File sharing's threat to agency data is growing, analysts say

Solutions include monitoring traffic and enforcing policies that forbid downloading peer-to-peer software.

The security breach that led to the loss of personal information for 800 clients of a Washington-area investment firm, including that of Supreme Court Justice Stephen Breyer, is becoming increasingly common in the federal government, according to a peer-to-peer intelligence company.

Justice Breyer was among those clients whose private information, including birth dates and Social Security numbers, was exposed by a security breach at Wagner Resource Group, an investment firm in McLean, Va., according to Chris Gormley, the chief operating officer at Tiversa, which monitors peer-to-peer networks for questionable material. Wagner hired the company to investigate the breach and to tighten security at the firm.

"This is happening literally to millions of people in our country," Gormley said. He praised Wagner for taking proactive steps to tighten security, saying the company was now doing more to prevent a serious theft than what most companies or government agencies do.

The breach occurred when an employee loaded the file-sharing program LimeWire onto his computer. Users download LimeWire and other peer-to-peer file-sharing programs to share files, most commonly music and movies, with other computer users. The software does not require them to access a central server to download files. Peer-to-peer software allows them to download files directly from other users' hard drives, but if a user hasn't properly configured the software, such as blocking access to files that may contain personal information on a hard drive, then anyone with the peer-to-peer software can access and copy personal files.

The recording industry has fought against peer-to-peer programs for years over who is legally responsible for the data that is shared.

Gormley said most users are often not aware that the files they share can include all documents and files on their computer, not just music or movies, and do not understand the information they are making available to anyone logged on to the same peer-to-peer network. Stealing credit card numbers, health care information and industry secrets, and trafficking in child pornography, are some of the ways that criminals exploit peer-to-peer technology.

The government also has experienced significant problems with peer-to-peer file sharing. Last month at least 1,000 patients from Walter Reed Army Medical Center had their medical records and Social Security numbers compromised. At a hearing in July 2007, executives from Tiversa told the House Oversight Committee that military documents, including classified documents, were readily available for download on popular peer-to-peer networks.

"It hasn't stopped despite the hearing," Gormley said about the classified documents. "You never expect to see classified documents out on networks open to the public. All you have to do is type in the right words. . . . Foreign governments are out there looking for it."

Peer-to-peer programs not only open up government data for theft, but also make it easy for users to exploit the computing resources of other users, said Alan Paller, director of research at the SANS Institute, a security research group in Bethesda, Md. He said one large agency found that an employee had downloaded a peer-to-peer client onto a computer that had access to the agency's data servers. The security center noticed a spike in traffic to one server and learned that the agency had become one of the largest suppliers of child pornography in the nation.

"It's a two-sided problem," Paller said. "You open your data up for others to see and you open your computers up for others to use."

Peer-to-peer theft is increasing because agencies and companies are relying more on virtualization and telework and are outsourcing work to contractors. "When they work from home, people do whatever they want," Gormley said. "They're not under the IT [department's] watch."

For example, in a case cited at the House hearing, the chief privacy officer at the Transportation Department exposed sensitive information through a peer-to-peer application while working from home. Gormley said agencies should have security policies that make users aware of the risks of using file-sharing programs on computers they use for telework.

The trend to outsource more government work also has led to more security breaches. "More outsourcing means trusting a third party with the data," Gormley said. "Forty to 60 percent of breaches are from a third party. Smaller organizations don't have the kind of IT oversight that bigger companies have. For most companies, these organizations are the weak links in the chain."

Phil Neray, vice president of marketing at database security company Guardium, said the best practice for agencies is to establish policies regarding the use of file-sharing clients, instant messaging programs and other peer-to-peer technologies. "The vast majority of cases are not people with malicious intent. People are not being very careful and are not being told what the policy is," Neray said.

He said programs such as LimeWire rarely have any use for the office, and workers should be informed about what is and isn't permissible to download onto their office computer. He also said an agency's technology office should monitor content to watch out for peer-to-peer traffic and unusually high traffic to sensitive data.

"You need three things: people, process and technology," Neray said. "Educate the people about what's not acceptable, have a process and policies in place to deal with it, and technology to enforce the policies. If you only implement one of the three, you're not going to be effective in preventing unauthorized behavior."