Who’s Watching You?

Preface: This article was the cover story in Security Oz Magazine in July 2002, aimed at a non-IT-expert audience. Obviously much of the information herein is dated; for example, few people reading this would be unaware of what ‘spam’ is. However, it is interesting to note how much is still relevant despite ever-growing public awareness, from avoiding viruses to spam and online behaviour. Many of the sites and tools below have since been taken offline but are left here for posterity.

Most people would never consider for a second leaving the windows and doors of their house unlocked and their alarm disarmed when they leave for work each morning. The same people may, however, connect a computer to a public network such as the Internet without taking basic precautions to protect themselves and others from online abuse or attack.

As the sophistication of computing technology grows, so does the risk of attack. Equally, the complexity of the attacks has increased to such an extent that IT security breaches are no longer a ‘known quantity’ as is commonly the case with regard to armed robbery, theft or fire. Instead, users must protect themselves from a threat they cannot see and may not understand. It is this latter threat that poses the most danger to users trying to maximize security online. Unfortunately, the only system that is truly safe from attack is one which is switched off and unplugged, and has had its hard drive removed. Obviously such a machine, whilst quite safe, is probably unable to meet most users’ computing requirements.

Upon plugging the machine in and installing software however, the risk increases dramatically unless users have protected themselves appropriately. This concept is equally appropriate to large organisations with thousands of servers as it is to single users with only one computer and a modem. As a computer user, you should be aware of your risks and the means by which to mitigate them. In the remainder of this article we will examine some of the most frequently asked questions from users wishing to protect themselves online.

One of the most common questions is: can people track where I go on the Internet and if so, who can track me, how do they track me, what kind of records are they keeping and for what purposes are they being used?

Every device connected to the Internet has a unique numeric IP address such as 212.78.182.155. Whenever a device such as your computer connects to another device and sends packets of data to it, evidence of the source IP address (yours) can be logged with a timestamp and details of what was performed (assuming the server has logging options configured). For example, if you connect to a website, the webserver of the site in question may log details of your visit. These details usually consist only of your IP address, the time and what pages you accessed. It is possible however that extended information including your operating system, browser type, ISP (identified from your IP address) and the site you most recently visited can be logged as well.
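To make the paragraph above concrete, the following added example (not part of the original article) parses web server log lines in the common NCSA "combined" format and shows what a site operator can reconstruct about each visitor. The log lines, addresses and site names are constructed for illustration, and the function names are assumptions.

```python
import re
from datetime import datetime

# NCSA "combined" format:
# host ident user [time] "request" status bytes "referer" "user-agent"
COMBINED = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Constructed sample log (documentation IP ranges, made-up sites and pages).
SAMPLE_LOG = """\
203.0.113.7 - - [14/Jul/2002:09:15:02 +1000] "GET /index.html HTTP/1.0" 200 5120 "http://search.example/?q=home+alarms" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
203.0.113.7 - - [14/Jul/2002:09:15:40 +1000] "GET /products/alarms.html HTTP/1.0" 200 8300 "http://shop.example/index.html" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
198.51.100.23 - - [14/Jul/2002:09:16:11 +1000] "GET /contact.html HTTP/1.0" 200 2210 "-" "Mozilla/4.79 [en] (X11; U; Linux 2.4.18 i686)"
this line is malformed and must be skipped
"""


def parse_line(line):
    """Return the logged fields of one request, or None if the line is malformed."""
    m = COMBINED.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    # "-" means the browser sent no Referer header (typed URL or bookmark).
    rec["referer"] = None if rec["referer"] == "-" else rec["referer"]
    return rec


def guess_platform(agent):
    """Rough operating system guess from the User-Agent string."""
    for token in ("Windows", "Linux", "Macintosh"):
        if token in agent:
            return token
    return "unknown"


def visitor_profiles(log_text):
    """Group requests by source IP: when, which pages, from where, on what."""
    profiles = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # ignore lines that are not in the expected format
        p = profiles.setdefault(rec["ip"], {
            "first_seen": rec["time"], "last_seen": rec["time"],
            "pages": [], "arrived_from": rec["referer"],
            "platform": guess_platform(rec["agent"]),
        })
        p["last_seen"] = max(p["last_seen"], rec["time"])
        p["pages"].append(rec["path"])
    return profiles


if __name__ == "__main__":
    for ip, p in visitor_profiles(SAMPLE_LOG).items():
        print(ip, p["platform"], p["arrived_from"], p["pages"])
```

Note that the first visitor's search terms appear in the log because they were part of the address of the page the visitor came from.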

Most of this information is relatively innocuous but there is an additional possibility. Some sites may give you a ‘cookie’. This is a small file which allows the site to save information about you on your computer so that the next time you visit the site, you are not required to create a username or password login to identify yourself to that system. This is why some sites can greet you by name or recall the contents of a shopping basket if you have previously given them this information.

Cookies are usually intended to be returned to the server that issued them, so that they can see information they previously stored for you. Some sites store cookies which get sent back to them when you visit other sites. This could potentially allow a profile of your web surfing to be built. Ultimately, when you provide useful identifying information (such as your name or email address) to one of these sites, this can all be correlated and a privacy issue certainly arises.
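The cross-site profiling described above can be simulated in a few lines. This is an added example, not part of the original article: the `Tracker` and `Browser` classes, the `vid` cookie name and all site names and addresses are hypothetical. It also shows what changes when the browser refuses the third party's cookie.

```python
from http.cookies import SimpleCookie
from itertools import count
from urllib.parse import urlsplit


class Tracker:
    """Hypothetical third-party server whose banner is embedded on many sites."""

    def __init__(self):
        self._next_id = count(1)
        self.profiles = {}  # visitor id -> {"sites": [...], "email": ...}

    def serve_banner(self, headers, email=None):
        """Handle one banner request and return the response headers."""
        sent = SimpleCookie(headers.get("Cookie", ""))
        response = {}
        if "vid" in sent and sent["vid"].value in self.profiles:
            vid = sent["vid"].value          # returning browser: same profile
        else:
            vid = f"v{next(self._next_id)}"  # unknown browser: new profile
            self.profiles[vid] = {"sites": [], "email": None}
            issued = SimpleCookie()
            issued["vid"] = vid
            issued["vid"]["path"] = "/"
            response["Set-Cookie"] = issued["vid"].OutputString()
        profile = self.profiles[vid]
        # The Referer header names the page that embedded the banner.
        site = urlsplit(headers.get("Referer", "")).hostname
        if site and site not in profile["sites"]:
            profile["sites"].append(site)
        if email:  # a partner site passed on what the user typed into a form
            profile["email"] = email
        return response


class Browser:
    """Minimal browser model holding at most one cookie for the tracker."""

    def __init__(self, accept_third_party_cookies):
        self.accept = accept_third_party_cookies
        self.tracker_cookie = None

    def visit(self, page_url, tracker, email=None):
        headers = {"Referer": page_url}
        if self.tracker_cookie:
            headers["Cookie"] = self.tracker_cookie
        response = tracker.serve_banner(headers, email)
        if self.accept and "Set-Cookie" in response:
            parsed = SimpleCookie(response["Set-Cookie"])
            self.tracker_cookie = f"vid={parsed['vid'].value}"


def simulate(accept_third_party_cookies):
    """Visit three unrelated (constructed) sites that embed the same banner."""
    tracker = Tracker()
    browser = Browser(accept_third_party_cookies)
    browser.visit("http://news.example/today.html", tracker)
    browser.visit("http://health.example/conditions.html", tracker)
    browser.visit("http://shop.example/register", tracker,
                  email="reader@example.com")
    return tracker.profiles


if __name__ == "__main__":
    print("cookies accepted:", simulate(True))
    print("cookies refused: ", simulate(False))
```

With the cookie accepted, the tracker ends up with one profile linking all three sites to the email address; with it refused, it holds three unconnected single-site records.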

Another type of software, known as ‘spyware’, is becoming more common. This is software that usually offers the user a useful feature such as automatically filling in online forms, remembering passwords or downloading music. In the background however, it is logging all of your actions such as websites you visit or time spent online and uploading this information to an organisation. This has huge privacy implications and is ostensibly the same as a Trojan Horse in many ways. A search on Google.com for “spyware” will return a number of resources which discuss culpable software and means for removing it and restoring privacy.

Another common question is: do these people share my information and with whom do they share it?

The short answer to this question is yes. The information industry is constantly finding new ways of profiling individuals and their habits. Credit cards are linked to loyalty schemes in such a way as to make it possible for your purchasing habits to affect subsequent marketing campaigns aimed at you. So too, online marketeers seek as much information as possible to remove the anonymity of your web surfing and work out what sites you are going to and whether you are buying their wares. In general, it is rare that your surfing habits are linked to your email address or other identification. However such a linking is not inconceivable.

When in doubt, you might consider viewing a site’s privacy policy, decide whether or not you trust them and, based on this, choose whether you will allow cookies or register with their site. If your company maintains its own website, you should consider these issues from the user’s point of view and ensure your privacy obligations have been effectively met.

In trying to decide whether or not to turn off your system’s capacity to accept cookies, it is important to know what happens when they are turned off. In such a case, does the user lose functionality as some sites suggest?

There is a chance that cookies are critical to the correct operation of a particular site. If this is the case, you will need to decide whether you wish to accept the risk associated with this. If not, say no and go to another site. Do not ever feel obligated to reduce your security to justify a website’s lack of another means of operating.

Another frequently asked question is, how does spam operate?

Spam refers to unsolicited commercial email and is the online equivalent of junk mail. Unlike paper junk mail however, spam can be sent to millions of addresses for almost no cost, most of which is borne by the recipient anyway in the form of ISP charges. This is achieved by sending the email to huge mailing lists of email addresses, often illegally via a third party’s poorly configured mail server. If even one per cent of the recipients respond, then the exercise is worthwhile and this is why spam has become so prolific in much the same way as the Nigerian mail scam which, hopefully, many of us have thrown into the garbage bin. Once you are on a spammer’s mailing list, you will receive more and more spam as these lists are often onsold to other spammers.

Where spam has reached the stage of being a nuisance, what can be done to prevent it?

Spam emails have been compared to in-laws. It’s not easy to get them at first but then they never stop bothering you! In an ideal world, people wouldn’t buy products advertised by spam thus taking away the perceived market opportunity for spammers. Sadly this is not the case and even though legislation is slowly catching up with spammers, they are generally staying well ahead of it, thus forcing users to adopt stronger countermeasures.

Spammers use similar technologies to search engines that ‘crawl’ the web harvesting email addresses. If you have left your email address on a site’s guestbook, discussion forum or some other publicly accessible page, there is a high likelihood a spammer will eventually find it and add it to a list. To avoid being added to a spammer’s mailing list, you should be very careful about where you post your email address and which sites you use it to register with. Remember that spammers are usually unscrupulous and clicking on the ‘remove’ link or replying to the email will often merely confirm to the spammer that it is a ‘live’ address and not in fact remove you as you thought. You should, therefore, generally not respond in any way to obvious spam.

When you register for a site or post a message on a bulletin board, there are steps you can take to prevent your address being harvested. One popular method is “munging” your address. To mung (Mash Until No Good) an address is to change it in a way a human can recognise but a mass harvester will not. For example, say your address is [email protected]; you might mung it thus: “[email protected]” and instruct people to “cut off my arms and legs to send me a message”. Bear in mind that not only will this (slightly) inconvenience people trying to contact you but it may not necessarily thwart a person manually adding your address to a list – although this is still relatively rare compared to automatic harvesting (which it would likely defeat). Bear in mind that munging does not offer you privacy. It is only an impediment to spammers.

Another technique is to use a ‘disposable’ email address separate from your main personal or work address. You can open an account on a free web-based mail service such as Hotmail or Yahoo and use this address for registering with sites or posting to newsgroups and bulletin boards and not care what sort of rubbish otherwise fills up the mailbox. For a truly disposable email account, visit the delightfully named spamgourmet.com which allows you to configure a forwarding mail address that can only be used a certain number of times before disappearing forever. This is very useful for registering to sites that send you a password via email but from whom you don’t want to hear again.

Alternatively, if you just need an email address because a form insists you enter one and you don’t want to use your own, use ‘[email protected]’ instead. Anyone sending an email to that address would receive a reply indicating that the person who gave them that address did not wish to receive any further email from them. See www.privacy.net for the complete details as well as a selection of other online privacy tools.

If you manage a business, then you should always consider the privacy implications of direct and electronic mail. Aside from moral and ethical responsibilities, Australian privacy laws place additional obligations on companies and you should be absolutely certain your company conforms to these laws as serious penalties for breaches apply.

Because we all wish to protect our own financial position, it is natural for individuals to wonder whether others can intercept credit card details when they are used in making transactions over the net. And if those details can be intercepted, how can they be used or misused?

If a person obtains your credit card number, they may use it to fraudulently purchase goods and services. Although many financial institutions have policies that waive your liability (barring some small amount such as up to $50) for such fraudulent purchases, you may still have to prove it was not you who purchased the goods and this is not always easy, particularly online.

As a general rule, you should never enter your credit card onto a web page that is not secured using SSL. This means that all data between your computer and the web server is encrypted so that anyone ‘sniffing’ (or electronically eavesdropping) cannot readily view it. Do not rely on headlines or graphics on a site that proclaim the site is secure. You should look for the closed padlock icon in your browser to indicate the site is in fact secure. When in doubt, don’t click submit. To be truly confident, you should also view the security properties of the page and ensure it is encrypted with at least 128 bits and no less.

Remember, the security of a system is only as strong as its weakest link. There is no point encrypting the credit card data between the user and the webserver if the details of the transaction are then sent in an unencrypted email to the merchant’s own computer as is sometimes the case, particularly with smaller businesses who outsource their website. Again, if in doubt read the information on the site, assess your level of trust in them and if still unsure, don’t submit your details.

Another useful method is to have a separate credit card with a low or nil credit limit to be used only for online purchases. Such a simple scheme ensures that the level of damage can be contained in the event that the card number should ever be compromised.

There is still a lot of hysteria about credit card fraud on the Internet. Ironically, people who swear they will never shop online for this reason often compromise their credit card details ‘in the real world’. They might leave receipts behind in ATMs or petrol stations (which list your credit card number and are a good hunting ground for criminals) or cheerfully give their credit card to a stranger at a restaurant who will walk away with it for long enough to actually copy the card’s magnetic stripe and make a duplicate card or at least write down the numbers. Once again, verify the electronic security of a site to determine they have taken minimal acceptable precautions, assess your level of trust and act accordingly.

One of the major security devices offered on the Internet is Secure Socket Layer protection. But the question to be asked is what is it and does it offer real security?

Secure Socket Layer (SSL) is a protocol commonly used for encrypting message transmissions over the Internet. This often includes web pages and data sent via online forms. SSL relies on the RSA encryption system to protect the data. Although, as with any form of encryption, it is theoretically possible to be broken, the effort and resources required to facilitate this usually cost more than the data being protected. That is, it would take too many years to crack data that has been protected with 128 bit encryption (referring to the length of the key used to encrypt the data). (See “Encryption – The Hidden Message” in the Security Oz September 2000 issue.) Again, data needs to be encrypted end-to-end to be assured of security. If there are unencrypted links midway, there is a weak link. If your company conducts online commerce, be certain that you present yourselves to your clients as a company that takes security, yours and theirs, seriously. The damage to your company from a newspaper headline may far exceed the cash value of the money lost after an attack.

Most of us often wonder, who can read my email and how secure are systems like Hotmail?

If you assume all your email is being read, you will never be surprised to find out someone actually was reading it. Unencrypted email is stored on mail servers at the sending, receiving and sometimes interim points. Mail and system administrators can potentially access the contents of your mailbox and read your emails. Web based email systems sometimes provide ‘security by obscurity’ where there are thousands or millions of users, the vast numbers reducing the likelihood of an administrator reading your email, but this is not a strong security tactic alone. Moreover, the connection between the webmail site and your computer may be intercepted and your email read unless the connection is secured via SSL. These sites are usually designed for convenience and portability, not security. There are, however, security sympathetic web based mail services such as www.hushmail.com that may meet your requirements.

In the event that other people can intercept my email, how do they do it and how can they be stopped? The best tactic is to encrypt your mail so that even if the message is intercepted it is useless. Pretty Good Privacy (PGP) is an excellent tool for encrypting email and files across most popular computing platforms and has been very widely adopted by the security community. See www.pgp.com for commercial and freeware versions. Once you have established a means for sending encrypted mail to colleagues, you should consider encrypting all your mail rather than just the confidential messages. Consider a person raiding your mailbox at home and finding ten envelopes, only one marked ‘confidential’. Which envelope will attract the most attention? If you encrypt all your messages though, not only are you not drawing attention to the private ones but you are also removing a margin for error that could see you fail to encrypt a message you really should have.

How does the nature of connection to the Internet impact upon the security of my system? Is a permanent connection less secure than a dial up connection?

If you are fortunate enough to have a permanent connection to the Internet via your corporate network, cable modem or similar, the risks are greater because your computer is always exposed to attackers and generally maintains the same IP address for extended periods rather than dial up connections whose address changes each time. This means that once an attacker has found an inroad into a permanently connected computer, they know how to ‘find’ it again in the future.

The three most important forms of protection on a personal computer connected to the Internet are a correctly configured operating system, a proper antivirus strategy and a firewall. Your operating system should be hardened to ensure unnecessary services that may be exploited (such as a web server) are not running as they sometimes may be in a default installation of that operating system. A good starting point is www.sans.org for organisations and www.staysafeonline.info for individuals.

When private local area networks (LANs) are connected to the Internet, they are usually connected via a firewall. This is a separate machine that approves or denies traffic travelling in and out of the network based on an internal ruleset. Single computers may be protected via ‘personal firewalls’ such as Tiny Personal Firewall (www.tinysoftware.com) or Zonealarm (www.zonelabs.com), which are installed on the same machine and allow you to nominate rules for each application (program) running on your computer. This has the added benefit of alerting you to software which may be connecting to the Internet without your attention and could perhaps be a ‘trojan horse’ or other form of malicious software.

Sadly, security and ease of use do not always go hand in hand. For this reason, many options on a system are enabled by default, which may not, from a security standpoint, be ideal. To prevent the problem described above, and a raft of additional security concerns, it is recommended that you explore the often overlooked security options of your web browser. As a general guide, if you don’t need an option such as ActiveX downloads or Java, disable it, or set it to prompt you for permission each time. That way you can determine whether you trust the site or not on a case by case basis. You may, for example, allow JavaScript to run on your bank’s web site, but not on an underground site dedicated to hacking tools.

One of the most pernicious threats to computer security is the prevalence of viruses. How can they be avoided and how can ‘safe hex’ be practiced? At a minimum, you should have a properly configured, up to date antivirus program installed and update the virus definitions as often as possible. This alone is not enough. You should never open email or file attachments that are suspicious. In the same way your mailroom should never open a package marked in a peculiar fashion or not expected, you should not open emails that are suspicious either. These may be from an unknown origin, or in a writing style different to what you might expect from a colleague (whose mail client may have sent you a virus without their knowledge). Make sure your mail client (e.g. Outlook, Eudora, Netscape Messenger) is updated with the latest patches to prevent it being used in distributing viruses. Educate your friends and colleagues. If you receive a file attachment you were not expecting from a colleague, email or call the sender and ask what it was. If they are as perplexed as you, it may have been sent without their knowledge and you can delete it knowing you have just avoided infection. Viruses rarely hurt people who are well protected.

More and more frequently, banners are appearing on monitor screens that claim “you are being watched” and offer to sell software that will allegedly wipe out your Internet history, on the grounds that the methods already available to perform this function do not work.

To delete your Internet history you must perform two steps. Firstly, delete the contents of your browser’s cache where copies are kept of the sites you visit to speed up access times on repeat visits. Secondly, delete the browser’s history log, which lists the last sites you visited. Both of these steps may be performed in Internet Explorer by going to the “Internet Options” menu selection and in the resulting dialog box, clicking “Delete files” and “Clear History”. While you are there, click on the security tab and secure yourself in that area as well! The software you are being offered generally does only this. It may, however, be of some limited value in that it does all of the above automatically. There are free versions of such software available and www.privacy.net lists a number of these under the “Privacy Software” section.

With users storing more and more personal information on their computers, it is not unreasonable to ask whether other people can access the files on our computers.

Operating systems today are designed to be used as part of a network. As such, bearing in mind the ease-of-use dilemma raised above, they often have file sharing enabled by default. File sharing may sometimes operate over the connection to the Internet, potentially granting access to other, unauthorised people. Once again, properly configuring your operating system is required. In this case, you should disable file sharing or apply access control lists (including user and password privileges) to your computer’s directories. A personal or organisation wide firewall may also help but should not operate to the exclusion of proper OS configuration. If you install or run software on your machine, this may potentially allow use of your machine’s resources without your knowledge. The most popular examples of this at the moment are file sharing applications such as Kazaa, which rode on the popularity of Napster for swapping of music and other files between a large network of users. These programmes may also allow access to other data on your machine, or your computer to be used for processing other people’s data. If misconfigured, they can certainly allow access to your files by performing nothing more than their stated role as a filesharing tool. Personal firewalls may stop you being caught off guard, provided you carefully consider the consequences each and every time you approve a connection attempt. There is little point blindly approving all connections any more than there would be having a security guard who cheerfully waves everyone through the door he is supervising. Trojan Horses may be delivered to you via email as well and several of these allow remote access to your computer or ‘keystroke logging’ which sends a third party copies of what is typed on your keyboard (including passwords).

Finally …….. Aaaargh… Where can I hide? If at this point you have rendered your computer ‘truly safe’ then perhaps you should dig it up again, plug it back into the wall, reinstall the software and visit the following sites for more information:

www.sans.org and www.securityfocus.com, two excellent starting points for Information Security resources

www.caube.org.au, the Australian Coalition Against Unsolicited Bulk Email

www.privacy.net, Online privacy tools and antispam resources

www.abuse.net, How to report spammers and see them put out of business