FYI

-----Original Message-----
From: UNIRAS (UK Govt CERT)
Sent: 30 April 2002 11:22
To: Undisclosed Recipients
Subject: UNIRAS Briefing - 121/02 - UNIRAS - Security implications of using peer-to-peer file sharing software

-----BEGIN PGP SIGNED MESSAGE-----

- ----------------------------------------------------------------------------------
UNIRAS (UK Govt CERT) Briefing Notice - 121/02 dated 30.04.02 Time: 11:19
UNIRAS is part of NISCC (National Infrastructure Security Co-ordination Centre)
- ----------------------------------------------------------------------------------
UNIRAS material is also available from its website at www.uniras.gov.uk and
information about NISCC is available from www.niscc.gov.uk
- ----------------------------------------------------------------------------------

Title
=====

Security implications of using peer-to-peer file sharing software

Summary
=======

The security risks of using peer-to-peer (P2P) file sharing software are well documented and have been widely discussed. Recent advances in P2P technology highlight the need for users to be aware of the implications of using such software, and for system administrators and Departmental and Company security officers to ensure that policies and procedures are in place to minimise the risk.

Detail
======

Before the advent of P2P technology, systems for sharing files between computers were largely confined to Local Area Networks (using built-in network software) and the exchange of files with known individuals over the Internet (mainly using the File Transfer Protocol (FTP), or chat networks such as Internet Relay Chat (IRC) or ICQ). P2P applications set up direct communications between computers to share or transfer data, increasing the scope of peer networks dramatically.
By downloading software such as Napster, Gnutella or KaZaA, a user makes the files in specified directories available to all other users who have downloaded the same application, and is able to search for and retrieve files (typically music, video, picture or software) from a potentially enormous network of unknown users.

The potential risks of participating in P2P file sharing networks include the following:

1. Vulnerability to viruses and Trojans contained in the files downloaded onto your computer. The W32/Gnuman worm, which appeared in February 2001, illustrated the potential for virus writers to take advantage of P2P networks. The worm was an executable file with a name that matched key words used in a search, making users believe the file contained the desired content. Once downloaded and run, the worm attempted to spread itself to other Gnutella users, but fortunately Gnuman was a concept virus and did not carry any destructive payload.

2. Denial of service - either with malicious intent, or due to unforeseen flaws in the software. The P2P application may be incompatible with software or hardware used on a network, causing an unintended denial of service, or it may contain security flaws that could provide attackers with ways to crash computers or access confidential information.

3. Loss of control over what data is shared outside an organisation. When a user launches a P2P file sharing application, they are also able to share information on any of their local or network-accessible disk drives with people outside the organisation. It is possible for a user to misconfigure their client so that files which should have restricted access become available to anyone running the same P2P software.

4. Bandwidth problems. In addition to the demands placed on the network by the size of the rich media and audio/video files that are shared, there may be unforeseen problems due to other aspects of the functionality of P2P applications.
Remediation
===========

We strongly recommend that P2P file sharing applications are not used, and that written policies regarding P2P software usage are in place. Policies determining what applications can and cannot be installed on desktop PCs, and defining acceptable uses for corporate computers, should include mention of P2P file sharing applications. Given the popularity and growing use of these applications, it is all the more important that system administrators and Departmental and Company security officers review their policies, and ensure that users are educated about the reasons for these policies and the potential risks of using this software.

If it is nevertheless suspected that P2P applications are being used on a network, then the ports which these applications use should be blocked by the firewall on the network perimeter. A list of potential TCP and UDP ports which should be blocked is as follows:

KaZaA (1214, 1285, 1299, 1331, 1337, 3135, 3136 and 3137)
Napster (6699, 8875, 8876, 8888)
Gnutella (6346, 6347)
WinMX Windows client for Napster (6257, 6699)

NB. This list is intended to be indicative rather than comprehensive. The reasons for this are that services may be bound to different ports and a large number of P2P applications exist. It is strongly recommended that ports are only opened on your firewall if you have a business need for a particular network service and are aware of the security implications of running that service.

The detection and prevention of P2P application use is a very complex issue. P2P products are designed to work in most environments, whether home, small business or enterprise, and as a result they have a number of features that can defeat existing security measures such as firewalls. Activity on the above ports, trace route activity originating from your internal network and/or high CPU usage on your computers may well indicate the presence of P2P applications on your computer network.
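The port-based detection indicator above, turned into a small log check. This is an added example and not part of the UNIRAS briefing; it assumes a simplified perimeter-firewall log format (described in the comments), treats only 10/8 as the internal address range, and uses the briefing's own indicative port list, so it inherits that list's caveat: clients bound to other ports, and other P2P applications, will not be seen.

```python
import re
from collections import defaultdict

# Indicative port list from the briefing; not comprehensive, since clients can
# be bound to other ports and many other P2P applications exist.
P2P_PORTS = {
    "KaZaA": {1214, 1285, 1299, 1331, 1337, 3135, 3136, 3137},
    "Napster": {6699, 8875, 8876, 8888},
    "Gnutella": {6346, 6347},
    "WinMX": {6257, 6699},
}
PORT_TO_APPS = defaultdict(set)
for app, ports in P2P_PORTS.items():
    for port in ports:
        PORT_TO_APPS[port].add(app)

# Assumed (simplified) perimeter-firewall log line:
#   "<timestamp> <action> <TCP|UDP> <src_ip>:<src_port> -> <dst_ip>:<dst_port>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<action>\w+) (?P<proto>TCP|UDP) "
                    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$")

def parse_line(line):
    """Return the log fields as a dict, or None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    return None if m is None else m.groupdict()

def is_internal(ip):
    # Only 10/8 is treated as internal here; extend for your own address plan.
    return ip.startswith("10.")

def find_p2p_activity(lines):
    """Map each internal host to the P2P applications whose ports it reached."""
    hits = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_internal(rec["src"]) or is_internal(rec["dst"]):
            continue  # unparsable, inbound, or purely internal traffic
        apps = PORT_TO_APPS.get(int(rec["dport"]))
        if apps:
            hits[rec["src"]].update(apps)
    return dict(hits)

# Constructed sample log lines, not real traffic.
SAMPLE_LOG = [
    "2002-04-30T11:00:01 ACCEPT TCP 10.1.2.3:32001 -> 198.51.100.7:1214",
    "2002-04-30T11:00:02 ACCEPT TCP 10.1.2.3:32002 -> 198.51.100.9:80",
    "2002-04-30T11:00:03 ACCEPT TCP 10.1.2.4:32010 -> 203.0.113.5:6346",
    "2002-04-30T11:00:04 ACCEPT UDP 10.1.2.5:32020 -> 203.0.113.8:6699",
    "2002-04-30T11:00:05 ACCEPT TCP 198.51.100.7:1214 -> 10.1.2.3:32001",
]
```

A hit on a shared port such as 6699 is reported against every application that uses it, which is why the result is a set of candidate applications per host rather than a single verdict.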
Further advice on detecting the unauthorised use of such software, and on minimising potential risks, is contained in the references below.

P2P or not to P2P (http://www.infosecuritymag.com/articles/february01/cover.shtml)
Peer-to-peer Networking security (http://www.networkmagazine.com/article/NMG20020206S0005)
P2P taps the Enterprise (http://www.networkcomputing.com/1306/1306ws1.html)
P2P Networking Portal (http://cnscenter.future.co.kr/hot-topic/p2p.html)

- ----------------------------------------------------------------------------------
For additional information or assistance, please contact the HELP Desk by telephone or, for Not Protectively Marked information, via EMail to:

uniras@private
Tel: 020 7821 1330 Ext 4511
Fax: 020 7821 1686
- ----------------------------------------------------------------------------------

Reference to any specific commercial product, process, or service by trade name, trademark, manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favouring by UNIRAS or NISCC. The views and opinions of authors expressed within this notice shall not be used for advertising or product endorsement purposes. Neither UNIRAS nor NISCC shall accept responsibility for any errors or omissions contained within this briefing notice. In particular, they shall not be liable for any loss or damage whatsoever arising from or in connection with the usage of information contained within this notice.

UNIRAS is a member of the Forum of Incident Response and Security Teams (FIRST) and has contacts with other international Incident Response Teams (IRTs) in order to foster cooperation and coordination in incident prevention, to prompt rapid reaction to incidents, and to promote information sharing amongst its members and the community at large.
- ----------------------------------------------------------------------------------
<End of UNIRAS Briefing>

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>

iQCVAwUBPM5va4pao72zK539AQFRdgP/WtKegqt8FLgJ7PbWOy1VaYheI/MH/92s
p7i6k5FYm2UIBadA0qPNdUnyZOLv/zd7/fSi00zEXwkPmhfFmBUpMrkc2+pHdZXu
MebBUy+tP9AvTMs3P+edeKSJu/E7/fIvDg5Usdo0jOsHbf2A3qsILDCdfufIG6eX
0qSt/nXIqu0=
=Sw3C
-----END PGP SIGNATURE-----
This archive was generated by hypermail 2b30 : Sun May 26 2002 - 11:42:44 PDT