
ShmooCon | P2P Snoopers Know What's In Your Wallet

People send their most sensitive personal information out over P2P networks, and the bad guys are watching.

By , Senior Editor

February 05, 2010, CSO

WASHINGTON D.C. -- Being security researchers and all, Larry Pesce and Mick Douglas thought it would be a hoot to take a look at some of the information people send out over peer-to-peer (P2P) networks. They were taken aback by what they found.

At the 2010 ShmooCon security conference Friday, the duo showed off the extremely sensitive information they've been able to intercept, including driver's licenses and passports, tax return forms with Social Security numbers, someone's last will and testament, and information on one man's secret activities that could potentially be exploited by terrorists.


Douglas and Pesce were inspired to look at P2P networks after highly-publicized incidents where details on a U.S. Secret Service safe house for the First Family leaked out on a LimeWire file-sharing network. In another incident, classified data on the communications, navigation and management systems on Marine One were found in a publicly available shared folder on a computer in Tehran, Iran, after apparently being leaked over a P2P network.

As part of the experiment, the duo used such search terms as word, doctor, health, passwd, password, lease, license, passport and visa. File names used included password.txt, TaxReturn.pdf, passport.jpg, visa.jpg, license.jpg, signons2.txt, and signons3.txt. They also hunted for material with the following file extensions: .pst, .cfg, .pcf, .doc, .docx, .xls, .xlsx, .pdf, .tax, .qdb, .qmd, .qsd, .qtx, .idx, .qif, .mny, .ofx, .ofc, .txt.
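The same lists work in the other direction: auditing a folder before it is exposed to a P2P client. Below is an added example (not code from the researchers' talk or from the article) that walks a directory, flags files by the names, name keywords and extensions listed above, and adds an assumed content check for SSN-shaped numbers; the sample files in `demo()` are constructed.

```python
import os
import re
import tempfile
from pathlib import Path

# Lists reported in the article: the extensions and file names the researchers searched for.
RISKY_EXTENSIONS = {".pst", ".cfg", ".pcf", ".doc", ".docx", ".xls", ".xlsx", ".pdf", ".tax",
                    ".qdb", ".qmd", ".qsd", ".qtx", ".idx", ".qif", ".mny", ".ofx", ".ofc", ".txt"}
RISKY_NAMES = {"password.txt", "taxreturn.pdf", "passport.jpg", "visa.jpg",
               "license.jpg", "signons2.txt", "signons3.txt"}
RISKY_KEYWORDS = ("password", "passwd", "passport", "visa", "license", "lease", "health", "doctor")
# Assumed content check: a US SSN-shaped number (NNN-NN-NNNN), a shape test rather than a validator.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

def classify(path, content_sample: bytes = b"") -> list:
    """Return the reasons a file should not sit in a shared folder (empty list = nothing found)."""
    path = Path(path)
    name = path.name.lower()
    reasons = []
    if name in RISKY_NAMES:
        reasons.append("exact-name-match")
    if any(k in name for k in RISKY_KEYWORDS):
        reasons.append("keyword-in-name")
    if path.suffix.lower() in RISKY_EXTENSIONS:
        reasons.append("risky-extension")
    if SSN_RE.search(content_sample.decode("utf-8", "ignore")):
        reasons.append("ssn-like-number")
    return reasons

def audit_shared_folder(root: str, sample_bytes: int = 4096) -> dict:
    # Map each flagged file (path relative to root) to the list of reasons it was flagged.
    findings = {}
    for dirpath, _, files in os.walk(root):
        for fname in files:
            p = Path(dirpath) / fname
            with open(p, "rb") as fh:
                sample = fh.read(sample_bytes)  # only the head; enough for the shape check
            reasons = classify(p, sample)
            if reasons:
                findings[str(p.relative_to(root))] = reasons
    return findings

def demo() -> dict:
    """Audit a constructed shared folder built in a temporary directory."""
    with tempfile.TemporaryDirectory() as root:
        (Path(root) / "track01.mp3").write_bytes(b"ID3 constructed audio")
        (Path(root) / "password.txt").write_text("webmail: hunter2\n")
        (Path(root) / "TaxReturn.pdf").write_bytes(b"%PDF-1.4 constructed")
        (Path(root) / "notes.txt").write_text("call the IRS back about 123-45-6789\n")
        return audit_shared_folder(root)
```

The extension list is deliberately broad (.txt, .pdf, .doc), so treat hits as a triage queue rather than verdicts; the name and content reasons are the ones worth acting on first.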

Pesce described the findings as a lesson in stupidity and compared the act of stealing identities through P2P to "clubbing baby seals."

Along with the typical malware samples, music and porn, the researchers unearthed some of the following:

  • A 2008 Cheerleading World's event schedule, complete with the cheerleaders' names, flight and bus schedules, hotel room locations and performance dates and locations.
  • A retirement analysis form that included the prospective retiree's savings account total up to that point and estimates on what he/she would have to take in for income.
  • A form from the Internal Revenue Service with someone's taxpayer identification number scrolled across the bottom.
  • A completed Turbo Tax form with all of the taxpayer's personal information filled in.
  • A letter of recommendation for a student who wanted to help U.S. forces in Iraq that included this sensitive piece of detail: "[Person's name] is forced to live a secret life that he must hide from family and friends to protect them, as well as himself, from torture and certain death at the hands of terrorists."