Tiny, Evil Things

Much like spam E-mail, spyware and its resultant problems are becoming serious. These small applications are planted on a PC by some software programs, Web sites, and E-mail messages and can track a Web surfer's every online move. Criminals or dishonest businesses can use spyware to capture keystrokes and copy personal data from hard drives and transmit it to the people behind the eavesdropping.

Federal agencies, state governments, and politicians are getting involved. The Federal Trade Commission held a hearing last week on the costs and security risks posed by spyware as a prelude to formulating policy on the threat. The Spyware Control Act takes effect in Utah on May 28 and imposes a fine of $10,000 or more for planting unauthorized snooping software on a computer.

U.S. Senators Barbara Boxer, D-Calif., Conrad Burns, R-Mont., and Ron Wyden, D-Ore., in February introduced the Spyblock Act, which would require the consent of a user before software could be installed from the Internet on his or her computer. The act would prohibit information collection, advertising, distributed computing, and modifications to a PC without the user's agreement. "There's a big need" for the legislation, Burns told InformationWeek last week. "If I own a computer, it's my property for me to use, and I don't want anyone else harvesting the benefits of my computer."

Technology vendors are responding, too. PepiMK Software, PestPatrol, and Webroot Software offer anti-spyware tools. Antivirus vendors such as McAfee Inc. and Symantec Corp. are adding anti-spyware capabilities to their security software. Likewise, ISPs such as America Online and EarthLink are introducing tools to help customers find and disable spyware. Microsoft has added anti-spyware technology to its upcoming Windows XP Service Pack to block pop-up ads, a common way people get lured into downloading spyware. It also will include a download blocker to stop self-initiating downloads, as well as harder-to-spoof dialog boxes so users can see exactly what's being downloaded, says Jeffrey Friedberg, Microsoft's director of Windows privacy. Friedberg says computer makers and software developers "are spending millions dealing with this."

Anti-spyware software has stopped keystroke loggers and Trojan horses, says Raymond James VP Fredriksen.

Photo by William Speer/ Silver Image

Business-technology managers are looking for all the help they can get. "We're starting to see more spyware issues," says Gene Fredriksen, VP for information security at financial-services firm Raymond James and Associates. New and better tools are needed because those available aren't able to "effectively handle the problem for a large company," he says.

Florida Cardiology P.A., which provides heart-disease diagnosis and treatment in six locations around Orlando, has 88 PCs. IT administrator Nick Butler discovered earlier this year that virtually every computer had been infected with some type of spyware. It created a serious drag on productivity, with some systems taking more than 12 minutes to start and others unable to properly connect to the Internet.

Since Florida Cardiology handles personal medical information, the presence of spyware scared Butler. "No one knows for sure what this stuff is doing," he says. "What if one of these things is keystroke logging or captures patient information? That's an unacceptable risk."

Butler armed the company with 100 licenses of software from PestPatrol to clear the spyware from the computers, and he's educating colleagues on the risks. "You teach people not to click on this stuff, but sometimes they still do," he says.

Herbalife, which makes nutritional supplements, also is fighting spyware. The company uses content-security software from SurfControl plc and PepiMK Software's spyware-removal tool to manage the threat. Herbalife also tweaked its intrusion-detection systems to spot spyware network-scanning patterns. Network engineer Dave Trujillo says the problem mostly comes from workers downloading menu bars and other types of software from the Internet, even though that violates company policy. Contractors using personal notebooks cause most new infections, he says.

Raymond James and Associates deployed security company WholeSecurity Inc.'s Confidence Online Enterprise Edition to secure a VPN used by remote employees and independent financial advisers. Now it's deploying WholeSecurity's Confidence Online Portal Edition to protect customers accessing its services over the Internet. Fredriksen says the security software runs quickly in the customer's browser and checks to ensure that the system is safe before connecting. The software has stopped keystroke loggers, Trojan horses, and viruses. "The ones that actually capture customer or user IDs and log-in information are the big concern," he says, adding that the software will help the company avoid large fraud losses and even reduce customer-support costs.

The spyware problem will only get worse. PestPatrol is adding protection against 1,000 new variants of keystroke loggers and Trojans every week, says Roger Thompson, VP of product development. "We've already added as many new variants of spyware this year as we did for all of last year," he says.

That's a threat too serious for businesses to ignore.

This story courtesy of InformationWeek.