Security Issues of Internet

There are few security safeguards on the net. Information you leave on the net can be matched by IP address, email address, name, phone number, and other information to assemble a detailed profile of your opinions, surfing patterns, and buying habits.

Any information you leave in a public area on the Internet, including Usenet news groups, mailing lists, chat groups, web sites, and MUD's is considered to be placed in the public domain. Anybody can access and make use of this information. Web sites can use cookies to record your surfing patterns on their site, and advertising sites can use cookies to track your surfing patterns across different web sites that they serve.

The typical home user need not take extreme precautions, but should be aware of these issues. There are security sections for each of the Internet's technologies - Email Security, Web Security, Usenet Security, IRC Security, MUD Security, Mailing Lists Security. The following sections describe security issues related to the Internet in genera.

Confidentiality

Surfing is fairly confidential, but posting information is not. Confidentiality of communications is the primary security concern of the average Internet user. Most importantly, you should be aware that when you post anything to a public newsgroup, mailing list, or chat room, you probably give up the rights to it. In most countries, anything you post publicly can be saved, archived, duplicated, distributed, and published, even years later, by anyone in the same way as a photograph taken in a public space like a city park.

Browsing is fairly confidential. Although individual web sites can track your activities while you visit their site, this usually doesn't put your confidentiality at risk unless you give them personal data like an email address, phone number, or birth date.

Risk to interception of your communications by a third party is unlikely unless you are under a legal investigation. However, it is technically easy to do. All of your Internet communications can be intercepted, read, stored, and passed on to others. Interception is directly possible at any of the typically between five and twenty-five routers through which your packets are switched. Direct physical interception through tapping into different types of copper network cable is straightforward with inexpensive equipment, enabling someone to copy all of the traffic on that network line. Tapping into fiber optic links is more difficult, but also quite possible.

Unless your communications are encrypted, you should assume they can be read by others, although it's quite unlikely in practice if for nothing else just because of the sheer volume of Internet traffic communicated every day.

Anonymizers

Anonymizers enable you to surf sites anonymously

How Anonymizers Work - Anonymizers retransmit Internet content.

An anonymizer removes all of your identifying information while it surfs for you, enabling you to remain one step removed from the sites you access.

Most anonymization sites create a URL by appending the name of the site you wish to access to their URL, as in the following:

http://anon.free.anonymizer.com/http://www.yahoo.com/

Once you anonymize an access with an anonymizer prefix, every subsequent link you select is also automatically accessed indirectly and anonymously.

Most anonymizers can anonymize at least the web (http:), file transfer protocol (ftp:), and gopher (gopher:) Internet services.

Anonymization will add up to a second or so of delay, depending on your Internet service and time of day. Some anonymizers keep a local cache of several hundred megabytes of commonly accessed sites, so that you can sometimes get a faster access to a site through the anonymizer than through direct access.

Chaining of anonymization links is not recommended, since it multiplies your risk to confidentiality by the number of nodes in the chain.

How to Use Anonymizers - You can anonymize sites one by one, or specify an anonymizer as your start page or proxy server.

To visit a page anonymously, visit your preferred Anonymizer site, and then enter the site you want to visit in the anonymization field.

If you set your web browser starting page to an anonymizer, then you can be sure that every subsequent web access you make will be anonymized.

Internet Explorer: Tools / Internet Options / General / Home Page
Set to http://anon.free.anonymizer.com/http://www.yahoo.com/

Netscape: Edit / Preferences / Navigator
Set to http://www.anonymizer.com/

You can anonymize bookmarks, by prefixing their URL's with the anonymization site address. You can visit an anonymized page, and add it to your bookmarks just like any other page.

You can anonymously provide password and other information to sites that request it, if you choose, without revealing any other information such as your IP address.

You can configure an anonymizer as your permanent proxy server by making the site name the setting for the HTTP, FTP, Gopher, and other proxy options in your applications configuration menu.

Internet Explorer: Tools / Internet Options / Connections / LAN Settings / Proxy Server
Set to www.anonymizer.com, port 8080

Netscape: Edit / Preferences / Advanced / Proxies / Manual proxy configuration
Set to www.anonymizer.com, port 8080

Note that proxy servers set up in corporate and institutional networks are usually focused on recording of access logs, and protection from viruses and malicious code, and may not provide identity confidentiality.

Anonymizer Limitations - Anonymizers protect your identify, but have several limitations.

