This article originally appeared on SearchSecurity.com.
The spyware problem has gotten so bad, experts say, that it is
unlikely it can ever be solved on a technical level. Instead, the
solution will have to come from regulators and law enforcement
agencies.
"It is not technically feasible to stop spyware. You will not be
able to stop this technically. This problem lives at the
legal-technical boundary. We can't go around arresting people,"
said Dan Kaminsky, senior security researcher and founder of
Doxpara Research, speaking on a spyware panel at the recent Black
Hat USA 2006 event. "We need to create standards that clearly
delineate legitimate code from illegitimate code where you throw
people in jail."
Kaminsky on Net neutrality
Dan Kaminsky's annual "black ops" session at Black Hat usually
serves as a pulpit for new research on standard protocols, but this
year Kaminsky took on the bigger topic of internet neutrality and
unveiled details of an open source tool he has developed that will
test whether certain packets are treated differently by carriers
and ISPs.
Net neutrality is a term that underscores the presumed
neutrality of IP networks, which are designed to transport data
from point to point. Protocols higher up the stack may inspect
packets for content, but not the IP layer. Some carriers and ISPs
may treat some traffic, such as encrypted virtual private network
data, differently. Net neutrality keeps this from happening.
"Telcos selectively censor traffic so as to maximise revenue
from those who will pay most," Kaminsky said.
Kaminsky's tool estimates the amount of TCP bandwidth used by a
pair of nodes on the same network. It monitors dropped packets,
which are a source of intelligence about other traffic passing
through a network, and learns what the carrier defines as
interference or second-class traffic.
Net neutrality is currently being debated in US Congress. Some
Democrats are backing an amendment to a proposed telecommunications
bill that would guarantee equal treatment of internet traffic
regardless of source or destination.
AT&T and Verizon oppose the neutrality provisions, saying they
would restrict their ability to offer services. Comcast, for
example, offers a premium $95-a-month service to allow video and
encrypted traffic to pass.
"This has absolutely nothing to do with video," Kaminsky said.
"Your VPNs are being threatened. Tell your bosses."
--Michael S. Mimoso, Information Security Magazine
In a number of recent surveys involving spyware, administrators
have listed it as their top security concern. Trojans, keyloggers
and other stealthy malicious programs have replaced mail-borne
viruses and worms as the weapons of choice for attackers looking
to plant their wares on thousands or millions of machines.
Antispyware supplier Webroot Software compiles quarterly
statistics on the spread of spyware, and its latest figures, which
are due to be published later this month, show that about 31% of
PCs unknowingly harbor at least one Trojan.
The US Department of Justice, Federal Trade Commission and a
host of industry coalitions have made stopping spyware a top
priority, but their efforts have met with limited success.
Eileen Harrington, a deputy director in the FTC's Consumer
Protection Bureau, said her commission is hamstrung by statutory
limitations in its efforts to stop spyware distribution. She said
the FTC is working to get broader authority, especially in regard
to investigations that cross international boundaries.
"It sounds lame to sit up here and say there's only so much we
can do, but it's true," Harrington said. "We all know saying,
'Don't do that anymore' in a civil action is not that effective.
It's very tough under the law to get financial remedies. We're
pushing for new statutory authority to help us do our job
internationally."
Harrington also said a recent appeals court decision that set
forth strict guidelines on how and when the FTC can force
organisations to surrender ill-gotten money could seriously harm
the commission's ability to win judgments against spyware
distributors.
"The effect of the decision has been troubling to us because
we'd have to name every single affiliate [in a spyware distribution
network] and trace every dime," she said. "Needless to say, we
don't necessarily agree with the court's decision."
She added, however, that the FTC does have a large settlement
with a spyware distributor in the works that will require the
company to pay back all of the money it made through spyware.
In the meantime, spyware distributors are becoming more creative
and devious. Stealthy malware that hides its presence on machines
and collects confidential data is now the norm, the panelists
said.
"We're seeing a huge increase in the usage of rootkits and
custom packing and encryption algorithms," said Gerhard Eschelbeck,
CTO and senior vice president of engineering at Webroot.
Kaminsky suggested that a modified form of whitelisting could hold
some promise for preventing spyware infections.
Implementing such an approach is a tough task, however. Defining
good and bad programs through their behaviour is extremely
difficult, given that some legitimate applications can exhibit
rootkit-like behaviour on occasion, and vice versa, the panelists
said.
"The challenge is how you manage your whitelist," Eschelbeck
said.