Web-Surfing Employees, Part 2: They may be the Pirate, but you get to pay the gold Bullion!

March 23, 2008 - By Justin E. Gehrke

By Justin E. Gehrke, CISSP, MCSA, Security+, A+

In the last article, I talked about some credit card vulnerabilities posed by Point of Sale (POS) computers with internet connectivity. In this article we’ll discuss the threat from pirates. That’s right, it’s not a typo: I said pirates. Instead of wearing an eye patch, a hook or a peg leg, this pirate receives a W-2 from you at the end of the year and has to be reminded of the difference between a break and a sabbatical.

The most newsworthy legal liabilities relating to internet traffic involve copyright infringement: the electronic piracy of music, movies, television shows, software applications and computer games. Are these all 14-year-old kids locked in their bedrooms? No! These pirates come in all ages and sizes. More than likely, you know one. If you are a truly lucky employer or manager, you have one sitting in your office, quietly honing his pirating skills. Where do they find it, and how do they download it? I will avoid going into detail, since I don’t want to add to the problem.

The problem began with Peer-to-Peer (P2P) file-sharing software and eventually evolved into the platform known as BitTorrent. Both work by having users share files, or pieces of files, directly with one another. Neither was designed for piracy. BitTorrent in particular was built to distribute large files efficiently among geographically separated users: every downloader also uploads the pieces it already has to the other downloaders, so a group of open source developers, for example, can let a developer across the country find and download another developer’s tools for use in their own project without anyone having to run a large server. Unfortunately, less ethical parties discovered that the technology could be used, or more accurately exploited, to share copyrighted material illegally. An unfortunate side effect of this evolution is the spread of viruses and other malware through these networks, often disguised as the very content people are searching for. Unaware and unprotected computer users are the ultimate victims: degraded or disrupted machines, corrupted files and, in the worst cases, identity theft!

More recently, the idea behind P2P sharing has been applied to a different distribution method. It has no formal name (the services are usually called one-click hosters or cyberlockers) and takes many forms, through web-hosting services such as RapidShare, Mega-Upload and others. A user runs a file-splitting utility, or builds a multi-volume archive, that breaks a large program, movie or album into “chunks” no larger than 100MB, and uploads the chunks to the hosting service’s servers rather than serving them from a home computer. Once the links are posted on a forum or link site, anyone in the world can search for them, download the chunks through an ordinary web browser and rejoin them into the original file. This model has greatly magnified copyright infringement and electronic piracy, since the people who upload the files remain largely anonymous. The companies that host the files are largely out of reach as well, because they are incorporated and hosted outside the United States, in countries with few or no laws covering electronic piracy. That leaves law enforcement with the slow work of locating them and initiating cease-and-desist actions.

Suppose you or your IT staff took the time to securely configure the company’s computers, set up user accounts that cannot install unapproved software, and put a self-updating antivirus product on every machine. You’re covered, right? Not exactly. Those controls were aimed at the P2P era: they stop an employee from installing a BitTorrent client. The file-hosting sites need no special software. Everything is fetched through the browser, and every modern operating system ships with a built-in utility to “zip” and “unzip” the pieces that come down. Your account restrictions never come into play, and your antivirus will scan the archive for malware but has no opinion about copyright: a clean copy of a pirated movie sails straight through.

As long as each piece arrives as a plain file download, your employees are free to find, download and rejoin as much copyrighted content as your company’s bandwidth will carry. Ultimately, you have two problems: a legal one, copyright infringement, which is a federal offense, and a technical one, a single employee consuming the company’s bandwidth (which is definitely not free to you) for unauthorized purposes.

So how can you prevent it? The problem can easily be avoided. Whether you run a single computer with internet connectivity or a small Local Area Network (LAN) routing traffic through a server, a simple web-filtering application limits where employee traffic can go and what it can bring back. Think your firewall will stop it? Not a chance. There is no practical way to enumerate every potentially dangerous Internet Protocol (IP) address in your rule-set. More importantly, most firewalls are configured to allow, and often not even log, outbound traffic on port 80 (HTTP, the port your web browser uses most) and port 443 (HTTPS), so a 100MB archive from a file-hosting site looks exactly like a visit to a news site. Web-filtering software has fallen greatly in price over the last several years while its effectiveness has gone up: current products let you allow access to a website while blocking downloads from it (by file extension or, better, by content type, since a download link does not always end in “.rar”) and blocking streaming media (e.g. online video). Depending on your or your IT staff’s level of technical know-how, you may be able to buy and implement web-filtering software yourself.

If you are unsure how to get it done, there are many certified IT professionals (CISSP, GIAC, CompTIA Security+, etc.) who not only have experience you can rely on but have also completed industry-recognized training and certification, so you know you are paying for a true professional.
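Here is what the filtering rule just described looks like in practice, together with the log check that tells you whether the problem already exists on your network. This is an added example written for this article, not code from the original post or from any web-filtering product. It assumes a proxy that writes Squid’s native access-log format (timestamp, elapsed time, client, status, bytes, method, URL, user, peer, content type); the domain lists, client addresses and log lines are constructed for illustration, and the small domain sets stand in for the category lists a real product maintains. It also goes one step beyond the article’s “block by file extension”: a download link on a file-hosting site often has no extension at all, so it additionally blocks archive content types served from those sites, and it carves out an allowlist for legitimate download sources.

```python
"""Web-filter policy and proxy-log audit (constructed example, not from the article)."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Illustrative category lists; a real web filter ships and updates these.
FILE_HOSTING_DOMAINS = {"rapidshare.com", "megaupload.com"}      # named in the article
ALLOWED_DOWNLOAD_DOMAINS = {"mirror.example.org"}                 # assumed: your own update mirror
BLOCKED_EXTENSIONS = {".rar", ".zip", ".7z", ".iso", ".exe", ".torrent"}
# Split-file naming conventions: movie.001, movie.r00, movie.part3.rar, movie.z01
SPLIT_PART_RE = re.compile(r"\.(?:\d{3}|r\d{2}|part\d+\.rar|z\d{2})$", re.IGNORECASE)
ARCHIVE_TYPES = {
    "application/octet-stream", "application/zip",
    "application/x-rar-compressed", "application/x-7z-compressed",
}


def host_matches(host, domains):
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def evaluate(url, content_type):
    """Decide one request: returns (decision, reason).

    Mirrors the 'allow the site, block the download' rule: browsing a
    file-hosting site's pages is allowed, pulling archives from it is not.
    """
    parts = urlsplit(url)
    host = parts.hostname or ""
    path = parts.path.lower()
    filename = path.rsplit("/", 1)[-1]
    ext = "." + filename.rsplit(".", 1)[1] if "." in filename else ""
    ctype = content_type.split(";")[0].strip().lower()

    if host_matches(host, ALLOWED_DOWNLOAD_DOMAINS):
        return "allow", "allowlisted-source"
    if ext in BLOCKED_EXTENSIONS or SPLIT_PART_RE.search(path):
        return "block", "download-by-extension"
    if host_matches(host, FILE_HOSTING_DOMAINS) and ctype in ARCHIVE_TYPES:
        return "block", "file-hosting-binary"       # download link with no extension
    if ctype.startswith(("video/", "audio/")):
        return "block", "streaming-media"
    return "allow", "ok"


# Squid native access.log: time elapsed client code/status bytes method URL user peer type
LOG_LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<code>\S+)\s+"
    r"(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<peer>\S+)\s+(?P<ctype>\S+)\s*$"
)


def parse_line(line):
    m = LOG_LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes"] = int(rec["bytes"])
    return rec


def audit(lines):
    """Replay log lines through the policy and total, per client, the traffic
    that would have been blocked. On a network with no filter yet, this is the
    report that shows who is using your bandwidth for what."""
    totals = defaultdict(lambda: {"bytes": 0, "requests": 0, "reasons": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        decision, reason = evaluate(rec["url"], rec["ctype"])
        if decision == "block":
            t = totals[rec["client"]]
            t["bytes"] += rec["bytes"]
            t["requests"] += 1
            t["reasons"].add(reason)
    return dict(totals)


# Constructed log lines (addresses are documentation ranges, not real hosts).
SAMPLE_LOG = """\
1206230400.101    120 10.0.0.15 TCP_MISS/200 8421 GET http://rapidshare.com/files/123456/index.html - DIRECT/203.0.113.10 text/html
1206230460.512  94000 10.0.0.15 TCP_MISS/200 104857600 GET http://rapidshare.com/files/123456/movie.part1.rar - DIRECT/203.0.113.10 application/x-rar-compressed
1206230640.007  91000 10.0.0.15 TCP_MISS/200 104857600 GET http://rapidshare.com/files/123457/movie.part2.rar - DIRECT/203.0.113.10 application/x-rar-compressed
1206230900.300  88000 10.0.0.15 TCP_MISS/200 52428800 GET http://rs42.rapidshare.com/cgi-bin/download?id=987 - DIRECT/203.0.113.11 application/octet-stream
1206231000.900    340 10.0.0.22 TCP_MISS/200 65211 GET http://www.example.com/news/ - DIRECT/198.51.100.5 text/html
1206231030.125   2100 10.0.0.22 TCP_MISS/200 31457280 GET http://video.example.net/watch/clip123 - DIRECT/198.51.100.7 video/x-flv
1206231100.000    300 10.0.0.31 TCP_MISS/200 16777216 GET http://mirror.example.org/distro/tools.zip - DIRECT/198.51.100.9 application/zip
"""

if __name__ == "__main__":
    for client, t in sorted(audit(SAMPLE_LOG.splitlines()).items()):
        print(f"{client}: {t['requests']} blocked requests, "
              f"{t['bytes'] / 2**20:.0f} MiB, {sorted(t['reasons'])}")
```

Run as a script it prints the per-client totals: the first client’s visit to the hosting site’s HTML page is allowed while its three archive pulls (two with a “.rar” extension, one with no extension at all) are blocked, the second client is caught on streaming video, and the download from the allowlisted mirror is left alone. Two caveats: extension rules alone are easy to dodge by renaming, which is why the content-type rule is there; and a proxy that passes HTTPS through without interception sees neither path nor content type, in which case the only remaining lever is blocking the host outright.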
One of the most important things to remember, as a business owner or manager, is that your Internet Service Provider (ISP) sees every connection that leaves your office and can identify traffic from its customers to websites associated with copyright infringement and electronic piracy. If the owner of the content or software pursues legal action, your ISP can be compelled by subpoena to match the IP address involved (the address that links you to the internet) to your company’s account, and it will. In the end, your investment in web filtering and other security-related tools will be far less than the legal, court and settlement fees you would incur to clean up a mess that could have been prevented in the first place. I’ll leave you with a question: if it happened, what can you do to the employee involved? That will be the topic of a future post. Until then, I wish you safe (and legal) computing!

Justin E. Gehrke is the founder of Geek Shui Living and an admitted obsessive-techno-compulsive who loves all things Geek. As a right and left-brained, packet-based being, he is available for independent consulting in the areas of IT and Network Security planning and testing, as well as web development and creative design. Send packets to him at GeekusGrandeus@geekshuiliving.com
