Can peer-to-peer coexist with network security?
Following congressional complaints about sensitive data leaks, P2P software providers are modifying their apps to make them safer for use in enterprises.
Security experts have long cautioned about the risk posed by the use of peer-to-peer file sharing by individuals working in corporations, warning that the practice creates holes that let malware in and sensitive data out.
Their message may be having an impact in the P2P development community.
A trade group representing peer-to-peer file sharing providers next week will publish a report that finds P2P software companies are modifying their programs in an effort to make it harder for users to inadvertently share sensitive information.
For corporate IT administrators, that shift can't come soon enough. The problem was highlighted by the recent news that avionics blueprints of President Obama's helicopter had leaked through a peer-to-peer network used by a defense contractor to an IP (Internet Protocol) address in Iran.
This isn't the first time sensitive data has trickled out via popular file sharing networks. Last summer, personal information of some 1,000 former patients of the Walter Reed Army Medical Center was believed to have been leaked via a peer-to-peer network. Sensitive health care and financial data has also been found on file sharing networks, according to studies from Dartmouth College and P2P network monitoring service provider Tiversa, which also uncovered the leaked presidential helicopter data.
Peer-to-peer use at ABN Amro and Pfizer led to the exposure of personally identifiable information of more than 20,000 consumers in 2007. And then there was the symbolic slap in the face when politicians called P2P networks a potential "national security threat" at a congressional hearing that summer.
Employees: The weak link
The problem, experts say, is that employees are violating corporate policy by using P2P at work or on work laptops to download MP3 files, or they take the work laptop home and their children install file-sharing software on it.
Ninety-three percent of P2P disclosures in the enterprise are inadvertent, said Tiversa Brand Director Scott Harrer. "You can't really guard against human error," he said.
The problem is compounded by the fact that the employees also tend not to be savvy enough to configure the settings so as to protect files they don't want to share from being distributed.
"The default settings tend to err on the side of being more open than more closed," Mark Loveless, a research scientist at technology non-profit Mitre, said on Thursday. This mirrors the security-versus-usability trade-off that software and Web services providers, like Microsoft and Google, often find themselves making.
If the P2P user isn't careful in establishing a shared folder for other users of the file sharing network to access, sensitive files anywhere on the computer can be exposed. For instance, a user can inadvertently open up files in the "My Documents" folder or anywhere in the entire C: drive.
"There are methods to configure the software to only share from a particular directory," said Loveless. "But you're talking about someone who has problems, in many cases, using Microsoft Word or corporate e-mail, apps they've had training on. So I would not expect them to necessarily know how to go about that and correct it."
Beyond having default settings that err on the side of openness and not security, the software is also designed to circumvent firewalls and other attempts to block it, Loveless said.
"P2P programs will use encrypted and sophisticated protocols to be able to talk to the Internet and evade (network monitoring) tools," he said. "They'll use multiple ways to try to get out on the Internet, undetected."
Historically, P2P programs used one specific TCP/IP port for the traffic, but now they can pick a random port to use or they use Port 80, which is used for all kinds of Web traffic, thus thwarting administrator attempts to block P2P traffic by plugging the port, said Sam Hopkins, the co-founder and chief technology officer at Tiversa.
The software also has tricks to get access to files behind firewalls. If a user wants something that is on a computer that is located behind a firewall, the system can communicate behind the scenes to get a third computer to ask the firewall protected computer to send the file out to the seeking user, he said.
And some of the P2P programs can be buggy, particularly software written by young enthusiasts as opposed to paid professionals. Meanwhile, P2P files are being used to spread viruses and other malware to unsuspecting downloaders. For instance, a Trojan circulated on BitTorrent in January in pirated copies of iWorks 09.
There is also malware that can automatically scan a computer and when it finds a media file anywhere on the system it changes the P2P software configuration to share the entire drive the media file is in, Hopkins said.
Minimizing the risk
IT administrators need to have a written policy that specifies whether or not employees are allowed to use file sharing. And they need to use perimeter security software, including firewall and intrusion detection, "to lock down the ports used by P2P or to look for specific P2P network traffic," said Tony Bradley, director of security at Evangelyze Communications, a unified communications software and service provider.
Corporations also might consider encrypting sensitive information and using data loss prevention tools to block data leakage, experts said. And if they want to see if any of their data has found its way onto a P2P network, they can hire Tiversa to probe Gnutella, eDonkey and FastTrack file-sharing networks.
Tiversa probes the networks, searching for specific terms and lets customers know when it finds any data out there specific to that firm and helps pinpoint the source of the leak and stop it.
After lawmakers accused them of being part of the problem nearly two years ago, P2P providers and their trade group--the Distributed Computing Industry Association (DCIA)--formed a working group to figure out ways to minimize the risk for P2P users and their networks. The DCIA prepared a report dated Thursday on the Inadvertent Sharing Protection Compliance that lists guidelines for better protecting P2P users and percentages of its members who are following them.
The latest version of popular file sharing software, released earlier this year, LimeWire 5, includes a number of the suggested changes and served as a "poster child for compliance," said Marty Lafferty, chief executive of the DCIA.
The report shows 100 percent compliance with the guideline that recommends that default settings prohibit the sharing of user-originated files, while 57 percent of the respondents said they were complying with the guideline to offer a simple way for the user to disable the file-sharing functionality.
Other guidelines, with compliance percentages ranging from 29 percent to 71 percent, included requiring users to select individual files within a folder to share rather than sharing the entire folder, requiring the user to take affirmative steps to share sensitive folders and preventing the sharing of a complete network or external drive or user-specific system folder, such as "Documents and Settings." Among the guidelines are requirements for warnings to the user when particular settings might jeopardize security.
"We were concerned about user error in earlier versions of file sharing software where it was easier for users to make those mistakes," Hopkins said. "But a lot has been done to close those loopholes for the new versions."