Q&A: Tiversa co-founder talks about P2P leak
Updated at 3 p.m. PST: An earlier version of this report misidentified Sam Hopkins' position at the company. He is chief technology officer and a co-founder.
Earlier this weekend, I pointed to a report that a Pittsburgh-area Internet security firm had discovered a file containing government blueprints and avionics for President Obama's helicopter on an IP address in Tehran.
During a traffic analysis, the company, Tiversa, headquartered in Cranberry Township, found that one particular file was actively being shared via a P2P protocol. On Sunday, I spoke by phone with the company's co-founder and chief technology officer, Sam Hopkins. Here's what he had to say.
Question: What tipped your team off to the possibility of classified information being leaked to outsiders?
Hopkins: Let me first back up and offer some perspective. There are millions of people who in the last couple years have installed P2P software to share their hard drives... You may go to a hospital and give me your Social Security number and your name and address. That hospital may have the best information protections in the universe, but then they give that information to a billing company and that company accidentally leaks it. This happens all the time. In this case, we weren't actively looking for this, but (the information) came back to our data center and matched one of our signatures which we then analyzed.
Q: Talk about the chronology. When did your team first pick up on the leak?
Hopkins: Around the October to November (2008) time frame. We get about 100,000 or 200,000 confidential files that we bring back and if we find something really bad, we will contact that company and say that your information is out there on a peer-to-peer network. In this case, it was over in Iran, where they were actively trolling for information. We notified the defense contractor and they went through their steps to notify the Department of Defense.
Q: And it was a P2P connection that led to the leak?
Hopkins: It was on the Gnutella network. Someone installed it and it may have been a buggy client. All it takes is for someone to say, "Hey, do you have anything on this client?" and it gets downloaded. We see 50 of those a day. There was a large publicly traded company which accidentally just disclosed all their forecasts and M&A plans throughout 2009. A person leaked all his files and all his internal e-mail conversations as well as his calendar and all his contact information.
Q: In this case your company is reporting, what information was breached?
Hopkins: The entire avionics system of the president's helicopter, and various upgrades by contractors.
Q: So your team concluded that the materials fell into the hands of Iran. Is it possible that other actors also are trying to take advantage of similar openings in the system?
Hopkins: Heck yeah. Every nation does that. We see information flying out there to Iran, China, Syria, Qatar--you name it. There's so much out there that sometimes we can't keep up with it.
Q: I would have assumed military contractors would use more secure networks to communicate.
Hopkins: Everybody uses (P2P). Everybody. We see classified information leaking all the time. When the Iraq war got started, we knew what U.S. troops were doing because G.I.'s who wanted to listen to music would install software on secure computers and it got compromised.
Q: This is what your company specializes in, obviously, but what's your professional opinion about the extent of this sort of thing?
Hopkins: This is the biggest security problem of all time. Coming from me, it sounds biased. But you can get 40,000 Social Security numbers out there at the drop of a hat. We've had people come into our data center and we've shown them things that are out there on P2P and they go away with their minds blown.
Charles Cooper has covered technology and business for more than 25 years. Before joining CNET News, he worked at the Associated Press, Computer & Software News, Computer Shopper, PC Week, and ZDNet.

1) We found these documents on Gnutella in Iran (of course it's Iran, right?). They're likely all over the world, but you picking Iran will make this guy the most money.
2) We actually have no idea how they got on the network (there literally is no way for them to know), but let's go with the idea that an employee installed a p2p application, because that's our entire business, and we've been working on demonizing p2p for years now.
3) Everyone needs to contract with us right away to protect their networks.
For this to happen, someone, somewhere has to intentionally publish this file. This guy repeatedly makes it sound as if just installing a file sharing program exposes your entire hard drive. Wrong. Someone *intentionally published this*, that's just how it works, and it's even more disturbing. His "buggy clients" thing is total BS, and he knows it. So frustrating these scheisters (sp?) make a living at all.
If you want to secure your networks, folks, talking to this joker is not the path you want to take.
-Adam Fisk
Hopkins: This is the biggest security problem of all time.
someone needs to help this poor guy before they let him talk to the press again...
http://www.ffwtech.com/?p=177
"Peer-To-Peer" in OS/2 must be really damn good; and, the "Russians" may have known about this all along; thus, providing compelling reasons to rely on it for their Carrier Rockets' Launches!!!
Go The Smart Way Like The Russians, Go OS/2!
Snake oil salesman.
"Oh my god, this guy is a complete snake oil salesman, and everyone's buying. I wrote a good deal of the code for LimeWire"
Oh really? Go to LimeWire or any other P2P client... Restrict your search to "documents"... Type in some keywords: "tax", "tax return", "passwords", "credit report", "strategy", "bank", "banking", etc. Within minutes you'll have dozens of PDF files of people's personal tax returns, banking information, etc. In many cases you'll be in a queue behind several others downloading the information. Maybe LimeWire 5.0 will take care of this, maybe it won't. P2P has been promising to fix this for years, but they don't because it's not a priority for them.
The security vulnerabilities are very real, my misinformed friend. If you wrote the code you should know that. I know it's inconvenient for the P2P companies to admit this, and for the P2P users who are using the client to ILLEGALLY download movies, games, TV shows, software, etc.
See the story on NBC last night. A family had their identity stolen because their girls were downloading music off of P2P. The thief stole their $2000 tax refund check when he got ahold of their SSN. The money was going to the girls' college fund... Too bad for them. I guess there IS a cost after all to using these services.
I just wanted to follow up and maybe educate you on this security threat. 500 million people have installed a software product that shares the files on their computer system with millions of individuals. Confidential information is exposed via P2P for a plethora of reasons. Whether it is buggy software, a child selecting the C: drive as the share, or a virus resetting the shared folder to the entire drive - it can, does, and is happening. There are plenty of well-published examples of P2P security breaches, some including LimeWire. You can find them by doing a search on the web. Secondly, we know for a fact that malicious and terroristic individuals and foreign governments are actively downloading this information. An example of this is the Marine One breach that you are commenting on. If you'd like a domestic example, do a search for "Gregory Kopiloff", an identity thief who used LimeWire P2P software to download tax returns of unsuspecting individuals and used this information to commit crimes. Don't take my word for it though. Take the word of leading security experts such as US-CERT and Gartner, or maybe read the SANS Top 20 Security Risks report.
In answering your specific breakdown statements:
1. Are you saying that President Obama's helicopter plans in Iran is not cause for alarm? Would it make a difference if the plans were in the hands of a malicious person in Washington DC? I think you are really missing the point here. While I would love for these plans to have been in the hands of a 9 year old in Idaho, the fact remains they were located on a malicious person's computer system in Iran.
2. While you cannot speak to our technology, I can. Our technology allows us to detect, track, and locate the originating source of the disclosure. We utilize this each and every day to protect our clients.
3. Organizations do not have to contract with us. However, if they want to know about their extended enterprise, meaning the vendors, contractors, partners, employees, etc. that possess and expose their confidential information - all of which is often outside of their "four walls" - then they should. Perhaps you should call your doctor, accountant, or employer and ask them what they are doing to ensure that YOUR personal information is secured from being disclosed via the P2P. Once you are done talking to them, contact every other person or organization that you ever gave your SSN to and ask them what they are doing.
Also, just to correct you, you don't have to *intentionally publish a file* to expose it via the P2P - that would be the World Wide Web, which we're not talking about. To make a file available to the P2P you simply place it in a shared directory on your computer, which in most cases is C:, My Documents, or My Desktop. Also, to your comment on the Senate hearings, the chairman of LimeWire stated under oath that Tiversa knew more about P2P security than LimeWire did. Feel free to watch it; it should be online.
Samuel Hopkins
CTO - Tiversa
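The Tiversa reply above describes the exposure mechanism at the centre of the whole thread: a file becomes visible to the Gnutella network simply by sitting under the client's shared directory, and that directory is often C:, My Documents or Desktop, whether chosen by a child, left that way by a buggy client, or reset by malware. The following is an added example, not code from Tiversa, LimeWire, CNET or any commenter, of the defender-side audit an endpoint or helpdesk team could run against a configured share root: it flags share roots that swallow the drive, the home folder, Documents or Desktop, and lists files under the share whose names or contents look like the tax returns, bank documents and Social Security numbers the comments describe. The filename patterns, the SSN regex, the directory names and the sample files are all constructed assumptions; tune them to your own environment.

```python
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# Filename patterns for the kinds of documents the comments say turn up in P2P
# searches (tax returns, bank/credit documents, password files, Outlook mail and
# calendar stores).  Constructed starting list; extend it for your own environment.
SENSITIVE_NAME_PATTERNS = [
    re.compile(r"tax[_ -]?return", re.I),
    re.compile(r"\bpasswords?\b", re.I),
    re.compile(r"\bbank|credit[_ -]?report", re.I),
    re.compile(r"\.(pst|ost)$", re.I),
]

# Content check: a US SSN-shaped token.  Constructed regex; it also matches other
# 3-2-4 digit strings, so treat hits as leads to review, not proof.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def overbroad_roots(home: Path) -> List[Path]:
    """Directories that must never be (or sit inside) a P2P share root: the drive
    root, the home directory itself, and the Documents/Desktop folders the reply names."""
    candidates = [Path(home.anchor), home, home / "Documents", home / "My Documents", home / "Desktop"]
    return [c.resolve() for c in candidates]


def check_share_root(share: Path, home: Path) -> Optional[str]:
    """Return a reason string if `share` equals or contains an overbroad root
    (sharing the drive or the home folder shares everything beneath it), else None."""
    share = share.resolve()
    for bad in overbroad_roots(home):
        if share == bad or share in bad.parents:
            return f"share root {share} exposes {bad}"
    return None


def find_sensitive_files(share: Path, max_bytes: int = 65536) -> List[Tuple[Path, str]]:
    """Walk the share; flag files first by name pattern, then by SSN-like content."""
    hits: List[Tuple[Path, str]] = []
    for path in sorted(p for p in share.rglob("*") if p.is_file()):
        name_hit = next((pat.pattern for pat in SENSITIVE_NAME_PATTERNS if pat.search(path.name)), None)
        if name_hit:
            hits.append((path, f"name matches /{name_hit}/"))
            continue
        try:
            sample = path.read_bytes()[:max_bytes].decode("utf-8", "ignore")
        except OSError:
            continue  # unreadable file: skip it rather than abort the audit
        if SSN_RE.search(sample):
            hits.append((path, "content contains an SSN-shaped number"))
    return hits


def audit_share(share: Path, home: Path) -> Dict[str, object]:
    """Combine both checks into one report keyed by share-relative path."""
    return {
        "overbroad": check_share_root(share, home),
        "sensitive": [(str(p.relative_to(share)), why) for p, why in find_sensitive_files(share)],
    }


def build_demo_share() -> Tuple[Path, Path]:
    """Constructed sample: a throwaway home directory whose whole Documents folder
    was picked as the share, with one harmless MP3 mixed in among documents."""
    home = Path(tempfile.mkdtemp(prefix="p2p_audit_")) / "home" / "user"
    docs = home / "Documents"
    (docs / "Music").mkdir(parents=True)
    (docs / "Music" / "song.mp3").write_bytes(b"\xff\xfb" + b"\x00" * 64)
    (docs / "2008_tax_return.pdf").write_bytes(b"%PDF-1.4 constructed placeholder")
    (docs / "notes.txt").write_text("call billing about the account, SSN 123-45-6789")
    (docs / "report.txt").write_text("quarterly numbers, nothing personal here")
    return home, docs


if __name__ == "__main__":
    home, docs = build_demo_share()
    # Sharing all of Documents is flagged; sharing only Documents/Music is clean.
    for share in (docs, docs / "Music"):
        report = audit_share(share, home)
        print(f"share={share}")
        print(f"  overbroad: {report['overbroad']}")
        for rel, why in report["sensitive"]:
            print(f"  {rel}: {why}")
```

Run it as-is to see the two reports side by side; in practice you would replace `build_demo_share()` with the share root read from the installed client's configuration and the real user home. The root check is the cheap, high-value part: a share that equals or contains Documents, Desktop, the home directory or the drive root is the "child selected C:" case regardless of what the files are called, so report it even when the content scan finds nothing.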
by judgesmells March 4, 2009 6:18 PM PST
Hi, I was wondering if it is standard operating procedure for Tiversa to submit such findings to the DOD? If so, does the DOD actually respond? I worked in government years ago, and I cannot imagine anybody does anything about such issues.