Chapter Descriptions

The following sections describe the chapters in this book. Each chapter builds on the previous chapters to tie together the threats you face and show you how you can respond to threats to your personal information, systems, and devices.

Chapter 2, “Defining Privacy: Social and Legal Aspects”

To understand where privacy is headed, you need to understand the laws and societal pressures that affect your privacy. Do we as consumers have a right to keep our data private? We have voluntarily given out this information to companies and Web portals in return for free services and prizes. Should we expect the people we have given this data to will keep it secure? These issues are being debated in both the legal realm and the corporate realm. Privacy advocates are pushing legal standards, while corporations are pushing for standards of their own to voluntarily secure data. This stems from generating revenue by making the customer happy. But some companies make money by disseminating your personal information, so they are pushing for openness of data and loose privacy controls.

You need to understand the laws that are currently in place as well as the laws that are not yet in place. Each day brings a new challenge to current laws that were not written to address the Internet revolution. Copyright laws have been making the headlines based on the Napster case. Personal privacy is most often at stake in the resale of customer information, yet legal cases on this issue have not yet made the front pages. Prosecution of cybercrime is being better understood, and the laws are being defined to address the new technologies involved in cybercrime.

Companies want to prosecute when they become the victim of a cybercrime, yet they have a very difficult time doing so because of the lack of clear-cut laws and precedents. For the consumer, it's almost impossible to do anything about being hacked. If your information is stolen from your systems, you will not be able to track the attacker. On the other hand, if your information is stolen from a company, you probably won't know unless a news story makes the theft public. The consumer must depend on the security of the company to keep her data from attackers. The root of the privacy measures begins with the company's privacy policy. For a company to have a good policy it must do the following:

  • Take into account the needs of its target market; some customers might be more resistant to having their information captured.

  • Capture only necessary data from the consumers. Using surveys and requiring consumers to fill out questionnaires can capture a lot of unnecessary information.

  • Clearly identify what is done with the data after it is collected, how it is stored, and who has access to it.

  • Give the user the choice of opting-out of any marketing based on the information she has submitted and of keeping her information from being sent to others.

  • Comply with any laws regarding privacy and be familiar with pending legislation that might affect the business and consumer information.

  • Define the security measures in place to secure the customer information and define what steps are in place to keep it secure on an ongoing basis.

  • Define how third parties will use the consumer information if they provide a business function with the company.

  • Provide for the enforcement of the policy through internal control structures.

  • Give the customer a choice in not revealing her information and the ability to see what data has been collected about her.

  • Keep the policy easy to read and understand. A policy that needs translation by a lawyer will not help consumers feel secure.

The problem faced by both companies and individuals is that there are no standards set for securing personal information. It's the Wild West of the electronic frontier, and so far consumers have been losing the battle. Corporate America has not come up with a standard set of guidelines, and neither has the government. For other countries, the same problems apply. Privacy rights are violated on a daily basis both knowingly and unknowingly. If one company has the best privacy practices and then gets bought out by another company, all the consumer data now falls under the control of a company that might not have such stringent privacy policies. When laws have not even been written to address privacy, there is not much the consumer can do for legal recourse.

Chapter 2 strives to highlight the current landscape of legal and societal issues regarding privacy. A number of initiatives are underway to better protect your privacy, and you need to know about them. By understanding both the problems you face and the proposed solutions, you can better secure your own information.

Chapter 3, “Privacy Organizations and Initiatives”

Several organizations have made it their goal to fight for the rights of the consumer. Much like Consumer Reports, which keeps tabs on companies and products, organizations are keeping tabs on the government and corporations who would seek to have the bare minimum of requirements and laws to protect your privacy. A grassroots effort has grown up around privacy, with the EFF leading the way. These organizations are pushing the legal community through lawsuits and lobbying to get new laws passed to help the consumer.

A significant trend among large corporations has been the adoption of a chief privacy officer (CPO). This position has been used to highlight the serious focus that some large companies have placed on consumer information. In financial institutions this is a key role, because stolen and disseminated consumer information has direct, practical consequences. Money has been the driving force behind many technologies and initiatives, and privacy is no different. When a company's bottom line is affected because of a loss of consumer confidence over privacy issues, corporations will respond to fill the hole. The CPO is a response to the growing need of consumers to feel secure about how their information is being stored and used.

For any large organization, documents such as a Privacy Policy and a Security Policy are standard initiatives. The quality of these documents, however, is a different matter. From experiences in the consulting arena, we have seen the trend toward having these documents reviewed and tested for validity. Companies are becoming more cognizant of how adversely they can be affected by negative consumer confidence if they are hacked and consumer information stolen. Testing these policies and determining how effective they are has been helpful for organizations to prove to the consumer that they are making every effort to secure customer data and keep the customer information private. Compliance with these types of documents and procedures in the past has not been a great issue. But with the media coverage of the exploitation of customer/consumer information, strict adherence to the actual policies is becoming the trend. Companies use their strict security procedures as a marketing tool to show how concerned they are about their customers.

Chapter 3 discusses the initiatives that affect how your information is collected, stored, and used. Several large companies, such as Microsoft, have taken proactive steps to try to set standards and meet the needs of consumers. Initiatives involving the Internet as well as mobile devices and wireless devices are underway, and you need to be aware of how they will interact with the technologies you use and will be using.

Chapter 4, “Legal Threats to Individual Privacy”

Because the laws are not clearly defined about what the line is when it comes to privacy, the consumer can easily be taken advantage of by companies that have no legal restrictions to curb their activities. Three entities pose legal threats to your privacy: individuals, businesses, and governments.

The low cost of technology has enabled individuals to become their own mini companies. Where once it took vast resources to set up a network, develop a Web site, sell a product on the Internet, process credit card information, and disseminate information, now Joe User can do all this for $39.95 a month. Where you could once expect some sort of controls and security measures from a company, you have no idea what individuals are doing on their sites. No laws exist that prevent a consumer from putting anything she wants on a Web site. The information collected through registrations, survey information, and information gathered from technology weaknesses (such as where you are coming from and the type of hardware and software you are using) is unregulated, and individuals can do whatever they want with the information.

The second entity that poses a legal threat is the corporation. Possibly the largest threat, corporations help define the legal environment through lobbying and influencing politicians to pass favorable laws. Besides affecting which laws are passed regarding securing your information, corporations have almost no requirements in how they protect your information after they have collected it. As mentioned earlier, security has the role of keeping your data out of the wrong hands, but there are almost no regulations—from either government or regulatory bodies—as to how a company should secure consumer information. The beginnings of such regulations are now being developed. One government regulation that has already passed is the Health Insurance Portability and Accountability Act (HIPAA). This law is intended to ensure patient privacy and protect the interests of health-care consumers from large insurance companies. This is a case in which some segment of the corporate world (namely the insurance companies) wanted to divulge consumer information, and the government stepped in to secure our privacy.

With the accessibility of hacker tools and such things as e-mail viruses and Trojan horses, companies are facing more attacks on a daily basis. This was never that important to the consumer before the advent of widespread usage of the Internet. Now, both you and the company face the same security threats. With all your private information being stored on the server side, you face an inadvertent threat from attackers targeting companies. If the corporate Web site is compromised and an attacker makes it into the internal network, he can find the server that has all your personal credit card information. The consumer has to rely on the internal policies and procedures developed by the company to secure her data.

Industry regulatory bodies have difficulty passing regulations that are detailed enough for good security. Unless a hacking incident makes the news, most consumers are unaware of the hacking activity going on every day. The Computer Security Institute's (CSI) sixth annual survey, “Computer Crime and Security Survey,” announced that based on responses from 538 computer security practitioners in U.S. corporations, government agencies, financial institutions, medical institutions, and universities, 85% of respondents detected computer security breaches within the last 12 months, and 64% acknowledged financial losses due to computer breaches. Yet how many of these were made public? The consumer must rely on corporate goodwill and consumer pressures to implement good security.

Companies can also be a threat to each other and therefore a threat to the consumer. If one company takes over another company, the consumer is at the mercy of the new company's policies regarding privacy and security. What if the company you have been doing business with is acquired and sold off in pieces? Its collections of data are just another asset to be sold. Again, there are no legal restrictions governing such situations, so the consumer has no recourse when such situations happen and cannot do anything to stop her information from being disseminated.

The third legal threat to consumer privacy is the government itself. The U.S. government has been hands-off for the most part in passing regulations to ensure user privacy and even corporate security. This stance has been difficult to change. For the most part, companies and most individuals would rather see self-regulation by industries rather than having numerous laws to keep information private. The sad state of computer security in general has forced more government involvement, and not always for the better. One side of the privacy issue regarding government regulations is that the government can pass laws to make accessing consumer information difficult. The other side of the privacy issue is that government can use its powers to invade the consumer's privacy.

One such example is the software DCS1000 (originally called Carnivore) developed by the FBI. DCS1000 was designed by the FBI to monitor e-mail communications of suspected criminals, but it can intercept and scrutinize e-mail transmissions by individuals who might have no connection to criminal activities. This Orwellian technology has privacy organizations fighting against it. The government has proposed this as a method of helping the public and keeping data secure, but others say it does just the opposite. Privacy advocates are using the Freedom of Information Act to get detailed information on this technology.

The Electronic Privacy Information Center (EPIC) has already filed a federal lawsuit. The same types of laws are also being enacted and challenged in other countries, such as the United Kingdom. The U.K. passed the Regulation of Investigatory Powers Act that allows the British government to access e-mail and other encrypted Internet communications for surveillance purposes. Privacy advocates have raised concerns that this law conflicts with the Human Rights Act of the European Union, which is meant to protect consumer privacy. As you can see, government can be helpful as well as a hindrance to consumer privacy concerns.

After the tragic terrorist events of September 11, 2001, in the U.S., the U.S. and several other countries quickly passed new laws strengthening the government's ability to monitor electronic traffic. Agencies such as the FBI and their equivalents around the world now have more capabilities and leeway in tracking and monitoring suspicious activity. DCS1000 has been implemented in some Internet service providers, and laws such as the Anti-Terrorism Act in the U.S. have been passed to expand the powers of wiretapping and electronic surveillance.

Chapter 4 goes into detail about pending laws and regulations that affect the consumer. Threats come from individuals, companies, and the government, and each entity has its own special set of circumstances that can lead to a compromise of your information.

Chapter 5, “Illegal Threats to Individual Privacy”

The distinction between legal threats and illegal threats is not always clear-cut when we discuss technology. Laws to protect your privacy are not in place yet. In addition, some laws might even compromise your privacy. Over the next several years, we will see legal regulations become more readily defined, which can be good or bad—new laws can be a detriment to your privacy. For now, we do have the ability to determine clear violations of some privacy issues based on current laws. Attacks against you and your data residing on the client side as well as the server side can be measured and tracked in numerous ways.

Illegal threats to privacy and therefore security have usually come from individuals. But, as we have discussed with legal threats, illegal threats can also come from corporations and even governments. The individual attackers are, for the most part, hackers, extortionists, and now cyberterrorists. Business threats can come in the form of companies disregarding laws and performing illegal activities that can place consumer information in jeopardy. Governments, on the other hand, can tacitly sponsor illegal activities against other governments and the corporations of other countries by not prosecuting such activities or by turning a blind eye to their occurrence.

Illegal attacks can come in two forms against user information. The first is usually launched against the security of the system. This means targeting your computer network at home and at the office. Attackers can compromise your home systems to get your data or use your computer as a launching point for further attacks. The second form of attack is aimed at stealing information, not just systems and data. Information combines different bits of data to make up who you are in the online world. Information can be all the data needed to make purchases with your credit card, such as the card number itself, your billing address, and your phone numbers. This takes more effort and resources than just attacks against computer resources.

Identity theft is one complex form of information theft. This can be done in numerous ways. Identity theft began with physical theft of things, such as passports and driver licenses. One extreme example of this is having a house mover steal all your things. How do you prove that it was theft if the mover says he was robbed on the way to your new home? He now has all your personal belongings and every bit of information about you and can now become you and use your credit cards, and even open new cards. Physical theft is hard enough to defend against, but identity theft is even more complex because you have information in disparate locations and information that requires others to keep it secure.

The individual illegal attacks against your personal information include the following:

  • Hackers— Hacking was originally used to describe a practical joke or modification of technology and software to solve a problem. But as technology and the Internet developed, it got the connotation of illegal activity.

  • Cyberterrorists— A new breed of criminal has developed because of the global use of technology and connectivity of just about every country to the rest of the world through the Internet and communications lines. Cyberterrorists target governments or organizations for attack but rarely target individuals.

  • Businesses— With access to a wealth of consumer information, it was inevitable that some businesses would take advantage of consumers through disguised business practices.

  • Credit card theft— This activity most directly affects the consumer. Having your credit card information stolen from a site where you make a purchase can be readily understood by the consumer when she sees a charge on her credit card bill for a purchase she did not make.

  • Spyware— These insidious products stealthily install themselves on your computer and can send out information about your system and your activities.

  • Governments— Governments around the world have always covertly been involved in illegal activities. With access to the Internet, a government can easily sanction such tactics as cyberterrorism without being blamed.

  • Identity theft— This is probably one of the most damaging forms of illegal attacks on the individual consumer. Identity theft can destroy your financial reputation and bilk you out of money, as well as make recovery a living nightmare.

  • Fraud— Scams are prevalent on the Internet. Setting up fake companies and convincing people to spend money for products or services they will never get is easy. In the past, fraud happened only on an individual basis, but with Internet usage, whole groups of people can be deceived by a technologically savvy criminal.

Chapter 5 defines the threats you face. In later chapters, details of how these threats are actually launched in a practical manner are discussed.

Chapter 6, “Understanding the Online Environment: Addresses, Domains, and Anonymity”

The home user has vast capabilities in setting up a presence in the online world. You probably already have your own domain name (www.yournameregistered.com) and maybe even a Web site showing family pictures or talking about your pet. If you don't already have a domain name, you can register one for $20–$30 a year, set up a basic Web site, and talk about your love of knitting all in one day. You can make it very easy for someone to find you online by putting all this great or not so great information out there, but that only leads to giving up private information about yourself. This includes detailing your interests, how to reach you, what technologies you are using—all things that lead to a detailed profile. Any registered Web site can be tracked through WHOIS (whois.arin.net); this information shows the person registering a site and his contact and billing information (see Figure 1.6).

Figure 1.6. WHOIS results of a search on PrivacyDefended.com.


To get online, you obviously must have a connection through some service provider. America Online is one of the more popular Internet service providers. An ISP can be considered the same as any other company where you buy a product and give up your personal information, such as a credit card number. You must rely on the ISP to keep that data secure. Of course, one target of hackers is the ISP. Because the ISP has all your information—and in the case of a company using an ISP, access to the company information—compromising an ISP and installing a backdoor on the network can be easy. A backdoor can do several things, including leaving an open connection for later connectivity and capturing information such as your login ID and password as it is sent along the wire. You are now reliant on the ISP's security measures to keep your data secure. But ISPs have many connections to companies and users, leaving multiple points of attack open for the wily hacker. With all the traffic flowing through the ISP—possibly millions of user logins—tracking down one specific attacker and seeing what data he has accessed can be hard.

Being online, you almost have to resign yourself to potentially giving away all your information. Of course, there are many steps that you can take to keep this to a minimum. Using anonymous Internet portals and software can help hide who you are from prying eyes. Anonymous Web surfing allows you to visit a Web site without the site being able to track where you are coming from or track what you are browsing and what your preferences are. Free Internet service providers can also be a way of becoming anonymous, but they bring a whole other host of potential problems with using the Internet. Using a cyber café or public library for surfing can be another path to Internet anonymity.

Chapter 6 shows several means by which a user can be tracked down on the Internet, as well as how you can hide your access and surf anonymously. Being anonymous becomes harder each day with all the login requirements and methods of tracking how you use the Internet.

Chapter 7, “Understanding the Online Environment: Web Surfing and Online Payment Systems”

The Internet has become widespread because of Web surfing. To make money, companies started out with typical sales models, but trading goods and services for money just didn't seem to be enough for the Web. Freebies became a standard part of the Internet culture. Just about anything you want can be found on the Web somewhere. Many sites are just informational, using registration processes to allow entry but also to track users and what they are actually surfing.

Various technologies are involved with Web surfing, from encryption to cookies to information storage. All along the process are multiple points where your personal information can be captured. Having to register on vendor sites, free contest sites, and portal information sites allows the sites to build a profile on you. Many of these sites then resell that information or use it themselves for mass marketing.

The dangers of Web surfing come from two major angles. On the one hand is the personal information you know you are giving out through site registrations and such.

On the other hand is the information you unknowingly give out. The nature of computing in today's world basically comes down to this: You do not really own your computer. Even though you might own the hardware, such as hard drives and modems, software is licensed, and you do not have ownership rights to it; rather, you have a license to use it. The increasingly distributed environment of the Internet is leading many large companies to seek more control over your personal computer. Things such as active content enable centralized sites to exercise control of your PC by installing software of their choice on it. You might or might not be made aware of this.

Internet elements such as cookies are fed to your Web browser when you surf. They collect personal information about you and send that information back to either the originating Web site or a third-party Web site of which you are unaware. Cookies serve both good and bad purposes, and it is important to understand their nature and how you can control them.

Web bugs can be used similarly to cookies. They might be designed to track your mouse clicks, or clickstream, across the Internet. Sometimes Web bugs are used in conjunction with cookies or spyware and might be designed to make your Web browser fetch software and install it on your computer. However, programs such as Bugnosis from www.bugnosis.org can be used to identify Web bugs on Web pages.
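To make the idea of a Web bug concrete, here is a small Bugnosis-style scanner. It is an added example written for this page, not code from the book or from the Bugnosis project, and the heuristics it applies (an image that is 1x1 or smaller, an image hidden by CSS, or an image fetched from a third-party host with tracking parameters in its URL) are my summary of what such tools look for, not the tool's exact rules. The HTML page, the host names, and the `FindWebBugs` function are all constructed for the example.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strconv"
	"strings"
)

// Finding is one <img> element that matched a Web-bug heuristic.
type Finding struct {
	Src    string
	Reason string
}

var (
	// Every <img ...> tag, case-insensitively, including ones split across lines.
	imgTag = regexp.MustCompile(`(?is)<img\b[^>]*>`)
	// The attributes the heuristics need, with double-quoted, single-quoted or bare values.
	attrRe = regexp.MustCompile(`(?i)\b(src|width|height|style)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))`)
)

// attrs pulls the interesting attributes out of one <img ...> tag.
func attrs(tag string) map[string]string {
	out := map[string]string{}
	for _, m := range attrRe.FindAllStringSubmatch(tag, -1) {
		val := m[2] + m[3] + m[4] // only one of the three alternatives is non-empty
		out[strings.ToLower(m[1])] = strings.TrimSpace(val)
	}
	return out
}

// thirdParty reports whether src is served from outside the page's own site and whether
// the URL carries query parameters. Relative URLs and subdomains of pageHost are first-party.
func thirdParty(src, pageHost string) (foreign, hasQuery bool) {
	u, err := url.Parse(src)
	if err != nil || u.Host == "" {
		return false, false
	}
	h := strings.ToLower(u.Hostname())
	foreign = h != pageHost && !strings.HasSuffix(h, "."+pageHost)
	return foreign, u.RawQuery != ""
}

// tiny is true for the classic 1x1 (or 0x0) tracking pixel.
func tiny(a map[string]string) bool {
	w, errW := strconv.Atoi(a["width"])
	h, errH := strconv.Atoi(a["height"])
	return errW == nil && errH == nil && w <= 1 && h <= 1
}

// hidden is true when inline CSS keeps the image out of sight.
func hidden(a map[string]string) bool {
	s := strings.ReplaceAll(strings.ToLower(a["style"]), " ", "")
	return strings.Contains(s, "display:none") || strings.Contains(s, "visibility:hidden")
}

// FindWebBugs scans an HTML document served by pageHost and returns the suspicious images.
func FindWebBugs(page, pageHost string) []Finding {
	var found []Finding
	for _, tag := range imgTag.FindAllString(page, -1) {
		a := attrs(tag)
		var reasons []string
		if tiny(a) {
			reasons = append(reasons, "1x1 (or smaller) image")
		}
		if hidden(a) {
			reasons = append(reasons, "hidden by CSS")
		}
		if foreign, hasQuery := thirdParty(a["src"], pageHost); foreign && hasQuery {
			reasons = append(reasons, "third-party host with tracking parameters")
		}
		if len(reasons) > 0 {
			found = append(found, Finding{Src: a["src"], Reason: strings.Join(reasons, "; ")})
		}
	}
	return found
}

// samplePage is a constructed checkout page: two ordinary images, one first-party banner,
// and two Web bugs served by a made-up tracking network.
const samplePage = `<html><body>
<img src="/images/logo.gif" width="120" height="40" alt="logo">
<img src="http://ads.example-tracker.net/pixel.gif?uid=8813&page=checkout" width="1" height="1">
<img src="https://static.example.com/banner.jpg?campaign=spring" width="468" height="60">
<IMG SRC='http://metrics.example-tracker.net/clear.gif' style="display: none">
<img src="/images/photo.jpg">
</body></html>`

func main() {
	for _, f := range FindWebBugs(samplePage, "example.com") {
		fmt.Printf("suspected Web bug: %s (%s)\n", f.Src, f.Reason)
	}
}
```

Run as is, the scanner reports the tracking pixel and the hidden clear.gif and stays silent about the first-party banner even though its URL has a query string; a real tool would also look at the cookies set by the third-party host, which is where the clickstream is actually stitched together.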

Spyware can come in many forms, including software you purposely download or install. Any legitimate software can be considered spyware if it collects and sends information about you back out to the Internet or to a specific organization. If you are unaware of or if you accept a program doing this, it is invading your privacy.

Throughout this first chapter, we have been using credit card theft as a good example of how your personal information can be stolen and used maliciously. Payment systems on the Internet go beyond simple credit cards. New forms of online payment systems are being developed, such as Cybercash, Checkfree, and Digicash. These are, of course, tied to your personal information as credit cards are but should be more difficult for the hacker to compromise and use against you. Theoretically. Technology such as that used by Microsoft's Passport.com enables the consumer to sign on once and then shop multiple sites without having to reenter credit card information each time. All charges come from one account from many sites that have become partners/users of Passport.com. Visa has a similar program using online wallets through several vendors. Your information is stored once through Visa and the vendor and then is used to pay for your transactions at sites you shop.

With all the various methods of surfing the Internet and making payments online, a number of weaknesses exist that can lead to a compromise of your privacy. Chapter 7 discusses how these technologies work and what the potential threats are to the consumer. As with every technology you use, there are correct and incorrect ways of using it.

Chapter 8, “E-mail Security”

E-mail is the basic current communications method on the Internet. Many wired folks have 2–3 e-mail accounts. They are provided free by many Web sites, and your ISP will of course provide an e-mail address. When you register a domain name, the domain registrant typically also provides free e-mail. E-mail is free everywhere because it keeps people coming back to the site and requires information about the user to be given up.

Most e-mail is sent in clear text. Clear text means that anyone on your network, whether it's your work network or your home network, can see traffic flowing on the network. This means they can “sniff” the traffic and read your e-mail. Because e-mail can carry some extremely private information, you are making that information available to anyone on your local network where you send and receive e-mail as well as on the network where you are sending the e-mail. In the case of cable modems, your local network can include all your neighbors using your cable company. They can be sniffing your e-mail ID and password and reading your e-mail. However, there are measures you can take to secure your e-mail through encryption that we will discuss.

As we have seen with all the major news stories about the “I Love You” virus, e-mail can be deadly to your computer. A virus attached to an e-mail can easily wipe out your hard drive or look for files on your system and send them to a malicious hacker. Targeting specific information on your computer through viruses will be the next wave of virus development.

Pretty Good Privacy (PGP) was primarily developed for keeping e-mail private. It uses public-key cryptography: each person has two keys, one public and the other private. These keys encrypt and decrypt the e-mail. If you are not the intended recipient of the e-mail, you will not be able to read it. Normal e-mail traffic is clear text as we have mentioned, but PGP e-mail is encrypted and can't be read by an attacker. There are ways around PGP, such as if you have decrypted the e-mail and keep an unencrypted copy of the message on your machine. If your security is then compromised, the intruder will have access to your text. PGP can also be used as a digital signature to ensure the authenticity of the message.
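The two-key idea is easiest to see in working code. The following is an added example written for this page, not PGP's own code or anything from the book: Alice signs a message with her private key and encrypts it with Bob's public key, and Bob reverses both steps. It uses RSA with OAEP padding for encryption and PSS padding for signatures from Go's standard library; real PGP encrypts the message with a one-time session key and uses the recipient's public key only to protect that session key, which this example skips, so it is limited to short messages. The names `Identity`, `Seal` and `Open` and the sample message are mine.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Identity is one keyring entry: the public half is handed out freely,
// the private half never leaves its owner's machine.
type Identity struct {
	Name string
	priv *rsa.PrivateKey
}

// NewIdentity generates a fresh 2048-bit RSA key pair for a person.
func NewIdentity(name string) *Identity {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return &Identity{Name: name, priv: k}
}

// Public returns the half of the key that can be published.
func (id *Identity) Public() *rsa.PublicKey { return &id.priv.PublicKey }

// Sealed is what travels over the wire: ciphertext only the recipient can open,
// plus a signature that proves who wrote the plaintext.
type Sealed struct {
	Ciphertext []byte
	Signature  []byte
}

// Seal signs msg with the sender's private key, then encrypts it to the recipient's
// public key (sign-then-encrypt, the order PGP uses).
func Seal(sender *Identity, recipient *rsa.PublicKey, msg []byte) (Sealed, error) {
	digest := sha256.Sum256(msg)
	sig, err := rsa.SignPSS(rand.Reader, sender.priv, crypto.SHA256, digest[:], nil)
	if err != nil {
		return Sealed{}, err
	}
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, msg, nil)
	if err != nil {
		return Sealed{}, err
	}
	return Sealed{Ciphertext: ct, Signature: sig}, nil
}

// Open decrypts with the recipient's private key and then checks the signature against
// the claimed sender's public key. Anyone else's private key fails the first step;
// a forged or tampered message fails the second.
func Open(recipient *Identity, sender *rsa.PublicKey, s Sealed) ([]byte, error) {
	msg, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipient.priv, s.Ciphertext, nil)
	if err != nil {
		return nil, fmt.Errorf("%s cannot decrypt: %w", recipient.Name, err)
	}
	digest := sha256.Sum256(msg)
	if err := rsa.VerifyPSS(sender, crypto.SHA256, digest[:], s.Signature, nil); err != nil {
		return nil, fmt.Errorf("signature does not verify: %w", err)
	}
	return msg, nil
}

func main() {
	alice, bob, eve := NewIdentity("alice"), NewIdentity("bob"), NewIdentity("eve")
	// Constructed sample message; any text under about 190 bytes works with these parameters.
	sealed, err := Seal(alice, bob.Public(), []byte("Bob, the new card number is in the sealed envelope."))
	if err != nil {
		panic(err)
	}
	fmt.Printf("on the wire: %d bytes of ciphertext, %d bytes of signature\n",
		len(sealed.Ciphertext), len(sealed.Signature))

	msg, err := Open(bob, alice.Public(), sealed)
	fmt.Printf("bob reads: %q (err=%v)\n", msg, err)

	_, err = Open(eve, alice.Public(), sealed) // Eve sniffed it off the wire
	fmt.Println("eve:", err)
}
```

The second half of the paragraph above is worth keeping in mind when reading `Open`: once `msg` exists as plaintext on Bob's disk, the mathematics no longer protects it, and an intruder on his machine reads it as easily as Bob does.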

Chapter 8 demonstrates some of the vulnerabilities associated with using e-mail and gives you several alternatives for using e-mail securely. Encryption is your friend when it comes to e-mail, and you should understand how to use it correctly and safely.

Chapter 9, “Securing Your Internet Transactions with SSL and Digital Certificates”

Although this book is not focused in-depth on technical aspects of using technologies such as the Internet and wireless technology, it is important for the consumer who is heavily into these technologies and who will be using them more as new features get developed to understand the underlying technology and security of devices used on a daily basis. One key technology that makes security possible is Secure Sockets Layer (SSL). SSL works by encrypting data that is transferred over the SSL connection. All Web sites that process transactions or need to use encryption technology use SSL or some other form of secure transmission. Another protocol for transmitting data securely is Secure HTTP (S-HTTP). SSL creates a secure connection between a client and a server, whereas S-HTTP is designed to transmit individual messages securely. Information-only sites that require ID and password authentication usually use SSL if they do not want a hacker to sniff information and passwords. Of course, there are ways around the security mechanisms of SSL and S-HTTP. One of the major concerns with these security measures is implementation and configuration. Problems can occur both on the server side and client side. Therefore, the user must be aware of how these technologies are used to secure her private information.

On your home systems, if you set up a Web site or are running a business out of your home DSL or cable modem, you need to understand these technologies. You do not want your neighbor, who might happen to have hacker tendencies, to take over your Web site and make modifications or destroy your system. Say you were running a home business that sells clay pots. You might think you are not a target of an attacker, but as we have mentioned already, you can be used as a launching point for further attacks.

Another method of securing transactions and performing authorizations is by using digital certificates. Digital certificates are a verification of who you are and the integrity of your data. Certificates let consumers know that the company is legitimate and provide for authenticity and verification. Of course, as with all the technologies we have discussed, digital certificates are not perfect and are subject to attack. As recently as March 2001, Verisign was tricked into issuing a fake Microsoft digital certificate. The hacker could potentially use the certificate to pretend that his software product is a Microsoft product and thus is secure and trustworthy. If someone downloaded a software product with this certificate, she would think it was from Microsoft and not a hacker tool. As with any technology, the consumer must know the strengths and weaknesses that apply to her privacy.
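What a certificate actually proves, and why the March 2001 incident was dangerous, comes down to two checks a client performs. The example below is added for this page and is not the book's or any vendor's code: it builds a toy trust store with one trusted root CA, then shows that a certificate from an untrusted issuer is rejected by chain validation, while a certificate the trusted CA was tricked into issuing passes chain validation and is only caught if the client also consults the CA's revocation data. The CA names, the `Client` type and its `Revoked` map (a stand-in for a fetched certificate revocation list) are my constructions; the subject name "Microsoft Corporation" is used purely to mirror the incident the text describes.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newKey generates a P-256 key pair; used for CAs and end entities alike here.
func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// template describes the certificate to be issued: who it names and whether it may itself sign.
func template(cn string, isCA bool, serial int64) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		t.KeyUsage |= x509.KeyUsageCertSign
	}
	return t
}

// issue signs tmpl with the parent's private key. A nil parent means self-signed (a root CA).
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// Client is what a browser or installer carries: the roots it trusts and the serial
// numbers those roots have since revoked (a stand-in for a downloaded CRL).
type Client struct {
	Roots   *x509.CertPool
	Revoked map[string]bool
}

// Accept performs the two checks: does the chain end at a trusted root, and has the
// issuer since withdrawn the certificate? Returns nil when both pass.
func (c Client) Accept(leaf *x509.Certificate) error {
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: c.Roots}); err != nil {
		return fmt.Errorf("%q: chain does not end at a trusted root: %w", leaf.Subject.CommonName, err)
	}
	if c.Revoked[leaf.SerialNumber.String()] {
		return fmt.Errorf("%q: certificate serial %s has been revoked", leaf.Subject.CommonName, leaf.SerialNumber)
	}
	return nil
}

// Scenario holds the constructed trust store and three certificates to judge.
type Scenario struct {
	Client   Client
	Genuine  *x509.Certificate // issued by the trusted CA to the real site
	Rogue    *x509.Certificate // issued by a CA nobody trusts
	Impostor *x509.Certificate // issued by the trusted CA to an impostor, later revoked
}

// Build constructs the whole situation in memory; nothing touches the network.
func Build() Scenario {
	caKey := newKey()
	ca := issue(template("Trusted Root CA", true, 1), nil, &caKey.PublicKey, caKey)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	genuine := issue(template("shop.example.com", false, 2), ca, &newKey().PublicKey, caKey)

	rogueKey := newKey()
	rogueCA := issue(template("Rogue CA", true, 3), nil, &rogueKey.PublicKey, rogueKey)
	rogue := issue(template("Microsoft Corporation", false, 4), rogueCA, &newKey().PublicKey, rogueKey)

	impostor := issue(template("Microsoft Corporation", false, 5), ca, &newKey().PublicKey, caKey)
	client := Client{Roots: roots, Revoked: map[string]bool{impostor.SerialNumber.String(): true}}
	return Scenario{Client: client, Genuine: genuine, Rogue: rogue, Impostor: impostor}
}

func main() {
	s := Build()
	for _, c := range []*x509.Certificate{s.Genuine, s.Rogue, s.Impostor} {
		fmt.Printf("%-22s -> %v\n", c.Subject.CommonName, s.Client.Accept(c))
	}
	noCRL := Client{Roots: s.Client.Roots}
	fmt.Println("impostor without revocation data ->", noCRL.Accept(s.Impostor))
}
```

The last line of `main` is the point of the example: with a trusted issuer's signature on it, the impostor's certificate is indistinguishable from a genuine one until the client checks revocation, which is why the fix for the 2001 certificates was a revocation update rather than a change to how certificates are validated.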

Chapter 9 also discusses how to secure your transactions. Transactions can be anything from browsing Web pages to making a purchase. Securing the communications we use on the Internet and eventually through wireless technologies is necessary to keep our information secure.

Chapter 10, “Understanding Your PC Operating System and Its Security Features”

The first step in securing your data is implementing operating system security. Good security starts at home. Home systems have become very complex in the past two to three years with the advent of always-on connections such as DSL and cable modems, faster links such as ISDN, and sophisticated operating system software. Your computer is subject to attack 24 hours a day, every day of the year. To understand how to secure your system, you must first understand how a hacker finds out information about your computer. A good hacker methodically discovers every piece of information about your network and PC, and only then starts attacking it with known and sometimes unknown vulnerabilities.

Your home operating system can be a Microsoft Windows-based operating system such as Windows 98, Windows 2000, or Windows Me. Or it might be Mac OS or a Unix variant such as Red Hat Linux. No matter what it is, there are ways it can be hacked. Hackers can try to compromise either the operating system or an application you are running, such as a Web server, and they can launch denial-of-service attacks against your machine to take it off the network or destroy it. Application attacks are more common against companies that have to perform some type of business processing on their Web sites, such as online brokers. Most attackers go after the home user through operating system attacks.

A number of Web sites are dedicated to hacking and to teaching hacking skills, and they can benefit the average user. If you understand the techniques being used in the real world, you will have a better understanding of how you are really vulnerable to a hacker compromise. Newsgroups and discussion forums are available to any user on the Internet for posting and reading about computer security. Good security practices require ongoing attention. In addition to these information sources, several free and commercial products are available that can help you in the quest for privacy and security.

The goal of Chapter 10 is to identify the methods attackers use to gain access to your computer. The intent of the attacker can be to take over your system, destroy your system, or hide on it and use it as a launching point for further attacks. Operating systems and applications have inherent weaknesses that need to be addressed before you should even get on the Internet. Chapter 10 details practical steps to understanding how your operating system can be taken advantage of and helps you develop the best practices for securing it. We mainly focus on Windows variants and Unix variants of operating systems (sorry, Mac users; we will cover the Mac OS in the next edition).

Chapter 11, “Securing Your Standalone PC: Broadband Connections”

Operating system security is just the first step in your home security. Just as you have more than one lock on your front door, perhaps also using a security service such as ADT, your home network needs more than one layer of security. Just as all the windows and doors are entry points to your home, your computer has multiple entry points, too. Every application and service you are running on your computer can be a threat if it accepts connections from the Internet. If you run your own Web server, you have a port open on the computer that an attacker can use to reach your system. An open port is simply a program waiting for connections; open ports are what allow connectivity between systems. If you run Napster, a port is open on your system to allow Napster traffic.

To determine which ports are open and how the applications affect your system security, you use a number of tools. The home user must be a mini-system administrator and security officer to protect his computer. The tools you use to do this are compatible with whatever technology you are using to connect to the Internet, whether it's cable, DSL, dial-up, or some other form of connectivity. (Sorry, ESP is not covered.) We discuss various tools that can help you find weaknesses in your computer and network.
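What "finding out which ports are open" looks like in practice, as an added Go example that is not the book's code and not one of the products it reviews: a TCP connect scan with a banner grab, run against two constructed toy services on the loopback address so that it works offline. The toy Web server's "Server: toy-httpd/0.1" reply and the silent second service are constructed; pointed at a real host with a full port list, the same loop is what the tools in this chapter automate.

```go
package main

import (
	"bufio"
	"fmt"
	"net"
	"strings"
	"time"
)

// Finding is what a scan learns about one port.
type Finding struct {
	Port   int
	Open   bool
	Banner string // first line the service volunteered, if any
}

// Scan makes a plain TCP connection to each port (the "connect scan" a port
// scanner does) and, where something answers, sends a minimal HTTP request
// and keeps the first line of the reply as a service banner. An attacker
// needs nothing but your IP address to do this.
func Scan(host string, ports []int, timeout time.Duration) []Finding {
	var out []Finding
	for _, p := range ports {
		f := Finding{Port: p}
		conn, err := net.DialTimeout("tcp", net.JoinHostPort(host, fmt.Sprint(p)), timeout)
		if err == nil {
			f.Open = true
			conn.SetDeadline(time.Now().Add(timeout))
			fmt.Fprint(conn, "HEAD / HTTP/1.0\r\n\r\n")
			if line, err := bufio.NewReader(conn).ReadString('\n'); err == nil {
				f.Banner = strings.TrimSpace(line)
			}
			conn.Close()
		}
		out = append(out, f)
	}
	return out
}

// serve starts a constructed toy service on a loopback port chosen by the OS.
// Each connection has its request read up to the blank line, gets reply
// written back (nothing, if reply is empty), and is closed.
func serve(reply string) (int, net.Listener) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		panic(err)
	}
	go func() {
		for {
			conn, err := ln.Accept()
			if err != nil {
				return // listener closed
			}
			go func(c net.Conn) {
				defer c.Close()
				r := bufio.NewReader(c)
				for { // consume the request up to the blank line that ends HTTP headers
					if line, err := r.ReadString('\n'); err != nil || line == "\r\n" {
						break
					}
				}
				fmt.Fprint(c, reply)
			}(conn)
		}
	}()
	return ln.Addr().(*net.TCPAddr).Port, ln
}

// DemoResult holds the scan of the three constructed ports.
type DemoResult struct{ Web, Silent, Closed Finding }

// Demo stands up a toy Web server that announces itself and a silent service
// (think of a file-sharing client that accepts connections but says nothing),
// grabs and releases a third port so that it is closed, then scans all three.
func Demo() DemoResult {
	webPort, webLn := serve("HTTP/1.0 200 OK\r\nServer: toy-httpd/0.1\r\n\r\n")
	defer webLn.Close()
	silentPort, silentLn := serve("")
	defer silentLn.Close()
	tmp, _ := net.Listen("tcp", "127.0.0.1:0")
	closedPort := tmp.Addr().(*net.TCPAddr).Port
	tmp.Close()
	found := Scan("127.0.0.1", []int{webPort, silentPort, closedPort}, time.Second)
	return DemoResult{Web: found[0], Silent: found[1], Closed: found[2]}
}

func main() {
	d := Demo()
	for _, f := range []Finding{d.Web, d.Silent, d.Closed} {
		fmt.Printf("port %5d open=%-5v banner=%q\n", f.Port, f.Open, f.Banner)
	}
}
```

The banner is the point: an open port tells the attacker that something is listening, and the first line it says back often tells him exactly what and which version, which is what he then looks up in a vulnerability database. A service that accepts but says nothing, like the silent one here, still tells him the port is in use.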

The major share of home Internet connectivity belongs to regular phone dial-up connections, DSL, and cable modems. Each of these technologies poses different threats to your home environment. These technologies are also frequently used by businesses, which face the same risks as home users. We discuss the relative capabilities of each technology and how to secure each.

Operating system security helps secure your files and the data on your computer. To secure the applications and the other computers on your home network, you will probably want a firewall. A home firewall is usually either software running on the PC itself or a small router that sits between your network and the modem; either can protect a single computer or a whole network of computers. Home firewalls are now inexpensive and relatively simple to install. The problem most home users face is that they do not understand the firewall settings and rules that allow traffic in and out. We discuss in detail several popular firewall options and show how you can easily configure them to secure your home network.
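How the order of firewall rules decides what gets through, as an added Go example that is not from the book or from any particular firewall product: a first-match rule engine evaluated over four constructed connection attempts, once with a rule set containing the common mistake and once with the corrected one. The addresses (203.0.113.7, 198.51.100.9, the 192.168.1.0/24 home LAN) and the ports are constructed for the example.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Direction is a bitmask so that a rule can apply to one direction or both.
type Direction int

const (
	Inbound  Direction = 1 // someone on the Internet connecting to your PC
	Outbound Direction = 2 // your PC connecting out
	AnyDir   Direction = Inbound | Outbound
)

// Conn is one connection attempt as a home firewall sees it: the direction,
// the address at the far end, and the service port being asked for.
type Conn struct {
	Dir    Direction
	Remote netip.Addr
	Port   int
}

// Rule matches on direction, an optional remote prefix (zero value = any
// address) and an optional port (0 = any port).
type Rule struct {
	Allow  bool
	Dir    Direction
	Remote netip.Prefix
	Port   int
	Note   string
}

func (r Rule) matches(c Conn) bool {
	if r.Dir&c.Dir == 0 {
		return false
	}
	if r.Remote.IsValid() && !r.Remote.Contains(c.Remote) {
		return false
	}
	return r.Port == 0 || r.Port == c.Port
}

// Policy is an ordered rule list: the first matching rule decides, and a
// connection matched by no rule is dropped (default deny).
type Policy []Rule

func (p Policy) Decide(c Conn) (allow bool, why string) {
	for _, r := range p {
		if r.matches(c) {
			return r.Allow, r.Note
		}
	}
	return false, "default deny"
}

// Evaluate returns one verdict per connection.
func Evaluate(p Policy, conns []Conn) []bool {
	out := make([]bool, len(conns))
	for i, c := range conns {
		out[i], _ = p.Decide(c)
	}
	return out
}

// Sloppy is the mistake the text describes: the owner meant "let me out to the
// Internet" but wrote a rule matching both directions and put it first, so the
// rules below it never fire and every inbound connection is let in.
var Sloppy = Policy{
	{Allow: true, Dir: AnyDir, Note: "allow all (meant to be outbound only)"},
	{Allow: true, Dir: Inbound, Port: 80, Note: "home Web server"},
	{Allow: false, Dir: Inbound, Note: "block everything else inbound"},
}

// Tight is the corrected rule set: outbound open, inbound only to the Web
// server, Windows file sharing reachable only from the constructed home LAN,
// and everything else falls through to default deny.
var Tight = Policy{
	{Allow: true, Dir: Outbound, Note: "outbound to anywhere"},
	{Allow: true, Dir: Inbound, Port: 80, Note: "home Web server"},
	{Allow: true, Dir: Inbound, Remote: netip.MustParsePrefix("192.168.1.0/24"), Port: 139, Note: "file sharing from the LAN only"},
}

// Sample is constructed traffic: a visitor to the Web site, an Internet host
// probing file sharing, a LAN machine doing the same, and your own browser.
var Sample = []Conn{
	{Inbound, netip.MustParseAddr("203.0.113.7"), 80},
	{Inbound, netip.MustParseAddr("203.0.113.7"), 139},
	{Inbound, netip.MustParseAddr("192.168.1.20"), 139},
	{Outbound, netip.MustParseAddr("198.51.100.9"), 443},
}

func main() {
	for i, c := range Sample {
		_, sloppyWhy := Sloppy.Decide(c)
		_, tightWhy := Tight.Decide(c)
		fmt.Printf("conn %d (%s:%d): sloppy=%q tight=%q\n", i, c.Remote, c.Port, sloppyWhy, tightWhy)
	}
}
```

With the sloppy rule set the outside host probing port 139 is admitted by the first rule, and the block rule the owner wrote is never consulted. With the tight rule set the same probe matches nothing and falls to the default deny, while the Web visitor, the LAN machine, and the owner's own outbound browsing still work. Whatever product you use, read its rule list top to bottom the way this loop does and ask which rule each kind of traffic will hit first.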

Home use of networking technology is also on the rise. Falling cost has been a large factor in allowing consumers to buy multiple computers, network them together, and have continuous access to the Internet. But more connectivity just means more avenues of attack. Chapter 11 discusses detailed mechanisms to protect your home network.

Chapter 12, “Securing Your Standalone PC: Viruses, Chat, and Encryption”

The operating system is probably the linchpin of good security. After we discuss how to secure the operating system, we can move on to application security. Application attacks are prevalent against large corporations, but the home user faces the same challenges on a smaller scale. Internet applications such as instant messaging clients (AOL Instant Messenger, ICQ), chat rooms, and e-mail are already subject to specific attacks. Everything from viruses to denial-of-service attacks can be launched over these types of Internet applications. However, these technologies all have some type of countermeasure. Security is a moving target that changes on a daily basis, and security software for these technologies is always about a half-step behind the hackers. The consumer must be vigilant to ensure that the gap does not widen into one that allows her system to be compromised from several directions at once.

Technologies such as ICQ and chat programs inadvertently give away your IP address and other system details to anyone on the connecting end, and sometimes to anyone who searches the service's directory for people running them. After an attacker knows you exist and can reach your machine, he can launch the attacks described in Chapter 11. These programs often have security options, but the user must be aware of their existence before they can be used. Combining these programs with technology such as encryption is an option most users are not aware of.

Encryption technology can seem like a mystical art if you do not know the basics behind how it works. It does not belong strictly to academic or corporate heavyweights. The home user has many options for encrypting data and communications to keep her information safe from eavesdroppers. Used correctly, encryption limits the damage: an attacker who gets onto the home network or taps the connection still cannot read the traffic or files he captures. Several free and commercial products are available; we discuss them and the benefits of each for different scenarios.

To use available Internet applications and yet be secure, you must understand how those applications can be attacked and compromised, just as you did for the operating system. Chapter 12 focuses on how to protect communications between your PC and the rest of the world and how to make your PC a secure mini-domain of its own.

Chapter 13, “Securing Your Home Network”

The connectivity provided by broadband connections has given the home user the ability to run his own network. Inexpensive firewall/routers provide the address translation and switching that let you network all the computers in your home behind a single connection, and personal firewall software protects each machine on it.

But with more connectivity and more systems on the Internet, the risk of being attacked is increased beyond just being vulnerable on one machine on a dial-up connection—your network can be attacked. You therefore need to know how a real hacker goes about attacking your systems, where you have potential vulnerabilities, and how to fix them.

Chapter 13 outlines how attacks are performed. You will understand how you can test your own network's security before the bad guys do. After you find out where you might have a hole in your network, you can go about fixing it so a real attacker will not be able to gain access to your network.

Chapter 14, “Securing Your Privacy Using Other Digital Devices”

The realm of privacy concerns goes far beyond the Internet and your PC. PCs are no longer the sole technology for communications, shopping, and information dissemination. New functionality is being developed to use the Internet for everything from online gaming to watching movies to paying bills. Even as vast as the Internet is and with all the technologies it employs, new technology is creating new paths for Internet-like services in other mediums. The force driving this development of alternative technologies to replace what has been working on the Internet is the consumer's need for convenience. It's becoming easier to shop and talk to people everywhere in the world, and consumers want more and more.

Ease of communication is probably the greatest characteristic that has been ported to other mediums. Devices from personal digital assistants (PDAs) to cell phones have developed capabilities far beyond their original designs. They allow consumers to communicate anywhere at any time, and this capability can become addictive. Many cell phones now have instant messaging—one of the key features of AOL. We have become addicted to instant messaging on the computer over the past several years, and now it's even easier to do with your cell phone. Cell phones are also capable of wireless Web access. You can shop and browse the Internet from tiny cell phone screens (although, if you have tried this, you know the technology is not quite ready for prime time). What hasn't been discussed with these advancements is how your personal information is being transmitted and who is seeing it on the other end. If you make purchases on your cell phone, does your personal data get encrypted just as it would be if you were using your desktop?

Wireless technology is the latest frontier to be conquered. As cell phones and PDAs use wireless technology to bring shopping and Web browsing to handheld devices, consumers will have a greater range of possible avenues to spend their money and share their information with the rest of the world. Wireless standards have taken more care with security, such as encryption and authorization, than many early Internet protocols did, but as we have mentioned, privacy is not the same as security. One example worth knowing: early WAP phones encrypted traffic only as far as the carrier's gateway, where it was decrypted and then re-encrypted with SSL toward the Web site, so the gateway operator could see everything in the clear. Is your data being kept private when it is transmitted via wireless protocols?

The manner in which your information is transmitted and stored is poorly documented, and consumers have very little knowledge of how these new devices and functions will affect their privacy. We cover a number of devices and technologies in Chapter 14 and detail the threats they pose to your security and the privacy of your information. The industry trend is to move beyond the PC to perform different functions; however, advances in technology are not without cost.

Chapter 15, “Parental Controls”

Using the Internet securely can be learned from books or from practical experience. But how do you impress the need for security of personal information on your kids? Many kids are even more knowledgeable about using the Internet than their parents, but that doesn't mean they know or even care whether they are giving away personal information to anyone in a chat room, or by filling out a survey while using a service such as Napster or Morpheus.

As the parent and system administrator of your home, you need to understand how your family members are using computers in your home and how you can help them use technology securely. This can come close to invading your children's privacy, so it is a fine line that must be walked in securing your family in your home.

We cover several technologies in Chapter 15 that can help you protect your kids and allow you to monitor what they are doing. Much like you would not want children watching an R-rated movie, you will want to protect them from R-rated and X-rated material on the Internet.

Chapter 16, “Guarding Your System Against Hacking”

After we have discussed all the methods of securing your systems and devices and restricting access to your personal information, we discuss the ongoing security measures you must take to maintain your privacy. There will be continuous threats to your privacy, so you need constant vigilance to keep your information secure.

One key factor in maintaining good security is understanding how to detect a system compromise or detect someone making unauthorized access requests for your information. You will need to know how to respond to an attack and what steps are necessary to close the holes in your systems and maintain a good security posture.

Aside from technical monitoring of your systems and information, you do have legal recourse against attackers. Legal action is not as effective for home users as it is for corporations, but that will change over time. You must also know where the line is between securing your systems from a hacker and becoming a hacker yourself when you try to retaliate against someone. It's an easy step from victim to attacker, and you must know how to avoid stepping over the line. Chapter 16 is dedicated to understanding how to respond to attacks and maintain security over your information and systems on an ongoing basis.
