The personal information of 200,000 soldiers and 20,245 hospital patients, along with other critical data from government networks, is being made available to the public through peer-to-peer (P2P) networks, according to testimony yesterday at a hearing of the House Oversight and Government Reform Committee.
The security breach included data like names, Social Security Numbers, addresses, illnesses, next of kin, employer and insurance provider information for the soldiers and patients, according to Robert Boback, CEO of P2P research company Tiversa, who testified during yesterday’s hearing.
But those weren’t the only revelations of sensitive data appearing on the file-sharing networks. Other data available on P2P networks included over 2 million tax returns, according to Thomas Sydnor II, senior fellow and director of the Center for the Study of Digital Property, Progress & Freedom Foundation (PFF).
And Tiversa found “the [Microsoft Outlook] .PST file of a high-ranking officer involved in the merger-and-acquisition area of a Fortune 100 company,” Boback reported.
The revelations are only the latest incidents in the growing problem of sensitive data appearing on P2P networks. Earlier this year, the government admitted that plans for the F-35 Joint Strike Fighter (JSF) were available on P2P networks.
Also earlier this year, data concerning Marine One, the helicopter used by the President, was found through a P2P file-sharing network to be stored on a computer in Iran.
In many cases, malicious activity isn’t to blame. Instead, simple errors cause sensitive data to be made available on P2P, experts said.
A “‘User error’ scenario occurs when a user downloads a P2P software program without fully understanding the security ramifications of the selections made during the installation process,” Tiversa’s Boback said in his testimony.
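The install-time mistake Boback describes is usually a share root that is far too broad (the whole user profile, or the Documents folder) rather than a dedicated download folder. As an added illustration, not code from the hearing testimony or from any P2P vendor, the Python script below audits a folder the way an administrator might before a client publishes it: it flags a dangerously broad share root and lists files whose extension, name or contents look like the data types named above (Outlook .PST stores, tax returns, records carrying Social Security Numbers). The share layout, the file names and the SSN-like numbers are constructed for the demo, and the detection rules are a starting heuristic, not a complete classifier.

```python
from __future__ import annotations

import re
import tempfile
from pathlib import Path

# Heuristics for the kinds of files described in the testimony: Outlook mail
# stores, tax returns and records carrying Social Security Numbers.
SENSITIVE_EXTENSIONS = {".pst", ".ost", ".tax", ".qdf"}
SENSITIVE_NAME_WORDS = ("tax", "1040", "w-2", "ssn", "patient", "medical")
# Dashed US SSN, skipping area/group/serial values that are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
MAX_SCAN_BYTES = 1_000_000  # only inspect the head of large files


def is_dangerous_share_root(root: Path, home: Path) -> bool:
    """True if sharing `root` would expose the whole profile or its documents.

    The classic mistake is pointing the client at the home directory (or a
    parent of it) or at Documents/Desktop instead of a dedicated folder.
    """
    root, home = root.resolve(), home.resolve()
    if root == home or root in home.parents:
        return True
    return root in {home / "Documents", home / "My Documents", home / "Desktop"}


def classify(path: Path) -> list[str]:
    """Return the reasons a file looks sensitive (empty list if none)."""
    reasons: list[str] = []
    if path.suffix.lower() in SENSITIVE_EXTENSIONS:
        reasons.append(f"extension {path.suffix.lower()}")
    name = path.name.lower()
    hits = [w for w in SENSITIVE_NAME_WORDS if w in name]
    if hits:
        reasons.append("name contains " + ", ".join(hits))
    try:
        with path.open("rb") as fh:
            text = fh.read(MAX_SCAN_BYTES).decode("utf-8", errors="ignore")
    except OSError:
        return reasons
    ssn_count = len(SSN_RE.findall(text))
    if ssn_count:
        reasons.append(f"{ssn_count} SSN-like number(s)")
    return reasons


def audit_share(root: Path) -> dict[str, list[str]]:
    """Walk the share root; map each flagged file (POSIX relative path) to its reasons."""
    findings: dict[str, list[str]] = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            reasons = classify(p)
            if reasons:
                findings[p.relative_to(root).as_posix()] = reasons
    return findings


def build_demo_share() -> Path:
    """Create a constructed share tree (not real data) to run the audit against."""
    root = Path(tempfile.mkdtemp(prefix="p2p-share-"))
    (root / "music").mkdir()
    (root / "Documents").mkdir()
    (root / "music" / "song.mp3").write_bytes(b"ID3\x03\x00" + b"\x00" * 64)
    (root / "Documents" / "2008 tax return.pdf").write_bytes(b"%PDF-1.4 constructed placeholder")
    (root / "Documents" / "outlook.pst").write_bytes(b"!BDN" + b"\x00" * 64)
    (root / "Documents" / "notes.txt").write_text(
        "Patient intake (constructed sample)\n"
        "SSN: 078-05-1120\n"        # plausible format -> counted
        "Test id: 000-12-3456\n",   # never-issued area number -> ignored
        encoding="utf-8",
    )
    return root


if __name__ == "__main__":
    share = build_demo_share()
    print("share root too broad:", is_dangerous_share_root(share, Path.home()))
    for rel, why in audit_share(share).items():
        print(f"{rel}: {'; '.join(why)}")
```

Run against a real client's configured share folder instead of the demo tree to see what a P2P installation would publish; the content check reads only the first megabyte of each file, so large mail stores are caught by extension rather than by scanning.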
The problem is understood by system administrators, but they often lack the tools to solve it, Graham Cluley, a researcher at security firm Sophos, said in a blog post.
“A Sophos survey found that uncontrolled applications are causing serious concern for system administrators,” he said. “For example, 86.5 percent of respondents said they want the opportunity to block P2P applications, with 79 percent indicating that blocking is essential.”
As a result, individual breaches go undetected. “In one instance, we identified one small company with fewer than 12 employees that provides third party billing services to hospitals,” Tiversa’s Boback said.
Yet some P2P activity can still be criminal, he alleged.
“Military families are prime targets for identity theft as the thieves are aware that the soldiers are probably not checking their statements or credit reports very closely due to the serious nature of the work that they are performing,” Boback said.
Lime Wire on the hot seat
Yesterday’s hearing targeted one company’s file-sharing software in particular: Lime Wire. Since 2007, the company, whose LimeWire software uses the Gnutella and BitTorrent P2P networks, has worked with Congress, the FTC, and with several states’ attorneys general to solve the issue of accidental file sharing.
While executives from Lime Group, Lime Wire’s parent, defended their efforts to help, critics said that they hadn’t gone far enough.
“The problem of inadvertent sharing has persisted for nine years because distributors of file-sharing programs like Lime Wire LLC have repeatedly responded to even the most serious and well-documented concerns about inadvertent sharing with half-measures, misrepresentations, whitewash, and other conduct that, considered in its entirety, could strongly suggest bad faith — an intent to cause and perpetuate inadvertent sharing,” the PFF’s Sydnor said in his testimony.
The comments echoed claims made by Sydnor in a report released earlier this month and titled “Inadvertent File-Sharing Re-Invented: The Dangerous Design of LimeWire 5,” which took additional shots at the company, describing LimeWire as “a dangerous program that can both cause and perpetuate inadvertent sharing.” (That report is available here in .PDF format.)
During yesterday’s testimony, Sydnor also cited a Washington Post story reporting that law enforcement officials had found child pornography on 20,000 computers in Virginia via peer-to-peer networks such as those used by LimeWire.
But Lime Group officials fired back at the criticism.
“The numbers of factual discrepancies in Mr. Sydnor’s report are too many for me to cover in my opening statement,” said Lime Group chairman Mark Gorton in his testimony. “Unfortunately, the popular perception of Lime Wire regarding inadvertent file sharing fails to match Lime Wire’s excellent record in addressing this problem. A good part of this misperception is due to the distribution of inaccurate and misleading information concerning Lime Wire.”
“I am confident that with LimeWire 5.2.8 any sharing is intentional sharing,” he added. “Lime Wire is proud to have taken a leadership role in the reduction of inadvertent file sharing and, if the Committee desires, Lime Wire is happy to be of assistance with any efforts to ensure that other makers and distributors of P2P software follow suit.”
Testimony from yesterday’s speakers is available here in .PDF format.