Computer Crime Research Center

Downloads may pose security risk
(By Jennifer Beauprez)

Downloading that new Britney Spears hit from the Net may come at a cost that includes divulging personal bank account information, credit card numbers and even company secrets.

Millions of people, following the trend first set by Napster, use file-sharing websites not only to copy and download free music, but also to find pictures, video clips, pirated software and documents from millions of others who open their computers to a virtual network.

These so-called peer-to-peer websites allow people to download free files - primarily songs - stored on the computers of millions of other file-sharing users.

Yet many people don't know they can inadvertently open private content - their entire hard drive - to the world if they rush through installation of the software for those services. They could also put their files at risk if they later move the folder that contains that music.

The risks? A home user may unwittingly divulge financial records or personal e-mail. Business employees could inadvertently disclose marketing plans, internal memos, secret software code or corporate budgets from their own computer or any server to which they are connected.

"The risk of exposure is just massive," said Michael Reagan, senior vice president of marketing for Vericept Inc., a Denver company that sells software to alert employers when workers chat, shop, view pornography or share files on the Net.

"Most people haven't realized what peer-to-peer is, and if they do know, they don't understand there is a big problem," Reagan said. He said Vericept's software can alert companies when confidential information is leaked.

More and more companies forbid file-sharing because of the leaks as well as copyright concerns and congestion on their networks.

"It's a huge bandwidth hog," said Corey Smith, information technology manager for Optika Inc., a Colorado Springs software maker that banned all file-sharing at work. "It only took two to three people to bring us to our knees, crashing our e-mail servers."

Internet file-sharing has grown exponentially since the debut of controversial song-swapping service Napster, which filed for bankruptcy and has been offline for the past year following copyright lawsuits by record labels.

Despite the copyright fight, people still sign up for file-sharing on a number of other sites, including Kazaa.com and Gnutelliums.com, and search for MP3 music files to download. They start by giving the site a user name and an e-mail address.

People run into trouble when they breeze through installation of their file-sharing software, clicking "next" without reading each screen's text in detail. If the user later changes configurations or moves the folders for downloaded material, the software can share more files without that person's knowledge.

Experts say people are safe if they turn off the file-sharing option when they install the software. But most click "okay" without seeing the option.

"A lot of people want to hurry up and get everything installed so they can start downloading and make that great CD," said Fitz Miller, an engineer with IT Communications, a Colorado Springs network security assessment firm.

In fact, eight in 10 people - even the most computer savvy - don't recognize they have disclosed personal files when using the service, according to research by Nathan Good, a researcher at H-P Labs in Palo Alto, Calif.

Good first learned about the risks of file-sharing in June, when his brother complained that his computer was too slow.

Good said his brother was sharing everything on his hard drive with the 85 million users of Kazaa.com. His research told him it wasn't an isolated case.

In fact, searches on Kazaa.com for "inbox.dbx" over a 12-hour period showed that 156 people had accidentally shared their e-mail inboxes for anyone to download. That included their sent, saved and deleted messages.

The documents are easy to find with keyword searches.

A recent search using key words such as "account #," and "credit card" on Kazaa.com turned up a number of documents from corporate and personal computers.

One Microsoft Word document listed dozens of credit card numbers and expiration dates; another, extracted from a Texas company's computer, listed the names, addresses, social security numbers and salaries of employees.
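The installation and folder-moving mistakes described earlier, and the keyword searches that turned up inboxes and card numbers here, suggest a defender's check: before a folder is exposed to a file-sharing network, walk it and flag anything that looks like a mail store, a document mentioning the article's search terms, or a Luhn-valid card-number-like digit run. The following Python audit is an added example, not code from this article, from Good and Krekelberg's study, or from any vendor named here; the extension list beyond `.dbx`, the folder layout and every file it creates are constructed assumptions used only to demonstrate the check.

```python
"""Pre-share audit for a folder a peer-to-peer client is about to expose.

Added example, not from the article. Walks a prospective share root and
reports files that look sensitive so the user can move them out before
sharing. The sample folder built by run_demo() is entirely constructed.
"""
import os
import re
import shutil
import tempfile

# .dbx comes from the article (Outlook Express inbox.dbx); the rest are
# assumed common mail-store extensions added for illustration.
MAIL_STORE_EXTENSIONS = {".dbx", ".pst", ".mbox"}
# Search terms the article reports turning up private documents.
KEYWORDS = ("account #", "credit card", "social security")
# 13-19 digits, optionally separated by spaces or hyphens.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def luhn_ok(digits: str) -> bool:
    """Standard Luhn checksum; filters out most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Return the Luhn-valid card-like digit strings found in text."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def classify(name: str, text: str) -> list:
    """Reasons a file should not be shared; empty list means nothing found."""
    reasons = []
    if os.path.splitext(name)[1].lower() in MAIL_STORE_EXTENSIONS:
        reasons.append("mail store")
    lowered = text.lower()
    for kw in KEYWORDS:
        if kw in lowered:
            reasons.append(f"keyword '{kw}'")
    cards = find_card_numbers(text)
    if cards:
        reasons.append(f"{len(cards)} Luhn-valid card-like number(s)")
    return reasons


def audit_share_root(root: str, max_bytes: int = 5_000_000) -> dict:
    """Map relative path -> reasons for every flagged file under root."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            try:
                if os.path.getsize(path) > max_bytes:
                    continue  # skip large media; the point is documents
                with open(path, "rb") as f:
                    text = f.read().decode("utf-8", errors="ignore")
            except OSError:
                continue
            reasons = classify(fn, text)
            if reasons:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings[rel] = reasons
    return findings


def run_demo() -> dict:
    """Build a constructed 'shared folder' in a temp dir, audit it, clean up."""
    root = tempfile.mkdtemp(prefix="share_audit_")
    try:
        samples = {
            "Music/song.mp3": b"ID3\x03\x00 constructed placeholder, no audio",
            "Mail/inbox.dbx": b"\x00\x00 constructed mail-store placeholder",
            "Documents/budget.txt": b"Q3 marketing plan. Credit card on file: "
                                    b"4111 1111 1111 1111 (constructed test number)",
            "Documents/notes.txt": b"Phone order ref 1234 5678 9012 3456",
        }
        for rel, data in samples.items():
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)
        return audit_share_root(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for path, reasons in sorted(run_demo().items()):
        print(f"{path}: {', '.join(reasons)}")
```

The `notes.txt` sample carries a 16-digit run that fails the Luhn check, so it is not reported; the Luhn filter is what keeps an audit like this from drowning in order numbers and phone numbers. Run the script against the real folder a client would share by calling `audit_share_root` on that path.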

Vericept's Reagan also discovered a document with the account number and recent stock trade information for a Salomon Smith Barney customer.

Reagan later talked to the woman, who said her granddaughter had downloaded MP3 files on her home computer and inadvertently shared her grandmother's personal financial information.

A Salomon Smith Barney broker said the woman was unavailable for comment.

Such problems are typical of families in which multiple people are using the same computer, experts say. A parent could have a secure connection to a corporation for downloading and working on confidential files, only to have them inadvertently shared by a teenage son or daughter without either's knowledge.

Many people don't know about file-sharing's security risk. But some opportunistic people do.

"Unfortunately, the wrong people are finding out about it," said Aaron Krekelberg, lead Web developer at the University of Minnesota, who collaborated with Good on the study.

Krekelberg and Good set up a server with phony documents that were shared on Kazaa.com to see if other users downloaded the private information.

Within 24 hours, five people downloaded documents containing phony credit card numbers and e-mail inbox files.

"They're coming in and grabbing (these documents)," Krekelberg said. "It's horrible."

Source: Snipurl.com


Copyright Computer Crime Research Center 2001, 2002 All Rights Reserved.
