A Terroristic Divorce

Attempt to spy on worker at Akron hospital backfires; Man faces prison for e-mail infected with spyware

By Peter Krouse, The Plain Dealer

December 20, 2009, 10:56AM

If you ever had the urge to download one of those software programs that lets you spy on someone else’s computer, consider first the case of Scott Graham of Avon Lake.

Early last year, Graham, a cardiac surgical technician at University Hospitals in Cleveland, wanted to sneak a peek at the online activity of a woman he knew.

So he sent an e-mail to her personal Yahoo! account with an attachment that would unleash spyware when opened.

The spyware, legally purchased on the Internet, was designed to capture e-mails and screen shots from the infected computer and forward them to a stealth e-mail account Graham could peruse without anyone knowing.

But Graham got more than he expected when the woman, an employee of Akron Children’s Hospital, opened the e-mail attachment on her work computer instead of her personal computer as Graham had figured.

Graham was soon receiving hospital files, including more than 1,000 screen views, most containing confidential information about medical procedures and diagnostic notes for specific patients. He also received personal e-mail and financial records of four hospital employees.

The surreptitious flow of information went on for nearly three weeks before complaints of slow-acting computers led hospital personnel to discover the spyware, hospital officials said.

The FBI was contacted and Graham ultimately pleaded guilty to a felony, intercepting electronic communications, in U.S. District Court. He faces possible prison time when sentenced early next year, although probation is also possible.

Graham’s case raises questions. How could a hospital’s security be breached with a legal product? And how many other people might be trying something similar?

Most institutions like hospitals and schools have tools in place to protect their computers from viruses and other malicious software. At the time of the breach, Akron Children’s Hospital was doing a systemwide upgrade that included installation of a firewall on all workstations that would have kicked out the spyware, hospital executive Shawn Lyden said.

The firewall was installed but had not yet been activated on the two computers used to open Graham’s e-mail attachment, Lyden said.
“As a result of this, it was activated immediately,” he said.

Lyden said none of the files received by Graham were used to compromise patient privacy. “Clearly, Graham had no intention of accessing hospital information,” he said.

Attorney Ian Friedman said his client sent the e-mail to investigate allegations the woman had made about certain doctors and professionals in their industry. Court documents describe the woman as someone who had a previous relationship with Graham, but they do not offer additional details.
Friedman thinks a lot of people may be operating under the false assumption that using legally purchased spyware in the way Graham did is OK.

“This case may be a sign of more to come,” Friedman said, “but to date this has not been a common prosecution.”

Spyware that runs on Microsoft Windows operating systems has been around for nearly two decades, with 10 to 20 companies still developing it in the United States, said Eric Howes, director of research services at Sunbelt Software, a Florida producer of anti-spyware and anti-virus software protection.
Graham purchased his spyware from SpyTech Software and Design Inc. of Red Wing, Minn.

The company’s Web site states its products are legal as long as those buying the software install it on a computer they own.

SpyTech founder Nathan Polencheck said he helped the FBI catch Graham after being contacted last spring. The vast majority of people who buy the company’s software use it legally, including parents keeping track of their children’s computer habits and employers worried about improper Internet browsing on company time, Polencheck said.

Howes believes that might be an exaggeration, “but the bottom line is no one really knows,” he said.

While SpyTech software has legitimate uses, a product that can be installed remotely and without a target’s knowledge lends itself to unlawful uses, he said.

But there’s plenty of blame to go around, he said. While Akron Children’s Hospital had the proper protective software on its computers, it doesn’t do any good unless it’s turned on.

“Lesson to be learned there: Don’t have gaps in coverage,” Howes said.

He also faults Graham’s victim for opening the attachment.

It’s been nearly a decade since the infamous “I Love You” computer virus, he said, and “we still have users blindly clicking attachments that they don’t know what it is.”

He said even something sent from a legitimate e-mail address could have been maliciously sent by somebody else.

The e-mail attachment sent by Graham was labeled “InCaseYouHadDoubts.zip.” It was empty except for the undetectable spyware, Lyden said. It infected a second computer after the woman tried to open the attachment on that machine, too.

Lyden said the hospital has made it “crystal clear” since the incident that employees are not to access personal e-mails at work. The hospital spent $33,000 to hire a company to investigate the breach.

Polencheck said that since the Graham case he has enhanced one of his products, Realtime-Spy, so a message box pops up on the target’s computer when it’s being installed.

“Now the user has to confirm the installation so you can’t do it sneakily anymore,” he said.

But there are plenty of other spyware products out there for computer users to be concerned about. And for every fix that’s created, a pathway around it is designed, which means computer users must be diligent about keeping their virus and spyware protection updated.

“We are processing several gigabytes of new malicious software every day,” Howes said. “That’s how fast this stuff is coming out.”

It is remarkable that Eric from SUNBELT SOFTWARE neglected to mention that the CEO of SUNBELT SOFTWARE, Alex Eckelberry, is directly involved in the Anti-Spyware Coalition which informs the anti-virus/anti-spyware/anti-malware companies to ignore programs like these.
See www.antispywarecoalition.com

Read elsewhere on my site how in February 2008, Alex Eckelberry CAUSED my identity theft when he published my personal data to his blog. he then pretended he didn;t cause the issue, because according to him, Eric told him it was ok. THERE IS A MUCH BIGGER FRAUD AT WORK HERE.