Yesterday the US House of Representatives approved legislation that would specify and limit open-network P2P usage by government employees and contractors on systems authorized to connect to federal computers and network resources. As with everything in life, there are exceptions. Requests to use open-network P2P applications can be made for the following purposes:

  1. necessary for the day-to-day business operations of the agency;
  2. instrumental in completing a particular task or project that directly supports the agency’s overall mission;
  3. necessary for use between, among, or within Federal, State, or local government agencies in order to perform official agency business; or
  4. necessary for use during the course of a law enforcement investigation.

You might be wondering what the government considers, and doesn't consider, P2P software. Here's the definition, taken directly from the act:

PEER-TO-PEER FILE SHARING SOFTWARE- The term ‘peer-to-peer file sharing software’--

(A) means a program, application, or software that is commercially marketed or distributed to the public and that enables--

(i) a file or files on the computer on which such program is installed to be designated as available for searching and copying to one or more other computers;

(ii) the searching of files on the computer on which such program is installed and the copying of any such file to another computer--

(I) at the initiative of such other computer and without requiring any action by an owner or authorized user of the computer on which such program is installed; and

(II) without requiring an owner or authorized user of the computer on which such program is installed to have selected or designated another computer as the recipient of any such file; and

(iii) an owner or authorized user of the computer on which such program is installed to search files on one or more other computers using the same or a compatible program, application, or software, and copy such files to such owner or user’s computer; and

(B) does not include a program, application, or software designed primarily--

(i) to operate as a server that is accessible over the Internet using the Internet Domain Name system;

(ii) to transmit or receive email messages, instant messaging, real-time audio or video communications, or real-time voice communications; or

(iii) to provide network or computer security (including the detection or prevention of fraudulent activities), network management, maintenance, diagnostics, or technical support or repair.

Coincidentally, this comes a few weeks after the DoD lifted its ban on removable thumb drives and at about the same time the Air Force is implementing stringent mandates on the use of Air Force-issued BlackBerrys (http://www.afspc.af.mil/news/story.asp?id=123195273).

Historically, open-network P2P applications have had their share of problems with distribution of copyrighted material, software piracy and malware distribution, to name a few. And since P2P applications can tunnel past firewalls and content filters, sensitive information can be leaked from any machine that runs one of the many file-sharing clients. One caveat that many users don't realize is that, depending on the application that's been installed, a significant amount of data (often entire user folders) can be shared with the rest of the world by default, without the user ever being aware of the setting. This was clearly the case in this article regarding tax returns.

I'm sure if you searched hard enough (it doesn't require much effort) you would be able to find various reports of security incidents tied to P2P information exfiltration. For instance, do you recall when the first lady's safe house location was leaked to the public (http://www.scmagazineus.com/first-ladys-safe-house-location-leaked-on-p2p/article/140820/)? Or how about when the Marine One blueprints and avionics information were leaked via P2P (http://www.wpxi.com/news/18818589/detail.html)?

There are currently over 200 file-sharing applications in circulation. A good example of the extent of what can be found on file-sharing networks can be seen in the MSNBC video (http://www.msnbc.msn.com/id/3032619/vp/29454879#29454879). In the interview, the reporter stated that they were able to find:

  1. 150,000 tax returns from the state of NY
  2. 600,000 credit reports
  3. 25,000 student loans

So, how do you determine if P2P apps are being used in your home or place of business? This list could be huge, so I'll limit it to a handful of helpful pointers:

  1. a large number of movie and/or music files on a computer
  2. unfamiliar programs running in the system tray (this can be indicative of other problems as well)
  3. unfamiliar programs in the Add/Remove Programs list
  4. a few of the popular file-sharing apps to look out for: eDonkey, Kazaa, LimeWire, BearShare, eMule, BitTorrent, WinMX, Morpheus
  5. sustained UDP traffic to a large number of distinct outside hosts is a decent indicator of P2P traffic, but not always
  6. port identification is possible, but difficult, because applications like uTorrent can randomize their listening port as well as letting the user pick one manually, so a list of default ports will only catch the clients nobody bothered to reconfigure
  7. in the end it's a matter of knowing your normal bandwidth usage and traffic patterns, and spotting the anomalies
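To make the network-side pointers concrete, here is an added example (mine, not part of the original post and not any product's detection logic) that runs three of those signals over a batch of flow-style connection records: a table of the clients' well-known default ports, a port-independent check for the BitTorrent peer-wire handshake (a length byte of 19 followed by the string "BitTorrent protocol"), and a count of how many distinct outside hosts each internal machine talks to over UDP. The port table and the fan-out threshold of 50 are assumptions to tune for your own site, and the sample records are constructed using documentation address ranges. It goes a little beyond the list above by showing why the handshake and fan-out signals survive port randomization while the port table does not.

```python
"""Flag internal hosts whose traffic looks like P2P file sharing.

Illustrative detector over flow-style records (one dict per connection).
Added as an example; the port table, threshold and sample records are
assumptions, not data from the original post.
"""
from collections import defaultdict

# Default listening ports of common clients.  Defaults only: most clients let
# users change or randomise the port, so this is a weak signal on its own.
DEFAULT_P2P_PORTS = {
    1214: "Kazaa/FastTrack",
    4662: "eDonkey/eMule TCP",
    4672: "eMule UDP",
    6346: "Gnutella (LimeWire, BearShare, Morpheus)",
    6347: "Gnutella",
    6699: "WinMX",
    **{p: "BitTorrent" for p in range(6881, 6890)},
}

# First 20 bytes of a BitTorrent peer-wire handshake: length byte 19 followed
# by the protocol name.  Works whatever port the client chose.
BT_HANDSHAKE = b"\x13BitTorrent protocol"

# A workstation talking UDP to this many distinct outside hosts in one
# window is unusual for ordinary office traffic (assumed value; tune per site).
UDP_PEER_THRESHOLD = 50


def is_private(ip):
    """RFC 1918 check, good enough to separate inside from outside hosts."""
    return (ip.startswith("10.") or ip.startswith("192.168.")
            or any(ip.startswith("172.%d." % n) for n in range(16, 32)))


def analyse(records):
    """Return {internal_host: sorted list of reasons} for suspicious hosts.

    Each record has keys proto, src, sport, dst, dport and an optional
    payload (first bytes of the stream, if the sensor keeps them).
    """
    reasons = defaultdict(set)
    udp_peers = defaultdict(set)
    for r in records:
        host, peer, peer_port = r["src"], r["dst"], r["dport"]
        if r["proto"] == "udp" and not is_private(peer):
            udp_peers[host].add(peer)
        if peer_port in DEFAULT_P2P_PORTS:
            reasons[host].add("default port %d (%s)" % (peer_port, DEFAULT_P2P_PORTS[peer_port]))
        if r.get("payload", b"").startswith(BT_HANDSHAKE):
            reasons[host].add("BitTorrent handshake on port %d" % peer_port)
    for host, peers in udp_peers.items():
        if len(peers) >= UDP_PEER_THRESHOLD:
            reasons[host].add("UDP fan-out to %d distinct outside hosts" % len(peers))
    return {h: sorted(v) for h, v in reasons.items()}


# Constructed sample: 10.0.0.5 runs a torrent client on a randomised port,
# 10.0.0.7 does ordinary DNS and HTTPS, 10.0.0.9 talks to an eDonkey default port.
SAMPLE = (
    [{"proto": "tcp", "src": "10.0.0.5", "sport": 51234, "dst": "203.0.113.%d" % i,
      "dport": 41000 + i, "payload": BT_HANDSHAKE + b"\x00" * 8} for i in range(5)]
    + [{"proto": "udp", "src": "10.0.0.5", "sport": 51234, "dst": "198.51.100.%d" % i,
        "dport": 30000 + i} for i in range(1, 81)]
    + [{"proto": "udp", "src": "10.0.0.7", "sport": 55000, "dst": "10.0.0.1", "dport": 53}] * 30
    + [{"proto": "tcp", "src": "10.0.0.7", "sport": 55001, "dst": "93.184.216.34", "dport": 443}]
    + [{"proto": "tcp", "src": "10.0.0.9", "sport": 40001, "dst": "192.0.2.44", "dport": 4662}]
)

if __name__ == "__main__":
    for host, why in analyse(SAMPLE).items():
        print(host, "->", "; ".join(why))
```

Note which signal catches which host: the torrent client on 10.0.0.5 never touches a default port, so only the handshake bytes and the UDP fan-out expose it, while 10.0.0.9 is caught by the port table alone. The 30 DNS lookups from 10.0.0.7 go to one internal resolver and so never trip the fan-out count, which is the point of counting distinct outside hosts rather than raw UDP packets.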

This post opens up the potential for a lot of feedback in regard to spotting P2P apps and traffic. I look forward to the comments.

It's the end of a long week with lots of security-related events. So long, and thanks for all the fish...

Jeff Debrosse

Sr. Director, Research