Safe Surfing

Cyber-Sierra Workshop 2002: Security Issues

Safe Surfing
| Index | Back Up Basics | Site Security | Safe Surfing |

Using the Web Wisely

The Internet is basically a computer network that would continue to function in the event of a disaster. The Web is known as a client-server system. Your web browser software is the client; the remote computer which stores the data is the server. The glue that holds the Web together is called hypertext and hyperlinks. This feature allow electronic files on the Web to be linked so that you can easily jump between them. On the Web, you navigate through pages of information based on what interests you at that particular moment. This is commonly known as browsing or surfing the Net.

As a web master you'll probably search the Internet for information you can use for your web site. Consequently, your computer is constantly exchanging quantities information with an unknown number of computers. What you really want is to exchange just the amount of information necessary to establish communication between the computers and get the information you requested. No more, no less. You don't want the other computer to poke around in your computer or connect to your office network.

If you are using a dial-up connection, your computer does not have a permanent identifying number. Your ISP (access service) assigns one to your system temporarily whenever you dial up. This makes your system less attractive to hackers and snoopers, but not impossible to find. If you are using one of the fast, always on service connections then your system is much more vulnerable because you do have a permanent assigned location in cyber-space.

CERT has an excellent article that covers all the things you'll need to know about information security at http://www.cert.org/tech_tips/home_networks.html

According to CERT, information security is concerned with three main areas:

Confidentiality - information should be available only to those who rightfully have access to it

Integrity -- information should be modified only by those who are authorized to do so

Availability -- information should be accessible to those who need it when they need it

You wouldn't let a stranger look through your important documents. In the same way, you may want to keep the tasks you perform on your computer confidential, whether it's sending e-mail messages to family and friends or looking for specific web sites. Developing safe surfing habits and protecting your privacy is important.

Protecting your System

1. Use virus protection software

A good antivirus program will provide a high degree of protection from virus threats but only if it's kept up to date. Caution: run only one antivirus program on your system, two may conflict.

2. Use a firewall

Shields Up is an on-line means of checking your system's vulnerability. There is also a ton of information there on security topics and how to protect your system. Zone Alarm is an award winning firewall program. I myself use the purchased pro version. Many newer computer systems come with a firewall program installed.

3. Don't run programs of unknown origin

Like shareware? So do I. But scan any downloaded software for viruses before installing.

4. Keep all applications (including your operating system) patched

It's just one of those endless nuisance tasks that can save the day. Schedule it and Do it!

5. Turn off your computer or disconnect from the network when not in use

Nobody can hack into your system if you unplug the phone or access line connection.

6. Make regular backups of critical data

The emphasis here is on REGULAR!

7. Consider encrypting certain files or setting up passwords to portions of your system.

There are a number of good encryption programs available, just don't lose your passwords or you might as well have blitzed the drive.

8. Make a boot disk in case your computer is damaged or compromised

BOOT Disk - you know, what the computer book recommended you do after you unpacked your new system? Check under the Windows Control Panel and you'll find the 'Add New Software' section. One of the tabs is 'StartUp Disk'. Make one.

Protecting Yourself while On-line

1. Establish another e-mail address for use with news groups and 'strangers'

Yahoo.com, and others offer free web addresses. This works pretty well, although my quota of junk mail shot up in my personal mailbox after getting a web-based mailbox.

2. Surf anonymously.

If you've had trouble, consider anonymous surfing, particularly with IE browsers.

3. Don't open unknown e-mail attachments

Simply don't open them. Period.

4. Disable hidden filename extensions

Windows is set by default to not show common filename extensions. You want to make sure you see all the details because the trouble arises from false extensions like image.gif.vbs.

5. Disable scripting features in e-mail programs

Set your e-mail to read just plain text. HTML pages can carry spybugs. And set your e-mail program to disable VBS type files. Do not have your e-mail program set to automatically open files.

6. Disable Java, JavaScript, and ActiveX if possible

Each browser has setting that you can adjust. Simply uncheck the most high risk browsing features during high risk times. It does change your viewing experience. Play with the settings to find the one that fits your viewing needs best.

7. Use mail screener techniques during high virus threat times

Web sites like Mail2Web.Com allow you to view your mail and discard it without downloading it. This is very handy for determining what huge file is taking so long to download, or to dump suspicious mail. Keep in mind that you still shouldn't open attachments. Opening is opening.

You can also consider programs like Mailwasher to bounce spam. Set your hosting service to screen out most of the spam.

Avoiding Adware, and other Snoops

A recent irritating development on the web is spyware. Shareware is often ad supported. Ads in free software is fine as long as you know that's what you are getting along with the program. Popular e-mail client Eudora is ad supported in it's free version and they tell you so when you download it. So some kinds of adware are fine.

