CSO - Being security researchers and all, Larry Pesce and Mick Douglas thought it would be a hoot to take a look at some of the information people send out over peer-to-peer (P2P) networks. They were taken aback by what they found.
At the 2010 ShmooCon security conference Friday, the duo showed off the extremely sensitive information they've been able to intercept, including driver's licenses and passports; tax return forms with Social Security numbers; someone's last will and testament; and information on one man's secret activities that could potentially be exploited by terrorists.
Douglas and Pesce were inspired to look at P2P networks after highly publicized incidents where details on a U.S. Secret Service safe house for the First Family leaked out on a LimeWire file-sharing network. In another incident, classified data on the communications, navigation and management systems on Marine One was found in a publicly available shared folder on a computer in Tehran, Iran, after apparently being leaked over a P2P network.
As part of the experiment, the duo used such search terms as word, doctor, health, passwd, password, lease, license, passport and visa. File names used included password.txt, TaxReturn.pdf, passport.jpg, visa.jpg, license.jpg, signons2.txt, and signons3.txt. They also hunted for material with the following file extensions: .pst, .cfg, .pcf, .doc, .docx, .xls, .xlsx, .pdf, .tax, .qdb, .qmd, .qsd, .qtx, .idx, .qif, .mny, .ofx, .ofc, .txt.
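The same lists can be turned around to audit a machine's own shared folder before a P2P client exposes it. The sketch below is an added example, not code from the researchers or The Cactus Project; the function names `classify` and `audit_shared_folder` are hypothetical, and matching search terms against whole words in the file name is an assumption.

```python
import os
import re
import sys

# Lists taken from the article's description of the researchers' searches.
SEARCH_TERMS = {"word", "doctor", "health", "passwd", "password",
                "lease", "license", "passport", "visa"}
FILE_NAMES = {"password.txt", "taxreturn.pdf", "passport.jpg", "visa.jpg",
              "license.jpg", "signons2.txt", "signons3.txt"}
EXTENSIONS = {".pst", ".cfg", ".pcf", ".doc", ".docx", ".xls", ".xlsx",
              ".pdf", ".tax", ".qdb", ".qmd", ".qsd", ".qtx", ".idx",
              ".qif", ".mny", ".ofx", ".ofc", ".txt"}


def classify(filename):
    """Return the reasons a file name would surface in those searches."""
    name = filename.lower()  # comparisons are case-insensitive
    stem, ext = os.path.splitext(name)
    reasons = []
    if name in FILE_NAMES:
        reasons.append("name:" + name)
    # Assumption: terms match whole words, so "my_passport-scan" hits "passport".
    for token in sorted(set(re.split(r"[^a-z0-9]+", stem)) & SEARCH_TERMS):
        reasons.append("term:" + token)
    if ext in EXTENSIONS:
        reasons.append("ext:" + ext)
    return reasons


def audit_shared_folder(root):
    """Walk a shared folder; return {relative path: reasons} for flagged files."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            reasons = classify(f)
            if reasons:
                rel = os.path.relpath(os.path.join(dirpath, f), root)
                findings[rel] = reasons
    return findings


if __name__ == "__main__":
    # Usage: python audit_share.py /path/to/shared/folder
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, why in sorted(audit_shared_folder(root).items()):
        print(path, ", ".join(why))
```

Anything the audit reports is a candidate to move out of the shared folder; an empty result only means nothing matched these particular lists.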
Pesce described the findings as a lesson in stupidity and compared the act of stealing identities through P2P to "clubbing baby seals."
Along with the typical malware samples, music and porn, the researchers unearthed some of the following:
Of course, Pesce said, such a letter would be useful to a terrorist who could easily crack the same P2P traffic. "This could absolutely get him killed," he said.
To help other security specialists conduct the same research and, in the process, help organizations tighten up the flow of information they share over P2P, Pesce and Douglas started what they call The Cactus Project.
The Cactus Project page on pauldotcom.com names best-of-breed tools for conducting the research, including Mutella and the Gnutella Protocol.
As for the final takeaways, the researchers said it's clear security education hasn't reached the "unwashed masses" and that it remains far too easy to put sensitive data on P2P networks.
"We have to keep trying to educate people, but through this kind of research" [security practitioners] can take steps to better protect their own organizations going forward, Douglas said.