Unintentional file-sharing a boon for hackers |

Unintentional file-sharing a boon for hackers

Andrew Russell | Tribune-Review
Orion Czarnecki, cyber forensic analyst for Tiversa, a Pittsburgh-based company that tracks peer-to-peer networks, works in its Downtown headquarters. The company can connect to a million computers per second across 2,800 peer-to-peer programs.
Andrew Russell | Tribune-Review
Mike Carulli, senior cyber forensic analyst for Tiversa, a Pittsburgh-based company that tracks peer-to-peer networks, works in its Downtown headquarters. The company can connect to a million computers per second across 2,800 peer-to-peer programs.
Andrew Russell | Tribune-Review
Andrew Russell | Tribune-Review
Keith Tagliaferri, senior vice president of operations for Tiversa, a Pittsburgh-based company that tracks peer-to-peer networks, demonstrates how the company can connect to a million computers per second across 2,800 peer-to-peer programs in Tiversa's Downtown offices.

Thousands of computer users every moment could lose their most personal information — tax returns, credit cards, and banking and investment accounts — even though no one hacked or scammed them.

They give it away, often unknowingly, and potentially expose not only themselves but family, friends and employers.

People who go online to download music and movies on file-sharing or peer-to-peer networks often incorrectly configure default settings so that they end up sharing other files on their computer. Anyone else using those sharing networks at the same time can take whatever they find.

That “free” song download from sharing unexpectedly becomes costly.

Over the past year, 18,000 Americans gave away federal tax returns that way. The problem of identity theft has become so bad the Internal Revenue Service paid out $5.2 billion in false tax returns in 2010.

“This is what I refer to as a silent security risk,” said Howard Schmidt, former “cyber czar” to Presidents George W. Bush and Barack Obama. “We all talk about phishing emails and traditional hacking, but this is a silent piece of that. People inadvertently are giving their stuff up.”

When they do, Pittsburgh-based Tiversa collects almost all of the shared information from open computers. Touted as the Google of file-sharing, the company connects to millions of computers per second across 2,800 networks around the world. It collects shared files and archives them to be searched for information about Tiversa’s clients.

On a recent Monday, Tiversa’s searches of open file-sharing accounts found:

• Medical information on nearly 9,000 patients, including names, Social Security numbers, insurance numbers and home addresses;

• Confidential psychological evaluations for hundreds of patients;

• A U.S. military roster with nearly 500 names, ranks and Social Security numbers;

• A company payroll list of nearly 150 employees with names, Social Security numbers and salaries; and

• Personal information on nearly 3,000 police officers from a major U.S. city, including names, Social Security numbers and birthdates. (They wouldn’t say which city.)

Because information gets shared only when users are online, the number of files available at any moment varies. Based on its searches alone, Tiversa officials suspect most information sharing happens by accident by unknowing computer users, but also criminals intentionally posting specific files.

Analysts on the seventh floor of the company’s Downtown headquarters on Liberty Avenue sit inside a dimly lit, glass-walled room with rows of computers — facing a bank of servers alive with blinking lights behind another glass wall. Workers pore through shared files for information about Tiversa’s corporate clients and individuals who use LifeLock, the identify theft protection service.

They watch for criminal activity. After it became public that someone posted stolen credit reports on first lady Michelle Obama, FBI Director Robert Mueller, Donald Trump and other celebrities online, Tiversa began tracking the information. The company found that computer users in China, Russia, Nigeria and a dozen other countries downloaded and shared the information. It reported the findings to the Department of Justice.

“We see files like this all the time, but not files this well known,” said Mike Prusinski, Tiversa’s chief of staff. “These are the hidden risks of peer-to-peer file-sharing. While they do great things, they also provide some bad opportunities.”

Big Brother niche

Tiversa was founded in 2004 as a business designed to enforce copyrights for Hollywood and the music industry. Company officials quickly realized that wasn’t the whole picture, said Keith Tagliaferri, Tiversa’s senior vice president of operations.

“A lot more than movies and music was being shared on these file-sharing networks,” he said. “One of our analysts looked and they saw spreadsheets, and another looked and they saw jihadist-training videos.”

