Privacy control flawed, says Kaspersky

25 Jul 2007

The privacy control components used in many market-leading security suites are ineffective and misleading, lulling users into a false sense of security, according to a new report issued by Kaspersky Lab.

Nearly all modern security programs include privacy control, a component designed to protect confidential data stored on a PC from unsanctioned access and transmission to third parties, said Nikolay Grebennikov, deputy director of innovative technologies at Kaspersky Lab.

The traditional approach works by asking the user to create a list of all information that he or she considers to be confidential. The protection component of the solution then analyses all outgoing traffic and either ‘cuts up’ or encrypts fragments of confidential data.

However, Grebennikov claimed this approach is ineffective and creates merely an illusion of security. He maintained it was bad security practice to store all confidential information in one place.

He also said that privacy control does not block the transmission of confidential data on secure websites, as they use a protocol that encrypts all data transmitted. This makes it impossible for a third party to analyse the data, so nothing prevents a Trojan from sending confidential data from the victim’s machine within the encrypted stream.

A Trojan is easily able to harvest the majority of passwords and other confidential data from a PC that uses the traditional approach to privacy control, claimed Grebennikov.

Kaspersky Lab advocates an alternative approach to privacy control, one that works as a subsystem of the anti-spyware component and is based on analysing application activity. Such an approach can block both the harvesting of confidential data and the stealth transmission of data via a Trojan to the remote malicious user, it claimed.

Using this methodology, Kaspersky Lab has implemented a new product, KIS 7.0, which analyses the behaviour of all processes within the PC and, if it detects any suspicious activity, either warns the user or blocks the action.

By Niall Byrne