Remember Napster? Kazaa? Limewire? These are some of the names that made peer-to-peer (P2P) networking popular in the late 1990s and 2000s. They were a really big deal and probably most of us got in on the action at some point to download our favorite songs. It may seem like these peer-to-peer services have disappeared, but newer versions like BitTorrent and eMule are still in use today.
A P2P network is a group of computers on the internet that have agreed to share files with one another. The interface to these networks is usually an application that you install on your machine, i.e. the Kazaa or Limewire interfaces. Once you install the application, you can see all of the files that are being shared by the other computers on the P2P network and you can download any of them. If you want, you can also choose to share files with the other users on the network. There is no centralized server storing the shared information on a P2P network, rather, each computer serves as both a client and a server.
Is this raising any security “red flags” for you yet? We hope so.
Peer-to-peer networks can be very dangerous from a security perspective. When you join a peer-to-peer network, you are choosing to trust the very large group of strangers that make up the network. Usually you have to open one or more internet “ports” on your computer so that the P2P network can send files to and from your machine. The problem is that you basically cannot control what goes in and out of those ports once you open them. They are like open doors through which you have given the users of the P2P network access to your machine. Sure, there are some limitations to the access other users of the network can have, but, these open ports can become an easy point of entry for attackers trying to gain access to your machine or your network. You might even invite them in without knowing.
When you download a song or an application file from a stranger’s machine, you can never be sure that you are getting what they say you are getting. “Don’t worry about it!” they say, “This is Justin Timberlake’s hottest new track, that’s all!” Maybe that’s true. Maybe you’ll be grooving to JT’s sweet tones as soon as the file downloads. But maybe there is a Trojan Horse hidden inside that file. Trojans are a form of malware that cybercriminals hide inside other, seemingly innocent files. They can be hidden in music, games, gifs and other types of files you want. Once you let that file in the proverbial “gates of Sparta,” the Trojan malware springs out and, before you know it, you’ve been pwned (Link to our urban dictionary entry for pwned). You might never even know you’ve been pwned. That malware could just sit on your machine doing its dirty work while remaining hidden. I know what you’re thinking, “JT would NOT do that to me.” Well no, you’re right, JT wouldn’t do it himself. But some jerk cybercriminal absolutely would. Check out our malware page for more details.
Another extremely important point when it comes to peer-to-peer networking is that the sharing of files is often illegal. Almost all music, film and TV files are subject to copyright, and are owned by the companies and artists that produced them. Downloading copyright protected material from the internet without paying it is piracy, which is a crime. The same is true for torrenting software. Unless you know the software you are downloading is freeware or open source code, then someone owns that software and it is illegal to download it from a P2P network. Even if you don’t get caught, you will not be able to get support or updates for the illegitimately downloaded software and that can lead to further security problems down the road. See our page on updating software.
So what do we recommend? Between the high risk of computer infection and the slight risk of criminal or civil punishment, we suggest you do not engage in peer-to-peer networking. But, if you are going to use a P2P networks we recommend that you follow these tips.
- Do not use P2P networks at work. – Unless you have a specific business need to use P2P networking for work and written permission from your employer to do so, you should not install a P2P client on you work machine or use P2P functionality at work. This is definitely true on the Ohio State network and most likely holds true at any place of business.
- Limit what you share. – P2P clients usually allow you to select which folders or directories you share with the network. Make absolutely sure that you don’t accidentally share everything on your machine. In general, you should carefully guard what is shared.
- Use a good antivirus solution. – This is a must. You should have a good antivirus solution and you should use it to scan every file you download. Even with good antivirus software and regular scans you can never be sure you will catch every strain of malware, so you’ll need to be hypervigilant in terms of watching for signs of infection.
- Properly configure your firewall for the P2P service. – You should set up firewall rules and port forwarding to allow the absolute minimum access that the P2P network you are using requires. This will vary depending on the P2P network, but do some research to find out how you can set things up as securely as possible for your chosen network.