[ISN] Desktop port proliferation a security risk?

[InfoSec News]

http://www.theregister.co.uk/2005/07/14/desktop_port_security_risk/

By Robert Lemos
SecurityFocus
14th July 2005

Software maker Opera's decision to support BitTorrent has added to
some security experts' worries that applications which require open
connections through firewalls are becoming increasingly popular.

Last week, the Norwegian company revealed that its latest technical
preview adds support for downloading BitTorrent files, or torrents.  
BitTorrent, a peer-to-peer protocol that speeds files sharing by
allowing every client to serve up pieces of a large file, requires
that firewalls allow connections to the client software.

With the adoption, the alternative Internet browser is the latest
application to ask users to open ports, the numerical addresses that
software applications use for communication. Some voice-over-Internet
applications also require a direct connection to the Internet and need
ports to be open if the hardware is placed behind a firewall.

If such applications grow more popular, security may suffer, said
Johannes Ullrich, chief research officer for the Internet Storm
Center, a network-threat monitoring service hosted by the SANS
Institute.

"Opening more ports is never a good idea," he said. "Adding more
functionality to heavily attacked applications like Web browsers isn't
that great (of an idea) either."

BitTorrent is the latest peer-to-peer application to gain general
popularity beyond its core group of file sharers. While many security
experts worry about Trojan horses spreading through file sharing
networks, the fact that voice-over-IP and BitTorrent protocols can
require exceptions to firewall protections has worried others.

"At this point, we see almost no malicious activity in this space, but
I think it's the big underdeveloped malware market," Ullrich said.

Opening ports in network or personal firewall protections increases
reliance on the security of the program that receives the data. Yet,
in many cases, unsophisticated users are placing peer-to-peer software
on their computers, without considering whether the programs have made
security a priority, said Rick Robinson, senior security architect for
voice-over-IP security provider Avaya.

"There are the hobbyist applications, such as games and file sharing,
where your concern is not about reliably or security, but achieving
the execution of the application," he said. "With such unsophisticated
software, you are running the risk of weak security."

The creator of BitTorrent, Bram Cohen, argues that such concerns are
overstated.

To date, no major flaw in the main BitTorrent clients has been
publicly disclosed. Moreover, even though a random list of Internet
addresses downloading a particular file can be easily obtained, the
protocol uses hashes to prevent man-in-the-middle attacks.

"The BitTorrent protocol is designed to be very simple and clean, so
the chance that there is a flaw in there is much less than, say, an
HTML parser," said Cohen, who also founded BitTorrent.com. "Moreover,
if you are using the main BitTorrent client, the chance of being
exploited by a peer is very small."

Cohen acknowledges, however, that much of the security of
BitTorrent--and other programs that allow incoming connections--rely
on the peer-to-peer client software's security.

"If you are accepting incoming connections, then that opens up the
possibility that you could be exploited if there are flaws in your
code," he said.

Cohen has not seen Opera's implementation of BitTorrent.

While Opera has added a warning dialog box to the process of
downloading torrent files, adding BitTorrent support to the browser
does not increase risk, said Christen Krogh, vice president of
engineering for Opera.

"When you leave a program open for downloading things from the Net or
leaving ports open, you should always consider security," he said.  
"But having support for the BitTorrent protocol for the browser,
doesn't skew the security picture very much."

Other peer-to-peer software makers have managed to avoid the issue
altogether.

Voice-over-IP software provider Skype, for example, allows incoming
connections through firewall software without explicitly opening
ports. Hardware-based services, such as Vonage, typically call for the
VoIP gateway to be placed in front of the firewall. Only when the
hardware is placed inside a local network does the user need to open
ports.

Blizzard Entertainment uses the BitTorrent protocol for updating its
massively multiplayer online role-playing game, World of Warcraft.  
While updates can still be downloaded from behind a firewall, the
transfer rate is much slower.

However, the software only opens up communication for a very short
time, the company said in a statement.

"This does not present any additional security risk compared to any
other standard Internet-based network communication," the company
said. "The port is opened by the Blizzard Downloader, is used for
patch up/downloads, and it remains closed otherwise."

Such peer-to-peer software should still undergo increased scrutiny for
security holes, said Brian Martin, a moderator for the Open Source
Vulnerability Database.

"Just because of their deployment and popularity, the programs should
definitely be audited more heavily," he said. "If a popular
(peer-to-peer) client did have a vulnerability, you are probably
talking about tens to hundreds of thousands of people who might be
vulnerable."

Copyright © 2005