Bug Zapper

By eweek  |  Posted 2001-04-02

Hawking Internet Security Products and services is a bit like selling insurance policies — vendors need to instill a sense of paranoia in their prospective customers to close the sale.

Intelytics, a 5-month-old security firm in Pittsburgh, Pa., has ably demonstrated the subtleties of this strategy in launching its first services. The company is attacking "Web bugs" — invisible graphics on Web pages or in e-mail messages that are designed to track users activities online. Most commonly, Web bugs are used by online advertising firms, such as DoubleClick, to determine how many people have viewed a given ad.

But Intelytics is sounding the alarm that Web bugs can have more pernicious uses. Last month, in a demonstration to the bipartisan Congressional Privacy Council, Intelytics executives planted a Web bug on a Windows 2000 PC without the users consent. The Web bug — probably a malicious ActiveX script, according to security experts — was then able to e-mail the PCs configuration text file, e-mail address book and file directory structure back to Intelytics.

Following the presentation, the audience was "noticeably stunned," according to the companys press release.

Now, Intelytics is moving into selling mode. The company — formed by Iventurelab, a technology incubator that spun off from Carnegie Mellon University — offers businesses a ser-vice that monitors their use of Web bugs, to establish if the bugs are being used in ways that might violate the sites stated privacy policies. Intelytics also plans to release a consumer version of its service, Personal Sentinel, in the near future.

While you might expect a company to know exactly what it is doing on its own Web site, thats not necessarily the case, says Miles Wallace, Iventurelabs president and managing director. "We have run across some rather frightening examples of data that is shared with third parties," he says.

For example, Wallace says, Intelytics worked with a major credit-card company that was unwittingly sharing its user data with a porn site through a third-party marketing organization. Intelytics has a few other customers, but Wallace declined to name them. He also will not disclose pricing information, which he says is negotiated on a per-client basis.

But is Intelytics overstating the dangers of Web bugs? The company refuses to explain what vulnerability it exploited in its Congressional Privacy Council demo. However, according to Paul Zimski, a security researcher at Finjan Software, Intelytics most likely exploited the "cross-frame scripting" vulnerability in certain versions of Microsoft Internet Explorer — which lets someone embed into a URL instructions to run a malicious script on a local PC — a problem identified a year ago that has been fixed in the latest version of IE.

Wallace says Intelytics is just pointing out security threats that already exist.

"I dont want to say the sky is falling," Wallace says. "Were just saying these methods of stealing data are possible." And by the way, Intelytics can also sell you a solution to the problem.

Rocket Fuel