[ISN] Download music, share bank account info for free on P2P networks

From: InfoSec News (alerts@private)
Date: Wed Jun 13 2007 - 22:08:06 PDT


By Jaikumar Vijayan
June 12, 2007 

It's not just the Recording Industry Association of America that people 
need to worry about when downloading music from P2P networks.

A surprisingly high number of consumers sharing music and other files on 
peer-to-peer systems are inadvertently exposing all sorts of bank 
account and similar personal information on their computers to criminals 
lurking on the networks to harvest data. And it's not just users at home 
who are exposing information about themselves; so are a large number of 
employees within banks, as well as banks' contractors and suppliers.

That's the conclusion of a study on the dangers of inadvertent data 
disclosure on file-sharing networks that was conducted by Dartmouth 
University's Tuck School of Business.

The study examined data involving P2P searches and files related to the 
top 30 U.S. banks over a seven-week period between December 2006 and 
February 2007. The university used a search engine technology from 
Tiversa Inc. to gather and analyze all P2P traffic that mentioned those 
banks by name or mapped to a specific digital footprint that Dartmouth 
created for each financial institution. Data was gathered from P2P 
networks such as Gnutella, FastTrack, eDonkey and BitTorrent.

The analysis showed that a large number of searches made on those 
networks were aimed at uncovering sensitive financial data from 
individuals, said study author Eric Johnson, a professor of operations 
management at the school's Center for Digital Strategies. "Our analysis 
clearly reveals a significant information risk firms and individuals 
face from P2P file-sharing networks," he said.

When people use popular P2P clients such as Kazaa, Lime Wire, BearShare, 
Morpheus and FastTrack, they often are sharing far more than just media 
files, Johnson said. "In many cases they are sharing the contents of 
their entire hard drive" with others on the file-sharing network, 
Johnson said.

That's because many of these client tools are designed specifically to 
quickly search for and share certain types of media files on a user's 
system, Johnson said. Normally, such P2P clients allow users to download 
files to and share items from a particular folder. But if proper care is 
not taken to control the access that these clients have on a system, it 
is very easy to expose far more data than intended, he said.

There are several ways this can happen, Johnson noted in his research 
paper. For instance, when a music file is accidentally dropped into a 
folder containing other data, the contents of the entire folder could 
end up being shared on a P2P network without a user's knowledge. Many 
P2P client software tools have confusing interfaces that could result in 
users sharing folders that they did not intend to. Similarly, some 
file-sharing apps feature wizards that scan an individual's computer and 
recommend folders containing media to share. If a sensitive file exists 
in one of those recommended folders, it could get exposed, Johnson wrote 
in his research.
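The mechanisms above all come down to the same thing: whatever sits in a
configured share is served, not just the media the client's interface
suggested. The following added example (not code from the study, Tiversa or
any P2P client) is a defender-side audit of one share folder: it walks the
tree, separates media from other files, and flags documents whose names
hint at account or credential data. The keyword list and the constructed
"My Music" tree in demo() are assumptions for illustration.

```python
import re
import tempfile
from pathlib import Path

# Extensions a music/video sharing client is expected to serve.
MEDIA_EXT = {".mp3", ".ogg", ".wav", ".flac", ".wma", ".avi", ".mp4", ".mkv", ".jpg", ".png"}
# Document types that should never sit in a shared folder.
DOCUMENT_EXT = {".xls", ".xlsx", ".csv", ".doc", ".docx", ".pdf", ".mdb", ".txt"}
# Filename words that suggest account or credential data (assumed heuristic, not exhaustive).
SENSITIVE_WORDS = re.compile(r"account|password|passwd|routing|pin|statement|tax|review|bank", re.I)

def audit_share(root):
    """Walk one configured share and classify every file under it.

    Returns a dict of three sorted lists of paths relative to root:
      media      - files the client was meant to share
      documents  - non-media files that will be served to anyone searching
      sensitive  - documents whose name also matches an account/credential keyword
    """
    root = Path(root)
    report = {"media": [], "documents": [], "sensitive": []}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        ext = path.suffix.lower()
        if ext in MEDIA_EXT:
            report["media"].append(rel)
            continue
        # Anything else in the share is served too, whatever the client's wizard suggested.
        report["documents"].append(rel)
        if ext in DOCUMENT_EXT and SENSITIVE_WORDS.search(path.name):
            report["sensitive"].append(rel)
    for key in report:
        report[key].sort()
    return report

def demo():
    """Constructed sample: a 'My Music' share into which a spreadsheet was dropped."""
    with tempfile.TemporaryDirectory() as tmp:
        share = Path(tmp) / "My Music"
        (share / "Golden West").mkdir(parents=True)
        (share / "Golden West" / "golden_west_track01.mp3").write_bytes(b"ID3")  # constructed
        (share / "business_accounts.xls").write_bytes(b"constructed sample")
        (share / "notes.txt").write_text("constructed sample")
        return audit_share(share)

if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Pointing audit_share() at each folder a client lists as shared gives a quick
inventory of what is actually reachable from the network.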

The kind of information that can be exposed in this manner is 
astounding, Johnson said. "We found files containing all the information 
needed to commit identity theft. We found almost every kind of business 
document, from spreadsheets to performance reviews. In one instance, we 
found a bank spreadsheet with account information on 23,000 business 
accounts that was leaked. We even found a security evaluation done by a 
third party contractor" of a bank network.

Almost 80% of the leaked information analyzed in the Dartmouth study 
came from home PC users. The rest came from systems belonging to bank 
employees or banks' partners, Johnson said.

While some of the information was inadvertently leaked, there are 
growing signs that cybercriminals are using P2P networks to specifically 
search for and harvest such data, Johnson said. A significant portion of 
the search terms that were analyzed during the Dartmouth study appeared 
to be looking for databases, account and user information, passwords and 
routing and PIN numbers, Johnson said. Sometimes, sensitive data was 
accidentally exposed via the coincidental association of a search term 
with sensitive information. For example, users searching for songs 
containing the words "golden" or "west" in the title pulled up files 
containing account information belonging to Golden West bank, Johnson 
said in his report. Similarly, users looking to download the song "State 
Street Residential" sometimes pulled in data belonging to State Street 
bank customers.

The Dartmouth study raises concerns similar to those outlined in a 
report released in March by the U.S. Patent and Trademark Office 
(USPTO). That report was based on an analysis of five specific features 
included in file-sharing software from Kazaa, Lime Wire, Morpheus, 
BearShare and eDonkey. It concluded that the distributors of the 
software deliberately included those features in their tools, despite 
knowing that the features could cause users to inadvertently share 
sensitive data with others on P2P networks.

The report was sent to the U.S. Department of Justice, the Federal Trade 
Commission and the National Association of Attorneys General.

This archive was generated by hypermail 2.1.3 : Wed Jun 13 2007 - 22:16:01 PDT