By Law: Catching Up with Malware - Network Security -
Companies large and small are still feeling the effects of spyware. While spyware is damaging from a productivity standpoint in an enterprise, it is not as threatening as some better-known viruses. Spyware programs often contain one or more additional applications that trigger pop-up ads and other applications, while devouring computer memory resources and limiting computer performance.
This is a problem that primarily haunts consumers because most corporate networks have more advanced security to guard against spyware/adware programs. But more information workers perform their tasks remotely these days using personal systems that don't have the protective automatic security and patches to guard against malware. These programs have become more than just nuisances; they are making a bigger appearance at the corporate level, despite security precautions.
Getting to the Root of the Problem
According to Webroot Software, Inc., a Boulder, Colo.-based firm specializing in antivirus protection, adware-infected computers lose 10 percent to 90 percent of their productivity, depending on the type and number of installed adware/spyware programs. Beyond that, firms and individuals spend countless time and expense trying to eradicate these programs or paying professionals to do so.
IDC, a global provider of market intelligence, estimated that spyware problems represent 30 percent of all helpdesk calls. According to Webroot, about 87 percent of all computers scanned by the company had some type of spyware. So the government is stepping in with enforcement and legislation.
The FTC Makes an Entrance
The Federal Trade Commission (FTC) asked a U.S. District Court judge to halt an operation that secretly installed spyware/adware that consumers could not remove from their infected computers. Defendants used the lure of free software, which they claimed would make peer-to-peer file sharing anonymous, to entice users. The agency alleged the stealthy downloads violated federal law and asked the court to order a permanent halt to them.
According to the complaint filed by the FTC, Stratham, N.H.-based Odysseus Marketing, Inc. and its principal, Walter Rines, advertised Kazanon software they claimed would allow the anonymous file sharing. With claims like "Download Music Without Fear" and "Don't Let the Record Companies Win," the defendants encouraged consumers to download this free software.
The agency charges that the claims are bogus. First, the software does not make file-sharing anonymous. Second, the cost to consumers is considerable because the "free" software is bundled with spyware called ClientMan, which secretly downloads dozens of other software programs, degrading consumers' computer performance and memory.
This accumulated software also replaced or reformatted search engine results. With this spyware, for example, consumers who tried to conduct a Google or Yahoo search would be brought to a page that appeared to be the Google or Yahoo search engine result. However, the page was actually a copycat site. The order of the search results was rigged to place the defendants' clients first
. The bundled software programs, which also generate pop-up ads, captured and transmitted information from the consumers' computers to servers controlled by the defendants.
Other spyware and adware programs also have promised free goods, bargain prices, or even spyware- and adware-blocking capabilities, but they turned out to be the same type of program they promised to eradicate.
Obligation To Disclose the Facts
In the landmark Odysseus Marketing case, the FTC charged that the defendants had an obligation to disclose that their "free" software download caused spyware/adware to be installed on consumers' computers. But instead, the company hid its disclosure in the middle of a two-page end-user licensing agreement buried in the "terms and conditions" section of its Web site, according to the FTC.
End-user licensing agreements, particularly those listed in the terms and conditions sections, are usually listed in minuscule type with legalese, making them difficult or impossible to read. As a result, most people ignore them.
The FTC also alleges that the defendants deliberately make their software difficult to detect and impossible to remove with standard software utilities. Although the defendants purport to offer their own "uninstall" tool, it does not work. In fact, it actually installs additional software, according to the FTC's complaint.
The FTC charges that the practices of Odysseus Marketing and Walter Rines are unfair and deceptive and that they violate the FTC Act. The agency will seek a permanent halt to the practices.
Domestic Jurisdiction
Since Odysseus Marketing is based on U.S. soil, the FTC has a better chance of shutting down the operation than other alleged spyware/adware operations. Other sites that allegedly propagate spyware are largely based out of the country and out of the U.S. law enforcement's reach.
The action against Odysseus Marketing follows a late-summer settlement as Advertising.com, Inc., a subsidiary of America Online, Inc., agreed to settle FTC charges that it violated federal law by offering free security software without adequately disclosing that adware was part of the software bundle.
States are also getting more aggressive. Recently, the state of New York reached an agreement with the former CEO of a leading Internet marketing company responsible for secretly installing adware/spyware on millions of home computers.
Under the agreement, Brad Greenspan, the founder and former CEO of Intermix Media, was ordered to pay $750,000 in penalties and disgorgement in connection with an investigation into the conduct of his former company.
"Internet marketing companies have gotten away with unethical and illegal software downloading practices for too long," said Attorney General Eliot Spitzer. "This agreement sends a message that intrusive and deceptive practices will not be tolerated."
Legislative Intervention
The penalties could become stiffer for similar cases in the future. The Internet Spyware (I-SPY) Prevention Act of 2005 makes unauthorized access of computers using spyware a criminal offense punishable by a prison term of up to 5 years. The second bill-called the SPY Act-requires firms to get the informed consent of users before installing programs on their PCs.
Both bills have been sent to the Senate for consideration, after being approved by an overwhelming majority in the House. As of late October, the Senate had yet to pass its versions of the same legislation. Some of these programs also have a legitimate business purpose, according to some security experts. So the legal protections are moving ahead slowly.
Related legislation was also subject to a vote before the end of the year. In October, the House was debating the following measures: the Financial Data Protection Act of 2005, designed to prevent data breaches by mandating a strong national standard for the protection of sensitive consumer information; requiring institutions to notify consumers that their information has been compromised and could be used by identity thieves; and mandating institutions to provide consumers with a free 6month nationwide credit monitoring service upon notification of a breach.
"We know of 50 database security breaches that have occurred since January 2005 that, taken together, could impact [more than] 51 million Americans," according to Rep. Michael N. Castle, R-Del.
"While the severity of each breach and the long-term consequences, in many cases is minimal or not yet known, I worry about consumer confidence. The words 'identity theft' have become an all too familiar phrase in our everyday lives and consumers constantly worry about their sensitive information getting into the wrong hands."
He continued: "This legislation will build on efforts we have enacted over the years by safeguarding sensitive information like Social security numbers, credit card numbers with security or access codes, drivers' license numbers, and personal identification information."
In October, the Senate Judiciary Committee approved and sent legislation authored by Sen. Jeff Sessions, R-Ala., to the floor that would require businesses and organizations to notify consumers who are at risk of identity theft because of a data security breach.
"For the fifth year in a row, identity theft has topped the list of fraud-related complaints to the Federal Trade Commission," according to Sessions, a member of the Judiciary Committee. "Individuals need to have confidence that they can transact business online or otherwise without the fear of identity theft."
Sessions' bill -- Notification of Risk to Personal Data Act of 2005 -- requires businesses and organizations in possession of computerized data containing sensitive personal information to implement and maintain reasonable security and notification procedures. It would also create a national legal framework, preempting such state laws. Some senators oppose the legislation; they say their existing state laws offer better consumer protection than the proposed law.
Enterprises Take a Stand
Corporations are taking a more aggressive stance as well. Microsoft joined Symantec, Trend Micro, McAfee, Panda, and several other security firms to form the secureIT Alliance.
Those companies in the alliance will share information about new threats and best practices, along with gaining access to Microsoft betas, software development kits, early adopter programs, and development labs. The online portal to facilitate this cooperation will be launched later this year.
Likewise, the public will also benefit. The secureIT Alliance Web site will also provide customers with security-related case studies, videos, white papers, and more, according to Microsoft.
*************************************************************
For all your Online Data Backup, Data backup, Computer backup, Data storage and Data restore needs go to SaveAndSecure.com
