
Risk

6/15/2007
02:20 AM

Prophetic Warnings

Just days after a university researcher warned of the dangers of P2P, Pfizer felt the vulnerability's wrath

10:20 AM -- The security industry is full of warnings. Every day, we try to alert businesses to potential vulnerabilities and new exploits from attackers. But seldom have we seen a warning as prophetic as the one this past week, when Dartmouth College researchers warned of the dangers of file sharing networks.

At a conference last Thursday, the Dartmouth researchers shared the results of a study on the potential vulnerabilities of peer-to-peer networking. The researchers demonstrated how simple searches of P2P networks could yield a bounty of sensitive business data, including personal information on customers or employees.

The researchers also noted that P2P's popularity as a means of downloading music and video content has led many individuals to install the file sharing software on the laptops they bring home from work. As a result, they observed, these individuals unknowingly expose critical business documents to P2P file searches. (See P2P's Unintended Leaks.)

Little did the researchers know that while they were warning organizations of this very danger, privacy officers at Pfizer -- one of the world's largest pharmaceutical firms -- were informing employees that their personal data had been exposed through this very vector.

It seems that a Pfizer employee brought a laptop home and installed P2P software on it, violating the company's policy on the use of such applications. Once the software was running, files on the laptop -- including sensitive files containing the names and Social Security numbers of some 17,000 current and former employees -- became reachable through the file sharing network, and one or more third parties retrieved them. (See Pfizer Falls Victim to P2P Hack.)
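The check a practitioner would want after reading the Dartmouth findings and the Pfizer incident is to audit what a P2P client's shared folder actually exposes before an outsider's search does. The script below is an added example, not code from the column, the Dartmouth study, or any P2P client: it walks a share root, reads each file as text, and flags SSN-like values (NNN-NN-NNNN, skipping area numbers that are never issued) plus a short keyword list. The directory tree, its contents and the keyword list are constructed assumptions for illustration.

```python
import os
import re
import tempfile

# SSN layout NNN-NN-NNNN, excluding area 000, 666 and 900-999, group 00
# and serial 0000, which are never assigned. Keywords are an assumption
# about how a company labels its sensitive documents, not a standard.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
KEYWORDS = ("confidential", "social security", "internal use only")


def classify_text(text):
    """Return the reasons a piece of text looks sensitive (empty if none)."""
    reasons = []
    ssns = SSN_RE.findall(text)
    if ssns:
        reasons.append(f"{len(ssns)} SSN-like value(s)")
    lowered = text.lower()
    hits = [k for k in KEYWORDS if k in lowered]
    if hits:
        reasons.append("keywords: " + ", ".join(hits))
    return reasons


def audit_share(root, max_bytes=1_000_000):
    """Walk a P2P client's shared folder and report files that look sensitive.

    Returns a sorted list of (relative_path, reasons) using '/' separators.
    Only the first max_bytes of each file are inspected, and binary content
    is decoded with errors ignored, so Office/PDF files would need a text
    extractor in front of this (an assumption left to the reader).
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    raw = fh.read(max_bytes)
            except OSError:
                continue  # unreadable file: nothing a peer could fetch either
            reasons = classify_text(raw.decode("utf-8", errors="ignore"))
            if reasons:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings.append((rel, reasons))
    return sorted(findings)


def build_sample_share():
    """Create a constructed share tree: a music file, a harmless note, an
    HR export with SSNs (the Pfizer-style leak) and a labelled memo."""
    root = tempfile.mkdtemp(prefix="p2p_share_")
    os.makedirs(os.path.join(root, "music"))
    os.makedirs(os.path.join(root, "work"))
    with open(os.path.join(root, "music", "track01.mp3"), "wb") as fh:
        fh.write(b"ID3\x03\x00" + b"\x00" * 64)  # fake MP3 header
    with open(os.path.join(root, "notes.txt"), "w") as fh:
        fh.write("Remember to pick up groceries.\n")
    with open(os.path.join(root, "work", "employees.csv"), "w") as fh:
        fh.write("name,ssn\nJ. Doe,123-45-6789\nA. Roe,234-56-7890\n")
    with open(os.path.join(root, "work", "memo.txt"), "w") as fh:
        fh.write("CONFIDENTIAL - internal use only. Draft Q3 plan.\n")
    return root


if __name__ == "__main__":
    share = build_sample_share()
    for rel, reasons in audit_share(share):
        print(f"{rel}: {'; '.join(reasons)}")
```

Pointed at the client's real shared directory instead of the constructed one, the same walk tells you what a stranger's keyword search would return. The point of the content check rather than a filename check is exactly the Pfizer case: a file does not have to be named "SSNs.xls" to contain 17,000 of them.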

Of course, the Dartmouth researchers aren't the only ones who have tried to raise the red flag about P2P vulnerabilities. On May 21, the U.S. Patent and Trademark Office issued a report that blames P2P for causing the inadvertent disclosure of business- and government-related documents. And on May 1, Promisec published a study showing that 4 percent of corporate endpoints carry some form of P2P software. (See Security Audit Reveals Threat Potential.)

Still, it's hard to remember a time when such security "trend" warnings were followed so quickly by such a concrete incident. On Thursday, researchers were warning organizations to do something about P2P or they'd be sorry. On Tuesday, Pfizer experienced the exact problem the researchers had warned about, to the tune of 17,000 sorry employees.

It all goes to show that security warnings, though highly voluminous and sometimes gratuitous, are often right. If you see a vulnerability alert and you wonder whether your organization might be at risk, it probably is. It's worth wading through those warnings to find the ones that might affect you.

— Tim Wilson, Site Editor, Dark Reading
