The Dilemma of Reporting Spyware Attacks

Black Hat Briefings: The FTC is encouraging businesses to inform them when exploited by spyware, but some observers say that doing so may cause more headaches for those who come forward.

LAS VEGAS—The Federal Trade Commission is asking corporations to report incidents when they are victimized by spyware attacks, but some experts say the process of doing so puts businesses in a tricky position, where they must weigh the benefits of pursuing malware code distributors against the potential for legal recrimination.

Speaking at a roundtable discussion on the topic of spyware at the Black Hat Briefings security conference being held here July 31 through Aug. 3, Eileen Harrington, a deputy director in the Bureau of Consumer Protection at the FTC, said that companies will need to be more forthcoming if they are to help the agency track down malware writers and take those individuals to court.

While companies must be held responsible for any mistakes they make that leave computer networks and sensitive data exposed to attacks, law enforcement officials need private-sector organizations to contribute more actively if the FTC is going to make headway in tracking down those responsible for the programs, she said.

"Companies need to report problems to help us do our jobs. If you have the appropriate security measures in place, you shouldn't be afraid to contact us," Harrington said. "Where liability can arise on the part of the private sector is when personally identifiable information on an [IT] system has not been reasonably protected. What constitutes reasonable varies from case to case, and we will sue companies when those steps are not in place."

The proposition is enough to strike fear in the hearts of business executives and IT administrators, as they must consider the implications of admitting an attack and lending a hand versus not reporting a security lapse that allows the spyware to take root and do damage. In addition to the promise of potential fines and legal action from agencies including the FTC, companies must also take into consideration the fact that their corporate image could be tarnished by the related publicity fallout.

However, Harrington said that by reaching out to the FTC, companies may also reduce any fines they receive as a result of being found liable for a data breach. She also admitted that the Washington-based agency has retired some of its own computers "to the closet" that became too loaded with malware programs to be considered useful.

"If you had a data breach and didn't have proper protections in place, you may wind up on the other end of enforcement, but we're likely to find out about it anyway," the FTC official said. "If you let us know, it may also mitigate in some way the nature of any [penalties] sought by the FTC."

Another panelist, Andre Gold, chief information security officer for Houston-based Continental Airlines, shook his head and smiled as Harrington described the need for companies to report their major security incidents. His comments summed up the reaction of many Black Hat attendees, who appeared flummoxed by the notion of trying to stop spyware distributors while protecting the interests of their own companies.

"It's definitely concerning when you're being asked to go to the FTC and you might be told that you haven't done a good enough job," Gold said. "I don't think that model works very well."

Another alternative for companies troubled by the dilemma of how to share their attack information is to work with researchers who can report incidents to law enforcement without handing over specific corporate information, said panelist Ari Schwartz, deputy director of the Center for Democracy and Technology.

While some believe the spyware problem has faded somewhat, with the large volume of attacks of previous years being replaced by more targeted campaigns against specific companies or groups of end users, new figures indicate that this class of malware continues to proliferate.

According to the latest research collected by Webroot Software, to be published in the Mountain View, Calif., company's quarterly malware report later this month, there were more than 100,000 new sites discovered between April 1 and June 30 that were found to be distributing spyware and other malicious programs. The company has unearthed some 527,000 malware sites since launching its research in 2004.

While 67 percent of the new sites were hosted in the United States, compared with Germany, which ranked second with only 7.5 percent of the spyware distributors, Webroot Chief Technology Officer Gerhard Eschelbeck said the people behind the efforts are likely distributed around the globe. The predominance of spyware sites in the United States is likely driven by criminals' desire to steal money from American companies, he said.

Spyware programs used to deliver Trojan viruses are also on the upswing, according to Webroot. The company found that 31 percent of the spyware programs it intercepted during the second quarter carried Trojans, compared with 19 percent during the same time frame last year, and 14 percent two years ago.