
Surf Safely
How to avoid Internet minefields.
by James F. Leon
To help readers follow the instructions in this article, we used two different typefaces: Boldface type is used to identify the names of functions, menu items, agendas and URLs. Sans serif type shows the names of files and the names of commands and instructions that users should type into the computer.
The Internet is a gold mine of information, but it's also a minefield, loaded with scores of innocent-looking sites that contain stealthy programs designed to steal or destroy your data. But if you take proper precautions, you can browse the Web with relative safety.

In our illustration of ways to surf the Web safely, we use Microsoft's latest browser, Internet Explorer version 7, but you can apply these recommendations to other browsers as well.
GOING OR COMING?
When users surf the Web, they say they "go" to a page. In reality, though, when you type a URL (such as www.samplesite.com) or click on a link, the page actually is brought to your browser in the form of hypertext markup language (HTML), the programming code that creates the screen image. In some cases, a malicious miniature program (written in what's called a scripting language) is hitching a ride with that HTML code. The moment that infected page reaches you, the hitchhiker executes its devilish program, which can do many nasty things, including copy your files, transmit them to the thief's computer or simply erase them. Such a script also can change your Windows system settings, leaving your computer in utter disarray.
How can a script steal information off someone's hard disk? Exhibit 1 is an example of a hypothetical script buried inside a Web page. Of course, a real script would not identify itself as coming from a dangerous hacker.
If you were to receive this fictitious script, the hacker's program would momentarily control your computer and you would be instantly redirected to his site, www.hacker.com. Once there, a sophisticated program called stealfiles.cgi would snap into action, steal data off your hard disk, then redirect you back to the original Web page. All this could happen in just a few seconds, without your ever being aware of it.
Be assured most Web sites are safe. However, a criminal hacker will try to inject a malicious script into almost any Web site, a scenario known as cross-site scripting, or XSS. Although antispyware programs are designed to thwart malicious scripts, they don't always work because clever scriptwriters often stay a few steps ahead of them (see accompanying article, Spyware Protection).
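The injection described above happens on the site's side, when text a visitor supplied is written into a page without being encoded. The following Python program is an added example, not code from the article: it renders one page template twice, once with a visitor's text pasted straight into the HTML and once with the text escaped first, then counts how many elements the browser would actually execute. The template, the sample input and the counter are all constructed for this illustration.

```python
"""Added example (not from the article): the same page template rendered with
user-supplied text pasted into the HTML, and rendered with the text escaped.
The hitchhiking <script> the article describes only survives the first path.
All inputs below are constructed samples."""
import html
from html.parser import HTMLParser

TEMPLATE = "<p>Welcome back, {name}!</p>"


def render_unescaped(user_text):
    # Vulnerable pattern: untrusted text becomes part of the page's markup,
    # so a <script> tag inside it is parsed and run by the visitor's browser.
    return TEMPLATE.format(name=user_text)


def render_escaped(user_text):
    # Hardened pattern: html.escape turns < > & " ' into character entities,
    # so the browser displays the text literally instead of treating it as a tag.
    return TEMPLATE.format(name=html.escape(user_text, quote=True))


class ActiveContentCounter(HTMLParser):
    """Counts the places a browser would execute script in a page: <script>
    elements and inline on* event-handler attributes."""

    def __init__(self):
        super().__init__()
        self.count = 0

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.count += 1
        self.count += sum(1 for name, _ in attrs if name.lower().startswith("on"))


def active_content(markup):
    """Return how many executable elements the markup contains."""
    parser = ActiveContentCounter()
    parser.feed(markup)
    parser.close()
    return parser.count


# Constructed sample: the kind of text an injection attempt leaves in a
# profile field.  The script body is deliberately empty.
SAMPLE_INPUT = "<script>/* constructed sample */</script>"

if __name__ == "__main__":
    for render in (render_unescaped, render_escaped):
        page = render(SAMPLE_INPUT)
        print(f"{render.__name__}: {active_content(page)} executable element(s)")
        print("   ", page)
```

The escaped rendering is what a site that "keeps its visitors safe" does on every output path; the browser-side settings in the rest of this article are the visitor's defence for the sites that do not.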
So what's the alternative? If you want total safety, you have no choice but to take matters into your own hands and disable all scripts from running on your browser. And that's easier than you think.
DO-IT-YOURSELF PROTECTION
To disable scripts, click on Tools, Internet Options, Security (see Exhibit 2). Under Select a zone to view or change security settings, click on Internet if it's not already highlighted. Then under Security level for this zone, click on Custom level.
You now should be at a menu called Security Settings-Internet Zone (see Exhibit 3). Slide down the scrollbar to the area labeled ActiveX controls and plug-ins and click on Disable for all 10 options. ActiveX is a Microsoft scripting language.
Then slide farther down the screen to the second section from the bottom called Scripting (see Exhibit 4) and click on Disable for all five options. This will stop any script that manages to get into your computer.
To implement your changes, click on OK at the bottom of the panel (see Exhibit 5).
CONSEQUENCES OF DISABLING SCRIPTING
You do pay a price for disabling scripting. For example, for those who use Yahoo e-mail, disabled scripting triggers a message asking you to either turn on JavaScript or switch back to an older version of Yahoo Mail (see Exhibit 6). But if safety is your primary concern, the cost is worth it.
Similarly, if you use a stock ticker at a financial site, such as http://moneycentral.msn.com/investor/home.asp, you will lose the Quote watchlist box (see Exhibit 7). You can reinstate the ticker if you enable JavaScript.
You may wish to experiment with your favorite Web pages to see whether you can tolerate the loss of functionality. Remember, you can always change your mind and re-enable scripting at any time.
You also have the option of specifying sites you know are safe and allowing scripts to run when you visit them. To do that, go back to the Security tab in Internet Options (Exhibit 2), but this time select Trusted sites. Then click on the Sites button and list those you visit and know are safe. When finished, click on OK and then adjust the security level for the Trusted sites zone just as you did for the Internet zone, but this time enable scripting.
COOKIE-CUTTING
Many Web sites acknowledge your visit by sending your computer a small text file called a cookie. Cookies do many things: They keep track of all visitors and remember what they did and looked at. While most cookies are benign, some store information you enter when you buy something at the site: your credit card number, address, phone and, in some cases, even your Social Security number and the identity of your bank account. Although some sites keep cookie information under tight security, others don't bother to encrypt cookies. If safety is a priority, you probably want to implement some kind of cookie control.
A cookie may stay permanently on your hard disk (called a persistent cookie) or just be for a single Web visit (session cookie). If you have a persistent cookie, any sensitive information on your hard disk is at risk of being stolen.
Getting rid of cookies is easy. While in your browser, click on Tools, Internet Options, General. Under the Browsing history section, click on Settings and then under Current location click View files. Now go to the Name column, right-click on the cookie you want to delete and choose Delete. You can easily identify those cookies that contain sensitive data from sites where you purchased products and entered financial information. You'll also see cookie expiration dates that are many years into the future. Unless they are truly benign, delete them.
To play it safe, however, it's best to tell your browser not to accept any persistent cookies. To do this, go to Tools, Internet Options, Privacy and click on the Advanced button. You'll see a menu that resembles Exhibit 8. Click on Override automatic cookie handling, and Block for First-party Cookies and Third-party Cookies. Click also on Always allow session cookies. This will allow your browser to only accept temporary session cookies while you interact with certain sites; otherwise many sites will deny you access.
When a Web site asks whether you would like to remain logged in, it actually is asking you whether you want to accept a persistent cookie. If you answer yes, the site will send you a persistent cookie with your logon information. Always say no.
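The two paragraphs above describe one policy: block persistent cookies whether first- or third-party, allow session cookies, and treat a "remain logged in" cookie as just another persistent one. The Python program below is an added example, not code from the article or from Microsoft, that applies exactly that policy to a batch of Set-Cookie headers. What makes a cookie persistent is the Expires or Max-Age attribute in the header, which is what the browser is really looking at when it applies the setting; a header without either is a session cookie. The host names, headers and the site_of() domain rule are constructed or simplified for the example.

```python
"""Added example (not from the article): apply the recommended cookie policy,
block persistent first- and third-party cookies but always allow session
cookies, to a batch of Set-Cookie headers.  Hosts and headers are constructed
samples; site_of() is a simplification of how a browser groups hosts into sites."""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime


def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, attributes).
    Attribute names are lower-cased; bare flags such as Secure map to True."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:
            key, sep, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value.strip(), attrs


def site_of(host):
    """Approximate the registrable domain as the last two labels.  A real
    browser consults the public-suffix list; this shortcut is an assumption."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def lifetime_seconds(attrs, now):
    """None means a session cookie.  Max-Age wins over Expires (RFC 6265),
    and an unparseable Expires is ignored, which also yields a session cookie."""
    max_age = attrs.get("max-age")
    if isinstance(max_age, str) and max_age.lstrip("-").isdigit():
        return int(max_age)
    expires = attrs.get("expires")
    if isinstance(expires, str):
        try:
            expiry = parsedate_to_datetime(expires)
        except (TypeError, ValueError):
            return None
        if expiry.tzinfo is None:
            expiry = expiry.replace(tzinfo=timezone.utc)
        return int((expiry - now).total_seconds())
    return None


def classify(header, response_host, page_host, now):
    """Return (decision, reason) for one Set-Cookie header received from
    response_host while the page being viewed was loaded from page_host."""
    name, _value, attrs = parse_set_cookie(header)
    domain = attrs.get("domain")
    cookie_host = domain if isinstance(domain, str) and domain else response_host
    party = "first-party" if site_of(cookie_host) == site_of(page_host) else "third-party"
    lifetime = lifetime_seconds(attrs, now)
    if lifetime is None:
        return "allow", f"{name}: session cookie, {party}"
    if lifetime <= 0:
        # An already-expired cookie is a deletion order: letting it through
        # only removes stored state, which is what the policy wants anyway.
        return "allow", f"{name}: expired, deletes the stored cookie"
    return "block", f"{name}: persistent {party} cookie, lives {lifetime} s"


# Constructed sample: one page load from shop.example that also fetched a
# resource from ads.tracker.example.  Each entry is (response_host, header).
SAMPLE_RESPONSES = [
    ("shop.example", "sessionid=abc123; Path=/; Secure; HttpOnly"),
    ("shop.example", "remember_me=tok; Expires=Thu, 01 Jan 2037 00:00:00 GMT; Path=/"),
    ("ads.tracker.example", "track=xyz; Max-Age=31536000; Domain=.tracker.example"),
    ("shop.example", "oldpref=; Max-Age=0; Path=/"),
    ("shop.example", "broken=1; Expires=not-a-date; Path=/"),
]
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)


def apply_policy(responses=SAMPLE_RESPONSES, page_host="shop.example", now=NOW):
    """Run the policy over every response and return the decisions in order."""
    return [classify(header, host, page_host, now) for host, header in responses]


if __name__ == "__main__":
    for decision, reason in apply_policy():
        print(f"{decision:5}  {reason}")
```

The remember_me header is the "remain logged in" cookie: a site that offers to keep you logged in does so by giving a login token a far-future Expires, and it is the one entry in the sample that the policy blocks on the first-party side.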
How much computer safety you need is a personal matter, and it depends on how much you value your data. Although there are commercial programs designed to make your workspace relatively safe, as you can see, gaps remain. The only way to be sure is to take action yourself to close the gap.
James F. Leon, CPA, CISSP, is a visiting assistant professor and the director of IT training in the Department of Computer Science at Northern Illinois University, DeKalb. His e-mail address is jimleon@cs.niu.edu.