Jewish World Review Feb. 16, 2001
Lance Gay

A new bug in computer privacy -- IS someone looking over your shoulder as you surf the Internet, pay your bills or write an e-mail?

It's very possible. New generations of "Web bugs" provide crackers, hackers and other third-party snoopers ways to explore holes in software and even break through computer "firewalls" to access financial statements and other personal data that owners intended to keep off-limits to outsiders.

Engineers at the Pittsburgh-based Internet company Iventurelab, Inc., used a Web bug in a demonstration test on a reporter's computer, part of a Washington, D.C., office network.

Within an hour, they were able to obtain:

The Internet Protocol number, which serves as an Internet address, and can be matched with other data to personally identify the user.

A copy of the initiation sequence of the Windows operating system, detailing the programs on the reporter's computer, and the directories containing information.

The identification of hardware and printers plugged into the computer by brand name and generation.

A listing of subdirectories, giving the outside user access to contact lists, e-mail programs and personal scheduling programs. Iventurelab engineers were even able to find and identify a casino program the reporter had downloaded two years ago for a story on offshore gambling.

The Web bugs come embedded in e-mail messages sent to individual users, inviting them to click on a link that opens an Internet page. But when the animated Internet page is activated, it clandestinely triggers a hidden program included in the e-mail that captures data from the user's computer and sends it back to the original sender.

Kevin Coleman, an adviser to Iventurelab and former chief strategist at the Internet browser company Netscape, said Web bugs can be used to run programs installed on target computers, activate computer microphones or turn on computer cameras.

"It works through firewalls,'' Coleman said.

He said the Web bugs exploit programs built into Web browsers that allow them to function properly when they communicate with one another. The Web bugs evade firewalls because they are triggered by an individual user on a network opening an e-mail. Iventurelab said other methods are also used to exploit computer vulnerabilities and retrieve information.

"It's pretty frightening,'' says Gary Clayton, president of the Privacy Council, who is trying to warn American business that computer systems - even those that built sophisticated firewalls against hacker intrusion - are vulnerable to losing their most sensitive data and financial secrets.

"It's incredibly powerful, and easy to use,'' said Clayton, whose organization works with Fortune 500 companies on Internet privacy issues.

Clayton, a lawyer, said this sort of Internet snooping may not be covered by existing laws banning wiretapping and e-mail interception that were written before the technology was developed.

"It's equivalent to burglary, because you are taking something of value. But it's a stretch of existing law,'' he said.

The Web bugs work better with newer generations of computers that allow Internet pages to be displayed graphically as part of the message. Some versions, used by advertisers, have Web bugs embedded in an Internet page that catches users as they surf, and tracks where they go on the Internet.

Once the snooping program is launched, it allows the snooper to continue to harvest information on what the target computer is doing, and track the computer user clandestinely. It can work like a regular computer virus: if the unwary target forwards it to a friend to look at the Internet page, it can be used to access their computer as well once it is triggered.

"It's not, as people naively believe, that they are protected," said Iventurelab chief executive officer Tommy Wang. Iventurelab engineers have found two Web bugs that stay resident in a user's computer when they are triggered, and track activities on the computer.

Wang said the method could be used to extract the most sensitive inside information that businesses keep on their computers, which would be invaluable to stock traders following the company. Wang's firm hopes to have software available by March 15 to identify Web bugs that might be installed on computers.

He said Congress has to find a way to regulate the computer industry and protect individuals, or people will lose faith in doing business on the Internet. His company did a survey of 50 million Web pages over the Christmas season, and found 15 million of them were involved in tracking visitors. He estimates Internet users these days have a 90 percent chance of being tracked online.

Richard Smith, an Internet privacy consultant now associated with the Privacy Foundation at the University of Denver, agreed the test showed a serious security breach.

He said the ability of using e-mailed bugs to extract the initiation program that starts Windows was particularly serious, since that gives a hacker a diagram of all of the programs on a computer. "That's bad news. They got something they can use,'' Smith said.

He said software manufacturers left many security holes in their products. "It's usually mistakes, or something they weren't thinking carefully about,'' he said.

Software manufacturers have issued patches to close some of the holes, but Smith said users often don't download them. He said operating systems of MacIntosh computers disable some features on Microsoft Windows that hackers can exploit.

Bulgarian computer consultant Georgi Guninski has also found more than 30 "high risk" vulnerabilities in Microsoft Windows programs, many that he details will allow outsiders to gain access and control of computers.

The Congressional Privacy Caucus, a coalition of House and Senate members working on a new Internet privacy bill, is investigating e-mailed Web bugs in preparation for hearings next month.

Jeff Duncan, an aide to Rep. Edward Markey, D-Mass., said congressional staffers earlier this month experimented with e-mailed Web bugs on their Capitol Hill computers, and were alarmed at the information they were able to harvest. The bugs they tested allowed staffers to track e-mail as it was opened, and commented upon.

Rep. Joe Barton, R-Texas, said Web bugs are capable of taking such private information that they ought to be outlawed.

"Do you think the American people want that? As far as I'm concerned, we ought to just put into law an outright ban unless there's some law-enforcement security exception based on a warrant issued by a state or federal judge," Barton said.

Back To The Study