[SECURITY-L] Security Hole Found in KaZaA File-Sharing Service

Daniela Regina Barbetti Silva daniela em ccuec.unicamp.br
Fri Jun 7 10:38:07 -03 2002


----- Forwarded message from Cristine Hoepers <cristine em nic.br> -----

From: Cristine Hoepers <cristine em nic.br>
Subject: [S] Security Hole Found in KaZaA File-Sharing Service
To: seguranca em pangeia.com.br
Date: Fri, 7 Jun 2002 10:12:20 -0300
X-Mailer: Mutt 1.0.1i

[http://www.nytimes.com/2002/06/07/technology/07PRIV.html?ex=1024462571&ei=1&en=348d3c5c8ba17925]

Security Hole Found in KaZaA File-Sharing Service

June 7, 2002
By JOHN MARKOFF and MATT RICHTEL

Users of KaZaA, a popular Internet service for sharing
music files, frequently expose personal files on their
computers by misconfiguring the program, according to a
study by two researchers at HP Labs. 

The study, which was published on Hewlett-Packard's Web
site on Wednesday, reveals that the peer-to-peer programs,
which are wildly popular for sharing music files, software
and, increasingly, video files, can also pose a serious
threat to computer privacy. KaZaA, a product of Sharman
Networks, is currently the most widely used of the
services. It is used by an average of two million people at
any time. 

The researchers, Nathaniel S. Good, a computer scientist at
the Information Dynamics Lab at HP Labs, which is
Hewlett-Packard's central research organization, and Aaron
J. Krekelberg, a computer scientist at the University of
Minnesota, found that a significant percentage of KaZaA
users have accidentally or unknowingly allowed private
files like e-mail and financial documents to be shared with
the global Internet. 

The researchers said the flaw exposed a basic vulnerability
that had been frequently ignored by advanced computer
security researchers. "You can have the most secure network
in the world," Mr. Good said, "but if it's prone to user
errors it will undermine the basic security of the system."
The paper raised the second damaging privacy issue that has
confronted KaZaA's file-sharing service recently. In April,
the KaZaA network faced criticism when it was disclosed
that its free file-sharing program included a second
program that could make its users participants in a paid
file-sharing network. 

Critics said the inclusion of the additional program had
not been disclosed, and some referred to it as "sneakware."
The company responded by saying it would not activate any
network without users' permission, and noted that people
would still be able to exchange files for free. 

Mr. Good said he had discovered the new security flaw while
setting up the computer of a friend who was a computer
novice. "I realized he was sharing everything on his hard
disk," he said. 

Initially he assumed that the KaZaA software developers
would quickly correct the problem. However, several months
later he found that the problem had grown worse. 

The two researchers began to run automated programs that
would use the KaZaA software to search for files that store
mail for the Microsoft Outlook Express electronic mail
program. They assumed that no KaZaA user would
intentionally share this kind of a file. 

A total of 443 searches during a 12-hour period revealed
that unintentional file sharing is common on the KaZaA
network: 61 percent of the searches performed in the test
found at least one electronic mail file. By the end of the
12-hour period the researchers had identified 156 users
whose e-mail files were public.

Mr. Good said the researchers did not download the files
for fear of violating computer crime laws. 

The researchers were also able to determine cases in which
users exposed word processing and financial software files,
as well as the cache showing what Web sites they had
visited. The Hewlett-Packard researchers, who are experts
in the area of computer usability, said they found
shortcomings in the KaZaA software that made it easy for
users to configure their software improperly and
unknowingly share private information. 

The researchers performed a simple usability study and
discovered only 2 of their 12 research subjects - who were
experienced computer users - were able to determine
correctly which folders and files should be shared. 

A spokeswoman for KaZaA, Kelly Larabee, said the company
was investigating the flaws raised in the Hewlett-Packard
paper. 

"At minimum, we will enhance our efforts to educate users
about protecting their data and using shared folders only
for material they choose to share," she said. 
----- End forwarded message -----