• Calendar
• A-Z Index

• Yale home
• About Yale
• Academic programs
• Admissions
• Health & medicine
• Working at Yale
• Yale & New Haven
• Yale & the World
• Yale Tomorrow
• News

• Prospective students
• Students
• Parents
• Faculty
• Staff
• Alumni
• Foundations & corporations
• Patients
• Visitors

Find it

• About ITS
• Policies
• Feedback
• Search ITS
• ITS A-Z Index
• System Status

Peer-to-peer (P2P) security

Overview

KaZaA, Napster, Gnutella, FreeNet, WinMX, Morpheus, Skype (telephony) Instant Messaging (AOL Messenger-AIM, MSN Messenger, ICQ) and other peer-to-peer (P2P) applications have become popular among consumers because they allow users to share the massive amount of computing power and storage available on the Internet. When using this software the Internet comes to be seen as one large shared computer (especially for music and video file sharing) or one big real-time chat room. P2P technology has positive potential to increase productivity, but it also has a much more threatening negative potential to introduce a new class of security threats.

P2P technology can undermine network security and can leave computing devices open to threats ranging from violations of intellectual property laws (copyright), viruses, malware (malicious software) that is undetected by antivirus protection, password and data theft, to Denial of Service (DoS) attacks that flood the network with data and incapacitate computers.

University policy 1610 PR1 (7. Avoid activities that may compromise security) details P2P recommendations and requirements. ITS recommends that peer-to-peer (P2P) software NOT be installed on any computing device connected to the University network (including PPP and VPN) that has confidential or protected health information. P2P software can also be used as a conduit for activity (e.g., copyright violation) that is in violation of the Information Technology Appropriate Use Policy (IT-AUP).

What is P2P and what are the issues?

Most P2P applications can be placed into one of three categories:

File Sharing

File sharing makes it possible for one computer to share files with another computer located somewhere else on the Internet. Examples of P2P file sharing are KaZaA, Napster, Gnutella, FreeNet. In addition to the threat of copyright violation, password and data theft, virus, malware and network denial-of-service attacks, P2P file-sharing can create bandwidth utilization issues. The music and video files that many P2P users share for personal use are multi-megabyte files that can clog network links to the detriment of important University clinical, research, teaching and business related traffic.

Instant messaging or IM

This a llows users to send each other text, voice messages and files. Examples of IM are AOL Messenger (AIM), MSN Messenger, ICQ, and Yahoo!Messenger. Most IM clients do not provide strong authentication. If someone gets your screen name and password (relatively easy by using a keyboard logger or reading the registry) it would be very easy to impersonate someone via an IM client. Also, if IM clients are used to discuss sensitive information , they are vulnerable to electronic eavesdropping. Many IM clients now also have file sharing capabilities, so you are vulnerable to the threats of both P2P categories.
Some vendors are offering options for implementing more secure IM software using encryption, stronger authentication and access controls. ITS is working on providing a secure Instant Messaging (IM) solution that should be available in the near future.
If you do NOT have confidential or protected health information on your computing device and you are running IM please follow these guidelines.

Distributed processing

This takes the unused computing power from many desktop computers and uses them together to produce massive computing power. Distributed processing applications seem to be the most innocuous of the P2P programs, but the user is required to download, install and run an executable file on their workstation in order to participate. An unsophisticated user may be socially engineered to download Trojan horse programs disguised to resemble legitimate distributed processing clients. Even if a user downloads and installs a legitimate distributed processing client, the client itself is another possible entry point for an attacker. Examples of distributed processing applications are the SETI © Home project that uses a screen saver program to harness spare CPU cycles to analyze data in the quest for extraterrestrial life; or the Distributed.Net and Electronic Frontier Foundation project that used the processing power of 100,000 Internet-worked PCs to test nearly 245 billion encryption keys per second, to prove that they were able to brute-force crack the 56-bit DES encryption algorithm.

Guidelines to reduce IM security threats

• Make sure you have a strong password, and don't allow the program to automatically sign-in to your IM program upon computer startup
• Don't allow auto-accept file transfers. This is the fastest way for viruses or malware to transfer among IM communities.
• Free Internet IM programs generally do NOT encrypt your session or data, and at no time should anyone consider their IM conversations to be completely secure. Never discuss confidential information.
• Copy and paste important dialogs into an email message to yourself and/or your chat partner to create an audit trail for your records.
• Do not accept incoming messages from sign-in names that are not on your contact list. If someone wants to begin to communicate with you via IM, they should email you or phone you to exchange IM sign-in names.
• Most IM companies will contact you when a new upgrade or security patch is available. Install the upgrade or patch ASAP since many times the company is addressing a security flaw.
• Do NOT install IM on a computing device that has confidential or protected health information, until IM technology is made available as a secure in-house University communications tool.