File-sharing breach at investment firm highlights dangers of P2P networks -- again

Supreme Court Justice among clients hit by data exposure after worker used LimeWire software



July 9, 2008 (Computerworld) Wagner Resource Corp. recently learned the hard way what Pfizer Inc. and many other companies have similarly discovered in the past: installing peer-to-peer file-sharing software on corporate computers is a bad idea.

The Alexandria, Va.-based investment firm last week had to notify about 2,000 of its clients that their names, Social Security numbers and birth dates had potentially been exposed on the LimeWire P2P network, according to a story published Wednesday by The Washington Post. Among the individuals whose personal data was exposed in the Wagner compromise was Supreme Court Justice Stephen Breyer, according to the Post.

Wagner didn't immediately respond to a request for comment about the incident. But the Post reported that the compromise resulted from the use of LimeWire's file-sharing software by a Wagner employee. The employee apparently downloaded the software to his company-issued PC last year, so he could share music and other media files with fellow LimeWire users. But the software ended up exposing all of the contents on the employee's computer to other users of the P2P network.

The Post said that the leak wasn't discovered until last month, when one of its online readers found the data about Wagner's clients while using the LimeWire network.

Breaches such as the one at Wagner highlight the continuing dangers that companies face from employees using P2P software on their work computers, said Christopher Gormley, chief operating officer at Tiversa Inc., a Cranberry Township, Pa.-based P2P network monitoring firm that Wagner has hired to try to help it mitigate the data leak.

The P2P software offered on networks such as LimeWire and Kazaa is designed to help users easily share media files, and to aid them in finding files on the computers of other users. The problem is that if P2P users aren't careful, the software can expose not just the media files they want to share but almost everything else on their computers.

Numerous organizations have suffered data leaks as a result of such carelessness. Last year, for instance, the personal data of about 17,000 Pfizer employees was exposed after an employee installed unauthorized P2P software on her laptop. And at a Senate hearing last year, lawmakers heard testimony from several witnesses about the abundance of classified government and military documents as well as corporate data freely available on P2P networks.

The data said to be available included a full diagram of the Pentagon's secret backbone network infrastructure, complete with IP addresses and password-change scripts; contractor data on radio-frequency manipulation techniques for dealing with improvised explosive devices in Iraq; the complete minutes of a board meeting held at a large financial services company; and the detailed launch plan of a start-up company, complete with growth targets and other business forecasts.

Despite such examples, and the fact that the dangers of P2P networks have been talked about for several years now, there continues to be an almost startling lack of awareness of the threat that file-sharing software can pose to corporate data, Gormley said.

"There's a lack of awareness across the board," he said. Few companies know about either the need for or the existence of controls for preventing P2P data leaks from occurring, according to Gormley. In addition, companies often have a poor idea of the amount of sensitive data that is being taken beyond their network perimeters on corporate laptops or systems belonging to contractors, service providers and business partners, he said.

Further exacerbating the problem, Gormley said, is the increased searching and scouring of P2P networks by cybercriminals looking for data they can use to commit fraud or espionage. On average, about 1.5 billion searches take place on P2P networks daily compared with 180 million on Google, he claimed, adding that a growing number of the searches are being done for malicious purposes. Gormley said that Tiversa also has noticed the emergence of several data aggregators whose sole purpose seems to be collecting information on P2P networks for their own illegal uses or to resell to other miscreants.

The key to limiting P2P exposures is to have not just the proper controls in place but also policies for enforcing them, said Phil Neray, a vice president at database security software vendor Guardium Inc. in Waltham, Mass. It's hard to completely prevent employees from downloading P2P software, because some people will find a way around the controls, Neray said. So, he added, the focus should be more on monitoring and filtering the content that is traveling into and out of corporate networks, in order to stop sensitive data from leaking out.


