As peer-to-peer file sharing systems grow in popularity, they are also becoming an increasingly dangerous channel through which confidential information leaks. That's according to a recent study by Dartmouth business school researchers.
P2P use has more than doubled in the past three years, from fewer than four million in 2003 to nearly 10 million in 2006. And it is evolving in ways that make it harder to block at corporate and residential firewalls.
One problem is that many of the programs have confusing or intentionally deceptive interface designs, so users end up sharing more through the P2P client than they intended. In addition, bugs in the client software can expose entire file directories that the user never chose to share.
“It is surprising how much data is out there, accessible on P2P networks and how damaging some of it is. It’s jaw dropping,” says Scott Dynes, one of the study’s co-authors and a senior research fellow at Dartmouth’s Institute for Security Technology Studies.
The new P2P warnings from Dartmouth arrived at about the same time as the announcement of a major P2P-related corporate data breach. A Pfizer worker has been blamed for leaking personal financial information on more than 17,000 current and former Pfizer employees. The information breach came after the employee installed unauthorized file-sharing software on a company laptop. The sensitive files were then accessed by one or more third parties.
Efforts by Internet service providers (ISPs), organizations, and copyright holders to limit P2P both technically and legally have prompted P2P developers to create decentralized, encrypted, and anonymous networks, according to the study. The networks are difficult to track, designed to accommodate large numbers of clients, and capable of transferring vast amounts of data.
The study shows how P2P networks could yield a bounty of sensitive business data, including personal information on customers and employees. The researchers focused on finding information from the top 30 U.S. banks. With the assistance of a P2P monitoring tool from a company called Tiversa, the researchers found about 12,700 documents that might relate to the banks.
Through a largely manual analysis, the researchers found 1,708 documents containing sensitive bank information. Most of the documents appeared to have been exposed from home machines used for both business and personal computing, according to the study. Such machines typically fall outside the P2P controls that corporate IT departments apply, it stated.
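The two failure modes above, a client that shares a wider directory than the user meant to expose and a manual hunt for documents that mention bank names or contain account data, can be reproduced as a local audit. The script below is an added example, not code from the Dartmouth study or from Tiversa; the home directory, bank names and the SSN and card number in it are constructed, and the "intended versus configured share" split simply models a confusing client UI or a share-directory bug.

```python
"""Audit what a P2P client's share configuration would actually expose.

Added example; the sample home directory, BANK_KEYWORDS and the personal
data inside the files are all constructed (no real bank names or people).
"""
import os
import re
import tempfile
from pathlib import Path

# Stand-ins for the bank name list the researchers searched for (constructed).
BANK_KEYWORDS = ("example bank", "firstbank")

# Content detectors: an SSN-shaped pattern, and a digit run that is only
# reported as a card number if it also passes the Luhn check.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; filters random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def exposed_files(share_roots):
    """Every regular file the client serves when it shares share_roots recursively."""
    files = set()
    for root in share_roots:
        for dirpath, _dirs, names in os.walk(root, followlinks=False):
            for name in names:
                files.add(Path(dirpath, name).resolve())
    return files


def classify(path: Path):
    """Labels for a file: bank keyword in name/content, SSN, Luhn-valid card number."""
    labels = set()
    try:
        text = path.read_text(encoding="utf-8", errors="ignore")
    except OSError:
        return labels
    haystack = (path.name + "\n" + text).lower()
    if any(k in haystack for k in BANK_KEYWORDS):
        labels.add("bank_keyword")
    if SSN_RE.search(text):
        labels.add("ssn")
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            labels.add("card_number")
            break
    return labels


def audit(share_roots, intended_roots, base):
    """Compare what the client exposes with what the user meant to share."""
    intended = {Path(p).resolve() for p in intended_roots}
    base = Path(base).resolve()
    report = {"exposed": 0, "unintended": [], "sensitive": {}}
    for f in sorted(exposed_files(share_roots)):
        report["exposed"] += 1
        rel = f.relative_to(base).as_posix()
        if not any(f == root or root in f.parents for root in intended):
            report["unintended"].append(rel)
        labels = classify(f)
        if labels:
            report["sensitive"][rel] = sorted(labels)
    return report


def build_sample_home() -> Path:
    """Constructed home directory; every identifier in it is fake."""
    home = Path(tempfile.mkdtemp(prefix="p2p_audit_")).resolve()
    docs = home / "Documents"
    (docs / "Music").mkdir(parents=True)
    (docs / "taxes").mkdir()
    (docs / "work").mkdir()
    (docs / "Music" / "song.mp3").write_bytes(b"\x00" * 64)
    (docs / "notes.txt").write_text("grocery list\n", encoding="utf-8")
    (docs / "taxes" / "2006_return.txt").write_text(
        "Taxpayer SSN: 123-45-6789\n", encoding="utf-8")
    (docs / "work" / "customer_list.csv").write_text(
        "name,card\nJ. Doe,4111 1111 1111 1111\nissuer,Example Bank\n", encoding="utf-8")
    return home


def demo():
    """User meant to share only Music; the client shares all of Documents."""
    home = build_sample_home()
    docs = home / "Documents"
    return audit([docs], [docs / "Music"], home)


if __name__ == "__main__":
    print(demo())
```

Run against a real machine, point `share_roots` at the directories the installed client lists as shared and `intended_roots` at what the user says they meant to share; anything in `unintended` is the interface or bug problem, and anything in `sensitive` is what a keyword-driven P2P search of the kind the study used would turn up.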
In addition to blocking workplace P2P use, companies should develop clear policies on laptop use and on taking business files onto home machines, according to the study. Companies may also want to rework their file naming conventions so that outsiders searching P2P networks by company or bank name are less likely to stumble on sensitive files; that only lowers the chance of discovery, since a file that is shared remains readable by whoever does find it.