Friday, February 26, 2010

FTC: Beware P2P Breach

The Federal Trade Commission is warning 100 companies and organizations that their data has been compromised by P2P software. According to the FTC press release, data on both employees and customers is involved.

The release also indicates that the breach is not because of any new exploit, but because of poorly configured P2P clients. Some P2P clients, like Limewire, set a specific share folder and by default only make files in that folder available to the network. Others share the entire hard drive by default. If you are using a client that shares the entire drive by default and don't set it to share only one specific folder, anything on your HD can be seen and downloaded by anyone else on the network.

This is nothing new, but it is obviously something that is still relevant. FTC Chairman Jon Leibowitz said,
“Unfortunately, companies and institutions of all sizes are vulnerable to serious P2P-related breaches, placing consumers’ sensitive information at risk. For example, we found health-related information, financial records, and drivers’ license and social security numbers--the kind of information that could lead to identity theft.”

I remember being amazed at what I could find with gnutella way back when. Sadly, it's not surprising that, more than a decade since I first noticed really neat stuff that obviously shouldn't be on a P2P network, the neat stuff that shouldn't be there still is. P2P is really neat, and really useful (not just for sharing music). But if you are a business and you use P2P, or one of your employees decides he needs to use P2P on his work computer and it shares the wrong folder or the whole drive, you could find yourself in violation of laws such as the Gramm-Leach-Bliley Act or HIPAA. As an individual, you know that Quicken or Microsoft Money file that has all of your banking info and can connect to your bank account? Your neighbor's 14-year-old now has access to all your money. And all he wanted was music.

The FTC isn't just talking about the users of P2P software. They say that it's just as important that companies who "distribute P2P programs, for their part, should ensure that their software design does not contribute to inadvertent file sharing. The easy way to do that is to have the P2P software's default setting 'share this folder.'" And that's what you need to do if you are developing P2P software.
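The two points above, a client that shares the whole drive or home directory instead of one dedicated folder, and a developer default of "share this folder", can both be checked mechanically. The following is an added example, not code from the blog post or from the FTC release: the P2P client, its configuration, and the directory tree are hypothetical and constructed here, and the list of sensitive file extensions is illustrative (Quicken `.qdf` and Money `.mny` stand in for the kinds of files the post mentions). It shows the secure default, a check that rejects a share root that would expose everything, and a walk of the share root that lists what a misconfigured client would actually hand to the network.

```python
"""Audit what a P2P client's share setting would actually expose.

Added example (not from the blog post or the FTC release). The P2P client,
its configuration, and the sample directory tree are hypothetical; the
sensitive file extensions are illustrative.
"""
import os
import tempfile
from pathlib import Path

# Extensions a defender would not want exposed; illustrative list.
SENSITIVE_EXTENSIONS = {".qdf", ".mny", ".pst", ".docx", ".xlsx", ".pdf"}

# The secure default the post argues for: one dedicated share folder.
DEFAULT_SHARE_SUBDIR = "Shared"


def default_share_root(home: Path) -> Path:
    """Secure-by-default: share one dedicated folder under the user's home, never the home itself."""
    return home / DEFAULT_SHARE_SUBDIR


def is_dangerous_share_root(share_root: Path, home: Path) -> bool:
    """True if the configured share root would expose the whole drive or the whole home directory."""
    share_root = share_root.resolve()
    home = home.resolve()
    # A filesystem/drive root is its own parent.
    if share_root.parent == share_root:
        return True
    # Sharing the home directory, or any ancestor of it, exposes everything the user owns.
    return share_root == home or share_root in home.parents


def exposed_sensitive_files(share_root: Path) -> list[str]:
    """Walk the share root as a P2P client would and list files with sensitive extensions."""
    found = []
    for dirpath, _dirs, files in os.walk(share_root):
        for name in files:
            if Path(name).suffix.lower() in SENSITIVE_EXTENSIONS:
                found.append(os.path.relpath(os.path.join(dirpath, name), share_root))
    return sorted(found)


def audit_share_config(share_root: Path, home: Path) -> dict:
    """Combine both checks into a report an admin or helpdesk script could act on."""
    return {
        "share_root": str(share_root),
        "dangerous_root": is_dangerous_share_root(share_root, home),
        "sensitive_files": exposed_sensitive_files(share_root),
    }


def build_sample_home() -> Path:
    """Constructed sample home directory: a dedicated share folder plus files that must never be shared."""
    home = Path(tempfile.mkdtemp(prefix="p2p_home_"))
    (home / "Shared").mkdir()
    (home / "Shared" / "song.mp3").write_bytes(b"")
    (home / "Finance").mkdir()
    (home / "Finance" / "accounts.qdf").write_bytes(b"")  # Quicken data file (constructed)
    (home / "Documents").mkdir()
    (home / "Documents" / "patients.xlsx").write_bytes(b"")  # health-related spreadsheet (constructed)
    return home


if __name__ == "__main__":
    home = build_sample_home()
    # Misconfigured client: the share root is the whole home directory.
    print(audit_share_config(home, home))
    # Correctly configured client: only the dedicated folder is shared.
    print(audit_share_config(default_share_root(home), home))
```

Run against the constructed tree, the first report flags the home directory as a dangerous share root and lists the Quicken and spreadsheet files as exposed; the second, using the dedicated `Shared` folder, flags nothing and lists nothing. The same two functions can be pointed at a real client's configured share path to see what a user's machine is offering to the network before the FTC does.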