What can I do to protect my electronic information on an individual level?
It is now a fact of life. Purchasing a new computer for your own personal use (and even a number of Cloud services) is never equipped with the security tools you'll need. If you want to protect your information and the threat of internet attacks, you must acquire the tools and the knowledge of how to improve the security of your computer and its data.
Mr John N. Stewart agrees. He writes in his article entitled, Securing the Internet Desktop, on page 96:
"An out-of-the-box operating system or a computer that you brought home from your local computer store is not ready for the Internet. It might be able to get you connected quickly, and you may get a free account through a participating ISP, but by being connected to the Internet, you've opened yourself up for more than just surfing.
Take appropriate precautionary steps, and install the software required to protect the computer you use on a day-to-day basis." (1)
A summary of computer security
For the average computer user, the most effective ways of protecting your information are as follows:
- To password-protect your sensitive files, hard disk and other areas you consider sensitive and requires protection using strong encryption software.
- To disconnect your computer from any network such as the Internet until you have an absolute need to get online, or be connected with other people.
- To keep your time online to an absolute minimum.
- To take your computer (or your sensitive digital information on a portable, durable and reliable storage device) with you at all times, especially if your data is not properly password-protected.
- To use a laptop (or handheld device) instead of a desktop machine because it is easier to carry around with you; and
- To use a reputable file shredding or deleting software (because tools are available, mainly from the CIA, to bypass password-protected disks and read the files directly off your hard disk).
A more comprehensive look at computer security
Here is a more complete checklist for the security-minded computer owner:
Encrypt sensitive information
For private email containing sensitive information, encrypt your messages and other information (including attachments). You will know it is encrypted when the account settings shows port number as 443 for email sending and 995 for email receiving and encryption is set to SSL or TLS. As a further security measure you need good encryption technology. Try the powerful Network Associates McAfree PGP Personal Privacy. Or for roughly $40, you can render messages useless to prying eyes of unintended recipients using PGP email encryption (based on Philip Zimmermann's PGP technology) . For further information about this software, go to http://www.nai.com. However, Network Associates, Inc. (NAI) has bought out the technology and has decided to drop it in favour of the standard S/MIME for desktop-to-desktop encryption. And NAI has changed its name back to McAfree.
Better still, there is a freebie version of PGP from MIT at https://pgp.mit.edu/, or PGP Information where the latest version will automatically add itself to Microsoft Outlook Express and give you a button to encrypt/scramble your messages.
Or if you need a complete PGP encryption and mailing service that is free and independent of the commercial companies that might pretend to be offering the best privacy tools on the market, try the OpenPGP-based http://www.mailfence.com/.
For further useful advice regarding email security, you may wish to check out http://compari.tech/emailsecurity.
Use strong encryption for sensitive email messages
Encrypt your more sensitive emails for in the words of Mr Dan Carosone, chief technologist with Melbourne-based security consulting company e-Secure:
"...no email that goes across the Internet unencrypted is secure from snooping and capture. Technically, there are lots of ways it could be done." (2)
For example, interesting news had emerged at the beginning of the 21st century of a sophisticated software technology being used by the Federal Bureau of Investigations (FBI) in the United States to monitor unencrypted or poorly encrypted emails received or sent from a particular server or email account. Known as "Carnivore" or DCS1000, the Internet wiretap system would be installed at various ISP servers across the US and possibly abroad and is meant to be designed to help the FBI agents investigate certain people presumably involved in criminal activity.
- And when sending email messages in a truly secure manner, try to use an anonymous or public Internet computer such as those available at Internet cafes or public libraries. Or use a number of the free email sending services online which guarantee anonymity. You should remember all the email messages you send to the world contain more than just the basic visible header information such as BCC, CC, To, From, Reply-To and so on. Email messages may also include hidden information such as your current IP address, which is considered a powerful means of identifying who you are and where you are located.
Try to use a good password and don't tell anyone about it
- Try to use different passwords for all your different accounts such as email, personal files, your Web server, and so on. If remembering several passwords is too difficult, use one good password and change it regularly (perhaps every couple of months) to stop people from working out your password. Make sure the password you choose to protect your accounts is not too simple. For example, if you choose the name of your pet as your password or the birthdate of yourself or a family member, there is a good chance someone else (perhaps a person close to you) can work out your password. So be a little more creative and make it harder for someone else to access your personal information without your explicit permission.
- Consider purchasing a software tool like SUNRISE Contacts to store multiple and different passwords to various accounts. You give it a temporary master password (the only thingfor you to remember) and let the software encrypt all the other passwords. When you need a password to access an account, the software will decrypt it with your master password. In that way, all other passwords can be hideously complex and random looking characters, making it a headache to figure out by anyone else online or close to you.
- Obviously, you should never share your passwords with others, no matter how much you trust them. It does not matter if a person online claims to be a close friend or a special agent working for the Federal Government. How do you know for sure? He must first prove who he claims to be before you can even contemplate on releasing your personal information, and even then you must have an expert witness at hand such as a lawyer for further advice. Even if the person is sitting right next to you because the person and yourself are a married couple with a shared account, the bank will still give you and your partner a unique password. There is no need to share your password with anyone. Not even the Prime Minister of Australia (unless it is proven that the survival of the human race depends on it). If you need to share data on an account, let each person get their own password. And it will also make it easier on the other person when the time comes for you to change your password.
- Always have a quick glance over your shoulder before typing your password just in case someone could be standing next to you and observing what you are doing. Avoid having to type your password at airport lounges or other public places where there might be surveillance cameras. An anonymous IT security manager at a financial services firm in Australia has confirmed to Computerworld in April 2002 that it is now possible to use existing surveillance cameras to observe people typing passwords on ATM machines and laptops.
- When typing passwords, try to use your hands in such a way as to shield the actual keystrokes you make from the prying eyes of strangers. For example, you can use your left hand to cover the movements of your fingers on the right hand as you type your passwords.
- Use multi-factor identification where possible, such as using SMS codes as your sign-in option for the myGov web site. This is one technique that is bound to give considerable problems to hackers and other unwelcome prying eyes.
- Keep your key business and personal software for retaining or storing sensitive data and any of those considered critical to the operation of your business up-to-date, and run regular checks on your hardware (e.g., a virus checker) to ensure you don't have viruses or spam.
- As old staff leave their positions, it is important to review staff accesses, and remove any that are no longer needed.
- Passwords are one thing. Then there is the data itself that you receive and what they contain. Do you know for sure who is the sender? Does the email address look familiar and is the same as in previous communications with the individual? If you are not sure, investigate the email address by searching online to see if anyone else owns the email address. Find out if the email address is a known spammer or hacker on some government database site. Also, be weary of attachments. Make sure you expect to receive an attachment from the person. Even if you don't know and the person sending you this file is trustworthy, it is possible he/she does not know the file is loaded with a virus or something else. It is better to be safe by installing a virus checker and letting it run in real time for all attachments you download. The virus checker will check the file. And keep the virus checker software fully up-to-date. Go in the preferences of the software to turn on auto updates for a hassle free updating experience. And if you don't always ask yourself, "If something doesn't seem right about this email and its attachments, is it worth the risk to download or even to open the email? Look at the email header and decide straightaway whether to trash it, or accept it as a trustworthy source."
- If you are detained by authorities for security reasons (which is a likely scenario for international visitors entering the US who decide to carry their own password-protected laptops) and they ask you to turn on your laptop for inspection, offer to type the password yourself. Do not tell the password to anyone unless you are requested to do so, and only then you must have a lawyer present to witness what is happening and can give you full legal advice.
- If you feel typing passwords on a keyboard is not the safest because you work for a highly secret organisation (e.g. CIA, NSA, ASIO etc), consider other authentication systems, such as fingerprint technology, eye retina technology, or whatever. NOTE: These alternative technologies are not foolproof, but will be a lot stronger than the usual standard password technology.
- For businesses, consider visiting this Australian government's web site for a questionnaire to see how secure your computer and data is.
Minimise access to a network where possible
- As soon as your computer is equipped with the software to get you on a network and make your files and folders shareable, you are always at risk of being hacked. And it is always because you leave a connection turned on all the time. even at night when staff are unattended and have left work to go home. Always check the status of your file sharing and make sure you ask your guests for a password to access your shareable files and folders. Also, keep all your folders and files protected unless you want some files to be shared. If so, put these files in one shareable folder and tell your software to make this folder the only accessible location. Everything else should be inaccessible.
Try not to connect to the Internet or any other network for long periods of time just in case someone else (or your computer and/or commercial software) is trying to open a secret communication channel between your machine and another on the network using some kind of security flaw in your network software or as part of some alleged marketing purpose. The great marketing idea of networking (i.e. having your machine constantly online from a stable IP address location) may have its advantages for marketers and other supposedly innocent-looking people, but it can also serve as a double-edge sword in the sense that it is a powerful gateway for more dubious characters to gather a remarkably detailed profile about you, your family and your work and to use this personal information in ways you don't expect or want to see and hence make decisions on your behalf mostly in the name of convenience and profit (and usually for the benefit of the other person). Mind you, that may already be happening thanks to your decision to share everything about your life on social media sites. But at least you made the decision. But if, say, your business has business confidential and commercial-in-confidence information that is not to be released before a certain date or needs constant protection, you clearly won't be sharing it online, will you? For those types of information, put a lid on unnecessary internet access. And make sure when you do have access that the folders and other avenues for people to gain access from online are secure and relevant. No other "backdoors" should exist, intentionally or otherwise, while you are online. Keep your ass covered.
To protect your identity based on IP address while browing online or chatting on IRC or instant messenger, download a special tool from the Electronic Frontier Foundation (EFF). This organisation is in the business of advocating for your privacy and security on the internet. The tool is an example of their work and is available for Windows, Mac OS X and Linux. The only drawback in the tool is that it will slow down the speed of accessing information on the internet. We recommend using this tool inconjunction with a broadband connection to make it bearable.
To minimise network security problems, try to update the network software to the latest version, and install a personal firewall. Arguably the two best firewall tools available to filter out unwanted guests on a network are Symantec Norton Internet Security 2002's Personal Firewall and ZoneAlarm 2.6 or higher. Or a cheaper but reasonably effective alternative is Steganos Security Shield (which can also alert you to problems such as hackers entering your computer via SMS). Don't ever rely entirely on Windows XP's own built-in personal firewall. This is a very basic tool and although it is better than no firewall, you are better off installing a complete and dedicated firewall like the ones mentioned above for significantly-enhanced security.
