Cybereye | The peer-to-peer threat
An investment firm in Virginia has joined the ranks of organizations embarrassed, or worse, by a data breach caused by peer-to-peer file sharing. An employee at Wagner Resource Group using LimeWire inadvertently exposed the personally identifiable information for several thousand clients, including one U.S. Supreme Court justice.
Similar breaches have occurred at the pharmaceutical company Pfizer, at Walter Reed Army Medical Center and scores of other organizations with lower profiles. Employees who install unauthorized file-sharing software on work computers end up exposing much more than they intended.
The threat from such services should be no secret: They expose to your peers more than just the music, video and other files you have downloaded. They also can open up any other files stored with them.
The U.S. Patent and Trademark Office produced a report in 2006 on some of the unsavory features included in peer-to-peer file-sharing applications. Researchers focused on five applications: BearShare, eDonkey, KaZaA, LimeWire and Morpheus. Their first finding was that these programs give other network users access to files that have been stored in a shared folder. This was no surprise; file sharing is what these applications are all about. But less well known is the report's second finding: All five programs also made all files stored in a new folder available for sharing. Some of the P2P programs PTO tested included a search wizard to scour hard drives for other interesting folders. Putting shared files anywhere on your computer is like throwing water on a grease fire. It only spreads the problem.
Peer-to-peer applications get a bad rap because they are associated with illegal sharing of copyrighted materials. However, the technology should not be condemned just because it can be misused. Peer-to-peer networking is a potentially powerful and useful tool that is likely to be seen in many more forms as IPv6 is enabled on government networks.
The problem is unauthorized use of applications that have been built for informal communities that may or may not be skirting the law.
In short, it is not a good idea to put LimeWire or any other unauthorized application on your work computer. In government, the adoption of the Federal Desktop Core Configuration should help eliminate this problem, but as long as data is transferable, the risk will always be there.