
6/15/2007
02:20 AM

Prophetic Warnings

Just days after a university researcher warned of the dangers of P2P, Pfizer felt the vulnerability's wrath

10:20 AM -- The security industry is full of warnings. Every day, we try to alert businesses to potential vulnerabilities and new exploits from attackers. But seldom have we seen a warning so prophetic as we did this past week, when Dartmouth University researchers offered cautions about the dangers of file sharing networks.

At a conference last Thursday, the Dartmouth researchers shared the results of a study on the potential vulnerabilities of peer-to-peer networking. The researchers demonstrated how simple searches of P2P networks could yield a bounty of sensitive business data, including personal information on customers or employees.

The researchers also noted that P2P's popularity as a means of downloading music and video content has led many individuals to install the file sharing software on the laptops they bring home from work. As a result, they observed, these individuals unknowingly expose critical business documents to P2P file searches. (See P2P's Unintended Leaks.)

Little did the researchers know that while they were warning organizations of this very danger, privacy officers at Pfizer -- one of the world's largest chemical and pharmaceutical firms -- were informing employees that their personal data had been hacked using this very attack vector.

It seems that a Pfizer employee brought a laptop home and installed P2P software on it, violating the company's policy about the use of such applications. After the software was installed, one or more third parties accessed the files on the laptop -- including sensitive files containing the names and Social Security numbers of some 17,000 current and former employees. (See Pfizer Falls Victim to P2P Hack.)

Of course, the Dartmouth researchers aren't the only ones who have tried to raise the red flag about P2P vulnerabilities. On May 21, the U.S. Patent and Trade Office issued a report that blames P2P for causing the inadvertent disclosure of business- and government-related documents. And on May 1, Promisec published a study showing that 4 percent of corporate endpoints carry some form of P2P software. (See Security Audit Reveals Threat Potential.)

Still, it's hard to remember a time when such security "trend" warnings were followed by such a concrete example of an exploit. On Thursday, researchers were warning organizations to do something about P2P or they'd be sorry. On Tuesday, Pfizer experienced the exact problem the researchers had warned about, to the tune of 17,000 sorry employees.

It all goes to show that security warnings, though highly voluminous and sometimes gratuitous, are often right. If you see a vulnerability alert and you wonder whether your organization might be at risk, it probably is. It's worth wading through those warnings to find the ones that might affect you.

— Tim Wilson, Site Editor, Dark Reading
