[ISN] Stop blaming Winny, fix the real problem

InfoSec News isn at c4i.org
Thu Mar 16 05:02:49 EST 2006


The Yomiuri Shimbun
Mar. 15, 2006

Should all the blame fall on the Winny file-sharing software? 

Not quite. Anyone dealing with sensitive information has an extremely 
heavy obligation in this regard. 

A number of cases of large amounts of government secrets and personal 
information being accidentally disclosed on the Internet have come to 
light in recent weeks, and Winny has been singled out for criticism in 
all these incidents. 

Winny was created to enable computer users to exchange music and video 
files over the Internet. However, the development of the software has 
been followed by the emergence of computer viruses that can infect 
Winny, making it act in ways not intended. 

If infected, Winny can upload data from computers on which it is 
installed onto the Internet without the knowledge of users. 

In all the information disclosures reported, the victims had stored 
important data on personal computers that were running copies of Winny 
that had been infected with viruses. This has prompted many people to 
point a finger at the file-sharing software. 

The recent spate of Winny-related incidents includes the disclosure of 
information about investigations by the Okayama and Ehime prefectural 
police. The tendency to single Winny out for criticism can be seen in 
remarks made by senior officials at the National Police Agency, an 
organ charged with supervising prefectural police authorities. "Police 
personnel who use Winny on their personal computers have no awareness 
of their professional duties," NPA Commissioner General Iwao Uruma 


Lax security true culprit 

But blaming Winny alone means blinkering oneself to the true culprit, 
and one needs to look further. It is disturbing to see that the 
organizations affected by the incidents were extremely lackadaisical 
in protecting information and secrets. 

Questions should be raised about why those responsible for the 
disclosures were able to copy sensitive information from their office 
computers onto their own computers, and take it home without 
permission from their superiors. The ease with which this was done 
means no measures had been taken to protect the confidentiality of 
information held by these offices. 

What if such massive amounts of information had been stored on paper, 
not computers, and disclosed? The spate of disclosures would be 
considered highly abnormal. 

We all have good reason to raise questions about how the organizations 
affected by the disclosures protect their secrets and data. Are 
personnel at their offices allowed to duplicate important documents 
and take them outside? Are they permitted to take such documents home? 
Are the central and local governments properly equipped to manage the 
many secrets and personal information entrusted to them? 

The government and other pertinent organizations must thoroughly 
reexamine their information-control systems. 


Govt must accept responsibility 

The Defense Agency intends to buy all its personnel new computers to 
help them carry out their duties. The decision came after the agency 
had second thoughts about its standing practice of allowing employees 
to use their own computers for work. 

But this purchase must be complemented by efforts to ensure 
information stored on these computers is properly controlled. If 
agency officials are allowed to copy data from their office computers 
onto their personal computers and take them out, the agency will 
remain susceptible to the disclosure of secrets and data. 

Winny is not the only software that can be perverted to disclose data 
stored on computers; there are others. The Defense Agency must ban 
personnel from using the newly supplied computers for personal use. 

No government employee should be allowed to take data outside the 
workplace. Government information and data must be encoded if taken 
out from the office. Doing so would prevent the data from being 
understood if disclosed to an outsider. Thorough measures should be 
implemented to educate government employees about how to properly 
control data they handle. Furthermore, periodic inspections are needed 
to ensure these safeguards are being followed. 

Any organization that has a bitter experience of having secrets and 
data disclosed has already taken such measures. Government 
organizations must learn what it means to protect the confidentiality 
of their information and data. 

(From The Yomiuri Shimbun, March 15) 
