Information Security News mailing list archives

Downloads may pose security risk


From: InfoSec News <isn () c4i org>
Date: Thu, 29 Aug 2002 02:13:48 -0500 (CDT)

Forwarded from: Steve Munyon <steve.munyon () vericept com>

http://www.denverpost.com/Stories/0,1413,36%257E33%257E823486%257E,00.html

Downloads may pose security risk
By Jennifer Beauprez
Denver Post Business Writer
Wednesday, August 28, 2002

Downloading that new Britney Spears hit from the Net may come at a
cost that includes divulging personal bank account information, credit
card numbers and even company secrets.

Millions of people, following the trend first set by Napster, use
file-sharing services not only to copy and download free music, but
also to find pictures, video clips, pirated software and documents from
millions of others who open their computers to a virtual network.

These so-called peer-to-peer websites allow people to download free
files - primarily songs - stored on the computers of millions of other
file-sharing users.

Yet many people don't know they can inadvertently open private content
- their entire hard drive - to the world if they rush through
installation of the software for those services. They could also put
their files at risk if they later move the folder that contains that
music.

The risks? A home user may unwittingly divulge financial records or
personal e-mail. Business employees could inadvertently disclose
marketing plans, internal memos, secret software code or corporate
budgets from their own computer or any server to which they are
connected.

"The risk of exposure is just massive," said Michael Reagan, senior
vice president of marketing for Vericept Inc., a Denver company that
sells software to alert employers when workers chat, shop, view
pornography or share files on the Net.

"Most people haven't realized what peer-to-peer is, and if they do
know, they don't understand there is a big problem," Reagan said. He
said Vericept's software can alert companies when confidential
information is leaked.

More and more companies forbid file-sharing because of the leaks as
well as copyright concerns and congestion on their networks.

"It's a huge bandwidth hog," said Corey Smith, information technology
manager for Optika Inc., a Colorado Springs software maker that banned
all file-sharing at work. "It only took two to three people to bring
us to our knees, crashing our e-mail servers."

Internet file-sharing has grown exponentially since the debut of
controversial song-swapping service Napster, which filed for
bankruptcy and has been offline for the past year following copyright
lawsuits by record labels.

Despite the copyright fight, people still sign up for file-sharing on
a number of other sites, including Kazaa.com and Gnutelliums.com, and
search for MP3 music files to download. They start by giving the site
a user name and an e-mail address.

People run into trouble when they breeze through installation of their
file-sharing software, clicking "next" without reading each screen's
text in detail. If the user later changes configurations or moves the
folders for downloaded material, the software can share more files
without that person's knowledge.

Experts say people are safe if they turn off the file-sharing option
when they install the software. But most click "okay" without seeing
the option.

"A lot of people want to hurry up and get everything installed so they
can start downloading and make that great CD," said Fitz Miller, an
engineer with IT Communications, a Colorado Springs network security
assessment firm.

In fact, eight in 10 people - even the most computer savvy - don't
recognize they have disclosed personal files when using the service,
according to research by Nathan Good, a researcher at H-P Labs in Palo
Alto, Calif.

Good first learned about the risks of file-sharing in June, when his
brother complained that his computer was too slow.

Good said his brother was sharing everything on his hard drive with
the 85 million users of Kazaa.com. His research told him it wasn't an
isolated case.

In fact, his research showed that searches on Kazaa.com for
"inbox.dbx" over a 12-hour period showed that 156 people accidentally
shared their e-mail inboxes for anyone to download. That included
their sent, saved and deleted messages.

The documents are easy to find with keyword searches.

A recent search using keywords such as "account #" and "credit card"
on Kazaa.com turned up a number of documents from corporate and
personal computers.

One Microsoft Word document listed dozens of credit card numbers and
expiration dates; another, extracted from a Texas company's computer,
listed the names, addresses, social security numbers and salaries of
employees.
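
The searches described above work because the client shares whatever sits
under its shared folder, and the same keyword and file-name tests can be run
locally before anything is exposed. The script below is an added example
written for this archive, not code from the article, from Vericept, or from
H-P Labs. It assumes the P2P client shares a single directory tree
recursively, walks that tree, and flags Outlook Express style mail stores
(the "inbox.dbx" the researchers searched for), the keywords quoted in the
article, Luhn-valid card numbers and SSN-shaped strings. The sample shared
folder it builds in a temporary directory is constructed for the demonstration;
the card number in it is the well-known Visa test number, not a real account.

```python
"""Audit a folder before exposing it to a P2P network.

Added example (not part of the article). Assumes the file-sharing client
shares everything under one root directory recursively; the sample files
below are constructed so the script runs offline.
"""
from __future__ import annotations

import re
import tempfile
from pathlib import Path

# Mail-store extensions: .dbx is the Outlook Express format the article's
# "inbox.dbx" searches targeted; the others are assumed additions.
MAILBOX_SUFFIXES = {".dbx", ".pst", ".mbx"}

# 13-19 digits, optionally separated by spaces or dashes (card number shape).
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US Social Security number shape nnn-nn-nnnn (the Texas roster in the article).
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# Keywords quoted in the article plus one assumed addition.
KEYWORDS = ("account #", "credit card", "social security")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters phone numbers and other digit runs out."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list[str]:
    """Return the digit strings in text that look like cards and pass Luhn."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def audit_shared_folder(root: str) -> dict[str, list[str]]:
    """Map each file under root that should not be shared to its reasons."""
    findings: dict[str, list[str]] = {}
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        reasons = []
        if path.suffix.lower() in MAILBOX_SUFFIXES:
            reasons.append("mail store")
        try:
            text = path.read_text(errors="ignore")  # binary files decode to noise
        except OSError:
            text = ""
        lowered = text.lower()
        for kw in KEYWORDS:
            if kw in lowered:
                reasons.append(f"keyword: {kw}")
        cards = find_card_numbers(text)
        if cards:
            reasons.append(f"{len(cards)} Luhn-valid card number(s)")
        if SSN_RE.search(text):
            reasons.append("SSN pattern")
        if reasons:
            findings[str(path.relative_to(root))] = reasons
    return findings


def build_sample_share() -> str:
    """Constructed sample shared folder: one song plus two files that leak."""
    root = tempfile.mkdtemp(prefix="shared_")
    Path(root, "Music").mkdir()
    Path(root, "Music", "song.mp3").write_bytes(b"\xff\xfb" + b"\x00" * 64)
    # A mail store dropped into the share by a careless folder move.
    Path(root, "Inbox.dbx").write_bytes(b"\xcf\xad\x12\xfe" + b"mail data")
    # 4111 1111 1111 1111 is the Visa test number (Luhn-valid, not a real card).
    Path(root, "budget.txt").write_text(
        "Corporate credit card: 4111 1111 1111 1111 exp 09/04\n"
        "Employee J. Doe SSN 123-45-6789 salary 52000\n"
        "Phone 303-555-0142\n"
    )
    return root


if __name__ == "__main__":
    for name, why in audit_shared_folder(build_sample_share()).items():
        print(f"{name}: {', '.join(why)}")
```

Run it against the real shared folder instead of the sample, and anything it
reports is what the 85 million other users could already download. The Luhn
check matters: without it the phone number in the sample would be reported
as a card and the report would be ignored as noise.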

Vericept's Reagan also discovered a document with the account number
and recent stock trade information for a Salomon Smith Barney
customer.

Reagan later talked to the woman, who said her granddaughter had
downloaded MP3 files on her home computer and inadvertently shared her
grandmother's personal financial information.

A Salomon Smith Barney broker said the woman was unavailable for
comment.

Such problems are typical of families in which multiple people are
using the same computer, experts say. A parent could have a secure
connection to a corporation for downloading and working on
confidential files, only to have them inadvertently shared by a
teenage son or daughter without either's knowledge.

Many people don't know about file-sharing's security risk. But some
opportunistic people do.

"Unfortunately, the wrong people are finding out about it," said Aaron
Krekelberg, lead Web developer at the University of Minnesota, who
collaborated with Good on the study.

Krekelberg and Good set up a server with phony documents that were
shared on Kazaa.com to see if other users downloaded the private
information.

Within 24 hours, five people downloaded documents containing phony
credit card numbers and e-mail inbox files.

"They're coming in and grabbing (these documents)," Krekelberg said.
"It's horrible."



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.