Two weeks ago, as Secret Service agent Kent McCarthy and attorney Eric Friedberg closed a presentation they were giving to members of the New York Electronic Crimes Task Force, they flashed an IP address on the screen before taking questions from the audience. Right away, a hand shot up near the front of the auditorium, but the speaker didn’t want clarification of their case study. He wanted them to put the IP address back up, so that he could write it down.
The address in question is supposedly used by a perfectly legal piece of software called eBlaster, which the company SpectorSoft markets as a way to keep track of what your spouse or children are doing online. Operating in stealth mode, the software tracks every single keystroke entered into a computer, from instant messages to passwords, and records every e-mail sent and received and website visited. Then, it sends all the data to an IP address, where it is anonymously relayed to whomever has installed the software. (Or rather, it is anonymously relayed to whomever has caused the software to be installed — one of SpectorSoft’s points of pride is that eBlaster can be hidden in an e-mail attachment so the user installs it unknowingly. The company only half-heartedly points out that if you do this without the computer owner’s permission, you could be breaking the law.)
In short, eBlaster is the creepy kind of technology that sells more tickets to The Matrix Reloaded than its lissome leads. No surprise then that in the case described, it was being used by a criminal to monitor the e-mail activity of an unnamed company’s executives.
Even more disturbing, however, was McCarthy and Friedberg’s advice for how CIOs and CSOs could make sure the software wasn’t installed on any of their company’s PCs: by checking their system logs for the aforementioned IP address, which they indicated should not have any legitimate traffic. That would be about as efficient as checking for computer viruses one e-mail at a time.
The fact is that eBlaster is just one of a growing number of keystroke capturing programs, sometimes known as keyloggers and more broadly dubbed as “spyware.” Some are marketed to parents, spouses, employers and investigators for allegedly legitimate purposes; others are not sold so much as traded by hackers or passed on through computer viruses like Fizzer. These are incredibly powerful programs. In April, a former Boston College student pleaded guilty to installing keystroke capturing software on more than 100 campus computers and using it to steal personal information about 4000 students, faculty and staff.
Judging by the reaction of the audience, monitoring for this kind of stealthware is next to impossible. The products are designed to operate invisibly — that’s the whole point — and once installed are unlikely to trigger alerts from firewalls or intrusion detection systems. They just sit there, whispering your secrets. While the anti-virus vendors attempt to locate some of them, in large part because of viruses like Fizzer, they don’t consider it their business to monitor for the likes of eBlaster.
And so, a cottage industry has quietly sprouted in response. With names like Pest Patrol, SpyGuard and Spysweeper, these emerging products aim to root out keystroke capturing software and other stealthware, like the mini-programs advertisers use surreptitiously to track Web usage. But these defensive products are far from perfect.
One person next to me griped that he runs several of them on his PC at work and just thanks his lucky stars he isn’t in charge of the network. Not only are the products not designed to work across an enterprise, they all detect different things — that’s why he uses several of them rather than just one to protect against the latest threats. Why, he wondered out loud, couldn’t these vendors act more like anti-virus vendors? Then, no matter which product you chose, you could be reasonably assured that it would catch everything.
Clearly, there’s a missed opportunity here. The emerging anti-stealthware vendors are still too immature to really solve the problem. Meanwhile, the anti-virus vendors — established companies that actually have the means to share information about new threats and get fixes pushed out to the marketplace — are leaving their customers exposed to a whole set of malicious code.
Maybe you should write down that IP address after all. It’s 18.104.22.168.
"Alarmed" is a biweekly column about security and privacy. Look for a new version every other Thursday.