Paranoia runs rampant when it comes to transaction security over web-based, land line and mobile communications technologies. Our goal here is to side-step emotionally charged topics that inevitably lead to paranoia; and, instead, provide an objective appraisal of the most salient issues.

The standard issues are addressed here first, and new ones will be added as we become aware of them.

The issues fall into two major (partially overlapping) categories: Internet Security and Internet Privacy. The first is mainly about your computer’s interaction with the Internet, while the second addresses your personal identity and records and how they might be compromised during Internet transactions.

Internet Security

Routers

If you are using a computer at work, or with the advent of cable modems at home, you might want to place your home computers behind a router that uses network address translation (NAT). NAT enables multiple computers to access to the Internet over a single high-speed link. NAT also typically has the effect of preventing connections from being established inbound into your computer, whilst permitting connections out. Getting a router in your home improves the security of a home LAN; some people consider that they don't need a firewall if they have a router.

Firewalls

A firewall is a possible solution to someone with only one computer in their home, or someone with another need for it. What it can do for you is block traffic to all except authorized ports on your computer, thus restricting access. A stateful firewall is even more cautious about what it permits through, and the most cautious system administrators often combine a proxy firewall with a packet-filtering firewall to create defense in depth. Most home users would use a software firewall, while some high risk servers and computers might need a hardware firewall.

Anti-virus

Some hackers, and in some cases unreputable companies, write programs called computer viruses, worms, trojan horses and spyware. These programs are all characterised as being unwanted software that install themselves on your computer through deception. Trojan horses are simply programs that conceal their true purpose or include a hidden functionality that a user would not want. Worms are characterised by having the ability to replicate themselves and viruses are similar except that they achieve this by adding their code onto third party software.

Once a virus or worm has infected a computer, it would typically infect other programs (in the case of viruses) and other computers. Viruses also slow down system performance and cause strange system behavior and in many cases do serious harm to computers, either as deliberate, malicious damage or as unintentional side effects. In order to prevent damage by viruses and worms, you need either to completely isolate your computer from dangers (impractical for many people or networks) or install antivirus software, which typically runs in the background on your computer, detecting any suspicious software and preventing it from running.

Generally anti-virus software may also be used to scan all of the files on a computer occasionally for extra peace of mind. Because of the continuing increase in the number of viruses and worms being identified, all good anti-virus software includes a facility to regularly update the data that is used to identify viruses. As well as the commercial antivirus programs, which generally require an annual subscription, there are free antivirus programs available, but the best commercial programs appear to be a little more reliable at present.

Several companies provide a comparison of the performance of different antivirus programs which should be useful in making a decision as to which to use. Some malware programs that can be classified as trojans with a limited payload are not detected by most antivirus software and may require the use of other software designed to detect other classes of malware, including spyware.
 

Anti-spyware

There are several kinds of threats of piracy:

Spyware is software that runs on a computer without the explicit permission of its user. It often gathers private information from a users computer and sends this data over the Internet back to the software manufacturer.
 

Adware is software that runs on a computer without the owner's consent, much like spyware. However, instead of taking information, it typically runs in the background and displays random or targeted pop-up advertisements. In many cases, this slows the computer down and may also cause software conflicts.

You’ll find more on Internet privacy in the next major section.
 

Browser Choice

Internet Explorer is currently the most widely used web browser in the world, making it the prime target for phishing and many other possible attacks. This has caused some users to switch to different browsers, such as Opera, Firefox, or, better yet, TorPark (a version of Firefox that conceals your location). We do not recommend using Internet Explorer under any circumstances if security or privacy are a concern.

Internet Privacy

Internet privacy consists of privacy over the media of the Internet: the ability to control what information one reveals about oneself over the Internet, and to control who can access that information. Many people use the term to mean universal Internet privacy: every user of the Internet possessing Internet privacy.

Internet privacy forms a subset of computer privacy. Experts in the field of Internet privacy have a general consensus that Internet privacy does not really exist. Privacy advocates believe that it should exist.
 

Levels of privacy

People with only a casual interest in Internet privacy need not achieve total anonymity. Regular Internet users with an eye to privacy may succeed in achieving a desirable level of privacy through careful disclosure of personal information and by avoiding spyware. The revelation of IP addresses, non-personally-identifiable profiling, and so on might become acceptable trade-offs for the convenience that such users would otherwise lose in using the workarounds needed to suppress such details rigorously. On the other hand, some people desire much stronger privacy. In that case, they may use Internet anonymity to ensure privacy -- essentially making use of the Internet without giving any third parties the ability to link the Internet activities to personally-identifiable information of the Internet user.

Risks to Internet privacy

Those concerned about Internet privacy often cite a number of privacy risks -- events that can compromise privacy -- which one may encounter through Internet use. Unfortunately, given the complexity of Internet privacy, many people do not understand the issues. Therefore this section covers not only "real" privacy risks, but also risks perceived as overemphasized.

Malicious Cookies

Cookies have become perhaps the most widely-recognized privacy risk, receiving a great deal of attention. Although HTML-writers most commonly use cookies for legitimate, desirable purposes, cases of abuse can and do occur.

An HTTP cookie consists of a piece of information stored on a user's computer to add statefulness to web-browsing. Systems do not generally make the user explicitly aware of the storing of a cookie. (Although some users object to that, it does not properly relate to Internet privacy, although it does have implications for computer privacy, and specifically for computer forensics).

