Our P2P Investigation Turns Up Business Data Galore - InformationWeek


Business & Finance
11:15 AM


We search the Gnutella network and find hordes of personal and business information that could ruin more than a few lives and give lots of companies PR nightmares.

Are peer-to-peer networks really filled with sensitive corporate data just waiting to be plucked and abused? It seems unlikely--surely people wouldn't be that sloppy. Like a 19th century prospector, I decided to dip my pan into the stream to see what I could find.

The results were shocking and scary--loads of confidential business documents and enough personal information to ruin any number of lives and create PR nightmares for quite a few companies. Among the business documents were spreadsheets, billing data, health records, RFPs, internal audits, product specs, and meeting notes, all found in a quick expedition, using simple tools.


It's doubtful that so many people were sharing such sensitive files on purpose. More likely, the users, or even their children, had installed a P2P program to download music or a TV show, and clicked "OK" to all the questions during the install process. One of those questions is which folder to share files from, and often the default is the Windows My Documents folder. The result was plain--and in many ways worse than the lost laptops that have made so much news, because the files are available to the entire world and leave no trace when they're taken. If my sampling is any indication, it's clearly time to add P2P file sharing to your list of security threats.

There are several popular P2P protocols, each with a number of client programs that can access the network. While user numbers are hard to estimate, BitTorrent is thought to be the top network, with more than 10 million users of just one of its tracker sites, ThePirateBay.org. (Tracker sites track the whereabouts of P2P files so they can be accessed.) BitTorrent operates differently from other P2P networks, in that a user must take deliberate steps to share a file. It's also the network that's used the most for legitimate purposes, as much open source software is distributed via BitTorrent to save developers on bandwidth costs.

I focused on the Gnutella network because many of the clients are open source. The authors, driven by idealism, often require that files be shared and include default sharing options that expose more than a user intends. Gnutella, like a few other P2P networks, lets you browse all the files a remote computer is sharing, so you can pivot from a promising search result to related files from the same user. Its most popular client, LimeWire, has a market share of more than a third of all P2P clients and reportedly is installed on more than 18% of all computers. Other client software with sizable installed bases include Kazaa, Morpheus, and Soulseek.

Even though the basic version of LimeWire is free, I bought LimeWire Pro because it allows connections to more servers, which should turn up more in less time. Choosing good search terms is essential. Since Gnutella supports only file-name searches, I had to think of how people might name the files that I was looking for, rather than what the content might be. I put together a list of search terms, including "audit," "RFP," "proposal," and "minutes" and limited searches to "documents" to avoid being inundated with results for media files.
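The two weaknesses described above, a client that defaults to sharing My Documents and a network that searches on file names alone, suggest a simple defensive check: before a folder is exposed to a P2P client, walk it and flag anything a name-only search would surface, plus files whose contents look like the identity data the article later finds. The script below is an added example, not code from the article or from LimeWire or any other Gnutella client. The keyword list (seeded from the article's own search terms), the regular expressions, the assumption that the default share folder is the user's home or `Documents` directory, and the sample files are all constructed for the demo.

```python
"""Pre-share audit of a folder: flag files a name-only P2P search would surface.

Added example; not code from the article or from any P2P client. The keyword
list, the regular expressions and the sample files below are assumptions
constructed for the demo.
"""
import os
import re
import tempfile
from pathlib import Path

# Search terms the article used ("audit", "RFP", "proposal", "minutes", "ssn")
# plus a few obvious siblings (assumed). Gnutella searched file names only, so
# the first check is on name tokens, exactly where a remote searcher would look.
SENSITIVE_NAME_TERMS = {"audit", "rfp", "proposal", "minutes", "ssn",
                        "password", "passwords", "tax", "equifax"}

# Content heuristics: a US SSN shape and a Luhn-valid 13-16 digit card number.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")


def luhn_ok(digits: str) -> bool:
    """Standard Luhn checksum, used to cut down false card-number hits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def name_hits(filename: str) -> list:
    """Sensitive terms present as whole tokens in the file name."""
    tokens = set(re.findall(r"[a-z0-9]+", filename.lower()))
    return sorted(SENSITIVE_NAME_TERMS & tokens)


def content_hits(path: Path, max_bytes: int = 1_000_000) -> list:
    """Cheap text scan of the first max_bytes; binary files are tolerated."""
    try:
        text = path.read_bytes()[:max_bytes].decode("utf-8", errors="ignore")
    except OSError:
        return []
    hits = []
    if SSN_RE.search(text):
        hits.append("ssn-pattern")
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            hits.append("card-number")
            break
    return hits


def is_default_documents_dir(share_dir, home) -> bool:
    """True if the share root is the home folder, its Documents folder, or a
    parent of home: the 'share My Documents' default the article describes.
    The folder name 'Documents' is an assumption for this demo."""
    share = Path(share_dir).resolve()
    home = Path(home).resolve()
    return share in (home, home / "Documents") or share in home.parents


def audit_share_dir(share_dir, home) -> list:
    """Return (relative path, reasons) for every file that should not be shared."""
    share_dir = Path(share_dir)
    findings = []
    if is_default_documents_dir(share_dir, home):
        findings.append(("<share root>", ["default-documents-folder"]))
    for root, _dirs, files in os.walk(share_dir):
        for fn in sorted(files):
            p = Path(root) / fn
            reasons = name_hits(fn) + content_hits(p)
            if reasons:
                findings.append((str(p.relative_to(share_dir)), reasons))
    return findings


def run_demo() -> dict:
    """Build a constructed share folder in a temp dir and audit it."""
    samples = {  # constructed sample files, not real data
        "internal audit plan.doc": "Scope and timetable for the field work.",
        "vacation photos.txt": "beach, sunset, hotel",
        "notes.txt": "Interview notes. Client SSN 123-45-6789 (constructed).",
        "receipt.txt": "Paid with card 4111 1111 1111 1111 (test number).",
    }
    with tempfile.TemporaryDirectory() as base:
        home = Path(base) / "home"
        share = Path(base) / "share"
        share.mkdir()
        for name, body in samples.items():
            (share / name).write_text(body, encoding="utf-8")
        return {
            "findings": audit_share_dir(share, home),
            "share_flagged": is_default_documents_dir(share, home),
            "documents_flagged": is_default_documents_dir(home / "Documents", home),
        }


if __name__ == "__main__":
    for path, reasons in run_demo()["findings"]:
        print(f"{path}: {', '.join(reasons)}")
```

Run against a real folder with `audit_share_dir("/path/to/share", Path.home())`. The name check mirrors what a remote Gnutella searcher can see; the content check catches files whose names give nothing away but whose bodies carry SSN or card patterns, which is the case the article's "ssn" search exposed. Both are heuristics: tune the keyword set to the organisation's own document naming, and treat a clean result as a reason to keep the share folder small and dedicated rather than as proof the folder is safe.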

My search for "audit" turned up about 20 results. None were too promising, so I used LimeWire's connections tab to remove all the servers I was connected to, causing LimeWire to reconnect to other servers. Gnutella is unique in that it has no central server cataloging shared files, and every client is also a server. If a search with one set of servers doesn't turn up desired results, then try different servers, which will provide varied views of the files on the network.

I then clicked on "Get More Results" and found a file with a promising name: "internal audit plan." This is where the true power of LimeWire's "Browse Host" button paid off, letting me explore all the files shared by that computer. It turned up a feast of documents, along with some really bad music. Apparently, I'd found a computer used by a consultant for a major accounting firm. Besides the internal audit plan and some Foreigner tunes, I had audit results from several engagements, interview notes from internal investigations, and a few companies' financial results.

Giddy from my quick success, I tried other search terms and slogged through dozens of computers full of tailings such as High School Musical and Fall Out Boy, until I entered "ssn" for Social Security number. LimeWire, which displays the IP address of the computer hosting each file a search returns, showed an entire page of results for ssn, all with the same IP address. Using "browse host," I discovered a mother lode of bank passwords and credit card numbers, a few dozen files labeled as Equifax credit reports, and a handful of tax returns.

I'd stumbled upon what's known as an information concentrator. These are people who do what I was doing--troll the P2P networks for files with personal data. But their intentions are far more sinister--typically identity theft. Most likely this person was inadvertently resharing the confidential information he had found, making the same mistakes with P2P that his prey had made.
