http://www.nwfusion.com/news/2004/1130univestrug.html

By Paul Roberts
IDG News Service
11/30/04

U.S. universities are struggling with a flare-up of dangerous spyware that can snoop on information encrypted using SSL.

Experts are warning that the stealthy software, called Marketscore, could be used to intercept a wide range of sensitive information, including passwords and health and financial data. In recent weeks, information technology departments at a number of universities issued warnings about problems caused by the Marketscore software, which promises to speed up Web browsing. The program, which routes all user traffic through its own network of servers, poses a real threat to user privacy, security experts agree.

Columbia University, Cornell University, Indiana University, The State University of New York (SUNY) at Albany, and The Pennsylvania State University are among those noting an increase in the number of systems running Marketscore software in recent weeks. Each institution warned their users about Marketscore and posted instructions for removing the software.

The software is bundled with iMesh peer-to-peer software, and may have made it onto university networks that way, said David Escalante, director of computer security at Boston College.

The company that makes the software, Marketscore, has headquarters in Reston, Va., at the same mailing address as online behavior tracking company comScore Networks. ComScore Networks did not respond to repeated requests for comment.

Reports of infected systems on campuses ranged from a handful up to about 200 on one large campus network, Escalante said.

Marketscore is just the latest incarnation of a spyware program called Netsetter, which first appeared in January, said Sam Curry, vice president of eTrust Security Management at Computer Associates.

"Basically it takes all your Web traffic and forces it through its own proxy servers," he said.

Ostensibly, the redirection speeds up Web surfing, because pages cached on Marketscore's servers load faster than they would if they were served directly from the actual Web servers for sites such as Google.com or Yahoo.com. However, those performance benefits have been elusive.

"People who have installed the software complain to us that they're not getting any improvement," Curry said.

Richard Smith, an independent software consultant in Boston, is also skeptical of performance improvement claims made by Marketscore and others, especially since many Internet service providers already offer Web caching for their dial-up customers, he said in an e-mail message.

At Cornell, the university IT Security Office blocked connections between Cornell's network and the Marketscore servers, according to a message posted on the university's Web site. Administrators at SUNY Albany took similar steps, according to a message posted on that university's Web site.

While other legal software programs make similar claims about improving Web browsing speed as Marketscore, Internet security experts are troubled that the software creates its own trusted certificate authority on computers. That certificate authority intercepts Web communications secured using SSL, decrypting that traffic, then sending it to the Marketscore servers before encrypting the traffic and passing it along to its final destination.

That traffic could include sensitive information, including passwords, credit card and Social Security numbers, Curry said.

Marketscore should be a big concern for companies -- especially those like banks with employees who handle sensitive data, Escalante said.

"I don't know how good it is for parties on either end of a transaction to have a third party listening in," he said.

If nothing else, all the extra decrypting and encrypting slows down SSL traffic, casting doubt on Marketscore's claims to be an Internet accelerator, Smith said.

CA's eTrust anti-virus software labeled Marketscore "spyware" up until June of this year, but stopped doing so after Marketscore appealed that designation using an established vendor appeal process, he said. CA is currently re-evaluating the "spyware" designation using a complicated, multifactor scoring system.

The software is less repugnant than its predecessor, Netsetter, which did not clearly disclose to users what it did when installed and made itself difficult to remove. Marketscore is better on both those counts, clearly stating both in the end user license agreement and during the installation process what the product does, and providing users with an easy uninstall program.

CA considers Marketscore an example of a new breed of software that lies in the gray area between spyware and legitimate software, Curry said.

"Under the old definition, (Marketscore) clearly qualified as spyware. But there are new categories emerging," he said.

While Marketscore clearly tracks user behavior, it doesn't hijack Web browser home pages, spew pop-up advertisements or conceal its presence, like earlier generations of spyware did, Curry said.

"There's more granularity. Companies have responded and ... are adding benefits and value to these programs. We're looking at ways to more accurately identify this," he said.

Perhaps trying to increase its appeal, Marketscore is now advertising itself as an e-mail protection service, in addition to an Internet accelerator. According to the Marketscore.com Web site, members will receive Symantec's CarrierScan Server anti-virus technology at no cost.

However, that promise doesn't sit well with Symantec, which said it has no relationship with Marketscore and, in fact, considers the software "spyware," said Genevieve Haldeman, a company spokeswoman.

"We don't have relationships with companies that make software we consider malicious," she said.

Symantec is considering legal action to force Marketscore to stop using its name and logo on the Marketscore.com Web site, she said.

Spyware or not, the lesson of Marketscore is that "if it sounds too good to be true, it probably is," Curry said.

_________________________________________
Open Source Vulnerability Database (OSVDB)
Everything is Vulnerable - http://www.osvdb.org/

--- end forwarded text

--
-----------------
R. A. Hettinga <mailto: rah@ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
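
The article's central concern is software that installs its own trusted certificate authority so that a proxy can decrypt and re-encrypt SSL traffic. The sketch below is an added example, not part of the article or of any vendor's tooling: it compares a host's trusted roots against a known-good baseline of SHA-256 fingerprints and reports any root that was added. The function names and the sample byte strings are assumptions made for the illustration.

```python
import hashlib
import ssl
import sys


def fingerprint(der):
    """SHA-256 fingerprint (hex) of one DER-encoded certificate."""
    return hashlib.sha256(der).hexdigest()


def system_roots():
    """DER bytes of the root certificates this host currently trusts."""
    if sys.platform == "win32":
        # Windows trusted-root store; skip entries that are not X.509 DER.
        return [cert for cert, enc, _trust in ssl.enum_certificates("ROOT")
                if enc == "x509_asn"]
    # Elsewhere: the CA certificates loaded into Python's default context
    # (a capath directory is not preloaded, only a CA bundle file).
    return ssl.create_default_context().get_ca_certs(binary_form=True)


def diff_roots(baseline_fps, current_ders):
    """Return (added, removed) relative to a set of baseline fingerprints."""
    current = {fingerprint(der): der for der in current_ders}
    added = {fp: der for fp, der in current.items() if fp not in baseline_fps}
    removed = sorted(set(baseline_fps) - set(current))
    return added, removed


# Constructed sample data: opaque stand-ins for DER certificates, used only
# because the audit hashes the bytes and never parses them.
SAMPLE_BASELINE = [b"constructed-root-A", b"constructed-root-B"]
SAMPLE_CURRENT = SAMPLE_BASELINE + [b"constructed-locally-installed-proxy-CA"]

if __name__ == "__main__":
    baseline = {fingerprint(der) for der in SAMPLE_BASELINE}
    added, removed = diff_roots(baseline, SAMPLE_CURRENT)
    for fp in added:
        print("root not in baseline:", fp)
    for fp in removed:
        print("baseline root missing:", fp)
    # On a real host: diff_roots(saved_baseline, system_roots())
```

The baseline has to be captured from a known-clean build and stored off the host; a root that appears in `added` is a prompt to check who installed it, not proof of interception.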