Pittsburgh TV Station WPXI is reporting that Security Company Tiversa discovered engineering and communications information about the Marine One Chopper fleet on an Iranian Computer system. Marine One is a critical transportation asset for the President of the United States.
Bob Boback, CEO of Tiversa, said that he found the entire blueprints and avionics package for the famous chopper on an Iranian system. The company traced the file back to it's original source, which appears to be a defense contractor in Bethesda, MD.
How did secret Marine One information end up in Iran? According to Mr. Boback, it appears that the defense contractor had a file sharing program installed on their network, the same network that contained highly sensitive information on Marine One.
Boback said that someone from the company most likely downloaded a file-sharing program, typically used to share music and movie files, not realizing the potential problems.
Iran is not the only country that appears to be accessing this information through file-sharing programs. Boback said that they have seen the files accessed by systems in Pakistan, Yemen, Qatar and China.
If this is what passes for information security in matters of national defense, just wait until the Feds start mandating the digitizing of everyone's medical records.
Boback's team should get kudos for their investigative work. Boback notified the government immediately and said appropriate steps are being taken.
Pennsylvania Congressman Jason Altmire will ask Congress to investigate how to prevent this incident from happening again. There needs to be some tough questions asked, although too many times, these Congressional hearings don't lead to serious changes.
This is all the more reason for SANS' new Consensus Audit Guidelines (CAG) to be taken seriously. One of the goals of that program is to deal with national security-related data breaches.
At this point, we don't know what logging mechanism is in place at this contractor. Logging is a part of the CAG. Although one would have assumed that a good logging mechanism would have detected some of the peer-to-peer traffic before the incident got out of hand. Maybe the contractor has "logging in name only," (LINO) something I have seen first hand.
And, it's important to point out, that among the layers of security in the CAG that need to be added to many networks is the right kind of data loss prevention( DLP).
I have seen a lot of vendors lately pitching what I call single port DLP solutions, many of which only block one port. And even more solutions that only block based upon pre-determined dictionaries of credit card numbers, or social security numbers, or HIPAA data. They point these DLP solutions at the mail server, or others only monitor port 80 for web traffic.
Based upon what we know about this incident, one of the layers of security that is needed is a solution that fingerprints important files in that business unit, with hashing of the "slivers" of those files. Then, DLP should be pointed at all 65536 ports so they can all be monitored for leakage of any of the data, any port, any protocol. Even with a file sharing program on the network, the right DLP solution would have trapped the data before it ended up on servers in the Middle East, and Asia.
By the time you read this, this Marine One story will be all over the mainstream press. The public is going to be mad, and scared. It's time for information security professionals to stand up, and let the public policy makers know that there are solutions to these challenges, and now is the time to (finally) take these solutions seriously.
Ira Victor, GCFA, is the Co-Host of the Data Security Podcast, President of Sierra Nevada InfraGard, and an info sec consultant and forensic analyst with Data Clone Labs.
.png "Finding_Evil_WMI_Event_Consumers_with_Disk_Forensics_-Blog_(1).png")
.png "Blog_teaser_images_(19).png")
