NETANN-L Archives

- NETANN-L - Networkmaine Network Announcement List

NETANN-L@LISTS.MAINE.EDU

From: Garry Peirce <[log in to unmask]>
Date: Wed, 8 Dec 2004 12:20:00 -0500
We will begin blocking traffic to Marketscore effective immediately.

This will cause users attempting to browse the web to be unable to do
so. We are looking at alternative methods to be able to redirect such
users to an informational page.

==============
Marketscore Security Alert

  1. What is Marketscore?
  2. Privacy Issues Concerning Marketscore
  3. Blocking access to Marketscore Proxies
  4. Removing Marketscore Software from Your Computer
  5. Background on How Marketscore Looks at Encrypted Data
  6. Notes


1. What is Marketscore?

The Marketscore service provides Web proxying and caching for secure and
non-secure Web traffic (http://www.marketscore.com), and antivirus
scanning for email. The service is primarily marketed as a way for
computer users to speed up Web access.

2. Privacy Issues Concerning Marketscore

Marketscore introduces an unreasonable intrusion into the secure Web
communications of our users, including access to otherwise secure Web
resources hosted within our network. This is not to imply that
Marketscore is attempting to hide the workings of their software. To
their credit they have outside auditors who verify their adherence to
their privacy policies [2], though end users may want to factor in past
behavior of those auditors as well [3].

Specifically:

a. UNET has an obligation to make reasonable efforts to comply with
established privacy regulations, such as HIPAA for medical information,
FERPA for student records, and Gramm-Leach-Bliley for financial and
customer records. Permitting the use of Marketscore software makes it
more difficult for us to ensure these privacy regulations are met.

b. End users may not be aware that their sensitive data is being
analyzed by a third party. Though detailed in the privacy statement [1],
it is only alluded to on Marketscore's homepage as an "Opportunity to
influence the Internet as a member of our premier Internet research
community".

c. Even access to local resources (PeopleSoft, medical records, student
records, etc.) is routed outside the network and analyzed by this third
party.

d. The use of Marketscore introduces additional points during network
transfer where sensitive data could be misused, or compromised by
attack.

e. Marketscore's use of collected information may change over time.
"Marketscore reserves the right to change the composition, operation and
function of the Marketscore Network at any time and without notice or
liability to you or any third party, provided that Marketscore continues
to give you, our member, a reasonable commercial benefit." [1]


3. Blocking access to Marketscore Proxies

UNET will soon block access to all of Marketscore's proxy servers, which
will prevent computers connected to either the UMS or MSLN networks from
using this service. From outside our network, users would be able to use
Marketscore, but not to access resources within our network.

Users will need to remove the Marketscore software from their computers
to be able to use their Web browsers.


4. Removing Marketscore Software from Your Computer

For those who have installed Marketscore's software on their computer,
instructions are available in the Members area of the Marketscore
website. The software can also be removed by using Add/Remove Programs
in the Control Panel, though this alone may not terminate the user
agreement between the user and Marketscore. Columbia University has also
posted information on how to ensure the Marketscore software is removed
from your computer at
http://www.columbia.edu/acis/security/howto/remove/marketscore.html


5. Background on How Marketscore Looks at Encrypted Data

Secure Web services are usually expected by the end user to be encrypted
end to end, that is, from his or her computer to the remote server. This
is not the case for those using the Marketscore service.

a) The Marketscore installation process installs a new Certificate
Authority (CA) in the trusted root store on the user's computer. From
then on the user's Web browser will accept, without any warning, any
certificate signed by that CA, which is what allows the certificates
presented by Marketscore's proxies to pass.

b) All Web traffic (secure and non-secure) is routed through the
Marketscore proxy servers.

c) When a secure connection is requested (e.g. to a bank, credit card
company, or online shop), a Marketscore proxy server terminates the
connection, keeps the secure site's real certificate on its own side,
and presents the browser with a substitute certificate for that site
issued by the Marketscore CA. The browser accepts the substitute
automatically because of step a) above.

d) The end user sees a "lock" icon indicating a secure connection, which
now represents only the connection from the user's computer to the
Marketscore proxy server. Marketscore is free to decrypt and analyze
the data, then re-encrypt it over its own separate connection to the
final destination (bank, credit card company, etc.). The substitution
is visible only if the user inspects the certificate behind the lock
icon: its issuer will be the Marketscore CA rather than the public CA
that issued the site's real certificate.
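The substitution described in steps a) to d) above, played through with constructed certificates. This is an added example, not part of the original alert and not Marketscore's code. The CA name "Example Interception Proxy CA", the public root "Example Public Root CA" and the host name bank.example are made up for the example; the Go standard library's crypto/x509 chain verification stands in for the browser's certificate check. It also includes the check an administrator would actually want to run: listing any root in a trust store that is not in a known-good baseline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Constructed names for this example; not Marketscore's real CA or any real site.
const (
	publicRootName  = "Example Public Root CA"
	interceptorName = "Example Interception Proxy CA"
	siteName        = "bank.example"
)

// Outcome records what the browser does with each certificate and what an audit finds.
type Outcome struct {
	RealCertAccepted     bool     // the site's own certificate, stock roots only
	SubstituteStockRoots bool     // proxy-issued look-alike, before the proxy CA is installed
	SubstituteProxyRoot  bool     // proxy-issued look-alike, after step a)
	IssuerShownToUser    string   // issuer behind the lock icon, step d)
	UnexpectedRoots      []string // roots present that are not in the baseline store
}

// newCert issues a self-signed root CA for cn when parent is nil, otherwise a server certificate for host cn signed by parent (what the proxy does on the fly).
func newCert(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	t := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	if parent == nil { // root CA: self-signed and allowed to sign other certificates
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage = x509.KeyUsageCertSign
		parent, parentKey = t, key
	} else { // server certificate for host cn
		t.DNSNames = []string{cn}
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER produced just above; cannot fail to parse
	return cert, key
}

// browserAccepts is the check a browser performs: chain to a root in the trust store and be valid for host.
func browserAccepts(leaf *x509.Certificate, trustStore []*x509.Certificate, host string) bool {
	pool := x509.NewCertPool()
	for _, r := range trustStore {
		pool.AddCert(r)
	}
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: pool})
	return err == nil
}

// unexpectedRoots is the audit an administrator can run: roots in the trust store that are not in a known-good baseline.
func unexpectedRoots(trustStore, baseline []*x509.Certificate) []string {
	known := map[string]bool{}
	for _, c := range baseline {
		known[string(c.Raw)] = true
	}
	var extra []string
	for _, c := range trustStore {
		if !known[string(c.Raw)] {
			extra = append(extra, c.Subject.CommonName)
		}
	}
	return extra
}

// Demonstrate plays through steps a) to d) with the constructed certificates.
func Demonstrate() Outcome {
	publicRoot, publicKey := newCert(publicRootName, nil, nil)
	proxyRoot, proxyKey := newCert(interceptorName, nil, nil)
	realCert, _ := newCert(siteName, publicRoot, publicKey)  // stops at the proxy (step c)
	substituted, _ := newCert(siteName, proxyRoot, proxyKey) // what the browser receives
	stock := []*x509.Certificate{publicRoot}
	afterInstall := []*x509.Certificate{publicRoot, proxyRoot} // trust store after step a)
	return Outcome{
		RealCertAccepted:     browserAccepts(realCert, stock, siteName),
		SubstituteStockRoots: browserAccepts(substituted, stock, siteName),
		SubstituteProxyRoot:  browserAccepts(substituted, afterInstall, siteName),
		IssuerShownToUser:    substituted.Issuer.CommonName,
		UnexpectedRoots:      unexpectedRoots(afterInstall, stock),
	}
}

func main() { fmt.Printf("%+v\n", Demonstrate()) }
```

Run with `go run`. The substitute certificate fails verification against the stock roots and succeeds the moment the proxy's CA is in the trust store, which is exactly why the lock icon keeps showing; the only observable difference is the issuer name, and a diff of the trust store against a baseline flags the injected root.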


6. Notes:

[1] http://www.marketscore.com/privacy.aspx

[2] External Audit Report of Marketscore by Ernst & Young LLP
(https://cert.webtrust.org/SealFile?seal=383&file=pdf)

[3] Excerpt from Bloomberg News service posting of Apr 16, 2004,
concerning the behavior of Ernst & Young LLP
(http://www.srimedia.com/artman/publish/article_816.shtml):

"Ernst & Young LLP, the third-biggest U.S. accounting firm, was barred
from accepting new audit clients for six months by a U.S. Securities and
Exchange Commission judge.

Ernst & Young's business venture with audit client PeopleSoft Inc.
violated SEC rules that are designed to preserve the independence of
audits, SEC Chief Judge Brenda Murray said in a ruling today.

Murray also ordered Ernst & Young to pay $1.7 million and required the
firm to be overseen by an independent monitor.

The firm ``committed repeated violations of the auditor independence
standards by conduct that was reckless, highly unreasonable and
negligent,'' Murray wrote in a 69-page order. "


Garry Peirce    [log in to unmask]        1-207-561-3539
=============================================
==          Network Analyst                       ==
==  UNET Technology Services, Network Operations ==
===               University of Maine System              ===
=============================================
