[ISN] Our P2P Investigation Turns Up Business Data Galore

From: InfoSec News (alerts@private)
Date: Mon Mar 17 2008 - 00:38:15 PST


http://www.informationweek.com/story/showArticle.jhtml?articleID=206903417

By Avi Baumstein
InformationWeek
March 17, 2008

Are peer-to-peer networks really filled with sensitive corporate data 
just waiting to be plucked and abused? It seems unlikely--surely people 
wouldn't be that sloppy. Like a 19th century prospector, I decided to 
dip my pan into the stream to see what I could find.

The results were shocking and scary--loads of confidential business 
documents and enough personal information to ruin any number of lives 
and create PR nightmares for quite a few companies. Among the business 
documents were spreadsheets, billing data, health records, RFPs, 
internal audits, product specs, and meeting notes, all found in a quick 
expedition, using simple tools.

It's doubtful that so many people were sharing such sensitive files on 
purpose. More likely, the users, or even their children, had installed a 
P2P program to download music or a TV show, and clicked "OK" to all the 
questions during the install process. One of those questions is which 
folder to share files from, and often the default is the Windows My 
Documents folder. The result was plain--and in many ways worse than the 
lost laptops that have made so much news, because the files are 
available to the entire world and leave no trace when they're taken. If 
my sampling is any indication, it's clearly time to add P2P file sharing 
to your list of security threats.


CHOOSE YOUR NETWORK

There are several popular P2P protocols, each with a number of client 
programs that can access the network. While user numbers are hard to 
estimate, BitTorrent is thought to be the top network, with more than 10 
million users of just one of its tracker sites, ThePirateBay.org. 
(Tracker sites track the whereabouts of P2P files so they can be 
accessed.) BitTorrent operates differently from other P2P networks, in 
that a user must take deliberate steps to share a file. It's also the 
network that's used the most for legitimate purposes, as much open 
source software is distributed via BitTorrent to save developers on 
bandwidth costs.

I focused on the Gnutella network because many of the clients are open 
source. The authors, driven by idealism, often require that files be 
shared and include default sharing options that expose more than a user 
intends. Gnutella, like a few other P2P networks, lets you browse all 
the files a remote computer is sharing, so you can pivot from a 
promising search result to related files from the same user. Its most 
popular client, LimeWire, has a market share of more than a third of all 
P2P clients and reportedly is installed on more than 18% of all 
computers. Other client software with sizable installed bases include 
Kazaa, Morpheus, and Soulseek.

Even though the basic version of LimeWire is free, I bought LimeWire Pro 
because it allows connections to more servers (ultrapeers, in Gnutella 
terms), which should turn up more results in less time. Choosing good 
search terms is essential. Since Gnutella 
supports only file-name searches, I had to think of how people might 
name the files that I was looking for, rather than what the content 
might be. I put together a list of search terms, including "audit," 
"RFP," "proposal," and "minutes" and limited searches to "documents" to 
avoid being inundated with results for media files.

My search for "audit" turned up about 20 results. None were too 
promising, so I used LimeWire's connections tab to remove all the 
servers I was connected to, causing LimeWire to reconnect to other 
servers. Gnutella has no central server cataloging shared files; every 
client is also a server, and each one sees only the part of the network 
it is connected to. If a search with one set of servers doesn't turn up 
desired results, then try different servers, which will provide varied 
views of the files on the network.

I then clicked on "Get More Results" and found a file with a promising 
name: "internal audit plan." This is where the true power of LimeWire's 
"Browse Host" button paid off, letting me explore all the files shared 
by that computer. It turned up a feast of documents, along with some 
really bad music. Apparently, I'd found a computer used by a consultant 
for a major accounting firm. Besides the internal audit plan and some 
Foreigner tunes, I had audit results from several engagements, interview 
notes from internal investigations, and a few companies' financial 
results.
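To make the two mechanics above concrete, the following is an added Python example, not code from the article or from LimeWire: it encodes a Gnutella Query descriptor, which carries nothing but a file-name search string, and decodes the stream of QueryHit descriptors that a Browse Host answer consists of, then flags results whose names match the article's search terms the way a defender auditing what a host is sharing would. Field layouts follow the Gnutella 0.4 descriptor format; the Browse Host mechanism (an HTTP GET to the servent's listening port with Accept: application/x-gnutella-packets, answered by QueryHit descriptors) is stated from the protocol extension, not from the article. The host addresses, file names and the sensitive-term list are constructed for the example.

```python
import os
import re
import struct

# Gnutella descriptor header: 16-byte message GUID, 1-byte payload type,
# TTL, hops, then a 4-byte little-endian payload length (23 bytes total).
HEADER_LEN = 23
QUERY, QUERY_HIT = 0x80, 0x81


def build_descriptor(ptype, payload, ttl=7, hops=0, guid=None):
    """Wrap a payload in a Gnutella descriptor header."""
    guid = guid if guid is not None else os.urandom(16)
    return guid + bytes([ptype, ttl, hops]) + struct.pack("<I", len(payload)) + payload


def build_query(search, min_speed=0):
    """Query (0x80): 2-byte LE minimum speed, then a NUL-terminated search
    string. Only file names are matched, which is why search terms have to be
    words people put in file names rather than in document contents."""
    return build_descriptor(QUERY, struct.pack("<H", min_speed) + search.encode() + b"\x00")


def build_query_hit(ip, port, files, servent_id, speed=0):
    """QueryHit (0x81): hit count, LE port, big-endian IP, LE speed, then one
    (LE index, LE size, NUL-terminated name, NUL-terminated extension block)
    record per file, with the 16-byte servent GUID as the last payload bytes."""
    body = bytes([len(files)]) + struct.pack("<H", port)
    body += bytes(int(o) for o in ip.split(".")) + struct.pack("<I", speed)
    for index, size, name in files:
        body += struct.pack("<II", index, size) + name.encode() + b"\x00" + b"\x00"
    return build_descriptor(QUERY_HIT, body + servent_id)


def parse_descriptor(buf):
    """Return (guid, ptype, ttl, hops, payload, bytes_consumed); raise if truncated."""
    if len(buf) < HEADER_LEN:
        raise ValueError("short header")
    plen = struct.unpack("<I", buf[19:23])[0]
    end = HEADER_LEN + plen
    if len(buf) < end:
        raise ValueError("truncated payload")
    return buf[:16], buf[16], buf[17], buf[18], buf[HEADER_LEN:end], end


def parse_query_hit(payload):
    """Decode a QueryHit payload into host details and the shared-file list."""
    if len(payload) < 11 + 16:
        raise ValueError("QueryHit too short")
    count = payload[0]
    port = struct.unpack("<H", payload[1:3])[0]
    ip = ".".join(str(b) for b in payload[3:7])
    speed = struct.unpack("<I", payload[7:11])[0]
    pos, files = 11, []
    for _ in range(count):
        index, size = struct.unpack("<II", payload[pos:pos + 8])
        pos += 8
        name_end = payload.index(b"\x00", pos)
        name = payload[pos:name_end].decode("utf-8", "replace")
        pos = payload.index(b"\x00", name_end + 1) + 1  # skip the extension block
        files.append((index, size, name))
    # Bytes between the result set and the trailing GUID are the optional
    # QHD (vendor code, flags); they are ignored here.
    return {"ip": ip, "port": port, "speed": speed, "files": files,
            "servent_id": payload[-16:]}


def parse_hit_stream(buf):
    """A Browse Host answer is a concatenation of descriptors; decode every
    complete QueryHit and skip descriptors of other types."""
    hits, pos = [], 0
    while pos + HEADER_LEN <= len(buf):
        _, ptype, _, _, payload, used = parse_descriptor(buf[pos:])
        if ptype == QUERY_HIT:
            hits.append(parse_query_hit(payload))
        pos += used
    return hits


# Constructed term list mirroring the article's searches; document extensions
# play the role of LimeWire's "documents" filter.
SENSITIVE = re.compile(r"audit|rfp|proposal|minutes|ssn|tax.?return|credit.?report|passw", re.I)
DOC_EXT = (".doc", ".docx", ".xls", ".xlsx", ".pdf", ".csv", ".txt", ".rtf")


def flag_sensitive(hit):
    """Shared names that look like business documents and match a sensitive term."""
    return [name for _, _, name in hit["files"]
            if name.lower().endswith(DOC_EXT) and SENSITIVE.search(name)]


# Constructed sample browse answer from two servents (documentation-range IPs).
SAMPLE_BROWSE = build_query_hit(
    "192.0.2.10", 6346,
    [(1, 48_128, "internal audit plan.doc"),
     (2, 5_242_880, "Foreigner - Cold As Ice.mp3"),
     (3, 20_480, "ssn list.xls"),
     (4, 1_048_576, "vacation.jpg")],
    servent_id=b"\x11" * 16)
SAMPLE_BROWSE += build_query_hit(
    "192.0.2.11", 6346, [(7, 12_288, "board minutes jan.pdf")], servent_id=b"\x22" * 16)


def scan_browse(buf=SAMPLE_BROWSE):
    """Map each responding host to the sensitive-looking files it is sharing."""
    return {f"{h['ip']}:{h['port']}": flag_sensitive(h) for h in parse_hit_stream(buf)}


if __name__ == "__main__":
    print("query payload:", parse_descriptor(build_query("audit"))[4])
    for host, names in scan_browse().items():
        print(host, names)
```

Run against a real Browse Host capture, scan_browse() is the check a company can point at its own employees' or suppliers' machines: anything it returns is already visible to every other peer. The parser deliberately stops at a truncated descriptor rather than guessing, since a malformed QueryHit from a hostile peer is exactly where a naive decoder would misparse.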

Giddy from my quick success, I tried other search terms and slogged 
through dozens of computers full of tailings such as High School Musical 
and Fall Out Boy, until I entered "ssn" for Social Security number. 
LimeWire, which displays the IP address of the computer hosting each 
file a search returns, showed an entire page of results for ssn, all 
with the same IP address. Using "browse host," I discovered a mother 
lode of bank passwords and credit card numbers, a few dozen files 
labeled as Equifax credit reports, and a handful of tax returns.

I'd stumbled upon what's known as an information concentrator. These are 
people who do what I was doing--troll the P2P networks for files with 
personal data. But their intentions are far more sinister--typically 
identity theft. Most likely this person was inadvertently resharing the 
confidential information he had found, making the same mistakes with P2P 
that his prey had made.


WHO'S TO BLAME?

As I honed my technique, I got more reliable results. The search term 
"minutes" led me to what looked like the computer of a highly placed 
staffer of a state political party. There were files with the home and 
cell phone numbers of senators, confidential meeting notes, and 
fund-raising plans.

I came across a veterinary clinic, with listings of pets and their 
owners' billing information. A medical office revealed spreadsheets 
listing patients' names along with their HIV and hepatitis status. Wow. 
In between the vacation photos, there were piles of résumés, and one 
computer had a slew of court documents regarding a sticky divorce.

Among all this, a pattern emerged. Someone was sharing a large number of 
design specifications and orders for clothing, each labeled with the 
major retailer that had ordered the designs, along with correspondence 
between the suppliers and factories concerning the orders.

Another person appeared to be the owner of a cell-tower consulting firm. 
In front of me were files with site surveys and feasibility studies of 
various tower locations for several national carriers. Were I so 
inclined, I could probably buy up properties for which no suitable 
alternative locations were mentioned, then hold the phone company 
hostage for a high price.

After finding the RFPs and bids of a small consulting firm working for 
several government agencies, it hit me. Most large companies have 
security measures to prevent data leaks, but they work with many small 
suppliers and partners, entrusting them with confidential data. And it 
was mostly these small businesses, probably without any IT support or 
formal security policies, that were leaking the large companies' data.

Based on what I was able to find with simple tools in a short time, it's 
clear that there's really a lode of important corporate data coursing 
through P2P networks. It's essential that companies not just implement 
strong policies and preventive measures covering their own computers 
and networks, but also address those used by employees at home and the 
practices of partners and suppliers.

Avi Baumstein is an information security analyst at the University of 
Florida's Health Science Center.


___________________________________________________      
Subscribe to InfoSec News
http://www.infosecnews.org/mailman/listinfo/isn 
