Universities struggling with SSL-busting spyware

U.S. universities are struggling with a flare-up of dangerous spyware that can snoop on information encrypted using SSL (Secure Sockets Layer). Experts are warning that the stealthy software, called Marketscore, could be used to intercept a wide range of sensitive information, including passwords and health and financial data.

In recent weeks, information technology departments at a number of universities issued warnings about problems caused by the Marketscore software, which promises to speed up Web browsing. The program, which routes all user traffic through its own network of servers, poses a real threat to user privacy, security experts agree.

Columbia University, Cornell University, Indiana University, The State University of New York (SUNY) at Albany, and The Pennsylvania State University are among those noting an increase in the number of systems running Marketscore software in recent weeks. Each institution warned its users about Marketscore and posted instructions for removing the software.

The software is bundled with iMesh peer-to-peer software, and may have made it onto university networks that way, said David Escalante, director of computer security at Boston College.

The company that makes the software, Marketscore, has headquarters in Reston, Virginia, at the same mailing address as online behavior tracking company ComScore Networks.

ComScore CEO Magid Abraham said that the Marketscore software is similar to other market research tools, in which subjects agree to give information in exchange for a gift or valuable service. In the case of Marketscore, the premium for sharing information is use of the acceleration software, he said.

Reports of infected systems on campuses ranged from a handful up to about 200 on one large campus network, Escalante said.

Marketscore is just the latest incarnation of a spyware program called Netsetter, which first appeared in January, said Sam Curry, vice president of eTrust Security Management at Computer Associates International (CA).

"Basically it takes all your Web traffic and forces it through its own proxy servers," he said.

Ostensibly, the redirection speeds up Web surfing, because pages cached on Marketscore's servers load faster than they would if they were served directly from the actual Web servers for sites such as Google.com or Yahoo.com. However, those performance benefits have been elusive.

"People who have installed the software complain to us that they're not getting any improvement," Curry said.

Richard Smith, an independent software consultant in Boston, is also skeptical of performance improvement claims made by Marketscore and others, especially since many Internet service providers already offer Web caching for their dial-up customers, he said in an e-mail message.

But tests conducted by ComScore of Web surfing performance over dial-up connections with a variety of ISPs show that the Marketscore software shortened page loading times for most ISP customers by 40 percent, Abraham said.

He acknowledged that some dial-up customers may not notice improvements, depending on their ISP, and that broadband customers would hardly notice the improvement in page loading times because of the speed with which Web pages load over those connections.

At Cornell, the university IT Security Office blocked connections between Cornell's network and the Marketscore servers, according to a message posted on the university's Web site. Administrators at SUNY Albany took similar steps, according to a message posted on that university's Web site.
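The proxying described above is visible in flow data as a client sending nearly all of its Web connections to a single outside network, whether or not the traffic is encrypted. The following check is an added example, not taken from the article or from any university's tooling; the flow records, address ranges, thresholds and function names are constructed assumptions.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed flow records (client_ip, dest_ip, dest_port); documentation ranges only.
SAMPLE_FLOWS = (
    [("10.0.0.5", "203.0.113.10", 80)] * 12     # client funnelled to one outside /24
    + [("10.0.0.5", "203.0.113.11", 443)] * 7
    + [("10.0.0.5", "198.51.100.7", 443)]
    + [("10.0.0.9", "198.51.100.7", 443)] * 4   # ordinary browsing, mixed destinations
    + [("10.0.0.9", "192.0.2.20", 80)] * 5
    + [("10.0.0.9", "192.0.2.99", 443)] * 6
    + [("10.0.0.12", "10.0.1.1", 80)] * 20      # client using the campus's own cache
)
SANCTIONED = [ipaddress.ip_network("10.0.1.0/24")]  # assumed campus proxy range
WEB_PORTS = {80, 443}


def funnelled_clients(flows, sanctioned=SANCTIONED, prefix=24,
                      min_flows=10, threshold=0.9):
    """Return {client: (network, share)} for clients that send at least
    `threshold` of their Web flows to one non-sanctioned /prefix network."""
    per_client = defaultdict(Counter)
    for client, dest, port in flows:
        if port not in WEB_PORTS:
            continue
        net = ipaddress.ip_network(f"{dest}/{prefix}", strict=False)
        per_client[client][net] += 1

    flagged = {}
    for client, nets in per_client.items():
        total = sum(nets.values())
        if total < min_flows:          # too little traffic to judge
            continue
        net, count = nets.most_common(1)[0]
        share = count / total
        if share >= threshold and not any(net.subnet_of(s) for s in sanctioned):
            flagged[client] = (str(net), round(share, 2))
    return flagged


if __name__ == "__main__":
    for client, (net, share) in funnelled_clients(SAMPLE_FLOWS).items():
        print(f"{client}: {share:.0%} of Web flows go to {net}")
```

Networks flagged this way are candidates for the kind of block Cornell and SUNY Albany applied, after confirming they are not a legitimate CDN or a proxy the institution itself runs.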

While other legal software programs make claims similar to Marketscore's about improving Web browsing speed, Internet security experts are troubled that the software creates its own trusted certificate authority on computers. That certificate authority intercepts Web communications secured using SSL, decrypting that traffic, then sending it to the Marketscore servers before encrypting the traffic and passing it along to its final destination. That traffic could include sensitive information, including passwords, credit card and Social Security numbers, Curry said.

Abraham acknowledged that his company was capturing sensitive information among other data it collects, including data encrypted using SSL. However, the company encrypts and anonymizes all the data it gathers, then stores it on secure, tamper-proof servers.

When credit card numbers are identified among the data, only the first six digits of the card numbers are retained. That data is used to give credit card companies an idea of how their cards are being used for online purchases. Other data, such as bank account or Social Security numbers, are not used and are usually discarded, he said.

Marketscore should be a big concern for companies -- especially those like banks with employees who handle sensitive data, Escalante said.

"I don't know how good it is for parties on either end of a transaction to have a third party listening in," he said.

If nothing else, all the extra decrypting and encrypting slows down SSL traffic, casting doubt on Marketscore's claims to be an Internet accelerator, Smith said.

CA's eTrust Security Advisor research team labeled Marketscore "spyware" up until June of this year, but stopped after Marketscore appealed that designation using an established vendor appeal process, Curry said.

CA is currently re-evaluating the "spyware" designation using a complicated, multifactor scoring system. Marketscore is less repugnant than its predecessor, Netsetter, which did not clearly disclose to users what it did when installed and made itself difficult to remove, Curry said.

Marketscore is better on both those counts, clearly stating both in the end user license agreement and during the installation process what the product does, and providing users with an easy uninstall program, Curry said. CA considers Marketscore an example of a new breed of software that lies in the gray area between spyware and legitimate software, Curry said.

"Under the old definition, (Marketscore) clearly qualified as spyware. But there are new categories emerging," he said.

While Marketscore clearly tracks user behavior, it doesn't hijack Web browser home pages, spew pop-up advertisements or conceal its presence, like earlier generations of spyware did, Curry said.

"There's more granularity. Companies have responded and ... are adding benefits and value to these programs. We're looking at ways to more accurately identify this," Curry said.

ComScore defends both the Marketscore and earlier Netsetter products, saying that the company is forthcoming with users who sign up to use its products and that it obtains appropriate consent from them prior to installation of any software, according to Christiana Lin, chief privacy officer at ComScore.

"Since 2000, when Netsetter went up, we have been very careful to fully disclose the information that we obtain from (users)," Lin said.

That information includes disclosures in ComScore's privacy and membership agreements that the company tracks all Web traffic, including payment information, personal health information and prescription information, she said.

Although Marketscore was bundled with the iMesh software as recently as July or August, ComScore discontinued that practice, feeling that iMesh's consolidated end user license agreement didn't allow users to adequately understand the software before agreeing to install it, Abraham said.

Marketscore is also advertising itself as an e-mail protection service, in addition to an Internet accelerator. Members now receive Symantec Corp.'s CarrierScan Server antivirus technology at no cost, according to Marketscore's Web site. The company is hoping to use antivirus features to add value to the Marketscore software, especially for broadband Internet customers, Abraham said.

Spyware or not, CA's Curry said that Marketscore offers a lesson: "If you're looking at a product that's promising to speed up your Web browsing by redirecting traffic through their servers -- and it's free -- to me, that sounds too good to be true."

Paul Roberts

IDG News Service