Message-ID: <1743511985.20050305020622@phreaker.net>
From: mastah at phreaker.net (Egoist)
Subject: "No such thing as spyware"
Hello Danny,
Saturday, March 5, 2005, 12:26:10 AM, you wrote:
D> From: http://www.viruslist.com/en/weblog
D> Thoughts?
Yes. This text is just a waste of the writer's time.
I don't see useful info/advisory here at all.
D> --------------------------------------------------------------------------------
D> No such thing as spyware
D> Eugene March 03, 2005 | 22:21 MSK
D> "The rising number of cyber-criminals creating more and more different
D> malicious programs, attacks and cyber-frauds have resulted in the
D> media and public paying more attention to security issues. New
D> solutions and services, such as patch and vulnerability management,
D> intrusion prevention, etc., appeared during the last year or so.
D> New threats are appearing as well. But are they really all that new?
D> Spyware is a brand new word in the threats list and it is being used
D> widely. Everyone is talking about spyware: many dedicated anti-spyware
D> products have appeared on the market, all of them brand new.
D> But what exactly is spyware? What threats does the new term cover? My
D> favorite definition of the term can be found at Information week.
D> "Spyware is software that's installed without your informed consent.
D> Spyware communicates personal, confidential information about you to
D> an attacker. The information might be reports on your Web-surfing
D> habits, or the software might be looking for even more sinister
D> information, such as sniffing out your credit card numbers and
D> reporting those numbers."
D> Exactly. This is a good definition which we can use to describe
D> software designed to spy on user actions and report on infected
D> machines.
D> Did we have such software in the past? Of course we did. The first
D> malicious software designed to spy and steal confidential information
D> was detected back in 1996 - the AOL Password-Stealing Trojans.
D> Have we already seen other malicious programs which can be described
D> as spyware? Certainly! There are many different kinds of Trojans
D> designed to:
D> * steal passwords/logins (including bank account information)
D> * log user activity (keyboard, screenshots, applications being run)
D> * backdoor trojans which have spy abilities
D> Thus, what people are calling spyware is not new at all...
D> Anything else that can be called spyware? Yes. Numerous advertising
D> tools (adware/advware) which report such information as visited Web
D> pages and Web search requests. Sometimes this information is
D> confidential.
D> And there's even more. Legitimate keyloggers for example,
D> freeware/shareware/commercial utilities which log keystrokes and/or
D> monitor other user activities.
D> Are we done? No, there are still more programs that report user
D> information to outside sources. For example, if you post to a forum
D> your email client will report your email address. If you are browsing
D> the Internet your IP address, Windows and browser version can all be
D> logged as you surf.
D> Can we or should we class these programs as spyware? Definitely not.
D> This is where we reach the border between so-called spyware and
D> non-spyware.
D> And the border is fuzzy. Because the issue is not always what the
D> program does, but how it's being used. We call the border-line
D> programs riskware, and detect many of them as 'not-a-virus'. We leave
D> it up to users to decide what to do next: if they want or need the
D> program, they can keep it. However, if it was installed without their
D> consent or is doing something they don't want or need, we find it for
D> them, so they know what's going on in their computer and can make an
D> informed choice.
D> So, technically speaking, spyware simply doesn't exist as a
D> stand-alone cyberthreat.
D> The programs which are being called spyware are, from a technical
D> point of view, simply a limited sub-set of Trojans, advertising
D> software and some riskware:
D> * Trojan spies and some backdoors
D> * most adware
D> * riskware - potentially hostile programs that require users to
D> make conscious choices about using them
D> In short, there is no such thing as spyware.
D> On the other hand there are many anti-spyware programs produced by
D> vendors who actively promote their products as dedicated anti-spyware
D> solutions.
D> An interesting review was published in the latest PC Magazine {USA
D> edition, Feb 22 2005, pages 82-91}. They compared how a number of
D> security suites (anti-viruses) and dedicated anti-spyware products
D> removed so-called spyware. Guess what? Some traditional solutions are
D> better at removing these threats than dedicated ones.
D> Unfortunately, there are no adequate consumer tests to separate
D> effective solutions from ersatz-security programs. In the PC Magazine
D> tests, there were only 24 "spyware" samples tested. In reality, there
D> are hundreds of malicious programs in the wild that fit into this
D> category. For instance, we know of over 200 adware families (with
D> numerous variants in each). We need better and more in-depth tests in
D> the future.
D> To cut a long story short, the term spyware is basically a marketing
D> gimmick: just to separate new ersatz-security products from
D> traditional ones, just to push almost zero-value products to the
D> security market.
D> We need to avoid this trap. There is nothing worse for the computer
D> security community than false alarms and/or users with a misplaced
D> sense of safety."
D> _______________________________________________
D> Full-Disclosure - We believe in it.
D> Charter: http://lists.netsys.com/full-disclosure-charter.html
--
Best regards,
Egoist mailto:mastah@...eaker.net