Telecom and Logistics Associates 

TLAalert Security Service

Publication: Christian ALT

TLAnews: Security NEWs Service 

20.7.2000 Security: Is Napster a Security Risk?
With 20 million people sharing their resources in the vanguard of the so-called "peer-to-peer" computing trend, some security experts warn of the potential risks. But for the moment no security flaw has been found in Napster.

In French: Is Napster a security risk?
20 million people share their computing resources in an avant-garde movement of exchange between peers; security experts warn of the potential risks. But for the moment no weakness has been found.

English version
Do you have a lot of MP3 exchanges on your network?

What do your bandwidth statistics say? Some users are exchanging much more information over Internet than others.

Why do they exchange so many files? 

The answer might be that you have found among your users some addicts of the Napster service, which lets them access audio files all over the world, together with 20 million other people sharing their resources to form one of the largest libraries of audio files.

How do they share all those files?

They use Napster. It is the vanguard of the so-called "peer-to-peer" computing trend, in which users' own PCs become the storehouse for the millions of recordings handled each day. By understanding its behaviour we will also learn the security risks associated with such a distributed environment and how to protect our networks.

Summary in French
Do you have a lot of MP3-type exchanges on your network?

What do your bandwidth statistics say? Some of your users exchange much more information than the others.

More than 20 million users worldwide use Napster to share their computing resources and create one of the largest libraries of audio files. With Napster, a user can search for the audio file he is missing and transfer it to himself.

Security experts are alarmed by this situation because they fear methods of infiltrating networks by exploiting this software.

For the moment there is no known flaw, but we offer a few protection tips for firewall configuration.


Napster's chief engineer says a key factor that makes Napster a relatively low security threat is that it doesn't allow "executable" files onto its system. Napster only handles data files that carry music.

But is Napster 100 percent guaranteed to be safe? 

It hasn't happened yet, but that doesn't mean it couldn't. With Napster, you are establishing a connection with somebody you don't know or trust: you're sharing code and an IP address (Internet protocol address) with them.

Whenever a computer user's IP address is known, it could invite a visit from an intruder or a denial-of-service attack, in which the address is flooded with messages until it shuts down. 

Napster is very popular and works best with high-speed access. 

Napster, by its anarchistic nature, probably wouldn't be a favourite target of hackers. Ubiquitous Microsoft software is a much bigger target.

But if intruders do decide to go after individuals, their targets won't have the secure systems that corporations have. 

Napster itself just handles the index of the records on its members' hard drives, and provides technology that facilitates the sharing of the music.

"There are no known exploits in Napster, but it's a vulnerability waiting to happen," said Russ Cooper of the security firm NTbugtraq.com.


To protect your network from Napster

Here is a good scenario proposed by Jamie Fraser to explain how Napster works through a firewall:

My _admittedly_limited_ understanding of Napster is that it circumvents
restrictions on inbound connections unless both ends of a connection are
behind firewalls restricting inbound connections. (Or you are restricting
outbound connections to known protocols, The Good Thing To Do (R))

How?
Let's say User A is within my firewall, and User B is out in the dangerous
criminal world of the Internet.

(1) When User A starts Napster, they create an (obviously) outbound
connection to Napster's servers.

(2) B does the same, and searches for a file/recording. Napster returns the
results for User A's hard drive.

(3) If B can't connect to A (which he can't in this scenario), she sends a
request to the Napster server. The Napster server, which has maintained the
connection that A started above in (1), lets the Napster software on A know
that B wants something from A.

(4) _A_ will initiate a connection with B, so that B can download software.

Get it? This circumvents the existence of a poorly setup firewall, or NAT,
or various other moderate security measures. It will fail if both A and B
are behind firewalls restricting inbound connections.

I hope that was clear, and no, I'm not absolutely positive of any of this,
but this is what I gathered from two minutes of perusing Napster's web
site.

What I'm more interested in is whether any real world exploits are known
using Napster client.


Jamie Fraser
jamie.fraser@doblin.com
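The four steps above can be replayed as a small model. This is an added example, not code from the page or from Napster: hosts, firewalls and the index server are plain Python objects, and no network traffic is sent. The port numbers 8888 (control connection) and 6699 (file transfer) are taken from the firewall table further down this page, but which port serves which purpose is an assumption made for the example, as are the host and file names. The last scenario shows the effect of the "Good Thing To Do" from the post: an egress filter that only allows known protocols.

```python
"""Model of the Napster connection-reversal scenario described in the post above."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

NAPSTER_SERVER_PORT = 8888   # control connection to the index server (assumed role)
NAPSTER_DATA_PORT = 6699     # peer-to-peer file transfer (assumed role)


@dataclass
class Host:
    name: str
    blocks_inbound: bool = False                   # firewall drops unsolicited inbound TCP
    egress_ports: Optional[FrozenSet[int]] = None  # None = any outbound port allowed

    def can_connect_to(self, peer: "Host", port: int) -> bool:
        """Can this host open a NEW TCP connection to peer:port?"""
        if self.egress_ports is not None and port not in self.egress_ports:
            return False                 # our own egress filter stops the SYN
        return not peer.blocks_inbound   # the peer's firewall must accept inbound


class NapsterServer:
    """Index server: remembers who is logged in and which files they share."""

    def __init__(self, host: Host) -> None:
        self.host = host
        self.sessions: Dict[str, Host] = {}   # name -> host with an open control connection
        self.index: Dict[str, str] = {}       # filename -> owner name

    def login(self, client: Host, shared_files: List[str]) -> bool:
        # Steps (1) and (2): the client opens an OUTBOUND connection to the server.
        if not client.can_connect_to(self.host, NAPSTER_SERVER_PORT):
            return False
        self.sessions[client.name] = client
        for f in shared_files:
            self.index[f] = client.name
        return True

    def lookup(self, filename: str) -> Optional[Host]:
        owner = self.index.get(filename)
        return self.sessions.get(owner) if owner else None


def transfer(server: NapsterServer, requester: Host, filename: str) -> Tuple[str, List[str]]:
    """Replay steps (2)-(4); returns the outcome and a trace of what happened."""
    trace: List[str] = []
    owner = server.lookup(filename)
    if owner is None:
        trace.append(f"{filename} is not in the index")
        return "not-found", trace
    trace.append(f"server says {owner.name} has {filename}")
    # Step (3): the requester first tries the obvious direct connection to the owner.
    if requester.can_connect_to(owner, NAPSTER_DATA_PORT):
        trace.append(f"{requester.name} -> {owner.name}:{NAPSTER_DATA_PORT} direct")
        return "direct", trace
    trace.append(f"{requester.name} cannot reach {owner.name}; asks the server to relay")
    # Step (4): the server uses the owner's existing control connection to tell it
    # to call back, so the data connection is OUTBOUND from the owner's firewall.
    if owner.can_connect_to(requester, NAPSTER_DATA_PORT):
        trace.append(f"{owner.name} -> {requester.name}:{NAPSTER_DATA_PORT} reversed")
        return "reversed", trace
    trace.append("both sides refuse inbound connections; transfer fails")
    return "blocked", trace


def run_scenario(a_blocks_inbound: bool, b_blocks_inbound: bool,
                 a_egress: Optional[FrozenSet[int]] = None) -> str:
    """User A (inside our firewall) shares a file; User B (on the Internet) wants it."""
    server = NapsterServer(Host("napster-server"))
    user_a = Host("A", blocks_inbound=a_blocks_inbound, egress_ports=a_egress)
    user_b = Host("B", blocks_inbound=b_blocks_inbound)
    server.login(user_a, ["song.mp3"])   # constructed file name
    server.login(user_b, [])
    outcome, trace = transfer(server, user_b, "song.mp3")
    for line in trace:
        print("  " + line)
    return outcome


if __name__ == "__main__":
    print("A firewalled, B open:      ", run_scenario(True, False))
    print("both firewalled:           ", run_scenario(True, True))
    print("A egress limited to 80/443:", run_scenario(True, False, frozenset({80, 443})))
```

The point for the firewall administrator is the third scenario: a policy that merely blocks inbound connections is reversed by step (4), whereas an egress policy limited to known ports never lets the control connection of step (1) through, so the client cannot even register its files.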


The servers change often; you can track them on www.napigator.com. To get the current list of servers use http://www.napigator.com/list.php

In the "older" days Napster used a central server for the exchange of information.

How to block Napster through a firewall
Napster appears to use any available free port.  One way to defeat
it is to block all incoming and outgoing tcp/ip ports except the ones
that you want to let through (http, ftp, etc).  The other way is to
block out the ip ranges that Napster servers use.  I did this and it
seems to be pretty effective.  The information is as follows:

1. Create 5 network objects in FW-1. Make external and disable broadcast.
    a. IP: 208.178.163.56 mask: 255.255.255.248
    b. IP: 208.178.175.128 mask: 255.255.255.248
    c. IP: 208.49.239.240 mask: 255.255.255.240
    d. IP: 208.49.228.0 mask: 255.255.255.0
    e. IP: 208.184.216.0 mask: 255.255.255.0
2. Put them all into a group (group-napster-deny)
3. Build a rule that says:
    a. Source Any to Destination group-napster-deny Service any Action
Reject/Drop Time Any


We want to let our users access Napster but we do not want incoming Napster connections. How should we configure our firewall?

Source        Destination   Service                  Action   Track   Install on
Internal-net  Any           7777, 6699, 8888, 9009   accept   log     firewall
Any           Internal-net  7777, 6699, 8888, 9009   drop     log     firewall
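Both recipes on this page (the address-based block of the Napster servers with its five network objects, and the port-based "outbound only" table just above) can be checked before they are installed by evaluating them the way FW-1 does: top down, first match wins. The following is an added example, not the page's or Check Point's own code. The five networks and their masks are exactly those listed in the post; the Napster ports are those of the table; the internal network 10.0.0.0/8, the peer address 203.0.113.7, the "known services" ports 80 and 21 (the post only says "http, ftp, etc") and the trailing cleanup rule are assumptions made for the example.

```python
"""First-match evaluation of the two FW-1 style rule bases shown on this page."""
import ipaddress
from dataclasses import dataclass
from typing import List, Set, Tuple, Union

IPv4Net = ipaddress.IPv4Network
Any = "any"
Networks = Union[str, List[IPv4Net]]   # "any" or a list of network objects
Ports = Union[str, Set[int]]           # "any" or a set of TCP ports

# The five network objects from the post, entered as the address/mask pairs given;
# ipaddress converts the dotted masks to prefix lengths (/29, /29, /28, /24, /24).
NAPSTER_DENY_GROUP: List[IPv4Net] = [ipaddress.ip_network(n) for n in (
    "208.178.163.56/255.255.255.248",
    "208.178.175.128/255.255.255.248",
    "208.49.239.240/255.255.255.240",
    "208.49.228.0/255.255.255.0",
    "208.184.216.0/255.255.255.0",
)]
INTERNAL_NET = [ipaddress.ip_network("10.0.0.0/8")]   # assumed placeholder for Internal-net
NAPSTER_PORTS: Set[int] = {7777, 6699, 8888, 9009}     # from the table above
KNOWN_PORTS: Set[int] = {80, 21}                       # "http, ftp, etc." (assumed list)


def in_group(ip: ipaddress.IPv4Address, group: Networks) -> bool:
    """True if ip falls inside any network of the group (or the group is "any")."""
    return group == Any or any(ip in net for net in group)


@dataclass
class Rule:
    name: str
    src: Networks
    dst: Networks
    service: Ports
    action: str          # "accept" or "drop"

    def matches(self, src_ip: ipaddress.IPv4Address,
                dst_ip: ipaddress.IPv4Address, dport: int) -> bool:
        return (in_group(src_ip, self.src) and in_group(dst_ip, self.dst)
                and (self.service == Any or dport in self.service))


# Rule base A: block the Napster servers by address, let only known services out.
BLOCK_BY_ADDRESS: List[Rule] = [
    Rule("deny-napster-servers", Any, NAPSTER_DENY_GROUP, Any, "drop"),
    Rule("allow-known-services", INTERNAL_NET, Any, KNOWN_PORTS, "accept"),
    Rule("cleanup", Any, Any, Any, "drop"),   # models FW-1's implicit final drop
]

# Rule base B: the table above; users may go out to Napster, nobody comes in.
OUTBOUND_ONLY: List[Rule] = [
    Rule("napster-out", INTERNAL_NET, Any, NAPSTER_PORTS, "accept"),
    Rule("napster-in", Any, INTERNAL_NET, NAPSTER_PORTS, "drop"),
    Rule("cleanup", Any, Any, Any, "drop"),
]


def evaluate(rulebase: List[Rule], src: str, dst: str, dport: int) -> Tuple[str, str]:
    """Return (action, rule name) of the first matching rule, as FW-1's top-down scan does."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rulebase:
        if rule.matches(src_ip, dst_ip, dport):
            return rule.action, rule.name
    return "drop", "implicit-drop"


def deny_group_cidrs() -> List[str]:
    """The deny group in CIDR form, to double-check the masks before creating the objects."""
    return [str(net) for net in NAPSTER_DENY_GROUP]


if __name__ == "__main__":
    print(deny_group_cidrs())
    for rb_name, rb in (("block-by-address", BLOCK_BY_ADDRESS), ("outbound-only", OUTBOUND_ONLY)):
        for s, d, p in (("10.0.0.5", "208.178.163.58", 8888),   # to a listed Napster server
                        ("10.0.0.5", "203.0.113.7", 6699),      # to an unlisted peer
                        ("203.0.113.7", "10.0.0.5", 6699),      # inbound from a peer
                        ("10.0.0.5", "203.0.113.7", 80)):       # plain web traffic
            print(rb_name, s, d, p, "->", evaluate(rb, s, d, p))
```

Running the two rule bases against the same connections makes the trade-off visible: the address block stops the index servers that are listed but nothing else, while the port-based table allows any outbound Napster connection (including the reversed one from the scenario above) and only refuses unsolicited inbound ones.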


Copyright © [Telecom and Logistics Associates Sàrl]. All rights reserved.
Revised: July 20, 2000.

All information provided is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act upon such information without appropriate professional advice after a thorough examination of the facts of the particular situation.