P2P Security Concerns

I recently read an interesting article in the March 17 issue of Information Week, “We Strike Data Galore” by Avi Baumstein (yes, I am behind in my reading).

The article pointed out how many P2P network users are unintentionally exposing very sensitive data while using the networks. Examples include popular P2P networks such as BitTorrent and Gnutella. Clients used to browse P2P networks include LimeWire, Kazaa, Morpheus, and Soulseek.

It’s likely the sharing is not intentional. Rather, the P2P user installed the browsing client and accepted all the default installation settings. If the default option is to share your My Documents folder, well, you’ve just shared all the documents on your computer with everyone else who has access to the same P2P network. As pointed out in the article, this is actually worse than losing a laptop, because people can take the files without leaving any trace, and without the owner even knowing that the files have been shared.

Finding sensitive materials is easy: just search for terms such as spreadsheets, billing data, health records, RFPs, internal audits, product specs, meeting notes, etc. As the author discovered, if you really want to find some sensitive materials, try terms like SSN, tax return, credit card numbers, or HIV patient.

What to do about this potentially disastrous PR nightmare? The author recommends having your company’s security staff search the P2P networks for examples of your company’s documents, ultimately tracing the host computer back to its owner via the IP address.

I’d also recommend that you set a specific policy regarding the use of P2P networks on company-owned computers. And if you think there’s a chance your employees would figure out a way to work around your policy (there is a chance), I’d also educate them on how easy it is to share the wrong documents and on the potential ramifications of giving such documents away.
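One concrete way to back up that education is to audit a folder before a P2P client is ever pointed at it, looking for the same kinds of material the article's author found on the networks. The script below is an added example written for this post; it is not code from the article, from Information Week, or from any P2P client. The filename keyword list, the SSN and card-number patterns, and the sample files it builds in a temporary directory are all constructed for illustration, and a real deployment would tune them to the organisation's own document types.

```python
import re
import tempfile
from pathlib import Path

# Filename terms worth flagging in a folder that is about to be shared.
# Constructed list, loosely based on the kinds of documents the article
# mentions (spreadsheets, billing data, health records, tax returns ...).
SENSITIVE_NAME_TERMS = (
    "ssn", "tax return", "credit card", "billing", "health record",
    "patient", "audit", "rfp", "spec", "meeting notes", "spreadsheet",
)

# US Social Security Number: NNN-NN-NNNN, excluding a few never-issued ranges.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

# 13 to 16 digits, optionally separated by spaces or dashes; candidates are
# confirmed with a Luhn check so phone numbers and dates are not reported.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_text(text: str) -> list:
    """Return (kind, match) pairs for SSNs and Luhn-valid card numbers in text."""
    findings = []
    for m in SSN_RE.finditer(text):
        findings.append(("ssn", m.group()))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            findings.append(("card", m.group()))
    return findings


def audit_share_folder(root) -> list:
    """Walk the folder a P2P client would share and report files that look sensitive."""
    root = Path(root)
    report = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        name_hits = [t for t in SENSITIVE_NAME_TERMS if t in path.name.lower()]
        try:
            text = path.read_text(errors="ignore")   # binary files are scanned best-effort
        except OSError:
            text = ""
        content_hits = scan_text(text)
        if name_hits or content_hits:
            report.append({
                "path": path.relative_to(root).as_posix(),
                "name_terms": name_hits,
                "content": content_hits,
            })
    return sorted(report, key=lambda r: r["path"])


def build_sample_share(root) -> None:
    """Create a small constructed 'My Documents' tree for the demonstration."""
    samples = {
        "vacation photos.txt": "beach, mountains, lake",
        "2007 tax return.txt": "Adjusted gross income: 45,210",
        "finance/customers.csv": "name,ssn,card\nJane Doe,123-45-6789,4111 1111 1111 1111\n",
        "notes.txt": "call the office at 555-123-4567 tomorrow",
    }
    for rel, body in samples.items():
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(body)


def demo() -> list:
    """Build the sample tree, audit it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_share(tmp)
        return audit_share_folder(tmp)


if __name__ == "__main__":
    for entry in demo():
        print(entry["path"], entry["name_terms"], entry["content"])
```

On the constructed sample the audit flags the tax return by its filename and the customer CSV by its contents, while the phone number in the notes file is ignored because it is too short to be a card number and fails the SSN layout. Running something like this against the folder a client proposes to share, before accepting the installer's defaults, catches exactly the class of accident the article describes.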

I welcome your comments,
Mike Brannan