Spyware poses a huge threat to our business and nation

By Ara C. Trembly

In 1979, a group of militant Iranian students stormed and took over the U.S. Embassy in Tehran–along with 66 hostages–ostensibly as a demonstration of their anger against the United States for supporting the Shah of Iran.

Many of the confidential documents stored at that embassy were shredded before the takeover was completed, but the Iranians painstakingly worked to reassemble those documents, much to the chagrin of the U.S.

This may have been the most publicized instance of a phenomenon that would come to be known as “dumpster diving,” which involves picking through a company’s or individual’s trash to get confidential, sensitive and potentially valuable information that resides amid the refuse.

Such tactics remain a threat to businesses today, but the danger is less due to both increased awareness and the development of shredders (and shredding services) that literally can obliterate a document to the point that recovery is near impossible.

But what if a bad guy could watch you online and could see your documents as you produced them, keystroke by keystroke, then make an electronic record–all without you knowing it? That unsettling possibility is what we face today thanks to the dubious technical achievements that have produced spyware and keystroke loggers.

Spyware, as its name implies, is software designed to allow someone to watch what someone else is doing online, including Web surfing habits. Often enabled by hacker-created “back doors” that allow access into computer systems, spyware (and its supposedly less-insidious cousin, adware) represents a huge threat wherever it is installed, because it compromises the notion of online privacy.

Keystroke loggers, as their name implies, are software programs that enable a remote viewer (usually a criminal hacker) to record every keystroke made and to assemble those keystrokes into documents. Assuming a crook has propped open a back door in your systems, he easily can use a keystroke logger to re-create any document you produce.

Spyware or adware can be placed transparently on your system any time you visit a Web site. The real kicker, though, is that much spyware gets voluntarily downloaded by users who think they are getting some kind of useful software (like an anti-spyware program). In fact, there may be some helpful program provided, but the spyware is attached and goes unnoticed by the user. Incredibly, the spyware may even be mentioned in the license agreement that one must approve to use the “free” software. Of course, no one reads those agreements, so spyware victims remain blissfully unaware.

Meanwhile, the federal government is telling the insurance industry–and many other industries–that confidential information must be protected from theft or unauthorized access. Companies that fail in this regard risk hefty fines or even jail terms. Insurers, brokers and agents are under intense pressure to secure their systems, but experts say spyware technology is growing faster than are efforts to thwart it.

How bad is the problem? I ran an anti-spyware application on a computer in my office that cleaned out some 50 instances of spyware, adware or other malicious programs. Just 24 hours later, the same anti-spyware picked up 98 new instances on the same computer. That PC, incidentally, had three anti-spyware programs on board. It’s truly frightening.

Solutions to the problem are draconian and incomplete at best. Forbidding employees from downloading any kind of software, no matter how enticing, could help, but that doesn’t address the hacker threat. Beefing up firewalls and intrusion detection is a good idea, but like a car alarm, these measures won’t ultimately stop a determined hacker who wants to look at what you’re doing. And criminal hackers aren’t the only danger. Consider how far a competitor might go to gain access to your confidential documents.

It looks like a losing battle, but this is a battle we cannot afford to lose. We must not allow our business systems to be compromised, not to mention the systems that run our government and protect our nation. Anti-spyware efforts within our enterprises must be redoubled and money must be poured into research and development of security technology.

Finally, penalties for those who are caught spying must be severe. The rack and the iron maiden come to mind (where is Edgar Allan Poe when you need him?), but I suppose we’ll have to settle for 20 years at hard labor (no parole!). Write your congressman today.
