
Pfizer P2P Security Breach

Postby SlyckTom » Wed Jun 20, 2007 11:16 am

It’s the same story we keep hearing over and over again. Go on just about any spoon-feeding P2P network, such as FastTrack and Gnutella, and conduct a search for a personally oriented file such as “resume” and there’s bound to be hundreds – if not thousands – of results.

It’s part of an epidemic in the file-sharing community – the irresponsible and unknowledgeable use of P2P applications. P2P applications by their very nature aren’t difficult to use. The easiest clients to use, such as Kazaa or LimeWire, generally appeal to those whose computer skills are inferior to those who prefer more advanced networks such as BitTorrent, eDonkey2000 or Usenet. And those inferior computer skills manifest themselves with the irresponsible usage of P2P clients.

During the installation process, these clients generally streamline the process by asking the end user what folder(s) he or she wishes to share. The shared folder interface often looks like something from the days of PC Tools, and can be confusing to novice computer users. As a result of this confusion and/or lack of experience, users often choose to share their entire root directory. In other words, they choose to share the entire “C:\” drive. At this point everything – including the contents of “My Documents”, emails, naughty pictures, and the family pet – is shared over the P2P network.

P2P networking is often primarily blamed for this type of security breach. Many high profile events have stemmed from such misusage, from the sharing of secret military documents, social security numbers, and other sensitive documents. While it’s easy enough to blame P2P, since it’s already “responsible” for the decline of the music industry, the death of CD sales, and unfettered movie piracy, the technology often appears as the scapegoat for security vulnerabilities.

Yet the latest news (http://www.pharmalot.com/2007/06/pfizer-17000-employees-suffer-privacy-breach/) from the drug manufacturer Pfizer indicates that once again, it’s the end user who is responsible for a massive security breach. The actions of one individual caused up to 16,950 past and present Pfizer employees’ sensitive personal information to be shared on an undisclosed P2P network.

According to a correspondence (http://doj.nh.gov/consumer/pdf/Pfizer2.pdf) from Pfizer’s legal counsel to the Attorney General of New Hampshire, an employee brought the laptop home, where the individual’s spouse installed the P2P application and proceeded to inadvertently share the computer’s contents.

“The [unauthorized] software allowed outsiders access to a number of files that include the names and social security numbers of the affected Pfizer employees. Based upon Pfizer’s thorough investigation to this point, it appears that the affected employees can be grouped into two categories – approximately 15,700 who actually had their data accessed and copied, and approximately 1,250 who may have had their data accessed and copied.”

It’s important to note that certain software is unauthorized on company equipment. P2P software usually falls under this category. The P2P software in question didn’t magically install itself and begin sharing sensitive documents. An individual manually downloaded and installed the program, while inadvertently permitting the client to share sensitive information.

Because of this, the nearly 17,000 Pfizer employees will receive a heartwarming letter dictating that their identities have been compromised on a P2P network.

“The information was stored on a Pfizer laptop computer that was provided to a Pfizer colleague for use in her home. Due to the unauthorized installation of certain file sharing software on the laptop, files stored in the laptop containing names, social security numbers, and in some instances, addresses and bonus information of approximately 17,000 present and former Pfizer colleagues, were exposed to one or more third parties. Our investigation revealed that certain files containing your data were accessed and copied.”

Pfizer’s letter included advice on how to protect the compromised individuals’ identities, as their investigation yielded that “one or more” third parties may have downloaded the information. While most people who look for such information do so for laughs and giggles, 17,000 compromised identities is a substantial security breach. However, personal behavior and responsibility, not P2P, is the real determining factor in whether such events repeat themselves.
SlyckTom
 
Posts: 5713
Joined: Fri Jul 26, 2002 7:22 pm
Location: New York City
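The post above describes the mechanism behind this kind of leak: the user points the client's shared-folder setting at a drive root or a profile directory, and everything underneath it becomes searchable on the network. The following is an added example, not code from the article or from any P2P client, showing the check an administrator could run against a client's configured share list: flag shares that are a whole drive, a user profile, or a Documents/Desktop folder, and scan what is actually inside each share for files that look like personal data. The share list format, the directory names treated as over-broad, and the sample files it builds are all assumptions made for the example.

```python
"""Audit a P2P client's shared-folder list for over-broad shares and
sensitive content. Added example; the policy lists and the sample share
tree are constructed for illustration, not taken from any real client."""
import os
import re
import tempfile
from pathlib import PurePosixPath, PureWindowsPath

# Hypothetical policy: folders that hold personal documents rather than media.
DOCUMENT_DIRS = {"documents", "my documents", "desktop"}
# Parents of user profiles; sharing one of these exposes every account.
PROFILE_PARENTS = {"users", "home", "documents and settings"}

# Constructed detection patterns: a US SSN-shaped number and telltale filenames.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
SENSITIVE_NAME_RE = re.compile(r"(resume|salary|payroll|ssn|tax)", re.I)


def _parts(share: str) -> list:
    """Split a share path into lower-cased components, Windows or POSIX style."""
    is_windows = "\\" in share or re.match(r"^[A-Za-z]:", share) is not None
    path = PureWindowsPath(share) if is_windows else PurePosixPath(share)
    return [c.lower().strip("\\/") for c in path.parts]


def is_overbroad(share: str) -> bool:
    """True if a share exposes a whole drive, a user profile, or a documents folder."""
    parts = _parts(share)
    if len(parts) <= 1:                      # "C:\" or "/" : the entire drive
        return True
    if parts[-1] in PROFILE_PARENTS:         # "C:\Users" : every profile on the box
        return True
    if parts[-2] in PROFILE_PARENTS:         # "C:\Users\jane" : one whole profile
        return True
    return any(c in DOCUMENT_DIRS for c in parts)


def scan_share(root: str, max_bytes: int = 65536) -> list:
    """Walk a shared directory and report files that look like personal data.
    Returns sorted (path, reason) tuples; binary files are skipped for content."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if SENSITIVE_NAME_RE.search(name):
                findings.append((full, "sensitive filename"))
                continue
            try:
                with open(full, "rb") as fh:
                    head = fh.read(max_bytes)
            except OSError:
                continue
            if b"\x00" in head:              # media / binary: no text to inspect
                continue
            if SSN_RE.search(head.decode("utf-8", "replace")):
                findings.append((full, "SSN-like pattern in content"))
    return sorted(findings)


def audit(shares: list) -> dict:
    """Apply both checks to every configured share and collect the results."""
    report = {"overbroad": [], "sensitive_files": []}
    for share in shares:
        if is_overbroad(share):
            report["overbroad"].append(share)
        if os.path.isdir(share):
            report["sensitive_files"].extend(scan_share(share))
    return report


def build_sample_tree() -> str:
    """Create a constructed share tree in a temp dir: one media file and two
    text files with personal data, mirroring the kind of leak described."""
    base = tempfile.mkdtemp(prefix="p2p_share_")
    os.makedirs(os.path.join(base, "Music"), exist_ok=True)
    os.makedirs(os.path.join(base, "Documents"), exist_ok=True)
    with open(os.path.join(base, "Music", "track01.mp3"), "wb") as fh:
        fh.write(b"ID3\x00\x00\x00" + b"\x00" * 64)      # fake binary media
    with open(os.path.join(base, "Documents", "resume_jane.txt"), "w") as fh:
        fh.write("Jane Doe - curriculum vitae (constructed sample)\n")
    with open(os.path.join(base, "Documents", "bonus_notes.txt"), "w") as fh:
        fh.write("colleague 42, SSN 123-45-6789, bonus 1500 (constructed)\n")
    return base


if __name__ == "__main__":
    sample = build_sample_tree()
    result = audit([sample, "C:\\", "C:\\Users\\jane\\Music", "/home/jane"])
    for share in result["overbroad"]:
        print("over-broad share:", share)
    for path, reason in result["sensitive_files"]:
        print("sensitive file:", path, "-", reason)
```

The path check is deliberately conservative: a Music folder under a profile passes, but the profile itself, any Documents folder, or a drive root is flagged regardless of what it currently contains, because the content scan only sees what is there today. The content scan stops at the first NUL byte so media files are not read in full, and the filename patterns are the kind of list an organisation would tune to its own data rather than a definitive set.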

Postby qm2003 » Wed Jun 20, 2007 11:40 am

This also shows the total lack of basic IT security measures from the corporate IT department.

A whole database of employees' sensitive information on a personal laptop taken home?

Give me a break.
How is this possible in the first place?

Pfizer should fire its complete IT department.
How to setup Emule. A small checklist Schmu's MuleDoc
P2P is not piracy, it's marketing. In fact, if your music or movie is NOT being downloaded, you should be WORRIED !
If you can't even give it away for free, how do you expect to sell it, stupid ?
qm2003
 
Posts: 852
Joined: Fri Sep 02, 2005 8:11 am

Postby Andu » Wed Jun 20, 2007 11:51 am

Well, people copy all kinds of sensitive information onto their work laptops and take them home. Sometimes they have to, to finish projects in time.
The problem is those morons that install p2p software without having a clue. And why do they change the default paths for temp and incoming files anyway if they don't have a clue what they are doing? I'm pretty sure that there is no p2p software where the default settings of the installer pose any risk for the user's confidential documents.
Andu
 
Posts: 875
Joined: Mon Jul 04, 2005 1:12 pm

Postby TorrentMama » Wed Jun 20, 2007 12:20 pm

qm2003 wrote:This also shows the total lack of basic IT security measures from the corporate IT department.

A whole database of employees' sensitive information on a personal laptop taken home?

Give me a break.
How is this possible in the first place?

Pfizer should fire its complete IT department.

amen to that.

This must have been an executive's computer; no low level employee would have all of that information on a laptop that they could leave with. Heads are going to roll.

It shows how deep file sharing has been embedded in our culture when even the rich won't pay 99 cents for a song. I wonder what the "spouse" was trying to download.
Lionel Hutz, court-appointed attorney. I'll be defending you on the charge of... Murder One! Wow! Even if I lose, I'll be famous!
TorrentMama
 
Posts: 2827
Joined: Wed Aug 16, 2006 3:42 pm

Postby cramer » Wed Jun 20, 2007 3:47 pm

qm2003 wrote:This also shows the total lack of basic IT security measures from the corporate IT department.
...
How is this possible in the first place?

The IT department has very little control over the day-to-day activities of users. For example, IT has no way to stop you from putting whatever sensitive information you may know in a spreadsheet or text document on your local system. (no write access to the local drive at all is not an option, esp. for a laptop.)

I've cut-n-pasted information from one system to another. I've dumped the entire customer database from an AS/400 database to a text file on my laptop (for building the customer records in rwhois, btw, so nothing really sensitive or valuable.) And I've seen entire directories of "salary planning" spreadsheets completely unprotected (editable), visible to anyone on the company network (which includes anyone who brings a laptop in the building) created by the HR department meatheads -- 100% unknown to IT.

Sorry. IT cannot stop users from being stupid, much less stop a user's spouse from being stupid.
cramer
 
Posts: 13
Joined: Wed May 31, 2006 6:48 pm
Location: Earth

Postby qm2003 » Wed Jun 20, 2007 4:13 pm

This is actually a management problem and this says a lot about a corporation itself.

Any corporate IT department worth its money can enforce a corporate wide security policy.
But only if the top management stands behind them and doesn't falter at the first complaint about "inconvenient data access".

There is absolutely NO excuse for sensitive data being openly accessible just because the users are too dumb or too lazy.

If I were a customer of such a corporation, I'd think twice about continuing to do business with them.
qm2003
 
Posts: 852
Joined: Fri Sep 02, 2005 8:11 am

Postby piXelatedEmpire » Wed Jun 20, 2007 10:26 pm

Why wasn't the data encrypted?

What amazes me is how did anyone know what to search for to find this information on a P2P network.

No wonder the divorce rate is so high :lol:
Ross Wheeler, CEO of Albury.net.au, referring to the Australian Government's internet filtering plan, wrote: "It's the most ill-conceived pile of stupidity by the biggest bunch of cretins that I've ever seen in my life"
piXelatedEmpire
 
Posts: 4680
Joined: Tue Mar 14, 2006 4:45 pm
Location: ESPNs NBA page

Postby LurkinHawk » Thu Jun 21, 2007 1:55 pm

piXelatedEmpire wrote:Why wasn't the data encrypted?

What amazes me is how did anyone know what to search for to find this information on a P2P network.


Depending on the client used, doing a global search for "resume" accomplishes that task easily.

Encryption hasn't helped much either with laptops taken home or 'stolen'. In the last year, we've heard horror stories from Medicare, Peachcare, Social Security Administration, IRS, and NSA, to name a few. Granted, all of those are governmental (hmmm ... add that word to the oxymoron list right before 'jumbo shrimp'), so lack of management would have to be the problem...
Always near, never seen, seldom heard
LurkinHawk
 
Posts: 84
Joined: Fri Jul 08, 2005 12:22 am

Postby RadicalSatDude » Thu Jun 21, 2007 4:49 pm

If the computer in question wasn't locked down properly, then IT are to blame, but if it was, then the only way to circumvent that is using portable apps like 'Opera USB', 'Portable Opera' or any other application that'll run without installation.

However, as Steve Gibson said in one of his 'Security Now' podcasts, all of this can be easily secured using hardware DEP (Data Execution Prevention).
RadicalSatDude
 
Posts: 5
Joined: Wed Jun 21, 2006 5:50 am

Postby elf » Sat Jun 23, 2007 5:51 am

a chain of stupid events
elf
 
Posts: 4
Joined: Wed Jun 20, 2007 4:07 pm


© 2001-2008 Slyck.com