Sensitive Data Leaking Onto P2P Networks

Computerworld - Corporate and government documents containing confidential  and sometimes classified  data are increasingly getting exposed through the use of peer-to-peer networks on computers holding the sensitive information.

The problem of inadvertent exposure of sensitive data on P2P networks is a whole lot worse than many government and corporate IT managers believe, said Eric Johnson, professor of operations management at the Center for Digital Strategies at Dartmouth Colleges Tuck School of Business in Hanover, N.H.

Much of the problem, Johnson told the U.S. House Committee on Oversight and Government Reform late last month, is due to the installation of P2P software on computers used by telecommuting workers and contractors.

P2P file-sharing networks represent a significant and poorly understood threat to business, government and individuals, Johnson said. Every employee, contractor, customer or supplier is a potential weak link.

Retired U.S. Army Gen. Wesley Clark, a member of the board of directors at Tiversa Inc., a Cranberry Township, Pa.-based provider of P2P network monitoring services, told the House committee during a hearing that he was able to access more than 200 sensitive government documents from file-sharing networks in a matter of hours.

Clark said he found classified diagrams of the Pentagons backbone network infrastructure, complete with IP addresses and password change scripts; physical terrorism threat assessments for three major U.S. cities; and information on the U.S. Department of Defenses information security system audits on P2P networks. Theres all kind of data leaking out inadvertently, Clark told the committee.

The documents discovered during Clarks search were simply what we found when we put the straw in the water, he said. The American people would be outraged if they were aware of what is inadvertently being disclosed on P2P networks, said Clark.

The retired general said that the use of P2P software by a contract worker at the Pentagon likely caused much of the data to leak onto the P2P network. The breach was discovered in May.

Daniel Mintz, CIO at the U.S. Department of Transportation, told the committee that 93 DOT-related documents were inadvertently exposed on a P2P network in March.

He blamed the release of the documents on the installation of Lime Wire LLCs LimeWire P2P software on the computer of a DOT worker who was authorized to work at home. Mintz said the music- and video-sharing software was installed by the workers teenage daughter.

The DOT inspector general found that 30 of the approximately 93 DOT-related documents were publicly accessible at the time via LimeWire or other P2P software by virtue of residing in a shared folder, Mintz said.