Chapter 2
In This Chapter
Taking a look at the dangers that lurk on the Net
Protecting your online privacy
Understanding how viruses can infect your computer
Preventing spyware-makers from installing unwanted software on your PC
Controlling how much junk email you’re stuck looking at
Keeping yourself and your family safe online
We like the Internet. It has been part of our lives — and livelihoods — for years. We’d love to tell you that all the stuff you may have read about the dangers of connecting a computer to the Internet is hype. We can’t. The success of the Internet has attracted unsavory people who view you as a money tree ready to be plucked. (Nothing personal — they see everybody that way.) In a few countries, perpetrating Internet fraud is now a major part of the national economy.
Even if no one steals your money, people can collect information about your online activities, which results in a real loss of privacy. And, some people are trying to take over your computer so that they can use it for nefarious purposes. When a new computer is hooked up to the Internet, it isn’t a question of whether it will come under cyberattack, but when. And not in months or days — but in hours or minutes.
When you combine the Internet with cellphones and global positioning systems (GPSs), privacy issues become even scarier. Cellphone providers can tell where you are whenever you have your phone with you. Phones or other online devices with a GPS can help you find your way around, but they can also report on your whereabouts.
Now that we’ve given you the bad news, relax: The Internet doesn’t have to be a dangerous place. Using the Internet is like walking around a big city — yes, you need to be careful, use some protection, and stay out of dangerous areas, but you can also safely take advantage of the wonders that the Net has to offer.
This chapter describes the types of issues that abound on the Internet:
Throughout the rest of this book, we include instructions for staying safe by using a firewall, a virus checker, a spyware scanner, and some common sense. Chapter 3 talks about rules for letting kids use the Internet, and most of the suggestions make sense for grown-ups, too.
Advances in technology are eroding the privacy that most of us take for granted. Technologies we use every day — credit cards, cellphones, electronic key cards, and automobile toll transponders — allow our every purchase and movement to be tracked. The Internet is an extension of this trend. Many of your online activities can be watched and recorded — sometimes for innocent reasons and sometimes not.
All this is further compounded by the amount of public information that is now conveniently available to people all over the world via the Internet. When paper records were maintained by government officials and people had to visit the office and dig through files for the specific information they wanted, a lot less information abuse was possible. Now the potential exists for anyone anywhere to access information about people hitherto unknown, and to gather information from various sources, including online directories. Distance and time are no longer enough of a deterrent.
Some people worry that snoops on the Net will intercept their private email or web pages. That’s quite unlikely, actually, other than in the specific case of public Wi-Fi networks (see the sidebar “The perils of free Wi-Fi,” later in this chapter) or government surveillance, which is beyond the scope of this book. The more serious problem is that advertisers build profiles of the sites you visit and the stuff you buy. Most web ads are provided by a handful of companies, such as Google’s DoubleClick, AOL’s Advertising.com, and Microsoft’s Razorfish, which can use their ads to determine that the same person (you) is visiting a lot of different websites. Using this information, these companies can create a profile. They say they don’t create these personal profiles, but they don’t say they won’t in the future.
Several techniques for gathering information about you as you use the Internet, or tricking you into providing information, are described in the next few sections.
Although the Internet seems completely anonymous, it isn’t. People used to have Internet usernames that bore some resemblance to their true identities — their names or initials or some such combination in conjunction with their university or corporation names gave fairly traceable routes to real people. Creating a new email address now takes just a few minutes, so revealing your identity is definitely optional.
Depending on who you are and what you want to do on the Net, you may, in fact, want different names and different accounts. Here are some legitimate reasons for wanting them:
The anonymous, faceless nature of the Internet has its downside, too. To protect you and your family, take these simple precautions:
Although relatively rare, horrible things have happened to a few people who have taken their Internet encounters into real life. Many wonderful things have happened, too. We’ve met some of our best friends over the Net, and some people have met and subsequently married. We just want to encourage you to use common sense whenever you set up a meeting with a Net friend. A person you email or swap instant messages with is still largely a stranger, and if you want to meet in person, take the same precautions you would take on a first date with someone you don’t know: Meet in a public place, perhaps with a friend along, and be sure that your family knows where you are and when you’re planning to be back.
The Net is a wonderful place, and meeting new people and making new friends is one of the big attractions. We just want to make sure that you’re as careful as you would be in the rest of your life.
Phishing is the fastest-growing Internet crime, and you’re the target. The good news is that protecting yourself is easy when you and your family know how to spot the phish-hook.
Learn what phishing looks like. After you start using the Internet and receiving email (as described in Chapter 8), there’s an excellent chance that you’ll receive a message like this one:
Subject: Ebay Important Warning
From: eBay Billing Department! <[email protected]>
eBay Fraud Mediation Request
You have recieved this email because you or someone
had used your account to make fake bids at eBay.
THE FRAUD ALERT ID CODE CONTAINED IN THIS MESSAGE
WILL BE ATTACHED IN OUR FRAUD MEDIATION REQUEST FORM,
IN ORDER TO VERIFY YOUR EBAY ACCOUNT REGISTRATION
INFORMATIONS.
Fraud Alert ID CODE: 00937614
Please access the following form to complete the
verification of your eBay account registration
informations:
http://www.eBay.com/cgi_bin/secure/Fraud Alert ID CODE:
00937614
If we do not receive the appropriate verification within
48 hours, then we will assume this eBay account is
fraudulent and will be suspended.
Regards, Safeharbor Department (Trust and Safety
Department), eBay Inc.
Sounds authentic and scary, doesn’t it? Think you had better deal with this message right away? Better think again. You are the phish, and this message is the bait. The underlined text in the middle is the hook. Click it and soon an official-looking page appears that looks just like an eBay sign-in page. After you enter your username and password, another official-looking page asks for your credit card number, PIN, billing address, checking account details (complete with a helpful graphic so that you can find the right numbers on your personal checks), Social Security number, date of birth, mother’s maiden name, and driver’s license number. The page is smart enough to reject an invalid credit card number. If you fill in all the information and press Continue, you see a valid eBay page that says you’ve logged out. Then, who knows? The bad guys know enough about you to do anything from making a small purchase paid for by your credit card to full-scale identity theft that can take months or years to straighten out.
This message did not come from eBay. Millions of these types of messages are sent over the Internet every day.
Certain clues might alert you. The misspelled words “recieved” and “informations” suggest that the author is someone whose English skills are limited. And, if you take the trouble to save the email to a file and then print it, the underlined link in the middle of the message looks like this:
<a href="http://192.168.45.67/cgi_bin"> http://www.eBay.com/cgi_bin/secure/Fraud Alert ID CODE: 00937614</a>
The text between the angle brackets (< and >) is where the link goes in reality, to a website with a numeric address. (When we tried clicking the link two days after we got the mail, the website had already been shut down. Those eBay security folks are on the ball.)
Phishers have gotten a lot more skillful since the earliest phishes a decade ago, and now often have good editors and use a spell checker, so you can’t rely on spelling and grammar mistakes, although they’re dead giveaways when you spot them. Here are a few additional tips:
One trick phishers use to fool Internet users is website spoofing — tricking your browser into displaying one address when you’re actually at another site. Some browsers allow a website to show only its main address so that it doesn’t look so geeky. Phishers take advantage of this ability. Better web browsers offer protection against website spoofing — they always show the actual web address of the page you’re on.
To summarize, make sure that your family knows this rule well: Never, never, never enter passwords, credit card numbers, or other personal information at a web page you opened by clicking a link in an email.
Ever since the World Wide Web became a household word (okay, three words), companies have increasingly viewed their Internet presence as a vital way to advertise their goods and services and conduct their business. They spend millions of dollars on their websites and advertising email (the legitimate kind you actually asked for) — and want very much to know just how people use them. It’s small wonder that when you visit a site, companies can keep track of your actions as you move from link to link within the site. But they really want to know what you were doing before you entered their sites — and even more they want to know whether you read their mail. To gather this intelligence, they insert tiny images in mail messages that report your actions back to the mailer; they call these images web beacons, and everyone else calls them web bugs.
Most mail programs offer the option not to fetch images in mail messages from unknown or untrusted senders, which stops web bugs and also makes your mail reading faster.
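The two mail checks described in this chapter, a link whose visible text names one site while its real destination is another (or a bare numeric address), and remote images that report back when a message is opened, can be automated. The following Python sketch is an added example, not code from the book; the function names, the mailer.example and example.com hosts, and the sample message (apart from the link quoted earlier) are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from ipaddress import ip_address
from urllib.parse import urlsplit

URL_TEXT = re.compile(r"(?:https?://|www\.)\S+", re.IGNORECASE)  # link text that looks like a URL


class MailScanner(HTMLParser):
    """Collect each link (href, visible text) and each <img> in an HTML mail body."""
    def __init__(self):
        super().__init__()
        self.links, self.images = [], []
        self._href, self._text = None, []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self._href, self._text = attrs["href"], []
        elif tag == "img":
            self.images.append(attrs)

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Host part of a URL, lower-cased and without a leading 'www.'."""
    if not re.match(r"https?://", url, re.IGNORECASE):
        url = "http://" + url
    try:
        host = (urlsplit(url).hostname or "").lower()
    except ValueError:
        return ""
    return host[4:] if host.startswith("www.") else host


def is_numeric(host):
    try:
        return ip_address(host) is not None
    except ValueError:
        return False


def inspect_mail(html):
    """Return (link warnings, remote images) for one HTML message body."""
    scanner = MailScanner()
    scanner.feed(html)
    link_warnings = []
    for href, text in scanner.links:
        real, reasons = host_of(href), []
        if is_numeric(real):
            reasons.append("destination is a numeric address")
        shown = URL_TEXT.match(text)
        if shown and host_of(shown.group(0)) != real:
            reasons.append(f"text shows {host_of(shown.group(0))}, link goes to {real}")
        if reasons:
            link_warnings.append((href, reasons))
    remote_images = []
    for img in scanner.images:
        src = img.get("src") or ""
        if src.lower().startswith(("http://", "https://")):  # fetched from the sender's server
            tiny = img.get("width") in ("0", "1") and img.get("height") in ("0", "1")
            remote_images.append((src, "likely web bug" if tiny else "remote image"))
    return link_warnings, remote_images


# Constructed sample: the link quoted above plus made-up harmless content.
SAMPLE = """<p>Please access the following form:
<a href="http://192.168.45.67/cgi_bin"> http://www.eBay.com/cgi_bin/secure/Fraud Alert ID CODE: 00937614</a></p>
<p><a href="https://www.example.com/help">www.example.com/help</a>
<a href="https://www.example.com/unsubscribe">Unsubscribe</a></p>
<img src="http://mailer.example/open.gif?id=CONSTRUCTED" width="1" height="1">
<img src="cid:logo" width="120" height="40">"""

if __name__ == "__main__":
    for part in inspect_mail(SAMPLE):
        print(part)
```

Only the eBay-lookalike link is reported; the link whose text matches its destination and the image embedded in the message itself (`cid:`) pass without a warning.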
When you browse the web (as described in Chapter 6), the web server needs to know who you are if you want to do things that require logging in, collecting items in a virtual shopping cart, or completing any other process that requires that the website remember information about you as you move from page to page. The most commonly used trick that allows websites to track what you’re doing is setting cookies. A cookie is a tiny file, stored on your computer, that contains the address of the website and codes that your browser sends back to the website every time you visit a page there. Cookies don’t usually contain personal or dangerous information; they’re mostly innocuous and — believe it or not — useful.
If you plan to shop on the web (described in Chapter 15) or use other web services, cookies make it all possible. When you’re using an airline reservation site, for example, the site uses cookies to separate the flights you’re reserving from the ones that other users are reserving at the same time. On the other hand, you might use your credit card to purchase an item or a service on a website and the site uses a cookie to remember the account with your credit card number. Suppose that you provide this information from a computer at work and the next person to visit that site uses the same computer. That person could, possibly, make purchases on your credit card. Oops.
Internet users have various feelings about cookies. Some of us don’t care about them, and some of us view them as an unconscionable invasion of privacy. You get to decide for yourself. Contrary to rumor, cookie files cannot get other information from your hard disk, give you a bad haircut, or otherwise mess up your life. They collect only information that the browser tells them about. Your web browser lets you control whether and when cookies are stored on your computer; see Chapter 7 for details.
The web browser equivalents of web bugs are tracking cookies. If several websites show ads from the same advertising network, the ad network can use cookies to tell whenever you’re looking at one of its ads. By piecing together the information from many websites, these tracking companies form a clear picture of where you go online — and what you look at when you get there. Many are careful to provide only statistical information to their clients, but the potential for abuse is there. It’s worth noting that US courts set a lower standard of protection for “business records” gathered in this way than they do for personal papers stored in our homes. Fortunately, most web browsers provide an option to reject third-party cookies, or cookies from anyone other than the source of the web page itself; this makes tracking cookies go away.
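To see why rejecting third-party cookies defeats this kind of tracking, here is a small model of a browser, three websites, and one ad network. It is an added example, not code from the book: the site names, the ads.example host, and the classes are all constructed, and the model compares exact hostnames where a real browser compares registered domains.

```python
from collections import defaultdict
from itertools import count

SITES = ["news.example", "shoes.example", "clinic.example"]  # constructed sites
AD_HOST = "ads.example"                                       # constructed ad network


class AdNetwork:
    """Hypothetical ad server: one cookie per browser, one log entry per ad shown."""

    def __init__(self):
        self._next_id = count(1)
        self.log = []  # (visitor id, site whose page embedded the ad)

    def serve_ad(self, cookie, embedding_site):
        visitor = cookie or f"visitor-{next(self._next_id)}"
        self.log.append((visitor, embedding_site))
        return visitor  # handed back to the browser as a cookie

    def profiles(self):
        seen = defaultdict(list)
        for visitor, site in self.log:
            seen[visitor].append(site)
        return dict(seen)


class Browser:
    def __init__(self, block_third_party):
        self.block_third_party = block_third_party
        self.cookies = {}  # host that set the cookie -> value

    def visit(self, site, ad_network):
        """Load a page on `site` that embeds one ad from AD_HOST."""
        # Simplification: real browsers compare registrable domains, not exact hosts.
        third_party = AD_HOST != site
        if third_party and self.block_third_party:
            ad_network.serve_ad(None, site)  # no cookie sent, reply's cookie discarded
        else:
            self.cookies[AD_HOST] = ad_network.serve_ad(self.cookies.get(AD_HOST), site)


def browse(block_third_party):
    """Visit every site once and return what the ad network could piece together."""
    network, browser = AdNetwork(), Browser(block_third_party)
    for site in SITES:
        browser.visit(site, network)
    return network.profiles()


if __name__ == "__main__":
    print("third-party cookies allowed:", browse(False))
    print("third-party cookies blocked:", browse(True))
```

With third-party cookies allowed, the network's log ties all three sites to a single visitor; with them blocked, each ad request looks like a different stranger.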
Cellphones and GPS receivers make the privacy situation even more complicated. Anyone with a cellphone can take pictures or videos of you and email them to friends or post them to the web, which can be anywhere from innocent fun to citizen journalism to seriously creepy. (We’ve read news reports of people standing with their cellphones at the foot of stairwells and escalators and trying to take pictures up girls’ skirts. Ewww.) Modern cellphones have built-in GPS receivers, primarily intended to provide your location if you call 911, but also potentially usable to track your location whenever the phone is on.
Lots of cellphone users want to be tracked. Travel apps (programs) like Yelp and Facebook can tell you about restaurants and attractions near you, but only if they know where you are.
You can download and install software directly over the Internet, which is a useful feature. If you need a viewer program to display and print a tax form or when you want to install a free upgrade to a program that you purchased earlier, it just takes a few clicks. How convenient!
However, other people can also install programs on your computer without your permission. Hey, wait a minute — whose computer is it, anyway? These programs can arrive in a number of ways, mainly by email or your web browser.
Computer viruses are programs that jump from computer to computer, just as real viruses jump from person to person. Computer viruses can spread using any mechanism that computers use to talk to each other, such as networks, data CDs, and DVDs. Viruses have been around computers for a long time. Originally, viruses lived in program files that people downloaded using a file transfer program or their web browsers. Now most viruses are spread by opening files that are sent by email, as attachments to mail messages.
There was a time long ago when people in the know (like we thought we were) laughed at newcomers to the Internet who worried about getting viruses by email. Email messages back then consisted only of text files and could not contain programs. Then email attachments were introduced. People could then send computer software — including those sneaky viruses — by email. Isn’t progress wonderful?
When a virus lands on your computer, it has to manage somehow to get executed. Getting executed in computer jargon means being brought to life; a virus is a program, and programs have to be run in order to start doing their nefarious work. After a virus is running, it does two things:
In the good old days, virus writers were content just to see their viruses spread, but like everything else about the Internet, virus writing is now a big business, in many cases controlled by organized crime syndicates.
Don’t worry too much about viruses — excellent virus-checking programs are available that check all incoming mail before the viruses can attack. In Chapter 4, which describes connecting to the Internet, we recommend installing a virus checker. After you install it, be sure to update it regularly so that you’re always protected against the latest viruses. You can subscribe to receive updates automatically.
A worm is like a virus, except that it doesn’t need to hitch a ride on an email message. A worm simply jumps directly from one computer to another over the Net, entering your computer by way of security flaws in its network software. Unfortunately, the most popular type of network software on the Net, the kind in Microsoft Windows, is riddled with security holes — so many that if you attach a nice, fresh Windows machine to a broadband Net connection, the machine is overrun with worms in less than a minute.
If you rigorously apply all security updates from Microsoft, they fix most of the known security flaws, but it takes a lot longer than a minute to apply them all. Hence, we strongly encourage anyone using a broadband connection to use a hardware firewall, a box that sits between the Net and your computer and keeps the worms out. If you have a broadband connection, you probably should use an inexpensive router to hook up your computers, anyway, and all these devices include a firewall as a standard feature. See Chapter 4 for more information.
Spyware (which includes adware) is similar to a virus, except that your computer catches it in a different way. Rather than arrive by email, spyware is downloaded by your browser. Generally, you need to click something on a web page to download and install spyware, but many people have been easily misled into installing spyware that purports to be a graphics viewer or another type of program they think they might want.
Spyware got its name from being frequently used for sneaky purposes, such as spying on whatever you’re typing. Sometimes, spyware gathers information about you and sends it off to another site without your knowledge or consent. A common use for spyware is finding out which sites you’re visiting so that advertisers can display pop-up ads (described later in this chapter) that are targeted to your interests.
Targeted advertising isn’t inherently evil. The Google AdSense program, for example, places ads on participating web pages based on the contents of those pages. Targeted ads are worth more to advertisers because you’re more likely to respond to an ad about something you’re already reading about.
Spyware can also send spam from your computer, capture every keystroke you type and send it to a malefactor over the Net, and do all the other Bad Things that worms and viruses do.
This advice is particularly important on your mobile device. Some free apps are free because the programmer wrote them for fun, or they provide access to a commercial site, or they hope they can get you to upgrade to a more capable paid version. But some are free because they show ads and report back to headquarters. On Android devices, when you install an app it tells you what system facilities the app uses, and you should always do a sanity check. If you find a cool pinball app, and it wants access to your address book, huh, what does pinball have to do with your friends’ addresses? It’s probably spyware that will steal the addresses.
Spyware programs are often designed to be hard to remove — which can mess up your operating system. Rather than wait until you contract a bad case of spyware and then try to uninstall it, a better idea is to inoculate your computer against spyware. To block spyware, be careful about the screen elements you click. Install a spyware checking program that can scan your system periodically, such as the free Microsoft Windows Defender. See Chapter 4 for details.
Macintosh computers aren’t immune to spyware. (See the nearby sidebar, “Are Macs the solution?”) The Macintosh operating system is by design more secure than Windows, so few viruses and little spyware attack it. But a Mac user is just as likely as a PC user to be fooled into clicking a link to a free porn site that downloads spyware to your computer along with that sexy video. Even smartphones (such as the iPhone or Android phones) can be infected with spyware, and although most spyware targets Windows, it also targets other kinds of computers and phones, so think before you click on any of these devices.
One of the worst innovations in recent decades is the pop-up window that appears on your screen unbidden (by you) when you visit certain websites. Some pop-ups appear immediately, and others are pop-unders, which are hidden under your main window until you close it. The pop-ups you’re most likely to see are ads for mortgages and airline tickets. (No, we don’t give their names here; they have plenty of publicity already.)
Several mechanisms can make pop-ups appear on your computer:
Luckily, web browsers now can prevent most websites from opening unwanted new browser windows. See Chapter 7 to find out how to tell your browser how to display fewer pop-ups.
Everywhere you go these days, someone wants you to enter a password or pass code. Even Harry Potter has to tell his password to a magic portrait just to enter the Gryffindor dormitory (although there’s apparently no security between the boys’ and girls’ wings). Security experts are nearly unanimous in telling us how we should protect all our passwords:
Never use as a password a word that occurs in the dictionary. Consider sticking a number or two into your password.
This sound advice is intended for everyone — except ordinary human beings. Most of us have far too many passwords to keep track of and too little brain to store them in.
One common-sense approach is to use a single password for accounts where you have little risk of loss, such as the one you need in order to read an online newspaper. Use separate, stronger passwords for the accounts that truly matter (such as your online banking account). If you feel you can’t remember them all, write them down and keep them in a safe place, not on a Post-It note stuck to your monitor.
Our warning about not using a password that’s in the dictionary — take that one seriously! Hackers managed to find a hole in our firewall one day, and we had stupidly left one password set to a normal English word (weather, if you must know). It took the hackers less than two hours to break into our computer, by simply having their computer generate every English word until they found one that worked.
Over the years, we’ve ended up with so many passwords that we started storing them in a text file — which anyone with access to our PC could read! This isn’t a horrible idea, as long as your PC has a password to keep random people from logging in, but you can do better. If you have a lot of passwords and no way to remember them, consider using a password manager, which is designed to store your passwords in a safe place. Of course, you have to remember one password — for your password manager. We use KeePass, a freeware, open source program that you can download from www.keepass.info for PCs and Macs.
Pink tender morsel,
Glistening with salty gel.
What the hell is it?
Hawaiian lunch meat?
Someone else’s old shoe heels?
We may never know.
— SPAM haikus, found on the Internet, sometimes credited to Christopher James Hume and Reber Clark
More and more often, we receive unsolicited bulk email (abbreviated UBE but usually called spam) from organizations or people we don’t know. Spam is the online version of junk mail. Offline, junk mailers have to pay postage. Unfortunately, online, the cost of sending out a bazillion pieces of junk mail is virtually zilch.
Email spam (not to be confused with SPAM, the meat-related product from Minnesota that’s quite popular in Hawaii) means that thousands of copies of an unwanted message are sent to email accounts and even to instant message programs. The message usually consists of unsavory advertising for get-rich-quick schemes or dubious drugs — something that you might not want to see and that you definitely don’t want your children to see. Many spam messages tout worthless stocks that the spammers have bought and hope you’ll buy at inflated prices. The message is spam, the practice is spamming, and the person sending the spam is a spammer. Phishing often involves spam, too.
Spam, unfortunately, is a major problem on the Internet because it’s extremely cheap for sleazy advertisers to send. We receive hundreds or thousands of pieces of spam a day, and the number continues to increase. Spam doesn’t have to be commercial (we’ve seen religious and political spam), but it has to be unsolicited; if you asked for it, it isn’t spam.
The meat? SPAM might be short for spiced ham. Oh, you mean the unwanted email? It came from the Monty Python skit in which a group of Vikings sing the word spam repeatedly in a march tempo, drowning out all other discourse. (Search for Monty Python spam at your favorite search engine and you’ll find plenty of sites where you can listen to it.) Spam can drown out all other mail because some people receive so much spam that they stop using email entirely.
You may think that spam, like postal junk mail, is just a nuisance we have to live with. But it’s worse than junk mail, in several ways. Spam costs you money. Email recipients pay much more than the sender does to deliver a message. Sending email is cheap: A spammer can send thousands of messages an hour from a PC. After that, it costs you time to download, read (at least the subject line), and dispose of the mail. The amount of spam is now about 20 times the amount of real email, and if spam volume continues to grow at its alarming pace, pretty soon real email will prove to be useless because it’s buried under the junk. Another problem is that spam filters, which are supposed to discard only spam, can throw away good messages by mistake.
Not only do spam recipients have to bear a cost, but all this volume of email also strains the resources of the email servers and the entire Internet. ISPs have to pass along the added costs to their users. Spam volume doubled or tripled for many years, and is still growing, although not as fast. Large ISPs we know have estimated that more than 95 percent of their incoming email is spam, and many ISPs have told us that as much as $2 of the monthly fee goes to handling and cleaning up after spam. Spammers send 100 billion spam messages every day. And, as ISPs try harder to filter out spam, more and more legitimate mail is being mistaken for spam and bounced.
You don’t have to put up with a lot of spam. Spam filters can weed out most of the spam you receive. See Chapter 9 to see how to use the spam filter that may already be built into your email program or how to install a separate spam filtering program. Also visit www.cauce.org, the Coalition Against Unsolicited Commercial Email, which is the major grass roots antispam organization.
Viruses, spyware, phishing, pop-ups, spam — is the Internet worth all this trouble? No, you don’t have to give up on the Internet in despair or disgust. You just have to put in a little extra effort to use it safely. In addition to the technological fixes we suggest (virus checkers, spyware scanners, and pop-up blockers), you need to develop some smarts about online security. Here’s a quick checklist:
You must keep the virus description files in your antivirus software updated — automatically if possible, and every week at least. (New viruses are launched every day.) Your antivirus software should automatically download the updates; check your documentation.