Ban downloads and implement personal firewalls to protect
corporate systems.
Trojans, worms and viruses continue to hog the headlines and
diligent network managers have powerful firewalling, anti-virus and
patch management policies protecting the fortress. But what good is
all this if a Trojan can enter through the front gate?
Spyware is any software installed without the user's informed
consent that gathers information about the user and the network.
Sometimes the user pulls in spyware without realising the danger,
sometimes it arrives through a browser vulnerability with no
deliberate download at all. Once inside, it gathers information to
build a profile of the user's habits and online environment. It
passes through the firewall as ordinary outbound web traffic, with
the implicit permission of the user.
At its simplest, spyware may be no more than a cookie, the small
text record that virtually all websites set through the browser.
Cookies come in two main varieties. The vanilla, first-party
variety is arguably well meant and useful. It stores an identifier
or session token so a visitor can re-enter a website without typing
in their user name and password again. It may also store
preferences for personalised pages, usually called "My something".
When the browser presents the cookie on a return visit, the site's
scripts can track the visitor around the site and learn more about
their interests and preferences. This is typically benign: a
first-party cookie is sent back only to the domain that set it, and
a session cookie is discarded when the browser closes. Another
example is the shopping trolley cookie, which "carries" your
purchases to the virtual checkout and is then deleted.
Advertising cookies
The second variety is the darker, advertising cookie. It is set not
by the site the user typed in but by a third-party domain embedded
in the page, for the benefit of the authoring company and its ring
of partners. Such a cookie may only ply the surfer with targeted ads
while on one website, but because the browser returns it to the ad
server from every site that carries that server's content, the
tracker can follow surfers beyond the original site and across the
internet.
Banner ads and web bugs can legitimately be placed on websites, and
the tracker then sees every visit to any page carrying the bug. It
can note all pages visited, user names, e-mail addresses used,
searches performed and other information for building a personal
profile. Based on this, the user is subjected to customised
advertising and spam.
Because cookies are simple text files, they cannot plant malicious
code, but innocent data can be used maliciously. Imagine employees
from company A visiting competitor company B's website to check on
products and pricing. This offers B the opportunity to place a
persistent cookie on the PC of every visitor from A. The
intelligence gathered can show patterns of corporate behaviour. If
the cookie comes from a web bug, placing ads on the pages of
competitors and other sites can reveal much more detailed
patterns.
If company A is rumoured to be considering a merger with company C,
a web bug placed by B on C's site will pick up any increased
activity or interest from A. All of this is legal - and almost
unstoppable.
Hackers
Butler Group analyst Maxine Holt warned users that spyware offers
hackers an ideal opportunity to install hacking toolkits on
end-users' PCs. "An important point to remember is that the use of
a toolkit typically automates basic tasks for a hacker, such as
scanning for vulnerabilities." She said such toolkits would allow
the hacker to discover vulnerabilities remotely and Trojans can be
implanted without the hacker needing to take direct action.
Many freeware or shareware web downloads contain spyware, or
adware, to plug their advertisers. Not all are so benign.
Downloaded aids, such as toolbars, become a constant part of the
browser and many do useful jobs, but some hide keyloggers that
record every key press or may even install a server backdoor
through which hackers enter the network.
Protecting your systems
The best protection against this malware is to outlaw downloads
explicitly in a policy document and bar them electronically, where
practical.
Gunter Ollmann, manager of X-Force Security Assessment Services at
Internet Security Systems, warned that senior executives are often
the worst culprits for unauthorised downloading. "Policies should
apply to all ranks in an organisation. Some of the worst machines I
have seen are owned by financial directors. Besides the usual
business data, I have found some most interesting content," he
said.
There are tools users can install to stop spyware. Jan Sundgren, an
analyst at Forrester Research, said that although these are the
most cost-effective way of dealing with the problem, many personal
firewalls also control application access to the internet and can
stop adware from sending out information.
Sundgren said, "An advantage of using a firewall with application
control is that your defence is not based on signatures of known
adware. Also, the enterprise versions of these firewalls allow for
centralised management."
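To show what application control means in practice, here is an added example (written for this page, not code from Forrester or from any product the article names) that applies a per-application egress allow-list to constructed outbound-connection records of the kind a personal firewall would log. A connection is judged by which program is making it and where it is going, not by matching a signature, so the unknown toolbar is blocked the first time it phones home. The executable paths, the allow-list and the log lines are all invented for the example.

```python
"""Added example, not part of the original article: application-control
egress filtering over constructed outbound-connection records."""
import ipaddress
from collections import Counter

# Allow-list keyed by executable path with permitted destination ports.
# Entries are constructed for this example.
ALLOWED_APPS = {
    r"C:\Program Files\Internet Explorer\iexplore.exe": {80, 443},
    r"C:\Program Files\Outlook\outlook.exe": {25, 110, 143, 443},
}

# Destinations inside the corporate network do not count as "sending out".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed records: timestamp, user, executable path, destination.
SAMPLE_LOG = [
    r"2003-09-01T09:00:01 jsmith C:\Program Files\Internet Explorer\iexplore.exe 198.51.100.10:80",
    r"2003-09-01T09:00:05 jsmith C:\Program Files\Outlook\outlook.exe 10.1.2.3:143",
    r"2003-09-01T09:01:12 jsmith C:\Program Files\FreeToolbar\toolbar.exe 203.0.113.7:80",
    r"2003-09-01T09:01:13 jsmith C:\Program Files\FreeToolbar\toolbar.exe 203.0.113.7:80",
    r"2003-09-01T09:02:00 jsmith C:\Program Files\Internet Explorer\iexplore.exe 198.51.100.10:8080",
    r"2003-09-01T09:03:30 fdirector C:\Users\fdirector\Downloads\update.exe 203.0.113.9:6667",
]


def parse_record(line):
    """Split one record. The path may contain spaces, so the destination
    is taken from the right and the path is whatever remains."""
    head, dest = line.rsplit(" ", 1)
    timestamp, user, process = head.split(" ", 2)
    ip, port = dest.rsplit(":", 1)
    return {"timestamp": timestamp, "user": user, "process": process,
            "ip": ip, "port": int(port)}


def decide(record):
    """Return (verdict, reason) for one outbound connection. The decision
    rests on which program is connecting and where, never on a signature
    of known adware."""
    addr = ipaddress.ip_address(record["ip"])
    if any(addr in net for net in INTERNAL_NETS):
        return "allow", "internal destination"
    ports = ALLOWED_APPS.get(record["process"])
    if ports is None:
        return "block", "application not on allow-list"
    if record["port"] not in ports:
        return "block", "port not permitted for this application"
    return "allow", "allow-listed application and port"


def review_log(lines):
    """Apply the policy to every record and count blocks per program."""
    decisions = []
    blocked = Counter()
    for line in lines:
        record = parse_record(line)
        verdict, reason = decide(record)
        decisions.append((record, verdict, reason))
        if verdict == "block":
            blocked[record["process"]] += 1
    return decisions, blocked


if __name__ == "__main__":
    decisions, blocked = review_log(SAMPLE_LOG)
    for record, verdict, reason in decisions:
        print(f"{verdict:5} {record['process']} -> "
              f"{record['ip']}:{record['port']} ({reason})")
    print("blocked per program:", dict(blocked))
```

The caveat a practitioner will want: this policy identifies a program by its path, which a Trojan can defeat by naming itself after a trusted executable or injecting itself into one. Real application-control firewalls add a hash or publisher check on the executable for that reason, and the central management Sundgren mentions is what keeps that allow-list consistent across every desktop.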
It is not just corporate information that is at risk. In July, a
Devon man was cleared of knowingly downloading child pornography
when a computer expert discovered 11 Trojans on his hard drive.
Though it was not proven that these downloaded the images, it is
not impossible to believe. The victim temporarily lost custody of
his daughter and almost lost his liberty. If a similar event
occurred in the corporate world, an enterprise pleading ignorance
might not be given the benefit of the doubt.
What are web bugs?
Web bugs are usually banner ads but can be as small as one pixel.
When a browser downloads the graphics for a page, the graphical
elements do not all come from the web server hosting the site. Many
of the graphics are fetched from third-party sites, and some of
these may be marketing companies or even business competitors
seeking to gain information about the user's web surfing habits.
In itself, a web bug is harmless, but the request to its host
server makes the link that offers the chance to plant a cookie and
record the IP address, or sometimes the e-mail address, of the
surfer. Web bugs from third-party sites also feature in the current
trend of HTML e-mail: the image URL can carry a per-recipient
identifier, so simply opening the message reveals the e-mail
address to the bugging site.
By comparing results from different sites or synchronising the
database with other bugging sites, a detailed picture of the surfer
can be developed and sold on.
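As an added example, not code from the article or from any product it names, the following Python script performs the check a cautious administrator might run on a saved web page or HTML e-mail: it lists every image that is fetched from a third-party domain, is a 1x1 pixel, or carries an identifier in its URL, since those are the requests that hand a cookie slot, the visitor's IP address and sometimes an encoded e-mail address to the bugging host. The page, hostnames and identifier in the sample are constructed for the example, and the domain-matching helper is a deliberate simplification that assumes only a few two-label public suffixes such as co.uk.

```python
"""Added example, not part of the original article: find web bugs in a
saved HTML page or HTML e-mail and show what each one discloses."""
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Constructed sample: a page on www.example-a.co.uk that embeds a banner
# from an ad network and a 1x1 pixel whose URL carries a per-recipient
# identifier, as a bugged HTML e-mail would. All hostnames are invented.
SAMPLE_PAGE_URL = "https://www.example-a.co.uk/products"
SAMPLE_HTML = """
<html><body>
<img src="/images/logo.png" width="120" height="40">
<img src="https://ads.example-tracker.net/banner.gif?site=a-corp"
     width="468" height="60">
<img src="https://pixel.example-tracker.net/open.gif?uid=jsmith%40example-a.co.uk"
     width="1" height="1">
<img src="https://www.example-a.co.uk/img/product.jpg">
</body></html>
"""


class ImageCollector(HTMLParser):
    """Collect the attributes of every <img> tag in the document."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.images.append(dict(attrs))


def registrable_domain(host):
    """Approximate the registrable domain (eTLD+1) of a hostname.
    Assumption for this example: only a few two-label suffixes such as
    co.uk are handled; a real tool should use the public suffix list."""
    labels = host.lower().split(".")
    two_label_suffix = (len(labels) >= 3 and len(labels[-1]) == 2
                        and labels[-2] in ("co", "ac", "org", "gov"))
    return ".".join(labels[-3:] if two_label_suffix else labels[-2:])


def find_web_bugs(page_url, html):
    """Return one finding per image that is third-party, a 1x1 pixel, or
    carries identifiers in its query string. Each such request lets the
    image host set a cookie and log the client's IP address."""
    page_domain = registrable_domain(urlparse(page_url).hostname)
    collector = ImageCollector()
    collector.feed(html)
    findings = []
    for img in collector.images:
        src = img.get("src", "")
        parsed = urlparse(src)
        host = parsed.hostname
        third_party = bool(host) and registrable_domain(host) != page_domain
        one_pixel = img.get("width") == "1" and img.get("height") == "1"
        # parse_qs decodes %40 back to "@", exposing the e-mail address.
        identifiers = {k: v[0] for k, v in parse_qs(parsed.query).items()}
        if third_party or one_pixel or identifiers:
            findings.append({"src": src, "host": host,
                             "third_party": third_party,
                             "one_pixel": one_pixel,
                             "identifiers": identifiers})
    return findings


def bugging_hosts(findings):
    """Sorted third-party hosts that receive a request, and so can set a
    third-party cookie, when the page or message is rendered."""
    return sorted({f["host"] for f in findings if f["third_party"]})


if __name__ == "__main__":
    found = find_web_bugs(SAMPLE_PAGE_URL, SAMPLE_HTML)
    for f in found:
        print(f)
    print("third-party hosts:", bugging_hosts(found))
```

Note what the output shows: blocking third-party cookies, the last item in the checklist that follows, stops the pixel host from keeping a persistent identifier on the PC, but the request still goes out, so the IP address and the recipient identifier in the URL are disclosed regardless. Only preventing the fetch (or reading mail as plain text) closes that channel.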
How to protect against spyware
- Ensure all web traffic is firewalled
- Block any suspicious outward traffic at the firewall
- Use anti-spyware software regularly, such as Symantec Internet
Security, Spybot S&D and Adaware
- Bar unsanctioned software downloads wherever possible
- Monitor computer inventories, especially mobile devices, for
illegal software additions
- Implement a security policy addressing internet access
- Block third-party cookies.
Useful sites
An example security policy
www.websense.com/products/resources/iap/
Adaware
www.lavasoft.de
Spybot Search and Destroy
http://security.kolla.de/index.php?lang=en&page=about
Spyware/adware remover
www.bulletproofsoft.com
Source: Forrester Research