Think Napster and its file-swapping cousins are only a concern for the music industry? Think again. Peer-to-peer (P2P) file-sharing software poses a considerable threat to IT security. Plus, illegal file swapping could even result in a knock on the door from federal agents or the Recording Industry Association of America (RIAA). Never heard of the RIAA? Well, a Tempe, AZ-based consulting company by the name of Integrated Information Systems probably never did either, until recently.
That company had a dedicated MP3 file server so employees could share music. Sounds like a nice perk to please the high-tech crowd, but it was not a very bright idea. Newsbytes has reported that the RIAA was tipped off to the MP3 file server (and its resulting copyright infringement) last year and Integrated Information Systems just settled all legal claims by paying a $1 million penalty in order to avoid litigation.
Of course, legal and financial penalties and the possibility of prosecution under federal copyright laws are not the only threats posed by these innocent-seeming music files and the related file-sharing software. If you never gave Napster and similar peer-to-peer utilities a second thought, try viewing it this way. Peer-to-peer networks are simply an organized way to give complete strangers your IP address and allow them to share code with your system(s). If that doesn’t give you chills, you're in the wrong profession.
According to a CNET News.com report, a serious vulnerability in Napster exposed users’ IP addresses. Among other things, this means that if people were sharing music from work, the company could be tracked down and possibly prosecuted for copyright violations. If users did this at your company, and you haven’t been contacted by the RIAA yet, that doesn’t mean you won’t be.
Assessing the P2P security risk
Okay, Napster is essentially dead for the moment, but that is just the best-known example of peer-to-peer technology. Many other P2P programs are still in use daily, and many of the Napster security concerns apply to them as well. For example, Gnuman has already seen proof of concept worm attacks such as W32/Gnuman.
Napster and other file-swapping networks such as Gnutella and KaZaA are centrally indexed exchanges. That means that the client software logs on to a server and then allows shared files to be indexed and downloaded by other users of the software, and vise versa. With Napster, the file types were limited to MP3 music files, often copyrighted popular music, which is illegal to share under U.S. Copyright laws. In case you missed the nuances of the legal battles over Napster, there was never any real doubt that sharing the files was a copyright violation. The only battle was over whether Napster itself was doing anything illegal by allowing others to use its system to exchange these files.
When Napster began having legal problems, similar programs, including BearShare, Furi, Gnotella, Limewire, Gnut, and MP3 Rage (commonly known collectively as Gnutella), became increasingly popular—and they can expose companies to the same sort of legal difficulties recently experienced by Integrated Information Systems. KaZaA and Morpheus also formed a popular rival network (until Morpheus recently switched to the Gnutella network).
Ultimately, these new P2P software programs pose a much greater threat than Napster did because they allow users to designate any file folder on a system for sharing files. This might seem safer than simply having all MP3 files on the system indexed and available as they usually were with Napster, but that is definitely not the case because it opens up far more dangerous possibilities.
In an attempt to provide more functionality than Napster, Gnutella, Morpheus, and other P2P software now allow users to share many types of files—essentially, almost anything placed in the designated file folder. Although DOC files are slightly more difficult to share, MP1, MP2, MP3, AVI, MPEG, WAV, and even EXE and ZIP files are supported by the default settings.
Imagine this scenario. A user on your corporate network wants to get a copy of a popular new game. The user decides to download a copy from Morpheus, which another user has uploaded in the form of a ZIP file. (This is a common practice.) The user eats up a bunch of corporate bandwidth by downloading this file. Then, he opens up the ZIP file and runs the Setup.exe program to install the game (on his company machine, mind you). However, the .exe file doesn't invoke a setup routine. Instead, it's a virus that starts propagating itself on your corporate network. Or perhaps it installs the game, but it also secretly installs keystroke capturing software that e-mails keystrokes to hackers. Do those examples sound far-fetched? In fact, they are both very real threats that could easily be perpetrated by a hacker.
Securing against the P2P demons
Some weak security protections are built into these P2P programs, but it should be obvious that there are a number of dangers in allowing this sort of software on your business computers. First, there may well be vulnerabilities in software programs themselves that allow outside users to poke around inside your corporate desktop systems. In fact, CNET News.com recently revealed that KaZaA has been distributing a hidden piece of additional P2P software as part of its standard installation.
Another worry for administrators is that employees could either intentionally or accidentally place sensitive corporate files in their shared file-swapping folders, making them available to anyone around the world. A recent University of Chicago memo warned users to disable peer-to-peer file sharing and listed the following programs as just a sample of the programs to be concerned about. These are links to directions on disabling the file-sharing aspect of these software programs, which would still allow users to illegally download copyrighted material as well as other nefarious software files:
- Audiogalaxy Satellite
- Direct Connect
- Morpheus (Old)
- Morpheus PE (Current)
Keep in mind that P2P networking creates decentralized security administration structures that bypass firewalls. The majority of P2P programs take advantage of port 80 (HTTP). HTTP doesn’t, by itself, provide a way through the average firewall because it normally rejects any attempt to initiate a connection from outside. But most P2P file-sharing utilities make use of a publicly addressable or rendezvous node that already has two-way firewall permission.
When users install file-swapping software, they are essentially becoming network administrators. And few, if any, have the skills or knowledge, let alone permission, to do anything so potentially risky.
Thus, you may want to consider setting up a company policy that prohibits users from installing peer-to-peer software on company systems due to the security risks, legal issues, bandwidth problems, and lost productivity that accompany rampant use of these programs. If you take that step, you'll also want to put some procedures in place for enforcing it by finding ways to locate installations of popular P2P programs on your machines and blocking and/or locating saved MP3s on file servers and local machines.
While peer-to-peer file swapping may provide some harmless fun for home users, many employees are loading file-swapping programs on their corporate machines and are unwittingly connecting their corporate networks to P2P networks that could introduce IT security risks and pose legal problems for businesses.
If you never gave this a second thought before, perhaps the example made of Integrated Information Systems with the million-dollar settlement and threat of prosecution will get your attention. Maybe you can now see the potential dangers that users could introduce to your network by downloading a dangerous .exe file masquerading as a cool new game or MP3 player.
I can see some business uses for these P2P file-sharing networks as long as they are configured by experienced network managers and used for some specific tasks within the company or between the company and outside vendors or clients, but I still consider them a high risk.