02-02-2013, 12:07 PM
Understanding Spyware: Risk and Response
Spyware (programs that monitor a computer
user’s activities and capture data
about the user, storing the information so
a third party can access it) is a relatively
new phenomenon, affecting more than 50 percent
of Windows operating systems failures, as reported
by users to Microsoft (“Battling ‘Spyware’:
Debate Intensifies on Controlling Deceptive
Programs,” Microsoft, 20 April 2004,
http://www.microsoftpresspass/features/2004/apr04/04-20Spyware.asp).
Although only in its
adolescence, spyware has had an immediate
impact on the Internet community and could
severely threaten security. IT professionals have
used the term spyware generically and specifically,
with different intent. Many have heard of spyware,
but few realize the specific distinctions between
spyware, adware, scumware, or other species in the
malware genus. The “Terminology Brief” sidebar
defines several of these terms. Some terms have
multiple definitions, but the sidebar covers the
most common and accurate uses.
Spyware countermeasures are just now maturing
beyond their initial capabilities, with many
choices available to enterprises and individual
users. As this field matures, threats and responses
are becoming more sophisticated. One major concern
has been the time lag between
how quickly threats have evolved
compared to how quickly countermeasures
become available to deal
with the threats. Spyware has
evolved rapidly because of the profit
motivation that spurs it forward.
HOW DOES SPYWARE WORK?
Spyware varies from mild to wild, as does user
risk. At the mildest level—such as that of a simple
cookie, in which a user can access a known Web
site without reentering his username and password—
the resulting risk is minimal. But some privacy
advocates have no risk tolerance and will
therefore not allow even the most basic cookie.
The second and third levels of exposure are an
entirely different story. These can easily exceed
individuals’ and enterprises’ risk tolerance.
First level: Basic cookies
The most basic level of Web server recognition
is based on a simple cookie identification for a single,
specific site. Simple cookie identification
enables the site to recognize the user when he
returns to the site, and it allows the site to associate
the user with the known stored data he has
provided. This is generally useful to the user, who
presumably agreed to share his typed data with
the site. So the user is aware of and generally
accepts this recognition and considers it low risk.
This useful feature lets sites like booksellers or
airlines recognize you and provide your customized
preferences immediately.
Second level: Associated cookies
Many agree that real spyware stems from associated cookies, greatly
increasing user exposure and risk. Associated cookies work by identifying
a single user each time he connects to any member site. These cookies track
activity and store data gathered from the user’s interaction with each member
site. Advertising companies form agreements with the member sites,
which allow these advertisers to place references on the site. The references
are to spyware data servers—they could be a simple image file reference
with a picture or even just a single pixel. These references cause the user’s
browser to travel to the referenced spyware site and attempt
to acquire the reference. Once there, the spyware site looks
for a recognizable cookie on the user’s system. Finding none,
it sends one with a unique ID called a globally unique identifier
(GUID) that identifies the user any time he visits a
member site. Figure 1 illustrates the interactions among the
user, and the member and spyware sites.
Third level: Application based
The third level of spyware is application based, and it can become totally
malignant to systems and users, causing severe security exposure and risk.
A key problem is that users cannot restrict application-based spyware. Such
software can gain complete control of the user’s system, starting whenever
the user turns on the system. These applications can query the system for any
desired data and can transmit anything and everything from the user’s system
to an outside source.
Advertisers use application-based spyware for all the reasons described
previously, but this technique does not have to wait for the user to share
data with a member site.
LEGISLATION
Just as no legislation addressed viruses and computer
hacking when they began, no US legislation currently
addresses spyware control. At the state level, in March
2004, Utah adopted legislation—HB 323—that aims to
control spyware
(http://www.le.state.ut.us/~2004/bills/hbillenr/hb0323.htm).
As you might expect, spyware companies
voiced their objections, but many computer industry
leaders also voiced objections, which was particularly
interesting. Although this legislation’s effectiveness
remains to be seen, it has clearly brought attention to the
issue. Opponents sought and won a temporary injunction
to halt the legislation in June 2004.
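
The associated-cookie mechanism described under "Second level: Associated cookies" can be spotted in a browser's request history: the same cookie value reaches one third-party host from pages on several unrelated member sites, while a first-level cookie only ever returns to the site that set it. The following is an added example, not part of the original article; the host names, cookie names and records are constructed, and the two-label `site()` helper is a simplifying assumption.

```python
from collections import defaultdict
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed browsing records (not real traffic): the page the user was on,
# the URL the browser fetched for that page, and the Cookie header it sent.
REQUESTS = [
    ("http://books.example/", "http://books.example/home", "session=u1001"),
    ("http://books.example/", "http://ads.tracker.example/p.gif", ""),
    ("http://air.example/", "http://air.example/fares", "prefs=aisle"),
    ("http://air.example/", "http://ads.tracker.example/p.gif", "guid=7f3c9a"),
    ("http://news.example/", "http://ads.tracker.example/p.gif", "guid=7f3c9a"),
    ("http://news.example/", "http://cdn.static.example/site.css", ""),
]


def site(url):
    """Crude site key: the last two host labels (assumption; production
    code should consult the Public Suffix List instead)."""
    host = urlsplit(url).hostname or ""
    return ".".join(host.split(".")[-2:])


def find_associated_cookies(requests, min_sites=2):
    """Return {(third_party_site, cookie_name, value): [member sites]} for
    cookie values a third party received from min_sites or more sites."""
    seen = defaultdict(set)
    for page_url, fetch_url, cookie_header in requests:
        page_site, fetch_site = site(page_url), site(fetch_url)
        if page_site == fetch_site:
            continue  # first-level case: a site reading its own cookie
        jar = SimpleCookie()
        jar.load(cookie_header)
        for name, morsel in jar.items():
            # The same identifier arriving from another member site is the
            # cross-site recognition the article describes.
            seen[(fetch_site, name, morsel.value)].add(page_site)
    return {k: sorted(v) for k, v in seen.items() if len(v) >= min_sites}


if __name__ == "__main__":
    hits = find_associated_cookies(REQUESTS)
    for (tracker, name, value), members in hits.items():
        print(f"{tracker} saw {name}={value} on: {', '.join(members)}")
```

The first request to the tracker carries no cookie, which corresponds to the visit on which the spyware site finds none and issues the GUID; only the later requests carrying that GUID are counted.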