P-to-P Users Expose U.S. Government Secrets

— -- Contractors and U.S. government employees are sharing hundreds of secret documents on peer-to-peer networks, in many cases overriding the default security settings on their P-to-P software to do so, according to a company that monitors the networks.

Robert Boback, CEO of P-to-P monitoring service vendor Tiversa Inc., and retired U.S. Army General Wesley Clark, a Tiversa board member, said the company found more than 200 sensitive U.S. government documents during a recent scan of three popular P-to-P networks. The two testified earlier this week before the U.S. House of Representatives Oversight and Government Reform Committee.

Among the files shared: Physical threat assessments for multiple cities, including Philadelphia and Miami; a physical security attack assessment for a U.S. Air Force base; a detailed report from a government contractor on how to connect two secure Department of Defense (DOD) networks; a document titled, "NSA (National Security Agency) Security Handbook."

Many lawmakers directed their criticism toward the Lime Group LLC, distributor of the popular P-to-P software Lime Wire, during a contentious hearing Tuesday. But Boback, in a later interview, said his testimony wasn't intended to cast blame on Lime Wire.

In many cases, P-to-P users override the default security settings in the software. In Lime Wire, the default setting allows users to share files only from a "shared" folder, but many users apparently override the default settings, ignore warnings from the software, and share their entire "my documents" folder or other folders, Lime Group CEO Mark Gorton testified.

In other cases, government employees or contractors apparently ignore policies prohibiting the use of P-to-P software on computers containing sensitive government information, witnesses testified.

P-to-P users can also download files with hidden executables that can index the entire hard drive, Boback said, and that can create victims of even expert computer users. But the fault doesn't lie with Lime Wire or other P-to-P vendors, he added.

"It's the malicious user writing code that will expose the entire hard drive," he said. "Just because that user is a Lime Wire user, it makes it look as though Lime Wire indexed their system, when actually it was an executable within a download."

The problem isn't with the P-to-P network itself, he added. "It's just another access for malicious users to index one's information," he said.

In preparation for the congressional hearing, Tiversa scanned the three most popular P-to-P networks, including the Gnutella network Lime Wire uses, for two days. Tiversa staff entered common military search terms and found more than 200 secret U.S. government documents, Boback said.

The problem with official government documents on P-to-P networks in general is likely to be much greater; since Tiversa confined itself to military search terms, he said. The company reported its findings to U.S. government officials, some of whom took action to remove the documents, Boback said.

In another scan, on July 17, Tiversa found a defense contractor employee sharing 1,900 files, including 534 sensitive files, from what was apparently a home computer. The contractor, an IT expert, supported 34 U.S. government agencies including the DOD and intelligence agencies, Tiversa said.

Among the files shared from the contractor's computer: The infrastructure diagram for the entire Pentagon secret backbone network; password change scripts for secret Pentagon network servers; Secure Sockets Layer instructions and certificates allowing access to the contractor's IT systems; a contract issued by the U.S. Army Contracting Agency authorizing $1.5 million in fees from the contractor.

The contractor's shared files also included a letter from the U.S. White House Office of Management and Budget warning about the risks of P-to-P networks.

Representative Henry Waxman, a California Democrat and chairman of the oversight committee, asked during the hearing how sensitive the information was. "Would this kind of information jeopardize the United States if it fell into the wrong hands?" he asked.

"Of course it would," answered Tiversa's Clark. "There's all kinds of information that's getting out."

Several lawmakers targeted Lime Wire's Gorton, even though U.S. Department of Transportation CIO Daniel Mintz said employees broke agency policy by using P-to-P software on computers containing government information.

Representative Darrell Issa, a California Republican, said he's unsure how Lime Wire avoids lawsuits from users whose personal information has been exposed. Representative Jim Cooper, a Tennessee Democrat, scolded Gorton for having a "failure of imagination" about the security lapses associated with P-to-P.

"If I were you ... I'd feel more than shame and guilt at this point for having made the laptop a dangerous weapon against the security of the United States," he said.

Gorton, whose company does not monitor what's shared over Lime Wire, said he was surprised that so much secret government data was being shared over P-to-P networks. Lime Wire will look at ways to block users from sharing personal and sensitive information, he said, but he also called on Congress to look at ways to block sharing at the ISP (Internet service provider) level. ISPs would have the power to block such data, he said.

"I had no idea there was the amount of classified data out there," he said. "Clearly, some people are not paying attention to our warnings. We need to do a better job of making it very, very, very difficult for users to accidentally share files."