Beware P2P Networks With A Tunnel To Confidential Data, Study Warns

Many of the biggest breaches in recent years were inadvertent disclosures, Dartmouth business school researchers found.
Identity theft has become a bleak fact of life for many people. Many would-be identity thieves simply troll the Internet looking for sensitive information mistakenly posted to Web sites. Johnson and his colleagues have tracked this behavior by ordering credit cards and phone cards and then publicly disclosing account information via the Web. "We leaked a live Visa card so we could watch what the thieves were doing with the information," he says, adding that he found that cyberthieves were using the stolen accounts in conjunction with PayPal and other online payment services to try to cover their tracks.

Johnson and his colleagues found lots of supposedly confidential information floating freely out on the Web, including job performance reviews and a bank's spreadsheet containing 23,000 business accounts including their contact names and addresses, account numbers, company positions, and relationship managers at the bank. He even found the results of a "confidential" security audit that a company had commissioned. Whoops.

One of the most effective ways to prevent business information from being leaked through peer-to-peer networks is to understand how these services are used. "Security people say they've blocked ports inside their firewalls so that users can't connect into peer-to-peer networks," Johnson says. "That's fine until those employees take their laptops home at night or go to a Starbucks and connect to a peer-to-peer network."

There are ways of tracking whether corporate data has been leaked onto peer-to-peer networks. Security pros can set up their own accounts on the most popular peer-to-peer networks, which include Gnutella, FastTrack, and eDonkey, and search to see if any information being offered resembles their proprietary data or intellectual property.

"Create a digital footprint for your company," Johnson says. Keep track of all searchable keywords that would lead a Web surfer to your company, including firm names, abbreviations, ticker symbols, brand names, subsidiaries, etc., and use those terms to search the peer-to-peer networks.

The idea for the Dartmouth study came from Homeland Security Department-sponsored work Johnson and his colleagues had been doing in studying international cyberattacks on U.S.-based targets. As the Internet increasingly becomes a part of the country's critical infrastructure, like telephone networks or power grids, Homeland Security wants businesses to protect themselves from cyberthreats.

Editor's Choice
Mary E. Shacklett, President of Transworld Data
James M. Connolly, Contributing Editor and Writer