US Military security boffins play golf, leak their data

A non-profit corporation that works as trade association for military personnel that ironically deal with communications, IT, intelligence and security, offers the world+dog a view of CSV files for people who took part in its golf and tennis tournaments, including names, email addresses, and phone numbers.

AFCEA is the “U.S. Armed Forces Communications and Electronics Association” a non-profit corporation and sort of trade association. The mid-Pacific island known as Hawaii has an AFCEA office as it’s to be expected. Its web site is dubbed, and AFCEA Hawaii claims to include “over 600 members representing the military, federal government, and industry” with the mission to help preserve “the security of our great nation”. It also offers on-line registrations for the Annual golf and tennis tournaments dubbed “TechNet Asia-Pacific” for its members.

The problem is that the poor security configuration of its web site has left personal data of members wide open for everyone to see, data which was surely submitted via its web form to register for its tennis and golf events, eventually getting indexed by and its cache.

Luckily, no national security secrets appear to have been leaked, but the information indexed by Google and its cache -and readily available for download from its site in the form of CSV files- includes names, phone numbers, and .mil email addresses. This is kinda embarrassing for an association that caters to people in the fields known as “C4I” which in American militaryspeak means “Command, Control, Communications, Computers, and Intelligence”.

The organization also provides scholarships, in disciplines that support “AFCEA Hawaii Fields of Interest (communications, IT, intelligence, and global security)”. That does not, apparently, include a major on how to configure a web site or store members’ email addresses and phone numbers safely, or to disable directory browsing on its web server.

Its web site informs visitors that AFCEA TechNet Asia – Pacific Conference – was was started 24 years ago by three members of AFCEA Hawaii, and had meetings at Hangar 25 at Hickam AFB and that the conference has grown to over 3,000 attendees and is now hosted at the Royal Hawaiian and Sheraton Waikiki Hotels. Luckily, only a small fraction of those 3,000 need to be worried, if they care about their names, phone numbers and email addresses being wide open on the interweb.

CSV means “comma-separated values” and is probably one of the oldest ways to store tabular data in computers. Usually each line represents a record, with different fields separated by commas. Think of it like a spreadsheet dumped as txt: each line in the CSV is a row in the table, which each cell separated by commas. You would think that CSV would be dead in the age of databases but it’s not. Google lists near three million results for a web search with CSV and java, for instance.

It’s a very simple and effective way to move data between different systems and to manage short lists of data that are only meant to be loaded or saved sequentially. As you can imagine, as the volume of data grows, accessing CSV files becomes slower. The best piece of code out there to work with CSV files from your program seems to be SuperCSV. It’s cross, platform, too. So, see, this scribbler not only highlights security mishaps, we also educate the mySQL generation on ancient technologies.

A glimpse of the data in those CSV files which has been indexed and cached by Google includes execs at IT firms like Oracle’s top honcho Joe Sheenan listed as “DOD manager”, with status “civilian” and his corporate email address and phone number. Others in the private sector are someone with name Terence from Dell inc. and a senior engineer from Qwest Communications named Andy (last names withheld here).

Among the military whose names, email addresses and phoene numbers are readily available in plain text are people from the US army (30th signal batallion), someone from the JHITS telecomms system of the navy, and a U.S. coast guard commander, among others. And that’s just glimpsing over the tennis players CSV file indexed by Google. There are other such files on the same site. The organization has been informed of this security mishap before running this story.

As a GrounchoMarxist, this scribbler can’t help thinking that perhaps there’s some truth to Groucho’s famous quote on military intelligence, or as security professionals like to say “security is as strong as its weakest link” in this case, the love for tennis and golf. What happened to that unwritten rule about computer geeks and IT types not exactly being sportsmen?.