P2P breaches you don’t read about in the news...
Technorati Tag: Security Breach
I know I promised to publish this yesterday, but you know how things happen.
A friend of mine recently updated me about what he’s been working on and what he’s found in the past 30 days on P2P networks. Rian Wroblewski is the Director of Open Source Cyberintelligence at RedTeam Protection and he’s a skilled information security researcher, especially when it comes to finding sensitive information on P2P networks.
His recap, as provided to me:
A doctor in Hawaii leaked 1,767 files onto the Gnutella file sharing network. These files contained several hundred medical records along with personal identifiers. The doctor was contacted and the P2P application was removed.
A government contracted construction company, stationed in Iraq, leaked 2,519 sensitive files relating to building security and ongoing operations. US headquarters personnel were notified and advised to remove the P2P application.
The location manager for a major film production published onto the Gnutella network the personal call sheets listing the direct cell numbers of well known celebrities.
An agent to well known rap artists published the personal contact information and flight/hotel itinerary data onto the P2P networks. The agent was notified and advised to remove the Limewire program.
A biopharmaceutical corporation leaked 967 confidential files onto the P2P networks, including data on confidential drug trials. Corporate counsel was notified.
A regional manager of an Indian bank published 9,521 confidential files onto the Gnutella P2P network, which included bank transfer data and internal corporate correspondence. Personnel at the bank’s US office were notified of the breach. The transmission of confidential information from the bank was stopped shortly thereafter.
An IT consultant to a well known chemical manufacturer leaked an undetermined amount of proprietary code and SAP development data. RedTeam reached out to the CSO and provided the data needed to close the exposure.
An international production and casting consultancy published 6,278 confidential files onto the Gnutella file sharing network. This included the scripts to future advertisements, as well as confidential call sheets. The production and casting company was contacted and advised to remove the P2P program.
An insurance claims adjuster was responsible for the compromise of over 100 confidential mental health assessments over the Gnutella P2P network. The adjuster was contacted by RedTeam and advised to remove the P2P application.
A high level recruiter for a large scale software company published 5,446 sensitive candidate files onto the P2P networks. RedTeam contacted the responsible party, and advised removal of the BearShare application.
A California chiropractor leaked 9,947 files (his entire C: drive) onto the Gnutella network. These files included confidential treatment records and billing statements.
A military contractor to the Iraqi police training initiative published 6,755 files onto the Gnutella file sharing network. RedTeam was able to directly inform the organization, as this was the second such reported breach.
An executive level procurement employee of a European ISP leaked 9,257 confidential purchase orders and other internal corporate data onto the P2P networks. The ISP was contacted and the P2P application was removed promptly.
An international police officer published 1,272 confidential internal files onto the P2P networks. Included were reports of ongoing investigations, in addition to security procedures and dignitary protection itineraries. RedTeam contacted the organization and stopped the exposure.
The Director of Procurement for an overseas Ministry of Finance published 3,175 confidential files onto the Gnutella network. The embassy was contacted and provided with the intelligence to close the breach.
The commander of a SWAT team at a local police department published 1,615 files, many including internal training manuals. RedTeam contacted the party and had the LimeWire application removed.
The chief of police of a highly populated Asian city published 690 confidential active case files onto the Gnutella file sharing network. The responsible party was notified, and the connection was removed from the Gnutella network.
A North Carolina based mental health provider published 913 confidential mental health profiles, complete with Medicaid numbers, onto the Gnutella file sharing network. RedTeam contacted the administrator and had the P2P application removed.
The information above is only a recap of what Rian has shared with us recently. No personnel from The Breach Blog or FRSecure LLC were involved in the discovery and disclosure of these breaches other than what has been printed here. We can make no representation other than through the information we have been given.
I am grateful for the work that people like Rian do in responding to breaches and disclosing the risks involved with using P2P networks improperly. Maybe if more information security professionals work together, more exposure will be given to the importance of information security and less exposure will be given to sensitive information.
Check out RedTeam Case Studies - P2P Breach Remediation for more up-to-date information. You are also encouraged to contact RedTeam Protection if you require more information regarding the breaches outlined above.
Fantastic post, Evan -- thanks! I just posted the medical ones over on phiprivacy.net with a reminder to people about the dangers of file-sharing apps. I hope Red Team Protection will be willing to share more of their findings. I won't bother hazarding a guess as to whether these entities ever notified the affected patients of the exposure.
Hey Dissent! Very nice to hear from you again and thank you for the compliment. I hope things are well with you.
I gave much thought to commenting on the notification of the people affected. Due to the fact that we did not mention specific names and organizations, I decided not to go there with this post (yet). As you and I both know, organizations have the obligation (by law in some cases and by ethics in all cases) to notify people affected by breaches involving their personal information.
Rian @ Red Team has been a pretty frequent (behind the scenes) commenter on some of the breaches on the Breach Blog. We will definitely hear more from him.
I wrote to Red Team to ask them if they'd be willing to provide me with more of their medical/health related findings.
As to the "obligation" to notify that you mention, I hate to disillusion you, but most state notification/disclosure laws specifically exempt HIPAA-covered entities because they foolishly believe that HIPAA will protect the patients. California is the exception, and more power to 'em!
HIPAA does not mandate notification or disclosure. The only obligation is to "mitigate harm" to individuals (if they have experienced harm or are likely to experience harm). This is why we almost never find out about most HIPAA entities' breaches. If a hospital loses control of employee data, that doesn't fall under HIPAA and they would be covered by state law. Lose control of patient data, and the protections aren't the same.
As to ethics, well, in my "real" life, I'm a practitioner and I can tell you that there is nothing in our professional ethics codes that deals with privacy breaches or data losses. We have a responsibility to maintain confidentiality, yes, but the codes don't tell you what to do in the event of an unintended disclosure, data loss, or breach.
We have also been monitoring privacy breaches on the Gnutella network. We have developed an application we call PrivWatch to collect, anonymize, and scan files collected over P2P networks. The first experiments with PrivWatch sampled more than ten thousand files from P2P users around the world. The results showed that leaks of personal information are common, with over half the files containing at least one piece of personal data. The most common types of personal information were names and addresses, but more sensitive information (such as credit card and bank account numbers) was also found.
More information is available at
http://www.andrewpatrick.ca/research/current-projects/compliance-tools/privwatch/
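The kind of scan the PrivWatch comment above describes, written out as an added example (this is not PrivWatch's code and nothing from the page or from RedTeam): a Python script that walks a directory, such as the folder a P2P client is sharing, and flags files containing US SSNs, Luhn-valid payment card numbers, or e-mail addresses, then reports what fraction of files carried at least one hit. The sample files, the regular expressions and the scoring are constructed for illustration and are deliberately simple.

```python
"""
Scan a directory tree for files that contain personal data.

Hypothetical illustration: patterns cover US SSNs, payment card numbers
that pass the Luhn check, and e-mail addresses. Point scan_tree() at a
P2P client's shared folder before (or after) it goes online.
"""
import os
import re
import tempfile
from collections import Counter

# SSN: 3-2-4 digits, excluding area 000/666/9xx, group 00, serial 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Candidate card numbers: 13-19 digits with optional space/dash separators.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check over a string of digits (weeds out random numbers)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def scan_text(text: str) -> Counter:
    """Count the personal-data indicators found in one file's text."""
    hits = Counter(ssn=0, card=0, email=0)
    hits["ssn"] += len(SSN_RE.findall(text))
    for candidate in CARD_RE.findall(text):
        digits = re.sub(r"[ -]", "", candidate)
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits["card"] += 1
    hits["email"] += len(EMAIL_RE.findall(text))
    return hits


def scan_tree(root: str) -> dict:
    """Walk root, scan every readable file, and summarise the exposure."""
    per_file = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    text = fh.read()
            except OSError:
                continue                      # unreadable file, skip it
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            per_file[rel] = scan_text(text)
    flagged = {p: c for p, c in per_file.items() if sum(c.values()) > 0}
    return {
        "files": len(per_file),
        "flagged": len(flagged),
        "fraction_flagged": len(flagged) / len(per_file) if per_file else 0.0,
        "by_file": {p: dict(c) for p, c in flagged.items()},
    }


# Constructed sample share: two files leak data, two are harmless.
SAMPLE_FILES = {
    "patients/intake_0412.txt": "Patient: J. Doe  SSN 123-45-6789  contact jdoe@example.com\n",
    "billing/card_on_file.csv": "name,card\nDoe,4111 1111 1111 1111\nRoe,4111 1111 1111 1112\n",
    "music/readme.txt": "ripped from CD, enjoy\n",
    "notes/phone.txt": "call back at 555-0100 ext 12\n",
}


def demo() -> dict:
    """Write the constructed sample share to a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as root:
        for rel, body in SAMPLE_FILES.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_tree(root)


if __name__ == "__main__":
    report = demo()
    print(f"{report['flagged']} of {report['files']} files hold personal data "
          f"({report['fraction_flagged']:.0%})")
    for path, counts in report["by_file"].items():
        print(f"  {path}: {counts}")
```

On the constructed share, half the files are flagged, which mirrors the "over half" figure the comment reports for real P2P samples. The Luhn check is what keeps the 16-digit test number ending in 2 from counting as a card; without it, any long run of digits (invoice numbers, serials) would be reported. Regex matching still produces false positives on phone numbers and dates, so treat the output as a triage list, not proof of exposure.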
Interesting post.....I checked out RedTEAMProtection and it appears this Rian may be gilding the lily a bit. He has called our medical offices in the past claiming that he has found information on P2P and that he can solve it for me. I called friends in NYC law enforcement only to find that he is the ONLY person at Red"TEAM". He is also 24 or 25 years old and working out of his (or someone's) residential apartment on the west side of New York.
He (Rian) does talk a big game though.....I'm glad I was able to use my law enforcement contacts before hiring Red "Team"
Bill,
First I want to thank you for reading and commenting. Always appreciated.
Now, I would like to address your comments. Besides the fact that I think you are misusing the phrase "gilding the lily", I am having problems understanding your point(s).
"He has called our medical offices in the past claiming that he has found information on P2P"
So, did your sensitive information find its way onto P2P or not? Did you do anything about it?
'he is the ONLY person at Red"TEAM"'
What does this matter? Would you feel more comfortable if there were 100 people working for RedTeam? When you contract with a consultant, who/what do you think you are paying for? You are paying for services and often the expertise of one person (or a small few). There are many advantages to working with a small company (or sole proprietorship). For your information, my company FRSecure LLC has two employees. Myself and my partner who does sales, marketing, customer relationship management, and back office work. I am the ONLY consultant. People in business with me appreciate the fact that they get me and me only (of course this will be a challenge when we grow to a point of needing more consultants). They don't have to worry about getting some other person that may or may not be as proficient.
"He is 24 or 25 years old"
What does age have to do with anything? Does it matter if he is 24 versus 44? What age do you look for in a consultant? What matters is whether or not he provides a valuable service and whether or not he is good at what he does. Based on what I have seen (his work product), he is quite good.
"working out of his (or someones) residential apartment"
Again, what is your point? Many (and I venture to say most) consultants start their business journeys working out of their homes. I don't recall reading anywhere that in order to be an effective consultant, you must have an opulent office.
Do you only work with large, established companies? This would be your prerogative, but I think you are missing out on a solid talent pool of consultants. It also seems that image is much more important to you than substance.
So after all of this, do you still have insecure P2P application installs affecting your medical offices?
Bingo! Once again, you and I had the same reaction to a situation, although you were more tactful than what I was planning to write.
A lot of professionals in NYC are running offices out of residential apartments or addresses: doctors, lawyers, accountants, and computer consultants included. When I had part of my practice in NYC, the space I rented was in a residential address. There's frequently no need for a typical office or storefront for some types of work.
As to Rian's age, I agree with you, of course. Maybe Bill is generalizing because doctors can't be experts in a field by their mid-20's, but the same is not true in fields such as information security. And he might be surprised to learn how many security outfits are essentially one-person outfits that bring in consultants and others as needed.
So Rian found that Bill's medical office was leaking data and alerted him and told him that he could fix the problem for him. For Bill to suggest that there's something wrong in Rian trying to get compensated for helping him fix his problem, well... Rian's under no obligation to give away his services to Bill. Bill should be thankful that he was alerted to the problem, but I detected no gratitude at all in his post.
I'm as curious as you are about what Bill did following Rian's alert, other than to investigate Rian. Was Bill's office leaking confidential or patient data? Did he secure the system properly? Did he notify anyone if their data was leaked? Perhaps Bill will tell us. If it was sensitive data, then I would hope Bill would be grateful that Rian didn't just publish it on the web and name him.
For the record: I do not know Rian and have had no contact with him other than email to inquire about his case studies on his site after I saw your post about the p2p breaches. I just got annoyed that Bill would try to impugn Rian's rep based on a faulty understanding of how many security services work and the failure of his law enforcement buddies to tell him that residential addresses or offices in apartments are pretty common in NYC.
This came from Rian in an email to me. His response was too large for him to post the comment himself, so I am posting it on his behalf.
Bill,
You were provided with an IP address, a screen capture with the amount of files shared, a .txt file containing the list of every shared file in the file directory, as well as the location of the p2p application transmitting your confidential information, and a timeline detailing our discovery... free of charge and without obligation.
It is my understanding someone at your office asked about retaining our services to monitor the file list in question. If we provided you with a proposal, you would have been given a contract on company letterhead with our full legal address. You would have also been told that we will treat your information as confidential, whether or not you retain our services, and all information provided to you has been provided free of charge.
I would have expected you to write something like this:
"Rian contacted our offices and informed us of a breach of medical data via the gnutella p2p network. He provided us with enough information to locate the drive in question and immediately remove the p2p application. We decided to handle this matter internally by modifying the source code of gnutella applications to reach a larger section of the 45 million users on the gnutella network. We also created macros to search both the gnutella and other file sharing networks for a period of 30 days, 24/7. Our forensic team analyzed the firewall logs and access dates of exposed files. We used the IP address from Rian's email as a control IP, and measured the volume of transfers from other IP addresses on the gnutella network. We also compared Rian's file list to the library on the P2P application. Thanks to Rian's quick action, we were able to determine no third party was able to download our sensitive information. We asked Rian to destroy all of our data, and he quickly obliged. We informed our patients that their insurance numbers, social security numbers, and health status information had been exposed, and we are offering 10 years of free credit monitoring. While I have some irrelevant and inaccurate information to share, I prefer to keep it to myself."
The fact that I have called your medical offices on more than one occasion is the result of your internal security team neglecting to uninstall a simple file sharing application upon discovery.
Your contact in NYC law enforcement has provided you with inaccurate information, and cannot even provide you with my actual age. I presume he found a classmates profile and guessed I was around 18 at the time of graduation.
RedTeam Protection is a division of Tony Josephs and Sons Investigations Inc., a NY state licensed private investigation company which has been in business since 1981 (before I was born). We have not had one complaint against our license in 28 years. A quick call to the Department of State would have provided you with information showing I am not the only employee of this firm. In addition, we use numerous qualified consultants around the world to solve cases beyond our reach and expertise. Tony Josephs and Sons Investigations is a member of several professional investigation associations. Personally, I am an active member of the FBI's NYC Metro InfraGard program, a program dedicated to sharing threat related data with regard to the U.S. infrastructure.
Many people have lost their jobs, including end users and IT security staff, based on security alerts we have provided. A lot of those people are in denial, claiming they were "hacked", when the truth is that they hit the wrong button and published a drive. We have forensic evidence in every case to back up our claims. Some people hang up the phone, or even threaten to call a lawyer, or in your case, a law enforcement contact. As we are totally transparent in the way we conduct business, we are prepared to deal with those situations effectively.
"Gilding the lily" implies I have taken something which is perfect, and I have attempted to add something unnecessarily. I think there is a compliment somewhere in your statement.
(Stands up and applauds).