The P2P network may change into an anonymous cyber weapon that could ruin the world | ScanNetSecurity[国内最大級のサイバーセキュリティ専門ポータルサイト]
2017.11.22(水)

The P2P network may change into an anonymous cyber weapon that could ruin the world

特集 コラム

(This article was posted on 3 July 2012 in Japanese)

There are many P2P network services in the world and some of them have critical vulnerabilities. Can you imagine someone depriving the control of a P2P network service with a hundred million users, and forcing it to attack the specific server? This is not fiction. This is a real situation that is going on in our world. I will introduce its risks to you and indicate three aspects of this problem: the features of the P2P network Xunlei as an example, its vulnerabilities, and its threats.

First, I will describe a real P2P network as an example. Xunlei is a famous Chinese P2P network service. It provides a great variety of content services to Chinese people via the Internet, and it also has another protocol to provide content. The users of Xunlei are estimated to be more than a hundred million. This number is based on several reports. See Ref A.

The second aspect of this problem is the vulnerabilities that P2P networks may have. We already know that no system can exist without the possibility of vulnerabilities. Xunlei has four vulnerabilities and while two of them have been fixed, the others haven’t. There are other serious vulnerabilities not being unveiled. These allow attackers to execute "DDos attacks", extract personal information from Xunlei users, and post an arbitrary command to Xunlei users. You can read Jun Xie's masterpiece, "New Threat-Based Chinese P2P Network", which analyzed the Xunlei network and its vulnerabilities. Xie worked for security researcher McAfee Labs China. His report will help you to understand this problem. In addition, the attackers can sabotage targets from inside of Xunlei to outside of China. There is a certain risk that someone can attack any servers on the Internet with more than a hundred million subordinates. All devices that are connected to the Internet face this menace; PCs in the home, cell phones, Internet banking, supply chain systems, power plants, factories, schools, government services etc.

Finally, I would like to explain the risks of Xunlei. If someone succeed in taking control of Xunlei, the person has a power based on a hundred million subordinates and is able to attack any targets on the Internet from anywhere in the world under the disguise of an attack from China. We cannot find who and where the attacker is immediately. It means there is the possibility of anonymous cyber-terror via Xunlei. It could cause serious trouble in nuclear facilities, cause widespread blackouts as well as an enormous number of personal information leaks: we know these incidents that have already happened in the real world. These are not hypothetical incidents.

In conclusion, I described three profiles of anonymous cyber weapons: the actual condition of P2P network Xunlei, its vulnerabilities, and its destructive power. Unfortunately, I have to point out the most important fact, which is that these risks do not come from only Xunlei. Xunlei is just an example as I mentioned before - the tip of the iceberg. We are familiar with many similar services and botnets in the world: they may also change into anonymous cyber weapons. There is the possibility that many people look for the vulnerabilities because they could be the key to taking control of anonymous cyber weapons. If they find it, they will have the power to ruin the world. I can easily predict that there will be a simple and powerful tool to take control of anonymous cyber weapons, so anyone could cause serious damage to our society regardless of technique. Japanese housewives may penetrate worldwide financial networks to increase their pin money. How do you feel about this situation? You may feel it’s silly because over-serious dangers appear ridiculous sometimes, so I should say it again; this is not fiction; this is a clear and present danger in our world. We are already living in the world of SF fictions that we had read about in our childhood.

(Kazuki Ichida with editorial assistance from Jennifer Mitchell)

REFERENCES
REF A About Xunlei company and its network services
Peer-to-Peer not piracy
P2P statistics of corporate usage
Application usage rates of corporate user

REF B About vulnerabilities of Xunlei network
New Threat Based Chinese P2P Network
Xunlei vulnerabilities
CVE Xunlei : Security Vulnerabilities
JVNDB-2012-002060 Xunlei vulnerability
Potential New Xunlei 0-day Exploit
《ScanNetSecurity》

Scan PREMIUM 会員限定記事

もっと見る

Scan PREMIUM 会員限定記事特集をもっと見る

Scan BASIC 会員限定記事

もっと見る

Scan BASIC 会員限定記事特集をもっと見る

[Web小説] サイバー探偵 工藤伸治の事件簿サーガ (シーズン 1~6 第1話)

もっと見る

[Web小説] サイバー探偵 工藤伸治の事件簿サーガ (シーズン 1~6 第1話)特集をもっと見る

カテゴリ別新着記事

特集 カテゴリの人気記事 MONTHLY ランキング

  1. グローバルで活躍するプロフェッショナル - EYのサイバーセキュリティ部隊に仕事とキャリアを聞く

    グローバルで活躍するプロフェッショナル - EYのサイバーセキュリティ部隊に仕事とキャリアを聞く

  2. ここが変だよ日本のセキュリティ 第30回「ダメンズ・オーディット! 上場企業なら避けて通れない監査対応に監査感激!」

    ここが変だよ日本のセキュリティ 第30回「ダメンズ・オーディット! 上場企業なら避けて通れない監査対応に監査感激!」

  3. クラウドセキュリティ認証「ISO 27017」「ISO 27018」の違いとは? ~クラウドのよさを活かす認証コンサル LRM 社 幸松 哲也 社長に聞く

    クラウドセキュリティ認証「ISO 27017」「ISO 27018」の違いとは? ~クラウドのよさを活かす認証コンサル LRM 社 幸松 哲也 社長に聞く

  4. 工藤伸治のセキュリティ事件簿 シーズン 7 「アリバイの通信密室」 第8回 「はした金」

  5. [対談] 人工知能は重要経営課題となったサイバーリスクに対抗できるか

  6. 工藤伸治のセキュリティ事件簿 シーズン 7 「アリバイの通信密室」 第9回「勤怠簿」

  7. マンガで実感 !! サイバーセキュリティ 第1話「静かなる目撃者」

  8. 工藤伸治のセキュリティ事件簿 シーズン6 「誤算」 第1回「プロローグ:七月十日 夕方 犯人」

  9. 工藤伸治のセキュリティ事件簿 シーズン 7 「アリバイの通信密室」 第1回 「プロローグ:身代金再び」

  10. 工藤伸治のセキュリティ事件簿 シーズン 7 「アリバイの通信密室」 第7回 「三人の容疑者」

全カテゴリランキング

★★Scan PREMIUM 会員限定コンテンツにフルアクセスが可能となります★★
<b>★★Scan PREMIUM 会員限定コンテンツにフルアクセスが可能となります★★</b>

経営課題としてサイバーセキュリティに取り組む情報システム部門や、研究・開発・経営企画に携わる方へ向けた、創刊19年のセキュリティ情報サービス Scan PREMIUM を、貴社の事業リスク低減のためにご活用ください。

×