surrounded by reality
the things I saw along the way - Rick Keir

Tuesday, July 16, 2002

Usability as a security threat: Kazaa file sharing software

Kazaa is one of the most popular post-Napster peer-to-peer file sharing programs. At a recent security conference on campus, network admins in the audience and on the panels repeatedly cited it as a major, recurring problem on their machines: students and staff alike kept reinstalling it, and it was both a bandwidth hog and a security risk. Most people at the conference were clearly thinking of the security risk as coming from the unintended effects of installing Kazaa - the "holes" opened by the additional payloads of adware, spyware, etc. that come bundled with it. Certainly this is what has kept me away from Kazaa.

A new study describes security problems associated with Kazaa that are not side effects, but which result instead from it doing just what it is supposed to: share files. The issue is that its user interface makes it all too easy to share

The study's authors found three important things:

1) Users did not understand the implications of what they were installing, and most of them ended up sharing far more data on the network than they intended. Typical users did not understand that Kazaa shares every file in a selected directory, not just the MP3 files in it, and so they unintentionally shared far more directories than they believed they were sharing.

2) Searches of the Kazaa network found numerous sensitive-looking files being shared, such as mailbox files and what were apparently files containing credit card information (for obvious ethical reasons, they relied on filenames and did not actually download these files).

3) When they shared dummy files of sensitive information, such as "inbox.dbx" and "credit cards.xls", they observed people both searching for and downloading these files.

We discover that the majority of the users in our study were unable to tell what files they were sharing, and sometimes incorrectly assumed they were not sharing any files when in fact they were sharing all files on their hard drive. We also looked at the current Kazaa network, and determined that a large number of users are currently sharing personal and private files without their knowledge, and from our dummy server we were able to see that other users are indeed taking advantage of this and downloading files such as "Credit Cards.xls" and email files.
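The gap between what a user thinks is shared and what a whole-directory share actually exposes is something you can check mechanically before (or instead of) trusting a client's UI. The script below is an added example of mine, not code from the study or from Kazaa: it assumes a client that publishes every file under each chosen folder, builds a constructed sample home directory (the file names, including "Credit Cards.xls" and "Inbox.dbx", are taken from the kinds of files the study searched for; the layout is invented), and reports what a "share My Documents" choice really exposes versus the "My Music" folder the user intended. Classification is by filename only, as in the study; the media, mailbox and sensitive-word lists are my own heuristics and not exhaustive.

```python
"""Audit what a recursive folder share really exposes (added example).

Assumption: the sharing client publishes every regular file under each chosen
folder, regardless of type. The sample directory tree is constructed here for
illustration and is not data from the study.
"""
import tempfile
from pathlib import Path

# What a user of a music-sharing client typically *intends* to publish.
MEDIA_EXTS = {".mp3", ".ogg", ".wav", ".wma", ".avi", ".mpg", ".mpeg", ".jpg", ".gif"}
# Mail stores (Outlook Express .dbx, Outlook .pst, mbox variants). Heuristic list.
MAILBOX_EXTS = {".dbx", ".pst", ".mbx", ".mbox", ".eml"}
# Words in a filename that suggest financial or credential data. Heuristic list.
SENSITIVE_WORDS = ("credit", "card", "password", "passwd", "bank", "tax", "ssn")


def build_sample_tree(root: Path) -> None:
    """Constructed sample home directory. The user believes only My Music is shared."""
    files = [
        "My Documents/My Music/song.mp3",
        "My Documents/My Music/album/track02.mp3",
        "My Documents/Credit Cards.xls",
        "My Documents/finances/tax return 2001.doc",
        "My Documents/photos/holiday.jpg",
        "My Documents/Mail backup/Inbox.dbx",
        "My Documents/resume.doc",
        "Program Files/SomeApp/app.exe",   # outside My Documents
    ]
    for rel in files:
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"placeholder")


def exposed_files(shared_dirs):
    """Every regular file under the shared roots, recursively, whatever its type.

    This is the behaviour users in the study did not expect: picking a folder
    publishes the whole tree beneath it, not just the media files in it.
    """
    seen = set()
    for d in shared_dirs:
        for p in Path(d).rglob("*"):
            if p.is_file():
                seen.add(p.resolve())
    return sorted(seen)


def classify(path: Path) -> str:
    """Filename-only classification, mirroring the study's no-download approach."""
    name = path.name.lower()
    ext = path.suffix.lower()
    if ext in MAILBOX_EXTS:
        return "mailbox"
    if any(word in name for word in SENSITIVE_WORDS):
        return "sensitive_name"
    if ext in MEDIA_EXTS:
        return "media"
    return "other"


def _under(path: Path, root: Path) -> bool:
    try:
        path.relative_to(root)
        return True
    except ValueError:
        return False


def audit(shared_dirs, intended_dirs):
    """Return {category: [paths]}; 'unintended' lists exposed files outside intended_dirs."""
    intended = [Path(d).resolve() for d in intended_dirs]
    report = {"media": [], "mailbox": [], "sensitive_name": [], "other": [], "unintended": []}
    for f in exposed_files(shared_dirs):
        report[classify(f)].append(f)
        if not any(_under(f, i) for i in intended):
            report["unintended"].append(f)
    return report


def demo(share_whole_drive: bool = False):
    """Build the sample tree, audit one share configuration, return file names by category.

    share_whole_drive=False models 'share My Documents'; True models sharing the
    drive root, the case the study describes as 'all files on their hard drive'.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        shared = [root] if share_whole_drive else [root / "My Documents"]
        intended = [root / "My Documents" / "My Music"]
        report = audit(shared, intended)
        return {k: sorted(p.name for p in v) for k, v in report.items()}


if __name__ == "__main__":
    for whole in (False, True):
        r = demo(share_whole_drive=whole)
        print("share root:", "drive" if whole else "My Documents")
        for cat in ("mailbox", "sensitive_name", "media", "other"):
            print(f"  {cat:15s} {r[cat]}")
        print(f"  exposed but not intended: {len(r['unintended'])} file(s)")
```

The useful output is the "unintended" list: with the My Music folder as the stated intent, a My Documents share leaks a mailbox store, a credit-card spreadsheet and a tax return alongside the music, and a drive-root share adds everything else on the disk. The same audit can be pointed at any client's real share configuration to see the effective exposure rather than the UI's summary of it.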
