AA-2002.02 -- File-Sharing Activity Part 1 of 2 - Security implications of using peer-to-peer file sharing software

Date: 20 May 2002


===========================================================================
AA-2002.02                    AUSCERT Advisory

                     File-Sharing Activity Part 1 of 2 -
      Security implications of using peer-to-peer file sharing software

                                 20 May 2002

Last Revised: --

- ---------------------------------------------------------------------------

AusCERT has recently received increasing numbers of reports regarding large
scale illegal file sharing networks that fall into two distinct categories.
The first category, concerning peer-to-peer file sharing software, is
discussed in this advisory.  The second category, concerning compromised
servers being used in file sharing networks, is discussed in AA-2002.03.

The security risks of using peer-to-peer (P2P) file sharing software are
well documented, and have been widely discussed. Recent advances in P2P
technology again reinforce the need for users to be aware of the implications
of using such software, and for network, system and security administrators
to ensure that policies and procedures are in place to minimise the risk.

- ---------------------------------------------------------------------------

1.  Description

Before the advent of P2P technology, systems for sharing files between
computers were largely confined to Local Area Networks (using built-in
network software) and to the exchange of files with known individuals over
the Internet (mainly using the File Transfer Protocol (FTP), or chat
networks such as Internet Relay Chat (IRC) or ICQ). P2P applications set up
direct communications between computers to share or transfer data,
increasing the scope of peer networks dramatically. By downloading software
such as Napster, Gnutella or KaZaA, a user makes the files in specified
directories available to all other users who have downloaded the same
application, and is able to search for and retrieve files (typically music,
videos, images or software) from a potentially enormous network of unknown
users.

The risks identified here are not unique to P2P, though some of them are
greater with P2P.  In most cases, where the use of P2P technologies is
unauthorised or is in breach of an organisation's security policy, the
use of P2P introduces additional risks to the network that go unchecked.
If the use of P2P is authorised, the risks are understood and appropriate
mitigation strategies are adopted, then many of the security issues
associated with its use can be managed.  However, doing so will introduce
greater complexity into the organisation's security requirements, and more
resources will be required to manage these risks.


2.  Impact

There are several general security issues that network and system
administrators should consider before participating, or when deciding
whether to participate, in P2P file sharing networks:

A. Vulnerability to viruses and trojans contained in the files downloaded
   onto your computer. 

   The W32/Gnuman worm, which appeared in February 2001, illustrated the
   potential for virus writers to take advantage of P2P networks. The worm
   was an executable file with a name that matched key words used in a
   search, making users believe the file contained desired content. Once
   downloaded and run, the worm attempted to spread itself to other
   Gnutella users.  Fortunately Gnuman was a concept virus and did not
   carry any destructive payload.

   Attacks involving Trojan horse programs have been known to leverage
   P2P networks to enable intruders to coordinate the actions of
   compromised computers in attacks against other sites.

   Because P2P applications provide direct access to network shares,
   worms, viruses and trojans transferred through them may evade detection
   and intervention by virus scanners, particularly gateway virus scanners.

B. Social engineering.

   Social engineering attacks may entice users into taking insecure
   actions, such as communicating sensitive information with outsiders or
   executing untrusted software.  Users should be aware of the potential
   for social engineering attacks and use caution in releasing information
   and executing untrusted software.

C. Loss of control over what data is shared outside an organisation.

   When a user launches a P2P file sharing application, they are also able
   to share information on any of their local or network accessible disk
   drives with people outside of the organisation.  It is possible for a
   user to misconfigure their client, so that files which should have
   restricted access become available to anyone sharing the same P2P
   software.

D. Exposure to software flaws.

   Software flaws, such as buffer overflows or insecure configurations,
   may be present in P2P client software and may provide a means for remote
   users to initiate attacks that execute code on internal systems.

E. Denial of service.

   Denial of service can occur, either by malicious intent or due to
   unforeseen flaws in the software. The P2P application may be
   incompatible with software or hardware used on a network, causing an
   unintended denial of service, or it may contain security flaws that
   could provide attackers with ways to crash computers.

F. Bandwidth problems. 

   In addition to the demands on the network that may be posed by the size
   of the files that are being shared, there may be unforeseen problems
   due to other aspects of the functionality of P2P applications.

G. Legal ramifications.

   There are possible civil and/or criminal ramifications associated with
   hosting, and thus having control or possession of, pirated intellectual
   property, whether willingly or otherwise.


3.  Workarounds/Solution

Discourage P2P usage in your network

  We strongly recommend that P2P file sharing applications are not used,
  and that written policies regarding P2P software usage are in place.
  Policies determining the applications that can and cannot be installed
  on desktop PCs, and defining acceptable uses for corporate computers,
  should include mention of P2P file sharing applications. Given the
  popularity and growing use of these applications, it is all the more
  important that system administrators and departmental and company
  security officers review their policies, and ensure that users are
  educated about the reasons for these policies, and the potential risks
  of using this software.

Block access to P2P services at the network perimeter

  If it is nevertheless suspected that P2P applications are being used on
  a network, then the ports which these applications use should be blocked
  by the firewall on the network perimeter. A list of potential TCP and
  UDP ports which should be blocked is as follows:

    KaZaA (1214, 1285, 1299, 1331, 1337, 3135, 3136 and 3137)
    Napster (6699, 8875, 8876, 8888)
    Gnutella (6346, 6347)
    WinMX Windows client for Napster (6257, 6699)

  Please understand that this list is intended to be indicative rather
  than comprehensive. Other ports may be used by these and other P2P
  applications.  For this reason it is strongly recommended that ports
  are only opened on your firewall if you have a business need for a
  particular network service and are aware of the security implications
  of running that service.

  The detection and prevention of the use of P2P applications is a complex
  issue. P2P products are designed to work in most environments, whether
  home, small business or enterprise, and as a result they have a number
  of features that can defeat existing security measures such as firewalls.
  Activity on the above ports, trace route activity originating from your
  internal network and/or high CPU usage on your computers may indicate
  the presence of P2P applications on your computer network.
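As an added example (not part of the advisory), the following Python script applies the indicative port list above to perimeter firewall log lines and reports internal hosts with accepted outbound connections to those ports, grouped by the application the port is associated with. The log line format, the sample lines and the 10.0.0.0/8 internal range are assumptions made for this example.

```python
import re
from collections import defaultdict

# Port-to-application mapping taken from the advisory's indicative list.
# 6699 appears under both Napster and WinMX, so it is labelled accordingly.
P2P_PORTS = {
    1214: "KaZaA", 1285: "KaZaA", 1299: "KaZaA", 1331: "KaZaA", 1337: "KaZaA",
    3135: "KaZaA", 3136: "KaZaA", 3137: "KaZaA",
    6699: "Napster/WinMX", 8875: "Napster", 8876: "Napster", 8888: "Napster",
    6346: "Gnutella", 6347: "Gnutella",
    6257: "WinMX",
}

# Assumed (constructed) firewall log format:
# "<timestamp> <ACCEPT|DROP> <TCP|UDP> <src_ip>:<src_port> -> <dst_ip>:<dst_port>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ACCEPT|DROP)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def is_internal(ip):
    """Assumption: the internal network is 10.0.0.0/8; adjust for your site."""
    return ip.startswith("10.")

def find_p2p_hosts(log_lines):
    """Return {internal_host: {application: [external peers]}} for accepted
    outbound connections whose destination port is on the advisory's list.
    Dropped traffic is ignored, since the perimeter already stopped it."""
    hits = defaultdict(lambda: defaultdict(set))
    for line in log_lines:
        m = LINE_RE.match(line.strip())
        if not m or m["action"] != "ACCEPT":
            continue
        app = P2P_PORTS.get(int(m["dport"]))
        if app and is_internal(m["src"]) and not is_internal(m["dst"]):
            hits[m["src"]][app].add(m["dst"])
    return {h: {a: sorted(p) for a, p in apps.items()} for h, apps in hits.items()}

# Constructed sample log lines (documentation address ranges for the peers).
SAMPLE_LOG = """\
2002-05-20T09:01:02 ACCEPT TCP 10.1.2.3:1033 -> 203.0.113.7:1214
2002-05-20T09:01:05 ACCEPT TCP 10.1.2.3:1034 -> 198.51.100.9:1214
2002-05-20T09:01:09 ACCEPT UDP 10.1.2.3:1214 -> 192.0.2.44:1214
2002-05-20T09:02:11 ACCEPT TCP 10.1.2.8:2048 -> 203.0.113.20:6346
2002-05-20T09:02:30 DROP   TCP 10.1.2.9:3000 -> 203.0.113.21:6699
2002-05-20T09:03:00 ACCEPT TCP 10.1.2.5:4010 -> 203.0.113.50:80
""".splitlines()

if __name__ == "__main__":
    for host, apps in find_p2p_hosts(SAMPLE_LOG).items():
        for app, peers in apps.items():
            print(f"{host}: {app} traffic to {len(peers)} external peer(s): {', '.join(peers)}")
```

A host talking to many distinct external peers on one of these ports is a stronger indicator than a single connection, which is why the peers are collected per host rather than simply counted.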


4.  Further Information

  Further advice on detecting the unauthorised use of such software, and
  on minimising potential risks, is contained in the references below.

    P2P or not to P2P 
    http://www.infosecuritymag.com/articles/february01/cover.shtml

    Peer-to-peer Networking security 
    http://www.networkmagazine.com/article/NMG20020206S0005

    P2P taps the Enterprise 
    http://www.networkcomputing.com/1306/1306ws1.html

    P2P Networking Portal 
    http://cnscenter.future.co.kr/hot-topic/p2p.html

    UNIRAS Briefing - 121/02 - UNIRAS - Security implications of using
    peer-to-peer file sharing software
    http://www.uniras.gov.uk/l1/l2/l3/brief2002/Briefing%20-%2012102.txt

    CERT Incident Note IN-2000-08 - Chat Clients and Network Security
    http://www.cert.org/incident_notes/IN-2000-08.html

    CERT Incident Note IN-2002-03 - Social Engineering Attacks via IRC
    and Instant Messaging
    http://www.cert.org/incident_notes/IN-2002-03.html

    CERT Incident Note IN-2000-02 - Exploitation of Unprotected Windows
    Networking Shares
    http://www.cert.org/incident_notes/IN-2000-02.html

- ---------------------------------------------------------------------------

AusCERT would like to thank UNIRAS (UK Govt CERT - www.uniras.gov.uk) for
allowing use of their materials in assembling the information contained
in this advisory:  UNIRAS Briefing - 121/02 - UNIRAS - Security
implications of using peer-to-peer file sharing software:

    http://www.uniras.gov.uk/l1/l2/l3/brief2002/Briefing%20-%2012102.txt

- ---------------------------------------------------------------------------

AusCERT has made every effort to ensure that the information contained in
this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation.  The
appropriateness of this document for an organisation or individual system
should be considered before application in conjunction with local policies
and procedures.  AusCERT takes no responsibility for the consequences of
applying the contents of this document.

If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

AusCERT maintains an anonymous FTP service which is found on:
ftp://ftp.auscert.org.au/pub/.  This archive contains past SERT and AusCERT
Advisories, and other computer security information.

AusCERT also maintains a World Wide Web service which is found on:
http://www.auscert.org.au/.

Internet Email: auscert@auscert.org.au
Facsimile:	(07) 3365 7031
Telephone:	(07) 3365 4417 (International: +61 7 3365 4417)
		AusCERT personnel answer during Queensland business hours
		which are GMT+10:00 (AEST).
		On call after hours for emergencies.

Postal:
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld  4072
AUSTRALIA


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Revision History


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
