CRIME UNIRAS Briefing - 121/02 - UNIRAS - Security implications of using peer-to-peer file sharing software

From: Wanja Eric Naef [IWS] (w.naef@private)
Date: Tue Apr 30 2002 - 03:31:15 PDT


    FYI
    
    -----Original Message-----
    From: UNIRAS (UK Govt CERT)
    Sent: 30 April 2002 11:22
    To: Undisclosed Recipients
    Subject: UNIRAS Briefing - 121/02 - UNIRAS - Security implications of using peer-to-peer file sharing software
    
    
    
    -----BEGIN PGP SIGNED MESSAGE-----
    
    ----------------------------------------------------------------------------------
       UNIRAS (UK Govt CERT) Briefing Notice - 121/02 dated 30.04.02  Time: 11:19
       UNIRAS is part of NISCC (National Infrastructure Security Co-ordination Centre)
    ----------------------------------------------------------------------------------
       UNIRAS material is also available from its website at www.uniras.gov.uk and
       Information about NISCC is available from www.niscc.gov.uk
    ----------------------------------------------------------------------------------
    
    Title
    =====
    
    Security implications of using peer-to-peer file sharing software
    
    Summary
    =======
    
    The security risks of using peer-to-peer (P2P) file sharing software are well documented, and have been widely discussed. Recent advances in P2P technology highlight the need for users to be aware of the implications of using such software, and for system administrators and Departmental and Company security officers to ensure that policies and procedures are in place to minimise the risk.
    
    Detail
    ======
    
    Before the advent of P2P technology, systems for sharing files between computers were largely confined to Local Area Networks (using built-in network software) and exchange of files with known individuals over the Internet (mainly using File Transfer Protocol, FTP, or chat networks such as Internet Relay Chat (IRC) or ICQ). P2P applications set up direct communications between computers to share or transfer data, increasing the scope of peer networks dramatically. By downloading software such as Napster, Gnutella or KaZaA, a user makes the files in specified directories available to all other users who have downloaded the same application, and is able to search for and retrieve files (typically music, video, picture or software) from a potentially enormous network of unknown users.
    
    The potential risks of participating in P2P file sharing networks include the following:
    
    1. Vulnerability to viruses and Trojans contained in the files downloaded onto your computer. The W32/Gnuman worm, which appeared in February 2001, illustrated the potential for virus writers to take advantage of P2P networks. The worm was an executable file with a name that matched key words used in a search, making users believe the file contained desired content. Once downloaded and run, the worm attempted to spread itself to other Gnutella users, but fortunately Gnuman was a concept virus and did not carry any destructive payload.
    
    2. Denial of service - either with malicious intent, or due to unforeseen flaws in the software. The P2P application may be incompatible with software or hardware used on a network, causing an unintended denial of service, or it may contain security flaws that could provide attackers with ways to crash computers or access confidential information.
    
    3. Loss of control over what data is shared outside an organisation. When a user launches a P2P file sharing application, they are also able to share information on any of their local or network accessible disk drives with people outside of the organisation. It is possible for a user to misconfigure their client, so that files which should have restricted access become available to anyone sharing the same P2P software.
    
    4. Bandwidth problems. In addition to the demands on the network that may be posed by the size of the rich media and audio video files that are shared, there may be unforeseen problems due to other aspects of the functionality of P2P applications.
    
    Remediation
    ===========
    
    We strongly recommend that P2P file sharing applications are not used, and that written policies regarding P2P software usage are in place. Policies determining what applications can and cannot be installed on desktop PCs, and defining acceptable uses for corporate computers, should include mention of P2P file sharing applications. Given the popularity and growing use of these applications, it is all the more important that system administrators and Departmental and Company security officers review their policies, and ensure that users are educated about the reasons for these policies, and the potential risks of using this software.
    
    If it is nevertheless suspected that P2P applications are being used on a network, then the ports which these applications use should be blocked by the firewall on the network perimeter. A list of potential TCP and UDP ports which should be blocked is as follows:
    
    KaZaA (1214, 1285, 1299, 1331, 1337, 3135, 3136 and 3137)
    Napster (6699, 8875, 8876, 8888)
    Gnutella (6346, 6347)
    WinMX Windows client for Napster (6257, 6699)
    
    NB. This list is intended to be indicative rather than comprehensive. The reasons for this are that services may be bound to different ports and a large number of P2P applications exist. It is strongly recommended that ports are only opened on your firewall if you have a business need for a particular network service and are aware of the security implications of running that service.
    
    The detection and prevention of their use is a very complex issue. P2P products are designed to work in most environments, whether home, small business or enterprise, and as a result they have a number of features that can defeat existing security measures such as firewalls. Activity on the above ports, trace route activity originating from your internal network and/or high CPU usage on your computers may well indicate the presence of P2P applications on your computer network. Further advice on detecting the unauthorised use of such software, and on minimising potential risks, is contained in the references below.
    
    P2P or not to P2P
    (http://www.infosecuritymag.com/articles/february01/cover.shtml)
    Peer-to-peer Networking security
    (http://www.networkmagazine.com/article/NMG20020206S0005)
    P2P taps the Enterprise (http://www.networkcomputing.com/1306/1306ws1.html)
    P2P Networking Portal (http://cnscenter.future.co.kr/hot-topic/p2p.html)
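    The following Python script is an added example and is not part of the UNIRAS briefing. It takes the indicative port list above, emits the corresponding perimeter block rules (assuming a Linux netfilter/iptables firewall with the internal network on eth1, which the briefing does not specify), and runs a simple detector over a handful of constructed iptables-style log lines to report which internal hosts are talking to the listed ports. The log format, interface names, addresses and the `SAMPLE_LOG` lines are all constructed for the example.

```python
"""Indicative P2P port table from the briefing, plus a perimeter rule generator
and a log-based detector. Added example; log lines and interface names are
constructed assumptions, not data from the briefing."""
import re
from collections import Counter

# Port lists exactly as given in the briefing. Indicative, not comprehensive:
# clients may be bound to other ports, so a miss here proves nothing.
P2P_PORTS = {
    "KaZaA": {1214, 1285, 1299, 1331, 1337, 3135, 3136, 3137},
    "Napster": {6699, 8875, 8876, 8888},
    "Gnutella": {6346, 6347},
    "WinMX": {6257, 6699},
}

# Assumed log format: iptables LOG target output with SRC/DST/PROTO/DPT fields.
LOG_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>TCP|UDP) .*?DPT=(?P<dpt>\d+)"
)

# Constructed sample log lines (not from the briefing).
SAMPLE_LOG = [
    "Apr 30 11:19:01 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.0.12 DST=203.0.113.5 PROTO=TCP SPT=3312 DPT=1214",
    "Apr 30 11:19:03 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.0.12 DST=203.0.113.9 PROTO=TCP SPT=3313 DPT=6346",
    "Apr 30 11:19:05 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.0.40 DST=198.51.100.7 PROTO=TCP SPT=4021 DPT=80",
    "Apr 30 11:19:07 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.0.55 DST=198.51.100.2 PROTO=TCP SPT=4022 DPT=6699",
    "Apr 30 11:19:09 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.0.12 DST=203.0.113.5 PROTO=UDP SPT=1214 DPT=1214",
]


def port_to_apps(port):
    """Return the (sorted) list of applications the briefing associates with a port.
    6699 is shared by Napster and WinMX, so a hit can name more than one."""
    return sorted(app for app, ports in P2P_PORTS.items() if port in ports)


def scan_log(lines):
    """Return (src, dst, proto, dport, apps) for every line whose destination
    port is in the table. Lines that do not match the format are skipped."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        dport = int(m.group("dpt"))
        apps = port_to_apps(dport)
        if apps:
            hits.append((m.group("src"), m.group("dst"), m.group("proto"), dport, apps))
    return hits


def summarise(hits):
    """Count hits per internal source address, noisiest host first, so an
    administrator knows which desktops to look at."""
    return Counter(h[0] for h in hits).most_common()


def iptables_rules(internal_if="eth1"):
    """Emit LOG + DROP rules for outbound traffic from the internal interface to
    each application's ports, on both TCP and UDP as the briefing lists both.
    Assumes a Linux netfilter perimeter; 'eth1' is a placeholder interface."""
    rules = []
    for app, ports in sorted(P2P_PORTS.items()):
        plist = ",".join(str(p) for p in sorted(ports))
        for proto in ("tcp", "udp"):
            match = f"-A FORWARD -i {internal_if} -p {proto} -m multiport --dports {plist}"
            rules.append(f'iptables {match} -j LOG --log-prefix "P2P-{app} "')
            rules.append(f"iptables {match} -j DROP")
    return rules


if __name__ == "__main__":
    for rule in iptables_rules():
        print(rule)
    hits = scan_log(SAMPLE_LOG)
    for src, dst, proto, dport, apps in hits:
        print(f"{src} -> {dst} {proto}/{dport} ({', '.join(apps)})")
    print("hosts by hit count:", summarise(hits))
```

    Matching on destination port alone inherits the caveat the briefing gives for its own list: it catches default configurations only, so treat a hit as a prompt to look at the host, not as proof, and pair it with the other indicators the briefing names (traceroute activity from inside the network, unexplained CPU load). The LOG rule precedes the DROP rule so that blocked attempts still produce the log lines the detector reads.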
    
    ----------------------------------------------------------------------------------
    
    For additional information or assistance, please contact the HELP Desk by
    telephone or Not Protectively Marked information may be sent via EMail to:
    
    uniras@private
    Tel: 020 7821 1330 Ext 4511
    Fax: 020 7821 1686
    
    ----------------------------------------------------------------------------------
    Reference to any specific commercial product, process, or service by trade name, trademark, manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favouring by UNIRAS or NISCC. The views and opinions of authors expressed within this notice shall not be used for advertising or product endorsement purposes.
    
    Neither UNIRAS nor NISCC shall accept responsibility for any errors or omissions contained within this briefing notice. In particular, they shall not be liable for any loss or damage whatsoever, arising from or in connection with the usage of information contained within this notice.
    
    UNIRAS is a member of the Forum of Incident Response and Security Teams (FIRST) and has contacts with other international Incident Response Teams (IRTs) in order to foster cooperation and coordination in incident prevention, to prompt rapid reaction to incidents, and to promote information sharing amongst its members and the community at large.
    ----------------------------------------------------------------------------------
    <End of UNIRAS Briefing>
    -----BEGIN PGP SIGNATURE-----
    Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>
    
    iQCVAwUBPM5va4pao72zK539AQFRdgP/WtKegqt8FLgJ7PbWOy1VaYheI/MH/92s
    p7i6k5FYm2UIBadA0qPNdUnyZOLv/zd7/fSi00zEXwkPmhfFmBUpMrkc2+pHdZXu
    MebBUy+tP9AvTMs3P+edeKSJu/E7/fIvDg5Usdo0jOsHbf2A3qsILDCdfufIG6eX
    0qSt/nXIqu0=
    =Sw3C
    -----END PGP SIGNATURE-----
    



    This archive was generated by hypermail 2b30 : Sun May 26 2002 - 11:42:44 PDT