What You Don't Know Hasn't Hurt You -- Yet -- Microsoft Certified Professional Magazine Online

What You Don't Know Hasn't Hurt You -- Yet

Also: Trusting TRUSTe; FTC's down on P2P; a policy for encrypting thumb drives

By Russ Cooper
09/12/2007

A research group at the University of Washington is conducting a live survey by having people visit its Web page describing the survey. The group is interested in finding out how many -- and possibly which -- ISPs are inserting advertisements into Web pages rendered on users’ browsers. The study loads Javascript into the browser, which can test the contents of a page as it is rendered on a system. It can then verify whether the page is identical to the one that resides on the group's site or if it has been modified in some way as it goes to the user's system.

Of the nearly 200,000 tests performed against some 30,000 unique IP addresses, only 305 IP addresses demonstrated modified pages. There are companies who insert advertisements into pages, with the user’s consent, at the ISP level. So even if we accept that 0.3 percent of Internet visitors are having pages modified, one still has to question how many are having that done without their knowledge. Certainly it will be some number less than 0.3 percent and possibly none.

Can TRUSTe Be Trusted?
Controversy has arisen over a decision by TRUSTe regarding a member of its “Trusted Download Program.” comScore has a tool, RelevantKnowledge, which tracks users’ online activities. TRUSTe, by granting that tool membership in its program, asserts that the software developer uses good privacy practices when presenting the tool to users. Users are asked if they want to install RelevantKnowledge, and its features and functionality are explained to users. However, an affiliate of comScore used a security vulnerability in the browser to fraudulently install the tool on some user’s systems. The issue now is how TRUSTe responded to this action.

TRUSTe, for its part, saw the issue as someone abusing the comScore tool, as opposed to comScore being a “bad” developer -- sounds reasonable enough. Some security researchers, though, are claiming that TRUSTe should’ve taken bolder steps and banned comScore completely. TRUSTe did suspend comScore for 90 days and said that comScore could then reapply to the program. TRUSTe says this is because comScore’s response to the incident showed they were serious about preventing such actions. comScore was also able to neutralize the installations done by the rogue affiliate and had removed those installs.

From my perspective, it does look as if comScore is serious. Whether they could have prevented the rogue affiliate through better vetting prior to signing them up is a good question, but it's not as if comScore has many such rogue affiliates. Ergo, it stands to reason they are doing some modicum of vetting and that, in general, it works in most cases.

FTC Doesn't Like P2P
SC Magazine reports on testimony being given to a U.S. House Committee, an associate director of the FTC’s division of advertising practices said that peer-to-peer software is often laden with adware and spyware. She also cited two cases where the FTC won rulings against P2P facilitators: one for falsely claiming exchanging music files was legal and the other for falsely stating the software was free when it actually contained adware.

It's important to recognize that it is not P2P that people are having issues with, but collaborative networks. The Internet itself is P2P and there’s little difference between Google and Kazaa. Both go out and find information and assemble it in one place where I can view it, and decide which I want to bring into my system.

Laughably, Jon Newton, the operator of P2Pnet.net, said that he has never had a bad experience using P2P software and doesn’t know anyone else who has. While it's true that malware among P2P files is in the minority, it's equally true that it can be nearly impossible to ensure the file you’re downloading is actually what you think it is.

Want More Security?

This column was originally published in our weekly Security Watch newsletter. To subscribe, click here.

Why Encryption is Unnecessary on USBs: A Case In Point
A doctor at the Nottingham University Hospitals Trust reported to The British Medical Journal, says this story from e-Health Insider, about the practice of storing patient information on USB drives. Dr. Matthew Daunt's report stated that 20 of 36 doctors who stored patient data electronically did so on USB thumb drives. None were encrypted, and only three were protected by a password. This, he claims, is in violation of the Hospitals' own policies. This became glaringly obvious when the hospital had one of its thumb drives stolen, a drive containing patient information. The hospital was forced to inform the patient of the theft and may end up paying compensation.

The data on these drives used to be kept on sheets of paper, presumably stored in some form of security facility (like a locked file cabinet) in the past. It is interesting to see how the introduction of electronic storage also brought along a requirement for more security than had been in place in the past. Does anyone really think it was entirely impossible to get one's hands on patient records when they were in paper form?

That said, it's trivial to employ cryptography with these thumb drives and doing so does improve the security of the patient records. So one has to ask: Why wasn’t it mandatory before?

About the Author

Russ Cooper is a senior information security analyst with Verizon Business, Inc. He's also founder and editor of NTBugtraq, www.ntbugtraq.com, one of the industry's most influential mailing lists dedicated to Microsoft security. One of the world's most-recognized security experts, he's often quoted by major media outlets on security issues.