"Dad, mind if I borrow the keys to the network tonight? I'll be real careful. I'm just going to swap files with millions of strangers, maybe accidentally download a Trojan or two, and leave a truck-sized hole in our firewall."
It's rarely put to you that way, at home or at work. But that's the likely outcome if an employee installs a peer-to-peer (P2P) file-swapping program on one of your PCs. Hackers may already be using your network as if it were their own. In fact, developers of these programs may be using your computing resources as their own as well.
More than 100 million copies of KaZaA (the current fave for music-, game- and video-swapping) have been downloaded so far, says developer Sharman Networks. Millions more use Morpheus, Gnutella and other rec-ware. Considering the resources required, it's long odds that none are trafficking over the storage-rich, broadband-connected LANs of their employers.
"I guarantee this is already on some business computers," says Jay Jacobson, CEO of Edgeos Inc. in Phoenix. His security firm rates P2P software as "high-risk," a characterization most experts enthusiastically support.
"The whole concept of P2P is frightening from a security standpoint," says Barry Stauffer, CEO of Corbett Technologies, a government security consulting firm in Alexandria, Virginia.
Why so tense? A P2P program puts a hole in the company firewall, explains Stauffer. KaZaA uses port 1226 to broadcast to the world that this PC is a swap meet. But open any of a PC's 65,550 ports without close monitoring, and the welcome mat is out for bad guys.
Swapsters also get their kicks from hacker sites and chat rooms, Jacobson says. They're the favorite patsies of expert crackers, and there's no way to tell how many have accepted infected programs from Internet buddies.
The Benjamin worm was the first hitchhiker on KaZaA downloads. It was quickly followed by a software fix, but, like all fixes, don't expect all the KaZaA-nocenti to use it. Even if they do, Benny is just the first of many bugs that will be brought home to momma.
P2P software, notes Jacobson, behaves like the DDOS Trojans hackers use to hijack thousands of PCs yearly. Like any Trojan on your hard drive, P2P software broadcasts the availability of your files to strangers and enlists your PCs in activities beyond your control.
It makes an open-ended claim on your processor and drive resources and can gobble up network bandwidth. According to Sharman, up to four people can download something from each of your PCs at any one time, with the fifth, sixth or 50th waiting in line.
"People who use this software always have something going on inside their computers," says Michael Erbschloe, vice president of research at Computer Economics, "but they never know what."
A study by Nathan Good, an HP Labs computer scientist, found KaZaAsters often don't use the software correctly, exposing e-mail and financial records, even entire PCs, to cyber-beachcombers.
Even worse, when Windows Network Neighborhood is on, any network directory visible from that PC is just as visible to someone outside the firewall. Even if it isn't, once inside your firewall, an experienced hacker will run amok. "Networks are like M&Ms," explains Mark Lobel, senior manager of security services at PricewaterhouseCoopers. "The firewall is the hard outer shell; the PCs and servers inside are soft."
Sadly, the first to exploit rec-ware customers weren't hackers, but their benefactors. You can't support a business by giving stuff away, so P2P developers sell their customers' PC resources, eyeballs or personal browsing information to business partners.
Spyware and adware often piggyback on P2P downloads, then work in the background to record surfing habits or pop up ads unrelated to browsed Web sites. Until outed by the media, Sharman was secretly installing Brilliant Digital's Altnet network to redirect surfers to partner sites. Now Altnet is used to push for-pay content ahead of KaZaA's free files. Permission for this is given by clicking on long, seldom-read licensing agreements. Once installed, these programs are difficult to remove. Also, it's unclear what your liability will be if someone is harmed.
According to Michael Gartenberg, research director at Jupiter Media Metrix, "Trading software raises intellectual property rights issues for an employer and puts the company at risk."
Just Say No
Security experts agree that the only answer to unauthorized file-sharing at the office is to just say no. But firewall quality varies, and even if yours is industrial-strength, it must be configured correctly and regularly updated. Consider intrusion detectors and external security audits, too.
Even then, security measures are only as good as those who use them. KaZaA itself may be no less secure than Microsoft Internet Explorer. But with the way P2P works, anonymously, quickly and without control, it breeds mistakes.
Sharman's answer is to use third-party virus protection and to "be careful out there."
That's the kind of attitude hackers just love to hear.
Mike Hogan is Entrepreneur's technology editor.
- Computer Economics
5841 Edison Pl., #130, Carlsbad, CA 92008, http://www.computereconomics.com
- Corbett Technologies
(703) 519-8639, www.corbett-tech.com
- Edgeos Inc.
(480) 961-5996, www.edgeos.com
- HP Labs
- Jupiter Media Metrix
(212) 780-6060, www.jmm.com
- PricewaterhouseCoopers
(646) 471-5731, www.pwcglobal.com/security