3/14/2008
05:44 AM

Tech Insight: De-Fanging P2P

Peer-to-peer has gotten a bad rap, but there are ways to secure its legitimate use in your organization

The dangers of peer-to-peer (P2P) file-sharing have been expounded upon countless times since Napster first made headlines. If the issues of copyright violation and threats of lawsuits weren’t enough of a deterrent or reason to be more cautious about what was being downloaded and shared, P2P users then started getting duped into downloading what they thought was the latest Top 40 song -- only to have malware infect their computers. Sounds bad, right? Add a sprinkling of vulnerabilities in P2P software and the situation becomes downright scary for the average user.

While many corporate networks have taken a firm stance on P2P technologies and enacted policies and technical controls to block them entirely, there are still a large number of networks where P2P users are allowed to roam free. Shocking, but true. At the university where I work as a security professional, which has a large focus on research, there has always been a large push from researchers and faculty to have “academic freedom” when it comes to the network.

Philosophy aside, P2P isn’t inherently bad and has legitimate uses. Vance Ikezoye, CEO of Audible Magic, which makes the CopySense P2P network monitoring appliance, agrees. He says the issue is that there’s a large amount of copyrighted content being transmitted over the same P2P networks as legitimate traffic. As with most anything, there will be those who choose to abuse technology for their own ends, but that shouldn’t stop P2P from being used for legit things like moving Linux distributions, updates to software (such as the World of Warcraft Downloader), and the virtual machine from ShmooCon’s "Hack or Halo" contest.

Opponents of P2P have a variety of reasons for banning it, but it’s mainly about three issues: the negative impact to bandwidth, legal liability of allowing users to share copyrighted content, and the potential exposure of sensitive information. Those issues certainly have merit, but the risks associated with each one can be mitigated in order to allow legitimate use to continue.

Decreased network performance is the most noticeable issue of the three, because it has a negative impact on normal business traffic (and everyone notices when the network slows down). As a member of several higher-education mailing lists, I’ve seen a common trend of universities successfully handling the bandwidth issue by limiting the traffic with packet shaping solutions like the Packeteer PacketShaper or Allot NetEnforcer. While packet shaping to limit the bandwidth P2P protocols use doesn’t directly deal with the legal issues or data exposure, it can help organizations manage that traffic at a more easily monitored load.

The legal liabilities associated with allowing users on your network to share copyrighted material (whether you know they’re doing it or not) are not clear, as the lawsuits from the RIAA thus far have primarily focused on the user responsible for the sharing. But there’s always the chance that the network owner could become a target of a lawsuit for allowing the behavior. Last month, the College Opportunity and Affordability Act (COAA), which requires higher-education institutions to filter P2P network traffic and provide a legal alternative to P2P-sharing of copyrighted content, passed through the House of Representatives.

One alternative to filtering P2P traffic entirely is to monitor and block just the traffic identified as being copyrighted, which is what the folks at Audible Magic say their CopySense network appliance is designed to do. Audible Magic’s Ikezoye says the CopySense appliance doesn’t block all copyrighted content, but because copyright holders must register their content with Audible Magic first, it does cover the majority of popular copyrighted content that's being shared today.

The most damaging threat of P2P is the data leakage that could result from P2P users misconfiguring their clients to share out their entire hard drives. It doesn’t even have to be an error on the user’s part. Chris Gormley, COO of Tiversa, says his company has seen numerous examples of malware on P2P networks disguised as interesting content that tricks users into running it. Then unbeknownst to the victim, the malware changes his or her sharing preferences.

Tiversa handles sensitive data leakage by monitoring P2P networks for content on behalf of its customers and notifying them if it spots their sensitive data. Then the client can address the leak more quickly.

Data leakage prevention (DLP) technology would seem to be a good fit to prevent P2P leakage, but Gormley says that most of the time, the surprise leaks organizations suffer come from the weakest link in the information custody chain: "Corporations have to think outside the perimeter because P2P is very liquid. Fifty to 60 percent of the exposures they uncover are through third parties like accountants, medical transcription companies, consultants, and attorneys." It’s the impact of what Tiversa calls the "extended enterprise" that can’t be controlled by today’s DLP solutions.

In a perfect world where a security professional’s coffee cup is never empty and users never click on naughty URLs, P2P isn’t an issue. It’s blocked, so users never know what P2P was to begin with, and they don’t know what they’re missing. But for the rest of us who can’t block it due to legitimate usage or organizational philosophy, we must take steps to mitigate the associated risks. That means going beyond simple corporate policies telling users what they should and shouldn’t do. Thankfully, there are technical solutions to help enforce those policies.
