----- Original Message -----
From: "Nessie" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, March 29, 2001 1:49 AM
Subject: Re: [CTRL] REU: Alberta to license beggars

> I'll keep looking and post what I find. Thanks. Anybody else out there know the name of this thing?

----- Original Message -----
From: Bond
To: ParanoidTimes
Sent: Tuesday, March 06, 2001 3:17 PM
Subject: [ParanoidTimes] New tools hatch for sniffing out Web bugs

New tools hatch for sniffing out Web bugs

A handful of companies are arming Web surfers with tools for finding and repelling
so-called Web bugs--invisible pieces of code that can be used for everything
from secretly tracking people's Web travels to pilfering computer files.
Many site operators and Net advertising companies place Web bugs on their
pages to collect information, such as which pages are being read most often. Too
small for readers to see, the bugs also can be used in more invasive ways,
capturing a visitor's Internet Protocol address or installing pernicious files,
for example.
The bugs can also be matched with "cookies," the electronic files that are
stored on a PC and can contain personal information such as name and e-mail
address.
Concerned that visitors are often unaware that the bugs are
being used to track their surfing habits, security companies are beginning to
arm Web surfers with tools to find the pesky bugs.
"People don't understand the potential risks associated with Web bugs. With a
Web bug, your computer can be fully exposed to malicious sites that can take any
files or information from programs on your hard drive," said Tommy Wang of
security start-up Intelytics. "People need to get educated on this stuff."
Internet tracking and security company Security Space issued a report last
Thursday that identified Web advertising networks DoubleClick and
Linkexchange.com, as well as Excite.com, as some of the top sites that use Web
bugs to track consumers on third-party pages.
Meanwhile, Intelytics plans to unveil a free service in two weeks that
surfers can use to spy on the spies. Its software, called Personal Sentinel,
will alert consumers to the "risk level" of any given Web site by listing the
number of Web bugs working behind the scenes.
Illustrating the growing presence of such technology, Intelytics issued a
report over the holidays on major e-commerce sites that uncovered nearly 16
million pages (out of 51 million that were scanned) with at least one Web bug
that had been attached from a third party, such as an advertising network.

Privacy on the Hill
Such surveillance tactics are beginning to take higher priority with
lawmakers as well. Last Thursday, the Congressional Privacy Caucus, a bipartisan
group of senators and congressmen charged with studying individuals' privacy, met to discuss the
threat posed by online tracking technology.
In one such test, the Privacy Council and Intelytics showed how Web bugs,
when used nefariously, can steal a computer user's entire e-mail address book
merely by clicking on a bugged Web page.
"Through an insecurity in Windows, they showed how easy it is for people to
get stuff off (a consumer's) hard drive," said Richard Smith, chief privacy
officer at the Denver-based nonprofit group the Privacy Foundation, who
testified at the Thursday hearing. The Privacy Foundation also is testing a beta
version of a browser plug-in, dubbed a Web bug detector, that allows people to
identify the tags.
In his testimony, Smith illustrated how simple it is to peer into other
people's e-mail by attaching a Web bug to the message. According to Smith, a
person can send an e-mail with a bug that secretly sends copies back to the
sender when the e-mail is replied to or forwarded.
"If an e-mail can be wire-tapped
in the halls of Congress, where else is e-mail safe? The answer is nowhere,"
Smith said.
Intelytics, in partnership with the Privacy Council, unveiled a similar Web
bug-searching service in late January for companies to run reports on their own
sites, assessing privacy risks to consumers. Intelytics plans to launch other
corporate Web bug tools for e-mail and intranets.
The Message Sentinel, for example, is set up to check for privacy threats
sent through e-mail, including so-called wiretaps. The product, which is already
garnering interest from government agencies and financial services firms, is set
to launch in early April. The price has not been set.
Personal Sentinel will be available March 15 and will be supported by
companies that plan to sell services to "wash" the Web bugs off the page so the
consumer can avoid prying eyes, according to Intelytics' Wang.

Varying strengths of venom
Through its research, the company has identified about five different types
of Web bugs, Wang said. The simplest, most discussed bug is a small, clear GIF
that works with cookies to send information to third parties about a visitor's
online travels.
Other more malicious forms of Web bugs are "executable bugs," which can
install a file onto people's hard drives to collect information whenever they
are online. For example, one such bug can scan a person's machine to send
information on every document that contains the word "financial."
Perhaps the most nefarious bugs are "script-based executable bugs that can go
out and take any document from your computer" without notice, said Wang, who
warned of programs that can track live, private recordings through Webcams or
voice recorders hooked up to computers.
Other script-based bugs also execute files, but they're not installed on a
person's PC. They can simply try to control the person's computer from its
server, as well as track the consumer's travels on the Web from behind the
scenes. An example of this can be found on a popular entertainment site,
PassThisOn.com, which launches multiple browser windows when a person tries to
exit the site.
While the Web Bug Report shines a light on the tags, most consumers "won't
care" about it, said Thomas Reinke, director of technology for Security Space,
which plans to publish the report monthly. But "it's important to understand how
much information one or two organizations can get about Web traffic and user
preferences as a whole," he said.
Security Space, a 5-year-old security and Internet tracking company, scans
more than 100,000 active Web sites, or nearly 4 percent of total Web sites, to
find the bugs. A so-called crawler automatically visits home pages and all links
one level down.
It measures a site based on its "authoritativeness on the Web" or by how many
sites are linked to it. For example, if Yahoo has 100,000 links to its site, it
is weighted heavier than a site with only a hundred links to it.
DoubleClick registers as the top site that uses Web bugs with the
highest-trafficked sites. The ad network uses roughly 535 Web bugs on
third-party sites, compared with 326 from Weather.com and 306 from Netscape.com,
according to another report that tracks the pure number of bugs issued by a
company.
DoubleClick representatives could not be reached for comment.
"If you start collecting that information and correlate that information back
to users...then you start being able to potentially abuse that information,"
said Reinke, who added that his company will start to sell such reports in the
future.
"What if, as an ad company, you knew that a household was going to Web sites
about firearms and bomb-making? What's the responsibility of that advertiser
holding that information? Should they have to turn that over to law
enforcement?" Reinke pondered.
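
The simplest bug the article describes, a small, clear GIF attached from a third party, is also the easiest to detect. The following is an added example, not part of the original message and not the code of any product or crawler named in it: it counts invisible third-party images per serving host, roughly the tally a Web bug detector would list for a page. The heuristic (1x1 or hidden `<img>` served from a different host), the host names and the sample HTML are all assumptions constructed for illustration.

```python
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

def _tiny(value):
    """True when a width/height attribute is 0 or 1 pixel ("1", "1px", "0")."""
    v = (value or "").strip().lower()
    if v.endswith("px"):
        v = v[:-2]
    return v.isdigit() and int(v) <= 1

class WebBugFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlparse(page_url).hostname or ""
        self.hits = []  # absolute URLs of suspected Web bugs

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = dict(attrs)
        src = urljoin(self.page_url, a.get("src") or "")
        host = urlparse(src).hostname or ""
        style = (a.get("style") or "").replace(" ", "").lower()
        invisible = ((_tiny(a.get("width")) and _tiny(a.get("height")))
                     or "display:none" in style or "visibility:hidden" in style)
        # Simplification: "third party" means a different host that is not a
        # subdomain of the page host (no public-suffix list is consulted).
        third_party = (host and host != self.page_host
                       and not host.endswith("." + self.page_host))
        if invisible and third_party:
            self.hits.append(src)

def count_web_bugs(page_url, html):
    """Return a Counter mapping third-party host -> number of suspected bugs."""
    finder = WebBugFinder(page_url)
    finder.feed(html)
    return Counter(urlparse(u).hostname for u in finder.hits)

# Constructed sample page: hypothetical hosts, not taken from the article.
SAMPLE_URL = "http://shop.example/index.html"
SAMPLE_HTML = """<html><body>
<img src="/logo.gif" width="120" height="40">
<img src="/spacer.gif" width="1" height="1">
<img src="http://ads.tracker.example/pixel.gif?page=index" width="1" height="1">
<img src="http://ads.tracker.example/p.gif?id=42" style="display: none">
<img src="http://stats.example.net/c.gif" width="1px" height="1px" />
<img src="http://cdn.example.org/banner.gif" width="468" height="60">
</body></html>"""

if __name__ == "__main__":
    for host, n in count_web_bugs(SAMPLE_URL, SAMPLE_HTML).most_common():
        print(f"{n} suspected Web bug(s) from {host}")
```

The first-party spacer and the visible third-party banner are deliberately not counted; only images that are both invisible and served from another host are.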
