These two guides are designed to help you understand security and
privacy issues while connecting to the web and the Internet and to give
you things you can do to improve both.
If you want to prevent web sites from collecting information automatically about you and your computer, software, provider, and previous sites, you can use anonymizer sites to protect this information from being passed along. See Wikipedia's Anonymizer page for more help with this.
What are cookies, and should you disable them?
If you clicked on the NY Times link above, and it was your first visit there, you were asked to register and provide some information. If it was not your first visit and you had already registered, you were probably not asked to register again. How could they tell that you were a repeat visitor? The answer is that they planted a cookie on your system with information about you. When you connected, your cookie files were checked to see if you were a registered user, and if you had elected to store your username and password in the cookie. This is an example of a persistent cookie, which remains on your system for a long time. Only the service that installed the cookie has access to it (besides yourself). It is either in a cookies.txt file on your browser's disk drive or in a separate file of its own. Cookies may or may not be encrypted.
Many ISPs use another type of cookie to keep track of logins. They can use a non-persistent cookie that remains in RAM, not on disk, while you are connected. If you are a registered member of an ISP, you must log in with your username and password the first time you access parts of the service that are for members-only (this page isn't one of those). Unless you have told your browser not to accept cookies, which is an option you have, you can continue to visit members-only parts of the service until you close your browser and the cookie goes away.On the other hand, if you tell Delphi to remember your password, it is stored in a persistent cookie, and you don't have to retype it each time. If you refuse cookies, every new page you visit for members only will ask you to log in again with your username and password. The cookie makes it easier for you to get around, and no one but you and the service can access the cookie.
Cookies are very common and are used to simplify navigation for you and identify you to the site you are visiting. A cookie can store quite a bit of information about you, and release it again each time you visit the site that generated it. A NOTE OF CAUTION: The site that generates the cookie isn't necessarily the site you are visiting. In some cases, cookies may be generated by another site, such as an advertising agency, that is providing services for a number of web sites. In this situation, the cookie-generating site may collect information on you any time you visit any of its sites. It won't know your identity (unless they can cajole you to fill out a form), but it will know your habits.
For a much more thorough explanation of cookies, see the Cookie FAQ at cookiecentral.com.
Should you disable cookies on your system? It is a personal judgment to make, just as it is your judgment how much information to give out about yourself as you visit web sites. Personally, I allow cookies to do their thing, but I am very careful about the information I give out and where I give it. i won't fill out a form full of personal information to get a one in a million chance of winning a prize, for example.
What information is already on the web about you?
Are your name, address, and phone number already on the web? Most people's are!
The information in printed white pages telephone books is in the public domain, and services like Switchboard have compiled the information into their databases. They will generally remove them, if you ask to be removed. There are a number of similar services.
That was the easy part. Is there other information about you on the web? Try searching for your name in Google. Put double-quote marks around your first and last names (for example, "Walt Howe")
Did you find anything interesting?
That is a quick look at the public sources with information about you. Whether you found anything or not, there still may be a lot more information about you that isn't as readily available. There are commercial databases available through the nets that are available for a fee to "qualified" businesses or individuals. Your social security number and credit rating are just two of the items that can be found on commercial databases.
Is e-mail secure?
The security breach at Microsoft's hotmail that we mentioned in our introduction was a worst case situation. For a few hours, anyone who learned the URL trick or accessed the hacker web site that automated it could access any hotmail account and see the contents. The security hole was plugged, but there may be others out there, and e-mail isn't very secure anyway.
Whenever you send e-mail, it is relayed through successive sites, and is theoretically accessible to a couple of dozen or so postmasters and system administrators, who have access to everything that passes through their machines. As a practical matter, so many thousands of messages pass through their machines that the chances of anyone looking at any particular message is pretty small (unless NSA or the FBI have targeted you).
If you are using an e-mail account on your employer's system, the courts have said that employers have a right to monitor e-mail on their systems. You probably run a somewhat higher risk of e-mail being read than you would with a large commercial provider.
On the other hand, suppose you have attracted the attention of an employer or law enforcement authorities for some reason. It is relatively easy to set up "sniffer" software to monitor every word of every message looking for your name or for certain keywords or combinations of words and to forward all such messages for special attention. If the organization's security isn't good and tight (many places aren't), it is also possible for hackers outside the system to set up "sniffer" software in an e-mail system, too.
What this all adds up to is that unless you have reason to be a particular target, you chances of having mail intercepted and read is very small, but still exists. As a rule, don't say anything in e-mail that you wouldn't want to see stuck up on a public bulletin board. If you can't accept that, consider encryption. It takes some extra effort to set up, but good, secure encryption is available in the United States and Canada.
Are credit cards safe to use on the net?
