
Identity Thieves Love P2P


Last week Palo Alto Networks released the third edition of its Application Usage and Risk Report, which found an average of six P2P variants in 92% of the sample, with some organizations unknowingly hosting as many as 17 P2P variants. The study examines the real traffic of 900,000 users at more than 60 organizations (public and private sector), and most of these organizations had security policies and tools directed at preventing P2P usage.

The House Committee on Oversight and Government Reform is responding to reports that peer to peer file sharing allows Internet users to access other P2P users’ most important files, including bank records, tax files, health records, and passwords. This is the same P2P software that allows users to download pirated music, movies and software.

What’s interesting is that they didn’t already realize this was going on. Most of the committee members probably have kids, and their own home PCs probably have P2P software installed.

An academic from Dartmouth College found that he was able to obtain tens of thousands of medical files using P2P software. In my own research, I have uncovered tax returns, student loan applications, credit reports and Social Security numbers. I’ve found family rosters which include usernames, passwords and Social Security numbers for an entire family. I’ve found Christmas lists, love letters, private photos and videos (naughty ones, too) and just about anything else that can be saved as a digital file.

Installing P2P software allows anyone, including criminal hackers, to access your data. This can result in data breaches, credit card fraud and identity theft. This is the easiest and, frankly, the most fun kind of hacking. I’ve seen reports of numerous government agencies, drug companies, mortgage brokers and others discovering P2P software on their networks after personal data was leaked.

Blueprints for President Obama’s private helicopters were recently compromised because a Maryland-based defense contractor’s P2P software had leaked them to the wild, wild web.

The House Committee on Oversight and Government Reform sent letters to the Attorney General and FTC Chairman, asking what the Department of Justice is doing to prevent the illegal use of P2P. Which is kind of ridiculous, because it’s not illegal to use P2P programs. Even if it were made illegal, P2P file sharing is a wild animal that can’t be tamed.

The letter also asks what the government is doing to protect its citizens. Okay. I’ve sat with both the FTC and the DoJ. These are not dumb people. I’ve been very impressed by how smart they are. They know what they are doing and they see the major issues we face. But they are not in a position to prevent an Internet user from installing free, widely accessible software, and subsequently being stupid when setting it up and unintentionally sharing their C: drive with the world. No government intervention can prevent this. The House Committee on Oversight and Government Reform should focus more on educating the public about the use of P2P file sharing.

Politicians are most likely being lobbied and funded by the recording and motion picture industries to put pressure on the providers of such software. Letters and government noise will not do anything to stop file sharing. While there have been plenty of witch hunts leading to prosecutorial victories, the public will always be vulnerable. It is up to us, as individuals, to protect ourselves.

  • Don’t install P2P software on your computer.
  • If you aren’t sure whether a family member or employee has installed P2P software, check to see whether anything unfamiliar has been installed. A look at your “All Programs Menu” will show nearly every program on your computer. If you find an unfamiliar program, do an online search to see what it is you’ve found.
  • Set administrative privileges to prevent the installation of new software without your knowledge.
  • If you must use P2P software, be sure that you don’t share your hard drive’s data. When you install and configure the software, don’t let the P2P program select data for you.
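The last step above, checking that a P2P client's shared folders do not expose your personal data, is the one people get wrong. The script below is an added example (not the author's tool and not part of any P2P client): it takes the list of shared folders as configured in the client, flags a share that is a drive root or your whole home directory, and walks each share for file names and types that typically hold the kind of data described in this post (tax returns, credentials, financial and health records). The name patterns and the sample directory tree are constructed for the demonstration; extend the patterns to match your own environment.

```python
"""Audit what a P2P client's shared folders would expose.

Added example, not from the original post. Assumes the share list is
already known (e.g. copied from the client's settings dialog) and is
passed in as paths; the P2P client itself is never touched.
"""
import os
import re
import tempfile
from pathlib import Path

# File-name patterns that commonly indicate personal or financial data.
# Constructed for this example; tune them for your own environment.
SENSITIVE_PATTERNS = [
    (re.compile(r"(?i)(tax|1040|w-?2|return)"), "tax document"),
    (re.compile(r"(?i)(ssn|social.?security)"), "Social Security number"),
    (re.compile(r"(?i)(password|passwd|credential|login)"), "credentials"),
    (re.compile(r"(?i)(credit.?report|loan|bank|statement)"), "financial record"),
    (re.compile(r"(?i)(medical|health|patient)"), "health record"),
]
# Extensions that are sensitive regardless of name (mail stores, key vaults).
SENSITIVE_EXTENSIONS = {".pst", ".ost", ".kdbx", ".pfx", ".p12", ".key", ".ppk"}


def share_is_too_broad(share, home):
    """True if the share root is a filesystem root or covers the home directory."""
    share = Path(share).resolve()
    home = Path(home).resolve()
    if share == Path(share.anchor):            # e.g. C:\ or /
        return True
    return share == home or share in home.parents


def classify(path):
    """Return why a file looks sensitive, or None if nothing matched."""
    path = Path(path)
    if path.suffix.lower() in SENSITIVE_EXTENSIONS:
        return "sensitive file type " + path.suffix.lower()
    for pattern, label in SENSITIVE_PATTERNS:
        if pattern.search(path.name):
            return label
    return None


def audit_shares(shares, home):
    """Walk each shared folder and return findings as (path, reason) tuples."""
    findings = []
    for share in shares:
        share = Path(share)
        if share_is_too_broad(share, home):
            findings.append((str(share), "share root is too broad (drive root or home directory)"))
        if not share.is_dir():
            continue
        for root, _dirs, files in os.walk(share):
            for name in files:
                p = Path(root) / name
                reason = classify(p)
                if reason:
                    findings.append((str(p), reason))
    return findings


def build_demo_tree():
    """Constructed sample layout in a temp dir; returns (home, shares)."""
    base = Path(tempfile.mkdtemp())
    home = base / "Users" / "alice"
    downloads = home / "Downloads"
    docs = home / "Documents"
    for d in (downloads, docs):
        d.mkdir(parents=True)
    (downloads / "linux-install.iso").write_text("constructed placeholder")
    (docs / "2008_tax_return.pdf").write_text("constructed")
    (docs / "family_passwords.txt").write_text("constructed")
    (docs / "vault.kdbx").write_text("constructed")
    (docs / "christmas_list.txt").write_text("constructed")
    # One sane share (a dedicated download folder) and one over-broad share
    # (the whole home directory), which is the misconfiguration the post warns about.
    return home, [downloads, home]


if __name__ == "__main__":
    demo_home, demo_shares = build_demo_tree()
    for path, reason in audit_shares(demo_shares, demo_home):
        print(f"{reason}: {path}")
```

Run it against your real share list by replacing `build_demo_tree()` with the folders shown in the client's sharing settings. Any "share root is too broad" finding means the client is offering far more than a download folder, which is exactly the setup that leaks tax returns and password lists to the whole network.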

[Video: Robert Siciliano, identity theft speaker, hacking P2P and getting lots of fun data]



Comments (1)

A Finextra member, 04 May, 2009, 09:38

"Don’t install P2P software on your computer. "

I would not draw such straightforward conclusions on P2P. Of course if you talk about Limewire, Kazaa or DC++, the application by default shares your hard disk or parts of it with the community altogether with a filename search, and thus is a serious security risk.

But for BitTorrent networks this does not hold. To share a file on BitTorrent, you first need to compile a torrent file, upload it to a tracker server and then post it on a web site. Although some malware might be able to do this already, it is quite unlikely that BitTorrent would be a reasonable way to steal personal data from the victim.

However, BitTorrent is a powerful way of distributing large files across the internet without putting too much pressure on one or two download servers. It is actively and legally used for Linux installation package distribution and other such purposes.

P2P is now actively tested for distributing video streams to large populations. Also some projects are under way to use P2P in cell phones to extend network coverage. P2P also has a heavy new meaning in cloud computing.

So please do not judge ALL P2P traffic based on malware-spiced warez distribution networks. There are legal and clean services in P2P, and even more to come.
