Peer-To-Peer Security problems

[Adhgh]

P2P:

hey guys, i need your help, I'm tring to find out about the security problems that faced P2P companies, and why they were unable to deal with them, and by this i tend to mention the unauthorized access to other ones' files, where this is a major security question.

thanx
Adham

 

[dduardo]

I don't understand your question. The only real issue is that most p2p programs broadcast your IP Address, which can be used for hacking or tracking.

 

[PerennialII]

Don't many (most?) p2p programs require quite a bit of system priviledges in order to operate ? Like "server" level rights in firewalls, enabling them to effectively bypass it and causing a sort of a security concern. Although didn't quite get the question altogether ...

 

[ramollari]

P2P messaging programs are more secure than the client-server ones. They can run on a local network without needing to access distant servers on the internet (as in msn, yahoo, irc, etc). So the P2P programs are going to be used more if security is a concern.
Security issues with P2P still remain, such as 'sniffing'. This is easy to overcome with encryption of messages. What remains difficult to deal with is the problem of social engineering that is the root of a number of attacks. For example as you mentioned a problem is with file sharing. If you download a malware file it can act as a virus, or worse as a trojan horse that communicates with the source computer.
Yet I don't see any security problem that is inherent in the P2P model.

 

[Adhgh]

Thanks even though you didnt give what i want, i will give an example for this issue:
you are (X), and you have(Y) shared files and (N) not shared files. N are private. oneday in the upload section you see (U) another P2P user uploading a file from N.

my question is why this happens?, and why companies are unable to solve this problem?

thanks
Adham

 

[dduardo]

PerennialII, p2p programs can use port 80 and you don't have to run the server with privleges, so that really isn't an issue.

I have to agree with ramollari. P2P isn't inheretly any less secure than say your average IM client. If you set your shared folder to you complete drive/sensitive data that is just plain dumb on the user's part.

 

[PerennialII]

PerennialII, p2p programs can use port 80 and you don't have to run the server with privleges, so that really isn't an issue.

I have to agree with ramollari. P2P isn't inheretly any less secure than say your average IM client. If you set your shared folder to you complete drive/sensitive data that is just plain dumb on the user's part.

Yep, appears that avoiding the same crackpot pitfalls as usual can make it pretty smooth sailing (didn't know that specific port limitations have been all but erased). Remember seeing somewhere that e.g. antivirus apps have been added with "p2p shields" in order to limit the inflow of malware etc.

 

[ramollari]

Thanks even though you didnt give what i want, i will give an example for this issue:
you are (X), and you have(Y) shared files and (N) not shared files. N are private. oneday in the upload section you see (U) another P2P user uploading a file from N.

my question is why this happens?, and why companies are unable to solve this problem?

thanks
Adham

Do you mean "downloading a file from N", because "uploading a file from N" makes no sense?
Every application instance in a P2P environment is also a miniature server. So any client in P2P can be endowed with all capabilities (including security) of a file server.
Maybe, since a P2P client has a myriad of other features, the developers could overlook the security aspects and access privileges of file transfer.

 

[lyapunov]

Thanks even though you didnt give what i want, i will give an example for this issue:
you are (X), and you have(Y) shared files and (N) not shared files. N are private. oneday in the upload section you see (U) another P2P user uploading a file from N.

my question is why this happens?, and why companies are unable to solve this problem?

thanks
Adham

Well, if that's a real life example, that would count as a violation of certain viewing rights in my book, so I grant you your worries over possible more hidden glitches in the software. What you cannot see you cannot hack, or at least not so easily. I also think they should be patching such a thing ASAP, if not rethink the whole setup.

Also the malware is getting smarter in bypassing shares and firewalls once inside. There's even talk of more malicious ghost-like software, and not by idiots, but by Microsoft itself. They even developed a detection program for it, called Strider Ghostbuster, no joke. So I don't think this issue is totally OTT.

http://www.eweek.com/article2/0,1759,1766413,00.asp

 

[Adhgh]

Do you mean "downloading a file from N", because "uploading a file from N" makes no sense?
Every application instance in a P2P environment is also a miniature server. So any client in P2P can be endowed with all capabilities (including security) of a file server.
Maybe, since a P2P client has a myriad of other features, the developers could overlook the security aspects and access privileges of file transfer.

i mean another user uploads from your PC and downloads on his PC, for instance in kazaa there is two ways of traffic for every user( upload, download).
anyway, it turned out there is no such a problem exactly, but its that P2P are not secure for many reasons i have no idea about?

Thanks

 

[dduardo]

Your rambling.

Other users cannot upload files to your computer. You must explicitly download the files off of the p2p networks.