DEPARTMENT OF ENERGY
INFORMATION SECURITY RESOURCE CENTER
PACIFIC NORTHWEST NATIONAL LABORATORY


ADVISORY NOTICE No. 19
May 27, 1997


UPDATE - POINTCAST NETWORK


BACKGROUND

In October 1996, the Information Security Resource Center (ISRC) produced Advisory Notice 1 on a new commercial software application called PointCast Network (PCN), which was gaining popularity throughout the Department of Energy (DOE). PCN is a free commercial application that delivers an interactive multimedia news and information service directly to the computer desktop. It automatically interfaces with the Internet and provides users with custom, up-to-the-minute downloads of business and international news headlines, stocks, sports, weather, and financial information, as well as Internet access.

The ISRC raised the potential concerns associated with PCN establishing a periodic connection to a user's hard drive to send and receive information. How much information is actually collected by PCN, and can this pathway be exploited by potential adversaries? It was correctly surmised at that time that PCN and similar software products would proliferate rapidly. With the surge in users within DOE and other government and private communities, additional problems have occurred which should be addressed.


OTHER SECURITY ISSUES


PCN is viewed by some information systems managers as an insidious application. Many companies forbid their users from running it because PCN has turned out to be a "bandwidth hog," and could potentially be manipulated to act as an automated denial of service. Some information systems managers say that a few hundred PCN users on a corporate network can create enough bandwidth demand to grind the entire network to a halt. This is because every PCN user has a more-or-less continuous connection to the Internet that provides quick updates of headline news and financial reports.

At the DOE federal building in Germantown, it is estimated that at certain times of the day, 80% of the building's Internet connection bandwidth is consumed by PCN custom downloads and updates to users in the building.

While PCN has released a new version of its Internet-based screen saver in an effort to cut its network bandwidth use, network managers are still drafting policies to limit and regulate its use. According to a new survey conducted by Zona Research, Inc., 25% of the 110 information systems managers contacted have developed policies regulating the use of PCN among company employees. Of those, 75% either prohibit or discourage its use because of bandwidth problems.

During a four-month period last year, Optimal Networks, a network modeling and analysis software developer, collected just under 100GB of data from the personal computers of 4,000 users at six unnamed Fortune 1000 companies to determine trends in Internet use. This study confirmed that the ten sites that generated the most data on users' desktops were, in order, PCN, Netscape, Yahoo, Adobe, ESPNet Sportszone, CNN, Yahoo Finance, Microsoft, USA Today, and Quicken Financial Network.

In the same study, PCN accounted for 18% of the network traffic. This may appear to be a low percentage when considering the entire Internet, but for an already burdened network, it can really slow down performance.


CONTINUING SECURITY ISSUE

There continues to be a small undercurrent of newsgroup allegations that another reason for the slow operation of PCN is that the application also gathers information about its users, which it passes to PCN for marketing and other uses. No verification of this has been found, and PCN flatly denies the allegation.

At a minimum, PCN does admit that its software collects user data for demographic analysis. The data collected includes the operating system that PCN runs on, the Internet address of the machine, and the name and electronic-mail address of the machine's user.


SUMMARY

PCN is one of the new applications recognized as a push technology: it sends user-specified information, regardless of size, through the user's Internet connection to the desktop computer. This is opposed to a pull technology such as Netscape, where the user enters a Web address and pulls the information to the computer. PCN pushes the information down the Internet after a specific user profile preference has been received. The user may unknowingly be asking for large files and requesting connections several times a day.

While push pioneers such as PCN have been lauded for broadcasting customized news right to users' computers, it appears that almost 20% of corporate network traffic stems from push technologies. This is disproportionately high considering that push technology is only used by a small fraction of users. It is becoming apparent that push technologies are taking up excessive bandwidth on government and corporate networks.

The Department does have options that can proactively relieve this potential network strain. Each DOE site can implement network monitoring tools to determine if PCN is debilitating their network connections. If evidence is found that PCN connections are compromising bandwidth and legitimate Internet connections, policy should be put in place which would limit or forbid the use of PCN.
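One way a site could run the measurement described above, shown as an added example that is not part of the original advisory: it computes, hour by hour, what share of proxy-logged bytes goes to a watched domain and how many clients generate it. The log format, the sample records, and the domain "pcn.example" are assumptions constructed for illustration, since the advisory does not name PCN's servers.

```python
from collections import defaultdict

# Constructed sample proxy log, one request per line: "HH:MM client dest_host bytes".
# "pcn.example" is a placeholder; the advisory does not name PCN's servers.
SAMPLE_LOG = """\
09:02 10.0.0.11 pcn.example 400000
09:05 10.0.0.12 pcn.example 350000
09:07 10.0.0.13 www.example.org 150000
09:40 10.0.0.14 mail.example.net 100000
10:03 10.0.0.11 pcn.example 50000
10:10 10.0.0.13 www.example.org 300000
10:30 10.0.0.14 mail.example.net 150000
10:45 10.0.0.15 bad line
"""

def hourly_usage(log_text, watched_domain):
    """Per hour: bytes and distinct clients, overall and for the watched domain."""
    hours = defaultdict(lambda: {"total": 0, "watched": 0,
                                 "clients": set(), "watched_clients": set()})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue  # skip malformed records rather than guessing at them
        when, client, host, size = parts
        h = hours[when.split(":")[0]]
        h["total"] += int(size)
        h["clients"].add(client)
        # Match the domain itself or a subdomain, not a mere string suffix.
        if host == watched_domain or host.endswith("." + watched_domain):
            h["watched"] += int(size)
            h["watched_clients"].add(client)
    return hours

def flag_hours(log_text, watched_domain, threshold):
    """Return (hour, byte_share, watched_clients, all_clients) where share >= threshold."""
    flagged = []
    for hour, h in sorted(hourly_usage(log_text, watched_domain).items()):
        share = h["watched"] / h["total"] if h["total"] else 0.0
        if share >= threshold:
            flagged.append((hour, round(share, 2),
                            len(h["watched_clients"]), len(h["clients"])))
    return flagged

if __name__ == "__main__":
    for hour, share, users, everyone in flag_hours(SAMPLE_LOG, "pcn.example", 0.5):
        print(f"{hour}:00  {share:.0%} of bytes from {users} of {everyone} clients")
```

Reporting per hour rather than per day matters here because the load the advisory describes peaks at certain times of the day, and the client count shows whether a small group of users accounts for the traffic.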

If the PCN software application is to be used within the DOE Complex, employees must also be made aware that there are specific security concerns associated with the application.



Last Updated October 2001