WikiLeaks P2P Searching Claims Highlight File-Sharing Security Risks
Allegations against WikiLeaks have spotlighted a key avenue for data leaks: peer-to-peer (P2P) networks.
According to Tiversa, which specializes in monitoring P2P networks, WikiLeaks has mined popular applications such as Kazaa and LimeWire for data in the past-despite statements from WikiLeaks that it does not actively search for information. As an example, Tiversa contends that on Feb. 7, 2009, it detected four machines in Sweden searching and downloading information via P2P.
Those searches ultimately led to a computer in Hawaii with a survey of the Pentagon's Pacific Missile Range Facility there, Bloomberg News reported. Tiversa reportedly captured the download of the PDF file by one of the Swedish computers. According to Bloomberg News, the document exposed details of infrastructure changes involved in adding a new sensor system. The document was reportedly renamed and posted on WikiLeaks in April 2009.
There were other examples as well, such as Army intelligence documents posted by WikiLeaks in 2009 that were exposed to searching on P2P networks in September 2008. Then there was a spreadsheet posted by WikiLeaks in late 2009 detailing potential targets of terrorism in Fresno County, Calif. The document was reportedly exposed accidentally by a California state employee in August 2008.
WikiLeaks denied Tiversa's claims in an e-mail to Bloomberg News. Regardless, this was hardly the first time P2P networks were found to be home to sensitive information. In February 2010, the U.S. Federal Trade Commission notified nearly 100 organizations that personal information, including customer and employee data, had been shared from the organizations' computer networks and was available on P2P file-sharing networks.
"The massive exposure of sensitive data on P2P networks is not a new issue; however, the awareness of its breadth is," said Scott Harrer, brand director at Tiversa.
Organizations of every size need to be diligent about file-sharing use, he said, adding that large brands with armies of suppliers or a dispersed workforce need to have proactive tools in place to detect and mitigate data loss via P2P.
"Over 90 percent of the data disclosures that we see on P2P emanate from suppliers, partners and remote employees," he said.
Some organizations look to data leak prevention (DLP) technologies to solve the problem.
"Historically, the way to deal with protecting against data leaks over P2P was simply to shut it down with old-style application control products," said Robert Hamilton, senior product marketing manager for DLP at Symantec. "Now, with the consumerization of IT and the blending of work and personal life, it has become harder to simply turn off P2P. Increasingly, people are expecting and asking for access to P2P applications and are using them on personal time. So the new goal is to allow employees to use the P2P applications, just not with confidential data."
There is however no shortage of organizations willing to ignore the issue of insider data loss or theft, said Mike Spinney, a senior privacy analyst at the Ponemon Institute.
"The focus is too much on technology and not enough on people," he said. "In 2009 we did a study on data loss that occurs, for example, when employees are fired, laid off or voluntarily change jobs. It was very high. Fifty-nine percent of those with whom we spoke said they took information with them when they left a job.
"Granted, some people will do this anyway-they will regard proprietary information as their parting gifts-but for most people it wasn't a malicious act but simple ignorance," he continued. "They weren't aware of any policy forbidding them from taking the information, and they felt entitled because they had a role in creating it. So, I can't stress enough the importance of creating meaningful use and governance policies, communicating the policies effectively across all corporate strata, and enforcing the policies."