The original developers of cookies intended that only the website that originally sent them would retrieve them, therefore giving back only data already possessed by the website. However, in actual practice programmers can circumvent this intended restriction. Possible consequences include:

The possible placing of a personally-identifiable tag in a browser to facilitate web profiling, or, possible use in some circumstances of cross-site scripting or of other techniques to steal information from a user's cookies.

Many users choose to disable cookies in their web browsers. This eliminates the potential privacy risks, but may severely limit or prevent the functionality of many websites. All significant web browsers have this disabling ability built-in, with no external program required. As an alternative, users may frequently delete any stored cookies. Some browsers (for example, Mozilla Firefox) have an option to have the system clear cookies automatically whenever the user closes the browser. A third option involves allowing cookies in general, but preventing their abuse. There are also a host of wrapper applications that will redirect cookies and cache data to some other location. The Private Internet Browsing feature found in the CryptoStick Software Suite redirects all Internet Explorer information to a USB flash memory device. This prevents the storing of browsing information on the actual computer: the information goes off-system when the user removes the USB flash memory device from the computer.

Browsing profiles

The process of profiling (also known as "tracking") assembles and analyses several events, each attributable to a single originating entity, in order to gain information (especially patterns of activity) relating to the originating entity. On the Internet, certain organizations employ profiling of people's web browsing, collecting the URLs of sites visited. The resulting profiles may or may not link with information that personally identifies the people who did the browsing.

Some web-oriented marketing-research organizations may use this practice legitimately, for example: in order to construct profiles of 'typical Internet users'. Such profiles, which describe average trends of large groups of Internet users rather than of actual individuals, can then prove useful for market analysis. Although the aggregate data does not constitute a privacy violation, some people believe that the initial profiling does.
Profiling becomes a more contentious privacy issue, on the other hand, when data-matching associates the profile of an individual with personally-identifiable information of the individual.

Governments and organizations may set up honeypot websites - featuring controversial topics - with the purpose of attracting and tracking unwary people. This constitutes a potential danger for individuals.

IP addresses

Every device on the Internet (including each online computer) has an IP address, an identifying numeric code used to route data. The Internet Service Provider (ISP) through which the device connects may assign this address semi-permanently (for example, for the duration of the lifetime of an account) or temporarily (many dial-up connections, for example, get assigned new IP addresses each time they connect).

Every packet (piece of data) moving through the Internet gets tagged with the IP addresses of its source and of its intended destination. The proper working of the Internet depends on such routing information. Consequently, any direct connection between two devices on the Internet (such as when a personal computer reads a website) reveals both IP addresses to both parties.

An IP address sometimes becomes a personally-identifiable datum, and therefore potentially subject to privacy concerns. An IP address identifies its user's ISP, and often identifies its user's (or the ISP's) nation, region/province/state, and sometimes even city. The amount of information deducible from an IP address depends on the ISP's policies. See also: DNS, whois.

Any web site can track the movements of users through its pages by their IP addresses. This can serve for profiling within a single site.

An IP address provides the minimum amount of information needed to attack a computer over the Internet.

People seeking Internet anonymity usually have an interest in hiding their IP address from third parties. One can only do this (without loss of Internet use) by connecting through one or more anonymous proxies - special Internet servers that connect to remote hosts (a web site, for example) on behalf of the user. The remote host communicates with the proxy, and receives the proxy's IP address rather than the real user's. The proxy, however, knows the IP address of the user, and sees all data passing between the user and the website; therefore the anonymous proxy has the opportunity for abuse of the user's privacy, whether intentional or accidental. Onion routing offers one method of addressing this problem; as used in such systems as Tor, I2P and Freenet.
 

ISPs

Consumers obtain Internet access through an Internet Service Provider (ISP). All Internet data to and from the consumer must pass through the consumer's ISP. Given this, any ISP has the capability of observing anything and everything about the consumer's (unencrypted) Internet activities; however, ISPs presumably do not do this (or at least not fully) due to legal, ethical, business, and technical considerations.

ISPs do, however, collect at least some information about the consumers using their services. From a privacy standpoint, the ideal ISP would collect only as much information as it requires in order to provide Internet connectivity (IP address, billing information if applicable, etc). A common belief exists that most ISPs collect additional information, such as aggregate browsing habits or even personally-identifiable URL histories.

What information an ISP collects, what it does with that information, and whether it informs its consumers, can pose significant privacy issues. Beyond usages of collected information typical of third parties, ISPs sometimes state that they will make their information available to government authorities upon request. Often, such a request need not involve a warrant.

An ISP cannot know the contents of properly-encrypted data passing between its consumers and the Internet. For encrypting web traffic, https has become the most popular and best-supported standard. Note however, that even if users encrypt the data, the ISP still knows the IP addresses of the sender and of the recipient. (However, see the IP addresses section for workarounds.)

Data logging

Many programs and operating systems are set up to perform data logging of usage. This may include recording times when the computer is in use, or which web sites are visited. If a third party sufficient access to the computer, legitimately or not, this may be used to lessen the user's privacy. This could be avoided by disabling logging, or clearing logs regularly.

[Note: Some of the material in this section has been extracted with permission from Wikipedia, the Internet community-based encyclopedia.]

[Home] [Issues] [Security News] [Products] [Library] [Virus Tracker] [Links]