Your P2P Empowered Computer: Over 1,000,000 Served!
January 30, 2010 – Did you know that sharing your music or your videos on the net could expose you to an entire network of criminals trying to access your personal data? You may feel confident that you are sharing just a few music files, but you may be sadly mistaken. Dartmouth College’s Tuck School of Business recently conducted a study of the dangers of inadvertent data disclosure on file-sharing networks. The study examined P2P searches and files relating to 30 top US banks.
The study group used search engine technology from Tiversa Inc. to collect and scrutinize all the P2P traffic that mentioned the banks under study by name, or that matched a digital footprint the University created for each of the financial institutions being studied. The data was gathered from current networks such as BitTorrent, FastTrack, Gnutella and eDonkey. The study found that an exceedingly high number of consumers doing simple tasks such as sharing music software on the P2P networks were inadvertently divulging sensitive data, such as bank account and credit card details, to criminals looking for exactly that information. According to Eric Johnson, a study author and Professor of Operations at Dartmouth’s Center for Digital Strategies, a significant number of individuals as well as firms face this risk from peer-to-peer file-sharing networks.
What happens is the following. When people share files such as free music software or plain music, they often expose the entire contents of their computers to the whole network without realizing it, unless they specifically restrict the folders or file types to be shared. Criminals watching the network for this very purpose quickly pick up whatever is exposed.
One reason for the exposure is that popular P2P clients like BearShare, LimeWire, Morpheus and Kazaa are specifically designed to search for and retrieve certain types of media files on a user’s system. If music files have accidentally been placed in another folder, the contents of that entire folder can be exposed to the P2P network. If the folder happens to contain sensitive information, then all of that sensitive information is being uploaded right along with the music recording that you were kind enough to share with your friends. This makes it extremely important to control which folders are shared.
Another reason for the exposure is the confusing interfaces of some P2P clients, which result in users sharing a folder they never intended to share. The wizards included with the clients often make the problem worse by searching the entire computer for media files of all kinds and recommending that they be shared. It takes just one of these files sitting in a folder that contains sensitive information.
While some of the information is leaked inadvertently, cyber-criminals are increasingly using P2P networks to specifically search for and harvest such data. A considerable portion of the search terms that were analyzed appeared to be looking for account and user information, databases, routing and PIN numbers, and passwords. Sadly, home users account for the majority of the leaked information: as much as 80% of all the data comes from them. Most have limited knowledge of computer and network security, so they are inherently more vulnerable to data theft. For businesses, it is important to ensure that computers, servers, and other connected devices are securely configured and that restrictions are in place so that software cannot be installed without formal review and approval. Home users (especially parents) should remain vigilant to ensure that potentially dangerous software isn’t installed by computer-savvy teens, who might want to share a few tunes but may unknowingly share much, much more.
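One way to check a folder before a P2P client shares it, as an added example that is not part of the original article or the Dartmouth study: the Python script below walks a folder and reports every file that is not plain media or whose name contains one of the terms the study saw searched for. The extension list, the word list, the function names and the sample folder are all assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Assumption: the media types the P2P client is meant to share.
MEDIA_EXTS = {".mp3", ".wav", ".ogg", ".wma", ".avi", ".mpg", ".mp4", ".wmv"}
# Assumption: filename words modelled on the search terms the study describes.
SENSITIVE_WORDS = {"account", "accounts", "password", "passwords", "routing",
                   "pin", "database", "bank"}

def audit_shared_folder(root):
    """Return sorted (relative_path, reason) for files that are not plain media."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            stem, ext = os.path.splitext(name.lower())
            # Match whole words only, so "pin" does not fire on "spinning".
            words = set(re.split(r"[^a-z0-9]+", stem)) & SENSITIVE_WORDS
            if words:
                reason = "sensitive name: " + ", ".join(sorted(words))
            elif ext not in MEDIA_EXTS:
                reason = "non-media file"
            else:
                continue  # ordinary media file, expected in a share
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            findings.append((rel.replace(os.sep, "/"), reason))
    return sorted(findings)

def make_sample_share():
    """Build a constructed share folder: one song next to private documents."""
    root = tempfile.mkdtemp(prefix="p2p_share_")
    os.makedirs(os.path.join(root, "taxes"))
    for rel in ("song.mp3", "bank_account_2009.xls", "passwords.txt",
                os.path.join("taxes", "return.pdf")):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("constructed sample\n")
    return root

if __name__ == "__main__":
    for path, reason in audit_shared_folder(make_sample_share()):
        print(f"{path}: {reason}")
```

An empty result means the folder holds only media files with unremarkable names; any finding is a file that would be offered to the network along with the music.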
Ivan Vazquez, AKA The Reaper, is a CompTIA Security+ certified IT professional with more than 15 years of experience in the Information Technology universe. He specializes in network intrusion prevention, incident identification and analysis, and vulnerability scanning and analysis. His past experience includes tenures with nationally and internationally known technology companies. Have feedback or questions? Don’t be afraid to send them to The Reaper.





