Popular P2P apps could expose sensitive files, report says
Kazaa, LimeWire and Morpheus were among the programs cited
Computerworld - Did the distributors of popular peer-to-peer file-sharing programs such as Kazaa, LimeWire and Morpheus include features in their products that they knew, or should have known, could cause users to inadvertently share sensitive information on their computers with other users of the software?
According to the U.S. Patent and Trademark Office (USPTO), the answer is an unequivocal yes. The agency last week released an 80-page report based on an analysis of five specific features included in file-sharing software from Kazaa, LimeWire, Morpheus, BearShare and eDonkey between 2003 and 2006.
It concludes that the distributors of the programs repeatedly deployed features "that had a known propensity to trick users" into unknowingly sharing files on their computers with others. "Some distributors even responded to reports of inadvertent sharing by releasing new versions of their programs that seemed improved, but actually perpetuated inadvertent sharing caused by features previously deployed," the report noted.
More investigation is needed to determine whether the distributors included the features with the intent to induce copyright infringement or inadvertent file sharing, the report noted.
The issues raised in the report go beyond copyright infringement and illegal file sharing, because the features that were studied pose a real threat to the security of personal, corporate and government data on computers on which such programs are running, said Jon Dudas, under secretary of commerce for intellectual property and director of the USPTO.
The primary objective in releasing the report is to raise awareness of the issue among those who can do something about it, Dudas said. He added that copies of the report have been forwarded to the Department of Justice, the Federal Trade Commission and the National Association of Attorneys General.
The distributors of Morpheus, Kazaa and LimeWire did not immediately respond to requests for comment. EDonkey's software is no longer available.
Among the features that were analyzed in the report were the following: redistribution features that, by default, caused users to automatically upload and share all of the files they downloaded with strangers; share-folder and search-wizard features that enabled not just the sharing of copyrighted files but also of other information on a user's computer; and coerced-sharing features that made it far more difficult for users to disable the sharing of folders used to store downloaded files.
Several of these features were previously known to be dangerous, Dudas said.
For example, research from as far back as 2003 had shown that inadvertent file sharing could be caused by the search-wizard and share-folder features, the report noted. However, that did not stop the distributors from deploying "more aggressive" versions of such functions in later products, it said. The same is true of the other features that were studied in the report.
The USPTO report also provided examples in which the inadvertent sharing of information enabled by such features resulted in serious consequences. It quoted a 2005 information bulletin from the U.S. Department of Homeland Security mentioning documented incidents of peer-to-peer file sharing resulting in sensitive government documents ending up on "non-U.S computers." It also mentioned a November 2006 case in which the district attorney in Denver indicted a gang of identity thieves who had used LimeWire to steal names and account information from scores of individuals and businesses around the country.