One of the biggest cyber security threats researchers have ever seen could be upon us on April 1: That’s the day the Conficker virus is set to emerge on the 10 million-plus computers on which it’s been quietly and secretly residing. Once activated, the virus will link together a massive network of hijacked computers that could be used for any number of nefarious activities. One of the more startling possibilities is that it will enable the virus’ creators to search and access the information in every file on every one of the infected computers. Think of it as an underground and malicious Google that would mine the world’s computers for financial and personal data, and then sell it to the highest bidder.
Does this sound like something out of a sci-fi dystopia? It hardly is. On a smaller scale, this type of data leakage is already happening to many of the millions of users who have installed peer-to-peer file-sharing applications, which use the very same protocols for communicating as the Conficker virus.
With this type of information in hand, cybercriminals can blackmail patients or initiate medical identity theft.
We use our home computers for a number of functions: file cabinet, jukebox, accountant, video monitor, and communications portal. But that all-in-one convenience can quickly become a liability with the addition of P2P software, which many people use to download music and movies—sharing that often involves illegal copying of copyrighted material.
Unbeknownst to users, many P2P applications can make all of the files on a user’s machine or network available, not just the songs and movies that users intend to share. They're also sharing tax returns, online shopping receipts, bank statements, passwords, credit information, and more available to the identity thieves and cybercriminals, who eagerly prowl P2P looking for these lucrative nuggets. That’s a lot to give away in exchange for music than can just as easily be acquired at a low cost on sites like iTunes, Amazon, Rhapsody, and other online music stores. The copyrighted material may seem to be "free," but the price of getting it illegally can be quite expensive.
Think your family’s home PC is well-protected? Think again.
A recent NBC Nightly News report showed just how easy it can be for a computer with P2P software to become a searchable treasure trove of personal information for criminals and scammers. With a "simple search on a file-sharing network," NBC’s reporters were able to access more than 150,000 tax-return documents in New York State alone. Those documents have full names, birthdates, and Social Security numbers—the identity thief’s holy trinity.
One family featured by NBC was cheated out of a $2,000 tax refund that was inadvertently shared by the P2P software their teenage daughters had installed on the family computer. Whatever the girls were downloading for “free,” it’s a pretty safe bet that it could have been bought for less than two grand.
But personal financial data isn’t the only thing made vulnerable by P2P. Businesses have had sensitive data go astray because some employees break internal rules and install P2P software that shares private information online while the employees download “free" movies and music.
Recent research by P2P monitoring firm Tiversa and Dartmouth College’s Center for Digital Strategies found a hospital file containing sensitive personal and medical information on 20,000 patients on a P2P network. A search for P2P files from another hospital turned up a former employee’s application for a government job, containing the person’s name, birth date, Social Security number, residence history, employment history, and mother’s maiden name. Ironically, every page in the file had the government’s data security hash code and the words “PRIVACY ACT DATA” printed in bold. It didn't do much to keep his private data from being made public, but at least the paperwork was in order.
With this type of information in hand, cybercriminals can blackmail patients or initiate medical identity theft. If it's bad that cybercriminals can gain access to your secret files, imagine how much worse it is for all of us when they can gain access to our country's top-secret files. It turns out that detailed schematics of Marine One—the helicopter used by the president—have been located on a P2P-connected computer in Tehran. It goes without saying that avionic details about the US President’s helicopter should not be spread around the Internet because some employee of a defense contractor wants to get music for "free."
But to Tiversa CTO Sam Hopkins, these breaches seem the norm. As he told CNET, “We see classified information leaking all the time. When the Iraq war got started, we knew what US troops were doing because GI's who wanted to listen to music would install software on secure computers and it got compromised.”
It’s hard to say what, exactly, will have to happen before people begin to wake up to the dangers of P2P applications and see that “free” music and movie downloads actually carry a high price tag—to individuals, to businesses, and even to our national security. But if some of the gloomier predictions about the Conficker virus prove true, April Fool’s Day 2009 could be a costly wakeup call indeed.
As vice chairman of Public Strategies and president of Maverick Media, Mark McKinnon has helped meet strategic challenges for candidates, causes, and individuals, including George W. Bush, John McCain, Governor Ann Richards, Charlie Wilson, Lance Armstrong, and Bono. McKinnon is co-chair of Arts & Labs, a collaboration between technology and creative communities that have embraced today’s rich internet environment to deliver innovative and creative digital products to consumers.