Popular P2P apps could expose sensitive files, report says
Kazaa, LimeWire and Morpheus were among the programs cited
Computerworld - Did the distributors of popular peer-to-peer file-sharing programs such as Kazaa, LimeWire and Morpheus include features in their products that they knew, or should have known, could cause users to inadvertently share sensitive information on their computers with other users of the software?
According to the U.S. Patent and Trademark Office (USPTO), the answer is an unequivocal yes. The agency last week released an 80-page report based on an analysis of five specific features included in file-sharing software from Kazaa, LimeWire, Morpheus, BearShare and eDonkey between 2003 and 2006.
It concludes that the distributors of the programs repeatedly deployed features "that had a known propensity to trick users" into unknowingly sharing files on their computers with others. "Some distributors even responded to reports of inadvertent sharing by releasing new versions of their programs that seemed improved, but actually perpetuated inadvertent sharing caused by features previously deployed," the report noted.
More investigation is needed to determine whether the distributors included the features with the intent to induce copyright infringement or inadvertent file sharing, the report noted.
The issues raised in the report go beyond just copyright infringement and illegal file sharing, because the features that were studied pose a real threat to the security of personal, corporate and government data on computers in which such programs are running, said Jon Dudas, under secretary of commerce for intellectual property and director of the USPTO.
The primary objective in releasing the report is to raise awareness of the issue among those who can do something about it, Dudas said. He added that copies of the report have been forwarded to the Department of Justice, the Federal Trade Commission and the National Association of Attorneys General.
The distributors of Morpheus, Kazaa and LimeWire did not immediately respond to requests for comment. EDonkey's software is no longer available.
Among the features that were analyzed in the report were the following: redistribution features that, by default, caused users to automatically upload and share all of the files they downloaded with strangers; share-folder and search-wizard features that enabled not just the sharing of copyrighted files but also of other information on a user's computer; and coerced-sharing features that made it far more difficult for users to disable the sharing of folders used to store downloaded files.
Several of these features were previously known to be dangerous, Dudas said.
For example, research from as far back as 2003 had shown that inadvertent file sharing could be caused by the search-wizard and share-folder features, the report noted. However, that did not stop the distributors from deploying "more aggressive" versions of such functions in later products, it said. The same is true of the other features that were studied in the report as well.
The USPTO report also provided examples in which the inadvertent sharing of information enabled by such features resulted in serious consequences. It quoted a 2005 information bulletin from the U.S. Department of Homeland Security mentioning documented incidents of peer-to-peer file sharing resulting in sensitive government documents ending up on "non-U.S computers." It also mentioned a November 2006 case in which the district attorney in Denver indicted a gang of identity thieves who had used LimeWire to steal names and account information from scores of individuals and businesses around the country.
Read more about Security in Computerworld's Security Topic Center.
- Enable secure remote access to 3D data without sacrificing visual perfomance Design and manufacturing companies must adapt quickly to the demands of an increasingly global and competitive economy. To speed time to market for...
- Virtually Delivered High Performance 3D Graphics "A picture is worth a thousand words." That old phrase is as true today as it ever was. Pictures (i.e., those with heavy...
- Best Practices for Securing Hadoop Historically, Apache Hadoop has provided limited security capabilities. To protect sensitive data being stored and analyzed in Hadoop, security architects should use a...
- Top Tips for Securing Big Data Environments: Why Big Data Doesn't Have to Mean Big Security Challenges Organizations must come to terms with the security challenges they introduce. As big data environments ingest more data, organizations will face significant risks...
- What should I look for in a Next Generation Firewall? SANS Provides Guidance With so many vendors claiming to have a Next Generation Firewall (NGFW), it can be difficult to tell what makes each one different....
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!