From the preceding discussion of e-mail vulnerability, you might not want to send credit cards numbers through e-mail. What about using credit cards with web sites? There was a news story last year about a hacker who retrieved a credit card number list from a web site's computer and sent the card numbers to the owners of the cards to show them how insecure the net is.
But you take similar risks every time you give your credit card to a stranger in a store or restaurant or over the phone? You take a risk every time you throw your credit card slips out in the trash? You risk giving away your credit card number every time you use it. The risks of using credit cards on the nets are probably less than every day usage, and the banks generally cover any losses anyway.
The public has been slow to trust credit card use online, and that is one major thing that is holding up large scale electronic commerce.
Many sites provide servers that operate in a secure mode with your browser to let you send information in safe encrypted form through the web now. The major credit card companies have agreed on standards for secure transmission of credit cards.
Will increased security enable the long predicted boom in electronic commerce? Not by itself. One more thing is needed, and that is a micropayment system. Many things are being offered free on the nets today with the expectation that eventually very small amounts can be charged for them--that people will pay a few cents or even fractions of cents to access information online that is free now, but costs more than a few cents offline. If micropayments were tried with today's systems, it would probably cost much more to process them than the payments themselves. These problems can be solved with good system design, the experts say, When micropayments systems succeed, perhaps then, the economic predictions can be realized.
What information do you give away with Facebook, Twitter, newsgroups and e-mail discussion lists?
Everything you post to Facebook and other social media is potentially readable throughout the world. Furthermore, your posts are archived by search engines like Google and can be searched for anytime. The places you elect to post to are an expression of your interest areas and tell a lot about you. Facebook suggests you use their privacy functions to limit who can read your posts, but they keep changing the rules and the methods, and many people never catch up. It is very important to stay up to date on their privacy controls and use them.
Is there spyware or adware planted on your computer?.
Spyware is software planted on your computer to harvest and forward information about you to others outside your system. The information collected can range from a survey of your surfing habits passed along to advertisers and marketers to the passwords and credit card numbers you type passed along to crackers who will exploit it. The software can be planted through Trojan horses received in e-mail or even included in software you obtain and install for other purposes, such as Gator, Gozilla, products from Brilliant Digital, and freeware versions of CuteFTP. Many free game demos now include spyware embedded in them.
Spyware used to support advertising is often called adware. Another common name for these hidden programs with a hidden purpose is scumware.
To defend yourself against spyware, adware, and scumware, always maintain current anti-virus software on your system, and be very careful about installing software from unknown sources. Check out independent reviews before installing. Note that anti-virus software will not necessarily detect spyware.
Another disturbing trend in scumware is planting software that not only serves you ads, but uses your computers own unused processing power -- and that of many other unsuspecting people -- to support its own intensive processing tasks. This kind of capability has been used openly on a voluntary basis for such things as the worthwhile SETI project, but harnessing your computer deceptively for commercial purposes is about as low as you can get.
Spyware planted by advertisers is quite common. If you seem to be seeing an unusal amout of pop-up ads unrelated to the sites you visit, your system may be inviting them through spyware. Consider getting the free Ad-Aware software to check your system. I thought I protected my system well, but when I ran this software the first time, I found a dozen plants on my system from such sources as Adware, Doubleclick, and Flyswat.
Webroot Spysweeper is another good program that I have used.
HijackThis is another powerful program for removing scumware, but use it with extreme caution. It can indiscriminately remove good software, too.
- Security Guide. Learn how vulnerable you are to intrusion by hackers and crackers and what steps you can take to protect yourself.Are you safe from crackers and hackers on your home or office system? If
you use a dial-up connection, you probably are reasonably safe. If you
use a full time network connected to the Internet or use a full time
connection like cable modem or Digital Subscriber Line (DSL), you may be
quite vulnerable.. At any time, thousands of automated programs are
running on the Internet just looking for vulnerable computer systems. As
a result, your computer is probably being probed repeatedly during the
day. In the day before I wrote this, I had probes blocked by my firewall
software from Chile, two sites in China, a Korean elementary school
(what are they teaching there, anyway?), Norway, California, and
Washington state.
You can test your own system's security using the Shields UP
web site. If it shows you that your system is vulnerable, consider
reconfiguring your system to prevent intrusions (the Shields UP site
will help) or installing good firewall software.
Another site to check your system security is Symantec's Security Check.
A firewall refers to the concept of a security interface or gateway between a closed system or network and the outside Internet that blocks or manages communications in and out of the system. The security may be provided by passwords, authentication techniques, software, and hardware. In particular, I recommend the free AVG Anti-Virus for protecting a personal Windows system or the Norton Internet Security package. Many ISPs provide a free security package these days. If you have a home network and a router, your router provides another type of firewall for you. Make sure you use its security features, including wireless encryption.