Spyware, on the other hand, is when a program reports back to the advertiser about your surfing habits every time you go on-line, and they didn't tell you they were going to do this when you got the program. Think you don't have any? Guess again. I had 26 little beasties in my system busily reporting. You can remove these threats to your privacy.

Lavasoft's Ad-Aware Remover

Ad-Aware will safely remove all sorts of spyware programs you may have innocently downloaded into your system along with shareware..

SpyChecker

A database of known spyware/software titles and how to get rid of them.

Identity Theft and On-line Shopping

Identity theft is more of an offline problem. Identity Theft Resource Center can inform you on ways to protect yourself.

Here's some sensible precautions for blocking ID Theft:

Make a copy of your wallet contents:

Place the contents of your wallet on a photocopy machine,do both sides of each license, credit card, etc. You will know what you had in your wallet and all of the account numbers and phone numbers to call and cancel. Keep the photocopy in a safe place.

We've all heard horror stories about fraud that's committed using your name, address, SS#, credit, etc. Unfortunately a friend had firsthand knowledge, because her wallet was stolen last month and within a week the thieve(s) ordered an expensive monthly cell phone package, applied for a VISA credit card, had a credit line approved to buy a Gateway computer, received a PIN number from DMV to change her driving record information online, and more.

In case of ID Theft:

Cancel your credit cards immediately. The key is having the toll free numbers and your card numbers handy so you know whom to call. Keep those where you can find them easily.

File a police report immediately in the jurisdiction where it was stolen, this proves to credit providers you were diligent, and is a first step toward an investigation (if there ever is one).

Call the three national credit reporting organizations immediately to place a fraud alert on your name and SS#. This is perhaps most important. Application for credit can be made over the Internet in your name if they have some verifying data stolen from you. The alert means any company that checks your credit knows your information was stolen and they have to contact you by phone to authorize new credit.

You might also consider one of the new credit watch services from Equifax which will monitor your credit report activity for an annual fee.

Additional recommended actions

Contact all creditors, by phone and in writing, to inform them of the problem.

Alert your bank to flag your accounts and to contact you to confirm unusual activity.

Request a change of PIN and new password on existing credit cards/ATM or debit cards if you believe your existing accounts have been wrongfully accessed.

Keep a log of all contacts and make copies of all documents.

Contact the Social Security Administration’s Fraud Hotline, 1-800-269-0271.

Contact your state office of the Department of Motor Vehicles to see if another license was issued in your name. If so, request a new license numberand fill out the DMV’s complaint form to begin the fraud investigation process.

Credit Agency Report fraud Web site

Equifax (800) 525-6285 www.equifax.com

Experian (888) 397-3742 option 2 www.experian.com/consumer/index.html

Trans Union (800) 680-7289 www.tuc.com

Social Security
Fraud Line 1-877-438-4338 www.ssa.gov/pubs/10064.html

Shopping on-line isn't really any more dangerous than shopping in a store or eating out. You should however, take some sensible precautions when shopping on-line by using such things as a temporary account number for a specific transaction. Visa has taken steps to slow abuse by adding a PIN number requirement to transactions.

Always be sure to use a Verisign authenticated site, and make sure you are actually in a 'secure' mode during the secured transaction (the lock symbol in your browser looks locked). And don't forget to print out a receipt for yourself. Plus you might consider enabling yourself to look at your credit card transaction records on-line - and on a regular basis. That way if something funny is going on you'll find out sooner rather than later.

More Information:

The usual disclaimer - mentioning a product doesn't mean I am 'recommending' it.

CERT Home System Security

Covers the basics in plain english.

Gibson Research

Home of Zone Alarm, you can find out all you ever wanted to know about security, spyware, denial of service attacks and test your system firewall, too.

Zone Alarm

Personal firewall program.

Shields Up

Test your system vulnerability.

Anonymizer

Designed to be used with IE, it will allow you to surf without divulging information.

Mailwasher

Mailwasher is an e-mail viewer with a bounce-back feature that may get you off some spam lists.

Lavasoft's Ad-Aware Remover

Ad-Aware will safely remove all sorts of spyware programs you may have innocently downloaded into your system along with shareware..

SpyChecker

A database of known spyware/software titles and how to get rid of them.

Evidence Eliminator

For the truly paranoid, a way to munch up all those secret files in your computer. It's one of many of this type of file munching programs, which I am sure the bad guys as well as the good guys know about.

ID Theft

The Federal Trade Commision is a one-stop national resource to learn about the crime of identity theft. It provides detailed information to help you deter, detect, and defend against identity theft.