By an interesting coincidence, the article below appeared in the on-line
Computerworld today.
                                                        -- Jerry

              Universities grapple with SSL-busting spyware
              Marketscore could be used to intercept sensitive
              information, security experts say

              News Story by Paul Roberts
              NOVEMBER 30, 2004 (IDG NEWS SERVICE) -
              U.S. universities are struggling with a flare-up of dangerous
              spyware that can snoop on information encrypted using
              Secure Sockets Layer (SSL). Experts are warning that the
              stealthy software, called Marketscore, could be used to
              intercept a wide range of sensitive information, including
              passwords and health and financial data.

              In recent weeks, IT departments at a number of
              universities issued warnings about problems caused by the
              Marketscore software, which promises to speed up Web
              browsing. The program, which routes all user traffic
              through its own network of servers, poses a real threat to
              user privacy, security experts agree.

              Columbia University, Cornell University, Indiana
              University, the State University of New York (SUNY) at
              Albany and Pennsylvania State University are among those
              noting an increase in the number of systems running
              Marketscore software in recent weeks. Each institution
              warned its users about Marketscore and posted instructions
              for removing the software.

              The software is bundled with iMesh peer-to-peer software,
              and may have made it onto university networks that way,
              said David Escalante, director of computer security at
              Boston College.

              The company that makes the software, Marketscore Inc., has
              headquarters in Reston, Va., at the same mailing address
              as online behavior tracking company ComScore Networks Inc.
              ComScore Networks did not respond to repeated requests for
              comment.

              Reports of infected systems on campuses ranged from a
              handful to as many as 200 on one large campus network,
              Escalante said.

              Marketscore is the latest incarnation of a spyware program
              called Netsetter, which first appeared in January, said
              Sam Curry, vice president of eTrust Security Management at
              Computer Associates International Inc.

              "Basically it takes all your Web traffic and forces it
              through its own proxy servers," he said.

              The redirection speeds up Web surfing, because pages
              cached on Marketscore's servers load faster than they
              would if they were served directly from the actual Web
              servers for sites such as Google or Yahoo. However, those
              performance benefits have been elusive.

              "People who have installed the software complain to us
              that they're not getting any improvement," Curry said.

              Richard Smith, an independent software consultant in
              Boston, is also skeptical of performance improvement
              claims made by Marketscore and others, especially since
              many Internet service providers already offer Web caching
              for their dial-up customers, he said in an e-mail message.

              Cornell's IT security office blocked connections between
              the university's network and the Marketscore servers,
              according to a message posted on the university's Web
              site. Administrators at SUNY Albany took similar steps,
              according to a message posted on that school's Web site.

              While other legal software programs make claims similar to
              Marketscore's about improving Web browsing speed, Internet
              security experts are troubled that the software creates its
              own trusted certificate authority on computers. That
              certificate authority intercepts Web communications secured
              using SSL, decrypting that traffic, then sending it to the
              Marketscore servers before re-encrypting the traffic and
              passing it along to its final destination. That traffic could
              include sensitive information, including passwords, credit
              card and Social Security numbers, Curry said.
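A defender-side check for the interception pattern described above, added here as an example and not part of the article or of any vendor's tooling: it diffs the machine's trusted roots against a recorded baseline and flags a peer certificate whose issuer is a root that was not in that baseline. The certificate dictionaries mirror the shape returned by Python's ssl getpeercert(); the CA names and certificates are constructed sample data.

```python
import ssl

# Known-good roots recorded when the machine was built (constructed baseline).
BASELINE_ROOTS = {"Example Public Root CA", "Other Public Root CA"}


def rdn_value(name, key):
    """Extract one field (e.g. 'commonName') from a getpeercert()-style name,
    which is a tuple of RDNs, each a tuple of (key, value) pairs."""
    for rdn in name:
        for k, v in rdn:
            if k == key:
                return v
    return None


def system_root_names():
    """Common names of the roots the local OS trust store currently loads.
    Reads the local store only; no network access."""
    ctx = ssl.create_default_context()
    ctx.load_default_certs()
    return {rdn_value(c["subject"], "commonName") for c in ctx.get_ca_certs()}


def new_roots(current_roots, baseline=BASELINE_ROOTS):
    """Roots present now but absent from the baseline: candidates for a
    locally installed interception CA of the kind the article describes."""
    return sorted(set(current_roots) - set(baseline))


def interception_suspected(peercert, current_roots, baseline=BASELINE_ROOTS):
    """True when the peer certificate's issuer is a root that was not in the
    baseline trust store, i.e. the SSL chain terminates in a local CA."""
    issuer_cn = rdn_value(peercert["issuer"], "commonName")
    return issuer_cn in new_roots(current_roots, baseline)


# Constructed sample data: a normal chain and one re-signed by a local proxy CA.
NORMAL_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("commonName", "Example Public Root CA"),),),
}
PROXIED_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("commonName", "Local Accelerator Proxy CA"),),),
}
CURRENT_ROOTS = BASELINE_ROOTS | {"Local Accelerator Proxy CA"}

if __name__ == "__main__":
    print("unexpected roots:", new_roots(CURRENT_ROOTS))
    print("normal chain flagged:", interception_suspected(NORMAL_CERT, CURRENT_ROOTS))
    print("proxied chain flagged:", interception_suspected(PROXIED_CERT, CURRENT_ROOTS))
```

In practice the baseline would be taken from a clean build image and the current set from system_root_names() or the OS certificate manager, so that a root added by an installer shows up in the diff.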

              Marketscore should be a big concern for companies, such as
              banks, with employees who handle sensitive data, Escalante
              said.

              "I don't know how good it is for parties on either end of
              a transaction to have a third party listening in," he
              said.

              If nothing else, all the extra decrypting and encrypting
              slows down SSL traffic, casting doubt on Marketscore's
              claims to be an Internet accelerator, Smith said.

              CA's eTrust antivirus software labeled Marketscore as
              "spyware" up until June of this year but stopped doing so
              after Marketscore appealed that designation using an
              established vendor appeal process, he said. CA is
              currently re-evaluating the spyware designation using a
              complicated, multifactor scoring system. The software is
              less repugnant than its predecessor, Netsetter, which did
              not clearly disclose to users what it did when installed
              and made itself difficult to remove.

              Marketscore is better on both those counts, clearly
              stating both in the end-user license agreement and during
              the installation process what the product does, and
              providing users with an easy uninstall program. CA
              considers Marketscore an example of a new breed of
              software that lies in the gray area between spyware and
              legitimate software, Curry said.

              "Under the old definition, [Marketscore] clearly qualified
              as spyware. But there are new categories emerging," he
              said.

              While Marketscore clearly tracks user behavior, it doesn't
              hijack Web browser home pages, spew pop-up advertisements
              or conceal its presence, like earlier generations of
              spyware did, Curry said.

              "There's more granularity. Companies have responded and
              ... are adding benefits and value to these programs. We're
              looking at ways to more accurately identify this," he
              said.

              Perhaps trying to increase its appeal, Marketscore is
              advertising itself as an e-mail protection service, in
              addition to an Internet accelerator. According to
              Marketscore.com, members will receive Symantec Corp.'s
              CarrierScan Server antivirus technology at no cost.

              However, that promise doesn't sit well with Symantec,
              which said it has no relationship with Marketscore and, in
              fact, considers the software spyware, said Genevieve
              Haldeman, a company spokeswoman.

              "We don't have relationships with companies that make
              software we consider malicious," she said. Symantec is
              considering legal action to force Marketscore to stop
              using its name and logo on Marketscore.com, she said.

              Spyware or not, the lesson of Marketscore is that "if it
              sounds too good to be true, it probably is," Curry said.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]