
Upload: ben-rothke

Post on 10-Nov-2014


Using Kazaa to Test Your Security Posture

Ben Rothke, CISSP

An effective corporate information security policy will completely ban the use of peer-to-peer (P2P) file sharing software, such as Morpheus and Kazaa. Rightly so, as such software poses numerous security and privacy risks. The fact that P2P software is among the most downloaded files on the Internet should give information security managers pause. As of October 15, 2003, Download.com reported that the Kazaa Media Desktop has been downloaded over 285 million times.

Since P2P networks open the shared computer to millions of computers worldwide, even an inadvertent mistake can have huge repercussions.

Just some of the risks associated with P2P software include:

❏ Spread of worms and viruses. There are scores of reported cases of downloaded files being trojaned or virus-infected.

❏ Hogging of bandwidth. P2P networks are notorious for bringing networks to their knees.

❏ Legal issues/copyright infringement. Copyright laws are often violated on P2P networks.

❏ Bypasses internal controls. Sharing files over P2P eliminates the file-size restrictions of many email systems.

❏ Spyware/Adware. P2P software is replete with spyware and adware, which is software that reports a user’s usage habits and patterns back to a vendor site. Usually this information is used in an advertising context.

❏ Misconfigured file sharing. Users very often misconfigure their P2P software and end up sharing their entire hard drive.

❏ Launching pads for social engineering attacks. Once an attacker has internal information, he or she can use that to their advantage in a social engineering attack, since internal information provides access to authentic-sounding corporate vernacular and nomenclature.

Most users in your organization know that P2P is great for getting music, but are often completely unaware of the security risks of the software. The risks are huge, and all users need to be made aware of them.

From an information security perspective, it can be quite valuable to use the P2P software yourself to see just how much of your proprietary and confidential data is available on P2P networks. The reason is that while the P2P software is meant to share music files, users often configure it incorrectly: rather than sharing their My Music folder, they often share their entire hard drive (for examples, see “Identity Theft Made Easy,” Alert, September 2003). This is a serious problem when the computer being used contains confidential and proprietary corporate data.

Port and vulnerability scanning is a required part of a security assessment. Now, with the ubiquitous use of P2P file sharing, checking to see whether your corporate files are being shared should also be part of that assessment.

Using Kazaa as an example, do a search on your company name. Make sure to highlight the Auto Search More button. This gives Kazaa the ability to search continuously for the file from more and more places, rather than running a single search and stopping. Besides searching on your company name, the following keywords should be searched:

❏ Specialized project names

❏ Project codes

❏ Product names

❏ Manufacturing sites

❏ Employee ID numbers

❏ Financial forms

❏ Backups of entire email boxes

What can you expect to find? Anything that an employee can store on their hard drive can be uploaded via P2P. Companies that have done such P2P searches have often found treasure troves of information.

The danger is that information on P2P networks quickly multiplies. If a file is loaded and its sharing commences, it can easily be on a thousand hard drives within a few hours.
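The search-term list above and the misconfigured-sharing risk can also be checked from the inside, before a folder is ever exposed: audit the directory a P2P client would share and see whether it is far broader than a music folder and whether it holds files whose names match the same terms (company name, project codes, mailbox backups, financial forms). The script below is an added example for this article, not the author's or any vendor's tool. It assumes a POSIX shell with find and grep, a keyword file with one term per line, and the file extensions it flags (.pst/.ost/.mbox for mailbox backups, .xls/.xlsx/.csv for financial forms) are the script's own assumptions, not a list from the article.

```shell
#!/bin/sh
# Added example: audit a folder before it is shared over P2P.
# Assumptions: POSIX sh with find/grep; keyword file has one term per line;
# the "sensitive" extension list below is the script's own choice.

# is_too_broad DIR -> exit 0 if DIR is a filesystem root or an entire
# user profile, i.e. far more than a "My Music" folder.
is_too_broad() {
    dir=$(cd "$1" 2>/dev/null && pwd -P) || return 1
    case "$dir" in
        /|/home|/Users|"$HOME") return 0 ;;
        /home/*|/Users/*)
            # exactly one level below /home or /Users is a whole profile
            rest=${dir#/home/}; rest=${rest#/Users/}
            case "$rest" in */*) return 1 ;; *) return 0 ;; esac ;;
    esac
    return 1
}

# find_sensitive DIR KEYWORDFILE -> prints paths of files whose name
# matches a keyword (case-insensitive, fixed string) or an extension
# typical of mailbox backups and financial spreadsheets (assumed list).
find_sensitive() {
    share=$1; kw=$2
    find "$share" -type f 2>/dev/null | while IFS= read -r f; do
        base=$(basename "$f")
        if printf '%s\n' "$base" | grep -qiE '\.(pst|ost|mbox|xls|xlsx|csv)$'; then
            printf '%s\n' "$f"; continue
        fi
        if [ -s "$kw" ] && printf '%s\n' "$base" | grep -qiF -f "$kw"; then
            printf '%s\n' "$f"
        fi
    done
}

# count_sensitive DIR KEYWORDFILE -> number of flagged files
count_sensitive() {
    find_sensitive "$1" "$2" | wc -l | tr -d ' '
}

# Usage: sh audit_share.sh SHARE_DIR KEYWORD_FILE
if [ $# -eq 2 ]; then
    if is_too_broad "$1"; then
        echo "WARNING: $1 is a drive or profile root; share a specific folder instead"
    fi
    find_sensitive "$1" "$2"
fi
```

The keyword file is the same list the article tells you to search for on the network, so the two checks agree: anything this audit flags in a shared folder is exactly what a search of the P2P network would turn up once the client starts sharing it.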

Countermeasures

If you don’t like what you find (or fear what you may find in the future), you’re not without options. Some countermeasures include:

Port blocking. For Kazaa, block TCP sessions on ports 1214, 1285, 1299, 1331, 1337, 3135, 3136 and 3137. This is not an infallible method, but it is a start.
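The port list above turned into perimeter firewall rules, as an added example that is not from the article: it emits Linux iptables commands that log each attempt at a capped rate before dropping it, so the block doubles as a detection signal that names the internal host. The chain (FORWARD), the internal interface name (eth1) and the use of the multiport and LOG extensions are assumptions of this example; it prints the commands rather than running them, so it can be reviewed first and then piped to sh on the gateway.

```shell
#!/bin/sh
# Added example: iptables rules for the Kazaa TCP ports listed in the article.
# Assumptions: Linux gateway with iptables (multiport and LOG extensions),
# traffic crosses the FORWARD chain, internal interface is $LAN_IF.

KAZAA_TCP_PORTS="1214,1285,1299,1331,1337,3135,3136,3137"   # from the article
LAN_IF=${LAN_IF:-eth1}                                      # assumption

# kazaa_block_rules -> prints one iptables command per line.
# Log first (rate-limited so a chatty client cannot flood syslog), then drop.
# Outbound (-i LAN): a workstation connecting to the Kazaa ports.
# Inbound  (-o LAN): something reaching a workstation that listens on them,
#                    i.e. a machine that is probably sharing files.
kazaa_block_rules() {
    printf 'iptables -A FORWARD -i %s -p tcp -m multiport --dports %s -m limit --limit 6/min -j LOG --log-prefix "P2P-KAZAA-OUT "\n' "$LAN_IF" "$KAZAA_TCP_PORTS"
    printf 'iptables -A FORWARD -i %s -p tcp -m multiport --dports %s -j DROP\n' "$LAN_IF" "$KAZAA_TCP_PORTS"
    printf 'iptables -A FORWARD -o %s -p tcp -m multiport --dports %s -m limit --limit 6/min -j LOG --log-prefix "P2P-KAZAA-IN "\n' "$LAN_IF" "$KAZAA_TCP_PORTS"
    printf 'iptables -A FORWARD -o %s -p tcp -m multiport --dports %s -j DROP\n' "$LAN_IF" "$KAZAA_TCP_PORTS"
}

# kazaa_rule_count -> number of commands emitted
kazaa_rule_count() { kazaa_block_rules | wc -l | tr -d ' '; }

# covers_port PORT -> exit 0 if PORT is in the blocked list. Useful to show
# what the article's caveat means: a client falling back to another port
# (80, say) is not caught by this rule set.
covers_port() {
    case ",$KAZAA_TCP_PORTS," in *",$1,"*) return 0 ;; *) return 1 ;; esac
}

# Usage: sh kazaa_block.sh --print | sh      (review output before piping)
if [ "${1:-}" = "--print" ]; then kazaa_block_rules; fi
```

Because the LOG rules carry a fixed prefix, a grep for P2P-KAZAA- in the gateway's syslog gives the internal addresses that tried to reach the Kazaa ports, which is the list of machines to visit under the policy item that follows. Port blocking alone stays, as the article says, a start rather than a complete answer.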

Policies and procedures. Let users know that they should not have P2P software on corporate computers. If they have corporate data on their home computers and are running P2P software, additional controls must be put in place.

Software monitoring. Software from Vericept and SilentRunner can be used to see exactly what users are doing on the network.

In short, P2P programs are hugely popular and can’t be stopped. But by being aware of the real security and privacy issues, users can be more vigilant in their use of such systems. Companies that are not proactive with regard to P2P file sharing will find that much of their supposed competitive advantage is quickly shared with the masses and thereby lost.

Ben Rothke, CISSP, is a New York-based security consultant with ThruPoint, Inc. McGraw-Hill has just published his Computer Security: 20 Things Every Employee Should Know. He can be reached at [email protected]

ATTENTION: COPYRIGHTED MATERIAL. It is unlawful to photocopy this page without express written permission of Computer Security ALERT.


TOOLS & TECHNIQUES