WHEN SHARING IS RISKY: P2P
by Fred Wamsley and Marion Kee
Beryllium Sphere, LLC <http://www.berylliumsphere.com/>
[EDITOR'S NOTE: WatchGuard's LiveSecurity Service provides articles on how to keep business computer networks secure. However, it turns out some business people have families. (Who knew?) So occasionally, we address the computer security needs of home users. Feel free to forward this article to individuals you know who could benefit from better understanding the risks of using peer-to-peer file sharing software such as Grokster, Limewire, and BitTorrent. --Scott Pinzon]
---------------------------------------------------------------
For an easier-to-read HTML version of this article, go to: https://www.watchguard.com/archive/ [...] pack=25590
---------------------------------------------------------------
SO YOUR KID WANTS to run a file sharing program with a name like "Morpheus." How safe is it to download a file sharing program and then use it to share files from the Internet? What happens when you install that kind of program on a home network? Why does it matter? Here are some reasons why installing most file sharing programs puts your home network at risk.
WHAT IT MEANS TO BE A SERVER
The file sharing programs most people use are "peer-to-peer" (P2P) programs, which completely change your security situation. Normally you sit behind a firewall, which is (at its simplest) like a one-way valve for connections. The firewall prevents outsiders from starting a conversation with your computer. A peer-to-peer file sharing program actively listens for requests from other computers on a network, and sends files to them. It turns your machine into a computer that receives incoming connections and answers them. That's the definition of a "server."
Servers have special security needs. They need constant maintenance, because they're exposed to everything outside the local network. A server can't hide behind a simple "one-way valve" the way a home machine behind a firewall does, because it has to accept connections from outside. A server at a business like Amazon.com will have a full-time staff of experts to take care of its health and security.
When a file sharing program turns your home computer into a server, here's the problem. P2P programs allow incoming connections in spite of your firewall by forcing you to leave your firewall at least partly open. Some programs make this "easy" for you by jamming the firewall open from the inside. The program may not tell you that it's doing this, but either it's opening the door itself, or it will ask you to open it, and perhaps to leave it open. Then, of course, the program starts sharing some of your files, typically from a "shared folder" you tell the program about.
What P2P means:
* You're a server
* You're running software from strangers
* You're accepting files from strangers.
RUNNING SOFTWARE FROM STRANGERS
At least one famous file sharing program, Kazaa, came with spyware <http://www.watchguard.com/infocenter/editorial/135282.asp> attached. Respected security writer David Piscitello reflects the opinion of many experts when he says, "Public peer-to-peer applications are notorious sources of spyware."
Wonder why anyone would want to track what you click on and what Web pages you visit? The answer is that they get a couple of dollars or more for doing it. Advertisers will pay that much for access to a spyware-infected machine. It's nothing personal -- typically, you'll be a random victim.
Sometimes you can avoid spyware -- excuse us, "adware" -- by upgrading from the free version of a program to a paid version. Sometimes you can turn it off during program installation. Some programs are just plain clean to begin with. When you install new software, usually it presents you with an End User License Agreement. To learn everything that software is doing, read the fine print!
Even legitimate software can cause security problems if it connects to the Internet and has bugs. File sharing software puts you at ongoing risk because it connects to the wild side of the Internet where it typically encounters uncontrolled data. We've seen serious security holes in Grokster, iMesh, and Kazaa that could have allowed bad guys to take over your machine if you'd been running the vulnerable version of these P2P programs.
If you install a P2P program, you also need to know exactly how much of your system you're sharing. Check the file-sharing program's configuration settings to make sure your "shared folder" is where you think it is, and then make sure you don't have anything personal in that folder. In some really embarrassing cases, people have shared the entire contents of their hard disks with everyone on the same P2P network. There have also been bugs that let file sharing programs share more than they were told to share. Oops.
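The "shared folder" check above can be done by hand, but it is easy to miss a stray document. The script below is an added example written for this article, not part of the original and not from any file-sharing program: it audits a folder the way a cautious parent would, warning if the share is a drive root or swallows the whole home directory, and listing any file whose extension looks like a document rather than music or video. The extension list, the folder names and the sample files are assumptions constructed for the example.

```python
import os
import tempfile
from pathlib import Path

# File types that usually hold personal data rather than music or video.
# This set is an assumption for the example; adjust it for your own machine.
PERSONAL_EXTENSIONS = {".doc", ".xls", ".pdf", ".txt", ".pst", ".qbw", ".csv"}


def audit_shared_folder(shared, home=None):
    """Return warnings about what a P2P 'shared folder' would expose.

    shared: the folder the file-sharing program is configured to share.
    home:   the user's home directory (defaults to the current user's).
    """
    shared = Path(shared).resolve()
    home = Path(home).resolve() if home is not None else Path.home().resolve()
    warnings = []
    # Sharing a drive root, or a folder that contains the home directory,
    # is the "entire hard disk" mistake described in the article.
    if shared.parent == shared:
        warnings.append(f"{shared} is a drive root: the whole drive is shared")
    elif shared == home or shared in home.parents:
        warnings.append(f"{shared} contains your home directory: all personal files are shared")
    # Walk the folder (subfolders included) and flag document-like files.
    for root, _dirs, files in os.walk(shared):
        for name in files:
            path = Path(root, name)
            if path.suffix.lower() in PERSONAL_EXTENSIONS:
                warnings.append(f"personal-looking file is shared: {path}")
    return warnings


def demo_audit():
    """Build a constructed folder layout in a temp directory and audit it twice."""
    base = Path(tempfile.mkdtemp())
    home = base / "home"
    shared = home / "Shared"
    shared.mkdir(parents=True)
    (shared / "song.mp3").write_bytes(b"constructed media sample")
    (shared / "taxes-2004.pdf").write_bytes(b"constructed document sample")
    return {
        "shared": audit_shared_folder(shared, home=home),  # a sensible share with one stray document
        "home": audit_shared_folder(home, home=home),      # the mistake: sharing the home directory
    }


if __name__ == "__main__":
    for label, warnings in demo_audit().items():
        print(f"{label}:")
        for warning in warnings:
            print("  -", warning)
```

Run it against the real shared folder by calling `audit_shared_folder("C:/path/to/Shared")`; an empty list means nothing document-like was found, though only the file types in the list are checked.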
ACCEPTING FILES FROM STRANGERS
No matter what file-sharing program you use, do look a gift horse in the mouth when you (or your kids) download files. Four million people may log in to the eDonkey P2P network on a typical day. Not all of them will be nice. Some will upload nasty programs and mislabel them as music or movies. Others may upload a movie file that triggers a security flaw in your media player so they can take over your machine if you play their file. Then the infection could spread to the other machines on your network.
Keep your anti-virus software up to date and it will give you some protection. Anti-spyware software is important, too. We recommend using more than one anti-spyware program. Microsoft is beta-testing an anti-spyware program which is getting good reviews <http://tinyurl.com/47cus>. You can find other free anti-spyware programs listed here <http://hhi.corecom.com/spyware.htm>.
Take the reports from the anti-spyware programs with a grain of salt: some of them freak out over just seeing a P2P application installed, whether or not that particular application is actually a problem. Less obviously, keep checking for updates on the software you use to play the files you get from the Internet.
You can also protect yourself against fake and possibly booby-trapped files by checking a digital fingerprint for the file you're downloading. The software may call this a "hash," a "hash code," a "message digest," or something like "MD4," "MD5," or "SHA1." It's a medium-sized string of letters and numbers computed from the contents of the file, and it's hard to forge. Your file-sharing program should have a feature that allows you to compare the fingerprint of the file you wanted (in the P2P listing) with the fingerprint of the file you just downloaded. If the file you downloaded isn't exactly what it's labeled as being, the fingerprints won't match. Such files should be deleted, not opened.
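Here is what that fingerprint comparison looks like when done by hand, as an added example written for this article rather than a feature of any particular file-sharing program. It guesses the algorithm from the length of the fingerprint in the listing (32 hex characters for MD5, 40 for SHA1, 64 for SHA-256), computes the same fingerprint over the downloaded file a chunk at a time so a large movie doesn't have to fit in memory, and follows the rule above: a file that doesn't match is deleted, not opened. MD4 is left out because not every Python build provides it. The sample content and file names are constructed for the example; the SHA-1 value is the published test vector for the three bytes "abc".

```python
import hashlib
import hmac
import os
import tempfile

# Hex digest length -> algorithm. MD4 is omitted because many hashlib builds
# do not provide it, so listings that show an MD4 value cannot be checked here.
DIGEST_ALGORITHMS = {32: "md5", 40: "sha1", 64: "sha256"}


def fingerprint(path, algorithm, chunk_size=1 << 20):
    """Hex digest of a file, read in 1 MB chunks so a large movie fits in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path, expected_hex):
    """Compare a downloaded file against the fingerprint shown in the P2P listing.

    Returns (matches, actual_hex, algorithm). The algorithm is inferred from
    the length of the expected digest, since listings rarely name it.
    """
    expected_hex = expected_hex.strip().lower()
    algorithm = DIGEST_ALGORITHMS.get(len(expected_hex))
    if algorithm is None:
        raise ValueError(f"unrecognised fingerprint length: {len(expected_hex)} hex characters")
    actual = fingerprint(path, algorithm)
    return hmac.compare_digest(actual, expected_hex), actual, algorithm


def delete_if_mismatched(path, expected_hex):
    """The article's rule: a file whose fingerprint does not match is deleted, not opened."""
    matches, _actual, _algorithm = verify_download(path, expected_hex)
    if not matches:
        os.remove(path)
    return matches


# Constructed sample: the content "abc" and its published SHA-1 test vector.
SAMPLE_CONTENT = b"abc"
SAMPLE_SHA1 = "a9993e364706816aba3e25717850c26c9cd0d89d"


def demo():
    """Write a genuine and a tampered copy to a temp directory and check both."""
    tmpdir = tempfile.mkdtemp()
    genuine = os.path.join(tmpdir, "song.mp3")
    tampered = os.path.join(tmpdir, "song-copy.mp3")
    with open(genuine, "wb") as f:
        f.write(SAMPLE_CONTENT)
    with open(tampered, "wb") as f:
        f.write(SAMPLE_CONTENT + b"\x00")  # one extra byte: a different file under the same label
    matches, actual, algorithm = verify_download(genuine, SAMPLE_SHA1)
    tampered_matches = delete_if_mismatched(tampered, SAMPLE_SHA1)
    return {
        "genuine_matches": matches,
        "genuine_digest": actual,
        "algorithm": algorithm,
        "tampered_matches": tampered_matches,
        "tampered_deleted": not os.path.exists(tampered),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

A single changed byte produces a completely different fingerprint, which is why the check catches mislabeled files even when the size and name look right. The comparison uses `hmac.compare_digest` out of habit; for a file check a plain string comparison would do.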
P2P technology has important, legitimate uses. Independent artists and podcasters use it to distribute their songs and videos. Linux and much more good free software goes out over P2P. But let's face it: if your kids are installing P2P software, the most likely reason is to share their music collection with four million of their closest friends. Copyright law takes a dim view of that. The record companies can't sue every one of the millions of people sharing files, but they are trying to. They're not choosy about their targets. Expect to be out several thousand dollars if they notice you.
You can protect yourself from the copyright police by downloading only from authorized sources like Apple's iTunes Music Store, <http://www.apple.com/itunes/store/> Weed <http://www.weedshare.com/>, or (in the near future) Mashboxx <http://www.mashboxx.com/>. If your kids roll their eyes and say "You don't get it because you don't understand computers," you can tell 'em that Microsoft CEO Steve Ballmer has told his kids to respect copyrights <http://tinyurl.com/7tvu3>.
You could have another problem if you use a cable modem for file sharing. Some cable companies have secret limits on the "unlimited" service they offer. They'll cut you off if you use "too much" bandwidth. They won't tell you how much is too much, but busy file trading seems to hit the secret limits pretty often.
CONCLUSIONS
In the physical world, it's dangerous to do illegal things. Even if you don't get caught, you have to visit bad neighborhoods and deal with bad people. It's the same in the digital world. The safest way to use P2P file sharing software is for the kind of trading that the copyright owner permits, with reputable software -- ideally on a machine you use for nothing else. As always, never start a downloaded program (even if it's labeled "Installer") unless you know exactly what it does.
With a little searching, you can find free or "for donation" legitimate versions of almost anything file sharing programs provide illicitly. So why bother with them? From a security viewpoint, "free" files from a P2P service might cost too much.
-- References and Resources
* The Federal Trade Commission has documents about the risks of file sharing: PDF 1 (806 KB) <http://tinyurl.com/d6awv> and PDF 2 <http://tinyurl.com/cu738>
* Microsoft's anti-spyware program
<http://tinyurl.com/47cus>
* LiveSecurity article: Why bad guys target obscure home users
<http://www.watchguard.com/infocenter/editorial/1719.asp>
* LiveSecurity introduction to spyware
<http://www.watchguard.com/infocenter/editorial/135282.asp>
* Spyware terms defined and explained
<http://www.watchguard.com/infocenter/editorial/15744.asp>
* Learn which programs come with spyware or adware
<http://www.slyck.com/guides.php>
* C|NET story on the current legal status of P2P
<http://tinyurl.com/7oxn6>
-- About the Authors
Beryllium Sphere, LLC <http://www.berylliumsphere.com/> is a Northwest security consultancy which offers independent common-sense solutions for small to medium businesses. Frederick Wamsley, CISSP, comes from a software engineering background (you probably have some of his code on your computer now) and covers technical and non-technical security measures. Marion Kee, the other partner in Beryllium Sphere, has an M.S. degree in computational linguistics from Carnegie Mellon and is an expert on natural language processing and knowledge representation. Beryllium Sphere publishes the Security Mentor <http://www.berylliumsphere.com/security_mentor> newsletter for normal people and The Security Nerd <http://www.berylliumsphere.com/security_nerd> for specialists.
Comments? E-mail 'em to us at: mailto:your.opinion.matters@watchguard.com.
===============================================================
No express or implied warranties are provided for herein. All specifications are subject to change and any expected future products, features or functionality will be provided on an if and when available basis.
---------------------------------------------------------------
Copyright 2005 WatchGuard Technologies, Incorporated. All Rights Reserved. WatchGuard, LiveSecurity, Firebox, and any other word listed as a trademark in the "Terms of Use" portion of the WatchGuard Web site that is used herein, are registered trademarks or trademarks of WatchGuard Technologies, Inc. in the United States and/or other countries. All other trademarks are the property of their respective owners.
You may not modify, reproduce, republish, post, transmit
or distribute this content except as expressly permitted
in writing by WatchGuard Technologies, Inc.
===============================================================