This is a screenshot of the e-mail Coleman's campaign sent to supporters warning them about the data leak. (Credit: Minnesota Independent)

The campaign of Republican Norm Coleman, who is engaged in a fierce legal battle to keep his Senate seat from Democrat Al Franken, has warned supporters that their credit card numbers may have been exposed on the Internet.
His campaign manager, Cullen Sheehan, said the office became aware of a possible security breach of the donor database in January; an investigation, however, found that the data had not been accessed by an unauthorized party, according to a report on Wednesday in the Minneapolis-St. Paul Star Tribune.
Supporters received an e-mail from the nonprofit Wikileaks site on Tuesday night saying the Coleman campaign had leaked donor information and that it was on the Wikileaks Web site, as well as another e-mail providing some of the data in a spreadsheet as evidence, the report says. The spreadsheet contained information for more than 4,700 donors. But Wikileaks said it has data on more than 51,600 Coleman contacts.
Sheehan e-mailed supporters on Wednesday urging them to cancel their credit cards and hinted at political espionage. Coleman has asked federal authorities to investigate, according to the Star Tribune.
A report in The Minnesota Independent quotes an IT professional who says she was testing the security of the campaign's Web site in January and was easily able to access data without hacking.
IT consultant Adria Richards said she got the site's IP address by entering "colemanforsenate.com" into an OpenDNS cache-check tool, and then copied the IP address into a Firefox browser to reveal the Web site directories for colemanforsenate.com, the report says. She then posted a screen capture of what she found online and wrote about the security problems on her blog.
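The walk-through above describes a check any practitioner can repeat: resolve the site name to its address, request the server by bare IP so the request misses the name-based virtual host, and see whether the default site hands back a directory index. The following is an added example, not code from the report or from Richards, that automates the second half: it recognises an auto-generated index page, pulls out the entries it lists, and flags the ones that look like data exports. The sample listing, the file-type list and the `fetch_default_vhost` helper are this example's own assumptions; nothing here is taken from the Coleman site.

```python
import re
import socket
import urllib.parse
import urllib.request
from html.parser import HTMLParser

# File types that should not sit in a browsable listing on a public site.
# Illustrative list chosen for this example, not something the report specifies.
SENSITIVE_SUFFIXES = (".xls", ".xlsx", ".csv", ".sql", ".mdb", ".bak", ".zip")

# Constructed sample of an Apache-style auto-index page, standing in for a real response.
SAMPLE_LISTING = """<html><head><title>Index of /</title></head><body>
<h1>Index of /</h1><table>
<tr><th><a href="?C=N;O=D">Name</a></th><th><a href="?C=M;O=A">Last modified</a></th></tr>
<tr><td><a href="images/">images/</a></td><td>2009-01-05 10:12</td></tr>
<tr><td><a href="index.html">index.html</a></td><td>2009-01-05 10:12</td></tr>
<tr><td><a href="contacts-export%202008.csv">contacts-export 2008.csv</a></td><td>2009-01-28 16:40</td></tr>
</table></body></html>"""


class _HrefCollector(HTMLParser):
    """Collects every <a href> on a page; an index page's rows are plain links."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def looks_like_directory_listing(body: str) -> bool:
    """Apache mod_autoindex and nginx autoindex title the page 'Index of /...';
    IIS directory browsing shows a '[To Parent Directory]' link instead."""
    return (re.search(r"<title>\s*Index of\s*/", body, re.I) is not None
            or "[To Parent Directory]" in body)


def listed_entries(body: str) -> list:
    """Names linked from the index, minus the column-sort links (?C=N;O=D)
    and the parent-directory link (an absolute path or '../')."""
    collector = _HrefCollector()
    collector.feed(body)
    entries = []
    for href in collector.hrefs:
        if href.startswith(("?", "/", "../")):
            continue
        entries.append(urllib.parse.unquote(href))
    return entries


def audit_listing(body: str) -> dict:
    """Summarise what an index page exposes: whether it is a listing at all,
    what it lists, and which entries look like data exports rather than site assets."""
    if not looks_like_directory_listing(body):
        return {"listing": False, "entries": [], "sensitive": []}
    entries = listed_entries(body)
    sensitive = [e for e in entries if e.lower().endswith(SENSITIVE_SUFFIXES)]
    return {"listing": True, "entries": entries, "sensitive": sensitive}


def fetch_default_vhost(hostname: str, timeout: float = 5.0) -> str:
    """Resolve the name, then request the site root by bare IP. The Host header
    then carries the IP, so a name-based virtual host setup falls through to the
    server's default site. Needs network access; not exercised by the offline sample."""
    ip = socket.gethostbyname(hostname)
    with urllib.request.urlopen("http://%s/" % ip, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


if __name__ == "__main__":
    print(audit_listing(SAMPLE_LISTING))
```

Run `audit_listing(fetch_default_vhost("example.org"))` against a host you are authorised to test; a result with `"listing": True` means the default site is serving an index, and the `sensitive` list is where to look first. A listing found this way is a misconfiguration, not a break-in, which is the point the report makes about "without hacking".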
Richards began her investigative computer work after Coleman's campaign was accused of falsely claiming that its Web site crashed after being overwhelmed by traffic from people who were allegedly disenfranchised voters.
Coleman is challenging Franken's lead of 225 votes, following a recount. The case is being heard by a special three-judge panel. Closing arguments are expected to begin Friday in the trial, which has gone on for seven weeks.
Security experts have long cautioned about the risk posed by the use of peer-to-peer file sharing by individuals working in corporations, warning that the practice creates holes that let malware in and sensitive data out.
Their message may be having an impact in the P2P development community.
A trade group representing peer-to-peer file sharing providers next week will publish a report that finds P2P software companies are modifying their programs in an effort to make it harder for users to inadvertently share sensitive information.
For corporate IT administrators, that shift can't come soon enough. The problem was highlighted by the recent news that avionics blueprints of President Obama's helicopter had leaked through a peer-to-peer network used by a defense contractor to an IP (Internet Protocol) address in Iran.
This isn't the first time sensitive data has trickled out via popular file sharing networks. Last summer, personal information of some 1,000 former patients of the Walter Reed Army Medical Center was believed to have been leaked via a peer-to-peer network. Sensitive health care and financial data has also been found on file sharing networks, according to studies from Dartmouth College and P2P network monitoring service provider Tiversa, which also uncovered the leaked presidential helicopter data.
Peer-to-peer use at ABN Amro and Pfizer led to the exposure of personally identifiable information of more than 20,000 consumers in 2007. And then there was the symbolic slap in the face when politicians called P2P networks a potential "national security threat" at a congressional hearing that summer.
This screenshot illustrates how a peer-to-peer file sharing network works. (Credit: Tiversa)

Employees: The weak link
The problem, experts say, is that employees are violating corporate policy by using P2P at work or on work laptops to download MP3 files, or they take the work laptop home and their children install file-sharing software on it.
Ninety-three percent of P2P disclosures in the enterprise are inadvertent, said Tiversa Brand Director Scott Harrer. "You can't really guard against human error," he said.
The problem is compounded by the fact that the employees also tend not to be savvy enough to configure the settings so as to protect files they don't want to share from being distributed.
"The default settings tend to err on the side of being more open than more closed," Mark Loveless, a research scientist at technology non-profit Mitre, said on Thursday. This mirrors the security-versus-usability trade-off that software and Web services providers, like Microsoft and Google, often find themselves making.
If the P2P user isn't careful in establishing a shared folder for other users of the file sharing network to access, sensitive files anywhere on the computer can be exposed. For instance, a user can inadvertently open up files in the "My Documents" folder or anywhere in the entire C: drive.
"There are methods to configure the software to only share from a particular directory," said Loveless. "But you're talking about someone who has problems, in many cases, using Microsoft Word or corporate e-mail, apps they've had training on. So I would not expect them to necessarily know how to go about that and correct it."
Beyond having default settings that err on the side of openness and not security, the software is also designed to circumvent firewalls and other attempts to block it, Loveless said.
"P2P programs will use encrypted and sophisticated protocols to be able to talk to the Internet and evade (network monitoring) tools," he said. "They'll use multiple ways to try to get out on the Internet, undetected."
Historically, P2P programs used one specific TCP port for their traffic, but now they can pick a random port or use port 80, the port that carries ordinary Web traffic, which thwarts administrators' attempts to block P2P simply by closing a known port, said Sam Hopkins, the co-founder and chief technology officer at Tiversa.
The software also has tricks to get access to files behind firewalls. If a user wants something that is on a computer that is located behind a firewall, the system can communicate behind the scenes to get a third computer to ask the firewall protected computer to send the file out to the seeking user, he said.
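Because the port no longer tells you what a connection is, as Hopkins describes, a blocking rule has to look at the first bytes of the payload instead. The following is an added example, not code from Tiversa, Mitre or the article, that classifies captured flows by their opening handshake rather than by destination port: the plaintext Gnutella 0.6 handshake, the BitTorrent peer handshake and the eDonkey client HELLO framing are recognised outright, HTTP is recognised so that a Web request on an odd port is not mistaken for P2P, and anything that is high-entropy from its first byte on a non-TLS port is reported as opaque, which is as far as payload inspection gets with the encrypted protocols the article mentions. The sample flows, the alert policy and the entropy threshold are this example's own assumptions.

```python
import math
import random
from collections import Counter

# Wire-level fingerprints of the plaintext handshakes (protocol facts, not from the article).
GNUTELLA_HANDSHAKE = b"GNUTELLA CONNECT/0.6\r\n"
BITTORRENT_HANDSHAKE = bytes([19]) + b"BitTorrent protocol"
EDONKEY_PROTO, EDONKEY_OP_HELLO, EDONKEY_HASH_LEN = 0xE3, 0x01, 0x10
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"OPTIONS ")
P2P_LABELS = {"gnutella", "bittorrent", "edonkey"}

# What a port-only rule would have guessed; used only to show where it goes wrong.
PORT_GUESSES = {80: "http", 443: "https", 6346: "gnutella", 4662: "edonkey", 6881: "bittorrent"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; near 8.0 means encrypted or compressed content."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def is_edonkey_hello(p: bytes) -> bool:
    """eDonkey TCP framing: 1 byte protocol id, 4 byte little-endian length, 1 byte
    opcode. A client HELLO carries the user-hash length (0x10) right after the opcode,
    and the declared length must match what follows the 5-byte header."""
    if len(p) < 7 or p[0] != EDONKEY_PROTO:
        return False
    declared = int.from_bytes(p[1:5], "little")
    return p[5] == EDONKEY_OP_HELLO and p[6] == EDONKEY_HASH_LEN and declared == len(p) - 5


def classify_payload(payload: bytes) -> str:
    """Label a flow from its first payload bytes, independent of the port."""
    if payload.startswith(GNUTELLA_HANDSHAKE):
        return "gnutella"
    if payload.startswith(BITTORRENT_HANDSHAKE):
        return "bittorrent"
    if is_edonkey_hello(payload):
        return "edonkey"
    if payload.startswith(HTTP_METHODS):
        return "http"
    if len(payload) >= 128 and shannon_entropy(payload) > 7.0:
        return "opaque"  # encrypted or compressed from byte one; the protocol cannot be named
    return "unknown"


def classify_flows(flows):
    """flows: iterable of (dst_port, first_payload_bytes).
    Returns (port, port_based_guess, payload_based_label, alert) per flow. Opaque
    traffic is alerted on everywhere except 443, where TLS is expected; treat that
    as a triage signal, not a verdict."""
    results = []
    for port, payload in flows:
        label = classify_payload(payload)
        alert = label in P2P_LABELS or (label == "opaque" and port != 443)
        results.append((port, PORT_GUESSES.get(port, "unknown"), label, alert))
    return results


def _edonkey_hello() -> bytes:
    """Constructed client HELLO: opcode, hash length, 16-byte hash, client id, port."""
    body = bytes([EDONKEY_OP_HELLO, EDONKEY_HASH_LEN]) + bytes(16) + bytes(6)
    return bytes([EDONKEY_PROTO]) + len(body).to_bytes(4, "little") + body


# Constructed sample flows: deterministic pseudo-random bytes stand in for an encrypted stream.
_rng = random.Random(7)
OPAQUE = bytes(_rng.getrandbits(8) for _ in range(512))
SAMPLE_FLOWS = [
    (80, b"GNUTELLA CONNECT/0.6\r\nUser-Agent: LimeWire/5.0\r\nX-Ultrapeer: False\r\n\r\n"),
    (80, b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    (8080, b"GET /index.html HTTP/1.1\r\nHost: intranet\r\n\r\n"),
    (6881, BITTORRENT_HANDSHAKE + bytes(8) + bytes(20) + bytes(20)),
    (4662, _edonkey_hello()),
    (51234, OPAQUE),
    (443, OPAQUE),
]

if __name__ == "__main__":
    for row in classify_flows(SAMPLE_FLOWS):
        print(row)
```

The first two sample flows both go to port 80 and would both pass a port-based allow rule; only payload inspection separates the Gnutella handshake from the Web request. The last two flows show the limit Loveless describes: once the stream is encrypted, the most a sensor can say is that something opaque is leaving on a port where it has no business.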
And some P2P programs can be buggy, particularly software written by young enthusiasts rather than paid professionals. Meanwhile, files distributed over P2P networks are being used to spread viruses and other malware to unsuspecting downloaders. For instance, a Trojan circulated on BitTorrent in January in pirated copies of iWork '09.
There is also malware that can automatically scan a computer and when it finds a media file anywhere on the system it changes the P2P software configuration to share the entire drive the media file is in, Hopkins said.
Minimizing the risk
IT administrators need to have a written policy that specifies whether or not employees are allowed to use file sharing. And they need to use perimeter security software, including firewall and intrusion detection, "to lock down the ports used by P2P or to look for specific P2P network traffic," said Tony Bradley, director of security at Evangelyze Communications, a unified communications software and service provider.
Corporations also might consider encrypting sensitive information and using data loss prevention tools to block data leakage, experts said. And if they want to see if any of their data has found its way onto a P2P network, they can hire Tiversa to probe Gnutella, eDonkey and FastTrack file-sharing networks.
Tiversa probes the networks, searching for specific terms and lets customers know when it finds any data out there specific to that firm and helps pinpoint the source of the leak and stop it.
After lawmakers accused them of being part of the problem nearly two years ago, P2P providers and their trade group, the Distributed Computing Industry Association (DCIA), formed a working group to figure out ways to minimize the risk for P2P users and their networks. The DCIA prepared a report, dated Thursday, on Inadvertent Sharing Protection compliance that lists guidelines for better protecting P2P users and the percentages of its members that are following them.
The latest version of popular file sharing software, released earlier this year, LimeWire 5, includes a number of the suggested changes and served as a "poster child for compliance," said Marty Lafferty, chief executive of the DCIA.
The report shows 100 percent compliance with the guideline that recommends that default settings prohibit the sharing of user-originated files, while 57 percent of the respondents said they were complying with the guideline to offer a simple way for the user to disable the file-sharing functionality.
Other guidelines, with compliance percentages ranging from 29 percent to 71 percent, included requiring users to select individual files within a folder to share rather than sharing the entire folder, requiring the user to take affirmative steps to share sensitive folders and preventing the sharing of a complete network or external drive or user-specific system folder, such as "Documents and Settings." Among the guidelines are requirements for warnings to the user when particular settings might jeopardize security.
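The guidelines just listed, and the earlier point that a carelessly chosen shared folder exposes everything beneath it, reduce to a check on the share roots a client is configured with. The following is an added example, not code from the DCIA, LimeWire or any client, that audits a list of share roots against those guidelines (no whole drive, no network or external drive, no user profile tree or personal folder shared wholesale) and then shows which files on the machine a given configuration would hand to other peers. The Windows XP-era profile layout, the removable drive letters, the "Shared\LimeWire" folder name and the sample file paths are this example's own assumptions.

```python
from pathlib import PureWindowsPath

# Folder names under a profile that hold personal data; sharing one of them
# wholesale is what the guideline against whole-folder sharing is aimed at.
PERSONAL_FOLDERS = {"my documents", "documents", "desktop", "application data"}


def audit_share_roots(share_roots, user_profile, removable_drives=("E:", "F:")):
    """Return (root, finding) pairs for share roots that violate the guidelines.
    user_profile is the user's profile directory; removable_drives lists drive
    letters known to be external media (an assumption of this example)."""
    profile = PureWindowsPath(user_profile)
    removable = {d.upper() for d in removable_drives}
    findings = []
    for raw in share_roots:
        p = PureWindowsPath(raw)
        if p.parent == p:  # nothing above it: a drive root or a UNC share root
            if p.drive.startswith("\\\\"):
                findings.append((raw, "NETWORK_DRIVE"))
            elif p.drive.upper() in removable:
                findings.append((raw, "EXTERNAL_DRIVE"))
            else:
                findings.append((raw, "ENTIRE_DRIVE"))
        elif p == profile or p in profile.parents:
            # The profile itself, or a parent such as "Documents and Settings".
            findings.append((raw, "PROFILE_TREE"))
        elif profile in p.parents and p.name.lower() in PERSONAL_FOLDERS:
            findings.append((raw, "PERSONAL_FOLDER"))
    return findings


def exposed_files(share_roots, files):
    """Which of the given files other peers could fetch under this configuration:
    any file at or below a share root. Comparison is case-insensitive, as on Windows."""
    roots = [PureWindowsPath(r) for r in share_roots]
    exposed = []
    for f in files:
        fp = PureWindowsPath(f)
        if any(fp == r or r in fp.parents for r in roots):
            exposed.append(f)
    return exposed


# Constructed sample: one profile, a weak and a strict share configuration, a few files.
PROFILE = "C:\\Documents and Settings\\alice"
WEAK_SHARES = ["C:\\Documents and Settings\\alice\\My Documents", "\\\\fileserver\\public\\"]
STRICT_SHARES = ["C:\\Documents and Settings\\alice\\Shared\\LimeWire"]
FILES = [
    "C:\\Documents and Settings\\alice\\My Documents\\taxes-2008.xls",
    "C:\\Documents and Settings\\alice\\My Documents\\My Music\\track01.mp3",
    "C:\\Documents and Settings\\alice\\Shared\\LimeWire\\track01.mp3",
    "C:\\Program Files\\Company\\config.ini",
]

if __name__ == "__main__":
    print("weak config findings:", audit_share_roots(WEAK_SHARES, PROFILE))
    print("weak config exposes:", exposed_files(WEAK_SHARES, FILES))
    print("strict config findings:", audit_share_roots(STRICT_SHARES, PROFILE))
    print("strict config exposes:", exposed_files(STRICT_SHARES, FILES))
```

The weak configuration is the mistake Loveless describes: the user wanted to share a music folder, picked "My Documents" because the music lives under it, and in doing so published the spreadsheet next to it. The strict configuration shares a dedicated folder and exposes only what was copied into it. A client that follows the guidelines would refuse the first configuration or warn about it; this audit is how an administrator can check a client that does not.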
"We were concerned about user error in earlier versions of file sharing software where it was easier for users to make those mistakes," Hopkins said. "But a lot has been done to close those loopholes for the new versions."
IT managers are almost as worried about what sensitive corporate data is leaking out of the company as they are about malware infections from the Web, according to a new survey.
Nearly 40 percent of IT staff at mid to large companies in North America said they believed that unintentional leaks by employees are a bigger threat to the security of their data than spyware or malicious software, according to a survey of 109 IT decision makers conducted over the Web last month by Osterman Research for FaceTime, a company that sells tools that allow companies to easily monitor and block data leaks.
And 57 percent believe their corporate data is not protected adequately from leaks via IM or unified communications, the survey found.
The survey did not ask respondents how many had actually experienced data leaks.