Register |  Lost Password?
eSchool News

Schools fall victim to P2P security breaches

Federal investigation uncovers hundreds of schools and businesses that have seen networks compromised

Schools fall victim to P2P security breaches

 

Sharing files over unsecured P2P networks can result in data breaches.

Sharing files over unsecured P2P networks can result in data breaches.

 

Peer-to-peer file sharing in schools and colleges has come under scrutiny again after a Federal Trade Commission (FTC) probe turned up massive security breaches that made student grades, Social Security numbers, and medical records accessible to anyone connected to the peer-to-peer networks at several institutions.

The FTC sent letters to 100 schools and companies Feb. 22, warning them of data breaches that made sensitive information vulnerable to an unknown number of people on open P2P networks.

P2P networks, when working correctly, allow groups to share information online, such as software, music, videos, and documents. The openness of these networks, however, can leave sensitive data available to people who are supposed to be barred from seeing that information if the file-sharing software is not configured properly.

In a statement, FTC Chairman Jon Leibowitz said schools, colleges, and businesses “should take a hard look at their systems to ensure that there are no unauthorized P2P file-sharing programs and that authorized programs are properly configured and secure.”

Leibowitz added: “Just as important, companies that distribute P2P programs, for their part, should ensure that their software design does not contribute to inadvertent file sharing.”

Letters sent to school and campus administrators included federal warnings that student and faculty information might have been exposed through popular file-sharing sites BitTorrent and Limewire. The letters urged campus decision makers to consult their technology officials about how to protect information from exposure on P2P networks.

The FTC also directed institutions to contact employees, students, and customers who might have been affected by the security breach. The agency would not disclose which institutions received letters.

Schools victimized by the security breaches might have broken a federal law that requires institutions using P2P networks to take “reasonable and appropriate security measures to protect sensitive personal information.”

“Failure to prevent such information from being shared to a P2P network may violate such laws,” according to the FTC’s web site.

Campus technology officials have struggled to find legal file-sharing alternatives to illegal sites once prevalent on campuses, used by students to download songs and movies for free.

Last year, Ruckus—a download service supported by advertisements and available free of charge to college students—shut down, continuing a string of early departures by free or low-cost music sites. Ruckus went under after Universal Music Group and Sony did away with their Total Music venture, which owned Ruckus.

Cdigix, along with Napster, which switched to a legal downloading service after beginning as a controversial free file-sharing site in the late 1990s, were other affordable music sites that have closed down or stopped catering to colleges in recent months.

Low-cost digital music services have failed on college campuses in part because music choices were so limited that students were driven to illegal file-sharing web sites where more songs were available—and free.

  • Facebook
  • Twitter
  • Delicious
  • LinkedIn
  • StumbleUpon
  • Add to favorites
  • Email
  • RSS
1  2  Next >  

You must be logged in to post a comment Login

Comments:

  1. blumanfry

    February 24, 2010 at 3:11 pm

    This is a huge concern for schools! When I worked with the school district near Portland, OR, we had decided to implement an IPS solution by 3Com. It was absolutely amazing! Through the Tipping Point (http://www.tippingpoint.com/) web console, we could instantly see what computers in the district were running IM, P2P as well as other possibly problematic applications. The really cool thing about Tipping point is that it doesn’t matter the port number or proxy address these applications try to run on; it looks at the full packet coming to/from the network and analyzes it to see if it matches any know packet types. If your IM/P2P users try to proxy or use other port number, it doesn’t really matter since it’s looking at the packet level within the traffic to do the analysis. It also does packet inspection on potentially hazardous packets that may be used in attempts to crack into the network and do these types of mischief. Stop the hacking packets in their tracks! Truly amazing technology 5 years ago and now I feel that this technology should almost be standard within organizations that contains sensitive information such as SS#, student information, medical, police… Its not hard to implement and is very cost effective for the protection you get!

