MacNewsWorld.com

You Could Be File-Sharing More Than You Think

File-sharing: For some, the term conjures up notions of mutual gain, free movies and music, and an unending stream of delicious data, courtesy of a worldwide network of friends who just want to give. However, there's a pretty steep downside as well. Aside from the possibility of getting hauled to court for copyright violations, P2P users must constantly guard against sharing files they don't want shared.

With the Congressional Oversight and Government Reform Committee taking a fresh look at the privacy and security risks posed by using LimeWire and other peer-to-peer file-sharing applications, now is a good time for both home and office users of these services to reassess the safety of their own sensitive data.

Committee members last month directed Mark Gorton, chairman of the Lime Group, which owns LimeWire; U.S. Attorney General Eric H. Holder Jr.; and Jon Leibowitz, chairman of the U.S. Federal Trade Commission, to prepare for new hearings on peer network security. The committee was responding to a batch of incidents involving highly sensitive corporate and government files leaked to the Internet at large by way of personal computers.

The committee hinted at the possibility of legal action against LimeWire to cut the security risks. In the wake of those concerns, Gorton wrote to the committee's chairman, Rep. Edolphus Towns, D-N.Y., declaring that the LimeWire software has been completely rewritten to give users more control over which files can be shared.

Despite such claims, peer-to-peer (P2P) networks should be used with the utmost care. A lack of user knowledge about P2P networking remains one of the biggest ways to unwittingly expose private information.

"Peer networks are growing exponentially. We don't believe that users are not going to use them just because of data breaches. That reasoning is the equivalent of saying the Internet is dangerous so don't use it, or don't drive a car because you can get killed in an accident," Keith Tagliaferri, director of operations for peer-to-peer security company Tiversa, told TechNewsWorld.

Useful or Not

Depending on whom you talk to, P2P networks are either incredibly practical Internet tools or a huge drawback due to their inherent security risks.

Peer networks such as LimeWire, Gnutella, BitTorrent, BearShare or any one of the more than 250 P2P networks in popular use are a well-known way for users to locate digital content such as music, movies, software or other data stored on other users' computers. Typically, users download software that identifies their computer as a node on an ad-hoc network of computers. The software catalogs available data on the users' hard drives and then allows other network members to download copies of those files.

Depending on how the P2P software is configured, the client program can locate all types of data stored on a hard drive. Sharing, by actually downloading that data to other users' computers, may violate copyrights on audio and video content, graphics and documents. The nodes can often connect and disconnect on demand without the knowledge or direct interaction of the computer owner or user.

Risky Business

"P2P is too essential to the flow of data. It is not going away. It is actually the future of the Internet in accelerating information exchange," Tagliaferri said.

However, the jury is still out on whether or not P2P networks provide a legitimate vehicle for sharing information. While lawmakers and content providers continue to debate the issue, users have to decide whether the inherent risks undercut the benefits.

P2P software can bypass even the best safeguards. For example, Web browser tools that give users alerts about unsafe Web sites will not protect against P2P threats. These networks can run in stealth mode and bypass even firewall settings, warned Tagliaferri.

"End users really have to be careful. It is pretty scary out there," Sean Morris, director of sales for document and content management firm Digitech Systems, told TechNewsWorld.

Know-How Needed

Peer network users need to look at the type of encryption the network is using and how the network handles the file exchange process. Similarly, P2P organizations need to offer users explanations for what they are doing, according to Morris.

However, the burden is on the user to review the process. This is in many cases the true Achilles' heel of security.

"The biggest factor is educating the network users, especially when children use the service. This is where parental control comes into play. Windows provides numerous ways to control where kids can go online. The public needs to be educated on how to do these things," said Morris.

What Others Do

Often, youngsters will install P2P software on a family computer to get the latest movies and videos. They may not pay attention to the application's privacy settings and wind up having the software run all the time in the background, in the process making everything their parents have on the computer available to the rest of the network's users -- tax info, banking info, etc. Of course, children aren't the only culprits. Parents themselves might install the applications, all the while ignorant of the consequences.

"We have seen that P2P software runs on a family computer and the adults don't realize it is there. Somebody else in the family installed it. The program runs in the background. These networks can download porn, viruses, copyrighted material and a lot more," said Tagliaferri.

It is critical that users know how to set up the user controls. This is not a protection that a typical antivirus scanner will automatically set up. Some of Tiversa's largest corporate customers have every single security protection installed that is available -- yet they still find their documents on the Internet every week, Tagliaferri said.

Security Evasive

P2P networks have no place on business machines, both Morris and Tagliaferri agreed. No one -- except perhaps cybercrime law enforcement officials and the employees of a P2P network itself -- should be using them at work. Businesses that insist on running P2P network software should only install it on a quarantined or dedicated computer.

Firewalls, antivirus software and other intrusion-protection mechanisms are often useless in shoring up privacy and security on P2P networks. P2P applications are designed to not be identified as threats when hard drives are scanned, Tagliaferri warned.

"We have lab computers with two firewalls. It doesn't matter how many you have. P2P bypasses them. When one access port is blocked, P2P just moves to the next port," he explained.

LimeWire Responds

In his letter to LimeWire's Gorton, Congressional Oversight and Government Reform Committee Chairman Towns complained that in the nearly two years since the last hearings, when Gorton promised changes in the software, LimeWire and other P2P providers had not taken adequate steps to address the problem.

"We're confident in the commitment we've made and the work we have accomplished over the last two years to upgrade and improve our software," Linda Lipman, LimeWire spokesperson, told TechNewsWorld. "As we've said, LimeWire 5 (the software's latest version) not only alerts a user to potential inadvertent file-sharing -- but this version of our software has done away with recursive sharing, has done away with directory sharing, has done away with folder sharing and has done away with default sharing. We have complete confidence that with LimeWire 5, our users are downloading the most secure file-sharing software available."

Government Sanctions

Despite the exchanges between lawmakers and P2P networks, Congress could be wasting its time pursuing restrictions on P2P, Tagliaferri said. It is not the peer networks themselves that cause the real problem -- rather, third parties are the culprits.

"It is not about government control. I'm not sure government action is needed," he said.

Over 80 percent of all sensitive consumer information comes from other kinds of leaks, he suggested. For example, doctors, dentists and schools often keep records containing sensitive information about students and patients. This information is sometimes lost, leaked or stolen, and whether that loss happens via someone in the doctor's office using P2P or some other means, the result is the same: Private info is cast to the wind, and another person risks falling prey to identity theft.

"Consumers can do everything right and still have third parties make disclosures through P2P," Tagliaferri concluded.


More by Jack M. Germain

