Educause Security Discussion mailing list archives

Re: P2P sensitive data searches


From: "Consolvo, Corbett D" <cc72 () TXSTATE EDU>
Date: Thu, 24 Apr 2008 11:18:20 -0500

We are searching the P2P networks in general (across the Internet).  The data in question that was discovered was 
personal data not related in any way to Texas State University.  We have discovered some need to see whether our data 
is being shared in general, not just on campus.  We don't run a P2P network ourselves and generally block P2P at our 
edge.  We are first most interested in looking for institutional data but anything we can do to protect student data is 
certainly high on the list.

Thanks,
Corbett

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Basgen, Brian
Sent: Thursday, April 24, 2008 10:30 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] P2P sensitive data searches

Hi Corbett,

 Is your P2P inspection on your local resnets, and/or academic or
administrative networks? I'm not clear on whether or not the information
you found is institutional data, or if it is data being leaked from a
student's personal computer, for example. If you are checking resnets,
I'm guessing your objective is bigger than just institutional data, and
also includes the general intent to protect students?


~~~~~~~~~~~~~~~~~~
Brian Basgen
Information Security
Pima Community College







________________________________

        From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Consolvo, Corbett D
        Sent: Thursday, April 24, 2008 7:17 AM
        To: SECURITY () LISTSERV EDUCAUSE EDU
        Subject: [SECURITY] P2P sensitive data searches



        Scenario:

          We have begun doing investigation into whether any sensitive
data from our institution (Texas State University) is showing up on P2P
networks.  We are doing this right now through keyword searches.



        Issue:

          We are coming across sensitive/confidential personal
information (SSN, Driver's License, etc.).  While a lot of this seems to
be fake (perhaps a honeypot situation), a small amount of legitimate
information looks to be accidentally shared.



        I feel that we have an ethical obligation to at least make an
attempt to either pass the information to an appropriate agency or
contact the individual.  Does anyone have any suggestions or thoughts
about the path to take as well as any possible issues with pursuing
this?



        Thanks for any input,

        Corbett Consolvo

        Texas State University

        Cc72 () txstate edu
