Sunday, July 15, 2007

Corps of Engineers Security

This was an interesting story: "Military files left unprotected online". One of the sites described was an FTP server run by the Army Corps of Engineers. Google quickly finds such a server,, and the public directory is indeed full of the sorts of documents the article describes. For example, the /pub/aed (Afghan Engineer Destrict) contains the following subdirectories:

ABP Info (Paktia, Paktika, Ghazni)
AED Cmdr's Brief 05 2007
AED Projects
AED Yearbook 2007
CID Materials
Engineering Conference
Existing Hospital AsBuilt
Gardez Hospital Addition
New Folder
PRB 7-8-07
RFP W917PM-07-R-0074 Bagram USACE Office & Billeting
RFP W917PM-07-R-0081 ANA Brigade Buildings-Heating & Cooling Upgrades
Toor-Ghuundi Border Crossing 99% design
UP HQ Info (Paktia, Paktika, Ghazni)
W917PM-07-R-0076 Wadi Imporements-Pol-E-Charki
W917PM-07-R-0082-ANA Cooling & Heating Upgrades-Kandahar
W917PM-07-R-0084-ANA Cooling Upgrades-Laskargah
W917PM-07-R-0088 Drawings
W917PM-07-R-0089 Khair Kot
W917PM-07-T-0051 - Site Assessment

This looks like the sort of stuff that companies might include on internal file servers. Using my digital voodoo (such as tracking IP sequence numbers), I can tell that this is a heavily used server. According to the greeting information, this server is used to transfer files to the world outside the Corps. Outsiders can upload files to one directory for Corps employees to read, and employees can post files in another directory for outsiders to read.

The Army Corps of Engineers has an annual budget of $12-billion and 35,000 employees, but hundreds of thousands of outsiders work on Corps projects.

People have criticized this as "Security Through Obscurity". Search engines do not catalogue FTP servers, and thus, these documents will not come up in a Google search. However, this obscurity does not secure the server because anonymous FTP servers are easily found and accessed. I could easily write a program that would scan all 4-billion addresses looking for FTP servers that give helpful banners like "220-THIS IS A DOD COMPUTER SYSTEM.", then take directory listings of the files.

However, the Associated Press article hypes the importance of these files. Sure, you might dream of ways terrorists might could use these drawings of barracks to help them plan an attack, but really such information isn't really as helpful as paranoids imagine. Not everything needs the highest level of security. Obscurity is actually an appropriate level of security for trivial information.

It's like how when I stay in a hotel room and I come out of the shower and forget to close the curtains. I'd be unhappy if somebody were to spy through the window and post pictures of me changing my clothes on the Internet. However, such information isn't necessarily all that important to protect with the strictest security measures either. Ultimately, I've made the decision to secure such information with obscurity. I don't double-check the curtains before taking a shower, nor do I verify that there are no cracks that somebody could peek through.

It's easy for us security people to point out when things go wrong, it's hard for us to tell people what's right. The advice they give in such situations is to make things far more secure then they need to be, and far more costly than is practical. The point of the Corps' FTP server is to "publish" documents to the limited community of contractors. I'm guessing that any solution that would "secure" this would also make it far more costly than the benefits the Corps receives from the server. In other words, if you demanded high security, the Corps would just shut it down.

My advice to the management would be that this server is not nearly as obscure as they believe. This is an "anonymous FTP server" which is far more open to the world than they think. At the same time, they are relying upon 35,000 internal users to always make the right judgment call about whether a file can, or cannot, be published on that server. There are some extremely simple steps that would make this more obscure. The easiest is simply to put a password on the "anonymous" account, such as "corps123". This password will, of course, be the worst kept secret ever, but it would make the server dramatically more obscure.

A slightly harder change would be to have a separate account for each other top level directories you have under public. I don't know the structure of the Corps, but I assume that people working for one department in the corps do not need access to the files of another department. Thus, create an "aed-anonymous" account (with a password) that only has access to the /pub/aed subdirectory. Thus, if an employee posts an overly sensitive document, the damage will be a lot less.

Finally, being outted like that in the press is a good opportunity to have a risk assessment done. It looks to me like a bit of mission creep is going on - what might have been appropriate obscurity for documents related to such public works projects as post-Katrina reconstruction might not be the same level of obscurity/security needed for military structures in Afghanistan. That auditor should be independent -- you just know that this is a typical internal politics where the people wanting the public FTP site have influenced the risk assessment to get what they want.

No comments: