P2P puts your hard drive at risk

Mike Reagan: When someone downloads a file-sharing program, they could be sharing company or personal secrets at the same time. Here's some preventative maintenance.

In September 2002, a man used his computer to view the entire hard drive contents of the Aspen, Colorado city government network administrator. The Toronto native was using a file-sharing program to locate a copy of a recent movie, but instead found that he had access to a range of Aspen government information, including the passwords of the entire police department. The Aspen network administrator had installed a file-sharing program on his computer, not realising that by doing so he had opened his system to the world. That's a security hole.

I've had direct experience with this myself, because I have a list of all the salaries at a large company in Texas. I have another list that includes several peoples' credit card numbers. I have the account number of a major brokerage house customer, along with her balances and recent stock trade activity. I don't want to have this information and I acquired it almost by accident. I was trying out a popular peer-to-peer file-sharing application, searched for ".xls" files, and soon knew precisely what each person makes at that Texas company, as well as the credit card numbers and the stock transactions.

I've since deleted all this information and called the owners to warn them that they should protect themselves. That's how I handled it, but right now someone else with the same information may be out there charging up a storm on the credit cards. You take that chance if you open the giant security hole into your life that's called peer-to-peer file-sharing.

In the last few years peer-to-peer, or P2P, has become very popular. It's the technology that enabled millions of Napster users to share music files until the music industry fought back to save their revenue stream. It's the technology behind Kazaa.com, Gnutella.com, Morpheus.com and many other popular file-sharing sites and applications. The P2P idea seems idealistic and innocent: I can designate certain files on my computer to be accessible to anyone, and they can do the same thing. Then I can launch a simple search for a song, a movie clip, a graphic, or a certain type of file. My system will find it and download it. Other people can do the same thing with my files. It's like a virtual swap meet, but there's a big problem.

In many cases users are not savvy enough to restrict access to the right files. They inadvertently open up large sections of their disks -- perhaps even all of it. Even worse, some of these file-sharing applications have default settings that expose vast sections of a user's files, and the user may not even know it. If a user later moves some folders they may be exposing previously restricted information to free downloading. That's how I accidentally came to be looking at the salaries of everyone in a large company: someone in personnel or finance had not protected the Excel spreadsheet files, so they were open for all to see. This is a security disaster, and with the increasing popularity of file-sharing applications, it's going to get worse. So what can we do?

Fortunately, there are several steps that any user can take to protect their vital information:

1. Know what you're installing, and how it works.
Don't just download a file-sharing application and start using it. That's easy to do, but dangerous. Learn about the application, understand its default settings and be very careful about the access you grant to your files. Read each installation window carefully before you click "next." It's likely you'll want to set different defaults.

2. In a business setting, involve your IT people.

Whether you should be file-sharing on company time and on company systems is your decision, but if you're installing an unauthorised application on a company system you'd better let your IT department know about it. A file-sharing application on one system can open the door to files throughout the company. By installing a rogue application you can put your company's intellectual property at risk. Also, file-sharing applications can be huge bandwidth hogs. You can dramatically reduce system performance and tie up corporate bandwidth, reducing everyone's productivity.

3. In a company, create an appropriate use policy.
It's up to your company what it says, but I suggest that the best approach is to have a corporate policy that prohibits the installation and use of unauthorised file-sharing applications on company systems.

4. Use a traffic content monitor.
Today there are sophisticated and relatively low-cost software and hardware products that can alert you when proprietary information is leaked. These monitors scan Web-surfing, email, instant messaging and file downloads in real-time to identify inappropriate activities. They provide near-real-time alerts about the activity and detailed follow-up reports. Such monitors can't block inappropriate file-sharing before it happens, but they can identify the source of these downloads so quickly that the IT department can fix the problem before the damage spreads, plugging these gaping security holes.

P2P file-sharing is not going away. We've all heard the expression "information wants to be free," and it's the nature of the Internet to constantly find new ways to enable people to access information -- regardless of whether they should or not. So, as file-sharing sites and programs spread, the security risks to your personal and corporate information will increase. The steps I've described can begin to provide some initial protection. These deal primarily with changing behaviour and encouraging individuals and organisations to become more vigilant. But as file sharing spreads, it's going to take more than just changing behaviour. You're going to need dedicated technology -- hardware or software -- that can recognise security risks, report them and stop them before the damage spreads. You wouldn't leave your house for a week with all the doors and windows open. You shouldn't do this with your computer, either.

Mike Reagan is senior vice president of Vericept Corporation (www.vericept.com), a Denver, Colorado-based supplier of advanced content monitoring technology. He is an expert in Web, email and messaging abuse, and is frequently quoted in publications discussing employee communications abuse and network security topics.
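Step 1 above amounts to one concrete check: before pointing a file-sharing client at a folder, look at what that folder actually contains. The following script is an added example, not code from the original article or from Vericept. It walks a share directory, flags files whose extension suggests business records (the spreadsheets the article describes), and scans readable text for password-style keywords and for 13-16 digit runs that pass the Luhn checksum, the pattern of a payment card number. The extension list, keywords, thresholds and the sample folder it builds are all assumptions constructed for the demonstration.

```python
"""Audit a folder before (or after) sharing it with a P2P client.

Added example, not the article's or Vericept's code. Walks a directory
tree and reports files that look like they should not be shared:
business-record extensions, sensitive keywords, and digit runs that
pass the Luhn check (the shape of a card number). All lists below are
assumptions, not taken from the article.
"""
import re
import tempfile
from pathlib import Path

# Extensions that typically hold records rather than media (assumed list).
RISKY_EXTENSIONS = {".xls", ".xlsx", ".csv", ".doc", ".docx", ".mdb", ".pst"}
# Keywords that suggest credentials or payroll data (assumed list).
KEYWORDS = re.compile(r"\b(password|passwd|salary|account number)\b", re.IGNORECASE)
# 13-16 digits, optionally separated by single spaces or dashes.
CARD_CANDIDATE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_file(path: Path) -> list:
    """Return the reasons a single file looks unsafe to share (empty if none)."""
    reasons = []
    if path.suffix.lower() in RISKY_EXTENSIONS:
        reasons.append(f"risky extension {path.suffix.lower()}")
    try:
        text = path.read_text(errors="ignore")   # binary files yield little text
    except OSError:
        return reasons
    if KEYWORDS.search(text):
        reasons.append("sensitive keyword")
    for match in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", match.group())
        if luhn_ok(digits):
            reasons.append("possible card number")
            break
    return reasons


def audit_share(root) -> dict:
    """Map each flagged file (relative POSIX path) to its list of reasons."""
    findings = {}
    root = Path(root)
    for path in sorted(root.rglob("*")):
        if path.is_file():
            reasons = scan_file(path)
            if reasons:
                findings[path.relative_to(root).as_posix()] = reasons
    return findings


def build_sample_share() -> str:
    """Construct a throwaway share folder with made-up contents (constructed data)."""
    root = Path(tempfile.mkdtemp(prefix="p2p_share_"))
    (root / "music").mkdir()
    (root / "music" / "track01.mp3").write_bytes(b"ID3 fake audio")
    (root / "readme.txt").write_text("Shared songs only, nothing private here.\n")
    (root / "finance").mkdir()
    (root / "finance" / "payroll.xls").write_text("employee,salary\nAlice,72000\n")
    (root / "finance" / "notes.txt").write_text(
        "Customer card on file: 4111 1111 1111 1111, exp 01/05\n"   # well-known test number
    )
    return str(root)


if __name__ == "__main__":
    for rel, why in audit_share(build_sample_share()).items():
        print(f"{rel}: {', '.join(why)}")
```

Run it against the folder a client is about to publish; anything it lists should be moved out of the share or the share narrowed before the client is started. The card check is deliberately conservative (Luhn-valid runs only), so a clean report is a starting point, not proof that nothing sensitive is present.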