, 2000
27,370
239
106
I suspect there are some red faces around. This is what that site presently says:

"In order to mitigate the risk of SRA or
client proprietary information being
inadvertently made available to the public,
the SRA anonymous ftp server (ftp://ftp.sra.com)
has been shutdown indefinitely. In the coming
months, a new secure ftp site will be introduced
that will replace the functionality of this site."


LoKe

Jun 4, 2005
19,723
1
0
I highly doubt any extremely sensitive data would be on the public Internet and not on some private network. That crap you see in movies of hackers busting through firewalls from their own terminal a few hundred/thousand miles away is BS.
 

biggestmuff

Diamond Member
Mar 20, 2001
8,201
2
0
Originally posted by: LoKe
I highly doubt any extremely sensitive data would be on the public Internet and not on some private network. That crap you see in movies of hackers busting through firewalls from their own terminal a few hundred/thousand miles away is BS.

That's not BS. However, SECRET and above info is kept on their own networks separate from the internet/NIPRNET (U//FOUO) network.
 

stash

Diamond Member
Jun 22, 2000
5,468
0
0
However, SECRET and above info is kept on their own networks separate from the internet/NIPRNET (U//FOUO) network.
Yes, that's the plan, anyway. But cross-contamination of NIPRNET and SIPRNET is far from unheard of.
 

biggestmuff

Diamond Member
Mar 20, 2001
8,201
2
0
Originally posted by: stash
However, SECRET and above info is kept on their own networks separate from the internet/NIPRNET (U//FOUO) network.
Yes, that's the plan, anyway. But cross-contamination of NIPRNET and SIPRNET is far from unheard of.

That's a spillage due to an error, negligence or ignorance and is appropriately handled.
 

stash

Diamond Member
Jun 22, 2000
5,468
0
0
Originally posted by: biggestmuff
Originally posted by: stash
However, SECRET and above info is kept on their own networks separate from the internet/NIPRNET (U//FOUO) network.
Yes, that's the plan, anyway. But cross-contamination of NIPRNET and SIPRNET is far from unheard of.

That's a spillage due to an error, negligence or ignorance and is appropriately handled.
Of course. The leak by SRA was also appropriately handled, in that they shut down the FTP.

 