At last week's ShmooCon security conference, researchers Larry Pesce and Mick Douglas showed off the information that they were able to harvest using popular peer-to-peer (P2P) networks. It shows how there is still a lot of education to do regarding the protection of privacy on the Web.
By using search terms such as word, doctor, health, passwd, password, lease, license, passport and visa and file names like password.txt, TaxReturn.pdf, passport.jpg, visa.jpg, license.jpg, signons2.txt and signons3.txt, the security experts were able to access personal files containing full contact information, fully filled tax return forms and more. Files extensions .pst, .cfg, .pcf, .doc, .docx, .xls, .xlsx, .pdf, .tax, .qdb, .qmd, .qsd, .qtx, .idx, .qif, .mny, .ofx, .ofc and .txt were also used in their research.
Finding files containing personal data and getting access to them is not reserved to advanced hackers. In fact, it is so easy that an average twelve-year-old could do it. P2P networks and software are used by many people including teenagers and kids for sharing multimedia files and others. They are used to make select files on one's system available for download by other users, who in turn share their files. It seems though that some users blindly make very sensitive files available through those P2P network.
Here are a couple of examples of what Pesce and Douglas could find that were particularly disturbing:- "A 2008 Cheerleading World's event schedule, complete with the cheerleaders' names, flight and bus schedules, hotel room locations and performance dates and locations.
- A retirement analysis form that included the prospective retiree's savings account total up to that point and estimates on what he/she would have to take in for income.
- A form from the Internal Revenue Service with someone's taxpayer identification number scrolled across the bottom
- A completed Turbo Tax form with all of the taxpayer's personal information filled in.
- A letter of recommendation for a student who wanted to help U.S. forces in Iraq that included this sensitive piece of detail: '[Person's name] is forced to live a secret life that he must hide from family and friends to protect them, as well as himself, from torture and certain death at the hands of terrorists.'"
There are lots of ways that a person could use all this information for fraud and identity theft. But the last case is particularly striking. If a simple search on a public network is all it took to find this file, the said terrorists could also find it anytime.
As Douglas said, "we have to keep trying to educate people." And some people clearly need to start at pre-school level.
|
