IWS - The Information Warfare Site

Cybersecurity & Consumer Data: What's at Risk for the Consumer?

Subcommittee on Commerce, Trade, and Consumer Protection
November 19, 2003
10:00 AM
2123 Rayburn House Office Building 

Mr. Roger Thompson
Vice President of Product Development
PestPatrol, Inc.
1650 Emerald Ridge
Marietta, GA, 30062

Good morning.

Spyware is silent. It's invisible to the consumer. It allows criminals to steal from them. It arrives uninvited and unwanted. It has not received the attention needed to warn the unsuspecting of these dangers to their personal and confidential information. And, perhaps worst of all, spyware and similar malware problems rob consumers of the confidence needed to make commerce over the Internet inviting, safe and successful.

Every day, we hear horror stories from our customers that illustrate the very real and personal losses caused by the spyware problem. Listen for a moment to just three:

  • Wanda Gilman is a church secretary from Saginaw, Michigan. Like most people, she has received warnings from her anti-virus software about virus attacks, and she thought she was pretty much protected on that front. Unfortunately, it became abundantly clear to Wanda that she needed something more than her anti-virus after she experienced not one but two incidences of identity theft. While neither incident involved more than $1000, it was an uncomfortable feeling for her to have her identity hijacked, and a long and complicated recovery each time around.
  • Michelle Scalero from New Jersey has a home computer that her family shares for online banking and purchasing, as well as enjoying what the web has to offer them and their young children. They were extremely alarmed when they found their PC flooded with explicit teen porn pop-ups caused by a trojan horse program that had been delivered by a piece of spyware they had unknowingly downloaded onto their computer.
  • Barbara Wolski bought a brand new computer that was supposed to be very fast (2.6 GHz), which included a special feature called hyperthread technology to make the processing speed even faster. While her old computer was only 1.2 GHz, it ran faster than the new one. Barbara ran our anti-spyware software on the new machine and found over 5000 pieces of spyware factory-installed on the new machine, all busy "phoning home" information about her - causing the massive slow-down.

None of this needed to happen. And we hear thousands of similarly sad stories all the time. Our customers reported a record number of such incidents this year - more than 60,000 as of the end of last month - and the complaints keep growing.

Here are some numbers to think about as we discuss protecting consumers from spyware:

  • 24 billion dollars. That's estimated identity theft losses in the US from identity theft last year.
  • 73 billion dollars. That's estimated losses from identity theft projected domestically by the end of this year.
  • 9,800 dollars. That's the estimated average "take" from each identity robbery.

These numbers come from the Aberdeen Group, an industry analyst firm that calls identity theft "the crime that pays." Aberdeen also warns that the profits from these crimes are so encouraging that organized crime is becoming a factor.

You may have heard that last week was a dubious anniversary. It's been 20 years since the first virus was created. Through much of my career, I have watched the damage that computer intruders can cause - to every PC user from children at home to senior corporate executives.

My computing career began in Australia (perhaps you recognize the accent) in 1979, where I worked as a mainframe systems engineer. I co-founded the first Australian anti-virus software company, Leprechaun Software, and launched the Virus Buster product back in 1987. After moving to the United States, I started Thompson Network Software, which produced The Doctor range of systems management and security products.

When I became Director of Malware Research at TruSecure Corporation, I was able to focus more closely on the way that different kinds of malware were developing, and the sheer size of the problem was really brought home to me. And now, at my current company, I am working with malware's fastest-growing and most insidious incarnation yet - spyware.

The anti-spyware industry is still in its infancy, but it's proven to me every day from the prevalence data collected by my company that this type of secretive, invasive software is a huge problem for computer users.

Before we can address possible solutions to the problem, however, we need to define what the spyware problem actually is. For me, spyware is any software that is intended to aid an unauthorized person or entity in causing a computer, without the knowledge of the computer's user or owner, to divulge private information.

The industry has begun to make consumers more aware of this threat by banding together. To begin educating the public on spyware and its dangers, we recently co-founded, along with several other anti-spyware software companies, the Consortium Of Anti-Spyware Technology (COAST) group. This non-profit organization is a forum in which members cooperate to increase awareness of the growing spyware problem. We've reached agreement on the definition of spyware, which helps us technology vendors create products that address consumers' concerns.

The dangers of spyware are not always known and are almost never obvious. Usually, you know when you have a virus or worm - these problems are "in your face". Spyware, on the other hand, silently installs itself on a PC, where it might start to take any number of different and unwanted actions. For example:

  • "Phone home" information about you, your computer and your surfing habits to a third party to use to spam you or push pop-up ads to your screen
  • Open up your computer to a remote attacker using a RAT (Remote Access Trojan) to remotely control your computer
  • Capture every keystroke you type - private or confidential emails, passwords, bank account information - and report it back to a thief or blackmailer
  • Allow your computer to be hijacked and used to attack a third party's computers in a denial-of-service attack that can cost companies millions and make you liable for damages
  • Probe your system for vulnerabilities that can enable a hacker to steal files or otherwise exploit your system.

If that doesn't make the computer users on the subcommittee nervous, consider that the holiday online commerce season has already arrived.

During the holiday shopping season, with more and more people shopping online, the potential for identity theft is much greater - shoppers are stressed and distracted, and may not take their usual care in protecting themselves from electronic pickpockets.

No one would allow a silent and hidden burglar into his or her home without a fight. As you saw with the real-world experiences I described earlier, spyware has the potential to ruin someone's Christmas. Like having your wallet stolen, life becomes a bureaucratic nightmare of new identity cards and credit cards. And, ultimately, how do you retrieve your privacy from an unknown and uncaring prowler or corporation using the Internet as a hunting ground?

The anti-virus companies were often accused of hyping gloom and doom to help increase their own sales and profits - that was long ago proven to be unfounded. Today, the billions of dollars lost - in identity theft, transaction hijacking, sensitive information - are compounded by the huge losses to credit card companies that must reissue cards whenever any account has been compromised or even suspected of being compromised. The growing threat is no exaggeration. I think everyone on this panel would agree that a huge portion of damages and tangential damages caused by spyware and malware goes unreported and is unknown.

Something must be done to protect the Wanda Gilmans, Michelle Scaleros and Barbara Wolskis, who only want to conduct their online activities and purchases with the peace of mind of knowing they can do so safely. H.R. 2929, the Safeguards Against Privacy Invasions Act, is a powerful step in this direction. In person, consumers have the choice not to answer address, phone and email address questions when they go shopping. Why shouldn't on-line shoppers have the same choice to say no to spyware?

As a representative of my company and as a person who has devoted my working life to malware eradication, I urge you to pass the SPI Act.

Thank you.

Roger Thompson
VP, Product Development
PestPatrol, Inc.

About PestPatrol

PestPatrol, Inc. is a Carlisle, PA based developer of security tools founded in May 2000 by a team of security software professionals to counter the growing threat of malicious non-viral software. The company's founders, Robert C. Bales and Dr. David Stang, were the original founders of the National Computer Security Association (NCSA), later the ICSA and now TruSecure Corporation. PestPatrol was recently ranked the number 1 anti-spyware software by the German magazine PC Professionell. The company was the recipient of the NetworkWorld Category Breaker Award in 2002 for innovative security technology, and in March 2003, the Technology Council of Central Pennsylvania named PestPatrol Growth Company of the Year. Further details about the company may be found at www.pestpatrol.com.