
Who best to define spyware?

By Bill Brenner, News Writer
18 May 2005 | SearchSecurity.com


This article originally appeared on SearchSecurity.com, a sister site of SearchSMB.com.

About this series: Spyware is quickly replacing worms and viruses as IT managers' biggest worry. In this two-part series, security professionals and others debate spyware detection and who is best qualified to define it.

Joshua Lutz knows the damage spyware can do if left undetected on a network. He keeps track of efforts on Capitol Hill, in virtual communities and elsewhere to define the menace and fight it. But he's not sure any of these entities are up to the task. Not individually, at least.

"The process of defining spyware is already playing out in the online forums, but online forums have no real authority to enact change," Lutz, network analyst for a large Boston law firm, said in an e-mail interview. "Legislatures, as a whole, have the authority but lack the technical acumen to adequately generate realistic definitions of specific, technical applications."

He believes the Internet community needs "a non-governmental intermediary that both the legislators and general public can look to for a technical framework [where] applications can be classified and defined." Ask other IT professionals who they trust to define spyware and they say pretty much the same thing. But they also agree that each entity has a role to play. They may not banish spyware from cyberspace, but collectively they could go a long way toward better defining and fighting it.
For now, there's a movement in the information security community to form the type of intermediary group Lutz envisions. One example is the nonprofit Center for Democracy and Technology teaming with top antispyware companies to hammer out a clearer set of criteria to define spyware.

Legislation won't solve the problem…
According to Boulder, Colo.-based security firm Webroot, legislation to deal with spyware is pending in 27 states. Six states have passed laws.

Meanwhile, U.S. Rep. Mary Bono, R-Palm Springs, has sponsored a bill that would force spyware and adware producers to give users clear notification and get consent before they can download their wares. The bill was passed by the House earlier this week. If it becomes law, it will pre-empt similar laws at the state level.

"Some companies worry this would force them to fundamentally change how they do things and that it would affect their business," said Kimberly Pencille, Bono's press secretary. "That's just not the case. This is simply about notification and consent. In our view, companies that practice notification and consent have more credibility and that's good for business."

Those asked said legislation can only go so far. Ed Skoudis, co-founder of Washington, D.C.-based security consultancy Intel Guardians, said, "I would hate to see [spyware] defined in legislation. You're talking about legislation put together by people who don't understand the technological issues and are under the heavy influence of lobbyists."

The problem with bills like Bono's is that companies can find ways to abuse the notification-consent provision, Skoudis said.

"Yeah, there's notification and consent, but you're talking about a 10-page box that pops up that's full of legalese" that people aren't going to read, he said.

…But it can make 'a significant dent'
Eugene Schultz, a principal computer systems engineer in the University of California's Berkeley Lab, agrees with Skoudis that U.S. legislation won't solve the problem because spyware is an international scourge. But he doesn't think you have to be a computer genius to define what spyware is, either.

"I don't think that defining spyware is all that difficult," he said in an e-mail interview. "In my mind spyware is a program that is installed in a computer without the user's or system administrator's knowledge that gleans information from the user's machine as well as patterns of network usage -- including Web sites visited -- without the user's knowledge or consent."

While it wouldn't solve the whole problem, Schultz believes the right legislation could make a positive difference.

"I am confident that U.S. legislation would make a significant dent in the problem because so many Web sites in the U.S. currently inject spyware into systems that visit them," he said. "I am confident that considerably less spyware would get into my systems if there were U.S. legislation that would forbid injecting it into systems and that would also punish individuals who violate the terms of this legislation."

Pencille agreed. "This is a big enough problem for anyone using the Internet that something has to be done," she said. "We can't do anything about offshore sources of spyware, but this legislation would mean a lot more accountability in the United States."

As for concern that the process is under the control of lawmakers who lack technical expertise and are influenced by lobbyists, Pencille said, "This has been a very open process with technical experts involved."

Promise and peril in online communities
As Lutz mentioned, the question of how to define spyware is already being played out in a growing list of virtual communities like SpyNet, started by Microsoft as part of its AntiSpyware beta program. The software giant describes SpyNet as a voluntary network of users "that helps uncover new threats quickly to ensure everyone is better protected." Any user can choose to join SpyNet and report potential spyware to Microsoft.

The concern here is that online communities can be poorly moderated and generate even more confusion over what is and isn't spyware.

"Open forums are both a blessing and a curse," Lutz said. "There is often valuable information to be had in an active online forum, but one must sift through the detritus surrounding it. How does the average computer user differentiate between good and bad information?"

Many open forums tend to be self-regulating and members will often point out faulty information, Lutz said. "But then when dealing with questions like 'Is this spyware?'" he added, "the answer is often as varied as the number of people responding to it. You know what they say about opinions."

Skoudis points to another problem: Online communities can also be invaded by spyware pushers, "just like COAST was invaded by 180Solutions."

But SpyNet is an example of how online forums can be helpful in fighting spyware, Mike Panczenko, information systems security officer and chief scientist for Doylestown, Pa.-based Sytex, Inc., said by e-mail.

"I think that Microsoft seems to have a reasonable approach with its SpyNet community," he said. "The fact that users play a key role in determining which programs should be classified as spyware will help minimize any deception attempts on the part of adware vendors and, ultimately, create more robust detection programs."

This article continued on page 2

