Posted by: Robert Westervelt
Data Breaches and Identity Theft, P2P
An FTC investigation found financial records, drivers’ license and Social Security numbers available for viewing on P2P networks. Monitor your network traffic, experts say.
The FTC this week notified nearly 100 organizations that personal information, including sensitive data on customers and employees, had leaked onto peer-to-peer (P2P) file-sharing networks.
The file-sharing programs, popular with music and now video enthusiasts, have long been considered a pariah on many corporate networks, but apparently either poor security controls or a failure to communicate security policy to employees has led to a resurgence of P2P application use on endpoint machines. The problem, as the FTC puts it so succinctly, is that “when P2P file-sharing software is not configured properly, files not intended for sharing may be accessible to anyone on the P2P network.”
Our site security expert, Kevin Beaver, warned in a 2003 tip that P2P programs “introduce more vulnerabilities and open up more entry points to your network than many security managers ever thought possible.”
Beaver’s advice may be old, but it certainly isn’t outdated:
One of the best ways to keep up with P2P applications on your network is to know your traffic. A simple network analyzer sitting on a network hub on the public side of your firewall can show you what P2P traffic is going in and out of your network. There are P2P “air gap” and firewall products that can help control this. Some content filtering products are also now able to detect and stop P2P traffic.
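As an added illustration of the “know your traffic” advice above (this is example code, not part of Beaver's tip or the original article), the following Python script applies two simple heuristics to a constructed connection log taken from a network analyzer: connections to the historical default listening ports of common P2P clients, and a high fan-out of distinct external peers on ephemeral ports, which is characteristic of swarm-style file sharing. The port list, the fan-out threshold and the log lines are all assumptions constructed for this example.

```python
from collections import defaultdict

# Constructed sample connection log (timestamp, src, dst, dport, proto); not real traffic.
SAMPLE_LOG = """\
2010-02-23T09:00:01 10.1.1.25 203.0.113.10 6881 tcp
2010-02-23T09:00:02 10.1.1.25 198.51.100.7 51413 tcp
2010-02-23T09:00:02 10.1.1.25 192.0.2.44 6346 tcp
2010-02-23T09:00:03 10.1.1.25 203.0.113.99 41237 udp
2010-02-23T09:00:03 10.1.1.25 198.51.100.200 38822 tcp
2010-02-23T09:00:04 10.1.1.25 192.0.2.9 4662 tcp
2010-02-23T09:00:05 10.1.1.40 203.0.113.5 443 tcp
2010-02-23T09:00:06 10.1.1.40 203.0.113.5 443 tcp
2010-02-23T09:00:07 10.1.1.40 198.51.100.3 80 tcp
"""

# Assumption: historical default ports of common P2P clients (BitTorrent, Gnutella, eDonkey).
P2P_PORTS = set(range(6881, 6890)) | {6346, 6347, 4662, 4672}
# Assumption: how many distinct external peers on ephemeral ports before a host is flagged.
PEER_FANOUT_THRESHOLD = 5
WEB_ALT_PORTS = {8080, 8443}  # high ports that are ordinary web traffic, not peers


def parse_log(text):
    """Split each whitespace-separated log line into a (ts, src, dst, dport, proto) tuple."""
    rows = []
    for line in text.splitlines():
        ts, src, dst, dport, proto = line.split()
        rows.append((ts, src, dst, int(dport), proto))
    return rows


def find_p2p_hosts(rows, fanout=PEER_FANOUT_THRESHOLD):
    """Return {internal_host: [reasons]} for hosts whose traffic looks like P2P file sharing."""
    port_hits = defaultdict(set)   # src -> (dst, dport) pairs on known P2P ports
    peer_sets = defaultdict(set)   # src -> distinct destinations on ephemeral ports
    for _ts, src, dst, dport, _proto in rows:
        if dport in P2P_PORTS:
            port_hits[src].add((dst, dport))
        if dport >= 1024 and dport not in WEB_ALT_PORTS:
            peer_sets[src].add(dst)
    flagged = {}
    for src in set(port_hits) | set(peer_sets):
        reasons = []
        if port_hits[src]:
            reasons.append("known P2P port")
        if len(peer_sets[src]) >= fanout:
            reasons.append("high peer fan-out")
        if reasons:
            flagged[src] = reasons
    return flagged
```

Running `find_p2p_hosts(parse_log(SAMPLE_LOG))` flags only 10.1.1.25, on both heuristics, while the host that only talks to web servers on 80 and 443 is left alone; in practice the thresholds need tuning against a baseline of the network's normal traffic.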
Businesses should take note of the FTC alert on the P2P breaches. FTC Chairman Jon Leibowitz said the FTC found health-related information, financial records, drivers’ license and Social Security numbers available for viewing on P2P networks.
Leibowitz issued a warning not only to companies but also to the developers behind the file-sharing programs themselves:
“Companies should take a hard look at their systems to ensure that there are no unauthorized P2P file-sharing programs and that authorized programs are properly configured and secure. Just as important, companies that distribute P2P programs, for their part, should ensure that their software design does not contribute to inadvertent file sharing.”
The FTC said it was conducting an investigation into firms where customer or employee information has been exposed on P2P networks.
The FTC has also established a webpage, Peer-to-Peer File Sharing: A Guide for Business, to educate businesses about the problem.