Information Security News mailing list archives

'Spyware' steps out of the shadows


From: InfoSec News <isn () c4i org>
Date: Thu, 20 Nov 2003 00:10:28 -0600 (CST)

http://zdnet.com.com/2100-1104_2-5108965.html

By John Borland 
CNET News.com
November 19, 2003

Late in July, an e-mail that hit employee in-boxes at a British credit 
card and finance company carried a secret payload--"spyware" capable 
of recording confidential corporate data and sending it over the Net. 

Labeled "Wedding Invitation," the e-mail looked at first like spam or 
an ordinary worm. But consultants at security company Clearswift now 
believe that the e-mail was part of a targeted attack on the victim 
company aimed at extracting specific information--a nightmare scenario 
in the corporate security world. 

Clearswift says the incident highlights a dangerous new trend in 
computer breaches, where spyware applications increasingly play a 
starring role. Relatively benign attacks intended to win attention by 
disrupting networks are being eclipsed by sophisticated attempts to 
steal passwords and other confidential information that can be used to 
deliver cash. 

"The good old days of script kiddies and geeks are well gone," said 
Pete Simpson, manager of Clearswift's ThreatLab division. "These are 
criminal gangs, and the motive is clearly profit." 

After several years of mounting concern, fears about "spyware" are now 
starting to come to a head in computer security and policy circles 
around the world. The term itself is slippery, frequently used fuzzily 
to apply both to the information-thieving programs such as that 
identified by Clearswift, and the often-annoying advertising programs 
typically bundled with free software programs such as Kazaa or 
Grokster. 

Both sides of this spectrum of software are coming under increasing 
scrutiny, however. A congressional committee will hear testimony on 
the issue Wednesday, while studying an antispyware bill introduced by 
Rep. Mary Bono, R-Calif., which would outlaw many of the practices 
that most irritate consumers. 

Meanwhile, a consortium of private companies is pursuing a different 
path toward the goal of stomping out spyware. Dubbed the Consortium Of 
Anti-Spyware Technology Vendors and led by the creators of the popular 
Ad-Aware and Pest Patrol software programs, the group is trying to 
create standard definitions of "spyware," "adware" and other pests, 
and give best-practices recommendations to the companies that want to 
avoid being blocked by their software. 

"We're working to figure out a standard definition of what's 
acceptable, and what's not," said Pete Cafarchio, Pest Patrol's vice 
president of business development. "We have vendors waiting in the 
wings to see what we come up with. They want to see what's ethical." 

Little pests and big problems

Security companies say they've seen a rise in several trends in the 
past few months that run from the annoying to the dangerous. 

On the irritating side, many more companies are producing "browser 
helper objects"--little programs that attach themselves to Internet 
Explorer and do everything from serve ads to monitor Web surfing. 
While these are often marketed as Net download speeders or search 
tools, they often have features that consumers don't immediately 
understand and are difficult to uninstall when found, security 
consultants say. 

Many more "adware" programs are routinely installed along with free 
software such as digital video viewers or file-swapping programs. Some 
of them monitor users' surfing habits and report back aggregate data 
to their parent companies; others simply serve up ads displayed inside 
the software program. 

More dangerous are the kinds of software programs like the one found 
by Clearswift in its "Wedding Invitation" e-mail. That program, a 
commercially available "remote surveillance" application called 
iSpyNow, allows the spying software to be disguised on a computer, and 
then reports back every keystroke that is made on the computer to 
whoever installed it. 

These kinds of remote-spying applications were once solely the property 
of hackers or other malicious computer programmers, but for the past few 
months they have been marketed by some vendors as ways to keep tabs on 
children's or spouses' computer use. Corporations are increasingly 
worried that these types of "key loggers" might also be installed by 
hackers or spammers on employees' machines, capturing confidential 
data. 

Security experts point to employees who work remotely, either from a 
home computer or a laptop, as high risks of spyware infection. Because 
these machines can surf the Net outside the corporate firewall, and 
then use a virtual private network to log into the corporate network, 
they threaten to bring in spyware that can communicate with the 
outside. 

"Those machines aren't under the control of the network," Cafarchio 
said. "In most environments firewalls are designed to keep bad guys 
out. But if communication is initiated from the inside, most firewalls 
let it out." 

What's a spy, anyway?

This variety of programs, from hacker-like tools to simple advertising 
plug-ins, continues to make efforts to control spyware difficult. 

Bono's bill, the first major piece of legislation intended to address 
the issue, highlights that point. Staffers for the congresswoman say 
she is in the midst of rewriting her original proposal in response to 
concerns that it would have blocked ordinary Web features such as 
cookies and automatic update features such as those in Microsoft 
software. 

In a report released Tuesday, the Center for Democracy and Technology, 
a Washington D.C.-based privacy advocacy group, argued against any 
legislation that specifically targets spyware, because of its 
inherently slippery nature. Much of the worst software-spying that 
corporations fear is already illegal under computer privacy, 
antihacking or Federal Trade Commission laws, the report said. 

Instead, the report argued, consumers would be better served by 
broad-ranging privacy legislation that forced all software programs to 
give clear notice if they were collecting information, and gave 
computer users the ability to turn them off or easily uninstall them. 

Most importantly, consumers should study software programs' terms of 
service before installing them, and use software such as Lavasoft's 
Ad-Aware if they think their computer might have spyware installed, it 
said. 

"The distinction that we're trying to make is whether there is notice 
or meaningful choice," said CDT Associate Director Alan Davidson. "The 
question is do people know how their computer is being used, and do 
they have a meaningful choice to uninstall a program if they don't 
want it. In the most troubling cases of spyware, the answer is still 
no." 
