US universities are struggling with a flare-up of dangerous spyware that can snoop on information encrypted using SSL. Experts are warning that the stealthy software, called Marketscore, could be used to intercept a wide range of sensitive information, including passwords and health and financial data.
In recent weeks, IT departments at a number of universities issued warnings about problems caused by the Marketscore software, which promises to speed up Web browsing. The program, which routes all user traffic through its own network of servers, poses a real threat to user privacy, security experts agree.
Columbia University, Cornell University, Indiana University, The State University of New York (SUNY) at Albany, and The Pennsylvania State University are among those noting an increase in the number of systems running Marketscore software in recent weeks. Each institution warned their users about Marketscore and posted instructions for removing the software.
The software is bundled with iMesh peer-to-peer software, and may have made it onto university networks that way, said David Escalante, director of computer security at Boston College.
The company that makes the software, Marketscore Inc., has headquarters in Virginia, at the same mailing address as online behavior tracking company comScore Networks. Comscore CEO Magid Abraham said that the Marketscore software is similar to other market research tools, in which subjects agree to give information in exchange for a gift or valuable service. In the case of Marketscore, the premium for sharing information is use of the acceleration software, he said.
Reports of infected systems on campuses ranged from a handful up to about 200 on one large campus network, Escalante said. Marketscore is just the latest incarnation of a spyware program called Netsetter, which first appeared in January, said Sam Curry, vice president of eTrust Security Management at Computer Associates. "Basically it takes all your Web traffic and forces it through its own proxy servers," he said.
Ostensibly, the redirection speeds up Web surfing, because pages cached on Marketscore's servers load faster than they would if they were served directly from the actual Web servers for sites such as Google.com or Yahoo.com. However, those performance benefits have been elusive. "People who have installed the software complain to us that they're not getting any improvement," Curry said.
Richard Smith, an independent software consultant, is also skeptical of performance improvement claims made by Marketscore and others, especially since many Internet service providers already offer Web caching for their dial-up customers, he said.
But tests conducted by comScore of Web surfing performance over dial-up connections with a variety of ISPs show that the Marketscore software shortened page loading times for most ISP customers by 40 percent, Abraham claimed.
He acknowledged that some dial-up customers may not notice improvements, depending on their ISP, and that broadband customers would hardly notice the improvement in page loading times because of the speed with which Web pages load over those connections.
At Cornell, the university IT Security Office blocked connections between Cornell's network and the Marketscore servers. Administrators at SUNY Albany took similar steps.
While other legal software programs make similar claims about improving Web browsing speed as Marketscore, Internet security experts are troubled that the software creates its own trusted certificate authority on computers. That certificate authority intercepts Web communications secured using SSL, decrypting that traffic, then sending it to the Marketscore servers before encrypting the traffic and passing it along to its final destination. That traffic could include sensitive information, including passwords, credit card and Social Security numbers, Curry said.
Abraham acknowledged that his company was capturing sensitive information among other data it collects, including data encrypted using SSL. However, the company encrypts and anonymises all the data it gathers, then stores it on secure, tamper-proof servers, he said.
When credit card numbers are identified among the data, only the first six digits of the card numbers are retained. That data is used to give credit card companies an idea of how their cards are being used for online purchases. Other data, such as bank account or social security numbers are not used and are usually discarded, he said.
Marketscore should be a big concern for companies - especially those like banks with employees who handle sensitive data, Escalante said. "I don't know how good it is for parties on either end of a transaction to have a third party listening in," he said. If nothing else, all the extra decrypting and encrypting slows down SSL traffic, casting doubt on Marketscore's claims to be an Internet accelerator, Smith said.
CA's eTrust Security Advisor research time labeled Marketscore "spyware" up until June of this year, but stopped doing so after Marketscore appealed that designation using an established vendor appeal process, he said. CA is currently re-evaluating the "spyware" designation using a complicated, multi-factor scoring system. The software is not as bad as its predecessor, Netsetter, which did not clearly disclose to users what it did when installed and made itself difficult to remove.
Marketscore in contrast clearly states both in the end user license agreement and during the installation process what the product does, and provides users with an easy uninstall program. CA considers Marketscore an example of a new breed of software that lies in the grey area between spyware and legitimate software, Curry said. "Under the old definition, Marketscore clearly qualified as spyware. But there are new categories emerging," he said.
While Marketscore clearly tracks user behavior, it doesn't hijack Web browser home pages, spew pop-up advertisements or conceal its presence, like earlier generations of spyware did, Curry said. Spyware or not, the lesson of Marketscore is that "if it sounds too good to be true, it probably is," Curry said.