US p2p study reveals glaring security holes

A study into p2p apps on government systems has revealed glaring security holes.

When a staff group experimented with Kazaa’s Find More from Same User feature, among other 'personal' files they found:

• Military information on chemical warfare
• Correspondence from the office of a state senator to constituents
• Internal correspondence on state political organization
• Sensitive business correspondence, including memos on board of directors decision making
• Navy medical records

They were preparing a report for reps Tom Davis and Henry Waxman, chairman and ranking member of the Committee on Government Reform.

As a result, a mere day after it was introduced yesterday, legislation to guard US federal agency computers against p2p apps was passed by the House Government Reform Committee.

The staff report found:

• Many users of file-sharing programs have inadvertently made highly personal information available to other users. Committee investigators found that file-sharing programs could be used to obtain tax returns, medical records, attorney-client communications, and personal correspondence from P2P users. A search of one P2P network found at least 2,500 Microsoft Money backup files, which store the user’s personal financial records, available for download.
• P2P file-sharing software tested by Committee investigators introduce 'spyware' or 'adware' onto users’ computers. In Committee testing, spyware and adware programs, which collect personal information for marketers, were bundled with file-sharing programs. These spyware and adware programs caused computer difficulties, including increased 'pop-up' advertisements, increased targeted spam e-mail, unusual browser activity, new and unwanted desktop software installations, and, in some instances, software conflicts and system crashes.
• P2P file-sharing software can spread viruses, worms, and other malicious computer files. Computer security experts consulted by the Committee reported that file-sharing programs can place users’ computers at additional

An internet.com report here says instead of banning P2P networks on government computers, a spokesman for Davis said, "We didn't want to be that draconian," going on, "Neither the legislation, the staff committee report nor the Davis spokesman could site how many government computers have P2P software installed.

"The legislation does contains language that states, 'Innovations in peer-to-peer technology for government applications can be pursued on intragovernmental networks that do not pose risks to network security.'

"Davis added, 'File sharing technology is not inherently bad, and it may turn out to have a variety of beneficial applications. However, as our committee has learned, this technology can create serious risks for users. This bill takes a common sense approach to protect the computers and networks of the federal government and the valuable information they contain'."