Another missing file


According to Christopher Gormley, chief operating officer at Tiversa Inc., a Cranberry Township, Pasadena-based P2P network monitoring firm, about 1.5 billion searches take place on P2P (peer-to-peer) networks daily, on average, compared with 180 million on Google, and a growing number of those searches are being done for malicious purposes. Gormley also said that Tiversa has noticed the emergence of several data aggregators whose sole purpose seems to be collecting information on P2P networks for their own illegal uses or to resell to other miscreants.

1.5 billion compared to 180 million is almost 10 times as many searches. And because they are being done on P2P networks, these searches are uncovering the files stored on individual computers connected to the Internet, computers which range from individuals at home right through to machines in the heart of large corporations. Direct access to information on these computers can reveal a lot more than the person intended - P2P software often allows access to many of the folders on the computer on which it is installed by default rather than by permission. This means that the person who installed the P2P software often unwittingly exposes all the data on their computer to the rest of the world, and this can include password files, personal information, private lists and much more.

Numerous organisations have suffered data leaks as a result of such carelessness. Last year, for instance, the personal data of about 17,000 Pfizer employees was exposed after an employee installed unauthorized P2P software on her laptop. And at a US Senate hearing last year, lawmakers heard testimony from several witnesses about the abundance of classified government and military documents as well as corporate data freely available on P2P networks.

The data said to be available included a full diagram of the Pentagon’s secret backbone network infrastructure, complete with IP addresses and password-change scripts; contractor data on radio-frequency manipulation techniques for dealing with improvised explosive devices in Iraq; the complete minutes of a board meeting held at a large financial services company; and the detailed launch plan of a start-up company, complete with growth targets and other business forecasts.

Naturally, the immediate reaction is to not allow P2P software and so remove the risk of this happening. But people are creative and find ways around the rules which means P2P software will creep in and the risk resurface. And while the main threat comes from public P2P software (e.g. Limewire, Kazaa), P2P technology is also being used as a business enabler in many organisations.

So, the big question is how do we mitigate confidential data loss? One thought is to focus attention on network monitoring to see which files are being sent in and out of corporate networks. However, I am not sure how much this benefits us, as it doesn’t directly distinguish illegal transmission from legal transmission - it simply gives us an audit trail we can dissect when the proverbial excrement hits the fan.

However, there may be a more straightforward solution … most connected systems use specific port numbers over which they transmit data. A corporate network should have a known port topology, i.e. we should be able to define exactly which ports are needed for communication with the outside world, and in which direction that communication should flow. So, for example, if we needed port 6346 to be open (which is Limewire’s default communication port), we could easily define which direction traffic was allowed in. We could block outbound traffic on that port with a simple rule in the firewall and so stop it dead in its tracks. We could work through all the ports (OK, there are a lot) and define a full firewall map and so manage corporate network traffic exactly as we needed to. The remaining ports could be monitored if required, but this would be a more manageable task.
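An added example (not from the post) of the port-map idea above: a hypothetical corporate egress policy is written down as a set of allowed (protocol, port) pairs, constructed flow records are checked against it so that a Gnutella/Limewire connection on port 6346 stands out, and the same map is rendered as a default-deny iptables FORWARD chain for a Linux gateway. The address range, interface name and flow records are all constructed for the example.

```python
import re
from typing import List, Set, Tuple
# Hypothetical corporate port map: (protocol, destination port) pairs that may
# leave the network. Anything else, including Gnutella/Limewire's default
# port 6346, is denied by default.
OUTBOUND_ALLOWED: Set[Tuple[str, int]] = {("tcp", 80), ("tcp", 443), ("udp", 53), ("tcp", 25)}
INTERNAL_PREFIX = "10."   # constructed: the corporate address range
WAN_IF = "eth1"           # assumed name of the gateway's external interface

# Constructed flow records: "<src> -> <dst> <proto>/<dport>"
FLOW_LOG = """\
10.1.4.22 -> 64.12.9.5 tcp/443
10.1.4.22 -> 72.14.205.99 udp/53
10.1.7.130 -> 85.23.11.9 tcp/6346
10.1.7.130 -> 85.23.11.9 udp/6346
10.1.9.8 -> 10.1.2.1 tcp/445
"""
FLOW_RE = re.compile(r"^(\S+) -> (\S+) (tcp|udp)/(\d+)$")

def parse_flows(text: str) -> List[Tuple[str, str, str, int]]:
    """Return (src, dst, proto, dport) for each well-formed line; skip the rest."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if m:
            flows.append((m.group(1), m.group(2), m.group(3), int(m.group(4))))
    return flows

def outbound_violations(flows, allowed=OUTBOUND_ALLOWED):
    """Flows that leave the corporate range on a (proto, port) the map does not permit."""
    bad = []
    for src, dst, proto, dport in flows:
        leaves = src.startswith(INTERNAL_PREFIX) and not dst.startswith(INTERNAL_PREFIX)
        if leaves and (proto, dport) not in allowed:
            bad.append((src, dst, proto, dport))
    return bad

def iptables_egress_rules(allowed=OUTBOUND_ALLOWED) -> List[str]:
    """Render the port map as a default-deny FORWARD chain for a Linux gateway."""
    rules = ["iptables -P FORWARD DROP",
             "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"]
    for proto, port in sorted(allowed):
        rules.append(f"iptables -A FORWARD -o {WAN_IF} -p {proto} --dport {port} "
                     f"-m conntrack --ctstate NEW -j ACCEPT")
    return rules
if __name__ == "__main__":
    for flow in outbound_violations(parse_flows(FLOW_LOG)):
        print("not in port map, would be dropped:", flow)
    print("\n".join(iptables_egress_rules()))
```

The internal SMB flow (10.1.9.8 to 10.1.2.1) is not reported because it never crosses the perimeter; only the two port-6346 connections leaving the range are flagged.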

Quick reference lists of common port numbers abound, and so a network administrator would be able to quickly present a route-map to securing their corporate network and earn a few brownie points from their CIO. Of course, implementing or even suggesting such a plan of action might be met with blank stares, because few people are fully aware of the risk to their sensitive data from uncontrolled P2P applications.

IRC Beginners Reference
List of Common TCP/IP numbers (PDF)

Let’s hope this article helps IT departments get a head start on securing their networks, or at least raising awareness of the issue to the execs.

Article inspired by: File-sharing breach at investment firm highlights dangers of P2P networks — again

Skewing Analytics


Towards the end of May, the AVG Security Suite started spewing fake hits to websites across the web which appear as web stats in your web analytics reports. Given there are approximately 20 million users of the new AVG suite, this amounts to a very large amount of fake traffic.

In February, AVG acquired Exploit Prevention Labs and its LinkScanner tool, then bundled the tool in the latest AVG release. What the LinkScanner does - in an effort to protect the user from being hacked, spammed or spoofed - is to pretend that it is a human and “clicks” on every link found in search engine results. So when you visit Google and search for something, every single result found is visited by LinkScanner to determine if the website linked is legitimate or a link to malware. The end result is what appears to be real traffic on the website.

For small sites, this is not going to make much difference, although it may appear you have more visitors than usual. For larger sites with high traffic volumes, this will mean a large spike in traffic. But, it will also potentially mean larger bills because website owners have to pay for bandwidth (small sites are below the minimum threshold so this doesn’t become an issue).

Adam Beale, who runs a UK-based internet consultancy, says that across his small stable of clients, traffic has spiked as much as 80 per cent on some sites. And this is more than just an inconvenience. After all, sites live and die by their traffic numbers. And net resources aren’t free.

“Although [the AVG LinkScanner] might be good for the security of users, it’s a real pain for website owners and webmasters. It’s causing people to think their traffic is increasing, costing those who pay for bandwidth, and wasting disk space with large amounts of unnecessary lines in log files.”

One of his clients, Beale says, normally pulls in 140GB of bandwidth a month, and for June, he predicts a 5 per cent jump.

At the moment, there is a way of filtering AVG traffic from log files. But it’s unclear whether this method would filter out legitimate traffic as well. After all, the traffic appears to come from numerous legitimate IP addresses of general web users. And AVG suggests that - in the name of high security - they may make changes that prevent such filtering. After all, if you can filter it, so can the malware producers they are trying to block.

“A situation like this generates false traffic, bogus data, and this leads to wrong budget decisions and marketing activities,” says Barry Parshall, director of product management at WebTrends, a popular web analytics firm. “I completely get the value proposition [of LinkScanner], but it would be responsible of them to identify themselves, with agent code or whatever it might be, so legitimate businesses can serve their customers properly.”

AVG have promised a fix to alleviate this condition, but until then pay close attention to the number of very short duration visits you receive on your website (assuming you have good analytics software that shows you this kind of statistic). If you are using basic log file analysis software that does not show the duration of visits or allow you to drill down into the details, it may be time to upgrade or consider more thorough tools such as Google Analytics, Yahoo!, comScore, or Nielsen NetRatings.
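An added example (not from the post) of the check suggested above: it parses constructed Apache combined-format log lines (layout assumed), groups hits into visits by client address and user agent, works out each visit's duration and reports the visits that are single-hit, zero-duration ones, the pattern a tool that pre-fetches every search result leaves in a log. The addresses, paths and user agents are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Apache/NCSA "combined" log layout, assumed for this example.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
                    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: one genuine visit (three page views over two minutes) plus
# three one-hit visits from unrelated addresses, which is what a tool that
# pre-fetches every search result leaves behind in the log.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jun/2008:09:12:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jun/2008:09:12:40 +0000] "GET /pricing HTTP/1.1" 200 4210 "http://example.test/" "Mozilla/5.0"
198.51.100.17 - - [10/Jun/2008:09:12:44 +0000] "GET /blog/post-12 HTTP/1.1" 200 8100 "-" "Mozilla/4.0"
203.0.113.5 - - [10/Jun/2008:09:14:02 +0000] "GET /contact HTTP/1.1" 200 3900 "http://example.test/pricing" "Mozilla/5.0"
198.51.100.44 - - [10/Jun/2008:09:14:10 +0000] "GET /blog/post-7 HTTP/1.1" 200 7700 "-" "Mozilla/4.0"
192.0.2.9 - - [10/Jun/2008:09:15:33 +0000] "GET /blog/post-12 HTTP/1.1" 200 8100 "-" "Mozilla/4.0"
"""
Visit = Tuple[str, str]  # (client address, user agent) identifies a visit here

def parse_log(text: str) -> List[Tuple[Visit, datetime]]:
    """Return (visit key, timestamp) per well-formed line; malformed lines are skipped."""
    out = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            out.append(((m["ip"], m["ua"]), datetime.strptime(m["ts"], TS_FMT)))
    return out

def visit_summary(entries) -> Dict[Visit, Tuple[int, int]]:
    """Map each visit to (number of hits, seconds from its first hit to its last)."""
    stamps = defaultdict(list)
    for key, ts in entries:
        stamps[key].append(ts)
    return {k: (len(v), int((max(v) - min(v)).total_seconds())) for k, v in stamps.items()}

def short_visits(summary, max_seconds: int = 5) -> List[Visit]:
    """Visits no longer than max_seconds; a single-hit visit has duration 0 and always qualifies."""
    return sorted(k for k, (_, secs) in summary.items() if secs <= max_seconds)

if __name__ == "__main__":
    s = visit_summary(parse_log(SAMPLE_LOG))
    flagged = short_visits(s)
    print(f"{len(flagged)} of {len(s)} visits are short; investigate if this share jumps:")
    for ip, ua in flagged:
        print(" ", ip, ua)
```

A sudden rise in the share of such visits is the signal worth watching; the count alone cannot tell a scanner from a genuine bounce, which is the same limitation the post notes for filtering by address.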

UPDATE: 31st July - AVG has now been updated to prevent the spurious web stats issues from the LinkScanner tool. More here.