- Privacy on the Internet. Learn what information about yourself is available on the World Wide Web and Internet and what steps you can take to better protect yourself.
- Introduction.
We are in the midst of the Information Era! There has been an enormous information explosion,
and the mushrooming popularity of the Internet and its World Wide Web puts huge amounts of
information right at your fingertips. How much of that information is about you? Are you
concerned about it?
Some of the threats to privacy have been widely publicized. NSA is accessing Internet communications all over the world. The Federal Government wants the FBI to be able to access any one's PC. Amazon has been sharing customer information with others in their "purchase circles". Several years ago, a major security hole was revealed in Microsoft's Hotmail service that allowed anyone to view any hotmail member's mailbox by using a correctly configured URL that included the username, but not the password.
If you are running a business, you probably want information to be easily accessible about your products or services. You don't want potential customers to look elsewhere because they could not locate information about your business. Possibly you want your name to be readily recognizable, too. It may enhance your career standing. But what about your personal telephone number? Or your personal home address? Do you want your e-mail address to be accessible to all? Do you want just anyone to know about your personal interests? What information would you expect to remain private and unavailable to anyone with an Internet account? Are your expectations realistic, and what can you do about it? This page will give you some answers.
What information do you give away while web surfing?
When you visit a web site, some information is automatically available: - who your provider is
- where it is located
- what site you came from
- what software you are using.
If you want to prevent web sites from collecting information automatically about you and your computer, software, provider, and previous sites, you can use anonymizer sites to protect this information from being passed along. See Wikipedia's Anonymizer page for more help with this.
What are cookies, and should you disable them?
If you clicked on the NY Times link above, and it was your first visit there, you were asked to register and provide some information. If it was not your first visit and you had already registered, you were probably not asked to register again. How could they tell that you were a repeat visitor? The answer is that they planted a cookie on your system with information about you. When you connected, your cookie files were checked to see if you were a registered user, and if you had elected to store your username and password in the cookie. This is an example of a persistent cookie, which remains on your system for a long time. Only the service that installed the cookie has access to it (besides yourself). It is either in a cookies.txt file on your browser's disk drive or in a separate file of its own. Cookies may or may not be encrypted.
Many ISPs use another type of cookie to keep track of logins. They can use a non-persistent cookie that remains in RAM, not on disk, while you are connected. If you are a registered member of an ISP, you must log in with your username and password the first time you access parts of the service that are for members-only (this page isn't one of those). Unless you have told your browser not to accept cookies, which is an option you have, you can continue to visit members-only parts of the service until you close your browser and the cookie goes away.On the other hand, if you tell Delphi to remember your password, it is stored in a persistent cookie, and you don't have to retype it each time. If you refuse cookies, every new page you visit for members only will ask you to log in again with your username and password. The cookie makes it easier for you to get around, and no one but you and the service can access the cookie.
Cookies are very common and are used to simplify navigation for you and identify you to the site you are visiting. A cookie can store quite a bit of information about you, and release it again each time you visit the site that generated it. A NOTE OF CAUTION: The site that generates the cookie isn't necessarily the site you are visiting. In some cases, cookies may be generated by another site, such as an advertising agency, that is providing services for a number of web sites. In this situation, the cookie-generating site may collect information on you any time you visit any of its sites. It won't know your identity (unless they can cajole you to fill out a form), but it will know your habits.
For a much more thorough explanation of cookies, see the Cookie FAQ at cookiecentral.com.
Should you disable cookies on your system? It is a personal judgment to make, just as it is your judgment how much information to give out about yourself as you visit web sites. Personally, I allow cookies to do their thing, but I am very careful about the information I give out and where I give it. i won't fill out a form full of personal information to get a one in a million chance of winning a prize, for example.
What information is already on the web about you?
Are your name, address, and phone number already on the web? Most people's are!
The information in printed white pages telephone books is in the public domain, and services like Switchboard have compiled the information into their databases. They will generally remove them, if you ask to be removed. There are a number of similar services.
That was the easy part. Is there other information about you on the web? Try searching for your name in Google. Put double-quote marks around your first and last names (for example, "Walt Howe")
Did you find anything interesting?
That is a quick look at the public sources with information about you. Whether you found anything or not, there still may be a lot more information about you that isn't as readily available. There are commercial databases available through the nets that are available for a fee to "qualified" businesses or individuals. Your social security number and credit rating are just two of the items that can be found on commercial databases.
Is e-mail secure?
The security breach at Microsoft's hotmail that we mentioned in our introduction was a worst case situation. For a few hours, anyone who learned the URL trick or accessed the hacker web site that automated it could access any hotmail account and see the contents. The security hole was plugged, but there may be others out there, and e-mail isn't very secure anyway.
