[ISN] Universities struggling with SSL-busting spyware

From: InfoSec News (isn@private)
Date: Wed Dec 01 2004 - 03:10:19 PST


http://www.nwfusion.com/news/2004/1130univestrug.html

By Paul Roberts
IDG News Service
11/30/04

U.S. universities are struggling with a flare-up of dangerous spyware
that can snoop on information encrypted using SSL. Experts are warning
that the stealthy software, called Marketscore, could be used to
intercept a wide range of sensitive information, including passwords
and health and financial data.

In recent weeks, information technology departments at a number of
universities issued warnings about problems caused by the Marketscore
software, which promises to speed up Web browsing. The program, which
routes all user traffic through its own network of servers, poses a
real threat to user privacy, security experts agree.

Columbia University, Cornell University, Indiana University, The State
University of New York (SUNY) at Albany, and The Pennsylvania State
University are among those noting an increase in the number of systems
running Marketscore software in recent weeks. Each institution warned
its users about Marketscore and posted instructions for removing the
software.

The software is bundled with iMesh peer-to-peer software, and may have
made it onto university networks that way, said David Escalante,
director of computer security at Boston College.

The company that makes the software, Marketscore, has headquarters in
Reston, Va., at the same mailing address as online behavior tracking
company comScore Networks. ComScore Networks did not respond to
repeated requests for comment.

Reports of infected systems on campuses ranged from a handful up to
about 200 on one large campus network, Escalante said.

Marketscore is just the latest incarnation of a spyware program called
Netsetter, which first appeared in January, said Sam Curry, vice
president of eTrust Security Management at Computer Associates.

"Basically it takes all your Web traffic and forces it through its own
proxy servers," he said.

Ostensibly, the redirection speeds up Web surfing, because pages
cached on Marketscore's servers load faster than they would if they
were served directly from the actual Web servers for sites such as
Google.com or Yahoo.com. However, those performance benefits have been
elusive.

"People who have installed the software complain to us that they're
not getting any improvement," Curry said.

Richard Smith, an independent software consultant in Boston, is also
skeptical of performance improvement claims made by Marketscore and
others, especially since many Internet service providers already offer
Web caching for their dial-up customers, he said in an e-mail message.

At Cornell, the university IT Security Office blocked connections
between Cornell's network and the Marketscore servers, according to a
message posted on the university's Web site. Administrators at SUNY
Albany took similar steps, according to a message posted on that
university's Web site.

While other legal software programs make claims similar to
Marketscore's about improving Web browsing speed, Internet security
experts are troubled that the software creates its own trusted
certificate authority on computers. That certificate authority
intercepts Web communications secured using SSL, decrypting that
traffic, then sending it to the Marketscore servers before encrypting
the traffic and passing it along to its final destination. That
traffic could include sensitive information, including passwords,
credit card and Social Security numbers, Curry said.

Marketscore should be a big concern for companies -- especially those
like banks with employees who handle sensitive data, Escalante said.

"I don't know how good it is for parties on either end of a
transaction to have a third party listening in," he said.

If nothing else, all the extra decrypting and encrypting slows down
SSL traffic, casting doubt on Marketscore's claims to be an Internet
accelerator, Smith said.
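
The interception described above leaves a trace a defender can look for: on an affected machine, one locally trusted root that is not in the approved set ends up vouching for many unrelated sites. The following is an added example, not part of the original article; the fingerprints, host names, root names and the idea of a client-side agent logging handshakes are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data: placeholder fingerprints of the root CAs the
# organisation expects its clients to trust (an assumed baseline).
BASELINE_ROOTS = {"aa11", "bb22", "cc33"}

# Constructed observations (client, site, root fingerprint, root name), as a
# hypothetical client-side agent might log after each HTTPS handshake.
OBSERVATIONS = [
    ("pc-017", "mail.example.edu", "aa11", "Example Public Root A"),
    ("pc-017", "bank.example.com", "bb22", "Example Public Root B"),
    ("pc-042", "mail.example.edu", "ff99", "Hypothetical Proxy Root"),
    ("pc-042", "bank.example.com", "ff99", "Hypothetical Proxy Root"),
    ("pc-042", "shop.example.net", "ff99", "Hypothetical Proxy Root"),
    ("pc-051", "intranet.example.edu", "dd44", "Campus Internal CA"),
]


def resigned_clients(observations, baseline, min_sites=2):
    """Clients where one root outside the baseline vouches for several sites.

    A non-baseline root that signs a single internal site is left alone;
    one that signs for many unrelated sites behaves like an intercepting proxy.
    """
    sites = defaultdict(set)
    for client, site, fp, name in observations:
        if fp not in baseline:
            sites[(client, fp, name)].add(site)
    return sorted((client, name, sorted(s))
                  for (client, _fp, name), s in sites.items()
                  if len(s) >= min_sites)


def conflicting_sites(observations):
    """Sites whose chain ends at a different root depending on the client."""
    roots = defaultdict(set)
    for _client, site, fp, _name in observations:
        roots[site].add(fp)
    return sorted(site for site, fps in roots.items() if len(fps) > 1)


if __name__ == "__main__":
    for client, name, s in resigned_clients(OBSERVATIONS, BASELINE_ROOTS):
        print(f"{client}: '{name}' signs for {len(s)} sites: {', '.join(s)}")
    print("roots disagree for:", conflicting_sites(OBSERVATIONS))
```
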

CA's eTrust anti-virus software labeled Marketscore "spyware" up until
June of this year, but stopped doing so after Marketscore appealed
that designation using an established vendor appeal process, he said.  
CA is currently re-evaluating the "spyware" designation using a
complicated, multifactor scoring system. The software is less
repugnant than its predecessor, Netsetter, which did not clearly
disclose to users what it did when installed and made itself difficult
to remove.

Marketscore is better on both those counts, clearly stating both in
the end user license agreement and during the installation process
what the product does, and providing users with an easy uninstall
program. CA considers Marketscore an example of a new breed of
software that lies in the gray area between spyware and legitimate
software, Curry said.

"Under the old definition, (Marketscore) clearly qualified as spyware.  
But there are new categories emerging," he said.

While Marketscore clearly tracks user behavior, it doesn't hijack Web
browser home pages, spew pop-up advertisements or conceal its
presence, like earlier generations of spyware did, Curry said.

"There's more granularity. Companies have responded and ... are adding
benefits and value to these programs. We're looking at ways to more
accurately identify this," he said.

Perhaps trying to increase its appeal, Marketscore is now advertising
itself as an e-mail protection service, in addition to an Internet
accelerator. According to the Marketscore.com Web site, members will
receive Symantec's CarrierScan Server anti-virus technology at no
cost.

However, that promise doesn't sit well with Symantec, which said it
has no relationship with Marketscore and, in fact, considers the
software "spyware," said Genevieve Haldeman, a company spokeswoman.

"We don't have relationships with companies that make software we
consider malicious," she said. Symantec is considering legal action to
force Marketscore to stop using its name and logo on the
Marketscore.com Web site, she said.

Spyware or not, the lesson of Marketscore is that "if it sounds too
good to be true, it probably is," Curry said.
