A major financial institution this week will receive a report outlining the extent to which its Web site exposes it to potential attacks by Osama bin Laden’s al-Qaeda organization and other terrorists.
The audit, produced by security consulting firm Stroz Associates LLC, is one of the first of its kind in the private sector. It marks a growing trend by companies in the aftermath of the Sept. 11 terrorist attacks to assess whether content on their Web sites increases their risk of being targeted by terrorist organizations.
The amount of sensitive data uncovered by Stroz Associates at various corporate Web sites is startling, said Eric Friedberg, managing director at the New York-based firm and a former computer crime coordinator at the U.S. Department of Justice.
“Many Web sites constitute a gold mine for potential attackers,” said Friedberg. Audits have found descriptions of physical locations of backup facilities, the number of people working at specific facilities, detailed information about wired and wireless networks, and specifications on ventilation, air conditioning and elevator systems. Other sites give graphical representations of floor plans, cabling connections and ventilation ductwork, Friedberg said.
Philadelphia-based American Executive Centers Inc. leases office space in a 20-story building to major companies such as Oracle Corp., Bank of America Corp. and Ford Motor Co.
American Executive Centers, whose name fits the targeting profile that security experts say could put companies on a terrorist’s radar screen, offers photographs, floor plans and virtual tour information on its Web site.
Mike Howard, leasing manager for the complex, said that the company hasn’t been concerned with the level of detail provided on the Web site and that it has taken steps since Sept. 11 to improve security.
“Our floor plan is not a whole schematic of the building,” he said, adding that no schematics for underground garages are available on the site.
That lack of concern contrasts sharply with the position of the FBI’s National Infrastructure Protection Center (NIPC). The NIPC on Jan. 17 issued a warning to all companies and government agencies to scour their public Web sites for sensitive information pertaining to critical infrastructure systems. It was the second such warning the NIPC has issued since Sept. 11.
And the NIPC’s concerns may be warranted. A recent Computerworld survey of a dozen Web sites uncovered interactive maps depicting information such as the location of nuclear waste storage facilities and detailed diagrams of every major telecommunications network in the U.S.
But information that could be helpful in the planning of terrorist attacks isn’t the only problem, said Eric Shaw, a former CIA psychologist and profiler and the principal author of the Stroz Associates study. Companies could also be targeted if they post information that terrorist organizations don’t like, he said.
“We know that corporate Web sites that contain messages supporting globalization are going to stimulate portions of the al-Qaeda organization and make those companies a potential target,” said Shaw.
Shaw declined to name the financial institution for which the report was prepared, citing contractual and security reasons. However, he did say that the audit uncovered files listing frozen bank accounts belonging to known supporters of the al-Qaeda terrorist organization, which could have provided motivation for its members in the U.S. to attack the company.
“Companies are communicating very effectively with their internal audience and clients, but they don’t realize how information from a public Web site can be interpreted differently, particularly by adversary groups,” said Shaw. “In the international realm, that can put you in the cross hairs.”
“There’s way too much information out there, especially in the area of critical infrastructure,” said Dan Morrison, director of risk consulting at Arthur Andersen LLP in Chicago. “Bad guys can be really clever. But even when they’re not clever, data aggregation can make targeting possible.”
Large telecommunications firms and local communications companies publish a vast amount of sensitive information on their Web sites about critical nationwide networks.
A recent Computerworld survey of eight national and local telecommunications service providers uncovered enough information to produce a relatively accurate blueprint of the major network backbones serving businesses across the U.S.
In addition to network maps, the survey found detailed information on the locations of current and planned Internet data centres, router locations and major nodes of metropolitan-area networks. Virtual tours of data centres, maps depicting East Coast termination points of all long-haul undersea communications cables and street-level maps of fibre-optic networks are also available.
Reston, Va.-based XO Communications Inc.’s Web site provides location information for all of the company’s five data centres, as well as a virtual tour inside a “typical” centre, including a description of all security systems used to protect the facility. “The physical security threat is something that XO has to consider,” acknowledged James Isaacs, the company’s vice president of product management.
“On a day-to-day basis, most of our concern deals with the logical [network] layer rather than the physical layer,” said Isaacs. However, the physical “perspective merits focus,” he said. “The entire telecommunications industry has to take it into consideration.”
Similar information is available online about the networks and data centres operated by AT&T Corp., Cable & Wireless PLC, Sprint Corp. and Qwest Communications International Inc.
The public availability of maps depicting the nationwide Sprint network has led to a series of “intense discussions” at the company to determine what else can be seen on its Web site, said Robin Carlson, a spokeswoman for Kansas City, Mo.-based Sprint. Carlson said Sprint lacks that information on a corporate level because its individual business units manage their own Web site content.
Nikki Laughlin, a spokeswoman for London-based Cable & Wireless, which publishes maps of all of its U.S. and global networks, downplayed the sensitivity of the information contained in the maps. “We give no specificity on our network maps,” she said. “It just has the city name and would not give terrorists enough information to locate us. It’s really a sales tool.”
Denver-based Qwest couldn’t be reached for comment.
Computerworld also found detailed street-level maps of the fibre backbone serving the city of Palo Alto, Calif., including locations of underground cables and backbone splice points. Jennifer Crossen, a spokeswoman for City of Palo Alto Utilities, said the department doesn’t believe any of the information would be of use to a terrorist. “It’s not any different than what anybody could see walking down the street,” she said.
Washington, D.C.-based TeleGeography Inc. publishes detailed network maps, including the locations of undersea cable termination points, for use by telecommunications companies. TeleGeography CEO Jason Kowal said he doesn’t think that the level of detail on his company’s maps would be useful to terrorists. However, Kowal acknowledged that “if you knew what you were looking for, you could probably find it.”
Detailed information about the nation’s nuclear power plants and other energy infrastructures is readily available on the Internet.
An examination of U.S. Department of Energy (DOE) Web sites revealed maps that provide the approximate locations of all nuclear waste storage facilities, nuclear reactors and surplus plutonium storage sites in the country.
In addition, the Energy Information Administration (EIA), a division within the DOE, offers Web surfers an online database of electric power profiles for every state, plus a sortable database of all operational nuclear reactors and a detailed depiction of a typical uranium mill.
A program manager at the EIA said he couldn’t comment on the Web content, and the DOE didn’t respond to Computerworld’s request for comment.
However, Paula Scalingi, former director of critical infrastructure protection at the DOE, said the problem needs to be addressed immediately.
“The genie is out of the bottle,” and steps should be taken to study what value, if any, this sort of information provides the public, she said. Scalingi, who now heads her own private consulting business, tried to conduct such a study last year at the DOE but couldn’t get funding, she said.
Ed Badolato, president of Washington, D.C.-based Contingency Management Services Inc. and the former deputy assistant secretary for energy emergencies at the DOE, said the amount of information about critical energy infrastructures available on the Internet provides a blueprint for terrorists. Most of the information was put there as a response to regulatory requirements and for business promotion purposes, Badolato said.