Lynda

----- Original Message -----

> http://www.zonelabs.com/newsletter/beware1100.html
> Beware Spyware
> Experts have discovered that those free software products that ask only that
> you accept some advertising may be seriously invading your privacy.
> When a U.S. senator asks Congress to intervene in the way some software is
> sold, it's a good sign there may be a problem. That's exactly what happened
> in October 2000 when North Carolina Democratic Senator John Edwards
> introduced legislation that would force software makers to disclose when
> they use Spyware in the products they sell.
> Senator Edwards commented "I have been closely following the privacy debate
> for some time now, and I am struck by how often I discover new ways in which
> our privacy is being eroded. Spyware is among the more startling examples of
> how this erosion is occurring."
> At Zone Labs, we draw a distinction between Spyware and Adware. Adware
> includes a piece of code that can be used by software vendors to track your
> use of a product that contains advertising, so that the vendor can bill the
> advertisers whose products or services are advertised on the software, and
> in some cases to track your use of the software to determine your behavior
> as a user.
> It's usually a fair trade - you the user allow the software vendor to track
> your use of their product so they can target appropriate advertising through
> the product - and you get the software free. And while Adware from reputable
> companies is rarely malicious, it does raise some important privacy
> questions, especially whether it's enough to take the vendor's word that
> they will use the information for advertising only, and no other purpose.
> Spyware is much more malicious, and is increasingly used by hackers to get
> inside your PC, track your behaviour, steal your data, and use you as a back
> door into your employer's corporate network.
> And many security and privacy experts believe that the confusion between
> Adware and Spyware could be a big problem for many consumers, especially
> when it comes to privacy. One of the largest distributors of free software
> claims to sell more than 500 different titles to more than 28 million
> consumers. And although the company freely admits to using Adware in its
> products, it also claims that it's only to best target advertising through
> these products.
> When one user of that company's free software conducted a simple and free
> test to see if his computer did in fact contain any Adware, a total of
> twenty-seven Adware "parasites" were detected.
> The test is called Opt Out, offered by Gibson Research, and you can try the
> free service yourself at <http://grc.com/optout.htm>
> When a spokesperson for toy-maker Mattel was asked why they used Adware in
> more than 100 children's software titles, the response was "The program was
> originally designed to offer consumers additional product content and to
> communicate fixes."
> While Mattel's intentions were entirely honorable and an obvious benefit to
> consumers, parents could be forgiven for being alarmed when they first
> stumbled across the secret. And suspicion is often further increased when
> the information being sent over the Internet from your computer to an
> unknown source is so heavily encrypted there's no way of telling what's
> being sent.
> If the information is not encrypted, who else can grab and use it? And what
> if a disgruntled programmer designed the Adware to do something much more
> sinister? Like siphon off email addresses, credit card numbers, or passwords?
> What to Do?
> Think twice about how free "free" advertising-based software really is, and
> whether it's worth the loss of privacy.
>
> If you're considering using advertising-supported free software, ask the
> manufacturer if they use Adware or any other mechanism to track your use of
> the software.
>
> Use the free OptOut program to test if you already have Spyware or Adware on
> your PC.
>
> Be vigilant - a product like ZoneAlarm will always warn you when Adware or
> Spyware is trying to connect to the Internet and send your information back
> to base. By clicking on the "More Info" button of a ZoneAlarm Alert you can
> find the source for these attempts.
> ==================
> http://www.zonelabs.com/newsletter/howtoprotect1100.html
> Ask The Expert
>
> Q: We're planning on installing a local area network - we have around twenty
> PCs, between two offices, as well as half a dozen laptops. What security
> precautions should we consider?
>
> A: It is recommended that you first determine what it is you want to
> protect. For the purposes of discussion, it's assumed that it is information
> you ultimately want to protect. If so, then you should identify who "owns"
> that information (a business owner and not always the system administrator);
> who the owner wants to grant access to the information to; and over what
> systems, networks, databases, and applications that access is to be granted.
> The more sensitive the information, the more safeguards you have to employ
> to protect that information.
>
> Another point to consider is how critical the information is to the
> company's operations. How long can your company continue to operate without
> the availability of the information? The more critical information is to
> your business operations, the more safeguards you have to implement to
> ensure its availability.
>
> Typical security precautions, however, include the following:
>
> - Inventory and baseline your systems, networks, and peripheral equipment.
>   It's virtually impossible to do an effective job of protecting your
>   architecture if you don't know what you have to protect.
> - Institute configuration control procedures and review the impact to your
>   overall security environment from any subsequent system/network changes.
> - Put the LAN server and routers behind locked doors in a room or
>   well-ventilated closet with physical access restricted to the absolute
>   minimum number of people on your staff.
> - Ensure users have to log-in with effective IDs and passwords before being
>   granted access to the system.
> - Establish a one-time password capability (like SecurID or Safeword
>   Softoken) for your employees when they dial into the company's system
>   through an extranet modem pool or over the Internet via IP connection.
> - Audit user activities while in the system. Simply making sure they have
>   access isn't enough. You want to be able to know what it is they are doing
>   in your system and make them accountable for their actions.
> - "Harden" your operating systems. If using NT, run the C2 configuration
>   utility from your Resource Toolkit. On Sun Solaris operating systems,
>   consider stripping out unnecessary commands like the "r commands" or
>   "tftp" if not essential to business operations.
> - Restrict the number of "share" drives or directories as well as how many
>   users can see files in those shared resources.
> - Implement Access Control Lists (ACLs) on your router(s). You can filter
>   activity based upon IP packet criteria. Ensure that router activity is
>   logged and (as with Cisco routers) both levels of access to the router are
>   secured with ID/password access controls.
> - Encrypt your most sensitive information so that only those with a
>   "need-to-know" can decrypt it and read it.
> - Encrypt network traffic between critical or sensitive nodes on your
>   network.
> - Encrypt email if you send sensitive information.
> - Utilize firewalls between critical LAN nodes/file servers/etc. and less
>   secure zones or the Internet. DON'T poke so many holes in your firewall
>   business rules that it becomes essentially "swiss cheese" useless.
> - Purchase security cables and locks to secure your highly portable laptops
>   during business hours. Don't leave laptops out on the desk at night. Lock
>   them up in a drawer or take them home with you.
> - Install disk security and encryption on laptops so that if they are
>   stolen, the sensitive information on them is not compromised.
> - If you can afford to, hire an information security expert to help you
>   build a Security Risk Management Program.
> - Document security procedures and policies. Enforce them. Monitor
>   system/network use to ensure compliance with policy and procedures.
> - Draft up an Acceptable Use Policy (AUP) for email, Internet, and system
>   use.
> - Familiarize and sensitize your staff with security awareness through
>   informational media and some sort of orientation program.
> - Make sure all laptops and home computers have the same protection as
>   business PCs so employees don't take hidden risks to work with them.