Not long ago, computer viruses were the biggest problem personal computer users had to contend with. However, these days most computers run some sort of antivirus programs and most e-mail systems have built-in scanners to slow down e-mail-borne viruses. The emerging problem in the last year or two has been spyware.
The more serious varieties of spyware may search for modems attached to the user's
computer and then attempt to make telephone calls to pay-per-use services,
usually located in the Caribbean or Eastern Europe.
Or they may turn the user's computer into a "zombie" that can then be used to
send out spam e-mail or to mount co-ordinated "denial of service" attacks
against web sites that refuse to pay cyber-extortionists.
The worst variety installs backdoors that allow hackers access to the computer or
install "keyboard loggers" that quietly monitor passwords used by the user to
access secure systems, including office computers and online banking sites.
Apart from the obvious security risks, spyware uses memory and resources (including
bandwidth used to access the Internet). It may therefore impair the proper
function of PCs by slowing down their operation or causing conflicts with other
software and adversely affecting system stability.
Compared to computer viruses, spyware is harder to guard against, even in a corporate
environment. The use of anti-virus scanners on the firm's e-mail system, even
combined with good Internet use policies that prohibit users from downloading
or installing unapproved software programs, won't provide full protection.
In some cases, a computer can be infected simply by visiting a compromised web
site containing code that exploits security holes contained in the browser or
operating system. Also, most organizations have little control over their
staff's home computers. An infected home computer can then be used to steal
passwords for accessing company or firm resources remotely.
Computers, both at work and at home, need to be updated promptly with security and
critical updates issued for the operating system and application programs.
Personal firewall programs that monitor and control both incoming and
outgoing traffic (such as ZoneAlarm Firewall) should also be installed on each
computer. This should be done even if the network that the computer is attached
to is protected by a firewall or router (because the primary purpose of such
routers is to protect computers from outside attackers, not to monitor whether
hidden programs are trying to send personal data to the outside world).
Anti-spyware programs (such as Spyware Doctor, Ad-Aware, Spy Sweeper and Spybot Search and
Destroy) should also be installed on each computer. While some anti-virus
programs (such as McAfee Antivirus or Norton Antivirus) and some personal
firewall programs (such as Outpost 3.0 and ZoneAlarm Internet Security Suite 6)
now include built-in anti-spyware components, no one program is 100-per-cent
In addition to the digital armour provided by the software programs described
above, safe computing practices are also critical. Avoid installing unknown
software and stay away from hacker-type web sites (such as those offering
infringing software or music downloads). Safe computing also means keeping a
separate computer at home, one that the kids in the house are prevented from
using, to access corporate systems (or online banking resources).
The financial services industry has also singled out spyware as a big problem.
Although still in the minority, a significant percentage of Internet users have
become so concerned about spyware and online fraud that they have stopped using
online banking facilities and/or have reduced their online purchasing
the Federal Financial Bank Examination Council sent banks a letter in early
October notifying them that they will be expected to adopt some form of
"two-factor" authentication by the end of 2006. With two-factor authentication,
customers must confirm their identities not only by providing something they
know, such as a PIN, but also with something they physically have, such as a
hardware token that displays numeric codes which change every minute or
one-time passwords on scratch-off cards.
According to the FBEC, the use of single-factor authentication is inadequate for
high-risk transactions involving access to customer information. Although its
requirements apply only to U.S.
financial services companies, it is to be hoped they will have an influence on
Canadian financial services regulators.
Alan Gahtan is an information technology lawyer admitted in Ontario.
His web site is www.gahtan.com/alan