[ISN] Confidential Chicago terrorist threat assessment leaked over P2P

From: InfoSec News (alerts@private)
Date: Thu Sep 13 2007 - 23:19:10 PDT


By Jaikumar Vijayan
September 13, 2007 

Officials at consulting firm Booz Allen Hamilton Inc. are looking into 
how a Fox News reporter acquired a confidential terrorist threat 
assessment on Chicago over a public file-sharing network.

Larry Yellen, an investigative reporter with WFLD Fox News in Chicago, 
on Tuesday reported that he recently used a peer-to-peer (P2P) program 
called LimeWire to obtain the Booz Allen document. The firm authored the 
document in 2002.

George Farrar, a spokesman for Booz Allen, today confirmed the incident 
and said the document was commissioned by the Federal Transit 
Administration (FTA) five years ago. It was one of 35 threat assessments 
of the nation's bus and rail systems that Booz Allen was commissioned to 
do by the agency.

"Essentially, yes, those were Booz Allen documents that were available 
on the Internet via a peer-to-peer file-sharing system," Farrar said. 
"What we don't know is from what system those documents made their way 
to the Internet."

Farrar said that after Booz Allen completed the threat assessment, it 
made the document available to numerous federal, state and 
private-sector entities and first responders as required under its 
contract with the FTA. It was then the responsibility of those entities 
to protect the documents, Farrar said.

"We investigated internally and didn't find the document on our 
computers," Farrar said. He also noted that employees at Booz Allen 
cannot connect to file-sharing networks at work. "We are continuing to 
investigate. We can't say definitely one way or the other," who the 
source of the leaked document was. But he said it is possible that the 
document was leaked from a computer belonging to one of the entities 
that got the report.

"We don't know what controls were put in place after the document left 
our hands. So far, we haven't been able to find evidence that it was 
from our computers," he said.

The Booz Allen incident again highlights what some analysts say is a 
growing problem: the easy availability of all sorts of government, 
personal and confidential information on P2P networks.

The situation is the result of information being leaked onto these 
networks by individuals who fail to take precautions for securing their 
computers during P2P sessions. Popular P2P clients such as Kazaa, 
LimeWire, BearShare, Morpheus and FastTrack are designed to let users 
quickly download and share music and video files. Normally, such clients 
allow users to download files to -- and share items from -- a particular 
folder on their system with other users on the network. But if the 
access these P2P clients have on a system is not controlled, it is easy 
to expose and share personal data with all other users on a file-sharing 

U.S. authorities recently arrested a Seattle man on charges that he 
deliberately mined and harvested P2P networks for such data which he 
then used to commit ID theft -- the first time that anyone in the U.S. 
has been arrested on charges of committing ID theft over P2P networks.

In July, the House Committee on Oversight and Government Reform heard 
testimony from several witnesses about how everything from classified 
military documents to corporate data can be found on P2P networks. The 
leaked documents on P2P networks cited as examples at the hearing 
included the Pentagon's entire secret backbone network infrastructure 
diagram; contractor data on radio frequency manipulation to defeat 
improvised explosive devices in Iraq; and physical terrorism threat 
assessments for three major U.S cities.

Visit the InfoSec News Bookstore

This archive was generated by hypermail 2.1.3 : Thu Sep 13 2007 - 23:49:09 PDT