I spy

2006-09-01

David Harley

Small Blue-Green World, UK
Editor: Helen Martin

Abstract

David Harley reviews Combating Spyware in the Enterprise.


Introduction

Title: Combating Spyware in the Enterprise

Author: Baskin, Bradley, Caruso, Faircloth, James, Piccard and Schiller

Publisher: Syngress

ISBN: 1-59749-064-4

Cover price: $49.95

According to the cover blurb, this book is essential reading for 'anyone responsible for the security of an enterprise's network'. It contains some useful and interesting general material, but does it live up to its claim?

Content

The book begins with chapters entitled 'An overview of spyware' and 'The transformation of spyware', both written by Tony Bradley. The first defines spyware, malware, adware, parasiteware (browser hijackers), phishing and botnets. The definitions will not add much to the knowledge of readers of Virus Bulletin, but are uncontentious and clearly written, with examples of specific programs and the body text of several phishing emails.

A short description of how botnets work is followed by very short descriptions of a handful of bots. The separate section on malware seems a little odd, given that most of us would probably consider most of the programs described here to be malware. The second chapter is largely historical, describing the origins and evolution of spyware through targeted marketing, spam and cookies, and adware. A section on spyware and criminal activity introduces some slightly different or additional definitions (identity theft, ransomware) and is followed by a short US-centric section on anti-spyware legislation. While these chapters don't really address the enterprise context, they do provide a reasonable introduction to the topic of spyware.

Chapter three, 'Spyware and the enterprise network' by Jeremy Faircloth, begins with brief descriptions of a selection of hardware and software keystroke loggers, including Sony's DRM fiasco. A consideration of 'spyware/backdoor combinations' and 'encapsulated trojans' is followed by a couple of pages on fake removal tools. The content related to the enterprise network is sparse and very generalized (e.g. 'Always use standard security practices…').

Chapter four, 'Real SPYware – crime, economic espionage, and espionage' by Craig S. Schiller, picks up the pace somewhat. The first few pages consist mostly of historical overviews of the criminal use of (loosely speaking) spyware and commercial and governmental espionage, and seem to suggest that profit-driven malware represents a shift from a previously ethical model of virus writing. (I'd love to hear that debate at a VB conference!) A more detailed overview of phishing is followed by a long section on botnet functionality, detection and countermeasures. There’s some useful introductory-to-intermediate material here, though many enterprises will not have the resources or incentive to follow up on this material to the same level of detail.

Chapters five and six, 'Solutions for the end user' and 'Forensic detection and removal', were written by Brian Baskin. Home users might find the former quite useful. However, this chapter is surprisingly long for a book which supposedly focuses on the enterprise. Only one keylogger detection utility is mentioned, but a number of common toolbar utilities are named, as well as a few commercial solutions. However, these are considered from an individual PC user's viewpoint, rather than in terms of enterprise management. Of the mainstream security vendors with products or services that include spyware management functionality, only McAfee AntiSpyware gets a mention. Given the number of mainstream AV vendors with a foot in that door, this is disquieting.

Chapter six is useful, but inaccurately named. It considers detection of spyware by tools like HijackThis, examination of the Registry, processes, the hosts file and so on, but pays no significant attention to the presentation of evidence in a court of law, so in what sense is it forensic? Its juxtaposition of detection and removal techniques without even mentioning the need to preserve a chain of evidence is, if anything, anti-forensic. The final section of the chapter summarizes a handful of enterprise-level removal tools and services, but not in any great depth.

Chapter seven, 'Dealing with spyware in a non-Microsoft world' by Ken Caruso, addresses the general issues of spyware and security on the Linux and Macintosh OS X platforms. Caruso mentions the existence of Linux spyware and rootkits, but the only Linux threats he describes (briefly) are Staog and Slapper, and the only preventative measures mentioned are the use of unprivileged accounts and (in the summary section) tripwire (which isn't described). Pre-OS X malware isn't mentioned at all, but Leap and Inqtana are described briefly. The only Mac security product mentioned is MacScan.

Chapter eight, 'The frugal engineer's guide to spyware prevention' by Paul Piccard, contains reasonable basic material, mostly on application security. It seems unhelpful to mention free versions of commercial AV here: very few enterprises will meet the licensing criteria to allow them to use those versions. The descriptions of Microsoft's WSUS and MBSA and the sections on securing email, Windows and so on could be the starting point for a useful set of checklists, but leave a lot of ground uncovered.

The appendix, written by Lance James, contains some competent material on mule-driving, telephony, and malware trends. It does fit quite well with the heavy emphasis on phishing in other chapters, but doesn't really tie the subject in with the main theme of the book.

Does the book keep its promises?

This is a disappointing book. It contains useful general information on spyware and a number of related areas (especially phishing), but it isn't the definitive work on spyware. While there are certainly links between phishing attacks and spyware, the terms are not so interchangeable as to justify the volume of non-technical phishing material. This would have been more defensible had there been more emphasis on corporate governance and non-technical countermeasures. I would expect a book centred on spyware in the enterprise to address topics around governance issues like policy, end-user education, top management buy-in, compliance issues and accountability, as well as purely technical matters. Even at the technical level, the book is much better on attacks than on countermeasures.

The book largely overlooks the strong presence of mainstream AV vendors in this space. More surprisingly, even the open source programs widely used as a supplement (or, more contentiously, as a substitute) for commercial AV are not considered. This is a pity: a responsible, well-informed discussion of when it is appropriate to use open source and freeware would have been a real service to the enterprise community. AV aside, the range of commercial solutions that is considered is astonishingly narrow.

This emphasis on in-house technical measures and cost-cutting misses an essential point about enterprise security. Many enterprises prefer to spend serious money on commercial products and services rather than rely on internal expertise and applications that aren’t contractually supported. Why would they do that? Because the principle of transferring risk and accountability is, if properly managed, a viable security model. A book on enterprise security that doesn't give due weight to this model undermines its own credibility.

This book contains useful reading matter for non-specialists, and many system administrators and managers might benefit from it. However, as a guide to corporate handling of spyware, it is weak and even misleading.
