Data thieves use P2P to grab firms’ secrets

Criminals exploit peer-to-peer software to steal corporate data

Organised criminal groups are exploiting music file-sharing software to steal confidential company documents from users connected to peer-to-peer networks, a former US security chief at eBay and Microsoft has warned.

Business documents, systems passwords, credit card details, medical records and classified government records are finding their way onto popular file-sharing networks, creating an international black market in company secrets, said Howard Schmidt, who has also advised the White House on IT security.

The problem arises because staff are unwittingly exposing confidential documents to public access when they take work home or work remotely using computers fitted with poorly configured file-sharing software, said Schmidt. Criminals can conduct a keyword search on the peer-to-peer network to find documents held on a user’s PC.

The warning was supported by Phil Cracknell, director of security consulting at Capgemini, who said that few companies understood the risk that file-sharing software posed to their security.

“Their perception of the threat is not up-to-date. They have not accounted for peer-to-peer networks. They have not considered that home PCs could leak a document,” he said.

Research by Schmidt and US security firm Tiversa, released at an International Information Systems Security Certification Consortium conference last week, revealed that internal audit reports, supply contracts, drugs trial results, product strategies, customer lists and legal documents were publicly available through file-sharing software.

“We have seen incidents where people doing contract work for major organisations, such as an audit report, have the entire report on their PC and it is being shared out,” said Schmidt.

In one case, a US bank discovered that a document containing details of its IT architecture and all of its systems administration passwords had been distributed across the globe. The bank was forced to change its passwords and is now moving to two-factor authentication.

One IT director at a large UK university said his policy was to lock down desktops to minimise the risk of confidential documents leaving the organisation.

“All our desktops and laptops are locked down using Active Directory profiles and Microsoft management tools to maintain configurations. Users are not permitted to store data on local machines and have no access to local drives,” he said.

Schmidt advised businesses not only to block the use of peer-to-peer software on their networks, but also to search the networks actively for any confidential information that may already have leaked.
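The keyword search described above, turned around as a defensive check. This is an added example, not code from the article or from the Schmidt/Tiversa research: it walks a folder the way a file-sharing client would index it and flags files whose name or contents match a small keyword list or a card-number pattern. The demo share, the keyword list and the pattern are all constructed for illustration; a real audit would use the organisation's own classification markings and would be pointed at the folders the P2P client is actually configured to share.

```python
import os
import re
import tempfile
from pathlib import Path

# Terms a keyword search on a file-sharing network would hit on.
# Constructed for this example; not a list taken from the article.
SENSITIVE_KEYWORDS = ("confidential", "password", "audit report", "customer list")
# Loose card-number pattern: 13 to 16 digits, optionally grouped by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")
MAX_READ = 1_000_000  # bytes inspected per file


def scan_share(share_root):
    """Walk a shared folder as a P2P index would and flag sensitive files.

    Returns a sorted list of (relative_path, reasons); reasons are strings such
    as "filename:password" or "content:card-number".
    """
    findings = []
    root = Path(share_root)
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        reasons = []
        name = path.name.lower()
        for kw in SENSITIVE_KEYWORDS:
            if kw in name:
                reasons.append(f"filename:{kw}")
        try:
            # Decode leniently: binary files such as MP3 or JPEG just yield noise.
            text = path.read_bytes()[:MAX_READ].decode("utf-8", errors="ignore").lower()
        except OSError:
            continue
        for kw in SENSITIVE_KEYWORDS:
            if kw in text:
                reasons.append(f"content:{kw}")
        if CARD_RE.search(text):
            reasons.append("content:card-number")
        if reasons:
            rel = str(path.relative_to(root)).replace(os.sep, "/")
            findings.append((rel, reasons))
    return findings


def build_demo_share():
    """Create a constructed 'shared folder' mixing music with work files."""
    d = Path(tempfile.mkdtemp(prefix="p2p_share_"))
    (d / "music").mkdir()
    (d / "music" / "track01.mp3").write_bytes(b"\x00" * 64)
    (d / "work").mkdir()
    (d / "work" / "Audit Report Q3.docx").write_text("Internal audit findings. CONFIDENTIAL.")
    (d / "work" / "servers.txt").write_text("core-router admin password: Summer2007!")
    (d / "work" / "orders.csv").write_text("id,card\n1,4111 1111 1111 1111\n")
    (d / "holiday.jpg").write_bytes(b"\xff\xd8\xff")
    return d


if __name__ == "__main__":
    share = build_demo_share()
    for rel_path, why in scan_share(share):
        print(f"{rel_path}: {', '.join(why)}")
```

Run against a real machine by replacing `build_demo_share()` with the path the P2P client lists as shared; anything the scan reports is exactly what a keyword search from the other side of the network would return.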

Alan Paller, director of US security body the Sans Institute, said firms were also at risk from unauthorised peer-to-peer software on their internal networks. Although most firms ban it, not every organisation has the technology in place to police it, he said.
