From time to time Stickley publishes articles on a broad range of security-related issues. Included here are some of those articles.

Who's Accessing Your Information?

Imagine for a moment having the time to sit in your office and watch your IDS logs scroll by on one screen while your firewall logs swarm another. Yet another screen displays your critical server logs and, just for good measure, the anti-virus management console for every workstation in the office. On top of that, your organization has limited employees to web access only and, for an extra touch, has put filters on email to block all attachments, even to management. Now imagine that, with all that time and design, your employees are still being watched and private information is being handed to spying eyes all over the world. Even more importantly, envision that while every system reports normal, your corporate secrets are being downloaded for resale to the highest bidder. Think it can’t happen in your organization? Maybe it’s time for a reality check.

As network security becomes more sophisticated, so do the tools and tricks of the individuals looking to bypass it. Rather than attempt to hack their way into your network, they let your users do the dirty work for them. Each time one of your users loads a new program onto their system, including applets downloaded from the Internet, they are opening the door to spying eyes.

The Dawn of Spyware
Spyware is technology that aids in gathering information about a person or corporation without their knowledge. Generally spyware is software placed on a computer secretly to gather a wide range of information and relay it back to interested parties. Since spyware can be placed on a computer through the installation of another program, or by a virus or worm, most individuals are never aware they are being watched. Early forms of spyware were unsophisticated and simply used cookies or hidden images to track users’ movements from site to site. These early forms, though useful to vendors, could gather little real information about the individual using the computer.

That was then
New versions of spyware are extremely sophisticated. They gather information about your computer configuration, your network parameters and the sites you visit, and pass this information back to repository sites on the Internet over ordinary web traffic. In addition, spyware can control the information you receive while browsing the Internet. This new breed monitors the sites you are looking at and then pops up new web pages based on the information it has gathered about you. These new pages have nothing to do with the site you are visiting and are called directly by the spyware. This software can even interfere with certain pages, images and banner ads, showing its own designated content instead. The worst part about this type of spyware is that it is absolutely legal. That’s right! Your users are generally given a warning that the software will be loaded on their system when they install a different program. Generally it is in the fine print of a very long terms-and-conditions agreement that almost nobody seems to read. By accepting that agreement, users are agreeing to load spyware on their systems.

What else can be gathered with spyware?
So you know what can be gathered legally, but what about the illegal threats? Obviously the same technology can be, and has been, used for malicious purposes as well. The ability to load any kind of software on a computer system is the power to watch your every move. That web cam you installed as a fun gimmick for seeing your friends overseas can just as easily be accessed to record what is happening in your office. Have a microphone on your system? Software can record conversations and pass them along over ordinary web traffic, setting off no alarms and leaving a small footprint. What about your address book, QuickBooks files, Excel spreadsheets, email? You name it and it’s available to be copied and delivered to waiting eyes. Loading keystroke-logging spyware on a computer in the personnel department could have disastrous effects, releasing information such as employees’ home addresses, phone numbers, social security numbers, possibly bank account information for direct deposit, etc. Purchase online? Credit card numbers and all the account information necessary for the transaction can be logged by that same spyware. Now, of course, this type of spyware is not legal, but that doesn’t stop it from being used. On numerous occasions I have been hired by organizations to perform social engineering engagements, and this type of spyware is one of my early stages in the process to gather as much information as possible. The information gathered is overwhelming and in some cases is the exact information I was required to obtain.

Beyond Spyware Concerns
Some organizations decided that the risk of Internet web use is just too great. For that reason they blocked access to web surfing completely. This was a temporary solution that seemed to have the appropriate effect until wireless became mainstream. Users discovered that they could bring their laptops to work and then log on to a nearby organization’s wireless network. Using others’ wireless connections became popular with hackers about 3 years ago with the advent of War Chalking. This term referred to the marks left by hackers on the sides of buildings that had open wireless networks; other hackers could then log into these from their laptops on the street. As wireless has become more popular, less technically savvy users are also putting this technique to use. The problem administrators face is that these users do not understand the risk they are placing on their own organization’s network by using this newfound access.

With users now bypassing the main security infrastructure of their own organization to access the Internet through a second organization, each such user is at the mercy of whatever security is in place at that alternate organization. The fact that this company has already shown a lack of security in its wireless network is generally not a sign of good things to come. Viruses and worms that might be blocked from entry into your organization have a new avenue in through this wireless access point. In some cases users set up their laptop or computer so that it is plugged into their own company’s network while its wireless card is connected to the other organization. This design creates a conduit between the two networks that directly compromises the entire network security and negates the majority of the security that has been put in place.

Hackers In The Mist
Hackers, too, are aware of this new phenomenon of corporate users attempting to use open wireless connections to gain Internet access. For that reason hackers have started setting up bogus wireless access points. Basically the plan is simple. Place a wireless access point in a building with Internet access. In most cases this is extremely easy, as most small companies have no real controls in place on the network and do not know when an employee has installed such a device. Next, boost the signal strength with a modified antenna to reach the largest audience. Then write a small program that watches for any activity on the wireless device. As soon as there is activity, the hacker is notified immediately and begins to attack the computer that has logged onto the wireless network. If the computer is vulnerable, the hacker will allow the user to continue using the Internet access while the hacker takes over that system. In most cases spyware and trojans are loaded onto the unsuspecting user’s computer in a matter of minutes. Once a system is compromised, the sky is the limit for the types of information the hacker can gain. Systems that have been set up to be connected to both networks are the hacker’s main desire. Though some routing issues come into play when first attempting to access the user’s network, even low-level hackers are able to get past that issue within a couple of minutes. As for the corporation’s internal network monitoring? Depending on what kind of security has been put into place, they may never know what is happening until long after the damage has been done.

Simple Solutions To Dangerous Problems
As with most security issues, it is the simple things that make all the difference in the world:

• Users need to be made aware of the risks that are out there. Most users have no idea what spyware is, let alone that it is being loaded on their systems. Explaining where spyware comes from and what information it can pass out is an important first step in empowering your users to stop installing software without reading the fine print.

• As I make it clear in almost every article I write, a strong policy and user awareness of the policy is mandatory. Users should not be loading any software on their systems without approval from management. Management should not be loading any software on their systems without comprehensive knowledge of what they are loading. If personal firewalls are in place, they must be enabled to track when software is being loaded on the system and when software is trying to send messages from the system.

• If your organization does not yet require personal firewalls on all systems, it is something that should be addressed in your next budget. A personal firewall is no longer for home use only. Most attacks are focused on the internal desktops rather than directly at the servers. This allows hackers to bypass firewalls and external security devices such as IDS. Many personal firewalls can now be managed from a central location for greater ease of use.

• Web blocking software is another form of privacy control. There are numerous applications available to filter web content and block undesired sites. This is not an option for all organizations, as it does have its limitations. Many sites your users may need to access get blocked, and spyware continually changes where it deposits data. This makes it difficult for web blockers to know what to block.

• Monitor web traffic. Most of the time spyware will send data at set times throughout the day. If you notice web traffic coming from a system when there is no user at that device, most likely spyware is attempting to send out data.

• Pay attention to resource degradation on systems. Many spyware programs are poorly written and over time consume large amounts of memory, causing systems to run very slowly. Users complaining about a loss of performance may be victims of spyware.

• Deploy anti-spyware software to detect and remove spyware from systems. There are many companies offering such software, ranging in price from free to ridiculous. Be aware that some spyware actually removes anti-spyware before it loads onto the system, which means that even if you have anti-spyware installed, new spyware can remove or disable it on the very system it is there to protect.
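The "monitor web traffic" advice above can be turned into a simple check. The script below is an added example, not code from the article or from Stickley: it reads constructed proxy log lines ("timestamp client-ip destination"), and flags any client whose requests are evenly spaced (a scheduled callback rather than a person browsing) or fall entirely outside staffed hours. The log format, the hosts and the 08:00-18:59 staffed window are assumptions for the example.

```python
# Added example (not from the original article): flag hosts whose outbound web
# requests look like scheduled spyware callbacks. Log lines and hosts are constructed.
from collections import defaultdict
from datetime import datetime
from statistics import pstdev

# Constructed proxy log: "<date> <time> <client-ip> <destination-host>"
SAMPLE_LOG = """\
2004-03-02 02:00:05 10.0.0.7 stats.example-collector.test
2004-03-02 02:30:04 10.0.0.7 stats.example-collector.test
2004-03-02 03:00:06 10.0.0.7 stats.example-collector.test
2004-03-02 03:30:05 10.0.0.7 stats.example-collector.test
2004-03-02 09:12:41 10.0.0.12 www.example.test
2004-03-02 09:13:02 10.0.0.12 news.example.test
2004-03-02 11:47:19 10.0.0.12 www.example.test
2004-03-02 15:03:55 10.0.0.12 mail.example.test
"""

STAFFED_HOURS = range(8, 19)  # assumption: desks are occupied 08:00-18:59

def parse_log(text):
    """Return {client_ip: [(datetime, destination), ...]} sorted by time."""
    by_host = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        date, clock, client, dest = line.split()
        by_host[client].append((datetime.fromisoformat(f"{date} {clock}"), dest))
    for events in by_host.values():
        events.sort()
    return by_host

def suspicious_hosts(by_host, min_requests=4, max_jitter_s=60):
    """Flag a host whose requests are (a) evenly spaced, which human browsing
    rarely produces, or (b) all made while nobody is at the desk."""
    findings = {}
    for client, events in by_host.items():
        reasons = []
        times = [t for t, _ in events]
        if len(times) >= min_requests:
            gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
            if pstdev(gaps) <= max_jitter_s:
                reasons.append(f"fixed interval ~{round(sum(gaps) / len(gaps))}s")
        if all(t.hour not in STAFFED_HOURS for t in times):
            reasons.append("traffic only outside staffed hours")
        if reasons:
            findings[client] = reasons
    return findings

if __name__ == "__main__":
    for host, why in suspicious_hosts(parse_log(SAMPLE_LOG)).items():
        print(host, "->", "; ".join(why))
```

On the sample data only 10.0.0.7 is reported, for both reasons; the daytime, irregularly timed browsing from 10.0.0.12 is left alone.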

Obviously the strength of your organization’s network security lies in the hands of your users. If they do not take network security seriously, attempt to subvert it, or ignore the corporate policies, chances are that private information about your company will end up in a database on the Internet.

If you enjoyed this article, be sure to check out Stickley's book "The Truth About Identity Theft"