By Allan Holmes | Friday, September 07, 2007 | 11:33 AM
What was once thought to be theoretically possible is no longer. The Justice Department has arrested a Seattle man, charging him with using peer-to-peer software to snoop through personal computers to commit identity theft, according to an Associated Press article. Gregory Thomas Kopiloff used the peer-to-peer software LimeWire to steal personal financial information stored on individuals' computers. The Justice Department said it is the first case in which someone used peer-to-peer software to commit identity theft.
LimeWire lets users who have downloaded the software share files, primarily music, but it can also be used to share any file on the computer. Many users are not aware of the risk that LimeWire and other peer-to-peer applications present. In a hearing this summer, Rep. Henry Waxman, D-Calif., grilled Lime Group CEO Mark Gorton about how the peer-to-peer software, which had been downloaded onto government computers, put sensitive government information at risk of theft. Here’s a related Tech Insider post on the subject.
According to the AP, Kopiloff used LimeWire to steal identities this way:
When other users might search on LimeWire for "Madonna," Kopiloff would search for "federal tax return," or for student financial aid forms or other financial information, [assistant U.S. attorney Kathryn] Warma said. And instead of getting access to a few hundred files containing "Like a Virgin" or "Papa Don't Preach," he would get a few hundred files containing tax returns. He would vet his victims before opening accounts in their name, ensuring they earned at least $150,000 a year and had good credit, Warma said.
In what may prove to be prescient, Rep. Darrell Issa, R-Calif., during the summer congressional hearing on peer-to-peer software, warned Gorton about lawsuits if LimeWire is proven to have been used to steal identities. According to a ZDNet article:
Rep. Darrell Issa, R-Calif., warned Gorton that LimeWire's practices may open the company up to serious legal liability. “Would it surprise you if you have a string of lawsuits for inherent defect in your product if people like Charlie Mueller of Missouri finds out he's lost his IRS filings and feels he's been damaged?” Issa asked.
Gorton repeatedly defended his company's practices and said he wasn't aware of the extent to which national security information was being accessed through his network.
LimeWire strives to make its product easier to understand and is working on a new version even more tailored to the “neophyte” user, Gorton said. The software incorporates a number of warnings intended to stave off inadvertent file sharing, he added. For instance, pop-up messages appear when users attempt to share folders, such as the all-encompassing “My Documents” folder and the root directory, which are considered likely to contain sensitive information.
“A lot of the information that gets out there now is because people accidentally share directories that they wouldn't mean to share clearly,” Gorton said. “Those warnings are not enough, at least in a handful of cases.”
This may be one of those cases.
Comments
(2nd trans, corrected)
Daniel, could you define “burglary tools” for me? Heck, a flat tipped screwdriver will get you through the sheet metal skin of a mobile home in no time flat. Does it qualify as a burglary tool?
Burglary tools are merely tools, normally used in the conduct of legitimate business, that are employed for illicit purposes. In a court of law, unlike most houses of religion, acts count more than intentions; normally. I’m concerned about utility programs that may be used for legitimate purposes being construed by whatever software police are interested in for the moment.
Most hacker tools are actually applications required for system administration or, upon new discovery, swiftly co-opted into the security game.
What will define the difference between those and these "burglary tools"? In my eyes, only intent (non-provable) or use in illegal acts.
I don't agree with Daniel. The question is not burglary tools. Is it illegal to make hammers and crowbars? No. Is it possible to use legal tools to commit crimes? Yes. It's not the manufacturer, it's the user. A gun by itself is not a murder weapon until a person uses it to commit murder. Not the tools, it's the user.
John | Wednesday, September 12, 2007 | 12:03 PM
Daniel, could you define “burglary tools” for me? Heck, a flat tipped screwdriver will get you through the sheet metal skin of a mobile home in no time flat. Does it qualify as a burglary tool?
Burglary tools are merely tools, mostly used in legitimate business, that are employed for illicit purposes. In a court of law, unlike most houses of religion, acts count more than intentions; normally.
Most hacker tools are actually required applications for system administration.
So based on this article, one can also postulate matches cause forest fires, guns kill people, alcohol causes drunk driving, et cetera. How about blaming the person(s) responsible and not the tool. Tools are simply tools until used illegally.
Robert | Tuesday, September 11, 2007 | 07:34 AM
This incident is not a first; just the first time someone was caught & prosecuted...
US | Monday, September 10, 2007 | 11:05 AM
Rhetorical, but drawing parallels to the non-virtual world that we all more readily comprehend:
Is it illegal to manufacture burglary tools?
...to sell burglary tools?
...to merely possess burglary tools?
...to use burglary tools in order to gain unauthorized access?
The last two are problematic (i.e., illegal) in just about any U.S. jurisdiction.
I'm not asserting that all P2P software should be equated to burglary tools or construed as contraband, but there are significant security implications associated with P2P. While the recent Congressional scrutiny is long overdue, the topic is certainly relevant and should routinely be on the minds of management and IT security professionals.
Daniel | Sunday, September 09, 2007 | 11:18 PM