Whenever you send e-mail, it is relayed through successive sites, and is theoretically accessible to a couple of dozen or so postmasters and system administrators, who have access to everything that passes through their machines. As a practical matter, so many thousands of messages pass through their machines that the chances of anyone looking at any particular message is pretty small (unless NSA or the FBI have targeted you).
If you are using an e-mail account on your employer's system, the courts have said that employers have a right to monitor e-mail on their systems. You probably run a somewhat higher risk of e-mail being read than you would with a large commercial provider.
On the other hand, suppose you have attracted the attention of an employer or law enforcement authorities for some reason. It is relatively easy to set up "sniffer" software to monitor every word of every message looking for your name or for certain keywords or combinations of words and to forward all such messages for special attention. If the organization's security isn't good and tight (many places aren't), it is also possible for hackers outside the system to set up "sniffer" software in an e-mail system, too.
What this all adds up to is that unless you have reason to be a particular target, you chances of having mail intercepted and read is very small, but still exists. As a rule, don't say anything in e-mail that you wouldn't want to see stuck up on a public bulletin board. If you can't accept that, consider encryption. It takes some extra effort to set up, but good, secure encryption is available in the United States and Canada.
Are credit cards safe to use on the net?
From the preceding discussion of e-mail vulnerability, you might not want to send credit cards numbers through e-mail. What about using credit cards with web sites? There was a news story last year about a hacker who retrieved a credit card number list from a web site's computer and sent the card numbers to the owners of the cards to show them how insecure the net is.
But you take similar risks every time you give your credit card to a stranger in a store or restaurant or over the phone? You take a risk every time you throw your credit card slips out in the trash? You risk giving away your credit card number every time you use it. The risks of using credit cards on the nets are probably less than every day usage, and the banks generally cover any losses anyway.
The public has been slow to trust credit card use online, and that is one major thing that is holding up large scale electronic commerce.
Many sites provide servers that operate in a secure mode with your browser to let you send information in safe encrypted form through the web now. The major credit card companies have agreed on standards for secure transmission of credit cards.
Will increased security enable the long predicted boom in electronic commerce? Not by itself. One more thing is needed, and that is a micropayment system. Many things are being offered free on the nets today with the expectation that eventually very small amounts can be charged for them--that people will pay a few cents or even fractions of cents to access information online that is free now, but costs more than a few cents offline. If micropayments were tried with today's systems, it would probably cost much more to process them than the payments themselves. These problems can be solved with good system design, the experts say, When micropayments systems succeed, perhaps then, the economic predictions can be realized.
What information do you give away with Facebook, Twitter, newsgroups and e-mail discussion lists?
Everything you post to Facebook and other social media is potentially readable throughout the world. Furthermore, your posts are archived by search engines like Google and can be searched for anytime. The places you elect to post to are an expression of your interest areas and tell a lot about you. Facebook suggests you use their privacy functions to limit who can read your posts, but they keep changing the rules and the methods, and many people never catch up. It is very important to stay up to date on their privacy controls and use them.
Is there spyware or adware planted on your computer?.
Spyware is software planted on your computer to harvest and forward information about you to others outside your system. The information collected can range from a survey of your surfing habits passed along to advertisers and marketers to the passwords and credit card numbers you type passed along to crackers who will exploit it. The software can be planted through Trojan horses received in e-mail or even included in software you obtain and install for other purposes, such as Gator, Gozilla, products from Brilliant Digital, and freeware versions of CuteFTP. Many free game demos now include spyware embedded in them.
Spyware used to support advertising is often called adware. Another common name for these hidden programs with a hidden purpose is scumware.
To defend yourself against spyware, adware, and scumware, always maintain current anti-virus software on your system, and be very careful about installing software from unknown sources. Check out independent reviews before installing. Note that anti-virus software will not necessarily detect spyware.
Another disturbing trend in scumware is planting software that not only serves you ads, but uses your computers own unused processing power -- and that of many other unsuspecting people -- to support its own intensive processing tasks. This kind of capability has been used openly on a voluntary basis for such things as the worthwhile SETI project, but harnessing your computer deceptively for commercial purposes is about as low as you can get.
Spyware planted by advertisers is quite common. If you seem to be seeing an unusal amout of pop-up ads unrelated to the sites you visit, your system may be inviting them through spyware. Consider getting the free Ad-Aware software to check your system. I thought I protected my system well, but when I ran this software the first time, I found a dozen plants on my system from such sources as Adware, Doubleclick, and Flyswat.
Webroot Spysweeper is another good program that I have used.
HijackThis is another powerful program for removing scumware, but use it with extreme caution. It can indiscriminately remove good software, too.
0 comments:
Post a Comment