[Dataloss] Our P2P Investigation Turns Up Business Data Galore
security curmudgeon
jericho at attrition.org
Mon Mar 17 08:46:17 UTC 2008
[Great.. loads of billing data, health records and more, but absolutely no
details. Fun project and nice resulting article, but no follow through on
properly warning the companies or consumers? -- jericho]
---------- Forwarded message ----------
From: InfoSec News <alerts at infosecnews.org>
http://www.informationweek.com/story/showArticle.jhtml?articleID=206903417
By Avi Baumstein
InformationWeek
March 17, 2008
Are peer-to-peer networks really filled with sensitive corporate data just
waiting to be plucked and abused? It seems unlikely--surely people
wouldn't be that sloppy. Like a 19th century prospector, I decided to dip
my pan into the stream to see what I could find.
The results were shocking and scary--loads of confidential business
documents and enough personal information to ruin any number of lives and
create PR nightmares for quite a few companies. Among the business
documents were spreadsheets, billing data, health records, RFPs, internal
audits, product specs, and meeting notes, all found in a quick expedition,
using simple tools.
It's doubtful that so many people were sharing such sensitive files on
purpose. More likely, the users, or even their children, had installed a
P2P program to download music or a TV show, and clicked "OK" to all the
questions during the install process. One of those questions is which
folder to share files from, and often the default is the Windows My
Documents folder. The result was plain--and in many ways worse than the
lost laptops that have made so much news, because the files are available
to the entire world and leave no trace when they're taken. If my sampling
is any indication, it's clearly time to add P2P file sharing to your list
of security threats.
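The exposure path described above (a click-through install that shares "My Documents") can be checked for rather than guessed at. The script below is an added example, not code from the article or the list; it assumes you already know which folders the P2P client shares (the client's own settings file format is not covered here), and its file-type and keyword heuristics are assumptions to tune, not a standard.

```python
"""Audit P2P share folders for accidental document exposure.

Added example: flag shared folders that overlap the user's document folders
and list files whose type or name suggests business or personal data.
"""
import tempfile
from pathlib import Path

# Assumed heuristics matching the article's findings (spreadsheets, billing,
# health records, RFPs, audits, specs, meeting notes); tune for your site.
SENSITIVE_EXT = {".xls", ".xlsx", ".csv", ".doc", ".docx", ".pdf", ".mdb"}
SENSITIVE_WORDS = ("billing", "invoice", "patient", "health", "rfp",
                   "audit", "spec", "minutes", "meeting", "payroll")

def default_document_roots(home: Path) -> list:
    """Folders a click-through install commonly defaults to sharing."""
    return [home / "My Documents", home / "Documents", home / "Desktop"]

def overlaps(share: Path, roots) -> bool:
    """True if the share is, contains, or sits inside any document root."""
    share = share.resolve()
    return any(share == r or r in share.parents or share in r.parents
               for r in (root.resolve() for root in roots))

def looks_sensitive(path: Path) -> bool:
    name = path.name.lower()
    return path.suffix.lower() in SENSITIVE_EXT or any(w in name for w in SENSITIVE_WORDS)

def audit_shares(share_dirs, doc_roots) -> dict:
    """Map each shared folder to its overlap flag and suspicious files."""
    report = {}
    for share in (Path(s) for s in share_dirs):
        files = [p for p in share.rglob("*") if p.is_file()] if share.is_dir() else []
        hits = sorted(p.relative_to(share).as_posix() for p in files if looks_sensitive(p))
        report[str(share)] = {"overlaps_documents": overlaps(share, doc_roots),
                              "sensitive_files": hits}
    return report

def demo():
    """Build a constructed sample home directory and audit two shares."""
    home = Path(tempfile.mkdtemp()) / "home"
    docs, music = home / "My Documents", home / "music"
    (docs / "work").mkdir(parents=True)
    music.mkdir()
    (docs / "work" / "billing_q1.xlsx").write_text("constructed sample")
    (docs / "work" / "readme.md").write_text("constructed sample")
    (music / "track01.mp3").write_text("constructed sample")
    return audit_shares([docs, music], default_document_roots(home)), str(docs), str(music)

if __name__ == "__main__":
    for share, info in demo()[0].items():
        print(share, info)
```

Any share that reports `overlaps_documents` as true is the misconfiguration the article describes, regardless of whether the keyword heuristics find anything.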
[..]