Saturday, June 30, 2007

Japanese cop exposes confidential information on 6,000 people using P2P (file-sharing) software

Japanese police car picture courtesy of Flickr

We spend a lot of MONEY protecting computer systems and the information in them. Despite this, information is stolen or compromised from computers, pretty frequently.

One reason for this is it only takes one person, with access to compromise a system and it's security.

Recently, Japan Today, disclosed that a policeman did just this by using P2P file sharing software:

Personal information on some 12,000 people related to criminal investigations has leaked onto the Internet from a computer of a Tokyo police officer via Winny file-sharing software, the Metropolitan Police Department said Friday. This is believed to be the largest volume of data leaked from the police on record, the department said.

In case you've never been exposed to P2P (file sharing) software, it's normally used to share porn, movie, or music files.

Wikipedia lists the dangers of using this type of software, of which there are many:
  • poisoning attacks (e.g. providing files whose contents are different from the description)

  • polluting attacks (e.g. inserting "bad" chunks/packets into an otherwise valid file on the network)

  • defection attacks (users or software that make use of the network without contributing resources to it)

  • insertion of viruses to carried data (e.g. downloaded or carried files may be infected with viruses or other malware)

  • malware in the peer-to-peer network software itself (e.g. distributed software may contain spyware)

  • denial of service attacks (attacks that may make the network run very slowly or break completely)
  • filtering (network operators may attempt to prevent peer-to-peer network data from being carried)

  • identity attacks (e.g. tracking down the users of the network and harassing or legally attacking them)
  • spamming (e.g. sending unsolicited information across the network- not necessarily as a denial of service attack)

Using any of these services, normally slows a computer down to a slow crawl. It can even destroy your computer.


Besides that, it's illegal to share copyrighted material (I think it's considered stealing). Not a very good situation for a policeman to get caught up in. What was he thinking?


Japan Today story, here.


Here is another post, I wrote about the murky world of P2P last year:


How P2P Software like Limewire Compromises Personal and Financial Information

Attrition.org tracks how often information is compromised, and the reasons why, here.

5 comments:

Anonymous said...

Wow... you're joking, right?

There's nothing at all inherently wrong with p2p. In the hands of an incompetent administrator, no machine is safe. If an individual computer running it is compromising data, the fault often lies with the person running the malconfigured program. Many people are in fact embracing p2p to efficiently share their own legal data.

Organizations do need to protect themselves from compromise, but they need to deal with their users, not some bogeyman.

This article says a lot about this blog.

Ed Dickson said...

The fact that you post anon says everything about you.

p2P is used to abuse a lot of people and I stand by what I wrote.

Enough said.

Anonymous said...

I wouldn't stand by what you said too much. p2p has *many* legitimate uses. In fact, the opensource Linux operating system is often distributed via p2p (i.e. Bittorrent). The same goes for the opensource OpenOffice. The Demoracy Internet TV system is built on p2p bittorrent technology for distributing legitimate video content. The list goes on and on and includes cable companies who are looking for cheaper ways of distributing content.

The simple fact is that p2p allows companies and organizations to disseminate content at lower costs by spreading the bandwidth over many peer computers using p2p technology.

Sure, there are abuses. Your same argument applies to the Internet as a whole: how much piracy and crime takes place via email, newsgroups, chatrooms, instant messaging, etc?

And don't criticize people for speaking anonymously. This is the Information Age. Privacy is a dying luxury and anonymity does not make factual statements less factual.

Ed Dickson said...

There are always legitimate uses for most technology that is abused. I'm not criticizing legitimate use, as long as it doesn't enable uses that are abusive.

What I am criticizing are the large number of seemingly legitimate services that use P2P as a means to lure people (often) children into downloading all kinds of software they never intended to.


The reason I write about this stuff (going back to your original comment about it being the user's fault)is that an awful lot of people are unaware of what they are downloading when they use some of these services.

The only way to correct this problem is to educate them.

PS: If you could show me legitimate uses and how the p2P industry is using them responsibly - I would be happy to include them on this blog.

The problem is how to distinguish between the two?

You are always welcome to drop me a line at edwarddickson@SBCGlobal.net.

Anonymous said...

Individuals who P2P google, bad endpoint security, not being aware how unsafe Internet generally is and people who do know and who pinpoint and focus on retrieving information from unknowing filesharers that can either be personally detremental or even for their employer government or private sector. Not that long ago we found with a simple search on a P2P network, eletrical schemes of a NY powerplant, invoices and offers to local government agencies, student reports and evaluations..to name a few. In a years time it's become worse....not just home users but also corporate and government users seem to have found P2P works...even when there is a firewall installed (improperly) in their network. Nothing amazes me anymore after 17 years Internet. Awareness is the key to understanding, endpoint or corporate security solutions is another and a more active service provider could improve the situation...but up to date there are few changes and the underground and criminals are always a step ahead of the rest.

Yes and I am more or less anonymous as I prefer to .....