Yesterday the US House of Representatives approved legislation that would specify and limit open-network P2P usage by government employees and contractors on systems authorized to connect to federal computers and network resources. As with everything in life, there are exceptions. Requests to use open-network P2P applications can be made for the following purposes:
You might be wondering what the government considers, and doesn't consider, P2P software. Here's the list – provided directly from the act:
PEER-TO-PEER FILE SHARING SOFTWARE- The term ‘peer-to-peer file sharing software’–
(A) means a program, application, or software that is commercially marketed or distributed to the public and that enables–
(i) a file or files on the computer on which such program is installed to be designated as available for searching and copying to one or more other computers;
(ii) the searching of files on the computer on which such program is installed and the copying of any such file to another computer–
(I) at the initiative of such other computer and without requiring any action by an owner or authorized user of the computer on which such program is installed; and
(II) without requiring an owner or authorized user of the computer on which such program is installed to have selected or designated another computer as the recipient of any such file; and
(iii) an owner or authorized user of the computer on which such program is installed to search files on one or more other computers using the same or a compatible program, application, or software, and copy such files to such owner or user’s computer; and
(B) does not include a program, application, or software designed primarily–
(i) to operate as a server that is accessible over the Internet using the Internet Domain Name system;
(ii) to transmit or receive email messages, instant messaging, real-time audio or video communications, or real-time voice communications; or
(iii) to provide network or computer security (including the detection or prevention of fraudulent activities), network management, maintenance, diagnostics, or technical support or repair.
Consequently, this comes a few weeks after the DoD lifted its ban on removable thumb drives and about the same time the Air Force is implementing stringent mandates on the use of Air Force-issued BlackBerrys (http://www.afspc.af.mil/news/story.asp?id=123195273).
Historically, open-network P2P applications have had their share of problems with distribution of copyrighted material, software piracy and malware distribution – to name a few. And since P2P applications can bypass firewalls and filters, sensitive information can be leaked out of any machine running file-sharing software. One caveat that many users don't realize is that, depending on the application installed, a significant amount of data can be shared with the rest of the world by default without the user being aware of that setting. This was clearly the case in this article regarding tax returns.
I'm sure if you searched hard enough (it doesn't require much effort) you would be able to find various reports of security incidents tied to P2P information exfiltration. For instance, do you recall when the first lady's safe house location was leaked to the public (http://www.scmagazineus.com/first-ladys-safe-house-location-leaked-on-p2p/article/140820/)? Or how about when the Marine One blueprints and avionics information were leaked via P2P (http://www.wpxi.com/news/18818589/detail.html)?
There are over 200 file-sharing applications in circulation today. A good example of the extent of what can be found on file-sharing networks can be seen in the MSNBC video (http://www.msnbc.msn.com/id/3032619/vp/29454879#29454879). In the interview, the reporter stated that they were able to find:
So, how do you determine if P2P apps are being used in your home or place of business? Here are a few helpful pointers; this list could be huge, so I'll limit it to a handful of items:
This post opens up the potential for a lot of feedback in regard to spotting P2P apps and traffic. I look forward to the comments.
It's the end of a long week with lots of security-related events. So long, and thanks for all the fish…
Sr. Director, Research
Author ESET Research, ESET