Zone Labs has kindly provided a free version of their famous firewall software to all PC users for the home known as ZoneAlarm 3.7. This free software package is just as powerful as the Plus and Pro versions but without all the whiz-bang features. The core firewall is standard on all three products but most home users will appreciate the power and features of the free version.
To test whether your computer is vulnerable to network access from unwanted guests, visit Steve Gibson's Shields Up! web site at https://www.grc.com/. To be sure it wasn't a fluke, also try https://www.security-audit.com or http://www.hackerwatch.org/. If the report card from either site suggests it is not good, we recommend installing a personal firewall immediately if you intend to get on a network regularly. Firewalls work by identifying the TCP/IP port number of a packet of information travelling through the network outside your computer or intranet to help determine who or what is trying to access your computer or intranet from the outside network, and then looks up a table of rules to decide whether to discard the packet or allow it to go through to the intranet or Internet applications on your computer such as your browser. For example, port 139 is used by Microsoft to identify Windows machines. To block all Windows machines from accessing your computer or intranet, you would tell your firewall to block any connections on port 139.
But please remember that if you want access to the Internet, your Firewall must allow entry to port 80. This is the only problem with Firewalls. If you want to deal with potential Internet security attacks on port 80, you must complement your Firewall with other security measures such as turning off unused services like the Web server software on a file server or minimising your time online.
As Internet Security Systems (ISS) announced in the first quarter of 2002 after analysing security incident figures gathered from 350 of the company's high-volume intrusion detection sensors around the world:
"Since almost 70 per cent of malicious activity occurs as a result of entry through port 80, it is obvious and imperative that firewalls should be augmented with additional intrusion and defence technology, since firewalls cannot prevent this form of unauthorised access in their own right." (3)
Use a software firewall like Norton Internet Security's Personal Firewall if you intend to use only one computer for network purposes. If you have several computers connected to a network, it is cheaper to install a hardware firewall that sits between the Internet modem and router and your network hub, instead of buying multiple copies of a software firewall for each computer. And whatever firewall you do install, make sure the firewall's rules tables are updated regularly for maximum security.
NOTE 1: Do the downloading of updates from a public internet computer or public internet location for your laptop as some web sites may collect information about you when you do the downloading (e.g. IP address, name of the person registered to use the software and/or OS for downloading etc).
NOTE 2: Keep your software as anonymous as possible.
Hide your email address(es)
If you have to be on a network, take great care when posting messages to newsgroups online. There are specialised marketing software tools in cyberspace to comb, or address harvest, for email addresses in your messages and later send you and your friends junk email, often by the hundreds! If you receive these junk emails, or spammers as they are called in the industry, don't reply to them. It will only notify the sender that your email address is a live one, and you may well receive an increased number of junk emails.
Either remove your email address altogether from your messages, or set up a specially-dedicated "junk email" address with one of the free ISPs. This can be with Yahoo.com or hotmail.com.
- To strip your name and email address from the header of your email messages, use an anonymous remailer. This service is available from https://www.anonymizer.com, http://www3.anonmail.net, and http://www.mailanon.com. For other reliable remailers, check out the list maintained at the Electronic Privacy Information Centre at https://epic.org.
As for those applications like Adobe Acrobat 5.0.5 that allow you to create PDF files at Adobe's own online hard disk web site, either type a bogus email address in your Internet Config control panel, or visit one of your local libraries with Internet access and use a free ISP email address containing bogus personal details such as your postal and residential address, name, date of birth etc. In that way, Adobe will have to send the completed PDF file to your email address but will not be able to physically locate your whereabout from the email address.
The primary electronic means of identifying who you are, where you are located, and what you do while you are online or working on your network-connected computer are (i) your IP address; (ii) your email address; (iii) your preferences/logs/cookies/cache/history files on your computer's hard disk (including those stored by your internet browser and third-party plug-ins used by the browser); and (iv) the registration and personal details you have typed into your installed application software (i.e. a kind of legal consent from you to allow other people online to inconspicuously look at your personal information) or enter online.
To understand how powerful preferences/logs/cookies/cache/history files are, the Department of Veteran's Affairs has conducted an audit of their departmental computers and checked the web sites visited by staff. They do this periodically by looking at the Internet browsers' cache/history files and any log files stored by other spyware. What the Department has found was that some staff were visiting offensive sites (i.e. pornographic). Although it does not prove staff were not doing their work or have been deliberately visiting these sitesbecause it is possible some web sites could advertise such material as unexpected pop-up windows or in junk emails or staff may accidentally click on the wrong hyperlinkit shows how easy some people can spy on your activities.
To learn more about basic computer security for the average PC user, we recommend Internet Guard Dog for around A$75.00. This software will check for unprotected shared folders, unprotected applications, test to see whether unauthorised deletion of files has occurred, update Microsoft Explorer security level, and give you the essentials in protecting your identity while you are surfing online.
Otherwise set up an anonymous email account with a local free ISP and ensure the software you are using have minimal or anonymous personal registration details stored in it. For example, refrain from using the Platform for Privacy Preferences (P3P) capability of certain software like Microsoft Internet Explorer 6.0 or higher unless you are happy to share your personal information to online shops, marketing firms, and the more dubious characters called hackers. Also consider turning off "Enable third-party browser extensions" in the Advanced tab of Internet Explorer. You will find this in Internet Options under the Tools menu command. This can help stop people from hijacking your browser or be spied upon by strangers.
To give you an idea of how easy companies like Microsoft can learn more about you, read this article.
And regularly delete the Internet browser's cache, cookies and history files. And consider turning off plug-ins for your browser to rpevent historical information from being recorded by third-party developers. As a final security measure, consider using your own computer to do your work and take the computer with you everyday. This effectively stops auditors from checking your computer (i.e. they'll need a warrant to do so).
Hence the usefulness of laptops!
Keep your IP address hidden from public view
Keeping your IP address secret is vital. Your IP address is one of the best ways of identifying your computer on a network. If anyone should somehow get their hands on this important information, your security will be potentially compromised. Why? Once a person has this information, he/she can locate your computer on the network, not to mention the name and address of the ISP you are using to access the Internet and eventually your home and work address you use to register yourself with the ISP.
But if this stranger did not want to physically visit you, it is still possible for the person to open a secret communication channel between their machine and yours while you remain online. In fact, this is how many hackers get into other people's machines: they scan for IP addresses and then try to connect to those computers having the "live" Ethernet/IP addresses using special black-market software and/or inherent programming flaws in commercial Internet software on your machine or the operating system you use.
- Script kiddies, as they are called, are small programs designed to help hackers make a nuisance of themselves by crashing your computer through flaws in your operating system. When this happens, it is known as "Denial of Service" attacks (DoS). But for this to work, the hacker must know your IP address, which can be easy to find if you're on Internet Relay Chat (IRC) or using an instant messaging tool such as ICQ. For further details about these programs, check out the following interesting web site at http://www.antionline.com/.
- Keep your IP address secret at all times, or at least constantly changing by using other people's machines at a local Internet cafe or library, or by utilising software to automate this procedure. Hiding your IP address from unwanted guests is crucial to maximising your security on a network.
- Avoid using any kind of software that can reveal your IP address to anyone, no matter how trustworthy another person might be. This includes instant messaging tools and a variety of Internet Relay Chat (IRC) facilities. Also be careful if other people can access your computer. Your IP address can easily be found using the Network or TCP/IP control panels or the numerous freeware software utilities like IP Monitor, or even a number of Internet web sites designed to reveal your IP address irrespective of Firewalls and other security software you may have or employ.
- Be careful not to install certain third-party software management tools on your web site, especially if they require you to insert (and reveal to other people) your IP address. For example, a freeware software tool called Envirolyzer (testmy.cgi) version 0.2 by Craig Richards (it was once available on http://download.cnet.com/) requires you to insert your IP address and upload the tool to your web site where almost anyone else (including your local ISP) could download it. If your web site is already registered with your preferred local ISP, this may be fine. But if you are using a free web site hosting service from people like Yahoo.com and you prefer to remain anonymous, such management tools should be avoided at all costs like the plague!
Remove unnecessary log/cache/cookie files etc.
The simple act of browsing web sites or listening to music on the Internet can leave behind a trail of interesting electronic information of where you have been, who you are, what you are doing, what you like and dislike, your email address, and so on inside certain files on your computer's hard disk. Most of these files tend to be visible and are often called log files, cache files and cookie files. Other files may be invisible and you will have to check to see where they have been installed.
To minimise this potentially serious security risk, (i) turn off Java or ActiveX on your browser; (ii) trash the files inside the browser's cache folder; (iii) remove the browser's cookie file (try the freeware utility called Cookie Monster to automate the removal process) and the history file. If necessary, use a freeware utility like AutoDelete 1.0.1 to automate the process of batch deleting all these files or folder contents at once (including the log files created by your email software like Qualcomm Eudora Pro). Or for $14, try Ultimate Anonymity for an effective software solution to the problem by ensuring anonymity is maintained when browsing the web, sending encrypted email, and posting to newsgroups.
26 June 2004
You might wish to investigate a new product for automatically removing your browser's history files, cache files, cookies, autocomplete forms, saved logins and passwords in preference files, browser's bookmarks; ICQ/Yahoo/Miranda IM talk history and received files; and Windows clipboard, Recent documents list, list of run application, Windows temp files, log files, Find Files history, and scan disk logs. Try Privacy Keeper 2.7.3 for US$39.95. The tool is well-designed and easy to use. Only suitable for PCs.
The power of cookie files in making a detailed profile of Internet users has been properly vindicated with the release of the following quote, published in the May 2000 edition of the UK magazine .net, page 72:
"...One of the biggest on-line advertisers, DoubleClick, recently caused outrage when it was revealed that it intended to combine its information [retrieved from people's cookie files created by their Internet browsers] with marketing databases. The result would be a detailed profile of millions of Web users, including their names and addresses. Although the company climbed down, many people were shocked by the ease with which companies can track people's movements on-line."
Further details about this case has been revealed in the following quote:
"[Attorney Ira] Rothken brought the first lawsuit against DoubleClick, in January 2000, after the online advertising company said that it intended to marry information it had gathered online to personal information it had acquired by buying Abacus Direct. The ensuing uproar forced DoubleClick to reverse its decision." (4)
While cookies created by an Internet browser are meant to be designed to store non-sensitive data (i.e. not your log-in passwords, credit card number, your name and address, or your personal life) as a way for web site owners to personalise their web sites to suit your tastes and greet you in a particular way and nothing more, it is difficult to know for sure what is actually stored in the cookies at all times. With the exception of online shopping malls that require cookies to operate properly, all other cookies should be removed on a regular basis.
