
Internet Protection

Stop Signs, Barricades and Firewalls:
Protecting your Systems on the Internet

The Internet

The Internet as we know it today is a collection of networks linked (internetworked) to provide connectivity worldwide to anyone able to connect and communicate using TCP/IP. Connections are usually made using an Internet Service Provider (ISP). This ISP is a commercial organization serving a subscribership of people and companies wanting Internet access. People and companies connect to the Internet using either dial-up or dedicated lines.

Much information today travels by way of Internet Electronic Mail (email). So much information is traveling through Internet email and other electronic means that, according to Postmaster General Marvin Runyon, "Electronic communication could cost the post office a quarter of its business." Runyon told the House Government Reform postal subcommittee, "A whole new breed of competition is growing. Banks, software, and phone services, even utility companies are wooing new customers with anti-mail offers."

While we may not lie awake at night pondering the fate of the United States Postal Service, it cannot escape our notice that this type of impact on the USPS shows the immensity of electronic information and communication. We all participate. As individuals, we dash off quick notes to friends and associates using email instead of letters. We bank by phone or by computer. We fax. We order products via the World Wide Web. We even order documents for delivery by email instead of mail. As companies, we demand electronic invoicing, electronic commerce, and electronic accounting. Gone are the days of old when corporate accountants went through company check registers - now the bank does it using special software that interacts with the company's G/L system.

Much of this critical information travels through cyberspace using the now-famous "Information Superhighway" that is the Internet. As more of us connect our individual PCs and Macs to the Internet, and as greater numbers of businesses connect their LANs, WANs and legacy systems to it, there is an ever-increasing danger that unwanted connectivity will lead to compromise of information and loss of secrecy. If all of this information is sent electronically, is it not reasonable to assume that it is stored electronically as well?

According to Reed Karaim, in The Invasion of Privacy, (Civilization, Oct/Nov 96), "It is now taken for granted that our finances, political predisposition, consumer preferences, even our sexual habits are a legitimate matter of public record - ideas that would have been considered a vision straight out of '1984' not that long ago." Information about individuals is being bought and sold, and people have surrendered to the idea of losing their privacy. Information brokers can learn where you have lived, your household income, your age, height, weight, eye color, marital status, and your mortgage information; even detailed information about your home, bank balances, credit cards, phone call records, and medical history are available easily.

The Problems

The problem is simple: you want to surf the net conveniently without compromising your private information. That's all.

In a previous column, we wrote about Surfing the Net and Other Dangerous Computer Tricks, including viruses, cookies and other monsters. We described what Java and ActiveX applets can do to your system and to your privacy. We also described how even cookies can divulge information you want to keep private.

To us, private information is any information you do not want made public. If you don't want a web site you visit to know the speed of your modem, yet that site plants a cookie or runs an applet that gives them that information without your knowledge, then your privacy has been invaded. This happens - the more honest sites ask your permission first. The others just get the information covertly.

There is other, more private information on your computer. Let's say you use Quicken, the money management software from Intuit. This is by far the most popular of all personal money management programs. There are four files that contain most of your data - their total size is probably only a few hundred kilobytes, most probably less than one megabyte. If I want your information, I can entice you to visit my mythical web site. I can set up and advertise a web site that offers free information to investors with $50,000 or more to invest. As you browse my web site, I do two things.

First, I capture your email address. This is easy to accomplish in several ways - not the least of which is that while you are browsing my web site, I can cause you to send me an email message without your knowledge. In this way, I can capture mailing lists of people who purportedly have $50,000 or more to invest. Imagine the junk mail you will suddenly start receiving if I choose to sell that list.

Second, I can do something much more damaging: I can steal files off your computer. By running various applets or scripts, I can cause your system to transmit your Quicken data base to my web site. If successful, I will have captured all of your private accounting data, including your credit card numbers, probably your social security number, and even your available credit on those accounts.

Is this likely to happen to you? Probably not. But it could happen, and it will happen to more and more people as time goes on unless we all take steps to protect ourselves. Just as you wouldn't go to a dark ATM at midnight in an unfamiliar area, you should not visit an unknown web site without some protections.

The Solutions

The solution is to protect yourself when using an untrusted network. The Internet is the archetypal untrusted network, even though there may be sites that you trust.

The simplest first solution is to enable the protections that came with your browser and your system. Disable Java and ActiveX when visiting unknown web sites. Do not accept cookies and do not run applets and scripts. The page may not look as pretty, but at least you won't lose your privacy. These protections are the signal lights: warning dialogs that appear when a site you are visiting attempts to send or retrieve a cookie, or run an applet or script. Take advantage of this warning system to stop the process unless you know the site you are visiting is a trusted site.

If you are accessing the web using your company's Internet connection, make certain you are not in violation of your company's Internet Policy (if they don't have one, tell them they need one fast). If you are going to do some extensive browsing, log off your network if you can. At the least, detach from as many servers as you can. If you are logged in to your network, and you encounter a web site such as the mythical one I described above, your network connection gives that site access to the network just like your own personal access. If you can get the file, so can the web site.

One of the best protections you can install is a Firewall. This is not the traditional firewall that stops fires from spreading; it is a system that controls access into and out of your network. If you have a properly configured firewall and a solid security policy that it implements, the firewall will identify and close any connections that are attempting a security breach. Routers may provide some protection, but only a full-fledged firewall can implement a strict policy that protects an enterprise against unscrupulous WWW sites, FTP accesses and Telnet attempts. We will discuss firewalls in more detail in a future column.

Copyright © 2002-2007 Michael Miora