By Jack M. Germain TechNewsWorld Part of the ECT News Network
07/26/07 8:23 AM PT
During a Congressional hearing Tuesday, Mark Gorton, CEO of LimeWire, said he never imagined his company's file-sharing software could be used to steal and trade personal information and sensitive government info. Government Reform Committee Chairman Henry A. Waxman said he is considering new laws aimed at addressing the problem.
A Congressional hearing on Tuesday investigating inadvertent file sharing over peer-to-peer (P2P) networks unexpectedly put a spotlight on LimeWire Chairman Mark Gorton over the government and personal information that can be acquired over P2P networks without users' knowledge. Gorton's company makes the peer-to-peer software LimeWire. He is also CEO of the parent company, Lime Group.
Seemingly caught off-guard by the barrage of questions, Gorton told the committee that he was not aware of the extent of the security problems or of the flow of information being shared over the network.
Military Info, Tax Records
Gorton was at the hearing to provide testimony about LimeWire. He promised federal officials that he would pursue changes in the software to prevent the continuation of the problem.
Numerous committee members and computer experts testified about the types of information discovered on computers on which LimeWire software was installed. The documents mentioned in the testimony included classified government military orders, confidential corporate accounting documents and localized terrorist threat assessments. Other documents included personal information such as federal workers' credit card numbers, bank statements, tax returns and medical records.
What may have caught committee members most off-guard was learning that tax return information from both British and U.S. citizens was easily located by simply entering the term "tax return" in the LimeWire search window.
Beneficial and Harmful
P2P technology has some benefits to government agencies and consumers alike, both committee members and some witnesses said. However, they also warned that file-sharing networks will continue to seriously endanger national security, intrude on personal privacy and violate copyright law if their use is not adequately restricted.
Government Reform Committee Chairman Henry A. Waxman (D-Calif.) is considering new laws aimed at addressing the problem, but did not offer specifics. He said he was troubled by the possibility that foreign governments, terrorists or organized crime could gain access to documents that reveal national secrets.
A major problem with current P2P technology is that it tricks users into sharing files, according to Thomas Sydnor, an attorney-advisor in the Patent Office's copyright group.
In response, Gorton said that the program's default settings ensured protection of files users intended to keep private. Users may change those settings without knowing what they are doing, he said.
Mincing Words
In response to questions regarding the security risks associated with LimeWire, Gorton defended the program and blamed a handful of inexperienced users.
"Right now the defaults are secure ... I had no idea about the amount of classified material being found," Gorton told the committee.
Committee member Rep. Darrell Issa (R-Calif.) told Gorton that LimeWire's practices could expose his company to thousands of lawsuits over the disclosure of private information.
Issa refuted Gorton's view that problems with privacy disclosures were minor and occasional.
"It's not an anecdotal thing. It is not only once in a while," Issa said.
Committee member Rep. James Cooper (D-Tenn.) told Gorton that he had been very unimaginative in not foreseeing how his software could be abused by others and become a threat to the security of the country.
"I absolutely want to do everything in my power to fight inadvertent file sharing. I'm sorry to say that I didn't know the scope of the situation and didn't have the imagination ..." Gorton replied.
Personal Test
TechNewsWorld experimented with the software Tuesday by downloading and installing a copy of LimeWire onto a Linux computer.
Within four minutes of making the LimeWire connection, the computer's firewall reported eight blocked connection attempts from other computer systems presumably running the LimeWire software. Those attempted incursions stopped once the connection was severed. Upon reconnection, similar attempts were caught by the Linux computer's firewall and blocked.
Private information was quickly found using search terms as simple as "tax return."
Other Examples
"I'm not an expert, just someone who downloaded their software [LimeWire] and was hacked by some tweakers out in Oregon," Kelly Fitzgerald, managing partner at Breakaway Communications in New York, told TechNewsWorld. "The clever Portland police investigated a house of meth users and found my name on a list of people who they hacked, and they hacked me through LimeWire."
The police told her that LimeWire was often found to be the entry mechanism these hackers used to steal personal information. The computer intruders used her credit card to buy hotel stays and software, she said.
"I immediately called LimeWire, told them about the situation, and the woman literally said, 'What do you want me to do about it?'" explained Fitzgerald, adding that she suggested to the LimeWire phone agent that the company needs to fix the software.
The LimeWire phone agent had no answer, said Fitzgerald.
"Unless no one talks to their CEO there, they were well aware of the problem," she said.
Being Safe
Users of file-sharing programs need to understand two major security risks from P2P file download services, according to Rohyt Belani, managing partner at Intrepidus Group, an information security consultancy.
One is that P2P connections allow either communicating party to determine the Internet Protocol (IP) address of the other. With the advent of accurate geo-location services, it is possible to determine the exact physical location of that party based on the IP address. More importantly, this information can be gathered without the "victim" even realizing it, as long as the P2P software is running.
The other is that attackers often masquerade malicious executables as innocuous files and share them via P2P software. These files, when executed by the unaware downloader, can result in a compromise of their systems. If the victim is on a corporate resource (laptop or network), such an attack can result in the compromise of confidential corporate data or the spreading of viruses, he explained.
P2P networks do pose security risks, similar to setting up a wireless network in one's home or office, warned Robert Siciliano, CEO of IDTheftSecurity.com.
"It's not the technology. It's those setting them up who are the risk. Those who install these technologies aren't aware of how to set them up," Siciliano told TechNewsWorld.