To remove cookies, we recommend using a freeware utility like AutoDelete 1.0.1 to remove all cookies, or Cookie Cutter 1.0 to selectively keep certain cookies and to remove all others. Another utility you could try is WebWasher available for Mac, PC and Linux at http://www.webwasher.com/. Webwasher will also remove those tiresome pop-up ads, block access to certain Web sites, and perform many other useful functions.
The latest Microsoft Internet Explorer 6.0 software does not properly address the issue of cookies being used by third-party web sites and online shops for tracking your browsing habits. It merely has the option in the preferences to permit or not permit cookies to be stored on your computer. So use other software tools to automate the process of selectively deleting your cookies.
To manually delete cookies from your hard disk using your Internet browser, select Internet Options under the Tools menu command in Microsoft Internet Explorer. Click on the "General" tab. Now click the Clear History, Delete Cookie, and the Delete Files button to remove all unnecessary files created by Internet Explorer. In Netscape Communicator, go into Preferences under the Edit menu command. Then click on the word "Navigator" in the Category list and click on "Expire now" button. Now go into the "Advanced" preferences section and select your preferred cookie handling capability of your browser (you can tell your browser not to accept cookies). Finally, go into "Cache" (part of the "Advanced" preferences section), and click the button that says, "Clear Disk Cache Now".
"Trend Micro InterScan AppletTrap [a program for detecting malicious mobile code over networks] provides a two-pronged approach to detecting harmful ActiveX controls and Java applets. It analyzes mobile code as it passes through the HTTP proxy server, and stops it if it finds any harmful instructions."
Similar security options exist in Microsoft Outlook Express. Choose Options under the Tools menu command. Select the Security tab. Now visit the useful guide at Lifewire.com for advice on what to do.
Clean up invisible temporary files
- The simple act of using certain applications on your hard disk can leave behind its own trail of interesting electronic information inside invisible temporary files. For example, on a Macintosh computer, the invisible temporary files are stored inside the invisible Temporary Items Folder at the root level of your hard disk. In previous incarnations of the MacOS (i.e. prior to version 9.1), these temporary files were automatically deleted (or moved to the Trash can) by the operating system. In MacOS 9.1, however, the files are no longer deleted or moved. Such information could be useful to other people while your machine is connected to a network, so for good security, you will need to delete these files every time you restart your computer. Some of the recommended freeware utilities to do the job of clearing the temporary files properly include Eradicator 1.2.2, AutoDelete 1.0.1, or AutoPurge 2.5.1.
Clean up preference files
It is also a good idea to occasionally trash certain preference files stored in the Preferences folder. A closer inspection of some seemingly-innocuous looking preference files created by applications can reveal more information about yourself and your computer's hard disk structure (i.e. all your files and applications) than is absolutely necessary.
For example, on the Apple Macintosh computer, there is a file called Apple Menu Options Pref which is designed to grow rapidly in size from about 1K to a whopping 745K in a matter of a few days despite turning off the recent applications, files and servers option in the "Apple Menu Options" control panel (NOTE: In MacOSX, you are forced to have the recent applications, files and servers turned on at all times. There is no option to turn this off). The reason for the sudden increase in the size of this file is because it somehow needs to continuously store unnecessary information about the names of all your files and applications on your hard disk even though the basic preference file needed for the Apple Menu Options control panel to do its job is actually small (less than 1K). If these preferences files are not removed, it is possible for strangers with a basic knowledge of Java or ActiveX to send a copy of this and other files to another computer.
This is known as the inconspicuous approach to recording potentially sensitive information about you from your hard disk for auditing purposes. The more conspicuous approach is, of course, for a company like Microsoft Corporation to provide everyone with a free Microsoft Office Manager control panel and extension for recording all known Microsoft products on your hard disk together with your name and serial number purely for convenience and presumably to help you access all the Microsoft products quickly and easily.
NOTE 1: Apple Computer, Inc. now does the same with its highly visible Dock feature of MacOSX, saving information in a preference file where it reveals both its current Dock configuration of applications and the original Dock configuration at time of installation of the OS.
NOTE 2: Microsoft Internet Explorer 6.0 also records and transmit to all web sites you browse online all the Microsoft products you own. For further details, read this article.
NOTE 3: The most common way to audit a computer conspicuously on a PC is via the Add/Remove Program control panel, which lists the names of every software application installed. On a Macintosh, this should be visibly done via the Apple System Profiler tool normally available under the Apple icon menu command of OS8/9 and in the Applications/Utilities/ folder of OSX. However this is verified with the information stored in a preference file by the Dock in OSX.
Disable the Forms AutoComplete feature of Microsoft Internet Explorer
- Please note that if you are using Microsoft Internet Explorer version 5 or higher, you are strongly advised to disable the Forms AutoComplete feature for security reasons. The AutoComplete feature permits your browser to store your passwords in a preference file for automatic re-use when filling in online data-entry forms for you. However, this allows other people with access to your browser and computer to use your details without having to know your password or PIN. To disable the Forms AutoComplete feature, select Internet Options under the Tools menu command (for PC) or Preferences under the Edit menu command (for Macintosh). Then click on the Forms AutoFill tab.
Take great care of the sorts of commercial freeware/shareware/licensed software you decide to install and use on your personal computer (spyware makers should take heed of the word "personal" in personal computer, it certainly does not mean you can look at someone else's machine or computer manufacturers would have called it a public computer!). Some software such as Real Player and Microsoft Explorer can surreptitiously send information stored in their preference/history/cookie and log files back to the company over the Internet.
For example, according to Icon: Your Internet Guide in The Sydney Morning Herald, dated 8-14 July 2000, page 12, under the appropriate title of Receive and you shall give:
"Not long ago, Real Networks [the makers of the Real Player and Real Producer music streaming software] got itself into hot water for keeping tabs on its users' musical preferences without letting them know it was prying." (5)
Now Real Audio has been required by law to disclose all information collected by the company in their online privacy statement.
Even those seemingly innocent-looking applications on your computer that do not appear to be Web-enabled or have any good reason to be on the Internet actually do. For example, Adobe Photoshop and Aladdin StuffIt Deluxe are designed to secretly send information over the network when launched even though they don't look like they need the Internet to work properly. Although the information sent by these software programs are mainly for law enforcement purposes - that is, to stop another software with the same "single user" serial number from running at the same time - there is an effort today to have your registration details in the software and your email address in other applications sent automatically to the software manufacturer for possible investigation, marketing, or "commercial advantage" purposes once you are on the Internet.
So how do you know whether you've got spyware?
By their very nature, spyware are designed to install itself and perform tasks in a secretive way that cannot be easily detected. On a PC, most spyware will keep themselves hidden from view (even when you press CTRL-ALT-DEL to reveal the Windows Task Manager dialog box) by modifying the Windows startup files (such as WIN.INI) or the registry file and then run as a hidden service in the background. Other spyware tend to be embedded directly inside major applications like Adobe Photoshop or installed as a plug-in or some other utility looking suspiciously like it is a part of your application package. Either way, you may have a seriously hard time finding spyware on your computer.
Fortunately there is a place where you can determine whether or not your software is of the "spyware" variety. Just visit Spywareinfo.com and let it scan for electronic nasties.
For a truly comprehensive look at all the commercial software applications that somehow need Internet access through your computer so you can determine if you need those programs to do your work or try alternatives, we recommend installing a copy of Norton Internet Security 2002. This software will monitor all applications having the potential to exchange information via the Internet.
Spyware makers are hitting back with a range of new and updated spyware programs capable of disabling the detection systems used in spyware detection tools such as Ad-aware and Who's Watching Me. For example, the latest version of the keystroke logging software known as WinWhatWhere is able to stop Who's Watching Me from detecting it. As Richard Eaton, President of WinWhatWhere, explained the reasoning for this:
"Every time we find out about any of these programs, we will change our program to do whatever is necessary. My reasoning behind it is I'm selling a security product that shouldn't be detected." (6)
Yes, but isn't it part of legislation for people to be told they are being watched and how it is being done? It is a question of respecting people's privacy by informing them and getting agreement before the tool does its job.
We recommend you use several different anti-spyware programs for optimum protection on your PC. Try Ad-Aware SE Personal Edition 1.06 followed by Spybot Search and Destroy and, while we are at it, a quick check with Microsoft Windows AntiSpyware beta just to be on the safe side. All software are free and can be download online. In fact, Microsoft considers its early AntiSpyware software so important, it has decided to incorporate the tool directly into Windows 7 or higher under the name Microsoft Security Essentials/Microsoft Defender. And if you should happen to find more anti-spyware tools, consider downloading them and put them through their paces.
Some spyware makers are getting cleverer to the point where new spyware tools are capable of hiding processes running on your computer (i.e. making the spyware look invisible). In some cases, the spyware may disable security software without letting you know what has happened. Spyware tools that don't tell you it is running in the background are called Rootkits and are considered among the hardest to remove. Short of reformatting your hard drive and reinstalling your OS, your next best shot is to use a Rootkit Revealer software tool to at least detect the presence of known Rootkits. Try Rootkit Revealer for further details. Please note that Microsoft Defender now targets Rootkits after it acquired the Rootkit Revealer and made it part of its security tool for Windows 7 or higher.
If things get too serious (unless you choose to turn your computer into an online games machine), you are better off disconnecting completely from the network (both intranet and internet). Even those paranoid employers who want you to stay connected to a network to do your work because they want to see what you are doing may be forced to allow employees to work offline if the latest spyware developments become more pervasive throughout the computing world.
- Be careful with certain software you download from the Internet. Some Web tools such as Usenet readers, and instant messaging programs will install files on your hard disk that secretly download advertisements. This may seem like a harmless activity, but if this software can download information from a secret location outside your computer, you can be sure it wouldn't be too hard for the software developer to upload files from your hard disk to a secret location as well (known as spyware). If your software is one of those "ad-download" varieties, download Lavasoft's free Ad-Aware 5.62 for PC users. It will scan your Windows registry and remove the necessary information and files relating to your ad tools.
Beware of certain seemingly innocent-looking software utilities capable of recording secretly in one part of a computer's hard disk every keystroke or password you enter. One classic example of a "keystroke capture" program is the PC utility called Gator designed to remember passwords you type on the screen. Then there is a software program called Spector designed to perform a similar "keystroke recording" purpose, except that it can also take screen snapshots every couple of seconds. Another is TypeRecorder 1.5 for Macintosh. Unless you are using your own personal computer to run this utility for your own purposes, such 'spyware' should be avoided like the plague on other people's machines to help maximise your privacy and security.
