Network News

X My Profile
View More Activity

Congress Investigating P2P Data Breaches

A key oversight panel in the House of Representatives said this week that it is re-opening an investigation into the "indavertent sharing" of sensitive government and consumer data through popular peer-to-peer file swapping programs such as BearShare and Limewire.

The inquiry from the House Committee on Oversight and Government Reform comes just weeks after revelations that blueprints for Marine One -- President Barack Obama's helicopter -- were being traded on P2P networks.

Committee Chairman Edolphus Towns (D-N.Y.) and ranking Republican Darrell E. Issa (Calif.) sent a letter (PDF) to Attorney General Eric Holder, asking the Justice Department to detail what it is doing to protect Americans from the dangers of data breaches via P2P networks. The committee also asked (PDF) Federal Trade Commission Chairman Jonathan Leibowitz what his agency was doing to investigate P2P networks, and whether the makers of P2P software were adequately disclosing to consumers the risks associated with using the programs.

In addition, the panel demanded answers (PDF) from Mark Gorton, chairman of The Lime Group, the New York, N.Y., company whose software powers the Limewire network. Gorton's office did not return calls seeking comment by the time of publication.

At a hearing before the committee on P2P-based breaches in July 2007, the committee heard testimony from witnesses who obtained bank records, health records, military files, tax returns, corporate documents, and other sensitive documents through LimeWire. Gorton told the committee he was unaware that classified information was available over the network and that people were searching for credit card data via P2P.

"It appears that nearly two years after your commitment to make significant changes in the software, LimeWire and other P2P providers have not taken adequate steps to address this critical problem," Towns wrote.

The committee went on to list a series of recent high-profile data breaches attributed to P2P use. For example:

-In March, A 35-year-old Seattle man was sentenced to 51 months in jail for stealing banking and credit information from file-sharing users, and then using that data to open fraudulent credit accounts or make unauthorized purchases.

-On Feb. 23, a Dartmouth College professor published paper reporting that over a two-week period he was able to search a P2P network and uncover tens of thousands of medical files containing names, addresses, and Social Security numbers for patients seeking treatment for conditions such as AIDS, cancer, and mental health problems. The professor found links to four major hospitals and 355 insurance carriers that provided health coverage to 4,029 employers and 266 doctors.

-On July 9, 2008, The Washington Post reported that an employee of an investment firm who allegedly used LimeWire to trade music or movies inadvertently exposed the names, dates of birth, and Social Security numbers of about 2,000 of the firm's clients, including Supreme Court Justice Stephen Breyer.

On a separate note, I will be hosting another Security Fix live online chat this Friday at 11 a.m. ET. Please join us for the discussion then, and/or send me a question early.

By Brian Krebs  |  April 22, 2009; 3:28 PM ET
Categories:  U.S. Government  | Tags: bearshare, data breach, house government reform, limewire, p2p  
Save & Share:  Send E-mail   Facebook   Twitter   Digg   Yahoo Buzz   Del.icio.us   StumbleUpon   Technorati   Google Buzz   Previous: Time for an Internet A-Team?
Next: Obama's Cyber Czar Offers Few Details on Govt. Strategy

Comments

Hi Brian,

Last summer I posted a blog article (below)on how PC users without admin rights can install and run software such as P2P. Since then, this article has represented roughly 40% of all the search engine based site visits. There's clearly a demand for this as illustrated with your article.

This is a problem my company strives to counter with our AppGuard and EdgeGuard products and services.

The federal folk I've met with this year are quite interested but must await the results of comprehensive prioritization and budgeting exercises.

Article: Can End-users Install Software Without Administrative Privileges? Yes They Can!

http://www.securitynowblog.com/endpoint_security/can-end-users-install-software-without-administrative-privileges-yes-they-can

Posted by: eiverson1 | April 23, 2009 12:17 PM | Report abuse

The comments to this entry are closed.

 
 
RSS Feed
Subscribe to The Post

© 2010 The Washington Post Company