Prophetic Warnings

Just days after a university researcher warned of the dangers of P2P, Pfizer felt the vulnerability's wrath

10:20 AM -- The security industry is full of warnings. Every day, we try to alert businesses to potential vulnerabilities and new exploits from attackers. But seldom have we seen a warning as prophetic as the one this past week, when Dartmouth College researchers offered cautions about the dangers of file sharing networks.

At a conference last Thursday, the Dartmouth researchers shared the results of a study on the potential vulnerabilities of peer-to-peer networking. The researchers demonstrated how simple searches of P2P networks could yield a bounty of sensitive business data, including personal information on customers or employees.

The researchers also noted that P2P's popularity as a means of downloading music and video content has led many individuals to install file sharing software on the laptops they bring home from work. Because a P2P client makes whatever sits in its shared folders searchable and downloadable by anyone on the network, these individuals unknowingly expose critical business documents to P2P file searches. (See P2P's Unintended Leaks.)

Little did the researchers know that even as they were warning organizations of this very danger, privacy officers at Pfizer -- one of the world's largest chemical and pharmaceutical firms -- were informing employees that their personal data had been exposed through this very vector.

It seems that a Pfizer employee took a company laptop home and installed P2P software on it, in violation of the company's policy on such applications. Once the software was running, one or more third parties accessed files on the laptop -- including sensitive files containing the names and Social Security numbers of some 17,000 current and former employees. (See Pfizer Falls Victim to P2P Hack.)

Of course, the Dartmouth researchers aren't the only ones who have tried to raise the red flag about P2P vulnerabilities. On May 21, the U.S. Patent and Trademark Office issued a report that blames P2P for the inadvertent disclosure of business- and government-related documents. And on May 1, Promisec published a study showing that 4 percent of corporate endpoints carry some form of P2P software. (See Security Audit Reveals Threat Potential.)
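The two checks implied by this column and by the endpoint-audit figure above are easy to run yourself: look for P2P client processes on a machine, and look for SSN-like values in any folder a file-sharing client would publish. The script below is an added example, not code from Dark Reading, Promisec or the Dartmouth study. The list of P2P process names is an illustrative assumption, not an exhaustive inventory, and the "shared folder" it scans is constructed in a temporary directory so the script runs offline.

```python
"""Audit helper: flag SSN-like values in a would-be shared folder and flag
P2P client processes. Added example; sample data is constructed inline."""
import re
import tempfile
from pathlib import Path

# Structural SSN rules published by the SSA: area is never 000, 666 or
# 900-999; group is never 00; serial is never 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

# Assumption: an illustrative set of P2P client executable names, not a
# complete list. Compare case-insensitively against a process listing.
P2P_PROCESS_NAMES = {
    "limewire.exe", "kazaa.exe", "emule.exe", "utorrent.exe",
    "bittorrent.exe", "frostwire.exe", "transmission", "qbittorrent",
}


def count_ssns(text):
    """Number of well-formed SSN-like values in a string."""
    return len(SSN_RE.findall(text))


def find_ssn_exposures(root, max_bytes=1_000_000):
    """Walk a directory tree the way a P2P client would publish it and
    return {relative_path: ssn_count} for every file containing SSNs."""
    root = Path(root)
    hits = {}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        try:
            data = path.read_bytes()[:max_bytes]  # cap read size per file
        except OSError:
            continue  # unreadable file: skip rather than abort the audit
        n = count_ssns(data.decode("utf-8", errors="ignore"))
        if n:
            hits[path.relative_to(root).as_posix()] = n
    return hits


def p2p_clients_present(process_names):
    """Return the process names (as given) that match known P2P clients."""
    return sorted(p for p in process_names if p.lower() in P2P_PROCESS_NAMES)


def build_sample_share():
    """Constructed sample 'shared folder': one payroll export that leaks,
    one music placeholder, and one file with numbers that look like SSNs
    but violate the structural rules (should not be flagged)."""
    d = Path(tempfile.mkdtemp(prefix="p2p-share-"))
    (d / "music").mkdir()
    (d / "music" / "track01.txt").write_text("placeholder for a media file\n")
    (d / "payroll_export.csv").write_text(
        "name,ssn\nAlice Example,123-45-6789\nBob Example,321-54-9876\n")
    (d / "notes.txt").write_text(
        "ticket 000-12-3456 is not an SSN; 123-45-0000 is not one either\n")
    return d


if __name__ == "__main__":
    share = build_sample_share()
    for rel, n in find_ssn_exposures(share).items():
        print(f"{rel}: {n} SSN-like value(s) would be exposed")
    print(p2p_clients_present(["explorer.exe", "LimeWire.exe", "outlook.exe"]))
```

Pointing `find_ssn_exposures` at the real download or shared directory of whatever client an audit turns up is the quickest way to learn whether the "4 percent" figure describes a nuisance or a 17,000-record disclosure waiting to happen.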

Still, it's hard to remember a time when a security "trend" warning was followed so quickly by such a concrete incident. On Thursday, researchers were warning organizations to do something about P2P or they'd be sorry. On Tuesday, Pfizer was dealing with exactly the problem the researchers had described, to the tune of 17,000 sorry employees.

It all goes to show that security warnings, voluminous and sometimes gratuitous as they are, are often right. If you see a vulnerability alert and wonder whether your organization might be at risk, it probably is. It's worth wading through the warnings to find the ones that apply to you.

— Tim Wilson, Site Editor, Dark Reading