NOTE: Law enforcement officers have caught hackers using this type of technology for collecting user IDs and passwords from people who do their banking on the Internet. If you are going to access online banking systems, make sure it is your own password-protected computer and not somebody elses. Also do it in the privacy of your own home (or take your laptop with you). And make sure the information you will exchange over the Internet is secure. This is one of your best defences against hackers.
Beware of company computers you may use at work. They are not secure machines for private use (well, at least for people working in Australia). Special monitoring software such as the PC-based iOpus STARR (renamed to OPUS ActMon) for AUS$29.95 can log everything you type, every site you visit, and even both sides of your instant messaging conversations. What makes this tool particularly nasty is its ability not to show itself as an icon in the taskbar or listed in the Windows Task Manager. Unless you know the specific files making up this software and where they are located to uninstall it, you simply cannot use the Uninstall option unless you know the password for the tool itself. To deal with this kind of software, reboot your PC in Safe Mode (hold down CTRL on your keyboard as your system starts, then choose the Safe Mode option). Then find its executable files on the hard disk and rename a few of them. Hopefully that will disable the software. Otherwise, bring in your own personal computer (with permission from your system administrator of course) and do your work on it instead. Or try to work from home if you can.
NOTE: The Fourth Amendment to the US Constitution provides clear privacy protection to US citizens no matter who or what is being used as part of the surveillance activity. However, in Australia, there is no such constitutional or common law right to privacy. Employers can do pretty much what they like in Australia because of outdated and inappropriate legislation concerning surveillance activities. For example, the current state legislation in NSW is very much device specific (i.e. does not cover computers as part of a surveillance activity) and personnel specific (i.e. does not include employers as part of a surveillance activity). However, this may be set to change with the NSW Law Reform Commission (LRC) report of December 2001 recommending 121 changes be made to the legislation in NSW Parliament. Furthermore, new provisions to the Australian Commonwealth Privacy Act mean employers must notify employees when and why they are being monitored. But whether employees should be monitored at all because it impinges on the right for people to have their own privacy is still being debated in Australia.
If you are an employer and want to ensure company computers are being used appropriately while retaining a happy and productive workforce, we recommend that a policy be set up to specify times when personal surfing is encouraged such as during breaks, or before and after work. Personal surfing is considered vital for a healthy and creative workforce. Let staff find time to pay their bills, to read up on new ideas, to do some shopping, and to be emotionally happy. But when it is worktime (i.e. you are getting paid to do something for the employer), be clear that the Internet is only for work-related purposes and nothing else unless it is an emergency.
For example, employers who castigate employees as in the following case at the Australian Department of Defence should be considered socially unacceptable unless (i) the employee was required to do important work for the department during the weekend; and (ii) there had been a potential overloading of vital communication links at the Department because of the employee's personal actions:
"A Defence official...who had spent his weekends viewing pornography at his office, was the subject of a major security investigation....
Yesterday, the Secretary to Defence, Dr Allan Hawke, issued new guidelines for the Internet which warned that departmental monitoring of Internet usage would continue. Anyone caught viewing pornography would be disciplined." (7)
One should also note that the Department apparently spends about A$1 million a month (as of 2002) for Internet usage. However anyone at the Department who argues it is unacceptable to use the Internet for personal use because it is costing them money is not a valid argument. Why? The money has to be spent to acquire a block of time (i.e. monthly, not minute-by-minute) which in all practical purposes cannot always be used 24 hours-a-day and seven days-a-week. There will be times when the Internet services will be unused by employees and the employer. Therefore it only makes sense to permit employees to use that spare time to achieve other important positive and worthwhile personal goals to help improve their emotional and intellectual development, irrespective of the type of information being accessed.
In the case of the unnamed Defence official at the centre of the investigation for alleged misuse of the Department's resources, his explanation was to see what her daughters were viewing or could come across on the Internet from home and so decide which Web addresses would need filtering.
Just so long as the information will not interfere with the operations of the Department and is positively presented (i.e. no violence etc) and will make the employee feel better about themselves and improve their or other people's learning, then Internet access for personal use outside normal working hours should be seen as acceptable. If necessary, special places should be set aside at work (if not at home) to allow employees to surf for personal use without affecting other employees and the Department's operations.
But what happens during work times? Should employees be constantly monitored? Monitoring of employees to ensure they are doing the right thing is not the answer. People should be entitled to some privacy when they work for the most efficient and effective work practices (unless the employer does not want employees to be creative and happy at all times as is so often the case at the Department of Defence). If employers want their employees to do the right thing, then they should treat their employees responsibly and they will in turn act responsibly using the tools available to them.
It will only be a matter of time before a number of marketers and law enforcement agencies employ new versions of these "electronic peeping tom" equivalents known as spyware capable of giving a reasonably full personal profile of who you are and what you do by creating a link to your email address and other information.
To avoid this situation, either download public (open-source) freeware software, or don't install any new 'third-party' software unless you are absolutely certain they are safe and do exactly as they intend (i.e. will not steal your personal information and send it to a third party without your consent). Or if that is not practical, install and register your software and computer using anonymous names and addresses.
For example, where the application asks for your name in the registration dialog box, type "Any User"; and for the organisation name, type "**". Don't worry. Being anonymous with your registration details is perfectly legal. And it will not violate your warranty. Actually, Charles Britton, a spokesman for the Australian Consumers Association said:
"You can't make warranty subject to registration. You are not compelled to register in order to get basic warranty service." (8)
As for those commercial applications such as Adobe Photoshop 6 and 7, Adobe Illustrator 9 and 10, and Adobe Acrobat 5.0 and 6.0 which tries to send your name and serial number to the software manufacturers online, you may wish to go one step further and remove the "Web" folder (or at least AOM, or adobeweb.dll in Windows systems) of the Adobe folder inside the Application Support folder. The Application Support Folder is found in the System Folder of MacOS9.x or Library folder of MacOSX.
So feel free to be anonymous as much as you feel is necessary to protect your privacy. At least by doing so you have effectively made it much harder for the software manufacturers to work out who you are. And keep your computer offline when running unsafe applications in case they will be trying to send your personal information over the Internet.
Finally, when you have finished using a suspected spyware program while you are offline, regularly trash the log, cookie, history and preferences files created by the program using an effective batch file and folder content deleting freeware utility like AutoDelete 1.0.1, or create your own folder/file deletion (or folder/file template replacing tool) using AppleScript.
- Email messages are a form of spyware in the sense that you are not really anonymous because of additional information sent with the email message such as your IP address. You must use a tool specifically designed to help you send anonymous email messages.
If you suspect the latest and greatest software on your computer may contain spyware programmed directly into the application and working offline will not guarantee sufficient security protection (because the files you create and send to your clients with the help of this software may already contain sensitive information), try to convert and Save As into another file format; or get a freeware, older or any other alternative "anonymously registered" software you feel safe in using and Save As the original file into the new file version. In most cases, this will be enough to destroy any personal and unnecessary information you may have in the original file.
NOTE: Following the release of this information, software manufacturers like Adobe Systems, Inc. are working with third-party software developers to supply things like freeware Photoshop plug-ins such as j2k and SuperPNG. In that way, Adobe can work out whether you are using an illegal copy of Adobe Photoshop when creating your JPEG file, especially for commercial use where profit is being made. Adobe can also compromise your privacy by using these plug-ins to learn more about you as well. It is a double-edged sword and you must be prepared to use true freeware utilities like gif2png 1.0 to get away from this serious privacy problem with the big commercial software manufacturers. That is why you will often see shareware and freeware programmers providing utilities to read commercial files like Microsoft Word and AppleWorks documents so that you don't actually have to use the original commercial applications to read the documents, create PDF files from them, etc.
And as a last resort, you can open the files using an appropriate Hex or Text edit utility and physically remove portions of the code containing your sensitive personal information. For example, you can now legally remove your email address from the postscript files created by Apple's laserwriter software using a utility like Strip-a-Post 1.0, or use your word processing application to read the postscript file and remove your email address in the header section (at the top of the file). If you create a Macro in Word, you can automate this function easily. Then Save As a "Text File" and continue with your process of distilling it into a PDF file.
Adobe Systems Inc. has just realised the possibility that people can remove their email address from the header of a postscript file. So Adobe is working with other software manufacturers (notably Apple and Microsoft) to allow a button or menu command to immediate create a PDF file straight from an application (e.g. MacOSX and Microsoft Office) without going through the intermediary step of creating a postscript file. This effectively makes it difficult to find the email address embedded in the PDF file.
Be careful with commercial applications that can secretly attach any file on your hard disk to the commercial files you create and send to others with the applications
A major security flaw has emerged in the Microsoft Word software package from versions 97 and up. The most vulnerable of all is version 97 (for PC). The flaw involves the ability for someone with enough knowledge to insert a short piece of carefully-crafted code into a Word document (via the invisible Word fields which help to automate functions such as inserting information into Word documents) and then send it to someone else. When the Word document is opened, the code tells Microsoft Word 97 or higher to attach a file named in the code to the Word document as soon as it is saved. Now when the Word document is resent back to the originator, more than just the Word document is revealed to this other person. The person resending the Word document is never aware of this until he/she uses a utility like HexEdit to view the full content of the Word document and discover information from another file has been somehow added to it. Although Microsoft is complaining that it won't be able to provide a security update for the older Microsoft Word versions to fix this serious problem, it would be in the best interest of Microsoft to do so if it is to be seen as a good corporate citizen promoting secure software and privacy for all individuals and groups.
Now just imagine how much easier it would have been for Microsoft to gather any other file it likes from your hard disk and not just your Word document if you decided to use the web-application version of Microsoft Word!
For further information about this security flaw, click here. For an official response to the security flaw by Microsoft, click here. It is interesting in this reponse how Microsoft wants consumers and businesses to spend more money on upgrading to the latest Word 2002 version to solve this security problem. Perhaps Microsoft is strapped for cash in 2002 and therefore cannot find the time to produce a security update?
NOTE: Security updates from Microsoft may not necessary be what the company claims. Click here for an example of this.
Microsoft Corporation has released an "Office 98 SSL Security Updater" designed presumably to increase the security of your Office software in certain situations. However, you will also find in this update that either Microsoft has not done the quality control checks before releasing the update, or they may be enticing people to purchase the latest Office products. The reason for this is because the update effectively forces Word 98 to read certain Word documents as corrupted when in fact it isn't using the non-updated version of Word 98. It also loses something in the interface in all Microsoft Office applications (e.g. the warning icon disappears when the message comes up saying you have not saved the Word file). Always keep a copy of the original Microsoft Office software and test the update on another copy before committing yourself to the new version.
