Tuesday, December 06, 2005

Extreme File Sharing

Brian Krebs in his October 17, 2005 Washington Post Security Fix column writes:
"[I] spent a few hours over the weekend poking around Limewire, an online peer-to-peer file-sharing network where an estimated 2 million users share and swap MP3 files, movies, software titles and just about anything and everything else made up of ones and zeroes (including quite a few virus-infected files).
"I was sifting the lists not for music or movie files, but for the stuff Limewire users may not know they're sharing with the rest of the network. I quickly found what I was looking for, and then some: dozens of entries for tax and payroll records, medical records, bank statements, and what appeared to be company books.
"A search for "cookies" or "paypal," for example, turned up cookie files for a number of financial institutions. Having cookie files exposed might be a little less dangerous if you couldn't also click your way through every shared file on a user's machine. For the most part I found that users who shared sensitive information were also sharing the contents of their entire hard drives.
"Some users were sharing many megabytes' worth of e-mails and addresses from their Microsoft Outlook inboxes and archives. But perhaps most revealing was a search for "keylog.txt," which turned up several huge text files no doubt generated by a keystroke logger -- a nasty bit of malware that records everything a victim types and relays the data back to the attacker.
"At first, I felt a little weird looking at records of one apparent victim's private (and frequently explicit) online chat conversations from just a few months back. But I wanted to find some contact information in there so I could at least notify this person that their system had been compromised. I found an AIM instant message ID -- but alas, that screen name wasn't signed on. I even found what appeared to be the victim's cell phone number, but got a fast-busy signal upon dialing it.
"As I read on, however, it became clear that the victim at some point realized his machine was infected with some sort of virus, as evidenced by his IM complaints to a friend that his antivirus software had alerted him to something evil on his machine.
"Over the course of several days (the first 10 or so pages of the keylog record) it appears that the victim tried to repel whatever had invaded his computer. Apparently he failed, because not long after he seems to have stopped searching (or at least stopped complaining about it) -- even though the keylogger was clearly still doing its job.
"My guess is that this guy ran an antivirus or anti-spyware scan which found and deleted something, so he figured everything was back to normal.
"This reminds me of a concept that security professionals understand all too well: When a computer system is compromised by a virus or worm, the only way to truly clean it is to back up the data and reinstall the operating system, including any software patches issued since the computer was purchased. This can be a bitter pill to swallow for home users, many of whom have trouble understanding why someone would go through the trouble of trying to hack their system in the first place.
"None of this is to say that antivirus tools and other security applications can't remove these intrusive programs on their own; often they do the job quite nicely. But many of today's more aggressive threats are designed to open the door for other intruders, which might not be so easily detected by security software.
"Obviously, the lessons here are: If you're going to use file-sharing networks, be extremely careful about what you download; and, pay close attention to the files and folders you are letting the rest of the world see."

It's a pity that well-considered opinions like this get drowned out by the chattering classes who don't understand security and get the story completely wrong, conflating the real risk (users carelessly exposing sensitive files to the whole network) with non-existent security flaws in the file-sharing software itself.
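The last of Krebs' lessons, checking what you are letting the rest of the world see, is easy to turn into a habit with a small audit script. The following is an added example, not code from the column or from LimeWire: it walks a shared folder, flags file names that match the kinds of records the column found exposed (keylogger output, Outlook archives, cookie stores, tax, payroll and bank files), and reports anything that is not an ordinary media file, since "whole hard drive shared" was the common failure. The name patterns, the expected-media extension list and the sample share it builds are all assumptions constructed for the example.

```python
"""Audit a peer-to-peer shared folder for files you probably did not mean to share.

Added example; not code from Brian Krebs' column or from LimeWire.  The patterns
below are assumptions modelled on the kinds of files the column found exposed
(keylogger output, Outlook archives, cookies, tax/payroll records, bank
statements).  Extend them for your own environment.
"""
import os
import re
import tempfile
from dataclasses import dataclass
from typing import List, Optional, Tuple

# File-name patterns mapped to a human-readable reason.  Assumed, not from the column.
SENSITIVE_PATTERNS = [
    (re.compile(r"^keylog.*\.txt$", re.I), "keystroke-logger output"),
    (re.compile(r"\.(pst|ost|dbx)$", re.I), "mail archive"),
    (re.compile(r"^cookies?(\.txt)?$", re.I), "browser cookie store"),
    (re.compile(r"(tax|payroll|1040|w-?2)", re.I), "tax or payroll record"),
    (re.compile(r"(bank|statement)", re.I), "bank statement"),
    (re.compile(r"\.(qif|qfx|ofx|qbw)$", re.I), "financial software data"),
]

# Extensions a music/video share is expected to contain (assumed list).  Anything
# else is reported at low severity: it suggests more than the media folder is shared.
EXPECTED_MEDIA = {".mp3", ".ogg", ".flac", ".avi", ".mpg", ".mkv", ".mp4"}


@dataclass(frozen=True)
class Finding:
    path: str       # relative to the share root
    severity: str   # "high" (matches a sensitive pattern) or "low" (non-media file)
    reason: str


def classify(name: str) -> Optional[Tuple[str, str]]:
    """Return (severity, reason) for a file name, or None if it looks like plain media."""
    for pattern, reason in SENSITIVE_PATTERNS:
        if pattern.search(name):
            return ("high", reason)
    ext = os.path.splitext(name)[1].lower()
    if ext not in EXPECTED_MEDIA:
        return ("low", f"unexpected file type {ext or '(none)'} in a media share")
    return None


def audit_shared_folder(root: str) -> List[Finding]:
    """Walk the share and collect findings, high severity first, then by path."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            verdict = classify(name)
            if verdict is None:
                continue
            severity, reason = verdict
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            findings.append(Finding(rel, severity, reason))
    return sorted(findings, key=lambda f: (f.severity != "high", f.path))


def build_sample_share() -> str:
    """Create a constructed sample share (no real data) mirroring what the column found."""
    root = tempfile.mkdtemp(prefix="share-")
    sample = [
        "music/track01.mp3",
        "Documents/keylog.txt",
        "Documents/2004_tax_return.pdf",
        "Outlook/archive.pst",
        "Profile/cookies.txt",
        "movies/trailer.avi",
        "Documents/notes.doc",
    ]
    for rel in sample:
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write("constructed sample content\n")
    return root


if __name__ == "__main__":
    share = build_sample_share()
    for finding in audit_shared_folder(share):
        print(f"[{finding.severity:4}] {finding.path}: {finding.reason}")
```

Point `audit_shared_folder` at the folder your client actually shares rather than the constructed sample; a single "high" hit, or any "low" hit outside the folder you meant to share, is the cue to fix the client's shared-folder settings before the next search for "keylog.txt" finds you.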


