[ISN] 'Spyware' steps out of the shadows

From: InfoSec News (isn@private)
Date: Wed Nov 19 2003 - 22:10:28 PST


    http://zdnet.com.com/2100-1104_2-5108965.html
    
    By John Borland 
    CNET News.com
    November 19, 2003
    
    Late in July, an e-mail that hit employee in-boxes at a British credit 
    card and finance company carried a secret payload--"spyware" capable 
    of recording confidential corporate data and sending it over the Net. 
    
    Labeled "Wedding Invitation," the e-mail looked at first like spam or 
    an ordinary worm. But consultants at security company Clearswift now 
    believe that the e-mail was part of a targeted attack on the victim 
    company aimed at extracting specific information--a nightmare scenario 
    in the corporate security world. 
    
    Clearswift says the incident highlights a dangerous new trend in 
    computer breaches, where spyware applications increasingly play a 
    starring role. Relatively benign attacks intended to win attention by 
    disrupting networks are being eclipsed by sophisticated attempts to 
    steal passwords and other confidential information that can be 
    converted into cash. 
    
    "The good old days of script kiddies and geeks are well gone," said 
    Pete Simpson, manager of Clearswift's ThreatLab division. "These are 
    criminal gangs, and the motive is clearly profit." 
    
    After several years of mounting concern, fears about "spyware" are now 
    starting to come to a head in computer security and policy circles 
    around the world. The term itself is slippery, frequently used fuzzily 
    to apply both to the information-thieving programs such as that 
    identified by Clearswift, and the often-annoying advertising programs 
    typically bundled with free software programs such as Kazaa or 
    Grokster. 
    
    Both sides of this spectrum of software are coming under increasing 
    scrutiny, however. A congressional committee will hear testimony on 
    the issue Wednesday, while studying an antispyware bill introduced by 
    Rep. Mary Bono, R-Calif., which would outlaw many of the practices 
    that most irritate consumers. 
    
    Meanwhile, a consortium of private companies is pursuing a different 
    path toward the goal of stamping out spyware. Dubbed the Consortium Of 
    Anti-Spyware Technology Vendors and led by the creators of the popular 
    Ad-Aware and Pest Patrol software programs, the group is trying to 
    create standard definitions of "spyware," "adware" and other pests, 
    and give best-practices recommendations to companies that want to 
    avoid being blocked by their software. 
    
    "We're working to figure out a standard definition of what's 
    acceptable, and what's not," said Pete Cafarchio, Pest Patrol's vice 
    president of business development. "We have vendors waiting in the 
    wings to see what we come up with. They want to see what's ethical." 
    
    Little pests and big problems
    
    Security companies say they've seen a rise in several trends in the 
    past few months that run from the annoying to the dangerous. 
    
    On the irritating side, many more companies are producing "browser 
    helper objects"--small programs that attach themselves to Internet 
    Explorer and do everything from serving ads to monitoring Web surfing. 
    While these are often marketed as download accelerators or search 
    tools, they often have features that consumers don't immediately 
    understand and are difficult to uninstall once found, security 
    consultants say. 
    
    Many more "adware" programs are routinely installed along with free 
    software such as digital video viewers or file-swapping programs. Some 
    of them monitor users' surfing habits and report back aggregate data 
    to their parent companies; others simply serve up ads displayed inside 
    the software program. 
    
    More dangerous are programs like the one found by Clearswift in its 
    "Wedding Invitation" e-mail. That program, a commercially available 
    "remote surveillance" application called iSpyNow, can be hidden on a 
    computer and then reports every keystroke made on that computer back 
    to whoever installed it. 
    
    These kinds of remote-spying applications were once solely the 
    property of hackers or other malicious programmers, but for the past 
    few months they have been marketed by some vendors as ways to keep 
    tabs on children's or spouses' computer use. Corporations are 
    increasingly worried that these types of "key loggers" might also be 
    installed by hackers or spammers on employees' machines, capturing 
    confidential data. 
    
    Security experts point to employees who work remotely, either from a 
    home computer or a laptop, as the highest-risk targets for spyware 
    infection. Because these machines surf the Net outside the corporate 
    firewall and then use a virtual private network to log into the 
    corporate network, they threaten to bring in spyware that can 
    communicate with the outside. 
    
    "Those machines aren't under the control of the network," Cafarchio 
    said. "In most environments firewalls are designed to keep bad guys 
    out. But if communication is initiated from the inside, most firewalls 
    let it out." 
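    The point Cafarchio makes is that a perimeter firewall cannot catch a 
    keylogger or adware client on a VPN-connected laptop once it phones 
    home over an allowed outbound port, so the only place left to look is 
    the egress log itself. The script below is an added illustration 
    written for this post, not code from the article, Clearswift or any 
    vendor named in it: it scans constructed firewall log lines for hosts 
    in an assumed VPN address pool (10.200.0.0/24) that connect to the 
    same external address at suspiciously regular intervals, the classic 
    beaconing signature of software that reports back on a timer. The log 
    format, addresses and thresholds are all assumptions for the example.

```python
"""Flag periodic "phone home" traffic from VPN-pool hosts in egress logs.

Added example for this post; the log format, addresses and thresholds are
constructed for illustration and do not come from the article or any
real firewall product.
"""
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Constructed sample egress log. Assumed line format:
#   "<date> <time> <ACTION> <proto> <src>:<sport> -> <dst>:<dport> bytes=<n>"
# 10.200.0.14 beacons to one host every 300 s over port 80 (the kind of
# outbound connection most firewalls allow); 10.200.0.22 is normal browsing.
SAMPLE_LOG = """\
2003-11-19 09:00:02 ALLOW TCP 10.200.0.14:51002 -> 198.51.100.7:80 bytes=412
2003-11-19 09:01:10 ALLOW TCP 10.200.0.22:49231 -> 203.0.113.5:80 bytes=1833
2003-11-19 09:01:12 ALLOW TCP 10.200.0.22:49232 -> 203.0.113.5:80 bytes=20451
2003-11-19 09:01:45 ALLOW TCP 10.200.0.22:49240 -> 203.0.113.5:443 bytes=7710
2003-11-19 09:05:02 ALLOW TCP 10.200.0.14:51010 -> 198.51.100.7:80 bytes=398
2003-11-19 09:07:30 ALLOW TCP 10.200.0.22:49301 -> 203.0.113.5:80 bytes=992
2003-11-19 09:10:02 ALLOW TCP 10.200.0.14:51018 -> 198.51.100.7:80 bytes=405
2003-11-19 09:11:00 DENY  TCP 203.0.113.77:4444 -> 10.200.0.14:445 bytes=0
2003-11-19 09:15:02 ALLOW TCP 10.200.0.14:51027 -> 198.51.100.7:80 bytes=411
2003-11-19 09:20:02 ALLOW TCP 10.200.0.14:51035 -> 198.51.100.7:80 bytes=401
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) +(?P<action>\w+) +(?P<proto>\w+) +"
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) bytes=(?P<bytes>\d+)$"
)


def parse_log(text):
    """Turn raw log lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
        rec["dport"] = int(rec["dport"])
        rec["bytes"] = int(rec["bytes"])
        records.append(rec)
    return records


def find_beacons(log_text, vpn_pool="10.200.0.0/24", min_hits=4,
                 max_cv=0.15, min_interval=30.0):
    """Return (src, dst) flows from the VPN pool whose connection timing is
    too regular to be a human. A low coefficient of variation (stdev/mean)
    of the inter-connection gaps is the periodicity test; min_interval
    keeps bursts of ordinary page loads from qualifying."""
    pool = ip_network(vpn_pool)
    flows = defaultdict(list)
    for rec in parse_log(log_text):
        if rec["action"] != "ALLOW":
            continue                      # blocked traffic is not a leak
        if ip_address(rec["src"]) not in pool:
            continue                      # scope: remote/VPN machines only
        flows[(rec["src"], rec["dst"])].append(rec)

    beacons = []
    for (src, dst), recs in flows.items():
        if len(recs) < max(min_hits, 2):
            continue
        recs.sort(key=lambda r: r["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(recs, recs[1:])]
        avg = mean(gaps)
        if avg < min_interval:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            beacons.append({
                "src": src, "dst": dst, "hits": len(recs),
                "interval_s": round(avg), "cv": round(cv, 3),
                "ports": sorted({r["dport"] for r in recs}),
                "avg_bytes": round(mean(r["bytes"] for r in recs)),
            })
    return sorted(beacons, key=lambda b: (b["cv"], -b["hits"]))


if __name__ == "__main__":
    for b in find_beacons(SAMPLE_LOG):
        print(f"{b['src']} -> {b['dst']} every ~{b['interval_s']}s, "
              f"{b['hits']} hits, ports {b['ports']}, ~{b['avg_bytes']} bytes/conn")
```

    The heuristic is deliberately conservative: five small connections 
    to one address every five minutes on port 80 is flagged, while the 
    browsing host is not. Real spyware may add jitter or ride an 
    existing browser session, so periodicity alone is a triage signal to 
    combine with destination reputation and an authenticating egress 
    proxy, not a verdict.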
    
    What's a spy, anyway?
    
    This variety of programs, from hacker-like tools to simple advertising 
    plug-ins, continues to make efforts to control spyware difficult. 
    
    Bono's bill, the first major piece of legislation intended to address 
    the issue, highlights that point. Staffers for the congresswoman say 
    she is in the midst of rewriting her original proposal in response to 
    concerns that it would have blocked ordinary Web features such as 
    cookies and automatic update features such as those in Microsoft 
    software. 
    
    In a report released Tuesday, the Center for Democracy and Technology, 
    a Washington D.C.-based privacy advocacy group, argued against any 
    legislation that specifically targets spyware, because of its 
    inherently slippery nature. Much of the worst software-spying that 
    corporations fear is already illegal under computer privacy, 
    antihacking or Federal Trade Commission laws, the report said. 
    
    Instead, consumers would be better served by broad-ranging privacy 
    legislation that forces all software programs to give clear notice if 
    they collect information, and gives computer users the ability to 
    turn them off or easily uninstall them. 
    
    Most importantly, consumers should study software programs' terms of 
    service before installing them, and use software such as Lavasoft's 
    Ad-Aware if they think their computer might have spyware installed, it 
    said. 
    
    "The distinction that we're trying to make is whether there is notice 
    or meaningful choice," said CDT Associate Director Alan Davidson. "The 
    question is do people know how their computer is being used, and do 
    they have a meaningful choice to uninstall a program if they don't 
    want it. In the most troubling cases of spyware, the answer is still 
    no." 
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomo@private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Thu Nov 20 2003 - 02:02:59 PST