Features : Corporate Users Snared In A Tangled Web


File-sharing programs are creating security risks for the global finance industry’s computer systems.


Safe at home: Simple precautions can help ensure corporate data security.

Businesses in the global finance industry are waking up to the hard fact that no matter how well they protect their computer networks, a workplace notebook computer linked to a music file-sharing service such as LimeWire can menace company security. The reason? It turns out that many people—or their children—using file sharing programs at home during their off-hours on workplace notebook computers are inadvertently sharing company files in addition to the music files they share.

Some of these users are also unintentionally downloading files—including some that have been renamed to seem innocuous, other people’s tax returns and more—and then unwittingly toting those files back to work on their computers.

While the problem is not considered epidemic at this point, web security experts and government officials warn that the security risk with peer-to-peer, or P2P, networks is real and that it is common knowledge to many hackers. “With millions of users worldwide sharing music, video, software and pictures, file movement on these networks represents a significant percentage of Internet traffic,” says Eric Johnson, director of the Center for Digital Strategies at Dartmouth College. “Our research shows that criminals trawl P2P networks and opportunistically exploit the information they find.”

The source of the vulnerability is a “shared folder” that music file-sharing software programs create on a person’s PC when he or she joins a P2P network. While the shared folder is meant for music only, it is easy to misconfigure and often results in the sharing of many more files than the user intends.

Indeed, in some cases, the entire hard drive of people’s PCs can now easily be searched through the many P2P software programs available because of the way their music “shared folder” has been configured, Johnson says. Commonly used P2P software programs with the vulnerability include LimeWire, Kazaa, Morpheus, eMule and BearShare, he adds.

Compounding the problem is the ease with which sensitive files can be unearthed on P2P networks, according to Pasquale Giordano, president and COO of SafeMedia, a company that specializes in P2P blocking technology.

Essentially, finding those files is often as effortless as typing in key phrases like “tax return,” “Scotland Yard” or “Pentagon” while logged onto a P2P network and seeing what pops up, Giordano says. “We found everything from Pentagon network server secrets to other sensitive information on P2P networks that hackers dream about,” says US retired general Wesley Clark, a board member of Tiversa, a P2P file-sharing risk assessment and monitoring service.

US congressman Henry Waxman, who chairs the House Committee on Oversight and Government Reform, found similar results. “We used the most popular P2P program, LimeWire, and ran a series of basic searches,” he says. “What we found was astonishing: personal bank records and tax forms, attorney-client communications, the corporate strategies of Fortune 500 companies, confidential corporate accounting documents, internal documents from political campaigns, government emergency response plans and even military operation orders.” Waxman adds: “All these files were found in unpublished, Microsoft Word document format. It is truly chilling to think of what private information an organized operation or a foreign government could acquire with additional resources.”

Mike Groton, founder and chairman of LimeWire, says many of the file-sharing problems arising from his company’s software can be traced to user inexperience and not flaws in the software’s design. LimeWire users are able to easily view which files are being shared and how many times a file has been uploaded, he says. Users can also permit or forbid sharing on a file-by-file or folder-by-folder basis. And users are always given warnings when they attempt to share folders that are likely to contain sensitive information, such as the “My Documents” folder on Microsoft Windows.

“Despite our warnings and precautions, a small fraction of users override the ‘safe default’ setting that comes with the program and end up inadvertently publishing information that they would prefer to keep private,” Groton says. Consequently, LimeWire is working to develop a new version of the software that promises to make it easier for users to see the files they are sharing, as well as make the software’s controls more intuitive, according to Groton.

Web security experts say businesses looking to get out in front of the problem should install special hardware/software solutions that prevent direct access to unauthorized P2P networks at work. In addition, staff using P2P networks at home should be alerted to best practices for mitigating the security risk associated with those networks.

Giordano’s SafeMedia, for example, offers a hardware/software appliance, dubbed “Clouseau,” that automatically blocks a blacklist, which SafeMedia continuously updates, of suspect P2P networks. Companies that would prefer to create their own blacklist of P2P networks may instead want to evaluate CopySense Network Appliance (CNA) from Audible Magic. That product enables IT departments to pick and choose the P2P networks to ban or allow. Firms can also use CNA to block all P2P file transfers outright or only those transfers containing copyrighted content or other content a firm deems offensive.

CS-8 Pro, a similar filtering device from ComSifter, enables IT to install up to eight different P2P filters on a network, based on the varying needs of all the individuals using the system. An IT manager may want to use CS-8 Pro to allow P2P use by certain trusted staff members while banning others.

Staff who must use—or are determined to use—P2P networks are advised by Johnson and others to take the following precautions:

• Don’t be sloppy about what goes into a shared folder. While music-sharing folders often start out for one purpose, other types of data—including corporate information—sometimes get dropped in by mistake.

• Don’t be duped by file-sharing rewards incentives. Some file-sharing software programs offer users a sliding scale of rewards contingent on the number of files they share. Many users succumb to the temptation, adding as many files and folders as possible.

• Be on guard against P2P malware. There are stealth software programs in circulation designed specifically to more easily expose personal and corporate data over the P2P networks.

• Don’t let the “wizard” do it. Some file-sharing programs use wizards to recommend folders that users should share. If an extremely sensitive folder has an image or music file in it, chances are the wizard will recommend the user to designate that folder for sharing.

• Be vigilant with all computerized devices. While notebooks are the most common source of P2P vulnerability, PDAs, Pocket PCs and similar devices can create the same havoc. Ditto for flash drives plugged into notebooks and later taken to work.

• Don’t become an unwitting “mule” for the dissemination of classified or other information in a workplace. Because P2P networks are so share friendly, it is possible to wind up with a file you never intended to download.

Unwanted files are often hard to spot, too. A hacker can easily rename a porn file, stolen credit file or classified government secret as a pop song and then watch the “fun” ensue as thousands of fans download the file to their computers. Such files create a real liability for a company if taken into work on a company-owned computer and then disseminated throughout the firm’s computer network.

Joe Dysart