Cyber-criminals Use P2P Tools for Identity Theft, Security Analyst Warns
EAST PALO ALTO, Calif. - Cyber-criminals are multiplying quickly and becoming more sophisticated in the ways they take advantage of unwitting individual Internet users and companies, a nationally recognized cyber-security specialist told an SD Forum seminar audience June 22.
And peer-to-peer networks such as Limewire, Kazaa, Grokster and others aren't helping to quell the increase in crimes committed via the Internet, he said.
"It used to be only burglaries from people's homes and businesses," said Howard Schmidt, a former cyber-security adviser to the Bush administration, former chief information security officer at Microsoft and eBay, and now a principal in R&H Security Consulting in Issaquah, Wash.
"Those still happen, of course, but now, it's so much more lucrative to break into people's online information and steal someone's identity, that a lot of bad people around the world are spending an awful lot of time learning to do it."
Schmidt, a co-architect of the national cyber-security policy presented to the president's Critical Infrastructure Protection Board in 2003 by himself and then-Homeland Security Secretary Tom Ridge, prefers to call the Internet the "Evernet" and points to careless or ignorant use of P2P applications as a major part of the current identity theft problem.
The term Evernet has been used to describe the convergence of wireless, broadband and Internet telephony technologies that will result in people's ability to be continuously connected to the Web anywhere using virtually any information device.
"We are connected today like we've never been connected before," Schmidt said.
"We depend on the Evernet like nothing we have before. And nobody, I repeat, nobody has privacy. Ever opened one of those offers to see your free credit report? If you haven't, do it. You may be surprised to find what's in there, whether it's right or wrong. And you're not the only one who can get to it, either. It's amazing how much information is available to anybody who really wants to look for it."
People who use P2P applications to download music, software, photos and other items may leave themselves wide open to identity theft by simply being unaware of their computer settings. It's like leaving the front door wide open for a burglar, Schmidt said.
"For example, one woman's credit-card information was found in such disparate places as Troy, Mich., Tobago, Slovenia, and a dozen other places. Why? We found that the shared folder in her music-downloading application was in fact making readily available her entire My Documents folder to that app's entire P2P audience, 24 hours per day," Schmidt said.
Cyber-criminals are becoming more sophisticated about how to use search, especially within these P2P apps, Schmidt said.
"We're not just searching for music," Schmidt said with a laugh.
Simply by typing in common search terms such as "bank May statement," "stop payment," and others in Limewire's search function, for example, valuable personal information is often getting into the wrong hands, enabling cyber-looting.
Another problem area involves online health records, Schmidt said.
"In one case of this sort, a criminal searched for and found 117,000 medical-record passwords, just by knowing how to search in a P2P app on the Web," Schmidt said.
Medical records by their very nature contain a great deal of information besides a person's health and medicine history; they include addresses, phone numbers, Social Security numbers, payment information, insurance information and much more, he said.
What can be done about closing these online security gaps?
Schmidt said there is a five-point national program in place for securing cyberspace:
- a national cyberspace task force to track virus creators around the world;
- a Threat and Vulnerability Reduction Program aimed at developers, "so that they will become more aware of writing tighter code and self-healing applications that will eventually be able to take care of these problems by themselves," Schmidt said;
- a national awareness and training program, to teach people how to be more cognizant of their own security issues;
- a Secure Government Systems program that works with U.S. government value-added resellers to raise awareness of these issues; and
- an international cooperation program for all of the above.
"There are now an estimated 840 million regular users of the Evernet," Schmidt said.
"It'll be up to 1 billion by next year. All those users can't do their security all by themselves; they need all the help they can get."