BearShare Warning!

Marty Weiner

Flashlight Enthusiast
Joined
Oct 31, 2002
Messages
1,038
Location
Same Area Code As Death Valley
CBS did a story this morning about the dangers of a software sharing program called BearShare.

It seems that people who downloaded it to share music files are also having their financial data shared with complete strangers across the county.

One man interviewed found over 100 tax returns attached to a music file that he shared with others. This man called each and every person involved (don't forget that he had complete phone and bank records as shown on an electronically filed tax return). Of course, the person at the other end of the phone was in complete shock.

The company that produces BearShare says it's working on a fix. Duh!
 

kakster

Flashlight Enthusiast
Joined
Feb 6, 2003
Messages
1,903
Location
London, UK
It's not just BearShare that does this, but nearly all P2P filesharing apps. The problem occurs when you install it for the first time and it searches your hard drive for files to share. You can set specific folders and directories to share from, but by default, it will share ALL your files on the C drive.

For a good example of how many people are caught out by this, do a search on BearShare or Kazaa for "DSC" which is the default filename prefix for pictures taken on ALL sony digicams. You'll see a surprising amount of photos being unwittingly shared.
 

idleprocess

Flashaholic
Joined
Feb 29, 2004
Messages
7,197
Location
decamped
I'm a bit confused how one would inadvertently find something like a tax return attached to a music file. Unless the app really screwed up by appending a bunch of files together (likely resulting in a useless junk file), it's more likely that the guy downloaded the contents of a directory.

Given that BearShare installs a webserver (or at least it did years ago when I last used it), it's hardly surprising that people have found ways around its minimal security. I found a way to use the Bearshare webserver to host a regular website - albeit with zero tweakability, and on a weird port.

No, this sounds like more media hype than anything. The media will interview damn-near any self-proclaimed "internet" or "security" expert for these distinctly yellow stories.

I think kakster has got it right - someone browsed directories and downloaded personal data.

There is an outside chance that something more sinister is at work here. Maybe identity thieves are using P2P networks to traffic personal data. If one is slightly clever with a hex editor (or even the right kind of text editor), one could append an MP3 file with a bunch of data in such a fashion that the MP3 would play just fine. The file would be larger than necessary with a non-audio "tail," and nearly impossible for the average (unwitting) distributor on P2P to detect.

However, I doubt this scenario - I don't think a typical P2P user would detect my proposed "trojan." It takes some knowledge to investigate such things and given the propensity of P2P users to install bad applications so they can get free stuff instantly...
 
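The "non-audio tail" idleprocess describes above is detectable from the file structure alone: MP3 audio is a sequence of self-describing frames, so a checker can walk the frames and flag any bytes after the last one that are not a trailing ID3v1 tag. The following is an added example written for this thread, not code from BearShare or from any poster; it assumes MPEG-1 Layer III frames only (the constructed samples use 128 kbps / 44.1 kHz headers and a constructed appended record).

```python
# MPEG-1 Layer III only (assumption to keep the checker short; MPEG-2/2.5 or Layer I/II stops the walk)
BITRATES_KBPS = [0, 32, 40, 48, 56, 64, 80, 96, 112, 128, 160, 192, 224, 256, 320, 0]
SAMPLE_RATES = [44100, 48000, 32000, 0]

def frame_length(hdr: bytes):
    """Byte length of the MPEG-1 Layer III frame starting with hdr, or None if not a frame."""
    if len(hdr) < 4 or hdr[0] != 0xFF or (hdr[1] & 0xFE) != 0xFA:
        return None                       # 11-bit sync + MPEG-1 + Layer III (CRC bit ignored)
    bitrate = BITRATES_KBPS[hdr[2] >> 4] * 1000
    rate = SAMPLE_RATES[(hdr[2] >> 2) & 0x03]
    padding = (hdr[2] >> 1) & 0x01
    if bitrate == 0 or rate == 0:
        return None                       # reserved/free-format values: treat as not a frame
    return 144 * bitrate // rate + padding

def id3v2_size(data: bytes) -> int:
    """Size of a leading ID3v2 tag (10-byte header + syncsafe size), or 0 if absent."""
    if len(data) < 10 or data[:3] != b"ID3":
        return 0
    size = 0
    for b in data[6:10]:
        size = (size << 7) | (b & 0x7F)
    return 10 + size

def audit_mp3(data: bytes) -> dict:
    """Walk the audio frames; report bytes after them that are not a trailing ID3v1 tag."""
    pos, frames = id3v2_size(data), 0
    while True:
        n = frame_length(data[pos:pos + 4])
        if n is None or pos + n > len(data):
            break
        pos, frames = pos + n, frames + 1
    end = len(data)
    if end - pos >= 128 and data[end - 128:end - 125] == b"TAG":
        end -= 128                        # ID3v1 tag is legitimate metadata, not a payload
    tail = data[pos:end]
    return {"frames": frames, "audio_end": pos, "trailing_bytes": len(tail),
            "suspicious": len(tail) > 0, "tail_preview": tail[:32]}

def make_frame(padding: int = 0) -> bytes:
    """Constructed 128 kbps / 44.1 kHz frame: valid header followed by a zeroed payload."""
    hdr = bytes([0xFF, 0xFB, 0x90 | (padding << 1), 0x00])
    return hdr + b"\x00" * (frame_length(hdr) - 4)

# Constructed samples: four frames plus an ID3v1 tag, with and without an appended record.
ID3V1_TAG = b"TAG" + b"\x00" * 125
CLEAN_MP3 = make_frame() * 3 + make_frame(1) + ID3V1_TAG
HIDDEN_RECORD = b"[constructed record: name=Jane Doe; acct=0000]\n"
TAMPERED_MP3 = make_frame() * 3 + make_frame(1) + HIDDEN_RECORD + ID3V1_TAG
```

`audit_mp3(TAMPERED_MP3)` reports the appended bytes while `audit_mp3(CLEAN_MP3)` reports none; a player would render both files identically, which is exactly why a structural check rather than a listening test is needed.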

ACMarina

Flashlight Enthusiast
Joined
Sep 10, 2004
Messages
3,119
Location
Brookston, IN
Yeah, from what I've seen even the *best* P2P apps default to the "My Documents" folder, where a boatload of personal stuff is stored. I guess I'll have to find another way to get the newest Linux distros, huh??
 