Popular P2P apps could expose sensitive files, report says
Kazaa, LimeWire and Morpheus were among the programs cited
Computerworld - Did the distributors of popular peer-to-peer file-sharing programs such as Kazaa, LimeWire and Morpheus include features in their products that they knew, or should have known, could cause users to inadvertently share sensitive information on their computers with other users of the software?
According to the U.S. Patent and Trademark Office (USPTO), the answer is an unequivocal yes. The agency last week released an 80-page report based on an analysis of five specific features included in file-sharing software from Kazaa, LimeWire, Morpheus, BearShare and eDonkey between 2003 and 2006.
It concludes that the distributors of the programs repeatedly deployed features "that had a known propensity to trick users" into unknowingly sharing files on their computers with others. "Some distributors even responded to reports of inadvertent sharing by releasing new versions of their programs that seemed improved, but actually perpetuated inadvertent sharing caused by features previously deployed," the report noted.
More investigation is needed to determine whether the distributors included the features with the intent to induce copyright infringement or inadvertent file sharing, the report noted.
The issues raised in the report go beyond copyright infringement and illegal file sharing, because the features that were studied pose a real threat to the security of personal, corporate and government data on computers on which such programs are running, said Jon Dudas, under secretary of commerce for intellectual property and director of the USPTO.
The primary objective in releasing the report is to raise awareness of the issue among those who can do something about it, Dudas said. He added that copies of the report have been forwarded to the Department of Justice, the Federal Trade Commission and the National Association of Attorneys General.
The distributors of Morpheus, Kazaa and LimeWire did not immediately respond to requests for comment. EDonkey's software is no longer available.
Among the features that were analyzed in the report were the following: redistribution features that, by default, caused users to automatically upload and share all of the files they downloaded with strangers; share-folder and search-wizard features that enabled not just the sharing of copyrighted files but also of other information on a user's computer; and coerced-sharing features that made it far more difficult for users to disable the sharing of folders used to store downloaded files.
Several of these features were previously known to be dangerous, Dudas said.
For example, research from as far back as 2003 had shown that inadvertent file sharing could be caused by the search-wizard and share-folder features, the report noted. However, that did not stop the distributors from deploying "more aggressive" versions of such functions in later products, it said. The same is true of the other features that were studied in the report.
The USPTO report also provided examples in which the inadvertent sharing of information enabled by such features resulted in serious consequences. It quoted a 2005 information bulletin from the U.S. Department of Homeland Security mentioning documented incidents of peer-to-peer file sharing resulting in sensitive government documents ending up on "non-U.S computers." It also mentioned a November 2006 case in which the district attorney in Denver indicted a gang of identity thieves who had used LimeWire to steal names and account information from scores of individuals and businesses around the country.