Educause Security Discussion mailing list archives
Re: Marketscore and Higher Ed
From: Mike Wiseman <mike.wiseman () UTORONTO CA>
Date: Mon, 3 Jan 2005 14:35:10 -0500
I think the SALSA statement is a good start on documenting the Marketscore-type threat and agree with David that information supporting the proper/intended use of SSL should be included.

One approach I was thinking about falls in the 'risk-mitigation' category. The fact that trusted CA certs can get 'easily' installed in users' environments seems to be the major issue. SSL is based on the trust that these certs provide. Perhaps we should find ways of checking/monitoring the trusted root certificate store. I'm under the impression that normal trusted root cert maintenance is a fairly 'static' task, so it should be possible to flag certs that should *not* be in a store. With such a method, institutions could create and enforce policy which prevents users from having their SSL use compromised.

Mike

Mike Wiseman
Manager - Computer Security Administration
Computing and Networking Services
University of Toronto
I suggest that the SALSA statement of concern (below) fails to identify the most insidious "problem" with MarketScore: it falsifies the only available so-called security mechanism that is in broad use on the Internet today, SSL. While it may be doing nothing "wrong" with the passwords or credit card data it sees, the fact that it isn't obvious to the user makes it a fraud, in my view. They are "consensual" only in the sense that the user had to do something to allow them to be installed.

If a person uses their browser at work to access secure business-related web sites, and MarketScore is installed, they potentially are exposing University information to an unknown third party without their knowledge. After all, the browser's padlock icon is "locked", which means (a) they've reached the web site they intended, and (b) the information will be safe in transit - right? Neither is true.

We forbid use of any such software here at UCOP. We monitor the network for any src/dst addresses known to be associated with such monitoring packages. We wish there was a better way to learn of their existence and kill them on sight.

David

At 3:13 PM -0500 12/23/04, Mark Poepping wrote:

While we may argue about specific intent or technique, the consensual nature of these applications generally excludes them from our classifying them as 'spyware'. However, the use of these applications may expose health, financial, or other protected or personal information to third parties in violation of the security policy of a campus, user, or other external service. Institutions that wish to reduce the likelihood of these types of violations should consider some or all of the following techniques as they assess their own risk-mitigation efforts:

********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/groups/.
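The root-store check Mike Wiseman proposes above (a baseline of the roots an institution expects, with anything else flagged), as an added example that is not part of the thread. Roots are identified by the SHA-256 fingerprint of their DER encoding, the same value browsers and most tooling display. The certificates the script audits here are constructed dummies built with a tiny DER encoder so that it runs offline; the names "Campus Root CA", "Vendor Root CA" and "Dummy Monitoring Proxy Root" are placeholders and not real certificates.

```python
"""Flag trusted roots that are not on an institution's baseline (added example)."""
import base64
import hashlib
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
OID_CN = b"\x55\x04\x03"  # 2.5.4.3 commonName


def pem_to_ders(pem_bundle: str) -> list:
    """Split a PEM bundle into the DER bytes of each certificate it contains."""
    return [base64.b64decode("".join(m.split())) for m in PEM_RE.findall(pem_bundle)]


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of the DER encoding, colon-separated as browsers show it."""
    h = hashlib.sha256(der).hexdigest().upper()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))


# Minimal DER reader: just enough to pull the subject CN out of an X.509 certificate.
def _tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the TLV that starts at pos (short/long lengths)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(value: bytes):
    """Yield (tag, value) for each TLV packed inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        yield tag, val


def subject_cn(der: bytes) -> str:
    """Subject commonName of a DER certificate, or '?' if it cannot be parsed."""
    try:
        _, cert, _ = _tlv(der, 0)      # Certificate ::= SEQUENCE
        _, tbs, _ = _tlv(cert, 0)      # tbsCertificate
        fields = list(_children(tbs))
        if fields[0][0] == 0xA0:       # optional [0] EXPLICIT version
            fields.pop(0)
        subject = fields[4][1]         # serial, sigAlg, issuer, validity, subject
        for _, rdn in _children(subject):
            for _, atv in _children(rdn):
                oid, val = [v for _, v in _children(atv)]
                if oid == OID_CN:
                    return val.decode("utf-8", "replace")
    except (IndexError, ValueError):
        pass
    return "?"


def audit_root_store(pem_bundle: str, baseline: set) -> dict:
    """Classify every root in the bundle as known/unexpected; list baseline roots not present."""
    report = {"known": [], "unexpected": [], "missing": []}
    seen = set()
    for der in pem_to_ders(pem_bundle):
        fp = fingerprint(der)
        seen.add(fp)
        bucket = "known" if fp in baseline else "unexpected"
        report[bucket].append((subject_cn(der), fp))
    report["missing"] = sorted(baseline - seen)
    return report


# --- constructed sample data (tiny DER encoder; the "certificates" carry no real signature)
def _enc(tag: int, body: bytes) -> bytes:
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    if n < 0x100:
        return bytes([tag, 0x81, n]) + body
    return bytes([tag, 0x82]) + n.to_bytes(2, "big") + body


def make_dummy_root(cn: str) -> str:
    """CONSTRUCTED placeholder root with the given CN, returned as PEM (not a valid cert)."""
    name = _enc(0x30, _enc(0x31, _enc(0x30, _enc(0x06, OID_CN) + _enc(0x0C, cn.encode()))))
    sig_alg = _enc(0x30, _enc(0x06, bytes.fromhex("2a864886f70d01010b")))  # sha256WithRSA
    validity = _enc(0x30, _enc(0x17, b"050101000000Z") + _enc(0x17, b"300101000000Z"))
    tbs = _enc(0x30, _enc(0x02, b"\x01") + sig_alg + name + validity + name + _enc(0x30, b""))
    b64 = base64.b64encode(_enc(0x30, tbs + sig_alg + _enc(0x03, b"\x00"))).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


BASELINE_PEM = make_dummy_root("Campus Root CA") + make_dummy_root("Vendor Root CA")
BASELINE = {fingerprint(d) for d in pem_to_ders(BASELINE_PEM)}
# A workstation store that has grown one extra root, as a user-installed interception tool adds.
WORKSTATION_STORE = BASELINE_PEM + make_dummy_root("Dummy Monitoring Proxy Root")

if __name__ == "__main__":
    for cn, fp in audit_root_store(WORKSTATION_STORE, BASELINE)["unexpected"]:
        print(f"UNEXPECTED ROOT: {cn}  {fp}")
```

In practice the baseline is the fingerprint list an institution signs off on once, and the bundle is whatever the endpoint actually trusts: on Debian-derived systems that is the PEM bundle at /etc/ssl/certs/ca-certificates.crt; on Windows the user-writable CurrentUser\Root store needs exporting as well as LocalMachine\Root, since a root a user accepts in a dialog lands in the per-user store. Fingerprints rather than subject names are the comparison key on purpose: a subject string is trivially copied from a legitimate root, a DER fingerprint is not.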
Current thread:
- Re: Marketscore and Higher Ed Schultz, Stephen (Jan 03)
- <Possible follow-ups>
- Re: Marketscore and Higher Ed Mike Wiseman (Jan 03)
- Re: Marketscore and Higher Ed Stephen D. Franklin (Jan 03)
- Re: Marketscore and Higher Ed Daniel Medina (Jan 03)
- Re: Marketscore and Higher Ed Rodney Petersen (Jan 04)
- Re: Marketscore and Higher Ed David Escalante (Jan 04)
- Re: Marketscore and Higher Ed Mike Wiseman (Jan 07)
- Re: Marketscore and Higher Ed Theresa Semmens (Jan 07)
- Re: Marketscore and Higher Ed Jere Retzer (Jan 07)
- Re: Marketscore and Higher Ed Joel Rosenblatt (Jan 07)
- Re: Marketscore and Higher Ed Mike Wiseman (Jan 07)
- Re: Marketscore and Higher Ed Eric Pancer (Jan 07)
(Thread continues...)