While that was good news for those particular firms, it did nothing to lessen the potential nightmare the KaZaA file-sharing program poses for IT administrators.
KaZaA, in fact, poses three main threats:
a) It opens up gaping security holes
As the Fizzer worm (w32.fizzer@mm) that hit in May demonstrated, KaZaA offers one more route for bringing harmful code into the network. This worm, which could spread either as an e-mail attachment or via KaZaA, seeks to disable any existing antivirus software and has a keystroke-logging component which can be used to steal passwords or credit card information. It also automatically sets up IRC and AOL Instant Messenger accounts to receive further instructions from the virus writer.
But KaZaA users can also inadvertently set up systems to allow others access to a corporation's files. Dennis Peasley, Information Security Officer for Zeeland, Mich.-based furniture manufacturer Herman Miller, Inc., reports finding employees setting up folders on the company drives that they can then access at home. However, this also means that those drives can be located by people running scripts across KaZaA to locate such files.
"People who do that believe that they are the only ones who will have access to the files, but they are really opening them up to the world," says Peasley. "What spooks me is that it will be a large repository network drive somewhere."
b) Resource consumption
The second problem is resource consumption. To begin with, there is the waste of company bandwidth to share MP3s or other files which aren't part of company business. On top of that is all the spyware that comes loaded with KaZaA, which is both a resource hog and a security threat.
Peasley reports tracking down what appeared at first to be a port scan on the firewall, then noticing that it was the outgoing ports, not the incoming ports, that were being hit. He tracked it down to a machine running KaZaA.
"KaZaA was beating the life out of the firewall, starting another process and giving it the next higher IP address," he says. "It was being real diligent about trying to get out."
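The pattern Peasley describes, one internal machine generating blocked outbound attempts to successively higher IP addresses, can be picked out of firewall logs automatically. The following is an added example, not part of the original article or any vendor's tooling; the log format, the addresses and the five-address threshold are constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed log format (an assumption, not any firewall vendor's real format).
LINE_RE = re.compile(
    r"^\S+ (?P<action>ALLOW|DENY) (?P<dir>IN|OUT) "
    r"src=(?P<src>[\d.]+):\d+ dst=(?P<dst>[\d.]+):\d+$"
)

def longest_consecutive_run(addresses):
    """Length of the longest run of numerically adjacent IPv4 addresses."""
    values = sorted({int(ipaddress.IPv4Address(a)) for a in addresses})
    best = run = 1 if values else 0
    for prev, cur in zip(values, values[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best

def find_outbound_sweeps(lines, min_run=5):
    """Return {source_ip: run_length} for hosts whose denied outbound
    attempts reached at least min_run consecutive destination addresses."""
    denied = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line.strip())
        # Only blocked traffic leaving the network is of interest here.
        if m and m["action"] == "DENY" and m["dir"] == "OUT":
            denied[m["src"]].add(m["dst"])
    runs = {src: longest_consecutive_run(dsts) for src, dsts in denied.items()}
    return {src: n for src, n in runs.items() if n >= min_run}

# Constructed sample: 10.1.4.23 steps through 203.0.113.10-.17, while
# 10.1.4.50 produces only scattered, unrelated denials.
SAMPLE_LOG = (
    [f"2003-06-02T10:15:{i:02d} DENY OUT src=10.1.4.23:{3000 + i} "
     f"dst=203.0.113.{10 + i}:9999" for i in range(8)]
    + [
        "2003-06-02T10:15:03 ALLOW OUT src=10.1.4.50:4100 dst=198.51.100.7:80",
        "2003-06-02T10:15:04 DENY OUT src=10.1.4.50:4101 dst=198.51.100.9:25",
        "2003-06-02T10:15:05 DENY IN src=192.0.2.44:5000 dst=10.1.4.50:445",
        "2003-06-02T10:15:06 DENY OUT src=10.1.4.50:4102 dst=198.51.100.200:25",
    ]
)

if __name__ == "__main__":
    for src, run in find_outbound_sweeps(SAMPLE_LOG).items():
        print(f"{src}: denied outbound attempts to {run} consecutive addresses")
```

Looking at the direction field rather than only the deny count is what separates this from an inbound port scan, which is the distinction Peasley had to make by hand.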
c) Copyright infringement penalties
But security holes and resource consumption may well be dwarfed in importance when compared to the threat posed by copyright infringement. Last year, for example, the Recording Industry Association of America (RIAA) reached a $1 million settlement agreement with Integrated Information Systems, Inc. (Tempe, Ariz.), whose employees had been illegally downloading MP3s at work. The RIAA has ramped up its efforts to outlaw the downloading of copyrighted music files at work.
"The RIAA is looking for another 'poster child' of a corporation permitting illegal downloading," Peasley says.
Shutting the Door
There are several approaches to take to keep KaZaA out of the network. Peasley has centrally managed personal firewalls from Zone Labs, Inc. (San Francisco) installed on all the company's laptops. He has it configured to block the port KaZaA normally uses and also has the firewall set to block any outgoing traffic generated by the kazaa.exe application. In addition, he uses a packet shaper at the border to limit the amount of traffic that users are allocated, which would also shut down the regular transfer of large files.
It would seem that shutting off file sharing in Windows would work as an additional means of protection, but Peasley found this not to be the case. He installed KaZaA on a test machine and, when he was done with it, disabled file sharing but left KaZaA installed. KaZaA then checked for updates and automatically turned file sharing back on without any intervention from the user.
But, while these actions can block KaZaA from communicating once it is installed, what about removing it from your systems? And then, once you have done that, how do you locate and remove all the files that employees may have downloaded?
The first action is to inventory the software installed on all the machines in the network and filter the results for KaZaA, MP3s or any other file types you want to remove. If you already have an asset management program such as Computer Associates Inc.'s Unicenter Asset Management or Microsoft's Systems Management Server, you already have the ability to conduct software inventories.
If you don't have one of these packages, and don't want to purchase one, there are several simpler and lower-cost inventory applications out there. These include Executive Software Inc.'s Sitekeeper 2.0 and Vector Networks Inc.'s PC-Duo Enterprise 2.0.
In addition to having to answer popup questions, KaZaA also keeps running even when it is closed, so that process needs to be killed. On top of that, KaZaA also ships with a targeted advertising program which is not completely removed with the KaZaA uninstall process.
Hopefully your inventory scan turned up few, or no, computers with KaZaA installed, which means it is not too much work to manually remove the software. If, however, your company has been lax in the past about letting users install software on their own, particularly if you have a lot of mobile users operating outside the corporate firewall, you will want a method to automatically perform all the necessary steps over the network.
Executive Software systems engineer Michael Materie has devised a script for performing all the actions to completely remove the file-sharing software, which he details in an article on the company's Web site.
Once you have removed KaZaA and any illegally downloaded files, you still need to do regular inventories. Sure, your policies, firewalls and antivirus software should keep these out. But, in reality, hackers are always looking for any possible ways to circumvent these systems, not to mention what employees might come up with, so you must keep a close eye on the systems and make sure no other unauthorized software gets installed.