Desktop port proliferation a security risk?

Oh no! Not the desktop port proliferation!

Software maker Opera's decision to support BitTorrent has added to some security experts' worries that applications which require open connections through firewalls are becoming increasingly popular.

Last week, the Norwegian company revealed that its latest technical preview adds support for downloading BitTorrent files, or torrents. BitTorrent, a peer-to-peer protocol that speeds file sharing by allowing every client to serve up pieces of a large file, requires that firewalls allow incoming connections to the client software.

With the adoption, the alternative Internet browser is the latest application to ask users to open ports, the numerical addresses that software applications use for communication. Some voice-over-Internet applications also require a direct connection to the Internet and need ports to be open if the hardware is placed behind a firewall.

If such applications grow more popular, security may suffer, said Johannes Ullrich, chief research officer for the Internet Storm Center, a network-threat monitoring service hosted by the SANS Institute.

"Opening more ports is never a good idea," he said. "Adding more functionality to heavily attacked applications like Web browsers isn't that great (of an idea) either."

BitTorrent is the latest peer-to-peer application to gain general popularity beyond its core group of file sharers. While many security experts worry about Trojan horses spreading through file sharing networks, the fact that voice-over-IP and BitTorrent protocols can require exceptions to firewall protections has worried others.

"At this point, we see almost no malicious activity in this space, but I think it's the big underdeveloped malware market," Ullrich said.

Opening ports in network or personal firewall protections increases reliance on the security of the program that receives the data. Yet, in many cases, unsophisticated users are placing peer-to-peer software on their computers, without considering whether the programs have made security a priority, said Rick Robinson, senior security architect for voice-over-IP security provider Avaya.

"There are the hobbyist applications, such as games and file sharing, where your concern is not about reliability or security, but achieving the execution of the application," he said. "With such unsophisticated software, you are running the risk of weak security."

The creator of BitTorrent, Bram Cohen, argues that such concerns are overstated.

To date, no major flaw in the main BitTorrent clients has been publicly disclosed. Moreover, even though a random list of Internet addresses downloading a particular file can be easily obtained, the protocol uses hashes to prevent man-in-the-middle attacks.
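The hash check mentioned above is what lets a client accept data from a random, untrusted peer: every piece is compared against the SHA-1 digest recorded in the torrent's metainfo before it is written out, so a peer that serves altered bytes is detected and discarded rather than trusted. The following is an added illustration, not code from BitTorrent, Opera or any of the clients discussed here; it uses a deliberately minimal bencoder and a constructed file body, and the function and field names other than the standard metainfo keys (`pieces`, `piece length`, `name`, `length`) are this example's own.

```python
import hashlib

PIECE_HASH_LEN = 20  # SHA-1 digest length; the "pieces" field is a concatenation of these


def bencode(value):
    """Minimal bencoder for the types a metainfo dict needs (ints, bytes, lists, dicts).
    Dict keys are sorted, as the format requires, so the encoding is canonical."""
    if isinstance(value, bool):
        raise TypeError("bool is not a bencode type")
    if isinstance(value, int):
        return b"i%de" % value
    if isinstance(value, bytes):
        return b"%d:" % len(value) + value
    if isinstance(value, list):
        return b"l" + b"".join(bencode(v) for v in value) + b"e"
    if isinstance(value, dict):
        body = b"".join(bencode(k) + bencode(value[k]) for k in sorted(value))
        return b"d" + body + b"e"
    raise TypeError("unsupported type %r" % type(value))


def piece_hashes(data, piece_length):
    """SHA-1 of each fixed-size piece, concatenated; the last piece may be short."""
    return b"".join(
        hashlib.sha1(data[i:i + piece_length]).digest()
        for i in range(0, len(data), piece_length)
    )


def make_info_dict(name, data, piece_length):
    """Build the single-file 'info' dictionary a publisher would put in the .torrent."""
    return {
        b"name": name,
        b"piece length": piece_length,
        b"length": len(data),
        b"pieces": piece_hashes(data, piece_length),
    }


def info_hash(info):
    """The torrent's identity: SHA-1 over the canonical bencoding of 'info'.
    Any change to the piece hashes changes this value, so a swarm cannot be
    silently re-pointed at different content without the client noticing."""
    return hashlib.sha1(bencode(info)).hexdigest()


def verify_piece(info, index, piece):
    """True only if the bytes a peer sent for piece `index` match the published hash."""
    expected = info[b"pieces"][index * PIECE_HASH_LEN:(index + 1) * PIECE_HASH_LEN]
    if len(expected) != PIECE_HASH_LEN:
        return False  # index outside the torrent; never trust it
    return hashlib.sha1(piece).digest() == expected


def rejected_pieces(info, received):
    """Given {piece_index: bytes} collected from peers, return the indices a
    client must discard and re-request from another peer."""
    return sorted(i for i, piece in received.items() if not verify_piece(info, i, piece))


# Constructed sample content: 43 bytes split into 16-byte pieces (16, 16, 11).
SAMPLE_DATA = b"The quick brown fox jumps over the lazy dog"
SAMPLE_INFO = make_info_dict(b"sample.txt", SAMPLE_DATA, 16)


def demo():
    """Simulate one honest peer and one peer serving a tampered middle piece."""
    from_peers = {
        0: SAMPLE_DATA[0:16],
        1: b"XXXX" + SAMPLE_DATA[20:32],  # altered bytes, same length
        2: SAMPLE_DATA[32:],
    }
    return rejected_pieces(SAMPLE_INFO, from_peers)


if __name__ == "__main__":
    print("info_hash:", info_hash(SAMPLE_INFO))
    print("pieces to discard:", demo())
```

The defensive point is the asymmetry this creates: a peer can waste a client's bandwidth, but it cannot make the client write bytes that differ from what the torrent's publisher hashed. What the hash does not cover is the client's own parsing of peer messages, which is the exposure Cohen and the other sources go on to discuss.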

"The BitTorrent protocol is designed to be very simple and clean, so the chance that there is a flaw in there is much less than, say, an HTML parser," said Cohen, who also founded BitTorrent.com. "Moreover, if you are using the main BitTorrent client, the chance of being exploited by a peer is very small."

Cohen acknowledges, however, that much of the security of BitTorrent, and of other programs that allow incoming connections, relies on the security of the peer-to-peer client software itself.

"If you are accepting incoming connections, then that opens up the possibility that you could be exploited if there are flaws in your code," he said.

Cohen has not seen Opera's implementation of BitTorrent.

While Opera has added a warning dialog box to the process of downloading torrent files, adding BitTorrent support to the browser does not increase risk, said Christen Krogh, vice president of engineering for Opera.

"When you leave a program open for downloading things from the Net or leaving ports open, you should always consider security," he said. "But having support for the BitTorrent protocol for the browser doesn't skew the security picture very much."

Other peer-to-peer software makers have managed to avoid the issue altogether.

Voice-over-IP software provider Skype, for example, allows incoming connections through firewall software without explicitly opening ports. Hardware-based services, such as Vonage, typically call for the VoIP gateway to be placed in front of the firewall. Only when the hardware is placed inside a local network does the user need to open ports.

Blizzard Entertainment uses the BitTorrent protocol for updating its massively multiplayer online role-playing game, World of Warcraft. While updates can still be downloaded from behind a firewall, the transfer rate is much slower.

However, the software only opens up communication for a very short time, the company said in a statement.

"This does not present any additional security risk compared to any other standard Internet-based network communication," the company said. "The port is opened by the Blizzard Downloader, is used for patch up/downloads, and it remains closed otherwise."

Such peer-to-peer software should still undergo increased scrutiny for security holes, said Brian Martin, a moderator for the Open Source Vulnerability Database.

"Just because of their deployment and popularity, the programs should definitely be audited more heavily," he said. "If a popular (peer-to-peer) client did have a vulnerability, you are probably talking about tens to hundreds of thousands of people who might be vulnerable."

Copyright © 2005, SecurityFocus