With the Congressional Oversight and Government Reform Committeetaking a fresh look at the privacy and security risks posed byusing LimeWire and other peer-to-peer file-sharing applications, nowis a good time for both home and office users of these services toreassess the safety of their own sensitive data.
Committee members last month directed Mark Gorton, chairman of theLime Group, which owns LimeWire; U.S. Attorney General Eric H.Holder Jr., and Jon Leibowitz, chairman of the U.S. Federal TradeCommission, to prepare for new hearings on peer network security. Thecommittee was responding to a batch of incidents involving highlysensitive corporate and government files leaked to the Internet at large by way ofpersonal computers.
The committee hinted at the possibility of legal action againstLimeWire to cut the security risks. In the wake of those concerns,Gorton wrote to the committee’s chairman, Rep. Edolphus Towns, D-N.Y., declaring that the LimeWire software has beencompletely rewritten to give users more control over which files can be shared.
Despitesuch claims, peer-to-peer (P2P) networks should be used with theutmost care. A lack of user knowledge about P2P networkingremains one of the biggest ways to unwittingly expose privateinformation.
“Peer networks are growing exponentially. We don’t believe that usersare not going to use them just because of data breaches. Thatreasoning is the equivalent of saying the Internet is dangerous sodon’t use it, or don’t drive a car because you can get killed in anaccident,” Keith Tagliaferri, director of operations for peer-to-peersecurity company Tiversa, told TechNewsWorld.
Useful or Not
Depending on whom you talk to, P2P networks are either incredibly practical Internet tools or a huge drawback due to their inherent security risks.
Peer networks such as LimeWire, Gnutella, BitTorrent,BearShare or any one of the more than 250 P2P networks in popular use are a well-known way for users to locate digital content such as music, movies, software or other datastored on other users’ computers. Typically, users download software thatidentifies their computer as a node on an ad-hoc network of computers.The software catalogs available data on the users’ hard drives and thenallows other network members to download copies of those files.
Depending on how the P2P software is configured, the client programcan locate all types of data stored on a hard drive. Sharing, byactually downloading that data to other users’ computers, may violatecopyrights on audio and video content, graphics and documents. The nodes can often connect anddisconnect on demand without the knowledge or direct interaction of thecomputer owner or user.
“P2P is too essential to the flow of data. It is not going away. It isactually the future of the Internet in accelerating informationexchange,” Tagliaferri said.
However, the jury is still out on whether or not P2P networks provide alegitimate vehicle for sharing information. While lawmakers andcontent providers continue to debate the issue, users have todecide whether the inherent risks undercut the benefits.
P2P software can bypass even the best safeguards. Forexample, Web browser tools that give users alerts about unsafe Web siteswill not protect against P2P threats. These networks can run in stealthmode and bypass even firewall settings, warned Tagliaferri.
“End users really have to be careful. It is pretty scary out there,”Sean Morris, director of sales for document and content managementfirm Digitech Systems, told TechNewsWorld.
Peer network users need to look at the type of encryption the networkis using and how the network handles the file exchange process.Similarly, P2P organizations need to offer usersexplanations for what they are doing, according to Morris.
However, the burden is on the user to review the process. This is in many cases the true Achilles Heel of security.
“The biggest factor is educating the network users, especially whenchildren use the service. This is where parental control comes intoplay. Windows provides numerous ways to control where kids can goonline. The public needs to be educated on how to do these things,”said Morris.
What Others Do
Often, youngsters will install P2P software on a family computer toget the latest movies and videos. They may not pay attention to the application’s privacysettings and wind up having the software run all the time in thebackground, in the process making everything their parents have on the computer available to the rest of the network’s users — tax info, banking info, etc. Of course, children aren’t the only culprits. Parents themselves might install the applications, all the while ignorant of the consequences.
“We have seen that P2P software runs on a family computer and theadults don’t realize it is there. Somebody else in the familyinstalled it. The program runs in the background. These networks candownload porn, viruses, copyrighted material and a lot more,” saidTagliaferri.
It is critical that users know how to set up the user controls. This is not a protection that a typical antivirus scanner will automatically set up. Someof Tiversa’s largest corporate customers have every singlesecurity protection installed that is available — yet they still find theirdocuments on the Internet every week, Tagliaferri said.
P2P networks have no place on business machines, both Morris andTagliaferri agreed. No one — except perhaps cybercrime law enforcement officials and the employees of a P2P network itself — should be using them at work. Businesses that insist on running P2P network software should onlyinstall it on a quarantined or dedicated computer.
Firewalls, antivirus software and other intrusion-protectionmechanisms are often useless in shoring up privacy and security on P2P networks. P2P applications are designed to not be identified as threats when harddrives are scanned, Tagliaferri warned.
“We have lab computers with two firewalls. It doesn’t matter how manyyou have. P2P bypasses them. When one access port is blocked, P2P justmoves to the next port,” he explained.
In his letter to LimeWire’s Gorton, Congressional Oversight and Government Reform Committee Chairman Towns complained thatin the nearly two years since the last hearings, when Gorton promisedchanges in the software, LimeWire and other P2P providers had nottaken adequate steps to address the problem.
“We’re confident in the commitment we’ve made and the work we haveaccomplished over the last two years to upgrade and improve oursoftware,” Linda Lipman, LimeWire spokesperson, told TechNewsWorld. “As we’ve said, LimeWire 5 (the software’s latest version) not only alerts a user topotential inadvertent file-sharing — but this version of our softwarehas done away with recursive sharing, has done away with directorysharing, has done away with folder sharing and has done away withdefault sharing. We have complete confidence that with LimeWire 5, ourusers are downloading the most secure file-sharing softwareavailable.”
Despite the exchanges between lawmakers and P2P networks, Congress could be wasting its time pursuing restrictions on P2P, Tagliaferri said. It is not the peer networks themselves that cause the realproblem — rather, third parties are the culprits.
“It is not about government control. I’m not sure government actionis needed,” he said.
Over 80 percent of all sensitive consumer information comes from other kinds of leaks, he suggested. For example, doctors, dentists and schools often keep records containing sensitive information about students and patients. This information is sometimes lost, leaked or stolen, and whether that loss happens via someone in the doctor’s office using P2P or some other means, the result is the same: Private info is cast to the wind, and another person risks falling prey to identity theft.
“Consumers can do everything right and still have third parties makedisclosures through P2P,” Tagliaferri concluded.