Today’s spyware is sophisticated, cheap and readily available: $100 will buy a program that can record every screen image and keystroke when loaded on a particular computer.
A few dollars more will enable the spyware to be loaded remotely. It may be used to check that staff or children are not accessing inappropriate material. But others may use the same software to steal money, identities and tarnish reputations.
Electronic eavesdropping is growing rapidly and law courts are increasingly having to deal with the consequences. Cases involving celebrities, such as the notorious attempt to use e-mail-borne Trojan spyware to spy on the Jimmy Choo founder Tamara Mellon, make the news but behind the headlines the practice is growing insidiously.
Peter Jenkins, a director of the surveillance training group ISS Training, reckons the use of spyware by private investigators to track e-mail and web activity for their clients has increased threefold in the past year, with special emphasis on keylogggers which record every keystroke the user makes.
There are question marks over the legality of the ways this software is used. Running spyware on your own computer is legal; running it on machines belonging to others is almost certainly not.
Can managers spy on their staff? Martin Baldock, operations director for computer forensics specialist Kroll Ontrack, says that to monitor legally the performance and actions of their employees, managers need to inform their staff regularly that their e-mails and telephone conversations could be monitored. “Surveillance is usually illegal where employees are unaware of it,” he says. “The use of instant messaging is another challenging area; many companies, for example allow this medium for communication to remote branches. While it is possible to store, monitor and search IM, the quantities can be vast.”
Simon Young, head of commercial dispute resolution at Clarion Solicitors, based in Leeds in the UK says industrial espionage is already costing businesses about $200bn a year: “In most cases, trade secrets are stolen by employees from the inside, but with more businesses going online and becoming IT-led, the problem of electronic industrial espionage is a real and growing problem.
“Industrial espionage cases rarely make it into the public eye, as there is little incentive for companies to risk their reputation by revealing their problems.
“Electronic industrial espionage can cause huge reputational damage. In 2003, the US Air Force sued Boeing after it was found that the aeroplane maker had acquired 25,000 confidential documents during a 1998 contract competition. Boeing was forced to issue a public apology, damaging its reputation and also lost more than $1bn in contracts.”
A company’s standing among its internet peers has become a target for cybercriminals. William Beer, Symantec’s European security practice director, says the chief threat to a business is not loss of cash but loss of reputation. “The main risk that I see is not so much the monetary problem. It’s really about reputational risk. If people lose confidence in ways of transacting business online, then we are going to see some serious issues.”
Mr Beer said a new development had been the appearance of small, well-written and very professional pieces of malware designed to attack named individuals rather than the scattergun approach of earlier years.
He said an online attack would be made gradually over several days to avoid triggering security systems. First, the security around the browser would be disabled. Then the entire security suite would be taken down, opening the door to keyloggers and screen scrapers.
Identity theft was the principal aim: “After the criminals have created a new identity, the damage they can do is much more significant”. Significantly, a stolen credit card number raises a few cents; a US social insurance number, key to a new identity, sells for $7, Mr Beer says.
The IT research group Gartner echoes Mr Beer’s view. Jay Heiser, its research vice-president said this month that criminals would soon routinely blackmail companies by threatening to damage their reputation “by ensuring that routine online search requests will return negative or even libellous results.
“If your business depends on a positive internet reputation, then you have little choice but explicitly to manage that reputation online. The internet is like a bad new Petri dish; negative information multiplies and spreads with frightening speed and becomes virtually impossible to erase.”
So how can companies protect themselves against these electronic invaders. Those starting from scratch would do well to seek advice from an organisation such as the Information Security Forum, an international source of best practice.
At a practical level, Mike Greene, chief executive of the US group PC Tools, recommends that both domestic and business users should instal a good counterspyware product: “If you are suspicious that your system has been infected, run the software and it will tell you what’s there and remove it for you. If it’s installed before infection, it will prevent spyware from being loaded on to the system.”
Technology can only do so much, however. Awareness is the key to good security. Mr Beer of Symantec points to the need for an integrated security package comprising intrusion detection, counterspyware and antivirus firewalls.
There is also the equally important need to keep the software up to date. Failure to renew the subscription is an open door to the cybercriminals.