Sensitive Data Leaking Onto P2P Networks

Government, businesses hit by inadvertent disclosures.

Corporate and government documents containing confidential and sometimes classified data are increasingly getting exposed through the use of peer-to-peer networks on computers holding the sensitive information.

The problem of inadvertent exposure of sensitive data on P2P networks is a whole lot worse than many government and corporate IT managers believe, said Eric Johnson, professor of operations management at the Center for Digital Strategies at Dartmouth College's Tuck School of Business in Hanover, N.H.

Much of the problem, Johnson told the U.S. House Committee on Oversight and Government Reform late last month, is due to the installation of P2P software on computers used by telecommuting workers and contractors.

"P2P file-sharing networks represent a significant and poorly understood threat to business, government and individuals," Johnson said. "Every employee, contractor, customer or supplier is a potential weak link."

Retired U.S. Army Gen. Wesley Clark, a member of the board of directors at Tiversa Inc., a Cranberry Township, Pa.-based provider of P2P network monitoring services, told the House committee during a hearing that he was able to access more than 200 sensitive government documents from file-sharing networks in a matter of hours.

Clark said he found classified diagrams of the Pentagon's backbone network infrastructure, complete with IP addresses and password change scripts; physical terrorism threat assessments for three major U.S. cities; and information on the U.S. Department of Defense's information security system audits on P2P networks. "There's all kind of data leaking out inadvertently," Clark told the committee.

The documents discovered during Clark's search were "simply what we found when we put the straw in the water," he said. "The American people would be outraged if they were aware of what is inadvertently being disclosed on P2P networks," said Clark.

The retired general said that the use of P2P software by a contract worker at the Pentagon likely caused much of the data to leak onto the P2P network. The breach was discovered in May.

Daniel Mintz, CIO at the U.S. Department of Transportation, told the committee that 93 DOT-related documents were inadvertently exposed on a P2P network in March.

He blamed the release of the documents on the installation of Lime Wire LLC's LimeWire P2P software on the computer of a DOT worker who was authorized to work at home. Mintz said the music- and video-sharing software was installed by the worker's teenage daughter.

The DOT inspector general found that 30 of the approximately 93 DOT-related documents were publicly accessible at the time via LimeWire or other P2P software by virtue of residing in a shared folder, Mintz said.

The breach occurred despite DOT efforts to implement security tools and programs that meet the requirements of the Federal Information Security Management Act, Mintz said.

"None of these [security measures] were sufficient to prevent access to government documents when a young family member downloaded software that she did not realize would be capable of exposing these documents to anyone else using the same or compatible software," he said.

Robert Boback, CEO of Tiversa, said that the problem of exposing sensitive data through P2P networks is also growing on the corporate side.

Publicly disclosed examples include Pfizer Inc.'s acknowledgment in June that personal data on about 17,000 employees had been exposed on a P2P network after the spouse of an employee used a company computer to access a file-sharing network.

In letters to the affected employees, the New York-based pharmaceutical firm said that data on about 15,700 of those workers was accessed and copied by an unknown number of persons on a P2P network.

Speakers at the hearing noted that if used correctly, popular P2P clients like Kazaa from Sharman Networks Ltd., LimeWire, BearShare from Musiclab LLC and Morpheus from StreamCast Networks Inc. are safe.

However, if files downloaded using the software are stored in folders alongside sensitive data, the latter could be exposed to other users of the software, they noted.

Lime Wire Chairman Mark Gorton said that the New York-based firm's P2P software contains several features designed to prevent inadvertent file-sharing, including the ability to prevent sharing of specific files or folders.

He said that users are warned when they try to share folders that are likely to contain sensitive information.
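The two safeguards described above, keeping downloads out of folders that hold sensitive files and warning before a general-purpose folder is shared, can be turned into a pre-share audit. The following is an added example written for this article, not LimeWire's own code; the document extensions, the list of risky folder names and the content patterns are assumptions, and the sample share built by `build_sample_share()` is constructed test data.

```python
"""Audit a folder before a P2P client shares it, flagging files that look like
documents rather than media and folders that are general-purpose user folders.
Added example for this article; heuristics are assumptions, not any vendor's logic."""
import os
import re
import tempfile
from pathlib import Path

# Extensions typical of office documents rather than music or video (assumed list).
DOCUMENT_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".ppt", ".pptx", ".txt", ".csv"}
# Folder names that a user usually should not share wholesale (assumed list).
RISKY_FOLDER_NAMES = {"documents", "my documents", "desktop"}
# Content patterns that suggest personal or secret data (constructed, illustrative).
CONTENT_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "password": re.compile(r"password\s*[:=]", re.IGNORECASE),
    "classification": re.compile(r"\b(CONFIDENTIAL|SECRET|CLASSIFIED)\b"),
}


def folder_is_risky(folder):
    """True when the folder is the user's home directory or sits under a
    general-purpose folder such as Documents or Desktop (the 'warn before
    sharing' case)."""
    path = Path(folder)
    if path == Path.home():
        return True
    parts = {p.lower() for p in path.parts}
    return bool(parts & RISKY_FOLDER_NAMES)


def scan_file(path, max_bytes=64 * 1024):
    """Return the reasons a file should not be shared; an empty list means it
    looks like ordinary media. Only the first max_bytes are inspected."""
    reasons = []
    p = Path(path)
    if p.suffix.lower() in DOCUMENT_EXTENSIONS:
        reasons.append(f"document type {p.suffix.lower()}")
    try:
        head = p.read_bytes()[:max_bytes].decode("utf-8", errors="ignore")
    except OSError:
        return reasons
    for name, pattern in CONTENT_PATTERNS.items():
        if pattern.search(head):
            reasons.append(f"content matches {name}")
    return reasons


def audit_shared_folder(folder):
    """Walk the folder recursively; return {relative_posix_path: [reasons]} for
    every file that should be excluded before the folder is shared."""
    flagged = {}
    root = Path(folder)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = Path(dirpath) / name
            reasons = scan_file(full)
            if reasons:
                flagged[full.relative_to(root).as_posix()] = reasons
    return flagged


def build_sample_share():
    """Create a constructed download folder: one media file, one spreadsheet
    with a fake SSN and one text note with a credential. Returns its path."""
    base = Path(tempfile.mkdtemp(prefix="p2p-share-"))
    (base / "song.mp3").write_bytes(b"ID3\x03\x00" + b"\x00" * 100)
    (base / "payroll.xlsx").write_text("employee,ssn\nalice,123-45-6789\n")
    (base / "notes").mkdir()
    (base / "notes" / "vpn.txt").write_text("password: hunter2\n")
    return str(base)


if __name__ == "__main__":
    share = build_sample_share()
    print("risky location:", folder_is_risky(share))
    for rel, why in audit_shared_folder(share).items():
        print(f"exclude {rel}: {', '.join(why)}")
```

Running the audit on the constructed share flags `payroll.xlsx` and `notes/vpn.txt` and leaves `song.mp3` alone; a client would exclude the flagged files (or refuse the share) rather than rely on the user noticing them.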

"At Lime Wire, we continue to be frustrated that despite our warnings and precautions, a small fraction of users override the safe default settings that come with the program and end up inadvertently publishing information that they would prefer to keep private," he told the House committee.

Preventive Measures

Chenxi Wang, an analyst at Forrester Research Inc. in Cambridge, Mass., said that despite a growing list of data leaks, some organizations continue to view the use of P2P networks by workers and contractors as a nuisance rather than as a security issue.

"Many IT managers still take insufficient measures to control such networks. They usually implement controls to block ports commonly associated with P2P activity and add network-filtering technologies to prevent leaks of sensitive data," she said.

Wang noted that older network intrusion-detection and -prevention systems are incapable of detecting P2P traffic. Therefore, she said, the widely used tools are helpless when dealing with the latest generation of P2P software, which is designed to evade security technologies by using encryption and commonly used ports, such as those for e-mail, to communicate.

Lloyd Hession, chief security officer at BT Radianz in New York, suggested that companies use deep-packet inspection technologies as part of any effort to prevent illicit P2P traffic.

Deep-packet network-filtering tools are designed to inspect the contents of packets flowing through the network and determine how they should be treated based on policy. "The best argument for deep-packet inspection is peer-to-peer traffic," Hession said.
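The contrast Wang and Hession draw, a port block that a client on an e-mail port walks straight past versus a payload check that recognises the protocol on any port, is small enough to show in code. This is an added example for this article, not any vendor's detection logic: the port list is an assumed set of historically P2P-associated ports, the flows in `sample_flows()` are constructed rather than captured, and the one signature the example relies on is the plaintext `GNUTELLA CONNECT/0.6` handshake that Gnutella clients such as LimeWire and BearShare begin a connection with.

```python
"""Port-based blocking versus payload-signature inspection for P2P traffic.
Added example for this article; flows are constructed and the rule sets are
assumptions, not a product's configuration."""
from dataclasses import dataclass

# Ports historically associated with P2P clients (assumed list for the port rule):
# 1214 Kazaa, 4662 eDonkey, 6346/6347 Gnutella, 6881 BitTorrent.
P2P_PORTS = {1214, 4662, 6346, 6347, 6881}

# Plaintext protocol openers that identify the traffic regardless of port.
PAYLOAD_SIGNATURES = {
    "gnutella": b"GNUTELLA CONNECT/0.6",
    "bittorrent": b"\x13BitTorrent protocol",
}


@dataclass
class Flow:
    """First payload bytes of one TCP connection, as a DPI engine would see them."""
    src: str
    dst: str
    dst_port: int
    payload: bytes


def port_rule(flow):
    """The older control: block only when the destination port is a known P2P port."""
    return "p2p" if flow.dst_port in P2P_PORTS else "allow"


def payload_rule(flow):
    """Deep-packet check: name the protocol if the payload starts with a known
    handshake, else None. Port is deliberately ignored."""
    for name, signature in PAYLOAD_SIGNATURES.items():
        if flow.payload.startswith(signature):
            return name
    return None


def classify(flow):
    """Combine both: a payload signature wins; otherwise fall back to the port
    rule. Returns (verdict, reason)."""
    proto = payload_rule(flow)
    if proto:
        return "p2p", f"payload signature: {proto}"
    if flow.dst_port in P2P_PORTS:
        return "p2p", f"known P2P port {flow.dst_port}"
    return "allow", "no signature, non-P2P port"


def sample_flows():
    """Constructed flows (not captured traffic), using documentation IP ranges."""
    gnutella_hello = b"GNUTELLA CONNECT/0.6\r\nUser-Agent: example\r\n\r\n"
    return [
        Flow("10.0.0.5", "203.0.113.9", 6346, gnutella_hello),   # Gnutella on its usual port
        Flow("10.0.0.5", "203.0.113.9", 25, gnutella_hello),     # same handshake on the SMTP port
        Flow("10.0.0.7", "198.51.100.2", 25, b"EHLO workstation.example\r\n"),  # real mail
        Flow("10.0.0.8", "198.51.100.3", 443, bytes(range(256))),  # opaque payload, no signature
    ]


def compare_rules(flows):
    """Return rows of (dst_port, port-rule verdict, combined verdict, reason)."""
    return [(f.dst_port, port_rule(f), *classify(f)) for f in flows]


if __name__ == "__main__":
    for port, by_port, combined, why in compare_rules(sample_flows()):
        print(f"port {port:5d}: port rule={by_port:5s} dpi={combined:5s} ({why})")
```

The second flow is the case Wang describes: the Gnutella handshake sent to port 25 is allowed by the port rule and caught only by the payload rule. The fourth flow shows the limit of both: an opaque or encrypted stream with no plaintext opener matches nothing and is allowed, which is the gap that Hession's endpoint control (no local administrator rights, so the client cannot be installed) is meant to close.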

In addition, companies should shut down administrative privileges on all laptops and other client devices to ensure that users can't download P2P software onto their systems, Hession suggested.

Copyright © 2007 IDG Communications, Inc.
