FTC Tells Businesses, Schools and Local Governments: Stop Sharing Personal Information On Peer-To-Peer Filesharing Networks

The Federal Trade Commission (FTC) announced yesterday that it had notified "almost 100" companies and organizations, including schools and local governments, that sensitive personal information from those entities was being shared across peer-to-peer (P2P) filesharing networks. This has apparently resulted in circulation of customer personal information, health information, Social Security numbers and other sensitive data. 

Poorly supervised use of P2P networks has frequently been the subject of unwanted attention, including from the FTC.  For our coverage on P2P security issues, see our prior posts here ("Congressional Aide Shares Secret Ethics List With The World"), here ("Incident of the Week: Seattle Man Sentenced To Three Years In Prison For Using Peer-To-Peer Software To Steal Financial Records, Commit Identity Theft") and here ("Rep. Mary Bono Mack Introduces Informed P2P User Act To Combat Inadvertent File Sharing"). 

The danger with P2P filesharing software is that failure to select the proper settings can result in opening up all documents on a computer to anonymous users on the Internet.  As the FTC warned in its press release: "when P2P file-sharing software is not configured properly, files not intended for sharing may be accessible to anyone on the P2P network."  The problem commonly arises when a business' staff load P2P filesharing software on company computers to access music or other downloads (which can be illegal in itself), but fail to properly configure the software.

The FTC has provided the following examples of the notification letters it has mailed to entities: FTC Sample Letter A (.pdf), FTC Sample Letter B (.pdf) and FTC Sample Letter C (.pdf).  The FTC has also directed these entities to its newly-unveiled guide to taking proper security measures to prevent unauthorized P2P access.  The FTC has indicated that it "has opened non-public investigations of other companies whose customer or employee information has been exposed on P2P networks." 

Incident(s) of the Week: February A Tough Month For Hackers

1.  Arrested: Russian Hacker Responsible for Two Minutes of Roadside Porn 

The hacker who managed to compromise computer servers controlling a large commercial advertising screen in Moscow was arrested recently by Russian authorities.  On January 14, 2010, commuters on Moscow's Garden Ring Road passed a large-scale video screen and, instead of the normal commercial advertisements, saw two minutes of hard-core pornography.  The video, as well as the resulting traffic problems, was thanks to a hacker who is described as a 40-year-old, unemployed man living in Novorossiisk.  Apparently, the hacker directed his attack from computers in Chechnya, believing that Russian authorities would not bother to track him down.  A month later, the hacker is pleading guilty to criminal charges, insisting that "he only wanted to entertain people."

2. China Shuts Down Largest Hacker Training Site

Last week, Chinese officials arrested three individuals allegedly responsible for running the Black Hawk Safety Net, a website that was known as the largest hacker training site in China.  The site apparently disseminated training materials and offered users the ability to download virus software, trojan programs and other hacker tools.  According to China Daily, Black Hawk Safety Net had more than 170,000 users and collected more than 7 million yuan in membership fees by the time authorities shut it down.  Authorities seized $1.7 million yuan, 9 servers and one automobile in the raid.

Incident of the Week: Patents Help Crack Encryption Used in Cordless Telephones

This week cryptographers Karsten Nohl from University of Virginia and Erik Tews of the Darmstadt University of Technology announced that they had broken the DECT encryption standard.  Who cares, you ask?  The Digital Enhanced Cordless Telecommunications or DECT standard is what prevents someone parked outside your house from being able to listen in on telephone conversations you are having on your 1.9 GHz DECT cordless phone.  (So, that's what that label on the receiver means.) 

Nohl told Dan Goodin from The Register that he cracked the code by putting the DECT chip under the electron microscope and then comparing his findings with information disclosed in the published patent(s).  According to Nohl, it might take him 4 hours of monitoring to listen in on a particular telephone call, but only 10 minutes to crack the DECT-encrypted credit card transmissions at a restaurant.  Even more worrisome is Nohl's expectation that better hackers are likely to be able to decode these transmissions even more quickly.  "We expect that some smarter cryptographers than ourselves will find better attacks, of course. . . We found the algorithm and then implemented the first attack. It's almost guaranteed that this is not the best attack."

Incident of the Week: Free iPhone Password Breaker Released

Back in October you may remember our post on Elcomsoft, a Russian software company that came out with a program to decrypt common wireless network signals.  Well, they're back this week with a program that will "enable[ ] forensic access" to password-protected backups for Apple iPhone and iPod touch devices.  In other words, if someone obtains access to the computer you use to sync your iPhone, they could also get access to "backups containing address books, call logs, SMS archives, calendars, camera snapshots, voice mail and email account settings, applications, Web browsing history and cache."  And while the program is in beta testing, Elcomsoft is even giving the program away for free.

The program apparently uses the computing power of the latest generation of video cards to perform a dictionary or "wordlist-based attack" to recover the password needed to unlock the backup files.  This means that if your password can be found in a dictionary or a hacker's wordlist, there is a program out there that will unlock it.  With technology like this out there to decode commercially available encryption schemes, the best protection we may have is to select a sufficiently complex password to defeat wordlist-based attacks (and not to use the same password for all your online activities, as Twitter's recent incident and Trusteer's recent survey (.pdf) have suggested are rampant problems).