Re: Marketscore and Higher Ed

[Mike Wiseman <mike.wiseman () UTORONTO CA>]

I think the SALSA statement is a good start on documenting the Marketscore-type threat and
agree with David that information supporting the proper/intended use of SSL should be
included. One approach I was thinking about falls in the 'risk-mitigation' category. The
fact that trusted CA certs can get 'easily' installed in users' environment seems to be
the major issue. SSL is based on the trust that these certs provide. Perhaps we should
find ways of checking/monitoring the trusted root certificate store. I'm under the
impression that normal trusted root cert maintenance is a fairly 'static' task so it
should be possible to flag certs that should *not* be in a store. With such a method,
institutions could create and enforce policy which prevents users from having their SSL
use compromised.

Mike

Mike Wiseman
Manager - Computer Security Administration
Computing and Networking Services
University of Toronto

> I suggest that the SALSA statement of concern (below) fails to
> identify the most insidious "problem" with MarketScore: it falsifies
> the only available so-called security mechanism that is in broad use
> on the Internet today, SSL.  While it may be doing nothing "wrong"
> with the passwords or credit card data it sees, the fact that it
> isn't obvious to the user makes it a fraud, in my view.  They are
> "consensual" only on the sense that the user had to do something to
> allow them to be installed.
>
> If a person uses their browser at work to access secure
> business-related web sites, and MarketScore is installed, they
> potentially are exposing University information to an unknown third
> party without their knowledge.  After all, the browser's padlock icon
> is "locked" which means (a) they've reached the web site they
> intended, and (b) the information will be safe in transit - right?.
> Neither is true.
>
> We forbid use of any such software here at UCOP.  We monitor the
> network for any srd/dst addresses known to be associated with such
> monitoring packages.  We wish there was a better way to learn of
> their existence and kill them on sight.
>
>        David
>
> Re:
> At 3:13 PM -0500 12/23/04, Mark Poepping wrote:
> > While we may argue about specific intent or technique, the consensual
> > nature of these applications generally excludes them from our classifying
> > them as 'spyware'.  However, the use of these applications may expose
> > health, financial, or other protected or personal information to third
> > parties in violation of the security policy of a campus, user, or other
> > external service.  Institutions that wish to reduce the likelihood of
> > these types of violations should consider some or all of the following
> > techniques as they assess their own risk-mitigation
> > efforts:
>
> **********
> Participation and subscription information for this EDUCAUSE Discussion Group discussion
> list can be found at http://www.educause.edu/groups/.
>
> **********
> Participation and subscription information for this EDUCAUSE Discussion Group discussion
> list can be found at http://www.educause.edu/groups/.

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/groups/.