Applications that wait to steal your personal information are legion, so Carlos Valiente recommends constant vigilance

Surf's up, and catching the wave on the newest and most innovative web sites can be enticing. But that ride can exact a heavy price on unsuspecting users, particularly when advertisers may be tempted to use any means to increase their sales.

There are currently more than 800 freeware and shareware applications that have been identified as having the ability to collect and distribute your personal information across the internet, and that number is growing every day. Only a fine line exists between privacy and what these parasitic agents are capable of collecting.

Targeting personal information

I am not referring to commercial software whose functions are legitimately used to perform computer surveillance, parental control or law enforcement. What we are discussing here are applications that falsely advertise their intended use or bury their intent in small-print legal jargon within those 'License Agreements' that most users quickly check off during an install process.

The spyware of the 70s was characteristically a 'Trojan horse,' and its intent was typically to cause damage to a computing infrastructure. Today's spyware also carries a hidden payload, but one that more frequently targets collection of information on the personal likes and dislikes of unsuspecting surfers.

While information collection of that sort can result in unsolicited junk mail, a much more serious line is crossed when information collection includes recording keystrokes that can expose confidential information such as passwords and credit card numbers. At that point, spyware is transformed into malware - a serious problem. After all, your identity and privacy are at risk in a world where identity theft has become a booming business.

An infestation can occur in numerous ways, though the most common source is visits to web sites that prompt users to auto-install Java or ActiveX applets. The majority of freeware and shareware applications also bundle this code. For instance, the music file sharing and interactive applications industries are literally plagued with adware-type code attached to them.

Many of the symptoms are common: your browser settings are changed, you are bombarded with pop-up ads and junk email, automatic file transfers occur without your consent, and your computer may even be co-opted so that its CPU processing time is stolen.

Going on the offensive

Only a handful of anti-virus companies integrate spyware detection capabilities into their anti-virus programs; some require you to purchase it as an additional application. In the interim, protect your company and yourself by considering the countermeasures listed in the accompanying boxout.

The Online Personal Privacy Act, a proposed U.S. senate bill that would require companies to obtain permission prior to disclosing the information collected, would allow consumers a way to opt out, and place responsibility on those that gather the data by requiring safeguards from potential unauthorized access. The European Union and many other countries are introducing similar legislation under the internet privacy umbrella.

Until then, we must remain aware of the risk and implement protective measures that prevent these applications from transmitting information without full disclosure. As more users become aware of the risks they pose, it is likely that pressure will be placed on the marketplace and applicable laws will be enacted to protect you.

Carlos Valiente, Jr. is an internal security IT risk management technical director for PricewaterhouseCoopers (www.pwc.com).
Suggested countermeasures

  • Never download or execute code from sites that you don't trust.
  • Develop strong security policies and standards. Proper usage policies should be expanded to include definitions of spyware, and corporations should be prepared either to block usage, or to inform users of their responsibilities if they elect to allow their use.
  • Consider installing a personal firewall that will alert you when either inbound or outbound programs are attempting to communicate.
  • Employment agreements that establish a strong code of conduct should be considered. Such an agreement prohibits personal, illegal use of internet access, including the use of unauthorized applications.
  • Implement a strong anti-virus program that constantly searches users' personal disks for known viruses and Trojans.
  • Consider adopting standards that require installation of firewalls on all internet-connected equipment, and supplement with anti-spyware.
  • Assess the potential enterprise liability that could result from storage or transmission of illegal information using company resources, and develop a security and risk management plan for intrusions.
  • Analyze and document each port and service opened outbound from your organization firewall gateway. Doing so will enable you to analyze each risk. Ensure that both your inbound and outbound firewall policies are clearly documented and examined periodically to deter unauthorized outbound traffic.
  • Consider installing protocol analyzers and sniffers to review network traffic, detect bottlenecks and identify any network users who may have reconfigured or circumvented controls designed to block unauthorized traffic.
  • Identify hosts and servers that broker spyware applications and block access to them from within your organization.
  • Companies that opt to control bandwidth availability should be aware that doing so does not resolve the network security risks, although it does balance the load and free up valuable bandwidth.
  • Enterprises that allow any application to initiate outbound traffic freely should monitor all transmissions 24x7 to identify traffic that would otherwise impact critical business processes.

Spyware-related legislation

Here are just a few of the laws in the U.S. relating to spyware and privacy in cyberspace. There are many others, some relating to specific areas such as health.

Senate

  • S197 Spyware Control and Privacy Protection Act of 2001: Controls spyware computer programs, which collect information about their users and transmit it back to the software company.
  • S1742 Identity Theft: To prevent the crime of identity theft, mitigate the harm to individuals victimized by identity theft, and other purposes.
  • S2201 Online Personal Privacy Act: Protects online privacy of individuals using the internet.

House of Representatives

  • HR89 Online Privacy Protection Act of 2001: Requires privacy notices on all web sites, as well as ways for users to opt out or limit the use of their information.
  • HR347 Consumer Online Privacy Disclosure Act: Requires the Federal Trade Commission to prescribe regulations to protect the privacy of personal information collected from and about individuals on the internet.
  • HR2135 Consumer Privacy Protection Act: Requires notice before the disclosure of personally identifiable information, with 'opt-out' and affirmative 'opt-in' for sensitive information such as social security numbers and financial information.
  • HR4678 Consumer Privacy Protection Act of 2002: Protects and enhances consumer privacy.

All legislation is published by the Library of Congress (http://thomas.loc.gov).