New ZeuS Variants Get Instructions Through P2P Network

The most recently detected variants of ZeuS/SpyEye are receiving instructions not from command-and-control (C&C) servers, but through peer-to-peer (P2P) networks. C&C servers have increasingly become the targets of takedown orders and monitoring by authorities. A version detected last year used P2P as a means of communication if C&C servers became unavailable, but the newest version has made C&C servers unnecessary.

Read the full story online.


FTC Cracking Down on File Sharing

A recent news story in the Washington Post revealed that the Federal Trade Commission (FTC) has uncovered widespread data breaches at companies, schools and local governments whose members are swapping music, software and movie files over the Internet.

The FTC sent nearly 100 letters to organizations where information on customers and employees, including health and financial data and Social Security and driver’s license numbers, leaked through peer-to-peer Web services. It warned that the security breaches could lead to identity theft or fraud, and it recommended that the groups review their policies and inform the affected individuals.

Read the full story here.

The P2P Controversy

There has been some discussion within the government recently about the risks of peer-to-peer (P2P) file sharing to data security.

In November, bill HR 4098, the Secure Federal File Sharing Act, was introduced in Congress to ban P2P file sharing on US government and government contractor computers. Sensitive Defense Department documents were lost through P2P networks earlier this year, likely prompting the proposal of this bill.

In higher education, the use of P2P software produces a different reaction than the one mentioned above. As a file-sharing tool, it has great potential for playing a positive role in fulfilling the institutional missions of teaching, research, and the dissemination of knowledge. However, as we know, it is typically used for illegally sharing copyright-protected music, movies and software.

The bigger issue that Congress is considering, namely ensuring that sensitive data and personally identifiable information are protected against leakage via file-sharing networks, also applies to universities. Is there any reason why computers containing sensitive data should have such a potentially dangerous application installed on them?

Since P2P networks are transfer tools, they are vulnerable to exposure of data and the distribution of malware. Hackers can attack these networks by altering legitimate files so that they carry malware, implanting malware into shared directories, exploiting vulnerabilities in the network's protocol, and launching denial-of-service and spamming attacks that attempt to harass the users of the P2P network.

MIT does not put limits on the use of P2P programs. However, as a result of the 2008 Higher Education Opportunity Act (HEOA), regulations were issued and finalized by the Department of Education in October 2009, with several of these regulations addressing unauthorized file sharing (and the use of P2P programs) on campus networks.

We may therefore see some changes when enforcement goes into effect in July 2010. Changes could include possible restrictions on file-sharing networks, alternatives to illegal downloading, and disclosures to students describing file sharing and campus policies related to copyright law.

The risks of illegal downloading hit home quite recently. In November, a Boston University student was ordered to pay $675,000 in damages for illegally downloading songs and sharing them online.
