Ddddddddddddddddddddddd
Páginas: 9 (2073 palabras)
Publicado: 28 de septiembre de 2010
Interhack 5 E Long St Ste 1101 Columbus, OH 43215
VOX +1 614 545 HACK FAX +1 614 545 0076 WEB http://web.interhack.com/
Spying on Spyware
C Matthew Curtin,
CISSP
Central Ohio Chapter of ISSA July 21, 2004
Abstract Millions of computer users are being watched, not just by employers and auditors, but by the software that they use—frequently without their knowledge or consent. This“spyware” has become the center of the personal privacy debate and threatens to undermine efforts to keep corporate data secured. What exactly is spyware? How does it work? What is its impact on users—and the businesses that employ them? Interhack’s Internet Privacy Project has been pioneering the dissection and documentation of spyware since 1999.
Id: spyware-wp.tex,v 1.2 2005/11/02 18:54:57 cmcurtinExp
1
INTERHACK PROPRIETARY: PUBLIC/5/5
1
Introduction
Software to observe user behavior to collect information under users’ noses is often called spyware. These systems have become central to a heated debate regarding online privacy, prompting the U.S. Congress to consider several bills. 1 In addition, the very nature of such systems—the collection of data that would not otherwisebe available outside of corporate firewalls—raises questions about how companies can remain compliant with privacy-oriented regulation like the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Gramm-Leach-Bliley Financial Modernization Act of 1999 (GLBA).
1.1
What is Spyware?
In its most simple form, spyware is software designed to collect information fromcomputer system users without their knowledge. Typically, spyware can be classified as a type of trojan horse, which is a type of technology-based security incident, allowing for information security policy violation. Figure 1 shows where spyware fits within the broader context of policy enforcement.
Policy Violation
Security Incident
People
Technology
Phishing
Malware
Virus
TrojanWorm
Spyware
Figure 1: Where Spyware Fits
1 As of this writing, several bills that have been presented in the 108th Congress that either address directly or mention spyware, including “Safeguard Against Privacy Invasions Act” (H.R. 2929), “Internet Spyware (I-SPY) Prevention Act of 2004” (H.R. 4661), “Piracy Deterrence and Education Act of 2004” (H.R. 4077).
2
INTERHACK PROPRIETARY:PUBLIC/5/5
2
How Spyware Works
In this paper, we’ll briefly outline two systems that could be classified as spyware to demonstrate different methods for collecting information from users without their knowledge.2 In both cases, these systems perform some kind of surreptitious user tracking and then format some part of that data for reporting back to system’s operator. It should be notedthat there are significantly more egregious cases of spyware in use; we choose these two systems because they represent a Windows-based system that collects and reports information and a Web-based system to do the same. Other cases that we have analyzed include Spector Professoinal [5], TheCounter.com [2], Coremetrics [7], DoubleClick [8, 9], and Netscape [6].
2.1
PCFriendly
PCFriendly is anapplication that shipped on numerous DVD titles between 1996 and 2000. In addition to its stated objective (providing a software-based DVD player for Windows machine), the system collected information about the user and the user’s DVD collection, occasionally reporting such things back to InterActual Technologies, the maker of PCFriendly. PCFriendly is a Windows-based application that starts whena DVD is inserted into the system’s DVD player. The first time that the application starts, the user is asked for information like name, address, email address, and age. A unique identifier is assigned to the user, and the application appears to track changes over time, for example, additional DVD titles put into the system. As of Interhack’s last look at the system (in May 2002), PCFriendly was...
VOX +1 614 545 HACK FAX +1 614 545 0076 WEB http://web.interhack.com/
Spying on Spyware
C Matthew Curtin,
CISSP
Central Ohio Chapter of ISSA July 21, 2004
Abstract Millions of computer users are being watched, not just by employers and auditors, but by the software that they use—frequently without their knowledge or consent. This“spyware” has become the center of the personal privacy debate and threatens to undermine efforts to keep corporate data secured. What exactly is spyware? How does it work? What is its impact on users—and the businesses that employ them? Interhack’s Internet Privacy Project has been pioneering the dissection and documentation of spyware since 1999.
Id: spyware-wp.tex,v 1.2 2005/11/02 18:54:57 cmcurtinExp
1
INTERHACK PROPRIETARY: PUBLIC/5/5
1
Introduction
Software to observe user behavior to collect information under users’ noses is often called spyware. These systems have become central to a heated debate regarding online privacy, prompting the U.S. Congress to consider several bills. 1 In addition, the very nature of such systems—the collection of data that would not otherwisebe available outside of corporate firewalls—raises questions about how companies can remain compliant with privacy-oriented regulation like the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Gramm-Leach-Bliley Financial Modernization Act of 1999 (GLBA).
1.1
What is Spyware?
In its most simple form, spyware is software designed to collect information fromcomputer system users without their knowledge. Typically, spyware can be classified as a type of trojan horse, which is a type of technology-based security incident, allowing for information security policy violation. Figure 1 shows where spyware fits within the broader context of policy enforcement.
Policy Violation
Security Incident
People
Technology
Phishing
Malware
Virus
TrojanWorm
Spyware
Figure 1: Where Spyware Fits
1 As of this writing, several bills that have been presented in the 108th Congress that either address directly or mention spyware, including “Safeguard Against Privacy Invasions Act” (H.R. 2929), “Internet Spyware (I-SPY) Prevention Act of 2004” (H.R. 4661), “Piracy Deterrence and Education Act of 2004” (H.R. 4077).
2
INTERHACK PROPRIETARY:PUBLIC/5/5
2
How Spyware Works
In this paper, we’ll briefly outline two systems that could be classified as spyware to demonstrate different methods for collecting information from users without their knowledge.2 In both cases, these systems perform some kind of surreptitious user tracking and then format some part of that data for reporting back to system’s operator. It should be notedthat there are significantly more egregious cases of spyware in use; we choose these two systems because they represent a Windows-based system that collects and reports information and a Web-based system to do the same. Other cases that we have analyzed include Spector Professoinal [5], TheCounter.com [2], Coremetrics [7], DoubleClick [8, 9], and Netscape [6].
2.1
PCFriendly
PCFriendly is anapplication that shipped on numerous DVD titles between 1996 and 2000. In addition to its stated objective (providing a software-based DVD player for Windows machine), the system collected information about the user and the user’s DVD collection, occasionally reporting such things back to InterActual Technologies, the maker of PCFriendly. PCFriendly is a Windows-based application that starts whena DVD is inserted into the system’s DVD player. The first time that the application starts, the user is asked for information like name, address, email address, and age. A unique identifier is assigned to the user, and the application appears to track changes over time, for example, additional DVD titles put into the system. As of Interhack’s last look at the system (in May 2002), PCFriendly was...
Leer documento completo
Regístrate para leer el documento completo.