Content

Information Disclosure via P2P Networking

Peer-To-Peer Networking Information Gathering

Users of P2P networks will sometimes inadvertently disclose too much information via the files they are sharing from their computer. With the potentially large amount of personal data one can gather, all manner of fraud and identity theft is much easier to accomplish.

P2P Research & Results

At the PenTest Summit ’09 in Las Vegas, Larry Pesce and Mick Douglas revealed their findings based on reconnaissance of the Gnutella P2P network. This reconnaissance was inspired by the breach of top secret details pertaining to the Joint Strike Fighter Aircraft. This breach allegedly happened via a P2P client installed on a system with this highly sensitive information.
Harkening back to the now defunct seewhatyoushare.com, the duo attempted to see what sort of information can be gathered via Gnutella. The results were shocking and rather sobering.
In this first round of research, using readily available software, they focused on the acquisition of personal information one could use to perpetrate fraud. They were able to acquire high resolution images of social security cards, passports, visitation visas, tax returns, retirement planning forms, and drivers licenses. In one instance, they were able to uncover personal data on an former Iraqi national who fled to the US fearing retribution for themselves and their family for assisting the US lead coalition forces.

usa-passport.jpg

Based off these findings, they are strongly suggesting that users think twice before installing and using P2P software of any sort. Additionally, network and systems administrators should be reminded to check for the presence of P2P systems which violate company policies. If you must use P2P software, please be extremely cautious about the data you share with others.
You can download the slides from out presentations section and listen to the audio recording on Security Weekly Episode 154 where is was the feature technical segment. Those who wish to learn more about this research are encouraged to contact Larry and Mick at the following email address: psw /at/ securityweekly.com.

Paul Asadoorian

Paul Asadoorian is currently the Principal Security Researcher for Eclypsium, focused on firmware and supply chain security awareness. Paul’s passion for firmware security extends back many years to the WRT54G hacking days and reverse engineering firmware on IoT devices for fun. Paul and his long-time podcast co-host Larry Pesce co-authored the book “WRTG54G Ultimate Hacking” in 2007, which fueled the firmware hacking fire even more. Paul has worked in technology and information security for over 20 years, holding various security and engineering roles in a lottery company, university, ISP, independent penetration tester, and security product companies such as Tenable. In 2005 Paul founded Security Weekly, a weekly podcast dedicated to hacking and information security. In 2020 Security Weekly was acquired by the Cyberrisk Alliance. Paul is still the host of one of the longest-running security podcasts, Paul’s Security Weekly, he enjoys coding in Python & telling everyone he uses Linux.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds