Educause Security Discussion mailing list archives

Re: P2P sensitive data searches


From: Kathy Bergsma <kbergsma () UFL EDU>
Date: Thu, 24 Apr 2008 12:30:28 -0400

It gets worse.  Tiversa archives p2p content.  For a significant cost, they will
monitor p2p networks for content from your institution.  Their process involves
archiving the content and, if private data is found from any institution
(whether you use the service or not), we have trust that they won't expose it.

http://www.tiversa.com/

Consolvo, Corbett D wrote:
We are searching the P2P networks in general (across the Internet).  The data in question that was discovered was personal 
data not related in any way to Texas State University.  We have discovered some need to see whether our data is being shared 
in general, not just on campus.  We don't run a P2P network ourselves and generally block P2P at our edge.  We are 
first most interested in looking for institutional data but anything we can do to protect student data is certainly high on 
the list.

Thanks,
Corbett

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Basgen, Brian
Sent: Thursday, April 24, 2008 10:30 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] P2P sensitive data searches

Hi Corbett,

 Is your P2P inspection on your local resnets, and/or academic or
administrative networks? I'm not clear on whether or not the information
you found is institutional data, or if it is data being leaked from a
student's personal computer, for example. If you are checking resnets,
I'm guessing your objective is bigger than just institutional data, and
also includes the general intent to protect students?


~~~~~~~~~~~~~~~~~~
Brian Basgen
Information Security
Pima Community College







________________________________

        From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Consolvo, Corbett D
        Sent: Thursday, April 24, 2008 7:17 AM
        To: SECURITY () LISTSERV EDUCAUSE EDU
        Subject: [SECURITY] P2P sensitive data searches



        Scenario:

          We have begun doing investigation into whether any sensitive
data from our institution (Texas State University) is showing up on P2P
networks.  We are doing this right now through keyword searches.



        Issue:

          We are coming across sensitive/confidential personal
information (SSN, Driver's License, etc.).  While a lot of this seems to
be fake (perhaps a honeypot situation), a small amount of legitimate
information looks to be accidentally shared.



        I feel that we have an ethical obligation to at least make an
attempt to either pass the information to an appropriate agency or
contact the individual.  Does anyone have any suggestions or thoughts
about the path to take as well as any possible issues with pursuing
this?



        Thanks for any input,

        Corbett Consolvo

        Texas State University

        Cc72 () txstate edu


--
Kathy Bergsma
UF Information Security Manager
352-392-2061
