U.S. universities are struggling with a flare-up of dangerous spyware that can snoop on information encrypted using SSL (Secure Sockets Layer). Experts are warning that the stealthy software, called Marketscore, could be used to intercept a wide range of sensitive information, including passwords and health and financial data.
In recent weeks, information technology departments at a number of universities issued warnings about problems caused by the Marketscore software, which promises to speed up Web browsing. The program, which routes all user traffic through its own network of servers, poses a real threat to user privacy, security experts agree.
Columbia University, Cornell University, Indiana University, The State University of New York (SUNY) at Albany, and The Pennsylvania State University are among those noting an increase in the number of systems running Marketscore software in recent weeks. Each institution warned their users about Marketscore and posted instructions for removing the software.
The software is bundled with iMesh peer-to-peer software, and may have made it onto university networks that way, said David Escalante, director of computer security at Boston College.
The company that makes the software, Marketscore, has headquarters in Reston, Virginia, at the same mailing address as online behavior tracking company ComScore Networks.
ComScore CEO Magid Abraham said that the Marketscore software is similar to other market research tools, in which subjects agree to give information in exchange for a gift or valuable service. In the case of Marketscore, the premium for sharing information is use of the acceleration software, he said.
Reports of infected systems on campuses ranged from a handful up to about 200 on one large campus network, Escalante said.
Marketscore is just the latest incarnation of a spyware program called Netsetter, which first appeared in January, said Sam Curry, vice president of eTrust Security Management at Computer Associates International (CA).
"Basically it takes all your Web traffic and forces it through its own proxy servers," he said.
Ostensibly, the redirection speeds up Web surfing, because pages cached on Marketscore's servers load faster than they would if they were served directly from the actual Web servers for sites such as Google.com or Yahoo.com. However, those performance benefits have been elusive.
"People who have installed the software complain to us that they're not getting any improvement," Curry said.
Richard Smith, an independent software consultant in Boston, is also skeptical of performance improvement claims made by Marketscore and others, especially since many Internet service providers already offer Web caching for their dial-up customers, he said in an e-mail message.
But tests conducted by ComScore of Web surfing performance over dial-up connections with a variety of ISPs show that the Marketscore software shortened page loading times for most ISP customers by 40 percent, Abraham said.
He acknowledged that some dial-up customers may not notice improvements, depending on their ISP, and that broadband customers would hardly notice the improvement in page loading times because of the speed with which Web pages load over those connections.
At Cornell, the university IT Security Office blocked connections between Cornell's network and the Marketscore servers, according to a message posted on the university's Web site. Administrators at SUNY Albany took similar steps, according to a message posted on that university's Web site.
While other legal software programs make similar claims about improving Web browsing speed as Marketscore, Internet security experts are troubled that the software creates its own trusted certificate authority on computers. That certificate authority intercepts Web communications secured using SSL, decrypting that traffic, then sending it to the Marketscore servers before encrypting the traffic and passing it along to its final destination. That traffic could include sensitive information, including passwords, credit card and Social Security numbers, Curry said.
Abraham acknowledged that his company was capturing sensitive information among other data it collects, including data encrypted using SSL. However, the company encrypts and anonymizes all the data it gathers, then stores it on secure, tamper-proof servers.
When credit card numbers are identified among the data, only the first six digits of the card numbers are retained. That data is used to give credit card companies an idea of how their cards are being used for online purchases. Other data, such as bank account or social security numbers are not used and are usually discarded, he said.
Marketscore should be a big concern for companies -- especially those like banks with employees who handle sensitive data, Escalante said.
"I don't know how good it is for parties on either end of a transaction to have a third party listening in," he said.
If nothing else, all the extra decrypting and encrypting slows down SSL traffic, casting doubt on Marketscore's claims to be an Internet accelerator, Smith said.
CA's eTrust Security Advisor research team labeled Marketscore "spyware" up until June of this year, but stopped after Marketscore appealed that designation using an established vendor appeal process, Curry said.
CA is currently re-evaluating the "spyware" designation using a complicated, multifactor scoring system. Marketscore is less repugnant than its predecessor, Netsetter, which did not clearly disclose to users what it did when installed and made itself difficult to remove, Curry said.
Marketscore is better on both those counts, clearly stating both in the end user license agreement and during the installation process what the product does, and providing users with an easy uninstall program, Curry said. CA considers Marketscore an example of a new breed of software that lies in the gray area between spyware and legitimate software, Curry said.
"Under the old definition, (Marketscore) clearly qualified as spyware. But there are new categories emerging," he said.
While Marketscore clearly tracks user behavior, it doesn't hijack Web browser home pages, spew pop-up advertisements or conceal its presence, like earlier generations of spyware did, Curry said.
"There's more granularity. Companies have responded and ... are adding benefits and value to these programs. We're looking at ways to more accurately identify this," Curry said.
ComScore defends both the Marketscore and earlier Netsetter products, saying that the company is forthcoming with users who sign up to use its products and that it obtains appropriate consent from them prior to installation of any software, according Christiana Lin, chief privacy officer at ComScore.
"Since 2000, when Netsetter went up, we have been very careful to fully disclose the information that we obtain from (users)," Lin said.
That information includes disclosures in ComScore's privacy and membership agreements that the company tracks all Web traffic, including payment information, personal health information and prescription information, she said.
Although Marketscore was bundled with the iMesh software as recently as July or August, ComScore discontinued that practice, feeling that iMesh's consolidated end user license agreement didn't allow users to adequately understand the software before agreeing to install it, Abraham said.
Marketscore is also advertising itself as an e-mail protection service, in addition to an Internet accelerator. Members now receive Symantec Corp.'s CarrierScan Server antivirus technology at no cost, according to the Marketscore's Web site. The company is hoping to use antivirus features to add value to the Marketscore software, especially for broadband Internet customers, Abraham said.
Spyware or not, CA's Curry said that Marketscore offers a lesson: "If you're looking at a product that's promising to speed up your Web browsing by redirecting traffic through their servers -- and it's free -- to me, that sounds too good to be true."