Can peer-to-peer coexist with network security?
Security experts have long cautioned about the risk posed by the use of peer-to-peer file sharing by individuals working in corporations, warning that the practice creates holes that let malware in and sensitive data out.
Their message may be having an impact in the P2P development community.
A trade group representing peer-to-peer file sharing providers next week will publish a report that finds P2P software companies are modifying their programs in an effort to make it harder for users to inadvertently share sensitive information.
For corporate IT administrators, that shift can't come soon enough. The problem was highlighted by the recent news that avionics blueprints of President Obama's helicopter had leaked through a peer-to-peer network used by a defense contractor to an IP (Internet Protocol) address in Iran.
This isn't the first time sensitive data has trickled out via popular file sharing networks. Last summer, personal information of some 1,000 former patients of the Walter Reed Army Medical Center was believed to have been leaked via a peer-to-peer network. Sensitive health care and financial data has also been found on file sharing networks, according to studies from Dartmouth College and P2P network monitoring service provider Tiversa, which also uncovered the leaked presidential helicopter data.
Peer-to-peer use at ABN Amro and Pfizer led to the exposure of personally identifiable information of more than 20,000 consumers in 2007. And then there was the symbolic slap in the face when politicians called P2P networks a potential "national security threat" at a congressional hearing that summer.
This screenshot illustrates how a peer-to-peer file sharing network works.
(Credit: Tiversa)
Employees: The weak link
The problem, experts say, is that employees are violating corporate policy by using P2P at work or on work laptops to download MP3 files, or they take the work laptop home and their children install file-sharing software on it.
Ninety-three percent of P2P disclosures in the enterprise are inadvertent, said Tiversa Brand Director Scott Harrer. "You can't really guard against human error," he said.
Compounding the problem, employees also tend not to be savvy enough to configure the software so that files they don't want to share stay out of the shared set.
"The default settings tend to err on the side of being more open than more closed," Mark Loveless, a research scientist at technology non-profit Mitre, said on Thursday. This mirrors the security-versus-usability trade-off that software and Web services providers, like Microsoft and Google, often find themselves making.
If the P2P user isn't careful in establishing a shared folder for other users of the file sharing network to access, sensitive files anywhere on the computer can be exposed. For instance, a user can inadvertently open up files in the "My Documents" folder or anywhere in the entire C: drive.
"There are methods to configure the software to only share from a particular directory," said Loveless. "But you're talking about someone who has problems, in many cases, using Microsoft Word or corporate e-mail, apps they've had training on. So I would not expect them to necessarily know how to go about that and correct it."
Beyond having default settings that err on the side of openness and not security, the software is also designed to circumvent firewalls and other attempts to block it, Loveless said.
"P2P programs will use encrypted and sophisticated protocols to be able to talk to the Internet and evade (network monitoring) tools," he said. "They'll use multiple ways to try to get out on the Internet, undetected."
Historically, P2P programs used one specific TCP/IP port for their traffic, but now they can pick a random port or use port 80, which carries all kinds of Web traffic, thwarting administrators' attempts to block P2P by plugging a single port, said Sam Hopkins, the co-founder and chief technology officer at Tiversa.
The software also has tricks for reaching files behind firewalls. If a user wants a file that sits on a computer behind a firewall, the system can arrange behind the scenes for a third computer to ask the firewall-protected computer to push the file out to the requesting user, he said.
And some P2P programs can be buggy, particularly software written by young enthusiasts rather than paid professionals. Meanwhile, files distributed over P2P networks are being used to spread viruses and other malware to unsuspecting downloaders. For instance, a Trojan circulated on BitTorrent in January inside pirated copies of iWork '09.
There is also malware that automatically scans a computer and, when it finds a media file anywhere on the system, changes the P2P software's configuration to share the entire drive that file is on, Hopkins said.
Minimizing the risk
IT administrators need to have a written policy that specifies whether or not employees are allowed to use file sharing. And they need to use perimeter security software, including firewall and intrusion detection, "to lock down the ports used by P2P or to look for specific P2P network traffic," said Tony Bradley, director of security at Evangelyze Communications, a unified communications software and service provider.
Corporations also might consider encrypting sensitive information and using data loss prevention tools to block data leakage, experts said. And if they want to see if any of their data has found its way onto a P2P network, they can hire Tiversa to probe Gnutella, eDonkey and FastTrack file-sharing networks.
Tiversa searches those networks for specific terms, notifies customers when it finds data belonging to them, and helps pinpoint the source of the leak and stop it.
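The port-hopping Hopkins describes is why Bradley's advice to look for P2P traffic itself, rather than only plugging a port, matters. As an added illustration that is not from the article or from any vendor named in it, the Python below applies two behavioural signals to constructed flow records: an internal host talking to many external peers across scattered remote ports, and an internal host accepting inbound connections from the Internet. The 10.0.0.x range, the thresholds, and every address and port are assumptions.

```python
# Constructed example: flow records in a simplified "src sport dst dport" form,
# standing in for a perimeter firewall or IDS export. All values are made up.
from collections import defaultdict

INTERNAL_PREFIX = "10.0.0."  # assumption: the corporate LAN range

SAMPLE_FLOWS = """\
10.0.0.5 51022 93.184.216.34 443
10.0.0.5 51030 151.101.1.69 80
10.0.0.9 49152 203.0.113.10 6346
10.0.0.9 49153 203.0.113.11 41233
10.0.0.9 49154 203.0.113.12 80
10.0.0.9 49155 203.0.113.13 58211
10.0.0.9 49156 203.0.113.14 27015
10.0.0.9 49157 203.0.113.15 80
198.51.100.7 40001 10.0.0.9 6346
198.51.100.8 40002 10.0.0.9 6346
"""

def parse_flows(text):
    """Return (src, sport, dst, dport) tuples, skipping blank and comment lines."""
    flows = []
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            src, sport, dst, dport = line.split()
            flows.append((src, int(sport), dst, int(dport)))
    return flows

def is_internal(ip):
    return ip.startswith(INTERNAL_PREFIX)

def p2p_suspects(flows, min_peers=5, min_ports=4, min_inbound=2):
    """Map internal host -> reasons, for hosts whose traffic pattern looks like P2P."""
    peers, ports, inbound = defaultdict(set), defaultdict(set), defaultdict(set)
    for src, _sport, dst, dport in flows:
        if is_internal(src) and not is_internal(dst):
            peers[src].add(dst)      # external peer the host contacted
            ports[src].add(dport)    # remote port: random high ports, or 80
        elif is_internal(dst) and not is_internal(src):
            peers[dst].add(src)
            inbound[dst].add(src)    # Internet hosts connecting in: servent behaviour
    suspects = {}
    for host, hp in peers.items():
        reasons = []
        if len(ports[host]) >= min_ports:
            reasons.append(f"{len(ports[host])} distinct remote ports")
        if len(inbound[host]) >= min_inbound:
            reasons.append(f"{len(inbound[host])} inbound external peers")
        if len(hp) >= min_peers and reasons:   # many peers plus at least one signal
            suspects[host] = reasons
    return suspects
```

Port 80 alone gives no signal here, which is the point: the host is caught by the breadth of its peer set and by the inbound connections, not by the port number.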
After lawmakers accused them of being part of the problem nearly two years ago, P2P providers and their trade group--the Distributed Computing Industry Association (DCIA)--formed a working group to figure out ways to minimize the risk for P2P users and their networks. The DCIA prepared a report dated Thursday on the Inadvertent Sharing Protection Compliance that lists guidelines for better protecting P2P users and percentages of its members who are following them.
LimeWire 5, the latest version of the popular file sharing software, released earlier this year, includes a number of the suggested changes and served as a "poster child for compliance," said Marty Lafferty, chief executive of the DCIA.
The report shows 100 percent compliance with the guideline that recommends that default settings prohibit the sharing of user-originated files, while 57 percent of the respondents said they were complying with the guideline to offer a simple way for the user to disable the file-sharing functionality.
Other guidelines, with compliance percentages ranging from 29 percent to 71 percent, included requiring users to select individual files within a folder to share rather than sharing the entire folder, requiring the user to take affirmative steps to share sensitive folders and preventing the sharing of a complete network or external drive or user-specific system folder, such as "Documents and Settings." Among the guidelines are requirements for warnings to the user when particular settings might jeopardize security.
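As an added example (not LimeWire's or the DCIA's code), the following Python encodes the guidelines above as a check on a single share request: it refuses whole drives, network shares and user profile folders outright, and asks for an affirmative confirmation before sharing a sensitive folder or a whole folder instead of selected files. The folder names and decision labels are assumptions for illustration.

```python
# Added example, not LimeWire's or the DCIA's code: a check on one share request
# that encodes the guidelines above. Folder names below are illustrative assumptions.
from pathlib import PureWindowsPath

# Constructed: top-level folders that hold user profiles (the "Documents and
# Settings" case from the report); the folder and its per-user subfolders are refused.
PROFILE_ROOTS = {"documents and settings", "users"}
# Constructed: folders that may be shared only after an explicit confirmation.
SENSITIVE = {"my documents", "documents", "desktop"}
ALLOW, CONFIRM, DENY = "allow", "confirm", "deny"

def check_share(path, is_folder=False, confirmed=False):
    """Return (decision, reason) for a request to share `path`.

    DENY:    a complete drive or network share, or a user profile folder.
    CONFIRM: a sensitive folder, or a whole folder instead of selected files,
             until the user takes the affirmative step of confirming.
    """
    p = PureWindowsPath(path)
    names = [part.lower() for part in p.parts[1:]]  # components after the drive
    if not p.drive:
        return DENY, "relative paths are ambiguous; use a full path"
    if not names:
        return DENY, f"an entire drive or network share ({p.drive}) cannot be shared"
    if names[0] in PROFILE_ROOTS and len(names) <= 2:
        return DENY, f"user profile folder '{p}' cannot be shared"
    if any(n in SENSITIVE for n in names) and not confirmed:
        return CONFIRM, "sensitive folder: confirm before sharing"
    if is_folder and not confirmed:
        return CONFIRM, "select individual files, or confirm sharing the whole folder"
    return ALLOW, "ok"
```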
"We were concerned about user error in earlier versions of file sharing software where it was easier for users to make those mistakes," Hopkins said. "But a lot has been done to close those loopholes for the new versions."
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service, and the Associated Press.
Source?
n3td3v March 6, 2009 11:36 AM PST
Torrents allow me to pause the download, resume the download later whenever I want or in case the connection has dropped, and in some cases torrents have even been used to repair corrupted files by redownloading the few small chunks that have been damaged. Also, I can give back to the community and use torrents to take the bandwidth load off someone else that's trying to distribute gigantic files for whatever net community they're currently focused on. Also, as time goes on files and data are only going to get bigger. Because of this I bet torrents will become ever more popular for just everyday things that have nothing to do with piracy.
Also, your 0.3% is probably entirely wrong, because if only 0.3 percent of people used some kind of P2P technology for legal purposes it is highly unlikely any of those 0.3 percent of people would have noticed your post in the big mass that is the internet. The fact that I replied to you so fast probably means statistically there are many more people than you think using P2P for legal means. However, we don't really have enough data or evidence to say that, but that'd be my guess.
Linux is not the only free software program on the planet. I say people also use torrents as a download manager for anything that's big and not just Linux. I'm sad now that you couldn't figure that out. A storm or something messed up the net in my neighborhood. Downloads became very slow and connections were dropping for everyone for about a week while they fixed it.
This was around when the latest Open Office came out. So, to make sure my download would not fail I also downloaded OO via torrent. My friends and I have also seeded torrents to each other of video that we've shot because some of us are into photography and video editing. That's a lot of data. Gigs and gigs. A little too much to be transferring through an instant messenger connection. I could give you example after example.
Has nothing to do with Linux. You're just gonna have to face the fact that your bias is wrong. Add up all the large software programs and content that's out there and you'll find many people use torrents for completely valid things. It's just a protocol like HTTP or FTP. It doesn't mean the content is all illegal. You could shut it down if you want, but you can download pirated stuff via HTTP and FTP just the same. You're not fixing the problem, you're just ruining a completely awesome technology that can be used for good or bad. Just like any other technology.
You think I never downloaded an MP3 or ISO file via HTTP before? I have, and guess what? Stolen music mostly comes in MP3 format and many stolen videos come in ISO format and much stolen software comes in ISO format. Pirated material can be transferred with or without torrents. So, your bias against torrents is just ignorant. It won't solve the problem, however using P2P technology can save companies loads of bandwidth like when Blizzard uses torrents to download updates for their games.
You're really just uneducated and don't know what you're talking about here. You don't understand P2P is a bandwidth saving technology. It's not designed for the purpose of pirated material. Just like HTTP and FTP weren't designed for that either. Pirates just use whatever technology is available to them including the internet. Following your solution to its logical conclusion would mean shutting down the entire internet because as long as it's up, pirates will take advantage of it. If you actually feel that way then please feel free to hit the power button on your computer.
If P2P is necessary for one to do her job, there are plenty of business friendly solutions, but the employee should never be allowed to install anything for any reason.
More work for IT departments? Yes, but the long-term cost savings are worth it.
by getwired March 8, 2009 9:39 PM PDT
The person who installed the software and compromised the document should be brought up on criminal espionage charges. They did not perform the duties of their job, to protect confidential information.