    Shane Crockett
    =======================
    http://www.blumanfry.com
    http://twitter.com/blumanfry

  2. blumanfry

    February 24, 2010 at 3:11 pm

    This is a huge concern for schools! When I worked with the school district near Portland, OR, we had decided to implement an IPS solution by 3Com. It was absolutely amazing! Through the Tipping Point (http://www.tippingpoint.com/) web console, we could instantly see what computers in the district were running IM, P2P as well as other possibly problematic applications. The really cool thing about Tipping point is that it doesn’t matter the port number or proxy address these applications try to run on; it looks at the full packet coming to/from the network and analyzes it to see if it matches any know packet types. If your IM/P2P users try to proxy or use other port number, it doesn’t really matter since it’s looking at the packet level within the traffic to do the analysis. It also does packet inspection on potentially hazardous packets that may be used in attempts to crack into the network and do these types of mischief. Stop the hacking packets in their tracks! Truly amazing technology 5 years ago and now I feel that this technology should almost be standard within organizations that contains sensitive information such as SS#, student information, medical, police… Its not hard to implement and is very cost effective for the protection you get!

    Shane Crockett
    =======================
    http://www.blumanfry.com
    http://twitter.com/blumanfry

  3. jrep

    February 24, 2010 at 4:06 pm

    The pertinent question, it seems to me, is not “what or where were P2P networks running,” but rather “how did this sensitive information get into the P2P network?” The article is not clear: in this case, did someone with legitimate access to this data transfer the data from secure storage into the P2P net? Or was the P2P net itself actually enabled to see into the “secure” store? If the former, then controlling the P2P network itself is no more helpful than banning cafeteria tables because someone left a printout on one.

  4. jrep

    February 24, 2010 at 4:06 pm

    The pertinent question, it seems to me, is not “what or where were P2P networks running,” but rather “how did this sensitive information get into the P2P network?” The article is not clear: in this case, did someone with legitimate access to this data transfer the data from secure storage into the P2P net? Or was the P2P net itself actually enabled to see into the “secure” store? If the former, then controlling the P2P network itself is no more helpful than banning cafeteria tables because someone left a printout on one.

  5. janice33rpm

    February 25, 2010 at 10:41 am

    In David Scott’s words, everyone needs to be a mini-Security Officer in the modern organization today. I think Mr. Scott is right: Most individuals and organizations enjoy Security largely as a matter of luck. Anyone else here reading I.T. WARS? I had to read parts of this book as part of my employee orientation at a new job. The book talks about a whole new culture as being necessary – an eCulture – for a true understanding of security, being that most identity/data breaches are due to simple human errors. It has great chapters on security, as well as risk, content management, project management, acceptable use, various plans and policies, and so on. Just Google IT WARS – check out a couple links down and read the interview with the author David Scott at Boston’s Business Forum. (Full title is I.T. WARS: Managing the Business-Technology Weave in the New Millennium).

  6. janice33rpm

    February 25, 2010 at 10:41 am

    In David Scott’s words, everyone needs to be a mini-Security Officer in the modern organization today. I think Mr. Scott is right: Most individuals and organizations enjoy Security largely as a matter of luck. Anyone else here reading I.T. WARS? I had to read parts of this book as part of my employee orientation at a new job. The book talks about a whole new culture as being necessary – an eCulture – for a true understanding of security, being that most identity/data breaches are due to simple human errors. It has great chapters on security, as well as risk, content management, project management, acceptable use, various plans and policies, and so on. Just Google IT WARS – check out a couple links down and read the interview with the author David Scott at Boston’s Business Forum. (Full title is I.T. WARS: Managing the Business-Technology Weave in the New Millennium).

  7. mark ward

    February 25, 2010 at 4:54 pm

    Jrep;
    Once on a p2p file sharing application, instead of searching for a song, search for *xls. It will search all “sharers” machines for excel spreadsheets (in this example). Many in the file sharing community (millions even), when setting up their p2p app will inadvertently share more than their “music” folder. Often times they will share their whole machine and whatever the machine is mapped too on the network. Not a good thing if your in accounting, or work with student records.
    Blumanfry: Tippingpoint is an excellent tool, but what if IM is allowed? Or Twitter, the new IM, and not only allowed, but many districts encouraged. It is the “content” that is important here. Analyze re-constructed packets into sessions with sophisticated linguistic and mathematical algorithms, all ports, all protocols for full visibility, coupled with safe online use (K12) education is the future. To “stop” this type of activity with technology ie blocking (URL or signature) is a no win situation and an inherently flawed approach. Yes, we need blocking, IDS, IPS etc…but what we really need is high, full content visibility coupled with educating the humans and holding them accountable for their actions (that is when it stops). Vericept is the only AUP, DLP and full investigative software that will give one the visibility to fix the problem where it resides…the student or human doing it in the first place. People problem, people solution.

