U.S. Supreme Court Judge Data Exposed Via P2P

The Washington Post today ran a story I wrote on a data breach of a local investment firm that exposed the names, birth dates and Social Security numbers of some of the Washington area's most powerful attorneys, including Supreme Court Justice Stephen Breyer. I was able to trace the breach back to a former employee who accidentally shared the company's client list while browsing for files on the LimeWire peer-to-peer network.

I'm calling attention to this story because this morning I heard from reader Christopher Lynt, a patent attorney from Virginia whose personal data was included in the file exposed via P2P. He told me that last July, an identity thief used his SSN and birth date to have $1,000 wired to Mexico from Lynt's bank and credit accounts. His tale caught my attention because I'd heard a nearly identical account from another attorney I contacted for today's story who had asked not to be named in the piece.

One interesting detail that didn't make it into the final edition of the paper this morning involves the source of my story. When he first tipped me off on how to find the data on LimeWire, he told me he downloaded the file from a computer whose Internet address traced back to Tijuana, Mexico. When he selected "browse host" to check out the rest of the files being shared by that user, he discovered dozens of similar documents, including tax returns from different U.S. states, as well as lists of credit, debit and bank account numbers.

Lynt said the thief used an online mortgage application system to obtain a credit report listing his various accounts. Investigators told him that in convincing the bank employee to wire the funds, the thief claimed he was on vacation in Mexico and had lost his wallet. The bank ultimately refunded Lynt the fraudulent wire transfer, but in the meantime a check he wrote to the Virginia Bar Association bounced.

"That was pretty embarrassing," Lynt said. "This guy really knew how to work the system."

Then, in March, someone using the same technique tried to withdraw cash from his accounts again, but the transaction failed because Lynt had since protected all of his accounts with difficult-to-guess passwords. Lynt said he was contacted recently by a fraud investigator from his mortgage company, who was looking into 75 to 80 potentially related cases.

A handful of readers also contacted me today to complain that my story was trying to demonize P2P use. Nothing could be further from the truth. In fact, I think LimeWire is among the leaders among P2P software makers in making it more difficult for users to unknowingly share private data (at least in the latest versions of the software). What's more, I'm actually a big fan of P2P: I find plenty of interesting and useful information on these networks.

All kidding aside, far too many people who use P2P software fail to take the one or two minutes required to ensure they're not inadvertently sharing private or proprietary data.
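One way to spend that minute or two is to scan the folder the client exports before the client does, and flag anything that looks like a Social Security number or a payment card number. The script below is an added example, not code from the original post or from LimeWire; the SSN and card-number patterns, the Luhn filter used to cut false positives, and the sample "shared" folder it builds are all constructed for the example. It reads files as text, so spreadsheets, Word documents and PDFs would need a text-extraction step in front of it.

```python
"""Scan a folder exported by a P2P client and flag files that appear to
contain SSNs or payment card numbers.  Added example; the patterns, the
folder layout and the sample files are constructed, not from the post."""
import os
import re
import tempfile

# SSN shape 123-45-6789, rejecting area numbers 000, 666 and 9xx and the
# all-zero group/serial fields that are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

# 13 to 19 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check (ISO/IEC 7812)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_sensitive(text: str) -> dict:
    """Return {'ssn': [...], 'card': [...]} for one file's text.

    Card hits are reported as their last four digits only, so the report
    itself does not become another copy of the data."""
    findings = {"ssn": [], "card": []}
    for m in SSN_RE.finditer(text):
        findings["ssn"].append(m.group())
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        # Luhn filters out most phone/serial-number style false positives.
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings["card"].append(digits[-4:])
    return findings


def scan_shared_folder(root: str, max_bytes: int = 5_000_000) -> dict:
    """Walk `root` and return {relative_path: findings} for files with hits."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.getsize(full) > max_bytes:
                continue            # skip large media; this reads text only
            with open(full, "r", encoding="utf-8", errors="ignore") as fh:
                findings = find_sensitive(fh.read())
            if any(findings.values()):
                report[os.path.relpath(full, root)] = findings
    return report


def demo() -> dict:
    """Build a constructed 'shared' folder, scan it and return the report."""
    with tempfile.TemporaryDirectory() as shared:
        os.makedirs(os.path.join(shared, "music"))
        with open(os.path.join(shared, "music", "playlist.txt"), "w") as fh:
            fh.write("track01.mp3\ntrack02.mp3\n")
        # A client list that should never have been in the shared tree.
        # 987-65-4321 is rejected by the area-number filter; 123-45-6789 is not.
        with open(os.path.join(shared, "clients.csv"), "w") as fh:
            fh.write("name,dob,ssn\n"
                     "J. Doe,1955-03-12,123-45-6789\n"
                     "A. Roe,1961-07-04,987-65-4321\n")
        # 4111 1111 1111 1111 is a Luhn-valid test number; the second line
        # has a transposed final digit and fails the check.
        with open(os.path.join(shared, "cards.txt"), "w") as fh:
            fh.write("visa 4111 1111 1111 1111 exp 09/10\n"
                     "typo 4111 1111 1111 1112\n")
        return scan_shared_folder(shared)


if __name__ == "__main__":
    for path, hits in demo().items():
        print(path, hits)
```

Point the scanner at the real shared directory instead of the temporary one in `demo()`; anything it reports should be moved out of the tree before the client is started.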

Yes, there are plenty of companies out there that offer hardware and software solutions to businesses that want to prevent employees from using P2P software. But a far simpler and less expensive approach is for companies not to let their employees run their computers using all-powerful administrator accounts, which have full rights to install software and monkey with important security and file integrity settings on the machine (obligatory plug for the limited user approach here).

It's fine for companies to have policies clearly stating that employee use of P2P software is a potentially career-ending offense, but once that company's data is up on P2P networks, it becomes extremely hard to stuff that genie back into the bottle.

By Brian Krebs  |  July 9, 2008; 4:40 PM ET
Categories:  Fraud , From the Bunker , Latest Warnings , Safety Tips  


While companies may have policies in place that state that no P2P software should be used or installed on a corporate system, finding the offender and proving that he or she transferred files using Limewire can be daunting. The reason is that Limewire encrypts its transfers. Most network monitoring software is unable to decrypt encrypted traffic. Adding to the problem is the fact that a router or proxy might be between the monitoring sensor and the user's system, making it difficult, if not virtually impossible, to track the offender down. Limewire and other P2P software now use dynamic port assignments making it difficult to block the protocol at the router or firewall. So, it's also an arms race. While least privilege is a great policy for desktop administration, it can be negated by laptops and mobile users to an extent.

Posted by: John Moore | July 9, 2008 11:53 PM

No disrespect, but proof-reading your stories would be a good idea.

Posted by: R | July 10, 2008 3:52 AM

I've always equated using P2P software to risky behavior like unsafe sex with random strangers. It's only a matter of time before you pick up every conceivable piece of malware out there. And in most cases, as is documented in this article, expose the contents of your hard drive to the world. Then again, people do stupid things all the time, seems increasingly so these days. I chalk it up to sloth.

Posted by: TJ | July 10, 2008 9:30 AM

@R -- If you see a typo, why not let me know so I can correct it?

Posted by: Bk | July 10, 2008 11:07 AM

Dear Mr. Krebs:

Thank you for your work on this issue over the years, which I have cited in some of my own work.

I have to disagree, however, that LimeWire is entitled to any praise for their conduct related to inadvertent sharing. In 2002, they did distribute a file-sharing program that made it more difficult than most for users to share files inadvertently. But after computer-science researchers identified "features" in other programs that were causing users to inadvertently share files, the distributors of LimeWire incorporated more aggressive versions of those known-to-be-dangerous "features" into their program. They then left those features in their program for years--even after identifying one of them as a probable cause of users inadvertently sharing classified military data. Those are not the acts of a responsible program distributor.

I have published two reports on these issues. The more comprehensive report is available here:

A report focusing on LimeWire and the problems with its more recent anti-inadvertent-sharing features is available here:

I hope these are useful. --Tom

Posted by: Tom Sydnor | July 10, 2008 11:44 AM

While I can understand Mr. Sydnor's position on the responsibility (or lack thereof) in regards to has to question the lack of control and/or responsibility of a network administrator and management in general that allows file sharing software with no conceivable legitimate use on a network. Especially one that contains classified military data.

Posted by: Charles Decker | July 10, 2008 12:00 PM

I certainly hope the information about the Tijuana computer is being shared with the proper authorities and that this #@$%^ thief is brought to justice...
I cannot begin to tell you what a time-consuming hassle dealing with this has been for the last year! And I caught it on the first day it happened due to a credit monitoring service I used. It took me nearly a year, and I had to threaten to sue under the FCRA, to get all three major credit bureaus to remove the fraudulent inquiries this guy caused in July 2007 and March 2008 from my credit reports - they were affecting my credit score! The problem is out of control - and the local police (Fairfax County) have "no resources to deal with it" according to them today on the phone - the FBI just refers you to the FTC to file an Identity Theft Report, no enforcement action is taken there, they don't have enforcement authority - ever heard of Catch-22? The Secret Service says $1000 is below their jurisdictional limits - the bank and credit card companies just write off the losses and pass them on to paying customers - and somewhere out there, some guy got, conservatively, $80,000 using this pilfered data and a good con-line, and nobody it seems is going to bust him! The March 2008 attack made IndyMac Bank pretty upset, their on-line mortgage system was cracked into, and they've hired an investigator to track this crook down.
BTW, I am one of those paranoid types who shreds everything, has paperless statements, uses 16 character passwords, encrypts my hard drive, etc. But between the NSA and the crooks, and possibly negligent companies, we have no privacy anymore - we have to assume all of our data is out there for all to see - and the congress gives retroactive immunity to the telecoms! Join the Electronic Frontier Foundation at - what else can we do? Rage against the machine?

Posted by: CHRISTOPHER LYNT | July 10, 2008 4:41 PM

This article is a stark reminder that companies need to be aware of what their employees are doing with company computers.

Many businesses do not have a full understanding of the software being used in their organization and have inadequate controls to ensure lawful software use. To avoid exposure to cyber security and legal risks, businesses must create, communicate, and enforce an effective software asset management (SAM) program. Businesses can download a variety of free basic SAM tools from the Business Software Alliance website at .

Meanwhile, Congress has been discussing for years and should adopt pending legislation that protects consumers' data while providing a workable, technology-neutral framework to businesses that handle such data.

Robert Holleyman
President and CEO
Business Software Alliance

Posted by: Robert Holleyman, BSA | July 11, 2008 10:53 AM

In addition to securing peer-to-peer communications, enforcing limited user permissions, and establishing organizational policies for acceptable and restricted email, file and computer communications; network security officers in Washington DC, may consider consulting with New Zealand authorities concerning an anti-spam raid in Christchurch, December 2007. There is a direct connection from the New Zealand operation, which is international in nature, to a Washington DC establishment located in the financial district which obtains access to the email addresses of their patrons as a requirement for entry.

Posted by: Anonymous | July 12, 2008 4:14 AM

I am so disappointed in people that suffer from greed. They would rather steal from others, possibly because they aren't as brilliant as they want people to think they are, nor are they as responsible, for if they were, they would invest their own finances and there wouldn't be any problem for them to live comfortably, but obviously, they learned how to be corrupt, got away with it once and figured they will continue to do it, until they get caught. Well, in my opinion, those are the ones that should be incarcerated and then maybe, they'll learn a very important lesson, which is, that what belongs to another only becomes yours if they want you to have it, not by you stealing it or threatening another to allow you to have it! Extortion has totally gotten out of hand as well, and we wonder why people are tired? It's all over the news. Banks are allowing individuals to conduct themselves in such a manner, but I say, get the head and the tail will follow! I hope everyone who has fallen victim to such individuals will receive their monies back!

Posted by: ELois Poole-Clayton | July 15, 2008 4:54 PM


© 2010 The Washington Post Company