Anonymizers have the following limitations:

HTTPS. Secure protocols like "https:" cannot be properly anonymized, since your browser needs to access the site directly to properly maintain the secure encryption.
Plugins. If you access a site invokes a third-party plugin, then you can't be assured that these programs won't establish independent direct connections from your computer to a remote site. Widely used, standard programs can usually be trusted.
Logs. All anonymizer sites claim that they don't keep a log of your requests. Some sites, such as the Anonymizer, keep a log of the addresses accessed, but don't keep a log of the connection between accessed addresses and users logged in.
Java. Any Java applications that you access through an anonymizer will not be able to bypass the Java security wall and access your name, email address, or file system. Some services such as the Anonymizer state that Java security is not compromised "if you use the URL-based anonymizer", but that it might be "if you use the anonymizer as a regular proxy", and that "We are currently investigating this issue and will post more info here shortly."
Active X. Presumably safe, authorized Active X applications are certified with a certificate number. Active-X applications have almost unlimited access to your computer system. They can access and reveal your name and email address, and they can access your file system to perform file creations, reads, and deletions. Your protection with Active-X is traceability -- if a program maliciously causes damage to your system you can track the author down through the certificate registration system.
JavaScript. Under most systems, the JavaScript scripting language should be secure, and not reveal data or perform destructive acts to your computer system. Some services such as the Anonymizer state that there may be a security problem "if you use the URL-based anonymizer, so the URL-based anonymizer disables all JavaScript", and that "If you use the anonymizer as a regular proxy, then JavaScript is safe and is left enabled."

Remailers

Remailers let you send and receive email while keeping your real email address secret. Remailers are sites that retransmit your email with an anonymous return address. While encryption provides protection from reading your communications, remailing also protects knowledge of your email's destination.

The first widely used remailer was hosted by Johan Helsingius's in Helsinki, Finland. He eventually closed it down when a court case brought by the Church of Scientology forced him to reveal the real email address of a user that had posted information about the Church.

The two most currently popular type of remailers are described below:

Cypherpunk. Also called Type I remailers, and usually incorporate PGP encryption. You can chain Cypherpunk remailers, but each extra node in the chain increases the opportunities for communication interception.

Mixmaster. Also called Type II remailers. Mixmaster remailers are good for chaining to further obscure any connection between the email's source and destination. These remailers divide all mesages into fixed size packets, so that all communications between remailers look the same, greatly complicating any attempts at traffic analysis.
Most remailers also vary the retention time before remailing to help protect against time-based analyses.

Encryption

It's personal. It's private. And it's no one's business but yours. You may be planning a political campaign, discussing your taxes, or having an illicit affair. Or you may be doing something that you feel shouldn't be illegal, but is. Whatever it is, you don't want your private electronic mail (E-mail) or confidential documents read by anyone else.

For as long as people have needed to conduct private conversations across distances, communications have been encrypted by a variety of methods. The introduction of electronic communications networks raised a new problem -- how do two people establish secure communications when they live so far apart that they can't meet first to exchange a secret decryption key?

The solution to this problem is called Public Key Cryptography (PKC), an ingenious mathematical structure that doesn't need participants to meet, and is now used for almost all of the encrypted communications on the Internet.

Viruses

The Internet has been infected with viruses from its early years, and proper security precautions are now more important than ever.

Almost every computer is now connected to the Internet, giving viruses a convenient new path for infection, most commonly in email attachments. Some viruses are just annoying, but some are destructive. Some run silently in the background and give outside agents complete control of your computer without your knowledge whenever you are connected to the net. Therefore, it is very important that you run a virus protection program to protect your computer from these serious threats.

Passwords

A good password is your first security defence. You should always use a password on a computer where others may use it, so that no one can access your private information or use your Internet account and impersonate you on the net. From least to most secure, there are three types of passwords:

Have :- Things you have, such as door keys and pass cards. These can be lost or stolen.
Know :- Things you know, such as computer account and building alarm passwords. These can be copied if you are carefully observed while entering them.
Are :- Things you are, such as fingerprints, retina pattern, and other biometric passwords. Things you are so far can't be copied, and are the most secure.
For standard alphanumeric passwords, there are four rules for maximum security:

Pronounceable : The best password is at least eight letters, and pronounceable so that it is therefore memorable. In insecure environments with unmonitored access to your computer, your password should not be a recognizable word and include at least one number. The trick to easily making up passwords from pronounceable nonsense words is to combine letters in random "noun-vowel-noun" combinations, like "wegorand8", "tilupsam6", and "somican33". In lower threat environments you can use less complex passwords like "batman2", "cougar7", and "dandelion4".

Avoid Clichés : Lots of people use their birthday or spouse's birthday, the name of someone from their family or friends, the name of a favorite pet, or some other high profile subject for their password. Avoid obvious choices, since professional hackers try these first.

Recording : Don't write your password down. Well, ok, if you absolutely have to write it down, then don't store it in your wallet, put it in your desk drawer, or tape it to the bottom of a drawer or anything else. Instead, write it down somewhere unobtrusively in pencil on a document that you store in a file drawer with a lot of other documents, or in the inside margin of a book that you put on a shelf with a lot of other books. Therefore, even if someone had the time to search for it, it would be difficult to find. And, even if someone found it, it wouldn't be obvious what it was.

Uniqueness: Never use the same password for more than one purpose. Use separate passwords for your computer login, internet account, email account, and other functions. If you use the same password for more than one purpose, you run the risk that if someone knows one of your passwords then they can break into all of your accounts. (This rule may be relaxed for low threat environments like your home office).
Crackpassword.com maintains utilities to crack passwords.

| Back |