As our recommendation, the order in which you should apply updates to the original Microsoft Office 98 installation CD files is as follows:
1. MS Office 98 Updater MkII
2. Office 98 OS9/Y2K/PP Update (Excel 98 Y2K Update already included)
3. MS Word 98 Security Updater
4. Off98 Unique Identifier Update
Ignore the latest security update known as "Office 98 SSL Security Updater" as this creates major problems in Word 98 and the other applications don't look the same after the update.
When you do download the updates, use a public internet computer and burn the updates on CD, or a public internet location for your laptop. Some web sites may collect information about you when you do the downloading (e.g. IP address, name of the person registered to use the software and/or OS for downloading etc).
In an attempt to ease the general public of Microsoft security problems, Microsoft has posted a message about the "SQL Slammer" worm in response to complaints from Windows security experts and administrators of Microsoft SQL Server 2000 and MSDE 2000 systems in late January 2003. The message claims a security patch was made available to solve the problem since June 2002, except it did not provide a clear and direct link to the patch so as to highlight the problem and the solution to customers in the easiest way possible. In fact, this would probably explain why Microsoft didn't follow its own advice and use the patch when executives confirmed the worm had indeed affected their own internal network!
As much as Microsoft may not like to highlight security problems, it would be seen as a good company in the eyes of the public if Microsoft makes it clear at the front of its web site all security-related problems and direct links to patches and other solutions. And make sure the solutions have been well-tested before releasing them to the customers (Apple could learn a trick or two from this idea).
Otherwise, Microsoft software isn't as bad as most people will try to make out. Apart from the occasional marketing and software infringement purposes and in forcing people to use the latest peripherals when running Windows XP, Microsoft has to be pleased that enough people are actually using the software and hence helping to uncover security problems more quickly and easily. Once the problems are highlighted and quality solutions provided will it make Microsoft software the most secure in the industry.
Be careful about relying on Microsoft-only (or Apple-only) products for everything you do as you may experience greater security problems
In an independent non-profit report titled CyberInsecurity The Cost of Monopoly written by seven IT security researchers and published on 24 September 2003, it is claimed computer systems relying entirely on Microsoft software (known in the IT security industry as an homogenous system) is a critical security risk. Organisations and individuals wanting good security should deploy a software mix of some Microsoft and non-Microsoft software on different multiplatform systems for greater security. The report also recommends the US Government should force Microsoft to make its dominant software including Internet Explorer, Media Player and Microsoft Office available for different computer systems (e.g. Macintosh, Linux etc).
The report does not go as far as to say Microsoft is deliberately creating security problems in its software. Rather, the blame falls mostly on consumers for choosing to buy Microsoft products only. The sellers are merely there to make a profit by selling what the consumers want (or know exists about after seeing what many others have bought).
As Bruce Schneier, the founder and chief technical officer of Counterpane Internet Security Inc and co-author of the report, said:
"I think the blame falls mostly on the buyers. The seller is going to sell what the buyers want. Because everyone is buying it, because it's compatible, because it's easy, everyone is doing it. The point of the report is to say, 'Hey, there are security implications to your decision." (9)
Fixing up the security problems in all Microsoft products won't solve the underlying security problem inherent when sticking to one architecture. The only way to significantly improve security is to use a range of different software and computer systems not owned by a single company.
As computer security consultant and co-author Perry Metzger said:
"It doesn't matter how hard Microsoft works on security. So long as they continue to be human beings, there will continue to be flaws and you don't want every machine on Earth to have the same flaw revealed at the same time. It's as though every person in the U.S. had the exact same genes." (10)
Readers can review the report from here. The report was sponsored by the Computer & Communications Industry Association (CCIA).
26 September 2003
The instigator of the report Dr Dan Geer has suddenly resigned on 23 September 2003 from security vendor @stake Inc. as Chief Technical Officer in an attempt by the company to dissociate itself from the report. In a statement made by an @stake Inc. spokesman on 25 September 2003:
"@stake would like to clarify that Dan Geer is no longer associated with the company as of Sept. 23, 2003. Although Dr. Geer announced that his CCIA-sponsored report titled, CyberInsecurity: The Cost of Monopoly was an independent research study, participation in and release of the report was not sanctioned by @stake.
The values and opinions of the report are not in line with @stake's views." (11)
Microsoft is believed to be a valued customer of @stake Inc. according to the security vendor's official web site. Maybe this explains what's @stake? $$$ from Microsoft!
3 November 2003
A public campaign to make Microsoft look good has begun at @Stake with an advisory report on several security bugs in Apple's own MacOSX version 10.2.8 and lower was published.
8 November 2003
After a string of stinging criticism about Microsoft's lazy attitude towards fixing up security problems was made more publicly known by the media, Microsoft Corporation has undergone massive changes as it tries to win the hearts and minds of a sceptical public. For a start, Microsoft is doing excellent work in changing the focus of the web site on fixing up specific security bugs and in helping people to improve their security generally speaking as this big company learns to develop a positive relationship with its customers. Excellent stuff!
To make the move more dramatic in the minds of its customers, Microsoft has announced (via chief executive Mr Steve Ballmer) the next service pack in 2004 will be free and devoted exclusively to fixing up security problems in Windows XP and Windows Server 2003.
Let's hope the security fixes from Microsoft don't stop with just one free service pack. We can be sure hackers will find loopholes in the latest software for many years to come.
You should bear in mind this Microsoft decision will affect only the latest two software products for consumers and businesses.
22 March 2004
Microsoft is under the microscope again with revelations that the company is forcing consumers and businesses to use Microsoft's own brand of software such as Media Player and how installing any other alternative software will cause problems for Windows XP. According to European Competition Commissioner Mario Monti, a ruling was been successfully passed in the European courts requiring Microsoft change its Windows XP to allow alternative software to be used in place of Microsoft's own brand. As Monti said:
"A lot of people do not want to live in a Microsoft-only world. Microsoft has a way of making its anti-competitive tools support the monopoly efforts in other areas." (12)
This means Microsoft will have to provide two versions of Windows XP one with Microsoft Media Player installed and the other without it.
Otherwise if you are forced to stick with Microsoft-only tools and nothing else, you risk the chance of having security flaws exposed and exploited by hackers which could affect a large number of Windows-based systems and this could be enough to create massive problems for the economy of a nation should the Windows-based systems fail en masse.
29 March 2004
A number of US politicians are unhappy with the European Unions's decision to force Microsoft to fix up its products and be fairer to other competitors. A strongly worded letter written by five Democrats and five Republicans in Washington, USA, to the European Competition Commissioner Mario Monti has explained the decision as excessive and unnecessary. To cite as evidence, the letter claims the problem has already been dealt with in a previous 2002 settlement between the US Justice Department and Microsoft after finding evidence of anti-competitive behaviour in Microsoft. Apparently the politicians believe Microsoft is meeting tough new compliance structures thanks to a comprehensive regulatory scheme put in place in the US. However, the settlement refers mainly to the US. In Europe, Microsoft can still force consumers to accept Microsoft-only products by ensuring consumers have no choice but to install certain products in Windows XP (and which appears integral to the proper functioning of the Windows operating system) and it does not have to tell its rivals of the situation. Hence the reason for the European Union's decision against Microsoft to change its products. Furthermore, the politicians have also called for a reconsideration of the unprecedented fine of US$613 million (A$817 million) to Microsoft claiming it is excessive. However, a number of European observers consider the fine fair given the size of the company's profits which exceeds the US$1 billion per year mark even after paying for all operating costs and salaries. In essence, the letter suggests some politicians are worried Microsoft (and by implications for other American companies) may not be able to maintain a certain level of competitiveness in this tough international market environment.
Microsoft Australia has issued a free security pamphlet titled Secure your PC with lots of pictures of smiley people using a laptop (running Windows of course). The brochure explains how you can stop spam, shop smart online, and help parents and kids with safe surfing techniques. The pamphlet ends with a question. No, it isn't the familiar, "Where do you want to go today?" Rather, Microsoft asks, "Is you Microsoft software genuine?" Then it goes into some detail about making sure the Certificate of Authenticity (COA) sticker is on the Microsoft product and there is the edge-to-edge holographic image on the installation CD (i.e. not a sticker). It is not quite obvious how this helps the user to be more secure.
Perhaps Microsoft is trying to say to users how important it is to purchase the latest Microsoft software to improve the security? That would make sense instead of saying we should all get genuine Microsoft software. Or perhaps the company is letting us know why the security in Microsoft software had to be so poor in the past because Microsoft wanted to see what people were doing with the software and whether it is genuine software or not.
Be careful with those products that attempt to link your personal information with serial numbers
The use of serial numbers in software and hardware (e.g. the microprocessor) is the first critical step for commercial manufacturers of identifying who you are, where you work, and what you do. Once they find a way to link your personal information with the product's serial number, it would be a simple matter for the manufacturer to secretly send all that information to someone on the network using spyware either secretly programmed directly into the manufacturer's application (or in partnership with other companies having their own commercially-produced software) or through a freeware utility you download from the Internet.
NOTE 1: Serial numbers are useful to help businesses protect their investments in selling products but only if the businesses know who is the original licensed owner of the products. If the personal details are not recorded by the businesses and in the products themselves together with the serial numbers, the serial number technology is effectively useless. Then the only security measure businesses have is to hide the serial number from non-authorised and unlicensed users. This is why Adobe Systems, Inc., for example, has decided to hide the last three digits of its serial number technology when the products show their splash screen. It just makes it a little bit harder for other users to work out the serial number and use it to make an unauthorised installation of the products.
NOTE 2: Please note that hiding serial numbers from users is also not foolproof.
Use anonymous registration details in commercial applications and online, and do not send in warranty/registration cards
- Do not send registration/warranty cards to software and hardware manufacturers; you'll be surprised at how little junk mail you will receive! But don't worry, not sending in your registration cards should not preclude you from obtaining the necessary updates or upgrades, or getting repairs under warranty should you require them in the future. You only need your original receipt as proof of purchase in order to obtain something under warranty or whatever (or for software purchases, the original packaging and installation disks are adequate as proof of purchase).
