A few days ago, the security firm Tiversa announced that Wikileaks obtained private and classified documents from peer-to-peer (P2P) networks. Tiversa, which specializes in monitoring P2P networks, stated that Wikileaks obtained a portion of the documents it released last November by searching popular file sharing services like Kazaa and Limewire, an allegation that Wikileaks vigorously denies. Notwithstanding, the security firm provides further evidence that many documents from earlier leaks were similarly sourced.
In an article from Wired Magazine, Tiversa CEO Robert Boback suggests that over the past several years, Wikileaks might have obtained up to half of its documents from popular music and file sharing networks.
We’ve warned against P2P networks on numerous occasions; this story brings the point home in a way with national security consequences. Assuming Tiversa’s findings are accurate, simple file searches on P2P applications have disclosed sensitive documents from organizations like the Pentagon and the Department of Defense.
It should serve as a reminder even to smaller organizations that allowing P2P software like Kazaa and Gnutella puts them at significant risk. The risk includes not just the loss of sensitive information, but subsequent legal and regulatory costs as well. It cost a company we know more than $150,000 to respond to an FTC investigation following the loss of employee social security numbers via a P2P leak.
It’s not enough for an organization to prohibit P2P on its own machines. In the situation leading to the FTC investigation, social security numbers were lost when an employee with a P2P application on his home computer accessed a corporate file from home; the file was then exposed through that home computer’s shared folder.
Two Takeaways from WikiLeaks and P2P:
- Management should prohibit P2P applications at work.
- Management should make employees aware of the dangers of P2P at home, and deny remote access from a home computer unless there is assurance that no P2P software is installed on it.