Jesse Aaron Safir

Security Topic Chosen for Future Forecast: spyware

Introduction to Spyware:

Spyware is any software which is installed on users' computers without their knowledge and consent and which sends information about those users, their computing habits, their preferences, or the contents of their computers back to a remote server on the Internet. In many cases, this software is designed to gather marketing information about users and to use that information to target advertising at them that is most likely to pique their interest. This kind of spyware is also called adware because it often involves integrating banner ads into the users' web browsers or other applications and tracking which ads have been displayed and which ones the users clicked on. Scott Spanbauer claims that "hundreds of freeware, shareware, ad-supported, and even shrink-wrapped commercial applications contain components that maintain a record of your online activity and transmit that information to an advertiser's server" (Spanbauer).

Al Stevens explains that there are two kinds of "adware". The first kind is when the host application "displays the ads and the adware company sells space in the applications of its partners to advertisers...Every time a user opens your application, they see banner ads, different ones at different intervals. This exposure is called an 'impression.' The banner displays are controlled by the adware software, which keeps track of impressions. In some systems, [software authors and publishers] get paid by the impression" (Stevens). The other kind of adware involves a separate DLL getting installed with the host program. The DLL doesn't interact with the host application, but rather it displays a button in the user's Internet browser title bar. When the user clicks on the button, he/she gets redirected to the advertiser's website. Software authors and publishers get paid a one-time fee for each user who installs the application (ibid).
Another kind of spyware involves checking to see what software is installed on users' computers to make sure that it is legitimate and registered rather than bootlegged and illegal. Some software vendors are embedding this kind of spyware into their applications to try to protect their intellectual property rights.

A third kind of spyware is the kind used by intelligence agencies, such as the CIA and the NSA, to "snoop" on the online activities of suspected criminals or otherwise interesting people. The most notable of the third kind of spyware are the NSA's global Echelon surveillance system, which reportedly intercepts and processes over 3 billion communications per day, the FBI's Carnivore software, which is installed with the cooperation of Internet Service Providers (ISPs) in their networks to capture all communications to and from suspected criminals, and the FBI's "Magic Lantern" keystroke-logging system, which has the ability to capture encryption passwords to allow the FBI to decrypt communications to and from the targeted computer (Levy). John C. Dvorak explains that this keystroke-logging system was successfully used to bust an alleged New Jersey bookmaker by capturing his passwords, which made his password-protected encryption useless (Dvorak).

Why Spyware Is Significant:

Spyware is an important information security topic to consider because it raises questions about protection of individuals' right to privacy. Marketing firms want to gather as much personal information about potential customers as possible and this includes their online computing habits and preferences. They stand to make an enormous amount of money by gathering this type of data and using data mining techniques to come up with relevant statistics and lists of potential customers for almost any good or service. Once they have this information, they can sell it for a lot of money to the companies that want to sell those goods and services.
In addition, software publishers may be lured into including spyware with their products as a way to subsidize the development and maintenance of the software. Inclusion of the spyware with downloadable software allows the software authors and publishers to make the software available to billions of users for "free", rather than relying on the older and mostly ineffective method of asking customers to pay for the software they use. According to Al Stevens, "industry estimates are that 90 percent of shareware users are using unregistered copies or bootleg copies of registered shareware programs" (Stevens).

Governmental agencies and law enforcement agencies want as much access as possible to be able to monitor the activities of potential criminals and terrorists. The NSA's Echelon system is an enormous system of global communications surveillance. For example, the Echelon system records, transcribes, translates, and filters every international phone call to and from the United States. The system watches for interesting or alarming words like "President Bush" and "Bomb" and only flags those messages that are interesting in terms of national security.

Many concerned citizens and civil liberties groups such as the ACLU (American Civil Liberties Union), the EFF (Electronic Frontier Foundation), and EPIC (the Electronic Privacy Information Center) are calling for legislation and self-restraint to protect the right to privacy of citizens. Since September 11th, 2001, however, there are also a lot of people who are willing to give up their privacy in exchange for additional security against future attacks.

Background Information:

According to Dave Rensberger, "spyware arrives quietly and burrows deeply, usually attaching itself to a parent program. Even reading the privacy policy of the primary software you install may not mention anything about the suckerfish attached to it.
These little stealth packages travel with you everywhere you go, sending a map of your progress back to your benefactors. This information isn't just limited to old indicators like clicking on pop-up ads; various incarnations can track you right down to the keystroke" (Rensberger).

Neil Rubenking explains that users feel secure when they have anti-virus software running on their PCs and a firewall protecting their network traffic, but he notes that spyware can evade all that protection. He states, "even though your system is protected against outside attack, it's still vulnerable to betrayal from within. Each time you connect to the Internet, you may be sharing that connection with a traitor--a spyware program that has its own agenda and communicates secretly with its home site. Some spyware programs are installed automatically when you visit Web sites that use them. Others are installed along with particular shareware or freeware programs. The installation may occur completely without your knowledge, or you may accept it by clicking on Yes without reading the entire license agreement" (Rubenking).

Rubenking also notes, however, that many of the accusations that spyware programs are inventorying software on the user's system and scanning the Registry and then sending this and other private information back to the Internet have not been proven. He points out that all of the known spyware programs claim to respect your privacy, and "under scrutiny, these claims appear to be true" (Rubenking). He also mentions that many of the spyware companies provide uninstallers for users who wish to "opt-out" of using the software. This is important because in many cases, removing the application which installed the spyware does not actually remove the spyware as well (Spanbauer).

The earliest and simplest type of spyware was the invention of web browser "cookies".
The name comes from UNIX objects, called "magic cookies", which are tokens attached to a user or program that change depending on where the user or program goes. Cookies are sent by web sites to web browsers and then sent back to the web sites when requested. They contain personal information and preferences so that the user doesn't need to keep entering this information every time they go back to the same sites. The problem is that for most users, cookies are accepted and retrieved automatically and their preferences, personal information, and even passwords can be available to anyone who is smart enough to read their cookies. In addition, companies like doubleclick.com are able to use cookies to track which web sites users go to, how often, and which ads they clicked on.

Current State-of-the-Art:

Legitimate Uses for Spyware:

As mentioned above, spyware does have some legitimate uses. For example, web browser "cookies" can actually improve the web browsing experience by helping users to not need to keep entering their personal information over and over every time they go to a specific website. They can help online merchants to personalize the web browsing experience for their customers so that each customer is offered goods and services that are more likely to pique his/her interest. "Adware", which is included with "free" downloadable software, can enable the software authors and publishers to write very useful and innovative software tools for users to use and to offer those tools to users for "free". I quote "free" because there is a price being paid; it's the user's time and willingness to share his/her personal information, computing resources, and network connection. The good news is that users no longer have to directly "pay" for the software they use and software authors and publishers probably make more money from their work than they would if they were using the old shareware "honor" system.
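The cross-site tracking described above, where an ad company's cookie comes back from many unrelated web sites, can be detected by a cookie monitor from the cookie headers it observes. The following Python sketch is an added example and not part of the original essay; the host names, cookie values, and the two-label `site_of` shortcut are assumptions made for illustration.

```python
from collections import defaultdict
from http.cookies import SimpleCookie

# Constructed sample, not real traffic: (site the user visited,
# host that served the resource, cookie header seen for that host).
OBSERVED = [
    ("news.example", "news.example", "session=a1b2; Path=/"),
    ("news.example", "ads.tracker.test", "uid=77f3c9; Domain=tracker.test; Path=/"),
    ("shop.example", "shop.example", "cart=3; Path=/"),
    ("shop.example", "img.tracker.test", "uid=77f3c9; Domain=tracker.test; Path=/"),
    ("mail.example", "cdn.widgets.test", "theme=dark; Path=/"),
    ("blog.example", "ads.tracker.test", "uid=77f3c9; Domain=tracker.test; Path=/"),
]


def site_of(host):
    """Reduce a host to its last two labels.

    Assumption for this example only: real tools consult the Public
    Suffix List, because two labels is wrong for names like co.uk.
    """
    return ".".join(host.lower().lstrip(".").split(".")[-2:])


def find_cross_site_trackers(observed, min_sites=2):
    """Return third-party cookies whose same value appears on >= min_sites sites.

    Keys are (cookie site, cookie name, cookie value); values are the
    sorted first-party sites on which that cookie was observed.
    """
    seen = defaultdict(set)
    for page_host, resource_host, header in observed:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            # A Domain attribute widens the cookie's scope; fall back to the
            # host that served the resource when it is absent.
            cookie_site = site_of(morsel["domain"] or resource_host)
            if cookie_site == site_of(page_host):
                continue  # first-party cookie: the site the user chose to visit
            seen[(cookie_site, name, morsel.value)].add(site_of(page_host))
    return {key: sorted(sites) for key, sites in seen.items()
            if len(sites) >= min_sites}


def domains_to_purge(trackers):
    """Collapse flagged cookies into the list of sites whose cookies to delete."""
    return sorted({cookie_site for cookie_site, _name, _value in trackers})


def purge(stored, blocked):
    """Drop stored (domain, name, value) cookies that belong to a blocked site."""
    return [cookie for cookie in stored if site_of(cookie[0]) not in blocked]


if __name__ == "__main__":
    trackers = find_cross_site_trackers(OBSERVED)
    for (cookie_site, name, value), sites in trackers.items():
        print(f"{cookie_site} follows {name}={value} across {', '.join(sites)}")
    print("purge:", domains_to_purge(trackers))
```

A cookie that is third-party on only one site, such as the constructed `theme=dark` entry, is not flagged; the signal is the same identifier returning from several unrelated first-party sites.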
In addition, the makers of "spyware" applications often have published privacy policies and are very insistent that no personally-identifiable information is being collected. The implication is that while preferences and other sensitive information are being gathered from an enormous number of Internet users, this information cannot be linked back to anyone's actual identity.

Even the spyware used by governmental agencies and law enforcement may be useful in helping to catch and prosecute criminals or prevent terrorist acts, but there is also a lot of potential for abuse of power. Unfortunately, even with all their advanced spyware technology, the US government failed to stop the terrorist attacks on September 11th, 2001.

Challenges To Be Considered:

As the name implies, "spyware" involves gathering potentially sensitive information without the users' consent. In order for the users to openly accept "spyware" on their computers, they should be made aware of specifically what information about them is being gathered and how it is being used. I would suspect that most Internet users would not agree to having their personal information "stolen" without their consent and only for the purpose of making somebody else richer. Users, in general, are willing to give up some of their personal information if they are getting something they want in return. In addition, users are probably not interested in sharing their computing resources, such as memory, disk space, processing cycles, and network bandwidth unless they know that they are getting something valuable in return. Steven J. Schuchart Jr. sees unauthorized spyware as an invasion of privacy. He goes on to say that "the use of such tactics is tantamount to theft of services. I didn't volunteer to give up CPU cycles, memory, and disk space to support market research" (Schuchart).
These ideas apply equally to the use of "cookies" and other web-browser-based "spyware" tools such as some ActiveX controls as they do to other adware and spyware tools that ride along with the installation of legitimate applications. Users can configure their web browsers to stop cookies or prompt every time one is sent or requested, but blocking them makes websites "break" and constant prompting is very annoying and slows down productivity. There are some utilities available which can be used to monitor the cookies on your system and remove those from companies whose only interest is in stealing your personal information for marketing purposes. One example of such software is a utility called "Cookiewall" from AnalogX (Rensberger). In addition, there are some utilities available which detect and remove all traces of spyware installed on your computer. The problem is, however, that many of the host applications that installed the spyware break when you remove the spyware components. One example of such software is a utility called "Ad-Aware" from LavaSoft (Rensberger).

Most users who actually pay for their software would be appalled to find out that the software is betraying their trust by sending personal information back to some Internet server without their consent. One other issue to consider is that spyware programs have been found to be the cause of system performance and stability problems (Rubenking). John C. Dvorak claims, "spyware is often poorly written, and it grabs bandwidth, slows boot times, and crashes PCs. My system has become more stable since the removal of this garbage" (Dvorak).

With respect to the spyware that governmental agencies use for surveillance, there are a lot of legitimate fears that this type of surveillance is akin to "Big Brother" in George Orwell's 1984.
Even though the NSA's global Echelon surveillance system is able to intercept an enormous number of communications around the world, there isn't enough computing power and powerful enough software to convert all these communications into accurate intelligence information automatically. According to Kevin Hogan, "many experts say the ability to derive useful knowledge from all that data is still far from plausible. Even as the processing times get faster and the software gets smarter, the process of turning raw data into assured intelligence is far from perfect. If the goal is capturing, listening to and then actually sussing every single electronic communication in the United States, 'In practical terms, we're not even close,'" (Hogan). With reflection on the September 11th attack, he says "even if intelligence agencies seamlessly integrate their knowledge, the tools available to them now and for the foreseeable future do not appear up to the task of providing the early warning needed to thwart terrorist plots" (ibid).

The FBI's Carnivore system, which can be installed on a simple PC in any ISP's machine room, has also come under legal scrutiny by civil liberties groups because although it is supposed to only capture email, instant messages, web search trails and other electronic communications between the targeted computer and the rest of the Internet, and only when legally authorized by judicial approval, the technology exists for these kinds of systems to monitor much more than that. By giving these limited digital wiretap powers to the FBI, the public has to trust that the FBI will not abuse that power and use their technology to do all sorts of unauthorized surveillance.

The intelligence community has many other tools they have developed for capturing, filtering, digesting, and understanding digital communications. The problem is that there's a whole lot more information than can actually be processed in any meaningful way.
Hogan says, "security and intelligence experts agree that the mass of information generated every day around the world far outstrips the capacity of present-day technologies to process it" (ibid).

Another problem is that the spyware technology can easily be fooled. For example, "'the odds are nigh on impossible that the NSA or anybody else is going to be able to break' an encrypted message, says security expert and author Schwartau. Another technology that Osama bin Laden's minions reportedly used falls under the rubric of steganography: cloaking one type of data file within another. It is possible, for example, to hide a text file with attack plans within a bit-mapped photo of Britney Spears" (ibid.). Hogan also notes that even the most advanced spyware technology "can be stymied by embarrassingly primitive countermeasures". For example, the terrorists could have substituted the word 'banana' for 'bomb' and 'orange' for 'World Trade Center'. To summarize the challenges that face this governmental spyware, Hogan states, "Even the most sophisticated intelligence paraphernalia still can't guarantee success when pitted against the malevolent combination of human ingenuity and capacity for evil" (Hogan).

Likely Future Scenario:

What Is the Future of Spyware?

According to Dave Rensberger, "Our society is busy trading privacy for convenience or security with no end in sight. We are all busy compromising, but we don't have to like it. The real problem isn't lack of legislation, it's the profit factor. As long as there is profit in them, marketing techniques will flourish" (Rensberger).

Neil Rubenking recommends that users become a lot more aware of the software they allow to install on their computers. This means that they have to actually read the long and boring licensing agreement to make sure they understand everything the software is supposed to do.
It also means that they should configure their web browsers to prompt them before automatically installing software and some cookies. For example, Internet Explorer can be configured to prompt before downloading and installing ActiveX controls (Rubenking).

According to Rubenking and others, Steve Gibson of Gibson Research is taking aim at all spyware applications. He has written several programs and offers them from his web site to help users monitor the security of their systems and to remove unwanted cookies and spyware. For example, Gibson offers an online service called ShieldsUp! that can remotely scan the security of any requesting PC. Ed Foster quotes Steve Gibson as saying, "It's my intention to 'retarget' OptOut in the very near future at the continuing problem of Web-based privacy abuse. I'm going to completely end the problem of cookie misuse and third-party cross-domain information leakage. Thus OptOut will become a tool for allowing people to instantly 'disappear' from radar screens of those who would track them...while allowing safe and untraceable cookie use" (Foster).

Gibson also has his own recommendations for the future of spyware itself. According to Rubenking, Steve Gibson proposes a "Code of Backchannel Conduct", which essentially says to marketers, "You may use my Internet connection, but you must first help me to understand why you want to use it and how you will use it, then receive my explicit consent before using it. Then, if I ever change my mind, you must cease such use and go away" (Rubenking).

Rubenking notes that despite all the hype and controversy, "there is no evidence that spyware programs are gathering private information or associating that information with individuals" (ibid). I'm sure that this statement applies to commercial spyware and NOT to governmental and law enforcement spyware, which clearly aims to gather as much information as possible about the online activities of suspected criminals and terrorists.
One answer to the spyware controversy is that the marketing companies self-regulate. According to Callaghan et al., the "Personalization Consortium...issued a set of privacy principles and a framework for conducting third-party audits of members' privacy policies" (Callaghan et al.). These authors report that James Catlett, the president of Junkbusters Corp. and a noted privacy advocate, finds most industry association attempts at self-regulation to be "lamentable", but he sees the Personalization Consortium's latest effort as "pretty progressive" (ibid).

Ed Foster of InfoWorld is not so optimistic about the future of spyware. He states, "Not only should you not trust the vendors to refrain from abusing your privacy, but don't expect the government to do anything serious to help soon. In fact, the legal trend is the opposite. With the Digital Millennium Copyright Act already law and the Uniform Computer Information Transactions Act (UCITA) being enacted in a few states, software developers have been gaining lots of legislative cover for slipping spyware onto your system to protect their intellectual property rights" (Foster).

I predict that as the Internet continues to grow, users will be bombarded with more and more targeted advertising, pop-up ads, spam, etc., as a result of unregulated or poorly-regulated spyware technologies that are installed on their PCs. I further predict that the anti-spyware community will develop better and more effective tools to block spyware from communicating with remote systems and to remove as much of it as possible. More and more users will download and install tools, such as Ad-Aware or SpyBlocker, that regularly and automatically scan their systems for unauthorized spyware and remove it. There will be other tools, such as AdSubtract, JunkBusters, and GuideScope, that will block pop-up, pop-under, and banner ads as well as spyware cookies that track browsers from one website to another.
There will be more tools to scan personal computers for unauthorized processes and open TCP/UDP ports and to shut those processes down as well. There will be better anti-virus software and personal firewalls. There will also be better system integrity verification systems that detect unexpected or unauthorized changes to the system as well as systems that watch for keystroke loggers and other network sniffers.

In general, I expect these anti-spyware tools to become more user-friendly and therefore I predict that perhaps a majority of Internet users will download and install them in order to rid themselves of the annoyances and invasion of privacy of spyware. I expect marketing companies to come up with more creative and stealthy ways to integrate spyware into partners' software but I also expect more industry self-regulation with more detailed privacy policies and third-party certification and enforcement of those standards. I see government regulations helping a little bit by requiring minimal protection of users' privacy while allowing companies to use spyware to combat software piracy and protect intellectual property rights.

As time passes, the intelligence community will continue to advance their technologies for processing and filtering various types of digital communications, including e-mail, fax, voice conversations, video and audio transmissions, and all of these in a much larger number of foreign languages. As the amount of data to process continues to grow, governmental agencies will push for more power to do widespread surveillance. However, because anti-spyware technologies are easy to implement and difficult to crack, those who wish to not have their communications intercepted will become more aware of these technologies and will use them to avoid being caught. The result for the public will be a loss of personal privacy coupled with a decrease in security.

When will these changes happen?
According to Callaghan et al., in 2001, Senator John Edwards, D-N.C., introduced the Spyware Control and Privacy Protection Act of 2001. This bill seeks to protect consumers from the common vendor practice of using user-installed software to secretly collect data and then transmit that data without the consumer's knowledge to the vendor. Callaghan et al. say that this bill "would require that any software that contains spyware provide consumers with an obvious notice of what information the spyware will collect and to who it will be transmitted. Users would have to agree, or opt in, for the data collection to begin. Data collected for technical support or to verify licensing would be exempt" (Callaghan et al.). In addition, the Gramm-Leach-Bliley Act of 1999 (GLB) requires "that vendors provide an annual written notice to customers of their privacy policies--including the types of information they share with third parties. The vendors must also offer customers a convenient means to opt out of third-party information sharing" (ibid).

The growth and interest in anti-spyware utilities is happening now and will continue to happen at an ever increasing rate. Even today these anti-spyware tools are being spread from person to person as people are fed up with all the spyware that is infecting their computers. Marketing companies will continue to discuss self-regulation and governments will continue to discuss legislation to protect consumers from spyware, but these measures won't be nearly effective enough because the profit motive is much more powerful than concern about consumer privacy.

Governmental intelligence agencies have been developing their spyware technologies at least since World War II.
They will continue to put the "best and the brightest" minds on the projects and throw huge amounts of money at them because "homeland security" has become a major priority since September 11th, 2001, but even if the various intelligence agencies start integrating their knowledge and sharing their techniques, they will not be effective at preventing crimes and terrorism.

With what level of confidence can I make these predictions?

Based on all the readings I did for this assignment and my own knowledge of technology, personalities, human ingenuity, and understanding of corporate and individual motivations, I feel very confident that my predictions for the future of spyware are fairly accurate.

References: