HQS

Safe Surfing

Tips from Heliotrope Quality Systems

Here is my overview of Internet security. I am thinking mainly about the World Wide Web, but also about security in general. I have found these ideas in many places over the years, so I can't attribute most of them with any accuracy. I can't claim to have contributed to the subject myself, nor to have covered it completely. Still, you are welcome to this advice.

It's wise to be cautious

There are people out there who wish you ill, and others who are just careless. No one is "in charge" of the Internet, and there is essentially no body of law to protect you. You are proceeding at your own risk, though in the company of millions of other pilgrims who have exposed many of the pitfalls for your safety.

The biggest hazards on the Internet are the same ones you find in other places, but they may go unrecognized in an unfamiliar setting. For example, you may forget that information you transmit may be routed through many intermediate computers in distant places, and you can have no idea of how many people could examine it if they chose to. Also, digital communications can be intercepted and analyzed more rapidly and more cheaply than analog phone conversations.

Can you keep a secret?

The greatest danger, as I see it, is that someone will ask you for information, and you will provide it before you consider the risks. Use the same precautions you use on the telephone. Some web sites work with your browser to encrypt sensitive information, but that is protection against interception, not against misuse or loss of your data by the person on the other end.

Use long passwords

Possibly the second greatest mistake is to use short passwords for your accounts. You wouldn't lock your storage shed with a two-digit combination lock, and you shouldn't lock your files with a five-character password. Some people can use a single guessed password to compromise an entire network.

Don't let strangers play with your machine

Another great danger is downloading a program to run on your computer. Even if the program is free of viruses, you are turning over the entire capability of your machine to the author of the program. Anything you can do, this stranger can do. Your basic protection against this threat is to keep backup copies of everything you consider important. You should do this anyway to guard against equipment failure. Besides that, download only from sources you trust. You can add a layer of safety by getting an inexpensive computer just for use on the Internet. (This will cut down on competition for time on the other machine, too, but you will sometimes have to transfer files from one machine to the other.)

A related risk is the new world of Java and JavaScript on web sites. These are, in fact, programs that run on your computer, but with your web browser watching them. The browsers are supposed to prevent them from doing anything harmful, but there were numerous bugs in the early versions, and cybervandals are staying up late at night looking for more weaknesses. I keep my browser options set to ignore these programs, enabling them only when I both trust the web site and need the function they provide.

Cookies

I'm not quite sure what to think about cookies. These are short pieces of information that web server machines wish to write on your disk so that they can read them back later. Sometimes they are intended to save you the effort of typing in passwords or other information every time you visit the web site. More often, they allow the web site owner to measure how often you visit, how long you look at each section of their site, and what fraction of visitors to one section also look at a related section. An enlightened site host might use these statistics to offer you ads that are likely to interest you instead of a random selection, but you have absolutely no control over any use they may choose to make of them. On the bright side, they cannot know who you are exactly unless you tell them. They can't steal your E-mail address or the contents of your checkbook register. However, I have seen claims that they can read cookies stored by other web sites, so I do not let them store my passwords, just in case. Actually, the browser I normally use lets me block any or all of the cookies that the web servers try to set, and I do. Another option is to delete the cookie file(s) whenever you start your computer as part of your startup script.

Viruses

Viruses are a threat any time you install new software. The risk runs from near zero when you buy from the big publishers such as Microsoft to near 100% when you download from a university network. Always test with a virus detector less than three months old, and preferably with two or three in case one has been spoofed. If you use Microsoft Word and Excel, you also need to test for a kind of virus in documents and spreadsheets that changes the items in the pulldown menus across the top of your screen. Viruses are another reason to back up your files. Some recommend keeping three or four generations of backups in case you overlooked a virus some time ago. (One way this can happen is that the virus was too new for the checking program to recognize. That's why you need the latest version of the program.)

There is no known way to pick up a virus by reading E-mail. (That is, if you have kept up with security updates from Microsoft. If you have not visited the Windows update site in the last month, do it now!) Warnings about Good Times, etc. are nothing but a kind of meta-virus that wastes your time reading them and passing them on. However, if an executable program is attached to a message, it should be treated the same as any other program you might decide to run. Test it for viruses before you execute it, and consider the source. An executable attachment will have a name ending in .exe, .vba, or .scr.
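As an added illustration (not part of the original article), here is a short Python check that lists the attachments in a message whose names end in one of the extensions named above, including names that hide the real extension behind a harmless-looking one. The function names, addresses and sample message are constructed for this example.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions the article names as executable attachments.
EXECUTABLE_EXTENSIONS = (".exe", ".vba", ".scr")


def risky_attachments(raw_message: bytes) -> list[str]:
    """Return the filenames of attachments whose final extension is listed."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    flagged = []
    for part in msg.walk():
        name = part.get_filename()  # None for parts that carry no filename
        if not name:
            continue
        # Only the last extension decides how the file is opened, so
        # "holiday.jpg.SCR" counts as .scr. Compare case-insensitively.
        if name.strip().lower().endswith(EXECUTABLE_EXTENSIONS):
            flagged.append(name)
    return flagged


def build_sample() -> bytes:
    """Build a constructed message with one harmless and two risky names."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "reader@example.com"
    msg["Subject"] = "Constructed sample"
    msg.set_content("See attached.")
    for name in ("notes.txt", "holiday.jpg.SCR", "setup.exe"):
        msg.add_attachment(b"placeholder", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()


if __name__ == "__main__":
    for filename in risky_attachments(build_sample()):
        print("scan before running:", filename)
```

A name on this list only tells you which files to scan and think twice about; it says nothing about whether the file is actually infected.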

Merely having an infected program on your disk will cause no damage. The program must run to do anything. However, you can inadvertently run a bootup program by leaving a floppy disk in your disk drive when you power up. All the virus checkers I know of test for these boot-sector viruses along with the others when you scan a floppy, but it's good practice to check that the drives are empty when you power down, and again when you power up. The trick here is that the disk may have only data files, not program files, outside the boot sector, and boot files are normally not included in directory listings. Therefore, it is better to scan all floppies you receive, even if they appear to be blank or simple data.

Don't lose sleep over it

I hope this has reassured you, rather than frightening you. Just as you buckle up when you get into your car, you must take a few precautions when you surf the Net. Use strong locks, be careful talking to strangers, and remember that not everybody is your friend. Then enjoy the ride!