  8. mark ward

    February 25, 2010 at 4:54 pm

    Jrep;
    Once on a p2p file sharing application, instead of searching for a song, search for *xls. It will search all “sharers” machines for excel spreadsheets (in this example). Many in the file sharing community (millions even), when setting up their p2p app will inadvertently share more than their “music” folder. Often times they will share their whole machine and whatever the machine is mapped too on the network. Not a good thing if your in accounting, or work with student records.
    Blumanfry: Tippingpoint is an excellent tool, but what if IM is allowed? Or Twitter, the new IM, and not only allowed, but many districts encouraged. It is the “content” that is important here. Analyze re-constructed packets into sessions with sophisticated linguistic and mathematical algorithms, all ports, all protocols for full visibility, coupled with safe online use (K12) education is the future. To “stop” this type of activity with technology ie blocking (URL or signature) is a no win situation and an inherently flawed approach. Yes, we need blocking, IDS, IPS etc…but what we really need is high, full content visibility coupled with educating the humans and holding them accountable for their actions (that is when it stops). Vericept is the only AUP, DLP and full investigative software that will give one the visibility to fix the problem where it resides…the student or human doing it in the first place. People problem, people solution.

  9. blumanfry

    March 2, 2010 at 1:03 pm

    mark ward: Tipping point give you more control over what is flowing in and out of the network. If you want AOL IM to work (for instance) but not Yahoo, it’s really all in the configuration of the rules you apply in the system. I believe you can also allow specific protocols that may be associated with a program, and disallow others (AOL IM OK, but AOL share file disallowed, as an example), or even just log activity (not record the IM session, but just access), but not restrict. I posted about TippingPoint as it was an invaluable tool in helping get control on our bandwidth within the school district, as well as closing off access to specific networks such as P2P applications that were being used by students to pirate copyrighted material, or programs that were just being downright problematic. You can turn on/off specific protocols/applications from accessing the network, so if you had IM or P2P software that was supported, encouraged or managed by the district, those applications could be used, and others that were not allowed, to be turned off. Its just another tool in the IT department’s tool-kit that can help lessen the management burden so that the IT staff can focus on servicing the students and adding to their learning experience, instead of putting out fires or issues that are caused by these unwanted programs/traffic. I know most districts have limited staff for IT, so to give the tech’s a few hours or so a week (or more) to focus on servicing the student environment would be extremely beneficial to the education experience.

    Just my 2.5 cents.

    Shane Crockett
    =======================
    http://www.blumanfry.com
    http://twitter.com/blumanfry

  10. blumanfry

    March 2, 2010 at 1:03 pm

    mark ward: Tipping point give you more control over what is flowing in and out of the network. If you want AOL IM to work (for instance) but not Yahoo, it’s really all in the configuration of the rules you apply in the system. I believe you can also allow specific protocols that may be associated with a program, and disallow others (AOL IM OK, but AOL share file disallowed, as an example), or even just log activity (not record the IM session, but just access), but not restrict. I posted about TippingPoint as it was an invaluable tool in helping get control on our bandwidth within the school district, as well as closing off access to specific networks such as P2P applications that were being used by students to pirate copyrighted material, or programs that were just being downright problematic. You can turn on/off specific protocols/applications from accessing the network, so if you had IM or P2P software that was supported, encouraged or managed by the district, those applications could be used, and others that were not allowed, to be turned off. Its just another tool in the IT department’s tool-kit that can help lessen the management burden so that the IT staff can focus on servicing the students and adding to their learning experience, instead of putting out fires or issues that are caused by these unwanted programs/traffic. I know most districts have limited staff for IT, so to give the tech’s a few hours or so a week (or more) to focus on servicing the student environment would be extremely beneficial to the education experience.

    Just my 2.5 cents.

    Shane Crockett
    =======================
    http://www.blumanfry.com
    http://twitter.com/blumanfry