You might be surprised, even terrified, to hear that in our work we find spyware on the majority of law firm computers we examine. And the percentage skyrockets when we examine home computers, which are generally less protected. It is truly frightening (especially if you ever work from home) to think how vulnerable client data is to spyware.
If you haven’t thought much about spyware, consider this. In a recent survey, 67 percent of network administrators rated spyware as this year’s most significant problem, with viruses running at 23 percent and phishing running far behind at 10 percent.
What Constitutes Spyware?
Generally speaking, spyware is software installed on a computer without the target user’s knowledge and meant to monitor the user’s conduct. Some spyware can record everything the user does—sites visited, instant messaging, e-mail and document preparation. Some is used to gather personally identifiable information such as passwords, credit card numbers and Social Security numbers, all useful for fraud and identify theft. Other spyware programs can hijack your Web browser, reset your home page, add toolbars, alter search results or send pop-up ads that cannot be closed, all intended to hawk some vendor’s products.
Spyware has become insidiously clever. Many programs now come with a reinstaller, which means as soon as you attempt to remove the invader, it reloads itself. Many forms of spyware hide in Windows files and even mimic the file names so the average user would have no idea that the files are, in fact, shielding spyware.
The latest wrinkle with spyware is that it can turn the infected machine into a spam zombie. This means that your computer is being used as a relay point to send spam messages without your knowledge. Probably not a law firm’s first choice of how to use its computer network.
Is Adware Part of This Plague?
Those who are responsible for adware will have conniptions if you tell them their products are spyware. But in fact, adware programs are spyware, even though they are a lesser form of it. If you click something and consciously agree to install adware, it cannot be classified as spyware. However, if you (or very likely, your children) want to install a neat screensaver, a cool game, or swap music or movie files via a peer-to-peer (P2P) sharing program, chances are that you will never read the user agreement. You will simply hit “I agree.” This is how most adware finds its way into a computer system.
Mind you, there are other more insidious ways as well, including “drive-by downloads” from Web sites, malicious cookies and the like. True adware, however, isn’t meant to steal your personal financial information or monitor your shenanigans. Usually, its purpose is to send information to marketers about your surfing and buying habits, so they can target their marketing to you and similar users, especially with pop-up ads, spam and their unwelcome brethren.
Who’s Likely to Have Spyware on Their System?
The more correct question is: Who doesn’t have spyware? Although studies disagree on exact figures, probably between 80 to 95 percent of all computers have some form of spyware. Here are some of the indicators that spyware may be present:
If you haven’t noticed these symptoms, you might think you’re safe. Think again. In November 2004, America Online and the National Cyber Security Alliance released a study in which 77 percent of computer users felt that they were safe from spyware. In point of fact, 80 percent of their systems were infected. If you look at your computer and think it’s looking back at you, it may well be doing exactly that.
Keystroke loggers—which monitor the user’s every keystroke—are much more rare. They seem to have three primary uses: business spying, relationship spying and monitoring children. Take a look at Figure 1, which is a sample screenshot from the well-known keystroke logger Key Katcher, showing one lawyer writing to a colleague in his firm. The image is complete with misspellings and corrections (BS means backspace), every keystroke having been captured by the program. Imagine the chaos this e-mail could cause if someone were monitoring the lawyer’s machine.
Are There Laws Addressing This Invasion?
As of this writing, there is no federal anti-spyware law. Last year, the U.S. House of Representatives overwhelmingly (399 to 1) passed the so-called SPY ACT, a pithy acronym for the Securely Protect Yourself Against Cyber Trespass Act. The bill, however, stalled in the Senate, reportedly owing to the lobbying efforts of marketing groups and software manufacturers. Representative Mary Bono reintroduced the bill on January 4, and many commentators believe it will be passed this year.
The SPY ACT would require a user’s permission before software is downloaded onto a computer. It would prohibit unauthorized software from changing a browser’s default home page, changing a computer’s security settings, logging keystrokes and activity, and delivering advertisements that the user can’t close without turning off the machine or ending all browser sessions. The bill would also allow fines of up to $3 million for those who manufacturer software that would surreptitiously procure personal information from a user’s computer. Many spyware functions would be defined as unfair business practices subject to Federal Trade Commission fines.
Among the states, California and Utah have enacted legislation designed to outlaw spyware. Virginia has both a computer trespass and computer privacy statute, so spyware is a definite no-no there, even if the computer is a joint asset.
In addition, anti-spyware legislation is currently pending in Michigan, Pennsylvania, New York and Iowa.
A quick scan of other states revealed similar laws in Kansas, Tennessee, Rhode Island, Washington and North Carolina. You should check the status of the laws in your own jurisdiction.
How Do You Combat Spyware?
Spy Sweeper, Spyware Eliminator, Ad-aware Pro, AntiSpy, XoftSpy and Spyware Doctor are among the top-rated anti-spyware programs. Beware, though, for no one program will catch all spyware. Experts recommend running two or three anti-spyware programs weekly to maximize your chances of eliminating all spyware on your system. Many of these programs run in the $30 to $40 range.
Too many people believe they are okay if they simply have up-to-date antivirus software. Wrong. A lesser number believe they are safe if they’ve checked the installed programs listing, the add/remove panel and the standard start-up area, and they’ve pressed Control+Alt+Delete on their computer without anything mysterious showing. Also wrong. The entire point of spyware is to cloak itself so that standard methodologies will not detect it.
Along with having good anti-spyware programs, you want to make sure that you regularly update your operating system and Web browsing software to close vulnerabilities that the manufacturer may have patched. Also, download free software only from sites you know and trust. Read the license agreements of any software you download.
In addition, keep your browser security setting at “Medium” or higher to minimize drive-by downloads. Don’t click on links in pop-up windows. And please don’t click on links in spam, which often carry spyware. Make use of personal firewalls on home machines. Plus, consider changing browsers to Firefox, which will also minimize drive-by downloads.
Scared yet? Well, here’s the real heart-pounder! Find out if you have spyware on your computer by using the free systems audit at www.webroot .com/services/spyaudit_03.htm.You may be very surprised, even horrified, at the results. So, who’s watching you?
Sharon D. Nelson ( firstname.lastname@example.org) and John W. Simek ( email@example.com) are President and Vice President, respectively, of Sensei Enterprises, Inc., a computer forensics and legal technology firm based in Fairfax, VA.