The accidental disclosure of a House ethics investigation has kicked up quite a fuss on Capitol Hill, as it turns out that more than 30 congressmen and aides are under investigation. But after committee chairman Zoe Lofgren (D-Calif.) disclosed the breach on the House floor late Thursday, her colleague, Rep. Jo Bonner (Ala.), the committee's ranking Republican, spoke next, telling fellow members that the breach was an isolated incident.
Not exactly.
In February, a company that monitors P2P networks said that it had found blueprints and avionics data for the president's helicopter, Marine One, on a computer in Tehran. An investigation later found that a third-party defense contractor with access to that data was using a computer that also had P2P file-sharing software on its hard drive...
Read more of "File Sharing's Mysteries Again Stump Uncle Sam" on CBSNews.com.
In response to the reopening of an investigation into inadvertent file sharing with peer-to-peer software, an executive for Lime Wire told Congress in a letter on Friday that the new version of the program is "the most secure file-sharing software available."
The main investigative committee in the U.S. House of Representatives reopened a probe of Lime Wire and other peer-to-peer file-sharing companies last week, citing data breaches blamed on the technology.
In February, a security firm alleged that information about President Obama's helicopter had leaked over a P2P network. There have also been reports of inadvertent exposure of consumer financial data and medical records over peer-to-peer, according to the Committee on Oversight and Government Reform.
In a letter sent Friday to the Committee and congressional members, Mark Gorton, the chairman of Lime Wire parent Lime Group, said LimeWire 5, released on December 8, was designed to eliminate inadvertent file sharing in response to privacy concerns.
LimeWire 5 by default does not share documents, it automatically un-shares documents a user may have shared using an older version of the software, and by default will not share documents regardless of whether they exist in a folder that has been shared or whether a user shared the document in an older version, said Gorton's letter, a copy of which was obtained by CNET News.
"In short, there is absolutely no way to access a LimeWire 5 user's documents unless that user affirmatively elects to make them available," he wrote. "LimeWire 5 does not share any file of any type without explicit permission from the user."
Meanwhile, the company has no specific information about the reports of data breaches that the Committee had mentioned, Gorton said.
The Committee initially launched its probe into inadvertent file-sharing with P2P in mid-2007 and had called Gorton and others to testify.
Meanwhile, another congressional subcommittee is planning to hold a hearing on P2P technology. The House Energy and Commerce Committee's Subcommittee on Commerce, Trade and Consumer Protection has scheduled a hearing for Monday at 2 p.m. EDT on the "Informed P2P User Act," introduced by California Rep. Mary Bono Mack, a Republican, her office said.
Scheduled to testify at the hearing are the Federal Trade Commission, the Business Software Alliance, the Center for Democracy & Technology, the Electronic Privacy Information Center, the Distributed Computing Industry Association, Tiversa, and the Progress and Freedom Foundation.
Lime Group's letter assures Congress that its new peer-to-peer software eliminates inadvertent file-sharing.
(Credit: Lime Group)
Security experts have long cautioned about the risk posed by the use of peer-to-peer file sharing by individuals working in corporations, warning that the practice creates holes that let malware in and sensitive data out.
Their message may be having an impact in the P2P development community.
A trade group representing peer-to-peer file sharing providers next week will publish a report that finds P2P software companies are modifying their programs in an effort to make it harder for users to inadvertently share sensitive information.
For corporate IT administrators, that shift can't come soon enough. The problem was highlighted by the recent news that avionics blueprints of President Obama's helicopter had leaked through a peer-to-peer network used by a defense contractor to an IP (Internet Protocol) address in Iran.
This isn't the first time sensitive data has trickled out via popular file sharing networks. Last summer, personal information of some 1,000 former patients of the Walter Reed Army Medical Center was believed to have been leaked via a peer-to-peer network. Sensitive health care and financial data has also been found on file sharing networks, according to studies from Dartmouth College and P2P network monitoring service provider Tiversa, which also uncovered the leaked presidential helicopter data.
Peer-to-peer use at ABN Amro and Pfizer led to the exposure of personally identifiable information of more than 20,000 consumers in 2007. And then there was the symbolic slap in the face when politicians called P2P networks a potential "national security threat" at a congressional hearing that summer.
This screenshot illustrates how a peer-to-peer file sharing network works.
(Credit: Tiversa)
Employees: The weak link
The problem, experts say, is that employees are violating corporate policy by using P2P at work or on work laptops to download MP3 files, or they take the work laptop home and their children install file-sharing software on it.
Ninety-three percent of P2P disclosures in the enterprise are inadvertent, said Tiversa Brand Director Scott Harrer. "You can't really guard against human error," he said.
The problem is compounded by the fact that the employees also tend not to be savvy enough to configure the settings so as to protect files they don't want to share from being distributed.
"The default settings tend to err on the side of being more open than more closed," Mark Loveless, a research scientist at technology non-profit Mitre, said on Thursday. This mirrors the security-versus-usability trade-off that software and Web services providers, like Microsoft and Google, often find themselves making.
If the P2P user isn't careful in establishing a shared folder for other users of the file sharing network to access, sensitive files anywhere on the computer can be exposed. For instance, a user can inadvertently open up files in the "My Documents" folder or anywhere in the entire C: drive.
"There are methods to configure the software to only share from a particular directory," said Loveless. "But you're talking about someone who has problems, in many cases, using Microsoft Word or corporate e-mail, apps they've had training on. So I would not expect them to necessarily know how to go about that and correct it."
Beyond having default settings that err on the side of openness and not security, the software is also designed to circumvent firewalls and other attempts to block it, Loveless said.
"P2P programs will use encrypted and sophisticated protocols to be able to talk to the Internet and evade (network monitoring) tools," he said. "They'll use multiple ways to try to get out on the Internet, undetected."
Historically, P2P programs used one specific TCP/IP port for the traffic, but now they can pick a random port to use or they use Port 80, which is used for all kinds of Web traffic, thus thwarting administrator attempts to block P2P traffic by plugging the port, said Sam Hopkins, the co-founder and chief technology officer at Tiversa.
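Because the clients described above hop to random ports or hide on port 80, a port-based block is only a speed bump; an intrusion detection system has to recognise the protocol from the first bytes of the session instead. The following is an added example, not code from the article, from Tiversa or from any P2P client: it classifies TCP flows by the documented handshake prefixes of Gnutella, BitTorrent and eDonkey and compares what a port blocklist catches with what a payload fingerprint catches. The flows, addresses and the Gnutella URN are constructed for illustration.

```python
"""Payload-based P2P detection that does not depend on the destination port."""
import struct

# Documented session fingerprints (first bytes a client sends).
GNUTELLA_PREFIXES = (b"GNUTELLA CONNECT/", b"GNUTELLA/0.6 ")
GNUTELLA_HTTP_MARKERS = (b"/uri-res/N2R?urn:sha1:", b"X-Gnutella-")  # Gnutella file transfers ride on HTTP
BITTORRENT_HANDSHAKE = b"\x13BitTorrent protocol"
EDONKEY_PROTOCOL_IDS = {0xE3, 0xC5, 0xD4}   # eDonkey, eMule extended, compressed


def classify_flow(payload: bytes) -> str:
    """Return the protocol name for the first bytes of a TCP stream."""
    if payload.startswith(GNUTELLA_PREFIXES):
        return "gnutella"
    if payload.startswith(BITTORRENT_HANDSHAKE):
        return "bittorrent"
    # eDonkey frame: protocol-id byte, then a little-endian 32-bit body length.
    if len(payload) >= 5 and payload[0] in EDONKEY_PROTOCOL_IDS:
        (body_len,) = struct.unpack("<I", payload[1:5])
        if body_len == len(payload) - 5:
            return "edonkey"
    if payload.startswith((b"GET ", b"POST ", b"HEAD ")):
        # Plain HTTP on port 80 and a Gnutella download request look alike
        # until you inspect the request line and headers.
        if any(marker in payload for marker in GNUTELLA_HTTP_MARKERS):
            return "gnutella"
        return "http"
    return "unknown"


def port_based_hits(flows, blocked_ports):
    """What a firewall rule that only plugs well-known P2P ports would see."""
    return [f for f in flows if f["dst_port"] in blocked_ports]


def signature_based_hits(flows):
    """What payload inspection sees, regardless of port."""
    hits = []
    for f in flows:
        proto = classify_flow(f["payload"])
        if proto in ("gnutella", "bittorrent", "edonkey"):
            hits.append({**f, "protocol": proto})
    return hits


def _edonkey_hello() -> bytes:
    body = b"\x01" + b"\x00" * 16          # OP_HELLO opcode plus a dummy client hash
    return b"\xe3" + struct.pack("<I", len(body)) + body


# Constructed sample flows: one real web request and four P2P sessions, two of
# them on ports a port-based rule would never block.
SAMPLE_FLOWS = [
    {"src": "10.0.0.5",  "dst_port": 80,    "payload": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"},
    {"src": "10.0.0.7",  "dst_port": 6346,  "payload": b"GNUTELLA CONNECT/0.6\r\nUser-Agent: LimeWire/4.18\r\n\r\n"},
    {"src": "10.0.0.7",  "dst_port": 80,    "payload": b"GNUTELLA CONNECT/0.6\r\nUser-Agent: LimeWire/4.18\r\n\r\n"},
    {"src": "10.0.0.9",  "dst_port": 80,    "payload": b"GET /uri-res/N2R?urn:sha1:PLWPRC3VSG7VCUVVA5YOC3I2O2X6S3X4 HTTP/1.1\r\nHost: 192.0.2.1\r\n\r\n"},
    {"src": "10.0.0.11", "dst_port": 51413, "payload": BITTORRENT_HANDSHAKE + b"\x00" * 8 + b"\x11" * 20 + b"\x22" * 20},
    {"src": "10.0.0.13", "dst_port": 4662,  "payload": _edonkey_hello()},
]

if __name__ == "__main__":
    print("port blocklist caught :", len(port_based_hits(SAMPLE_FLOWS, {6346, 4662})))
    print("payload signatures    :", len(signature_based_hits(SAMPLE_FLOWS)))
```

On the sample, plugging the historical default ports (6346 for Gnutella, 4662 for eDonkey) catches two of the five P2P sessions; the payload check catches all five and leaves the genuine web request alone. Clients that encrypt the session, as the article's sources note some do, defeat these fingerprints; for those you fall back to behavioural signals such as one host opening many outbound connections on varied ports to residential address ranges.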
The software also has tricks to get access to files behind firewalls. If a user wants something that is on a computer behind a firewall that blocks inbound connections, the system can communicate behind the scenes to get a third computer, one the firewalled machine is already connected to, to ask that computer to open an outbound connection and send the file out to the seeking user, he said.
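The practical consequence of that relay trick is that a firewall which only denies inbound connections does nothing to stop the file leaving. The toy model below is an added example, not the article's or any client's code: it plays out the three-party push described above against a deny-inbound firewall, then against a firewall that also filters the protocol on egress. Node names, the file name and the firewall policies are constructed.

```python
"""Why a deny-inbound firewall does not stop a P2P 'push' transfer."""
from dataclasses import dataclass, field


@dataclass
class Firewall:
    allow_inbound: bool = False                        # typical corporate default
    blocked_egress: set = field(default_factory=set)   # protocols denied outbound

    def permits(self, direction: str, protocol: str) -> bool:
        if direction == "inbound":
            return self.allow_inbound
        return protocol not in self.blocked_egress


@dataclass
class Node:
    name: str
    firewall: Firewall
    files: dict = field(default_factory=dict)   # file index -> file name
    log: list = field(default_factory=list)


def direct_download(requester: Node, host: Node, index: int):
    """Requester connects *to* the host; fails when the host blocks inbound."""
    if not host.firewall.permits("inbound", "gnutella"):
        requester.log.append(f"connect to {host.name}: refused (inbound blocked)")
        return None
    return host.files.get(index)


def push_download(requester: Node, relay: Node, host: Node, index: int):
    """Requester sends a PUSH through a relay the host already talks to.

    The PUSH travels over the host's *existing outbound* session to the relay,
    so the host's inbound policy never sees it.  The host then opens a new
    outbound connection to the requester and delivers the file itself.
    """
    relay.log.append(f"PUSH for {host.name} index {index}: forwarded to host")
    if not host.firewall.permits("outbound", "gnutella"):
        host.log.append("outbound delivery refused by egress policy")
        return None
    requester.log.append(f"inbound delivery of index {index} from {host.name}")
    return host.files.get(index)


def run_scenarios():
    """Return (direct, push, push_with_egress_filtering) outcomes."""
    corp_fw = Firewall(allow_inbound=False)
    host = Node("corporate-laptop", corp_fw, {7: "internal-design.pdf"})
    relay = Node("ultrapeer", Firewall(allow_inbound=True))
    requester = Node("external-peer", Firewall(allow_inbound=True))

    direct = direct_download(requester, host, 7)          # None: inbound blocked
    pushed = push_download(requester, relay, host, 7)      # file leaves anyway
    corp_fw.blocked_egress.add("gnutella")                 # now filter the protocol outbound
    hardened = push_download(requester, relay, host, 7)    # None again
    return direct, pushed, hardened


if __name__ == "__main__":
    print(run_scenarios())
```

The second scenario is the one that matters for the leaks the article describes: the contractor's machine never accepted a connection, it made one. Blocking the protocol outbound, which requires recognising it rather than just its historical port, is what closes that path.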
And some of the P2P programs can be buggy, particularly software written by young enthusiasts as opposed to paid professionals. Meanwhile, P2P files are being used to spread viruses and other malware to unsuspecting downloaders. For instance, a Trojan circulated on BitTorrent in January in pirated copies of iWork '09.
There is also malware that can automatically scan a computer and when it finds a media file anywhere on the system it changes the P2P software configuration to share the entire drive the media file is in, Hopkins said.
Minimizing the risk
IT administrators need to have a written policy that specifies whether or not employees are allowed to use file sharing. And they need to use perimeter security software, including firewall and intrusion detection, "to lock down the ports used by P2P or to look for specific P2P network traffic," said Tony Bradley, director of security at Evangelyze Communications, a unified communications software and service provider.
Corporations also might consider encrypting sensitive information and using data loss prevention tools to block data leakage, experts said. And if they want to see if any of their data has found its way onto a P2P network, they can hire Tiversa to probe Gnutella, eDonkey and FastTrack file-sharing networks.
Tiversa probes the networks, searching for specific terms and lets customers know when it finds any data out there specific to that firm and helps pinpoint the source of the leak and stop it.
After lawmakers accused them of being part of the problem nearly two years ago, P2P providers and their trade group--the Distributed Computing Industry Association (DCIA)--formed a working group to figure out ways to minimize the risk for P2P users and their networks. The DCIA prepared a report dated Thursday on Inadvertent Sharing Protection compliance that lists guidelines for better protecting P2P users and the percentages of its members who are following them.
LimeWire 5, the latest version of the popular file sharing software, released earlier this year, includes a number of the suggested changes and served as a "poster child for compliance," said Marty Lafferty, chief executive of the DCIA.
The report shows 100 percent compliance with the guideline that recommends that default settings prohibit the sharing of user-originated files, while 57 percent of the respondents said they were complying with the guideline to offer a simple way for the user to disable the file-sharing functionality.
Other guidelines, with compliance percentages ranging from 29 percent to 71 percent, included requiring users to select individual files within a folder to share rather than sharing the entire folder, requiring the user to take affirmative steps to share sensitive folders and preventing the sharing of a complete network or external drive or user-specific system folder, such as "Documents and Settings." Among the guidelines are requirements for warnings to the user when particular settings might jeopardize security.
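The guidelines above, together with the earlier points about users exposing "My Documents" or the whole C: drive and about malware that reconfigures a client to share an entire drive, boil down to a small set of checks an administrator can run against a client's shared-folder list. The following is an added example, not code from LimeWire or the DCIA: it classifies each shared path as a whole drive, a network or external drive, a user-profile root, or a sensitive profile subfolder that should only be shared file by file. The path rules, the removable-drive letters and the sample share list are constructed.

```python
"""Audit a P2P client's shared-folder list against inadvertent-sharing guidelines."""
import ntpath
import re

_UNC_PATH = re.compile(r"^\\\\[^\\]+\\[^\\]+")     # \\server\share[\...]
_DRIVE_ROOT = re.compile(r"^[a-z]:\\?$")           # C: or C:\
_PROFILE_ROOTS = {("c:", "users"), ("c:", "documents and settings")}
_SENSITIVE = {"my documents", "documents", "desktop", "downloads",
              "appdata", "application data", "local settings"}


def classify_share(path: str, removable_drives=("e:", "f:")) -> str:
    """Return a risk class for one shared path (Windows-style paths).

    removable_drives is an assumption for the example; a real audit would
    read the drive type from the system.
    """
    p = ntpath.normpath(path.strip()).lower()
    if _UNC_PATH.match(p):
        return "network_share"
    if _DRIVE_ROOT.match(p):
        return "drive_root"            # what drive-sharing malware configures
    parts = p.rstrip("\\").split("\\")
    if parts[0] in removable_drives:
        return "external_drive"
    if tuple(parts[:2]) in _PROFILE_ROOTS:
        if len(parts) <= 3:            # C:\Users or C:\Users\<name>
            return "profile_root"
        if parts[3] in _SENSITIVE:     # C:\Users\<name>\Documents[\...]
            return "sensitive_folder"
    return "ok"


def audit_shares(shared_paths):
    """Return [(path, risk_class)] for every share that violates the guidelines."""
    violations = []
    for path in shared_paths:
        risk = classify_share(path)
        if risk != "ok":
            violations.append((path, risk))
    return violations


# Constructed sample: what an audit might read from a client's configuration.
SAMPLE_SHARES = [
    "C:\\Users\\alice\\Music\\Shared",        # fine: a purpose-made folder
    "C:\\Users\\alice\\Documents",            # sensitive: needs per-file selection
    "C:\\Documents and Settings\\alice",      # user-profile root
    "D:\\",                                   # whole drive
    "\\\\fileserver\\engineering",            # network share
    "E:\\photos",                             # external drive
]

if __name__ == "__main__":
    for path, risk in audit_shares(SAMPLE_SHARES):
        print(f"{risk:16} {path}")
```

Run against a client's saved configuration, the audit turns the guidelines into something enforceable: a share that resolves to a drive root or a profile root is a misconfiguration whether a user or a piece of malware put it there.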
"We were concerned about user error in earlier versions of file sharing software where it was easier for users to make those mistakes," Hopkins said. "But a lot has been done to close those loopholes for the new versions."
President Obama's first flight in Marine One.
(Credit: White House)
An Internet security company claims that Iran has taken advantage of a computer security breach to obtain engineering and communications information about Marine One, President Barack Obama's helicopter, according to a report by WPXI, NBC's affiliate in Pittsburgh.
Tiversa, headquartered in Cranberry Township, Pa., reportedly discovered a security breach that led to the transfer of military information to an Iranian IP address, according to WPXI. The information is said to include planned engineering upgrades, avionic schematics, and computer network information.
The channel quoted the company's CEO, Bob Boback, who said Tiversa found a file containing the entire blueprints and avionics package for Marine One.
"What appears to be a defense contractor in Bethesda, Md., had a file-sharing program on one of their systems that also contained highly sensitive blueprints for Marine One," Boback told WPXI.
Tiversa makes products that monitor the sharing of files online. A representative for the company was not immediately available for comment.
Boback believes that the files probably were transferred through a peer-to-peer file-sharing network such as LimeWire or BearShare, then compromised.