In 2002, the Federal Transit Administration (FTA) hired a consulting firm to provide 35 different terrorist threat assessment scenarios relating to Chicago’s Metra and CTA transit systems. The company completed the assessments and, under contract, confidentially disseminated them to various federal, state and private sector entities, as well as first responders.
Five years later, an investigative reporter for a Chicago television news station reported that he was able to download the threat assessment documents via the peer-to-peer (P2P) file-sharing network LimeWire.
The reporter’s discovery highlights a concerning trend in which classified government documents and personal identification information are easily accessible on P2P networks.
Downloading MP3s, Videos, and Classified Documents
In 1999, the first P2P file-sharing network, Napster, was created, and many other similar software programs soon followed. While the programs simplified sharing and gaining access to music, video and document files, lax security precautions could expose data on a hard drive. Specifically, a file-sharing program gives “User A” the option to limit the amount of hard drive access for “User B.” Most often, network users designate a specific folder to download to and share from. If this option is denied or ignored, it is possible that P2P users could access the entire hard drive and upload or download any file on the sharing individual’s hard drive.
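The check below is an added example, not part of the original article or of any P2P client: it audits a configured shared folder for the failure described above, where the share covers a whole drive or user profile instead of one designated folder. The function names, the finding labels and the document-extension list are assumptions, and the sample files are constructed.

```python
import os
import tempfile
from pathlib import Path

# Extensions counted as documents in this audit (an assumption; adjust per site).
DOC_EXTS = {".doc", ".docx", ".pdf", ".ppt", ".txt", ".xls", ".xlsx"}


def audit_share(shared_root, home):
    """Flag an over-broad shared folder and list documents reachable under it."""
    root, home = Path(shared_root).resolve(), Path(home).resolve()
    findings = []
    if root == Path(root.anchor):
        findings.append("shares-entire-drive")
    elif root == home or root in home.parents:
        findings.append("shares-home-or-above")
    docs = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if Path(name).suffix.lower() in DOC_EXTS:
                docs.append(Path(dirpath, name).relative_to(root).as_posix())
    if docs:
        findings.append("documents-exposed")
    return {"findings": findings, "documents": sorted(docs)}


def build_demo_home(base):
    """Create a constructed sample profile: one media folder, one document."""
    home = Path(base, "user")
    (home / "Shared").mkdir(parents=True)
    (home / "Documents").mkdir()
    (home / "Shared" / "song.mp3").write_bytes(b"constructed sample")
    (home / "Documents" / "assessment.pdf").write_bytes(b"constructed sample")
    return home


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        home = build_demo_home(tmp)
        # Dedicated folder: nothing flagged. Whole profile: document exposed.
        print(audit_share(home / "Shared", home))
        print(audit_share(home, home))
```
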
In the case of the leaked documents, a failure to restrict P2P access to the hard drive was the likely conduit for the information’s release. A federal, state or private employee given access to the documents likely used LimeWire without setting any safety or limitation controls. Another possible scenario involves an individual intentionally sharing the documents under unknown outside influences. As the source of the leak is investigated, several incidents in the past few months highlight the security threat posed by P2P networks.
• In September 2007, authorities arrested a Seattle man on charges of identity theft carried out over a P2P network. The accused allegedly obtained personal information from unsecured user hard drives to commit identity theft and fraud.
• In July 2007, Robert Boback, the CEO of Tiversa, a company that scans P2P networks on behalf of government agencies and companies, testified before the US House Committee on Oversight and Government Reform and described 34 government documents that had been discovered on P2P networks. According to media reports, documents on the networks included the Pentagon’s network infrastructure diagram, techniques to defeat improvised explosive devices and terrorist threat assessments for some US cities.
• In June 2007, authorities discovered that a Pfizer employee deliberately leaked the personal data of 17,000 of the company’s employees onto P2P file-sharing networks.
Recent Findings Raise Suspicion of Tampering in Chicago
Last week, Metra railway workers discovered that at least one dozen railroad spikes, which help bind the rails to the wooden ties underneath the track, were missing. The discovery caught the attention of the Federal Bureau of Investigation (FBI). Additionally, the Department of Homeland Security (DHS) and the Transportation Security Administration (TSA) are conducting investigations.
According to the Federal Railroad Administration, the finding is alarming because if a sufficient number of spikes are removed in a contained location, a rail could shift and cause a train derailment. While the finding is most likely linked to some degree of criminal tampering, it also underlines a more subtle threat to Chicago’s transit system that may have been related to the leaked threat assessments.
The discovery of various breaches in secure electronic transmissions is alarming for national security. As a result, it is likely that consulting firms will implement new regulations, restrictions or procedures for methods of disseminating threat assessments or other sensitive information.