US Congress accidentally leaks confidential report

Peer-to-peer (P2P) file sharing networks are causing unintentional and embarrassing data leaks in the US government.

A recent report by The Washington Post found that house ethics investigators in Congress have been scrutinising the activities of more than 30 lawmakers and several aides in inquiries about issues including defence lobbying and corporate influence peddling.

The investigation was discovered after a report was inadvertently placed on a publicly accessible computer network. The Washington Post claimed that the ethics committee is one of the most secretive panels in Congress, with its members and staff members signing oaths not to disclose any activities related to its past or present investigations.

Identity theft expert Robert Siciliano claimed that failure to correctly set up P2P programs can lead to unintentional sharing of important and sensitive files and can result in data breaches, credit card fraud and identity theft.

Siciliano said: “I've seen numerous reports of government agencies, drug companies, mortgage brokers, and others discovering P2P software on their networks after sensitive data was leaked. Savvy users lock down their file sharing software to prevent others from tooling around with their settings.”

Kevin Beets, anti-virus researcher at McAfee Avert Labs, claimed that most people who deal with the problem of P2P networks add anti-virus, firewalls, monitoring of network flows for P2P traffic, and outright banning of P2P applications.

However, he also pointed out that bits and bytes flow in two directions – in and out. Beets said: “For argument's sake, let's say that you do in fact employ those workers who are of the highest moral character, you've firewalled the outside, banned the applications, monitor the network traffic, and you've updated your anti-virus signatures.

“So what happens when one of your employees is out sick — yet a big presentation is still due on Friday? Any chance they may take work home to finish when ‘there just aren't enough hours in the day'?

“The vector does not even need to be company-owned. If an employee is emailed the presentation, or if they copy it onto a USB device, this is the time that the data is the most vulnerable — it's out of your control.

“Most home users do not implement the same security practices that a company does. If that data is moved into a directory reachable by the P2P application, it is reachable by potentially millions of users on the same P2P network. Do you think a file called ‘OurSecretFormula.doc' would look enticing?”

See original article on scmagazineuk.com