Security Web Digest: Congress Investigates Peer-To-Peer, Wi-Fi Security Developments ... and More

Are P2P networks a criminal goldmine? ... Security weaknesses in tax software ... Third-party security options for wireless LANs ... and more from around the web.

Peer to Peer Threats

Witnesses and representatives at Thursday's hearing of the U.S. House Judiciary Committee's Subcommittee on Courts, the Internet and Intellectual Property expressed fears that profits from widespread copying of movies, music and software outside the U.S. were being funneled into terrorist organizations, but the hearing produced no concrete examples of that happening. Lamar Smith, a Texas Republican, and several others at the hearing noted that selling illegally copied materials can be more lucrative than selling illegal drugs, and several compared the trade in copyrighted materials to the drug trade. Illegally copied materials can have markups of 900 percent, Smith noted.

Meanwhile, during a hearing of the House Government Reform Committee, politicians complained of two problems: the allegedly widespread distribution of illegal child pornography on peer-to-peer (P2P) networks, and the ease with which a youth could stumble across sexually explicit files that may be legal for adults but inappropriate for minors. Rep. Henry Waxman of California, the top Democrat on the committee, asked: "Can anyone on the panel tell us if pornographers are making money by putting pornographic files on the file-sharing programs?" Rep. Christopher Shays, R-Conn., suggested P2P network operators are getting rich through aiding and abetting porn-swapping. Another committee member told the chief executive of P2P file-trading network Grokster that "for all practical purposes, you're the pornographer. You're the vehicle by which people are doing these things."

PivX Solutions' Geoff Shively warned of a worst-case scenario in which a misconfigured peer-to-peer file-sharing application could make unencrypted TurboTax and Tax Cut data files available to anyone searching for the correct file extensions. Security firm PivX released two advisories warning users that Tax Cut files with .sbr extensions can be opened with a plain text editor. The .tax files from TurboTax can be fully viewed only when opened in TurboTax, which requires no password. Opening a TurboTax .tax file with a text editor reveals only a name and Social Security number.

Wireless Security

The Wi-Fi Alliance expects to certify by May its WPA (Wi-Fi Protected Access) set of specifications in the first of several efforts to provide greater security to users of high-speed wireless networks, said Andrea Vocale, a technical expert with the alliance, speaking Monday at a news conference at the CeBIT trade show. WPA is a subset of the 802.11i security standard, which has yet to be approved by the IEEE (Institute of Electrical and Electronics Engineers). Once approved and certified, the 802.11i standard will be called WPA2 and will be backward compatible with WPA, according to Brian Grim, marketing director for the alliance. Products with 802.11i-standardized security features should be available later in the fourth quarter.

In the meantime, users who require secure wireless LANs are turning to supplemental security, which falls into two camps: IP Security (IPSec) remote-access VPN gear and equipment made by a pack of mainly young companies specializing in wireless LAN security, among them Bluesocket, Cranite Systems, Fortress Technologies, ReefEdge and Vernier Networks. The need to spend time, money and staff to beef up security is hobbling wireless LANs, but even so, customers still spent $1.68 billion on wireless gear in 2002 and are expected to spend $2.72 billion by 2006, according to Infonetics Research.