Feeds

P2P eavesdrop 'guilt by association attack' developed

Free BitTorrent countermeasure released

Using blade systems to cut costs and sharpen efficiencies

US engineering researchers say they have identified a new privacy threat to users of peer-to-peer (P2P) networks such as BitTorrent and (perhaps) Skype. Obligingly, however, they have freely released a protective plugin designed to work with a popular torrent client.

According to Fabián Bustamante, computer science prof at Northwestern Uni, BitTorrent users - without realising it - form identifiable "communities" over time, in which their computers connect much more often to certain other users' machines.

"This was particularly surprising because BitTorrent is designed to establish connections at random, so there is no a priori reason for such strong communities to exist," Bustamante says.

However, he and his colleagues found that identifying the spontaneous torrent communities would be a "powerful threat to user privacy", described by the researchers as a "guilt-by-association attack". It would allow an organisation monitoring P2P traffic to reliably identify groups of users showing similar behaviour - for instance with relation to particular copyrighted works - much more swiftly and economically than would normally be the case.

According to the Northwestern researchers, clued-up eavesdroppers would be able to pick out groups of clients of interest to them 85 per cent of the time by analysing just 0.01 per cent of the total users on the network. Normally, P2P users tend not to worry too much about monitoring - there are so many users that the chance of being identified and targeted is slim.

Not so much now, according to Bustamante. A relatively minor surveillance effort will allow the RIAA or whoever to pick just the people they're after, ignoring the countless thousands of ordinary users. Quite apart from pigopolists tracking down media sharers of particular interest to them, the Northwestern researchers hint that this could also be a very handy technique for feds, spooks or whoever listening in on P2P VoIP services such as Skype. Listeners wouldn't need to crack any crypto or tap anyone's home line: they could simply establish a few thousand active Skype clients themselves - a trivial matter for an agency such as the NSA - and identify "communities" of interest with ease.

That said, the Northwestern group's research so far has been confined to the BitTorrent network; their mention of P2P VoIP is speculative.

But fear not, says Bustamente - or at least, fear not if you use Vuze/Azureus. He and his colleagues have developed a client plugin they call SwarmScreen, downloadable here, which will prevent a user being picked out in a "guilt by association" torrent trawl.

"With P2P networks increasingly under surveillance from private and government organizations," say the researchers. "SwarmScreen provides a practical and effective solution to disrupt [guilt-by-association] attacks".

SwarmScreen works by downloading random stuff from across the wider P2P network, as well as the things a user has told his or her client to collect. This means that a traffic monitor won't identify that client as part of any given "community".

The downside, of course, is that this wastes bandwidth. However Bustamente and Co have included an "intuitive tuning knob to control the privacy/performance tradeoff - higher privacy may result in some performance loss as some of your bandwidth is allocated to hide your real traffic". Or you can turn down the privacy and accept a greater risk of being fingered in exhange for faster downloads.

Problem solved, at least in the case of BitTorrent. However, the truly paranoid will be unconvinced, noting the source of funding for Bustamente's group in this project. Yes, you guessed it - none other than the US federal government itself. ®

Boost IT visibility and business value

More from The Register

next story
14 antivirus apps found to have security problems
Vendors just don't care, says researcher, after finding basic boo-boos in security software
Secure microkernel that uses maths to be 'bug free' goes open source
Hacker-repelling, drone-protecting code will soon be yours to tweak as you see fit
Only '3% of web servers in top corps' fully fixed after Heartbleed snafu
Just slapping a patched OpenSSL on a machine ain't going to cut it, we're told
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Israel's Iron Dome missile tech stolen by Chinese hackers
Corporate raiders Comment Crew fingered for attacks
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Application security programs and practises
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Securing Web Applications Made Simple and Scalable
Learn how automated security testing can provide a simple and scalable way to protect your web applications.