At the ShmooCon hacker conference in Washington, D.C., last week two security researchers showed the very sensitive information that people inadvertently make available over peer-to-peer networks.

In their presentation, “Information disclosure via P2P networks: Why stealing an identity via Gnutella is like clubbing baby seals,” pen testers Larry Pesce and Mick Douglas said they found a lot of music, porn and malcode collections, along with the following:

  • Driver’s licenses, passport and tax return forms with Social Security numbers;
  • Someone’s will;
  • A retirement analysis form with savings account totals and income estimates;
  • An IRS form with a taxpayer identification number;
  • A completed TurboTax form with personal information filled in.

The two have started The Cactus Project to help security specialists do similar research and help organizations tighten up the information they share over P2P. They list best-of-breed tools for conducting the research, including Mutella and the Gnutella protocol, on their site: http://pauldotcom.com/cactusproject.html.

The Network World story quotes Douglas: “We have to keep trying to educate people, but through this kind of research [security practitioners] can take steps to better protect their own organizations going forward.”

Network World story here.

These guys are clearly having too much fun. Below is a quote from the pauldotcom.com site:

“I often say that we are in one of the only professions I know of which is destined to fail. You will have a breach and there will be compromises; you will get called out. In light of this reality I still find that information security professionals are a fairly happy lot. The trade-off for having the cards stacked against us is in that we get to work in one of the coolest fields.” (http://pauldotcom.com/cactusproject.html)