Peer-To-Peer Networking Information Gathering
Users of P2P networks will sometimes inadvertently disclose too much information via the files they are sharing from their computer. With the potentially large amount of personal data one can gather, all manner of fraud and identity theft is much easier to accomplish.
P2P Research & Results
At the PenTest Summit ’09 in Las Vegas, Larry Pesce and Mick Douglas revealed their findings based on reconnaissance of the Gnutella P2P network. This reconnaissance was inspired by the breach of top secret details pertaining to the Joint Strike Fighter Aircraft. This breach allegedly happened via a P2P client installed on a system with this highly sensitive information.
Harkening back to the now-defunct seewhatyoushare.com, the duo set out to see what sort of information could be gathered via Gnutella. The results were shocking and rather sobering.
In this first round of research, using readily available software, they focused on the acquisition of personal information one could use to perpetrate fraud. They were able to acquire high-resolution images of social security cards, passports, visitation visas, tax returns, retirement planning forms, and driver's licenses. In one instance, they were able to uncover personal data on a former Iraqi national who fled to the US fearing retribution for themselves and their family for assisting the US-led coalition forces.
Based on these findings, they strongly suggest that users think twice before installing and using P2P software of any sort. Additionally, network and systems administrators should be reminded to check for the presence of P2P systems which violate company policies. If you must use P2P software, please be extremely cautious about the data you share with others.
You can download the slides from our presentations section and listen to the audio recording on Security Weekly Episode 154, where it was the featured technical segment. Those who wish to learn more about this research are encouraged to contact Larry and Mick at the following email address: psw /at/ securityweekly.com.