Welcome to AppFail
Posted on 2009-07-30
Both secret and sensitive documents from the United States Secret Service, having to do with the presidential safe-house and motorcade routes, have been leaked via P2P file sharing networks.
The details of one of the "undisclosed locations" the USSS uses for the First Family, specifically in the event of a national security emergency, were found being spread on the Internet file sharing network LimeWire. Other information, not actually classified as secret but still extremely sensitive, such as presidential motorcade routes and a detailed listing of nuclear facilities throughout the country were also found in foreign hands. This may actually be innocuous, but how would one tell that the documents were or were not legitimate? This is a clear warning that proper security precautions are not being taken to safeguard this information.
Information Security means provably protecting the Confidentiality, Integrity, Availability, Authenticity, and Non-repudiation of the data. The first failure here is Confidentiality: the information was stored in an unprotected format, on an Internet-accessible computer, used by a person who was not aware of the consequences of using P2P software. Encryption is the obvious answer to protecting sensitive documents, but this means more than simply encrypting the entire disk with a low-level system. Once such a disk is unlocked, its data is available to every program running on the computer; in this case the LimeWire P2P application would still have had access to the information even if the drive was encrypted. So the files need to be individually encrypted and decrypted only when they are used. This protects them from accidental disclosure, but it is not the only consideration.
What of a single rogue agent who decides to sell this information to the highest bidder? To protect against this, the encryption key should be a "shared secret": using advanced cryptographic techniques, it would require the private keys of at least 3 separate USSS agents to decrypt the secured document.
This brings us to Integrity. What would happen if there was a bug in the P2P software that allowed a third party to modify the document, changing the motorcade route to one that was easier to attack? Again cryptography provides the answer: sensitive documents should be cryptographically hashed and signed so that any unauthorized changes are detected immediately. And if the private key used to sign is divided up as a shared secret, it would require three or more agents to authorize a change.
Availability means ensuring that the data is always accessible. It would seem from this incident that the documents are just strewn around a bunch of different computers in some government office somewhere; it is possible that they are on some kind of shared network storage, but that would actually increase the scale of damage done by this leak. True availability requires that there be multiple copies of the document in disparate locations, and that all of these copies be properly updated when a change is made. In the case of a secure document, Authenticity and Non-repudiation are actually achieved in the same way as Integrity: with cryptographic signing. Overall it seems the I.T. practices and policies at the USSS are in need of an overhaul. While the USSS is known for keeping its secrets, it seems not everyone there is up to speed with how digitizing the information affects the security model.
The disclosures have prompted the US Congress to consider passing a law that would ban the use of P2P software on government and contractor networks. While I think that, in and of itself, this is a fine idea, it really should just be an IT policy rather than a law. It is the next step that is more worrying. The Congress is also considering forcing P2P software developers to change the way their software works, and eventually become liable for information that is leaked via the service. Why should the software developer be liable for information disclosed and the illegal activities of those who stole the information, when it was in fact the user of the software that misconfigured it to share the sensitive information? This is tantamount to making Microsoft liable for any sensitive information disclosed due to a malware infection on a Windows machine. Do you know how many credit cards are stolen in this way? That would be an awfully big burden for Microsoft to bear, especially when in a large portion of the cases, it is in fact the user who prompted the infection. It seems to me that the US Congress does not understand what it means to develop software, and the number of unintended consequences that are involved in creating complex programs; as such, I feel it is not their place to try to regulate the industry that they can barely understand.
By: Allan Jude
Via: Computer World
Cuiusvis hominis est errare; nullius nisi insipientis in errore perseverare - Any man can make a mistake; only a fool keeps making the same one.