P2P file sharing could leave you with your slip showing

Once again, the improper use of peer-to-peer file-sharing applications has led to the inadvertent exposure of sensitive information stored on government and corporate computers.

The Federal Trade Commission recently notified almost 100 organizations that personal information, including sensitive data about customers and employees, had been shared from those organizations’ computer networks and was available on peer-to-peer file-sharing networks.

It might be old news, but apparently it still is news: Once a peer-to-peer file-sharing application is installed, it can expose almost any kind of data on your computer to thousands of outsiders whom you have implicitly invited into your computer to browse around. You should be cautious in using peer-to-peer applications, allowing employees to use them, or dealing with partners that allow their use.

Users of BearShare, LimeWire, KaZaa, eMule, Vuze, uTorrent, BitTorrent and other applications form peer-to-peer networks for sharing files. They are typically used for sharing video and audio files, and users can search the exposed files of other users and download any files they find. At the same time, files on a user’s computer are available for upload by others on the network, essentially making every computer on the network a server.

Users can designate which folders or drives are available for sharing on the network, but that is not foolproof security. The wrong folders can be included in the share list, documents could mistakenly be filed or copied in an exposed folder, and malware can reconfigure folder access lists.

According to a 2006 report from the U.S. Patent and Trademark Office on some of the unsavory features included in peer-to-peer file-sharing applications, if a downloaded file is moved out of the shared folder, that file can give file-sharing applications access to all the data in the new folder, too. If the new folder happens to contain a tax return or corporate information in addition to your MP3s and MP4s, all of your peers have access to that, too. Some of the peer-to-peer programs included a search wizard to scour hard drives for other interesting folders for sharing.

The breaches identified by FTC included schools and local governments in addition to small businesses and large corporations. The breaches not only exposed personal information, such as health and financial records and driver's license and Social Security numbers that someone could use for identity theft, but also made the organizations potentially liable for failing to properly secure the data.

FTC has published a guide for file-sharing security that includes some common-sense recommendations, including:

• Delete sensitive information you don’t need and restrict where users can save files that contain sensitive information.
• Minimize or eliminate the use of peer-to-peer file-sharing programs on computers used to store or access sensitive information.
• Use appropriate file-naming conventions.
• Monitor your network to detect unapproved peer-to-peer file-sharing programs.
• Block traffic associated with unapproved peer-to-peer file-sharing programs at the network perimeter or network firewalls.
• Train employees and others who access your network about the security risks inherent in using peer-to-peer file-sharing programs.

Above all, organizations need a workable, enforceable policy to control file-sharing applications. FTC said the policy should include how to control the use of peer-to-peer applications, enforce a ban, protect sensitive information, protect against applications installed on computers used for remote access, train employees and determine whether your policy is working.