Whenever you get something for free - for example, a free web site and/or Internet access, or download a free commercial software - you will probably end up on someone else's electronic database (presumably for the purposes of sending you junk mail). If you are required to register online with a business to receive these free services or products, use anonymous names, addresses and other personal details. You are not required by law to give your exact details to another company. NOTE: This is actually getting harder to achieve thanks to Microsoft Explorer which can now automatically fill in the online form with your personal details and MacOSX and Windows XP can secretly deliver more information about you than you would anticipate from specific log files in the system folder.
Also consider providing a separate private box address where all your junk mail can be received and processed. And when the online registration form asks you whether it is okay to pass your details to another company, click the "No" box. You'll be amazed at how little junk mail ends up in your private box. NOTE: Some companies are getting a little tricky in how they ask this question. They may ask for your permission to pass on your details to another company, but then in the end ask for your response in a slightly different way which if you are not careful, you may respond in a way that suits the company. Always read the entire question and make sure you have selected the right response.
NOTE: Adobe Systems, Inc. has chosen to take this online registration form approach before permitting users to download free software updates. Following the recent debarcle with secretly embedding people's private email addresses in PDF files they would create, Adobe is taking the safer and more legal approach of ensuring people are given the right to decide the sort of personal information they want divulged to the software company.
Remove your personal details from electronic databases
- Search the dozens of Web directory sites to see whether certain sensitive information is being revealed about you on their listings. If so, you can request that these sites remove or modify your listing. For example, check out http://infospace.com, http://www.superpages.com and http://www.bigfoot.com.
- Remove the public listing of your name, address and telephone number in the white and/or yellow pages. Use a private number instead. Many Web directory sites now publish white and yellow page listings on the Internet. In fact, you are likely to be on hundreds of databases by now, and some of them may be published online thanks to your presence in the telephone directory. So try to minimise your presence by not doing things like filling out warranty cards (keep the receipt instead as proof of purchase and warranty), market surveys, or leaving your name in public places like the telephone directory.
Carry sensitive digital information with you at all times
Don't leave credit card numbers and other personal data on your computer if there is every possibility that it can be stolen when you are not around. If your computer is stolen or accessed by strangers, people can spend your cash straight away. Likewise, by leaving your computer on the network, someone could find a surreptitious way of accessing the information on your hard disk from another location.
Consider purchasing a laptop instead of a desktop computer. It is much easier to take a laptop with you than a desktop variety. Or purchase a handheld computer that fits in your pocket. Or alternatively, buy a pocket-sized portable hard-disk or special USB RAM cards to store your most sensitive information.
Don't store credit card numbers on an electronic database if the database would be stored on a computer connected to the Internet. No matter how good your security, hackers will find a way to break into the computer and eventually the database itself. As Adrian Dolahenty has said:
"Most at risk of hackers...were the companies that stored credit card information in their databases, ultimately protected by the credit card companies' own security. Hackers have traditionally cracked these codes and used these details for fraudulent purposes." (13)
The solution to the great credit card security issue when making an online purchase has now been found thanks to the announcement from American Express regarding a new scheme for creating "one-off" credit card numbers. This means that once a customer makes a financial transaction online using this new credit card scheme, the number is automatically and instantly cancelled, making it virtually impossible for hackers to gain access to the company's credit card database containing your financial details. The scheme is known as Private Payments and has already been successfully launched in the USA since October 2000.
Don't send sensitive digital information to anyone
As for marketing experts asking for your personal information in surveys or whatever, you do not have to release this information without your consent. In fact, it is against the law in many countries for marketing experts to gather personal information about you without your explicit consent. Even if they do gather the information under any legal means, the Freedom of Information Act is there to permit you to view this information and make changes as you see fit and proper.
It is now part of legislation that marketing experts must provide a marketing opt-out where junk mail is sent to individuals as well as giving individuals the right to know what information is being held about them and to correct that information if it is wrong, or even to delete the information altogether from the databases if the services and/or products are no longer required.
This law also include government departments, but the law only goes as far as allowing individuals to view and modify their own personal information, but not to delete the entire record for certain reasons.
In Australia, the law for protecting the privacy of individuals is covered by the Privacy Amendment (Private Sector) Act 2000 which came into effect for all businesses from 21 December 2001.
If you must send sensitive digital information to someone, make sure your software is secure and you are sending it to the right person
- Do not send important information like credit card details to a web site that does not have a secure SSL server. Check the padlock icon in the lower left-hand corner of your browser to determine whether the server is secure (it should show a locked padlock sign).
- Even if credit card numbers are encrypted by SSL by a reputable online business, always check the Internet address of the business you wish to make a purchase, especially at the point where you start to type in your credit card number and other personal details on an official online order form. It is possible for some hackers to unlawfully access the web site of the business you are with and redirect one of the links to their own web site containing an exact duplicate of the genuine business web site. Then once you have typed your details and click send, you may be allowing the hacker the opportunity to use your details to make unauthorised transactions.
Wipe clean the free space on your hard disk
Trashing files on your computer (i.e. the act of clicking and dragging files to the Trashcan and then choosing "Empty Trash" or "Recycle") is not a fool-proof way of removing the files from your hard disk. Practically all operating systems do nothing more than make the icons of the trashed files disappear from the screen and opens the space where the files used to be for other files to write to it. But until those files write to this free space on your hard disk, the trashed files are still recoverable using consumer software tools such as Norton Utilities 3.0 or higher, TechTool Pro 2.5.5 or higher, GoBack and Snap'N'Shot (and we are not talking about the ones available at the Department of Defense, or from the computer forensic experts of various law enforcement agencies).
Use Norton Utilities, Burn 1.2, Eraser 5.3, or WinDelete 5.0, to name a few, to wipe clean (or file shred) this free space. For top-notch security (especially if you are in one of those clandestine intelligence gathering agencies), make sure the utility wipes the free space several times (to ensure the write head can move slightly over those areas that were missed in the first erase run), as some new software tools available from the Department of Defence and at Deloitte Forensics in Sydney can still pick up tiny traces of the files existence and with it some potentially sensitive information. All it takes is an address, name or part of a picture in a tiny portion of the file to give anyone a hint at what was contained on your hard disk.
NOTE 1: Formatting your disk (hard disk, floppy disk, CD-RW, optico-magnetic disk etc) will also not guarantee your data is properly erased. Make sure the disk is erased (or formatted in the full mode) several times using a quality software utility. And when the disks are no longer useable, incinerate the disks instead of throwing them in the rubbish bin.
NOTE 2: The science of professional electronic evidence gathering depends on the ability of a forensic expert to recover and make exact copies of electronic files (trashed or untrashed), or to find any meaningful patterns left behind from parts of a deleted file. It doesn't matter if you try to make your files invisible from the desktop, you can be sure a forensic expert will find them.
NOTE 3: The only things that would make life virtually impossible for a forensic expert to find what you have got on your hard disk is (i) a properly deleted file (i.e. overwritten completely several times); and (ii) using a powerful encryption software designed to make it impossible for cracking tools and a supercomputer to break into your important files (just so long as you don't try to record the password or special key elsewhere on your hard disk or to be too cooperative to the forensic expert in giving away your password or key).
NOTE 4: Do not rely on the encryption technology of standard commercial software such as Microsoft Word, Excel and Access. These applications have poorly programmed or flawed cryptographic capabilities and these can be overcome using special purpose software tools. You are better off using a tool of at least the same encryption stength as Pretty Good Privacy (PGP) or something more powerful to do the encryption for you.
- Do not shop or do your banking on a public Internet machine at a cafe, shopping mall, job network service provider, or library. It is possible for your sensitive personal information to be retrieved from browser cookie files and other means.
Stop computer viruses in their tracks!
Install a good quality antivirus software like Symantec Norton Antivirus 5.0 or higher (use version 7.0.2 or higher for MacOS9) for A$59; McAfee VirusScan 2006 for A$60; or ZoneAlarm Internet Security Suite for A$100. And make sure the virus definitions file is the latest (download it from the software manufacturers' web site). It may also help to turn it on whenever you insert another person's floppy disk into your floppy drive or when you are downloading any information off the Internet (including email) or any other kind of network.
Computer viruses are short pieces of programmed code that can partially or fully attach themselves to files (e.g. email attachments or things you download and open) and applications. Most are designed to replicate themselves when launched and send copies to other computers on a network. Some viruses may do more than just replicate themselves. For example, the viruses may make a copy of all the email addresses of people in your address book of Microsoft Outlook and send them to everyone including the email address of the creator of the viruses. Viruses may also make changes to the information in the files or applications they attach and/or make other software-related changes to your computer without your awareness or consent. These are known as electronic vandalism.
Other computer viruses can also be designed to steal information such as your passwords stored in electronic files on your computer. For example, W32/Bugbear-A released for Windows users at the beginning of October 2002 was among the first of a breed of powerful viruses to steal information. A more recent example appearing in early 2005 is the rbot.ash and Win32.Rbot.gen*2 viruses known as "the peeping Tom" because of its ability to turn on WebCams and send images to the hacker as well as steal passwords and keys of popular game applications.
And in June 2005, spammers are using hackers to create zombie viruses designed to quietly infiltrate broadband-connected PCs and activate them at the right time by an online command. The purpose of these viruses is essentially to use another person's PC to do the spamming and using the email addresses in a local contact address book (i.e. Microsoft) to masquerade the actual email address of the spammer and thereby allowing the spammer to use this information to send bulk spam using another person's infected PC.
NOTE: SUNRISE Contacts 2015 is a contacts address book not affected by zombie viruses.
And yet another one involves receiving fake CIA and FBI emails asking you to open an attachment. The emails lure you to follow the instructions because they claim your IP address has appeared in over 30 illegal web sites and wants you to open the attachment to find out how and where. But if you do, the attachment will reveal a virus designed to use the email addresses in your (Microsoft) Address Book and send copies of itself to other recipients. It will also leave a message on your screen claiming your computer has no trojans, viruses or spyware for the purposes of tricking you into thinking your computer is okay when in fact it isn't (naturally since the virus has achieved its objective).
Viruses designed to steal information help the virus creator (or hacker) to gain an advantage in some way such as mimicing people's identities in an attempt to gain extra cash from your bank account or to pretend they are a legitimate user of your software packages.
Computer viruses can either be good or bad, depending on the intention of the original creator of the viruses. Some computer viruses may be good in the sense that they help to highlight security flaws in a network or on someone else's computer. In fact, the presence of computer viruses can make the system administrator very happy as it can teach people to be wary of junk emails (with attachments) and not to be too blase about their security. So it is likely in the long run people's email accounts will be clean of junk emails.
