A couple of years ago privacy advocates were bringing cookies, and the privacy issues related to them, to the attention of the general public.
Last summer the focus was on web bugs and this year the debate centers on spyware. The common thread of privacy connects these subjects.
Cookies are text files that hold user information in order to personalize web pages. A cookie generally operates on six basic parameters, of which only one, the 'value,' is required. They include: the name of the cookie, the value, the expiration date if any, the domain in which the cookie operates, the path in which it operates, and whether it requires a secure connection. As you can see, this information is pretty straightforward and non-threatening. Also, the user can delete or block a cookie at any time.
An example of the excellent use of cookies is Amazon.com, which uses cookies to present a selection of materials to the user based upon their interests as reflected in their purchases and browsing habits. Another example is DoubleClick, which suffered a series of class action lawsuits for user privacy violations related to the company's cookie tracking practices.
Web bugs are tiny (usually a single pixel) transparent image files on web pages that are used to monitor user's online habits. As cited in a CNET article at the height of the web bug storm, critics claimed the bugs could capture IP addresses or perhaps install "pernicious files" and were therefore more invasive than cookies. The argument revolved around the capability, used or unused, that the bugs could take information given by the user at a selected web site and transfer it to any number of other sites without the user's knowledge or consent. The arguments also included the possibility of the bug's information being aggregated with that of cookies and used to create profiles of specific users' habits, instead of being used as general demographic information. Critics were further aggravated by the fact that, unlike cookies, the bugs were beyond the control of the user to block or delete.
Spyware spawned the newest debate in this series of tools used to track your habits and send the information to someone else without your consent or knowledge. Spyware is also called adware, trojanware, parasite programs or media plug-ins. Spyware was originally designed to allow freeware authors to make money on their products. This worked by bundling the programs together for download onto users' machines. The users would see the ads and the freeware authors would be compensated accordingly. This is an excellent concept; however, according to some critics the spyware doesn't stop there.
Many users did not even realize they were downloading the spyware that was bundled with the freeware they wanted, although it may have been obliquely addressed in the licensing agreement with generic wording that may sound something like "may include software that occasionally notifies users of important news." It sits on the hard drive and continually tracks users' actions. It periodically sends reports to its originator concerning the user's activities. The problem is that the user cannot control what data is sent, and unless using special tools cannot uninstall the spyware even if the software it was bundled with is removed from the system.
The programs also use the user's connection without permission, which can be a real issue. They also have the capability of using system resources for other purposes, as illustrated by Brilliant Digital Entertainment, which bundled their 3-D adware with the KaZaA file-trading program and planned to employ users' machine resources to host and distribute content from client companies.
According to security expert Steve Gibson, spyware programs are independent executables that have the capability to monitor keystrokes, arbitrarily scan files on your hard drive, snoop other applications such as word processors and chat programs, read your cookies, change your default homepage, interface with your default web browser to determine what web sites you are visiting, and find and disclose any data on, entering or exiting your computer.
Thus the term "trojanware" results from the many similarities between this type of program and a malicious Trojan horse. One of the definitions of a Trojan horse is an executable program that is introduced to a computer by stealth, is hidden within an apparently harmless or desirable program, executes tasks for a third party without the user's knowledge, and may steal passwords or other data from the computer and send it to a third party.
It is fairly obvious that this might be an issue for the home user who wishes to download freeware, but what about the corporate environment? In any reasonably secure network, the administrator scans for viruses, worms and Trojan horses. However, many corporations allow their users some latitude in the software on their work computers that goes beyond the standard corporate build. These extra programs are usually approved on the basis of the program's function and how it can contribute to the employee's productivity, not upon the various plug-ins associated with it - if the administrator is even aware of those. This means that spyware may currently be on the corporate network. The significance of this is that the capability to send out proprietary corporate information without your knowledge or consent is already there, as is the opportunity to do so. These are two of the three elements (means, opportunity and motive) that are required for a crime to be committed.
Is this a problem? Let's start by assuming that every company that is currently creating and distributing these programs is operating with the best of intentions and with the highest ethics concerning the gathering of consumer data. If these spyware programs have the capabilities that experts claim, how long will it be before someone else subverts one for a less than ethical use?
How likely is this to happen? I think the likelihood of this occurring depends upon the value of the corporate information they would be trying to acquire. The more valuable your secrets are, the more trouble someone (a competitor, a disgruntled employee, etc.) may be willing to go to in order to get them (this incorporates the third element - motive).
If you find that this may be a valid concern for your corporate network, what are the next steps in avoiding this threat? First, make sure that your corporate security and IT policies sufficiently address the issue so that your systems administrator or security director has the authority to address the problem. Secondly, have the network searched for this type of program. If any are found, they must be identified and disabled or removed from the systems. Remember that the proper tools must be used for this in order to avoid damage to the network or data. Finally, measures must be in place to avoid further problems due to this type of program.
Let's take back control of our information and resources. The privacy and security of intellectual property and proprietary data is the lifeblood of an organization and is as important for the corporation as it is for the individual.
Thresa Lang ([email protected]) is a security and training consultant, who also teaches information systems protection at the George Washington University. She is a Cisco certified network associate (CCNA), a systems analyst and a CISSP instructor.