What Tiversa does might seem like Big Brother snooping — even illegal. But the company takes only files that users have openly shared, said Jon Ramsey, chief technology officer at Dell SecureWorks, an Atlanta-based company that researches computer security threats. He said people should think of Tiversa as a Google search engine for information that people shared via peer-to-peer networks rather than over the Internet.

“Whether they know it or not,” Ramsey said, computer users who install sharing software and click “accept” to questions about default settings and the user agreement could make information public. “You’ve lost control of it at that point.”

Georgia medical company LabMD sued Tiversa in 2011, claiming the Pittsburgh firm accessed confidential medical information from its computers and then sought to do business with it to stop the data from being dispersed.

In August 2012, a federal court dismissed the lawsuit, saying LabMD did not have jurisdiction to sue Tiversa in Georgia. A federal appeals court upheld that ruling in February, and LabMD has appealed again. If LabMD loses again, the medical firm could file suit in U.S. District Court in Pittsburgh.

In an unrelated ruling that impacts computer users, the U.S. Court of Appeals for the Ninth Circuit found that a California man convicted of having child pornography on his computer had no legal expectation of privacy for anything he shared on an open file-sharing network.

The judges found the defense argument that the defendant “lacked the technical savvy or good sense” to keep his pornography files from being shared on the open network he was using was “like saying he did not know enough to close his drapes.”

Easy targets

“As we’ve seen, people put in information they didn’t know they were sharing, and suddenly very sensitive information is being shared,” said Bob Schoshinski, assistant director of the Federal Trade Commission’s Division of Privacy and Identity Protection.

File-sharing makes up about 70 percent of Internet traffic with files that may contain large amounts of data. It can be fertile ground for finding criminals because, unlike the rest of the Web, about 90 percent of users intend to break the law if only to get free music, movies and more.

In the best circumstances for people using file-sharing networks, they obtain copyrighted material for free. At the worst, criminals steal credit card numbers, pedophiles share pictures of children, and terrorists plot.

Criminals troll file-sharing programs to find people sharing personal data or they insert malicious software into files that users can download, said Will Dormann, a software vulnerability analyst at CERT, a division of Carnegie Mellon University’s Software Engineering Institute.

Dartmouth College researchers tested file-sharing criminal behavior by posting an email message that contained the number for a debit card. The account was depleted within a week. Then they posted fake banking documents that looked like internal communications, and cyber thieves took those as well.

Potential victims are not limited to people using file-sharing networks either, said former cyber czar Schmidt, an adjunct distinguished fellow at Carnegie Mellon University and unpaid adviser to Tiversa.

“If I elect to take the risk of putting something either inadvertently or intentionally online about myself, that’s my decision,” he said. “But oftentimes we have interactions with family members, friends, co-workers, businesses that we work for. That information is not designed to be shared.”

Andrew Conte is a staff writer for Trib Total Media. He can be reached at 412-320-7835 or [email protected].

TribLIVE commenting policy

You are solely responsible for your comments and by using you agree to our Terms of Service.

We moderate comments. Our goal is to provide substantive commentary for a general readership. By screening submissions, we provide a space where readers can share intelligent and informed commentary that enhances the quality of our news and information.

While most comments will be posted if they are on-topic and not abusive, moderating decisions are subjective. We will make them as carefully and consistently as we can. Because of the volume of reader comments, we cannot review individual moderation decisions with readers.

We value thoughtful comments representing a range of views that make their point quickly and politely. We make an effort to protect discussions from repeated comments either by the same reader or different readers

We follow the same standards for taste as the daily newspaper. A few things we won't tolerate: personal attacks, obscenity, vulgarity, profanity (including expletives and letters followed by dashes), commercial promotion, impersonations, incoherence, proselytizing and SHOUTING. Don't include URLs to Web sites.

We do not edit comments. They are either approved or deleted. We reserve the right to edit a comment that is quoted or excerpted in an article. In this case, we may fix spelling and punctuation.

We welcome strong opinions and criticism of our work, but we don't want comments to become bogged down with discussions of our policies and we will moderate accordingly.

We appreciate it when readers and people quoted in articles or blog posts point out errors of fact or emphasis and will investigate all assertions. But these suggestions should be sent via e-mail. To avoid distracting other readers, we won't publish comments that suggest a correction. Instead, corrections will be made in a blog post or in an article.