What Are You Sharing?

Over the past few years, file-sharing programs have grown inpopularity. Many people use them to share their music and games. Theyalso provide attackers with a convenient medium for infecting userswith Trojans or worms by offering tantalizing files. This kind of riskis well known to users and attackers alike; in Volume XII of Symantec'sInternet Security Threat Report, we noted that six of the top ten new malicious code families spread through file-sharing applications.

Another risk with file sharing, which many people are unaware of, isthe accidental exposure of confidential information. With nothing morethan a misplaced click, a user can unintentionally share the entirecontents of their hard drive, which could include their browserhistory, their personal documents, or their email messages.

Some file-sharing servers, such as certain Direct Connect servers,require a minimum amount of shared files to connect to a server. Thatis, if a user wants to be able to download from users on a server, heor she must first have a certain amount of data shared. The minimumamounts of some servers are often measured in gigabytes, with 5gb,10gb, and 20gb being common requirements. Rather than spending the timeto download large amounts of music or files to share, some usersinstead opt to share the contents of their hard drives, allowing themto artificially inflate their access the more exclusive servers. At thesame time, as previously noted, it may expose a variety of personalinformation.

The consequences of this type of mistake to an individual could bedevastating, if email and browser history are exposed; however, it canbe even more devastating to a corporation. Users in a corporation mayhave confidential files on their computers, such as invoices, customerinformation, employee information, software source code, and so on. Anyof these may be tempting targets for attackers. Although mostcorporations block file sharing at their firewalls, employees may bringlaptops home, plug them into a personal network, and start up theirfavorite file-sharing application.

It would be extremely difficult, if even possible, to find andprosecute the person that stole the information. The only way to trackdown the "thief" would be if the file-sharing server or client softwarekept logs of who downloaded files, or if an intrusion detection system(IDS) protecting the target's computer detected the leak. Additionally,even if the attacker was tracked down, he or she was only using thefile-sharing software in the intended way, so it may be difficult tocharge the downloader with anything.

A more insidious version of this type of attack would be if afile-sharing client had a vulnerability that allowed an attacker toescape from the shared directories on a user's computer and downloadfiles from any directory. I'm not aware of this type of vulnerabilityexisting in any of the major clients, but who knows what the futureholds?