Spyware enters the spotlight

Late in July, an email that hit employee in-boxes at a British credit card and finance company carried a secret payload -- "spyware" capable of recording confidential corporate data and sending it over the Net.

Labeled "Wedding Invitation", the email looked at first like spam or an ordinary worm. But consultants at security company Clearswift now believe that the email was part of a targeted attack on the victim company aimed at extracting specific information -- a nightmare scenario in the corporate security world.

Clearswift says the incident highlights a dangerous new trend in computer breaches, where spyware applications increasingly play a starring role. Relatively benign attacks intended to win attention by disrupting networks are being eclipsed by sophisticated attempts to steal passwords and other confidential information that can be used to deliver cash.

"The good old days of script kiddies and geeks are well gone," said Pete Simpson, manager of Clearswift's ThreatLab division. "These are criminal gangs, and the motive is clearly profit."

After several years of mounting concern, fears about "spyware" are now starting to come to a head in computer security and policy circles around the world. The term itself is slippery, frequently used fuzzily to apply both to the information-thieving programs such as that identified by Clearswift, and the often-annoying advertising programs typically bundled with free software programs such as Kazaa or Grokster.

Both sides of this spectrum of software are coming under increasing scrutiny, however. A US congressional committee heard testimony on the issue on Wednesday, while studying an antispyware bill introduced by Representatie Mary Bono, a California Republican, which would outlaw many of the practices that most irritate consumers.

Meanwhile, a consortium of private companies is pursing a different path toward the goal of stomping out spyware. Dubbed the Consortium Of Anti-Spyware Technology Vendors and led by the creators of the popular Ad-Aware and Pest Patrol software programs, the group is trying to create standard definitions of "spyware", "adware" and other pests, and give best-practices recommendations to the companies that want to avoid being blocked by their software.

"We're working to figure out a standard definition of what's acceptable, and what's not," said Pete Cafarchio, Pest Patrol's vice president of business development. "We have vendors waiting in wings to see what we come up with. They want to see what's ethical."

Little pests and big problems
Security companies say they've seen a rise in several trends in the past few months that run from the annoying to the dangerous.

On the irritating side, many more companies are producing "browser helper objects" -- little programs that attach themselves to Internet Explorer and do everything from serve ads to monitor Web surfing. While these are often marketed as Net download speeders or search tools, they often have features that consumers don't immediately understand and are difficult to uninstall when found, security consultants say.

Many more "adware" programs are routinely installed along with free software such as digital video viewers or file-swapping programs. Some of them monitor users' surfing habits and report back aggregate data to their parent companies; others simply serve up ads displayed inside the software program.

More dangerous are the kinds of software programs like the one found by Clearswift in its "Wedding Invitation" email. That program, a commercially available "remote surveillance" application called iSpyNow, allows the spying software to be disguised on a computer, and then reports back every keystroke that is made on the computer to whoever installed it.

These kinds of remote-spying applications were solely the property of hackers or other malicious computer programmers, but for the past few months they have been marketed by some vendors as ways to keep tabs on children's or spouses' computer use. Corporations are increasingly worried that these types of "key loggers" might also be installed by hackers or spammers on employees' machines, capturing confidential data.

Security experts point to employees who work remotely, either from a home computer or a laptop, as high risks of spyware infection. Because these machines can surf the Net outside the corporate firewall, and then use a virtual private network to log into the corporate network, they threaten to bring in spyware that can communicate with the outside.

"Those machines aren't under the control of the network," Cafarchio said. "In most environments firewalls are designed to keep bad guys out. But if communication is initiated from the inside, most firewalls let it out."

What's a spy, anyway?
This variety of programs, from hacker-like tools to simple advertising plug-ins, continues to make efforts to control spyware difficult.

Bono's bill, the first major piece of legislation intended to address the issue, highlights that point. Staffers for the congresswoman say she is in the midst of rewriting her original proposal in response to concerns that it would have blocked ordinary Web features such as cookies and automatic update features such as those in Microsoft software.

In a report released Tuesday, the Center for Democracy and Technology, a Washington D.C.-based privacy advocacy group, argued against any legislation that specifically targets spyware, because of its inherently slippery nature. Much of the worst software-spying that corporations fear is already illegal under computer privacy, antihacking or Federal Trade Commission laws, the report said.

Instead, consumers would be better served by a broad-ranging privacy legislation that forced all software programs to give clear notice if they were collecting information, and give computer users the ability to turn them off or easily uninstall them.

Most importantly, consumers should study software programs' terms of service before installing them, and use software such as Lavasoft's Ad-Aware if they think their computer might have spyware installed, it said.

"The distinction that we're trying to make is whether there is notice or meaningful choice," said CDT Associate Director Alan Davidson. "The question is do people know how their computer is being used, and do they have a meaningful choice to uninstall a program if they don't want it. In the most troubling cases of spyware, the answer is still no."