On the other hand, other computer viruses can be malicious in their intent and, of course, should be avoided at all costs. For example, some computer viruses have become so powerful and malicious that they can not only reproduce themselves and use your machine as a gateway to other machines, but can also look for your sensitive computer files (made easier thanks to certain commercial operating systems such as Windows XP and OSX which forces people to use specific folders such as Documents in specific locations determined by the commercial software and not by you unless you create another folder of the same name and hide it somewhere else) and have them automatically sent to other people's email accounts. Today the worse computer viruses in existence are those designed to destroy all the files and applications on your hard disk without warning. So it is highly recommended that a backup of all your "clean" files are made on a regular basis, preferably on non-rewritable (or write-protected) disks (e.g. CD-R).
Remember, viruses do not infect:
- the files on write-protected disks;
- compressed files unless the files themselves are already infected at time they were compressed; and
- computer hardware such as monitors or computer chips.
Computer viruses only infect computer software stored on a writable disk - namely applications and files on your hard disk. Furthermore, Macintosh viruses do not infect PC software and vice versa. The only exception to this rule is when you have Macro viruses infecting Microsoft Office documents because of the ease in which you can share and open them up on both platforms using the Microsoft Office software.
Microsoft Corporation has only recently (i.e. in the last few months) realised the importance of having a good antivirus software in its arsenal of Microsoft products. Considered by some experts as the most highly targeted software in the world for the lowly virus creators, Microsoft has decided to acquire the antivirus technology from a small Romanian company known as GeCAD Software of Romania. As part of the deal, GeCAD will no longer provide its customers with free updates to its excellent RAV antivirus signature updates. Instead, Microsoft intends to offer what is presumably a better deal for customers: pay a subscription service now and you will obtain the antivirus software updates! Yes, we thought readers would be jumping with joy with that one! In the meantime, GeCAD will continue to retain its rights to the RAV Antivirus product name in the foreseeable future.
To reinforce this profit aim of Microsoft Corporation, the company is now closing down free chat rooms in Australia and another 28 countries by 14 October 2003. The official reason given to the media: To stop children talking to paedophiles according to media reports, and to eliminate spammers and pornographers. But the real reason is to force people to join and pay for Microsoft's MSN Messenger instant messaging service while reducing expenses on policing free chat rooms. Other free chat rooms on the Internet remain unaffected by Microsoft's latest decision.
Don't think all viruses target Microsoft products only. For example, Shockwave files created with Macromedia Flash and PDF files created with Adobe Acrobat were once considered safe from viruses until only recently. In the case of Shockwave files, they can now be infected by a virus called SWF/LFM-926. This virus exploits the Action Scripting component of Macromedia Flash to do its dirty work of infecting other shockwave files on your hard disk resulting in the reduction of the download speed of the files. As Matthew Bath, editor of the UK Digit magazine, has colourfully described it:
"Macromedia Shockwave Flash has fallen foul to its first computer virus....Once opened, it [SWF/LFM-926] races through a system, coughing in the direction of other Flash files, wiping its nose on anything Shockwave, and generally clogging up your Flash work with the viral equivalent of snot and pus." (14)
The way computer viruses spread on your machine and other people's machines is by (i) launching an infected application; (ii) opening a file/document; and (iii) running infected system files on startup. Once the application is launched or the document is opened causing the viruses to run and get stored in memory, they can infect other applications, documents and system files you may open or run during the course of using your computer. If your applications or documents are on a network, the viruses can easily spread and infect other people's computers.
The worse ones of all are those that do not let you know that they are sitting there waiting to cause havoc until it is too late and something destructive has happened to your computer (i.e. a loss or a change in the data stored in your documents or applications). The best advice from experts is to get in a habit of checking for viruses every time you get online or receive a foreign disk using a quality antivirus software, preferably stored on a write-protected disk of its own.
Computer viruses are a potential threat to your security. According to the FBI, Department of Justice and the System Administration, Network and Security Institute in the US, the number one Internet security threat is opening email attachments because of the viruses they contain. So get a good antivirus software.
Who makes these viruses? It can be anyone. Young hackers, software manufacturers wanting to learn more about you, the US military/government, certain terrorist groups or other organised crime syndicates, marketing experts or whoever. We can all produce viruses for whatever motive we may have, sinister or otherwise. Your aim therefore is to selectively choose your information and get rid of those types you feel might be suspicious or have no relevance to your work or life in general.
For instance, look at (do not click on) the subject header, address, and recognise the emails having attachments. Next, decide which ones to read and which ones ought to be removed (or trashed). If they have no subject matter, remove immediately. If the address is not familiar, remove. If the subject matter suggests you might have to download an attachment and the email is from an advertiser or someone you don't know, trash it immediately. Also be careful with software that is given away for free in email attachments. If you are interested in the software, download directly from reputable web sites (i.e. not as an attachment). And when reading emails and their attachments, always use the latest antivirus software. Or alternatively, read your emails from a public computer.
Remember, an antivirus program is only as good as the virus definition file it contains for detecting all known computer viruses. In other words, regularly update your virus definition file every month for maximum protection and turn on the scanning option to "continuous" on the antivirus program itself whenever you are online or when inserting a foreign disk (even if the disk is from one of your own friends or family members).
If you suspect your computer might be infected with a virus, use a write-protected "decontamination" disk containing your antivirus software and run it.
Want to know a good antivirus software but are a bit short on money? Try the free TotalAV. Likewise, you certainly won't be too disappointed with AVG Antivirus 6.0 so long as you register on the company's web site at http://www.avg.com/au-en/homepage to receive a free copy of AVG Antivirus.
Or try the slower but highly effective free antivirus scanning web-based service at Trend Micro's web site located at http://housecall.trendmicro.com/au/. It has been around since May 1997 and, most importantly, will scan and clean for free all known viruses using the latest anti-virus technology.
NOTE: If you are not sure whether your existing anti-virus software on your computer is working properly, try http://housecall.antivirus.com/. This will test your software for its effectiveness. And if you like Trend Micro's software technology, you might like to purchase for A$89.95 the tool known as PC-cillin 2002 with built-in firewall, considered the best anti-virus software in the world after Symantec's Norton AntiVirus 9.0.
Or perhaps the world's best form of defence against computer viruses is not to open any file you are not expecting to receive. In particular, avoid file attachments to email messages that have the.pif,.exe,.vbs,.vb,.scr,.js,.zip or.bat file extensions on them. For example, if you see the following filenames as attachments:
and/or if you see the following subjects:
Re: My details
Re: Thank you!
Re: That movie
Re: Wicked screensaver
Re: Your application
Re: Your details
Re: Anna Kournikova
you should delete the email and attachments immediately. Similarly email messages sent in multiple copies from either known or unknown sources should be trashed. They are either spam or someone sending viruses in the messages.
Even if your anti-virus software cannot detect a virus on any of these sorts of emails and attachments (or you use a Macintosh computer to read emails), there is every likelihood a new "undetected" virus may already be lurking in them ready to create havoc for you and your computer system. So be highly prudent and remove all emails you are not expecting to receive or you think looks suspicious.
As Chris Horsley, an analyst with the Australian Computer Emergency Response Team (AusCERT), said:
"The standard advice used to be not to click on attachments, but now you can't trust anything you receive. Each time you get an email you need to think about the motive of the email and be suspicious." (Manktelow, Nicole. Spam 'hurting' business: The Sydney Morning Herald (the Icon Supplement). 25-26 March 2006, p.3.)
And be extremely sceptical about running application file attachments with the.exe file extension (for users running PC software). For further information about viruses, please visit the following locations:
You can also get a free, comprehensive security checklist and a heap of free security software from AusCERT.
Prior to 2004, the most common way to distribute viruses is through email attachments (and usually downloaded and read by Microsoft Internet Explorer, Netscape Navigator and/or Microsoft Outlook). Now security analyst Jamie Gillespie has alerted users of new viruses transferred by malicious web pages which exploit security loopholes in your browser and ultimately gain access to the rest of your hard disk. All you need to do is click on a link such as the subject line of your email to open the message and it could in fact be linked to one of these malicious web pages. Or you could be tempted to click on a link in a pop-up window of your browser and download a piece of software only to find it is spyware. So not only should you be more vigilant about email attachments, but now the name of the game is not to click on any suspicious and unfamiliar link and software in emails and web pages. Could this grind the Internet to a halt? Or would only the well-known web pages from big IT companies be visited and all unfamiliar emails (including SPAM) and web sites be put out of business because of this latest threat where people are afraid to click on anything? The big commercial IT companies and governments of the Western world would definitely like that, wouldn't they?
NOTE: Software manufacturers such as Apple and Microsoft are designing their OS and other commercial software to have weak security features and in storing sensitive log and preference files and other information in fixed locations (e.g. the Document, the Preferences and the Application folders) thereby increasing the risk of your sensitive files being found by certain online viruses with the help of your browser. While it is good for the image of these companies to look like they are providing security updates every now and then after the software was delivered, it is time these big companies design their commercial software to be properly secure in the first place and in letting users decide how and where they want their information stored. Otherwise people will have to consider alternative software from people like Linux and other freeware/shareware developers.
Beware the trojans!
Another dangerous piece of software is called a "Trojan program". This is a sophisticated piece of "self-contained" program designed not to reveal itself as relevant or visible during the installation of another software. But like spyware, trojan programs will have some secret purpose, except that it will be a whole lot more dangerous. Trojan programs do not necessarily need to be activated by launching a file or application, but once installed in the right location(s) of your hard disk can run in the background. The purpose of a trojan program is highly varied and depends on the creator. However some trojan programs can be designed to send your personal information held in files such as your passwords to the creator whenever you go online.
These potentially nasty little programs are commonly found in binary attachments in newsgroups and from unreputable software download sites. The only way to get rid of known trojan programs is to run an up-to-date antivirus program or specialist Trojan detectors and to download software from reputable download sites.
- Do not rely on Firewalls to protect you from trojan programs. Firewalls may help to stop a trojan program from calling home, but beware. Other trojan programs do not need to say anything to the creator to do their nasty work and even if they do contact the creator, can easily bypass firewalls with surprising ease.
- Some trojans are visibly built-into certain application programs. These trojans are usually designed to send statistical information about what you do with the programs to interested parties, known as spyware. To avoid these types of visible trojans, do not install the program in the first place. If you want to know whether your program is spyware, check out SpyChecker at https://spychecker.com. To help strip out advertisements in the programs which are often of the spyware variety, visit Adaware at https://www.adaware.com/
Keep your network-related and operating system software updated
The most successful security attacks occur because your software has "vulnerabilities" or weaknesses while your computer is connected to a network. Computer hackers look for these vulnerabilities or a flawed piece of logic inside the code of your software to help them access the files on your computer. So upgrade your software regularly (especially your Internet browser, email software, and instant messaging software) to the latest version as many updates address important security bugs in the old software.
