[ISN] Downloads may pose security risk

From: InfoSec News (isnat_private)
Date: Thu Aug 29 2002 - 00:13:48 PDT


    Forwarded from: Steve Munyon <steve.munyonat_private>

    Downloads may pose security risk
    By Jennifer Beauprez
    Denver Post Business Writer
    Wednesday, August 28, 2002

    Downloading that new Britney Spears hit from the Net may come at a
    cost that includes divulging personal bank account information, credit
    card numbers and even company secrets.

    Millions of people, following the trend first set by Napster, use
    file-sharing websites not only to copy and download free music, but
    also find pictures, video clips, pirated software and documents from
    millions of others who open their computers to a virtual network.

    These so-called peer-to-peer websites allow people to download free
    files - primarily songs - stored on the computers of millions of other
    file-sharing users.

    Yet many people don't know they can inadvertently open private content
    - their entire hard drive - to the world if they rush through
    installation of the software for those services. They could also put
    their files at risk if they later move the folder that contains that

    The risks? A home user may unwittingly divulge financial records or
    personal e-mail. Business employees could inadvertently disclose
    marketing plans, internal memos, secret software code or corporate
    budgets from their own computer or any server to which they are

    "The risk of exposure is just massive," said Michael Reagan, senior
    vice president of marketing for Vericept Inc., a Denver company that
    sells software to alert employers when workers chat, shop, view
    pornography or share files on the Net.

    "Most people haven't realized what peer-to-peer is, and if they do
    know, they don't understand there is a big problem," Reagan said. He
    said Vericept's software can alert companies when confidential
    information is leaked.

    More and more companies forbid file-sharing because of the leaks as
    well as copyright concerns and congestion on their networks.

    "It's a huge bandwidth hog," said Corey Smith, information technology
    manager for Optika Inc., a Colorado Springs software maker that banned
    all file-sharing at work. "It only took two to three people to bring
    us to our knees, crashing our e-mail servers."

    Internet file-sharing has grown exponentially since the debut of
    controversial song-swapping service Napster, which filed for
    bankruptcy and has been offline for the past year following copyright
    lawsuits by record labels.

    Despite the copyright fight, people still sign up for file-sharing on
    a number of other sites, including Kazaa.com and Gnutelliums.com, and
    search for MP3 music files to download. They start by giving the site
    a user name and an e-mail address.

    People run into trouble when they breeze through installation of their
    file-sharing software, clicking "next" without reading each screen's
    text in detail. If the user later changes configurations or moves the
    folders for downloaded material, the software can share more files
    without that person's knowledge.

    Experts say people are safe if they turn off the file-sharing option
    when they install the software. But most click "okay" without seeing
    the option.

    "A lot of people want to hurry up and get everything installed so they
    can start downloading and make that great CD," said Fitz Miller, an
    engineer with IT Communications, a Colorado Springs network security
    assessment firm.

    In fact, eight in 10 people - even the most computer savvy - don't
    recognize they have disclosed personal files when using the service,
    according to research by Nathan Good, a researcher at H-P Labs in Palo
    Alto, Calif.

    Good first learned about the risks of file-sharing in June, when his
    brother complained that his computer was too slow.

    Good said his brother was sharing everything on his hard drive with
    the 85 million users of Kazaa.com. His research told him it wasn't an
    isolated case.

    In fact, his research showed that searches on Kazaa.com for
    "inbox.dbx" over a 12-hour period showed that 156 people accidentally
    shared their e-mail inboxes for anyone to download. That included
    their sent, saved and deleted messages.

    The documents are easy to find with keyword searches.

    A recent search using key words such as "account #," and "credit card"
    on Kazaa.com turned up a number of documents from corporate and
    personal computers.
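
    The two failure modes above (a shared folder that silently grows to include mailboxes and financial documents, and how easily such files are found by keyword) suggest a simple defender-side check. The script below is an added example, not part of the article or of any product it mentions: it walks a P2P shared folder and flags Outlook Express ".dbx" mailboxes, the article's own search keywords, and Luhn-valid card-like numbers. The share path, the constructed sample files and the demo() helper are assumptions.

```python
import re
import tempfile
from pathlib import Path
from typing import Dict, List

# Indicators from the article: Outlook Express "inbox.dbx" mailboxes and account/card keywords.
MAILBOX_SUFFIXES = {".dbx"}
KEYWORDS = ("account #", "credit card")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")  # 13-16 digits, optional separators

def luhn_ok(digits: str) -> bool:
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)  # double every second digit from the right
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def find_card_numbers(text: str) -> List[str]:
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            hits.append(digits)
    return hits

def audit_share(root: str) -> Dict[str, List[str]]:
    """Walk a P2P shared folder; map each risky file (relative path) to its reasons."""
    findings: Dict[str, List[str]] = {}
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        reasons = []
        if path.suffix.lower() in MAILBOX_SUFFIXES:
            reasons.append("mailbox file")
        text = path.read_text(errors="ignore")  # binary files simply yield no hits
        reasons += [f"keyword '{k}'" for k in KEYWORDS if k in text.lower()]
        if cards := find_card_numbers(text):
            reasons.append(f"{len(cards)} Luhn-valid card-like number(s)")
        if reasons:
            findings[str(path.relative_to(root))] = reasons
    return findings

def demo() -> Dict[str, List[str]]:
    """Audit a constructed share folder (sample files, not real data)."""
    with tempfile.TemporaryDirectory() as share:
        Path(share, "Inbox.dbx").write_bytes(b"JMF" + b"\x00" * 16)
        Path(share, "budget.txt").write_text(
            "Credit card on file: 4111 1111 1111 1111\nPhone 303-555-0100\n")
        return audit_share(share)
```

    Run audit_share() against the folder the client actually shares, not the folder you think it shares, since the article's point is that the two drift apart after a move or reconfiguration.
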
    One Microsoft Word document listed dozens of credit card numbers and
    expiration dates; another, extracted from a Texas company's computer,
    listed the names, addresses, social security numbers and salaries of

    Vericept's Reagan also discovered a document with the account number
    and recent stock trade information for a Salomon Smith Barney

    Reagan later talked to the woman, who said her granddaughter had
    downloaded MP3 files on her home computer and inadvertently shared her
    grandmother's personal financial information.

    A Salomon Smith Barney broker said the woman was unavailable for

    Such problems are typical of families in which multiple people are
    using the same computer, experts say. A parent could have a secure
    connection to a corporation for downloading and working on
    confidential files, only to have them inadvertently shared by a
    teenage son or daughter without either's knowledge.

    Many people don't know about file-sharing's security risk. But some
    opportunistic people do.

    "Unfortunately, the wrong people are finding out about it," said Aaron
    Krekelberg, lead Web developer at the University of Minnesota, who
    collaborated with Good on the study.

    Krekelberg and Good set up a server with phony documents that were
    shared on Kazaa.com to see if other users downloaded the private

    Within 24 hours, five people downloaded documents containing phony
    credit card numbers and e-mail inbox files.

    "They're coming in and grabbing (these documents)," Krekelberg said.
    "It's horrible."

    ISN is currently hosted by Attrition.org

    This archive was generated by hypermail 2b30 : Thu Aug 29 2002 - 03:22:22 PDT