Of particular security concern in this regard is Microsoft Explorer 4.0 to 5.0 and Microsoft Outlook Express running on a Windows-driven PC computer. They should always be updated including the operating system itself if you intend to use the network regularly. For regular network use on a PC, consider updating your operating system to Windows 2000 or XP; for Mac users try MacOS9.2.2 or X (version 10.2.4). Otherwise stick with Windows 95/98 or any of the standard early MacOS versions if your computer will not be connected to a network (or at the most sparingly if you must).
NOTE: To learn more about all the potential security flaws in your software, check out SecurityFocus at http://www.securityfocus.com/;
Stick to an operating system that you know is secure and safe
The exception to this general rule of constantly updating your operating system is when a brand new operating system utilises a technology that already has the potential to create serious security flaws. For example, MacOS 9 is considered a more secure technology than OS X version 10.2.4 because the older operating system does not have the UNIX kernel where it is possible for UNIX experts to create security vulnerabilities in the UNIX-based system.
Also if the operating system has been completely rewritten with lots of fancy superficial features and therefore looks like a brand new technology or if the operating system is used by many people, the security vulnerabilities are likely to be found to a much higher degree than well-established operating systems and/or operating systems used by fewer people.
Price can also be an indication on the quality of the security shown by an operating system. As a general rule of thumb, if the operating system is very low-cost or free, don't be surprised if there was little if any quality control checking in the security aspects of the technology. Good security checks is usually expensive and this tends to be reflected in the price.
Finally, be careful when security companies claim MacOSX is more secure than Windows 2000 systems. It is more likely the reverse might be true because more people are using Windows and are therefore able to expose a greater number of security flaws than MacOS. So long as Microsoft Corporation makes the effort to fix up the security flaws quickly (i.e. less than 6 months after a security flaw is reported to Microsoft by a consumer), it could end up being that Windows 2000 might be the more secure operating system.
Or it might be true that Microsoft Windows is more insecure than OS X. More work certainly needs to be done in this field to determine the security of all operating systems.
- Online shopping is now one of the most secure methods of purchasing products compared to using a telephone to talk to a sales assistant or going there in person and risking the possibility of a shop double swipping your credit card for fraud purposes.
- For the best security, choose online shops that are reputable. For more obscure shopping sites, check to see how long the sites remain online and see if anyone is updating the sites. Generally the longer the sites have been around and is constantly being updated, the more reputable and safer the sites. Do a search on the internet or go to online forums to gather extra information from other people about what they think about the sites you may wish to do some shopping with.
- Never pay for goods online with cash. It is also a good idea not to send money orders unless you are comfortable with the shopping sites (e.g. you have successfully made purchases in the past through them).
- You should not send payments to PO Box addresses.
- Be especially careful of addresses that appear to be different from the one listed on the official and correct web sites of genuine businesses. For example, it is okay if say SUNRISE wants to change the email address. However, we never accept payments through email addresses. But if the physical address (PO Box or whatever) is different from what is published on our web site, do not send the payments to us (or what seems to be us) under any circumstances.
- It is also wise not to bank or wire transfers to the online sellers. We strongly recommend the credit card approach to making an online purchase as the technology for protecting you against fraud and getting your money back should anything go wrong is available to you.
- Do not do your online shopping at a public internet cafe or other public places. It is possible strangers may use your computer to recover the cookies you used to make purchases.
- Want to purchase items through an auction site? For the highest security, stick to the site. Never be lured off the main auction site to a place clearly having a different web site address. If you do, check out the address carefully by doing an internet search and ask the main auction site whether they have endorsed this alternative address. If you want to try another auction site to get a better deal, copy the web address of the new auction site, go into the preferences or internet options menu command of your browser and clear all the cookies, cache and web history, then paste the new web address and do your browsing from there.
When making a purchase using a credit card, only provide the essential personal and financial information needed to make the purchase. You don't need to give your life history, body size, age, sex, marital status, income level, profession, shopping preferences, names of family members and so on. And never under any circumstances should you ever provide the seller your Tax File Number, Passport number, social security details, bank account details including PINs and passwords. These are all irrelevant to making a purchase. Even if it is part of a marketing survey, you do not have to give extra information to make the purchase. The most information you ever have to provide is (i) the name as it appears on your credit card; (ii) the credit card number, expiry date and security code; (iii) the address where your credit card statement is sent; (iv) the postal address if it's different from your statement address; (v) your telephone number as some financial institutions require that sellers contact the customer to personally validate their identity and yours; and (vi) an email address (especially if delivering products to email accounts).
SPECIAL NOTE: Want to fill in online marketing surveys to receive a free gift? Make sure you are not going to make a purchase. Clear all cookies, cache and history and visit the site you want to fill the online form. When you are ready, make up any name and other details you like except for the delivery address where you want the gift sent to. The delivery address should be PO Box or ask a friend to accept delivery of the gift on your behalf.
NOTE: To stop fraudsters from grabbing enough personal information to electronically impersonate you as needed to pass the 100-point identity test to get a bank account and obtain credit in your name, shred or destroy all paperwork and letters containing your personal details. Set up a PO Box to have such letters delivered for maximum security. This will make it much harder for thieves to work out all your personal information.
Also consider making all your passwords relatively hard to figure out. To make it easier for yourself, use a combination of familiar names, dates, favourite colour and other information combined to form one main password and make a slight variation of the password for different systems requiring a password. Firstly the combination of familiar letters and numbers in your mind makes it harder to work out by a stranger, makes it easier for you to remember, and you have extra protection in case one of your passwords is revealed to a stranger. Because once you know one of your passwords has been compromised, you have time to change it and inform the appropriate authorities of a security breach.
Your aim is to find a password that is easy for you to remember, but too difficult for a stranger to work out unless they know you intimately (i.e. they must be you), and you don't use the same password in more than one place in case the unexpected happens and a stranger somehow works out your password.
Netiquettes and signatures
Be careful what you write at the end of your email messages when signing off. Signatures as they are called, are short, witty, humorous or wise statements used to express your view of the world and/or reveal something of your personality. Such unnecessary remarks can help marketing experts understand how you think and behave and eventually what they can offer to you by way of products and services.
For example, if someone signs off with the words, "The truth is out there? Does anyone know the URL?", then look out. The person is likely to be quite young and may talk for hours about all sorts of things he/she has found on the Internet. For marketing experts, this person may be seen as somewhat naive and/or gullible and likely to buy any reasonably desirable product online. As another example, if someone writes, "Just remember, if the world didn't suck, we'd all fall off", it may reveal signs of pessimism with a tendency towards chronic depression as time passes. In essence, it is better not to add signatures at the end of your emails if you want to minimise other people's potentially undesirable insights into your personality or risk the possibility of alienation and misunderstanding. But if you want to add signatures to your emails, try telling a simple joke or quote a wise statement using other people's words and thoughts.
NOTE: You should not add humour to your emails unless you know your recipient well. If you wish to tell a joke, keep it simple and make sure it would not offend the recipient.
Although not strictly an issue of protecting your privacy, how much you communicate and how you actually communicate with others can still reveal quite a bit about you. Therefore, you should be aware of other etiquettes, or informal rules for behaving, on the Internet (known as Netiquettes).
- Don't write your email messages in the heat of the moment. You may regret it later. Read the email messages you receive from others carefully and, if you need to respond to any of them, do so in a courteous manner;
- When quoting someone else, keep it short and relevant;
- The same thing goes for writing an email message to someone using your own words. Nowadays, people are having to sort through and read up to 100 emails a day. So the last thing people want to see is an autobiography of your life or something else encyclopedic in nature;
- When joining a mailing list or newsgroup, avoid jumping in too quickly by asking common questions. Firstly, go to the Frequently Asked Questions (FAQ) page for a group you are interested in. Secondly, spend a few days monitoring the messages of other people in that group. That way, you begin to get a feel for the sorts of topics being discussed and the sorts of appropriate questions to ask; and
- Try not to CAPITALISE LETTERS in your message as this has come to be seen as a form of shouting.
- The same goes for those electronic diaries people like to put on special online repositories known as "weblogs" (or "blogs" for short). If you want to be careful about what you write online, try something creative that is not related to yourself in some way. Talk about something you've read or heard and put a funny slant on it. Again, this may reveal a little about you to others, but at least you are not giving away specific names of people, places, credit card details and so on;
Consider purchasing a combination of Norton Internet Security 2002, Norton Antivirus 2002 and Zone Labs' ZoneAlarm Pro firewall software, together with a utility to trash unnecessary Internet cookies, history files and logs. This is an effective system employed by an experienced programmer and Net user, Marius Cybulski, to deal with the security and privacy issues on the Internet. As Cybulski explains it:
"Unless a site specifically needs [cookies] to function, like Windows Update, I don't permit them. Why should I? For statistical purposes? So a site can remember me and customise itself to my preferences? I hardly consider that essential in exchange for knowledge of where I've been, what I did, and where I'll be going." (15)
Do not expect to rely entirely on your best hard disk driver security software like Apple's Password Security for a complete computer security system. Some people with the right technical skills can overwrite the hard disk driver with a select brand of another hard disk driver security software and then suddenly have access to the contents of the disk. For example, FWB's disk protection driver can be overwritten by the hard disk driver security software from Silverlining.
Furthermore, the most technically-proficient security-breaking experts like those at the CIA and other clandestine organisations can directly by-pass the hard disk driver security feature and go straight for a file recovery of all your data in all the other sectors of your hard disk using their special "black boxes". These boxes (containing a built-in high-speed hard disk) are also used by auditors and system administrators to do a routine check of the hard disk of company computers.
So only use the hard disk driver password security system to stop inexperienced computer users from accessing your computer. But always complement this security feature with a file/folder/Internet password "encryption" security software such as PGP Personal Privacy Package for US$19.95 for a top-notch security system.
NOTE: Auditors and system administrators do not need an employee's permission to access his/her company computer. With company permission, security experts are able to "image" or "copy" as many as 10 computers in a night using the special black box. However, if the computer is your own, security experts are required by law to obtain your permission first before copying your hard disk. You can say "No" if you like. There is no law that says you must provide your hard disk for inspection. The only exception to this rule is if the security experts have found clear evidence that a security breach has taken place through the use of your computer, in which case a warrant must be issued before your hard disk can be copied without your permission.