Harley Hahn's
Internet Advisor


Chapter 12...

Safety, Security and Privacy

There are millions of people on the Net — and millions of computers which you might access — and you and I have no control over any of them. Using the Internet connects your personal computer to the outside world, and that brings up several important concerns: safety, security and privacy. In this chapter, I will talk about all of these issues, and show you how to make your time on the Net pleasant and comfortable.

(In addition to what we discuss in this chapter, you may also want to take a look at Chapter 6, where I discuss privacy as it relates to email.)

Before we start, let me assure you that, regardless of what you might hear, safety, security and privacy on the Internet are not big problems for individual users. It is true that if you are running a computer network at a company, a school or some type of organization, you do need to pay a lot of attention to security issues. The same is true if you have your own Web server or mail server. Indeed, many organizations have full-time network administrators whose job is to make sure the networks and servers are secure.

However, when you use the Internet at home, even if you have a small home network and a high-speed connection, you don't need to worry — not as long as you follow a few simple guidelines. We will talk about these guidelines later in the chapter. In the meantime, don't worry.

— hint —

For a fascinating discussion of privacy, safety and security issues, take a look at my book Harley Hahn's Internet Insecurity.


Is It Safe to Send Personal Information
Over the Web?

SECURITY on the Internet refers to protecting yourself against problems that might arise as you interact with the outside world. In the broadest terms, there are two types of situations in which you might encounter a security problem:

  • When data is going out of your computer.
  • When data is coming into your computer.

In this chapter, I will discuss the various possibilities, along with potential problems and how you should think about them. Let's start with a real-life example of what happens when information leaves your computer.

Imagine you are using the Web, and you happen upon the Web site of the Acme Internet Shopping Company. As you peruse the site, you see a stuffed Bill Gates doll on sale for only $29.95. You immediately recognize this as an ideal Mother's Day gift and decide to order one right away. To do so, you need to fill out a form on the Web site. You do so, typing your name, address and credit card information. Let's pretend that you have just finished filling out the form, and are about to click on the Send button. What is going to happen when you click that button?

So far, everything you have typed is still on your computer. However, once you click the Send button, the information on the form is going to be sent to a remote Web server run by the Acme Internet Shopping Company. At that point, the data will be processed by a program which, presumably, will do whatever is necessary to initiate your order for the stuffed Bill Gates doll.

As long as everything works perfectly, it seems like a good system. After all, it might take you months to find a nearby store with stuffed Bill Gates dolls, and it is certainly more convenient to buy one over the Web. However, before you press that button, you need to ask yourself, "Is it safe to send my personal information over the Web to the Acme Internet Shopping Company?"

This question really has two parts. First, is your personal information secure as it travels from your computer to the remote Web site? Second, do you trust the Acme Internet Shopping Company to use the information responsibly?

The answer to the first question is easy: your personal information is secure as long as no one intercepts it along the way. In theory, a gang of bad guys with sophisticated equipment, exceptional skills, a lot of time, and enormous motivation might find a way to intercept your data as it travels from your computer to the remote Web site. These guys could make a copy of all the data, analyze it so as to extract your credit card number, and then use the information for nefarious purposes. However, the chances of all this happening are about the same as you being hit by a meteor right now as you read this. In other words, don't worry — the Internet is secure.

Let's put this in perspective. Suppose the Acme Internet Shopping Company takes orders over the phone, and instead of using their Web site, you decide to call them to place an order. Is that really safe? After all, someone could be tapping your phone illegally, listening day and night on the off-chance that, eventually, he might overhear some valuable information. Since such a scenario is technically possible, shouldn't you be afraid to say your credit card number out loud over the telephone?

Of course not. Although it is possible for someone to tap your phone line, it's not likely to happen, so you don't worry about it. I can tell you it's a lot harder to intercept data on the Internet than to tap a phone line, and no one is going to do either one just to steal your credit card number. People who steal such numbers have ways to get them that are far easier and much less risky.

So, the answer to our first question — is your personal information secure as it travels from your computer to the remote Web site? — is yes, so don't worry about it.

But what about the second question: Do you trust the Acme Internet Shopping Company? After all, you are sending them your credit card number. This is the same question you need to answer before you place an order with any company you don't know, whether the order is over the phone, by regular mail, or on the Internet. You need to ask yourself if you feel comfortable doing business with that company.

The nature of the Web is such that you can't judge a company by the quality of its Web site. On the Net, it is easy for a small, one-person business to look like a large, well-established firm. Questionable companies will often design a great-looking Web site that very carefully gives no information about how to reach a real person. So here is my advice.

Never do business with a company or person over the Web unless their Web site gives their phone number and postal address. Before you send an order to a company for the first time, call them on the phone and check things out. At the very least, ask if the item you want is in stock, confirm the price, and have them explain their refund policy. If you can't get a real person on the phone, or if you get a funny feeling about the company, do not do business with them.

If you want to be extra careful, order over the phone the first time you buy something from a new company. If everything works out well and you like the customer service, you can start ordering over the Net.

— hint —

When it comes to sending personal information on the Web, you can assume that the Net itself is safe.

However, you do need to confirm that the people who will be receiving the information are trustworthy.


Spending Money on the Net

The most common way to spend money on the Internet is by using your credit card number. I suggest you keep a record, on paper, of everything you order: the date, the amount, and the name of the company. This information will come in handy if you have a problem. If you buy many things over the Net, you may find that some of the charges don't appear on your credit card account right away. Thus, it is important for you to keep track of what you are spending.

Buying things over the Internet is so easy that the money will add up faster than you might expect. For example (and this is a true story), I have a friend who bought a lot of stuff over the Internet and didn't keep track of what she was spending. When the credit card statement came, it was so costly, she didn't have money left to pay her phone bill.

— hint —

As you buy things over the Internet, keep a running total of all the money you are spending.

Before you use your credit card to buy something, take a moment to calculate how many hours of work it will take you to pay for the purchase.


Unnecessary Security Warnings

From time to time, you may see a warning telling you that you are about to send data from your computer to the Internet. Typically, this will happen when you have filled out a form of some type and have just pressed a button to send the information. Figure 12-1 shows a typical warning you might see with Internet Explorer. When you see such a warning, you must choose whether or not you want to continue with the data transmission.

Figure 12-1: Security warning when sending data

These warnings are useless, and you can always ignore them. In fact, you should select the option within the warning box to indicate that you never want to see these warnings again.

So why are these warnings used in the first place? After much thought, the only reason I can come up with is to limit the legal liability of the browser company. Once Microsoft or Netscape shows such a warning to you, you cannot sue the company and say their browser sent information to the Internet without your knowledge. This is why, if you don't want to see the warnings all the time, you must turn them off explicitly.

Surely no one at Microsoft or Netscape actually believes you need a reminder that information is being sent to the Internet — not after you have just used your browser to fill out a form and have clicked on a Send button.


Secure Connections

When electronic commerce started on the Internet in the mid-1990s, the Web was still new, and many people were reluctant to use it for sending personal information, such as credit card numbers. This, of course, was an obstacle to business on the Net, and a number of companies, realizing that a lot of money was at stake, decided to do something about it.

Their goal was to make people feel comfortable about online transactions. To do so, they popularized the idea that what was holding back commerce on the Net was the lack of a completely secure means of data transmission. So, having invented a nonexistent problem, they proceeded to create a solution: a way to encrypt (scramble) data as it is sent over the Web. At the other end, the remote Web site that receives the data automatically decrypts it. When data is transmitted in this way, we say that it is sent over a SECURE CONNECTION.

Once secure connections were available, the Internet industry announced that electronic commerce was now "safe". As long as data is encrypted, they declared, you have nothing to worry about, because even if some bad guys do intercept a data transmission, they will not be able to read it.

Actually, as I explained earlier in the chapter, there is nothing inherently insecure about sending information over the Net, and, in real life, secure connections are never necessary. What you need to worry about is what you send and to whom you are sending it, not the safety of the actual transmission.

The reason I mention all this is that your browser has a lot of unnecessary security features. I won't go into them in detail, but I do want to mention them so you won't waste time worrying about silly ideas. Moreover, I do not want you to get a false sense of security. A secure connection will not protect you if you send valuable information to dishonest people.

— hint —

Technology, no matter how sophisticated, is not a substitute for common sense.

There are a number of systems and protocols used on the Web to provide secure connections. The most common protocol is SSL, which stands for Secure Sockets Layer. (A "sockets layer" is a facility used by programs to pass data back and forth.)

On occasion, you may see Web pages whose URLs begin with https (as opposed to http). The extra letter, s, indicates that the page uses a secure connection to transmit data. However, if you would like to know when you are using a secure connection, there is an easier way to tell. Just look on the status bar (the bottom line of your browser window).

Within Internet Explorer, a secure connection is indicated by a small picture of a locked padlock on the right half of the status bar. When you don't see a padlock (most of the time), it indicates a normal connection.


Cookies

As you wander around the Web, have you ever asked yourself, "Can a remote Web server track what I am doing?" The answer is, yes it can, to a limited extent. Such tracking is done by using what are called cookies.

A COOKIE is data sent by a remote Web server and stored in a file on your computer by your browser. At any time, a Web server (either the same one or a different one) can request a particular cookie, at which time the browser will look in the file, get the cookie and send it to the server. In other words, cookies are a way for any Web server in the world to store information on your computer for later retrieval.

What's in a Name?

cookie


The term "cookie" dates back to the Unix operating systems, which are much older than Windows.

In technical terms, a cookie is a small token of data that is passed between two programs in order to relate the current transaction to a later one. Consider the following analogy.

In many parking lots, you get a ticket as you enter, and on the ticket is the time and date. Later, when you leave the lot, you give the ticket to an attendant, who uses the information to tell you how much you need to pay. The parking lot ticket is a cookie.

Within Unix, such tickets have long been known as "magic cookies". At some point, an early Web programmer with Unix experience must have taken the name "magic cookie" and abbreviated it to "cookie".

Nobody knows the exact origin of the word "cookie", but clearly, it reflects a spirit of whimsy — neatly capturing the idea of a small object that is passed from one program to another.

In principle, cookies can be used to store just about any type of textual data. In practice, they are usually used to track your identity, your preferences, and your actions as you navigate the Web.

Obviously, this is a gross invasion of your privacy. Why, you might ask, would the browser companies build a cookie facility into their products? The answer to this question lies in understanding who are Microsoft's and Netscape's real customers. You and I are not their customers. We got our browsers for free, and no one makes money giving away free software. The real customers are the companies that pay for the server software and the programming tools used to build commercial Web sites. These companies want a way to track what you do on the Web, and that's why Microsoft and Netscape put a cookie facility into their browsers.

This is not to say that cookies are always bad. They are often used to keep track of information in a way that makes your life a bit easier. For example, there is a movie information site I sometimes use to find the names and times of movies playing in my town. The first time I used this Web site, I entered my zip code, which the Web server stored as a cookie on my computer. Now, each time I visit the site, the server retrieves my zip code (from my computer), and shows me information about the movies in my area.

Here is another example. Say you visit an online shopping site in which you move from one Web page to another, putting various items into your "shopping basket". When you are ready to "check out", the Web server sends you an order form containing a list of all the items you have chosen to buy. How does the server keep track of what you want? By storing cookies on your computer.

In such cases, cookies serve the legitimate needs of commerce. All too often, however, cookies are used to track your movements and your decisions as you use the Web. For example, many companies program their Web servers to store cookies on your computer documenting what you did when you visited their site. Later, as you visit various Web pages, those cookies are retrieved by servers that run sophisticated programs. These programs can control what you see, based on your previous movements. The programs also accumulate statistics and other information which is used for commercial purposes.

Similarly, a marketing company can put up attractive advertisements around the Web in order to induce you to click on them. Once you do, the server to which you connect might show you various types of information in order to gather data about your preferences and habits. This data can be stored on your computer, to be picked up later by the Web site of any company that subscribes to that particular marketing service.

Learn how to...

Control and Delete Cookies

If you want some control over how your browser handles cookies, there are various settings you can control.

So what can you do about cookies? You have several choices:

  • You can look upon cookies as a necessary evil and forget about them.
  • You can change certain settings in your browser. With Internet Explorer version 6, you get a lot of control over cookies. If you care about cookies, this is the browser for you. With older versions of Internet Explorer, you get a lot less control.
  • You can use a special program to give you control over cookies. Some of the ad blocking programs I mentioned in Chapter 7 will block cookies as well as advertisements. As I write this, my ad blocking program has blocked 111,689 cookies and 98,923 ads for me in the last 48 days. (I use my computer a lot.)

Try the different choices, and see what you prefer — you can't harm anything by experimenting. If you want, you can look at your cookies, or even delete them.
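The tracking described in this section, and the effect of blocking an advertiser's cookies, can be seen in a small simulation. This is an added example, not code from the book: the site names, the `visitor` cookie and the classes are all constructed, and the cookie file is modelled simply as a table keyed by the host that set each cookie.

```python
import itertools
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed sample data: three unrelated sites that all embed a banner
# from the same advertising server.
PAGES = [
    "http://news.example/politics",
    "http://shop.example/dolls",
    "http://movies.example/showtimes",
]
AD_URL = "http://ads.example/banner.gif"


class CookieJar:
    """Minimal model of the browser's cookie file, keyed by the setting host."""

    def __init__(self):
        self._store = {}  # host -> {cookie name: value}

    def store(self, url, set_cookie_header):
        host = urlsplit(url).hostname
        parsed = SimpleCookie()
        parsed.load(set_cookie_header)
        for name, morsel in parsed.items():
            self._store.setdefault(host, {})[name] = morsel.value

    def cookie_header(self, url):
        cookies = self._store.get(urlsplit(url).hostname, {})
        return "; ".join(f"{name}={value}" for name, value in cookies.items())


class AdServer:
    """Hypothetical ad server: tags each new browser and logs where its ads appear."""

    def __init__(self):
        self._ids = itertools.count(1)
        self.profiles = {}  # visitor id -> pages on which the ad was shown

    def serve_ad(self, cookie_header, referring_page):
        sent = SimpleCookie()
        sent.load(cookie_header)
        set_cookie = None
        if "visitor" in sent:
            visitor = sent["visitor"].value      # a browser seen before
        else:
            visitor = f"v{next(self._ids)}"      # first contact: issue an id
            set_cookie = f"visitor={visitor}; Path=/"
        self.profiles.setdefault(visitor, []).append(referring_page)
        return set_cookie


class Browser:
    def __init__(self, block_hosts=()):
        self.jar = CookieJar()
        self.block_hosts = set(block_hosts)  # hosts whose cookies are refused

    def visit(self, page_url, ad_url, ad_server):
        blocked = urlsplit(ad_url).hostname in self.block_hosts
        header = "" if blocked else self.jar.cookie_header(ad_url)
        set_cookie = ad_server.serve_ad(header, page_url)
        if set_cookie and not blocked:
            self.jar.store(ad_url, set_cookie)


def simulate(block_hosts=()):
    """Visit every page once and return what the ad server has recorded."""
    server = AdServer()
    browser = Browser(block_hosts)
    for page in PAGES:
        browser.visit(page, AD_URL, server)
    return server.profiles


if __name__ == "__main__":
    print("cookies accepted:", simulate())
    print("cookies blocked: ", simulate(block_hosts={"ads.example"}))
```

With cookies accepted, the ad server ends up with one profile listing all three pages; with its cookies blocked, it sees three apparently unrelated visitors.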


Java and ActiveX

Earlier in the chapter, I said there are two types of situations in which you might encounter a security problem:

  • When data is going out of your computer.
  • When data is coming into your computer.

We have already discussed what can happen when data leaves your computer. I would now like to talk about the possible risks of data from the outside world entering your computer and causing a problem.

The term "data" is a general one. It encompasses anything that can be stored on a computer. However, it is important to realize that the only type of data that can damage your computer is data that actively does something (such as a program). Data that just sits there (such as text or pictures) can't hurt you.

A program running amuck on your computer can cause a lot of damage. Such a program might freeze the entire system, modify important settings, or delete a lot of files. A cookie file, on the other hand, might contain information that invades your privacy, but the file itself won't damage your computer. Only a program that is running can damage your computer.

So, when we look at risks from the outside world, we have to ask the question: Is it possible for a program to enter your computer without your knowledge, and to start running automatically? If so, such a program poses a possible security risk.

Before I can answer this question, I need to digress for a moment and talk about two systems, called Java and ActiveX.

The Web was originally developed as a system to display various types of information. Information is sent from a Web server to your browser. The browser receives the information, and does whatever is necessary to process it for you.

Some years ago, programmers realized that the power of the Web could be increased significantly if Web servers could send more than information to be displayed. If there were a way for a Web server to send a program that would be run on your computer automatically, such a facility could open the door to a lot of cool and useful stuff.

Of course, a system that downloads programs from the Net and starts them running on your computer also opens the door to a massive amount of potential problems. For example, imagine you are using the Web, and you see an advertisement for free money. You click on the ad, and it takes you to a Web site where the server automatically sends a program to your computer that wipes out all the files on your hard disk.

Such catastrophes do not necessarily need to be the work of an evil mind. Even a legitimate program can have a bug that causes damage accidentally. The point is, if you are going to design a system in which programs can be run automatically on someone else's computer, you have to be very careful.

The programmers who wanted to develop such systems were well aware of these considerations. The first such system, JAVA, was developed by Sun Microsystems. From the very beginning, Java was designed with safeguards. (By the way, the name Java doesn't mean anything in particular.)

Java was based on a system that Sun had originally designed for controlling consumer electronic devices such as microwave ovens and telephones. The basic idea is to create small programs, called APPLETS, that are embedded within a larger system. (On the Web, Java applets are embedded within Web pages.) To maintain security, applets can only run within a special operating environment. This environment — called the JAVA VIRTUAL MACHINE — is provided by your browser. The Java system is designed very carefully to ensure that no applet can ever cause a problem on your computer, either on purpose or by accident. Moreover, Java is portable, so that an applet created for one type of computer (say, a PC) can run on another type of computer (such as a Macintosh).

The design of Java draws a clear line between your computer and the outside world. There is a basic assumption that programs that arrive from the outside world cannot be trusted. Thus, they are only allowed to run in a restricted environment (the Java virtual machine) that sets limits on what the program may do.

At Microsoft, they have a different philosophy. Microsoft (and especially Bill Gates) feels that there should not be a well-defined line between your computer and the rest of the world. You should be able to look at data and programs anywhere, and use them without caring where they are. Within this vision, a program that resides on a computer down the hall, or on the other side of the world, should be as accessible as a program on your own computer.

Thus, when Microsoft wanted their own Web-based facility to download and run programs automatically, they developed two completely different solutions.

First, they licensed Java from Sun Microsystems and created a Java system of their own. Thus, Internet Explorer (as well as Netscape) will run Java applets.

Second, they created a brand new system called ACTIVEX. ActiveX is based on Microsoft's family of programming tools, and is promoted as a richer, more powerful alternative to Java.

Unlike Java, ActiveX programs (which aren't really applets) are not constrained to run within a restricted environment. Thus, they have no limitations and, as such, are the cornerstone of Microsoft's vision that there is no real line between your computer and the outside world. Of course, having no limitations also means that it is possible for an ActiveX program to cause damage to your computer.

Obviously, there is a security problem here. If you can't guarantee that a program is safe, how can you feel comfortable running it on your computer? The answer is, you can't, so there is a clear tradeoff:

  • Java keeps its programs safe, but by doing so, limits their usefulness.
  • ActiveX is not safe, but it allows more powerful and more useful programs.

So what did Microsoft do about this? After all, customers — especially corporate customers — are uneasy knowing that every time a person clicks on a link, he might be downloading and running a potentially damaging program.

To reconcile all these considerations, Microsoft created a system of security settings within Internet Explorer that gives you the illusion of safety without limiting the power of ActiveX. To me, this is a remarkable achievement — a triumph of marketing and double-talk over rational thought.

Are you intrigued? Read on.


Security Settings in Your Browser

One day, a total stranger walks over to where you are sitting, hands you a cup containing an unknown liquid, and says, "Drink this." He then walks away. Would you drink the liquid or would you be too suspicious?

Suppose your mother were to offer you a similar-looking drink. Would you be more likely to try it?

As far as Microsoft is concerned, the answer is yes, because you trust your mother more than you trust a total stranger. This is the idea behind the Internet Explorer security settings.

As I explained in the previous section, Java applets are inherently safe, but limited in what they can do for you. ActiveX programs can be much more powerful, but pose a definite security risk. ActiveX, however, is Microsoft's first choice, so to deal with the uncertainty, they have devised a complex scheme that is implemented within Internet Explorer by a system of security settings.

There is no way to guarantee that any particular ActiveX program is safe. However, you can ask yourself, "Who created the program, and do I trust that person or organization?" For example, if an ActiveX program comes from the Web site of an unknown college student, you might think twice before allowing the program to run on your computer. On the other hand, if a program comes from, say, Microsoft's Web site, you would feel more comfortable about letting the program run on your computer. At least, that's the theory.

To put this theory into practice, Internet Explorer requires you to classify all Web sites as being in one of four different categories, called ZONES. You can then assign a particular SECURITY LEVEL to each zone. Whenever you visit a Web site, Internet Explorer checks to see what zone it is in. Then, based on what security level you have assigned to that zone, the browser knows what to do if the Web site sends an ActiveX program to your computer.

The details, as you might imagine, are appalling, and the whole system is pretty much useless. However, as I said earlier, the system does give the illusion of safety, which is not to be sneezed at. In real life, very few programs on the Web actually cause trouble, and realistically, there isn't all that much to worry about. As such, there is a lot to be said for making people feel more secure.

In case you want to investigate the Internet Explorer security system for yourself, I'll give you a quick summary, and then tell you where to find the actual settings.

The four different zones are as follows:

Internet Zone: All the Web sites that are not part of another zone.

Local Intranet Zone: This zone contains all the Web sites within your organization's internal network (which doesn't mean much unless you have an organization with an internal network).

Trusted Sites Zone: This zone contains all the Web sites you believe will not cause damage to your computer.

Restricted Sites Zone: All the Web sites you believe might cause damage to your computer.

Your job is to assign a specific security level to each zone. You have several choices:

  • High Security: Never do anything that could potentially cause trouble.
  • Medium Security: Warn the user and ask for permission before doing anything that could potentially cause trouble.
  • Medium-low Security (Internet Explorer version 6): Allow a few actions that could cause trouble but are highly unlikely to do so.
  • Low Security: No warnings, no protection. (Just do it!)
  • Custom Security: A customized security level, based on selections you make from a large list of confusing choices.

Of course, all of this begs the question, how do you know whether or not a Web site has the potential to cause a problem? Microsoft's solution is to recommend that Web sites use a SECURITY CERTIFICATE, an electronic confirmation that a particular Web site is "secure and genuine".

For example, let's say you are willing to put a particular IBM Web site into your trusted sites zone, as long as you are sure that the site really does belong to IBM. The way IBM convinces you the site is really theirs (and hence, can be trusted) is by obtaining a security certificate for that site. Whenever you go to the site, the IBM Web server sends your browser the security certificate, which your browser can verify automatically.

Are you confused? So is everyone else. My advice is to ignore the whole thing and hope for the best. The chances of your ever running into a damaging ActiveX program are very low. In fact, I have never met anyone who has had trouble — it's mostly a psychological problem.

If you are curious, and you would like to look at the Internet Explorer security settings:

  1. Pull down the Tools menu and select Internet Options.
  2. Click on the Security tab.

— hint —

When I was in medical school, I had a good friend named Tim Rutledge who once made a philosophical observation I will never forget.

The reason I mention it here is that Tim's comment is the very best advice I can give you about the Internet Explorer security settings:

"When you get serious about bullshit, you're getting into serious bullshit."
    —Tim Rutledge


Computer Viruses

You have probably heard about computer viruses, but you may not understand exactly what they are. Is a computer virus like a real virus? Computers don't really get sick — or do they?

The answer is, a computer virus is not a real virus. The idea is a metaphor. A computer VIRUS is a small program that is designed to insert itself into a file containing another program. When the second program runs, the virus becomes active. Depending on how the virus is designed, it may or may not cause a problem. Thus, computer viruses are not biological organisms. They are small, carefully crafted programs deliberately designed by bad people to do bad things.

Your computer cannot be "infected" by a virus, the way you and I can catch a cold. The only way you can get a virus on your computer is to run a program that already contains the virus. Now, the Internet is the largest repository of software in the world. (See Chapter 9.) It is natural to wonder whether or not it is dangerous to download software from the Net.

The answer is no. There is virtually no chance that you will encounter a virus by downloading software. Personally, I have downloaded more software than I can remember, and I have never even seen a virus.

The reason downloading is safe is that the people who run software repositories scan programs for viruses before making the programs available to the general public.

There are only two situations in which you need to be concerned about viruses: when you use a floppy disk to copy programs from another computer, and when you open email attachments. Let's deal with each one in turn.

If you copy a program from someone else's computer to your own, that program might have a virus. This can happen when you use a floppy disk that was in a public computer, such as the ones you find in a library or in a school. Because so many people bring their own disks to use with public machines, it sometimes happens that such computers have a program containing a virus.

Here is an example. Your son is working at school and he finds a program he wants to use at home. So he puts a floppy disk into the school computer, and copies the program to the disk. Later, your son brings home the disk, and copies the program to your home computer. Unfortunately, if the program had a virus, it has now spread to your computer.

The easiest way to avoid this problem is to make a rule that no one is allowed to put a floppy disk in your computer, if the disk has ever been in a computer that is outside your control.

— hint —

To prevent a virus from spreading to your computer:

  • Never use a floppy disk to transfer a program from someone else's computer.
  • Never allow your children to bring home floppy disks from school.


Email Attachments and Viruses

As I explained in the previous section, a virus will only become active when you run a program in which the virus is embedded. Is it possible for a virus to get to your machine via an email message? The answer is, yes, it is possible, but only if someone mails you an attachment that contains a program and you run that program.

An attachment is a file that is sent along with an email message (see Chapter 5). To access an attachment, you must open it.

In Chapter 9, we discussed what happens when Windows "opens" a file. There are two possibilities. First, if the file contains data, Windows will start a program that knows how to deal with that type of data. For example, if you open an attachment that contains a picture, Windows will start a program to display the picture for you. If you open an attachment that contains a word processing document, Windows will start your word processor.

The second possibility is that the file contains a program. In that case, Windows will run the program, and herein lies the problem. Most of the viruses on the Net are embedded in programs that are passed, as attachments, from one person to another. A typical scenario is that someone receives a message from a friend. The message contains an attachment and, without thinking, the person clicks on the attachment, which tells Windows to open it. Windows then starts running the program, and the virus becomes active.

How can this happen? There are two main reasons.

First, the malevolent people who write email viruses disguise them to look safe. (I'll give you an example in a moment.) Unless you know what to look for, it is easy to be fooled into opening an unsafe attachment. When you do, you activate the virus.

Second, there is a serious security flaw in the way Microsoft has designed its email programs, Outlook and Outlook Express. This security flaw allows a virus to email a copy of itself to everyone in your address book. This means that everyone whose address is in your address book will get a message that looks as if it came from you and, within the message, will be an attachment containing a copy of the virus.

When this happens, the virus does its work silently. You won't even know what happened until you start to get complaints from your friends. Fortunately, this can't happen unless you use Outlook or Outlook Express. However, since these mail programs are widely used, the problem is a significant one.

— hint —

If a message containing an attachment comes from someone you trust, can you assume that the attachment is safe to open?

No. It may be that the message was sent by a virus running on your friend's computer.


How to Guard Against Email Viruses

How do you guard against email viruses? It's easy; all you have to do is make sure that you never open an attachment that contains a program. Unless you are 100 percent sure that an attachment is safe, don't click on it. Just delete it.

An attachment is just a file. As we discussed in Chapter 9, you can tell what is contained in a file by looking at its name. In particular, you need to look at the last part of the name, called the extension.

For example, let's say someone sends you a file named cat.jpg. In this case, the extension is jpg, which indicates that the file contains a picture in JPEG format. This file is safe to open.

However, let's say you get another file named freestuff.exe. In this case, the extension is exe, which indicates that the file contains a program. This file is not safe to open.

So how can you tell whether or not an attachment is safe to open? Easy, just look at the file name and determine the extension by checking with the lists in Figures 12-2 and 12-3. The extensions listed in Figure 12-2 indicate that the file contains some type of program. These files are not safe to open.

Unless you are sure that the attachment is safe to open, delete it. That's all you have to do, and you will never have problems with an email virus.

Figure 12-2: File extensions: unsafe to open

Extension   Meaning
bat         Batch file
chm         Compiled HTML file
com         Program
eml         Outlook Express mail message
exe         Program
htm         HTML file
html        HTML file
js          JScript program
jse         Encoded JScript program
lnk         Windows shortcut [link]
nws         Outlook Express news message
pif         Program information file
vbs         VBScript program
vbe         Encoded VBScript program
wsf         Windows Script File program
wsh         Windows Scripting Host Settings File

Figure 12-3: File extensions of attachments: safe to open

Extension   Meaning
gif         Picture in gif format
jpg         Picture in jpg format
mp3         Music
txt         Plain text
wav         Sound

There is one trick virus programmers use of which you should be aware. They try to disguise the file extension of the virus file in order to fool you.

Suppose you receive an attachment with the name:

sexpicture.vbs

You would know not to open it because the file extension is vbs, which indicates a type of program. However, what if you receive a file named:

sexpicture.jpg.vbs

You must look carefully. Ignore the fact that this looks like a jpg file. It isn't. It's really a vbs file. A file can only have one extension. In this case, the jpg is thrown in to be misleading.

The problem is that, in some cases, your mail program may not show you the full file name. It may omit the extension, thinking it is doing you a favor. If this happens, all you will see is:

sexpicture.jpg

You will then think that the attachment is safe, when it isn't. Fortunately, this only happens with Microsoft mail programs. To keep this from happening, you must tell Windows that, at all times, you want to see full file names. You do so by setting an option in Windows Explorer. Take a moment and do it right now.

  1. Start Windows Explorer. (Click on the Start button. Select Programs, and then click on Windows Explorer.)
  2. Pull down the View menu and select Folder Options. (With some versions of Windows, you pull down the Tools menu and select Folder Options.)
  3. Click on the View tab.
  4. In the Advanced settings area, look in the Files and Folders section. Look for the option Hide file extensions for known file types. Make sure this option is turned off.
  5. Click on the OK button to close the window.
  6. Close Windows Explorer.
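
The extension check described in this section can be written as a short program. The following Python sketch is an added example, not part of the original chapter: it applies the lists from Figures 12-2 and 12-3, treats anything not on the safe list as something to delete, and flags names such as sexpicture.jpg.vbs that look safe once the real extension is hidden. The function and field names are assumptions made for illustration.

```python
from typing import NamedTuple, Tuple

# Figure 12-2: extensions that indicate some type of program (unsafe to open).
UNSAFE_EXTENSIONS = frozenset({
    "bat", "chm", "com", "eml", "exe", "htm", "html", "js", "jse",
    "lnk", "nws", "pif", "vbs", "vbe", "wsf", "wsh",
})
# Figure 12-3: the only extensions the chapter treats as safe to open.
SAFE_EXTENSIONS = frozenset({"gif", "jpg", "mp3", "txt", "wav"})


class Verdict(NamedTuple):
    action: str      # "open" or "delete"
    extension: str   # the one real extension (the text after the last dot)
    shown_as: str    # the name displayed when the extension is hidden
    disguised: bool  # True if the hidden-extension name looks safe but is not
    reason: str


def split_name(filename: str) -> Tuple[str, str]:
    """Split a file name into (stem, extension); only the last dot counts."""
    name = filename.strip().rstrip(". ")   # stray trailing dots/spaces are not an extension
    stem, dot, ext = name.rpartition(".")
    if not dot or not stem:                # no dot at all, or a name like ".profile"
        return name, ""
    return stem, ext.lower()               # extensions are compared case-insensitively


def classify(filename: str) -> Verdict:
    """Apply the chapter's rule: open only what is on the safe list."""
    stem, ext = split_name(filename)
    # What the name appears to end with when the real extension is hidden.
    _, inner = split_name(stem)
    safe = ext in SAFE_EXTENSIONS
    disguised = (not safe) and inner in SAFE_EXTENSIONS
    if safe:
        reason = "on the safe list (Figure 12-3)"
    elif ext in UNSAFE_EXTENSIONS:
        reason = "contains a program (Figure 12-2)"
    else:
        reason = "not on the safe list"
    return Verdict("open" if safe else "delete", ext, stem, disguised, reason)


# Constructed sample names, including the chapter's own examples.
SAMPLES = [
    "cat.jpg", "freestuff.exe", "sexpicture.vbs", "sexpicture.jpg.vbs",
    "PHOTO.JPG", "report.doc", "README",
]

if __name__ == "__main__":
    for name in SAMPLES:
        v = classify(name)
        flag = "  <-- disguised" if v.disguised else ""
        print(f"{name:22} {v.action:7} {v.reason}{flag}")
```

Note that the decision is made on the safe list alone, so a file with an extension that appears in neither figure is deleted as well.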


Protecting Against Email Viruses
with Outlook Express

If you have Outlook Express version 6 (it comes free with Internet Explorer version 6), there are some settings you can use that go a long way toward protecting your system against email viruses.

Here is how to use them:

  1. Start Outlook Express.
  2. Pull down the Tools menu and select Options.
  3. Click on the Security tab.
  4. Under Virus Protection, make sure that the following two options are turned on:
    • "Warn me when other applications try to send mail as me."
    • "Do not allow attachments to be saved or opened that could potentially be a virus."
  5. Click on the OK button.


Antivirus Programs

To help detect and protect against viruses, there are a variety of ANTIVIRUS PROGRAMS available. Such programs will scan your computer's memory, as well as all the files on your hard disk, looking for telltale signs of known viruses. Antivirus programs may also run in the background, continuously checking for viruses as you work.

Do you need an antivirus program? Under certain circumstances, the answer is yes:

  • If your computer is on a network that you do not control, say, at work.
  • If people can access your computer and you cannot guarantee that they will follow the rules we have discussed in this chapter.
  • If you are running some type of server, such as a Web server or mail server.

In general, if you have a computer at home, or at a small office without a network, you do not need an antivirus program. I know that you have probably heard a lot about viruses. I also know that many people say that, to be safe, you need to have an antivirus program. This is not true. As long as you follow the guidelines I have outlined in this chapter, you will be okay.

But why not use an antivirus program anyway? The answer is that antivirus programs are not completely benign. Because they are so intrusive, they can slow down your system, and they can cause other programs to fail in mysterious ways.

When you use an antivirus program, you must keep it up to date, and updates cost money. (That is how antivirus companies make money.)

Here is the whole thing in a nutshell. If you use an antivirus program, you won't be absolutely safe unless you follow the rules we have discussed. But if you follow the rules, you don't need an antivirus program.

— hint —

To protect yourself against viruses, all you have to do is follow these three precautions:

  • Delete all email attachments except those with a file extension of gif, jpg, mp3, txt or wav.
  • Never use a program that has been on someone else's computer.
  • Never put a floppy disk into your computer if it has been in another computer.

In case you do need an antivirus program — for example, if you can't control what your kids are doing on the family computer — here are some resources to help you.


Macro Viruses

Some programs, such as word processors, have a facility called MACROS. A macro is a list of instructions that you create in order to automate a specific task. Once you create a macro, you can attach it to a document.

It is possible to make a macro that, if attached to a document, will act like a virus when that document is opened by a program. Sometimes, such MACRO VIRUSES are attached to files that are then shared among a number of people. Thus, if someone sends you a word processing file by mail, it behooves you not to run any macros that may be attached to the file.

If you use Microsoft Word or Excel (a spreadsheet program that also offers macros), there is an option you can set to help guard against macro viruses.

Within Microsoft Word or Excel...

  1. Pull down the Tools menu and select Options.
  2. Click on the General tab.
  3. Make sure Macro Virus Protection is turned on. If not, click on it.
  4. Click on the OK button.

Once you set this option, the program will warn you whenever you open a file that might contain a macro virus. You can then choose to disable the macros attached to that file. As long as you always disable such macros, you will never have a problem with macro viruses. Thus, the only way to have trouble is to open a document that has a macro virus and then choose not to disable the macros.

Since macros run within a specialized environment (such as a word processing program), macro viruses are not as harmful as regular viruses. Still, a macro virus can be troublesome if you get one. This might happen if you work with people who mail you documents that contain macros that you do not want to disable.

If you work in such an environment, you may want to get an antivirus program that is capable of checking for macro viruses. Such a program will scan every document as you open it and tell you if it contains a macro virus. If so, the antivirus program will neutralize the virus. This allows you to use macros sent to you by other people.

For most people, macro viruses are not a problem. Just set the option I mentioned above, and make sure you disable any macros that come from an outside source.


Virus Hoaxes

Far more troublesome than actual viruses are virus hoaxes. Information spreads rapidly on the Internet, and rumors and myths spread fastest of all. A VIRUS HOAX is an erroneous belief that a particular virus (which may or may not exist) is a potential source of trouble. Virus hoaxes spread by mail and on Usenet discussion groups when well-meaning people warn other people about nonexistent problems.

If you ever receive such a message, couched in terms of breathless panic and warning you of an impending virus, I can tell you right now the message is wrong. Perhaps it is human nature, but many people are all too eager to believe that forces beyond their control (such as computer viruses) are lurking nearby, ready to swoop down and cause a catastrophe. Unfortunately, too many people are willing to accept such a warning, no matter how unfounded it may be, simply because they don't understand the details.

One of the most common types of virus hoaxes purports to describe a deadly email virus. Such a hoax comes in the form of a message warning you not to read messages with specific words in the subject line. The warning declares that even the mere act of opening such a message may trigger a virus that will damage your computer. The virus hoax spreads because well-meaning people, who don't know any better, send copies of the warning to all their friends, thus perpetuating the hoax.

In real life, virus hoaxes are far more common (and far more disconcerting) than actual viruses. In fact, some people feel that the real viruses are the hoaxes themselves.

If you ever do receive a virus warning via email, take a moment and check with the Web sites mentioned below. It may be that the virus is real, in which case you can share the information with your friends. Most likely, however, the warning will be a hoax. For this reason, do not forward any type of virus warning to anyone until you have checked it out.

— hint —

The only way to activate a virus on your computer is by running a program in which the virus is embedded.

It is impossible to activate a virus by reading the text of a mail message, as long as you never open an attachment that contains a program.


Spyware

Spyware refers to a program that runs on your computer, without your knowledge, and secretly uses your Internet connection. How does spyware get on your system? A number of programs — in particular, some freeware and shareware programs — secretly put a spyware program on your computer as part of their installation process. Of course, the companies that offer these programs don't tell you that, when you install them, you will be getting an unexpected visitor.

The purpose of the spyware is to monitor what you are doing and to send information about your computer and your activities to a remote computer. In most cases, this information is used for marketing purposes. However, spyware is not always benign. Some spyware programs will actually make changes in your system.

To make things worse, in many cases, when you uninstall the original program, the spyware still stays on your system! If you think about it, you can see that, in many ways, spyware is like a virus. The main difference is that spyware does not spread by itself.

How do you detect spyware? Easy. Just use one of these free anti-spyware programs.


Children and the Internet

There is an interesting paradox with respect to how we think about children. On the one hand, we know children need supervision and guidance. No matter how grown up they may act, they are not adults. On the other hand, we sometimes treat children as if they are fragile, worrying about them more than we need to.

There is an irony here, because we were all children ourselves at one time. Think back, and I bet you can remember how silly the adults seemed when they worried so much about things that were perfectly harmless. However, as we grow up, our memories fade, and one day we find ourselves having the same types of worries as our parents. Of course, now it is different, because these are our children.

So how should you think about the Internet when it comes to your children? Different children have different needs, and you have to do what you think is appropriate. My intention is to give you a few guidelines to consider and then talk a bit about the nature of the Internet, so you can figure out what's best for you and your kids.

In general, the Internet is a safe place. After all, when your kids use the Net, they are indoors, not wandering around the outside world. Because of the nature of the Net, you do need to show your children how to evaluate information and how to maintain their privacy. However, you do not need to worry about physical danger.

But what about those stories you read in the newspaper? Isn't it true that there was a kid who met an adult on the Internet, who then lured the kid to a real-life meeting in which something bad happened?

Perhaps somewhere in the world, at some time, something like this actually happened, but let me assure you that it's not going to happen to your kids. Millions of children around the world use the Internet every day in perfect safety. The cumulative effect of the scary stories you see in the newspaper is highly exaggerated.

Actually, what your kids already know about talking to strangers is most of what they need to know about the Internet. Tell them there are certain things they should not talk about (make up your own list) and certain types of people they should avoid.

Just as important, help your children understand that they must protect their privacy. Young children should know they cannot give out a mail address, phone number or street address without asking you first. Some parents do not let their kids fill out any form that requests information until they have shown it to a parent. For example, you may not want your children to fill out surveys that ask for marketing information about your family. Similarly, you might make a rule that your children are not allowed to download any files or programs without your permission.

Explain to your children that the Internet is a place where you really don't know whom you are talking to unless you already know the person in real life. For example, just because someone in a Web chat room says she is a 15-year-old girl, it doesn't mean she really is a 15-year-old girl. It is common, and perfectly acceptable, for people to use an alias (pretend name) when they talk to people on the Net.

What really helps is to find time to explore the Internet with your kids. As you use the Net, explain to them that they can't believe something just because they see it on the computer. Young children especially may not understand that anyone can create a Web site with whatever content they want.

Show your children that you expect them to make active judgments about the quality of the information they see. Teach them how to decide whether or not to believe what they read. At the same time, you may also want to talk to them about the massive amount of advertising they are going to encounter, and how they should think about it. (I strongly suggest you use one of the ad blocking programs I discussed in Chapter 7.)

A great way to help your children is to steer them toward Web sites that are suitable for their age level. There are several ways to do so. First, you can spend some time searching for Web sites you like and build your kids a customized Favorites or Bookmarks list (see Chapter 7). You can also trade URLs (Web addresses) with other parents.

With young children, it is best to start with a Web site that has lots of activities for kids their age. When you let them play on their own, take a look from time to time to make sure they haven't accidentally wandered off track.

Similarly, you can introduce your little ones to electronic mail in a gradual fashion. Have them send mail to friends you know, and read the replies together. As your kids get older, you can give them more freedom. Eventually, you can let them send and receive mail on their own, but they should know that you control the computer, and you have the right to look at any mail whenever you want.

If you would like some ideas about Web sites for your kids, I have a few suggestions. First, take a look at my book Harley Hahn's Internet Yellow Pages where you will find lots of Internet resources. In particular, there are sections for children, teenagers, families and parents.

Aside from books, another good way to find Web sites for your kids is on the Internet itself. Here are some places to get you started:


Harley Hahn's 3 Guidelines for Happy
Family Internet Usage

There is a lot we can talk about with respect to children and the Internet. You will find a detailed discussion of this topic in Chapter 14 of my book Harley Hahn's Internet Insecurity. Within that chapter, you will also find a lot of information about the Internet and relationships. (If you suspect that your husband or wife is up to some funny business, this is the place to look for help.)

In the meantime, here are some guidelines to help you ensure that your children have a safe, rewarding time using the Net.

1.  Learn about the Internet yourself.

In particular, learn how to send and receive mail (Chapters 5 and 6 of this book), how to use the Web (Chapter 7), and how to instant message (Chapter 8). It is important that you understand IMing (instant messaging), as your kids will spend a lot of time doing it.

2.  Put all the family computers in an open area.

Your kids should know that they can only use the computer in an area that is not private, such as your living room or TV room. They should not be allowed to use their computer in the privacy of their own room with the door shut.

Yes, I know your kids will complain about this, especially if they are teenagers ("But Mom, Kalissa gets to have a computer in her bedroom. You treat me like such a child...")

Just remember, you are the parent. Be firm.

3.  Set basic rules and stick to them.

It is important to develop a realistic sense of what might hurt your children.

When your kids are young, spend some time with them, using the Internet together. As they get older, let them use the Internet by themselves, but make sure they understand that you have the right to monitor what they are doing whenever you want.

(For a lot more information, including suggestions as to what rules to set, see the book I mentioned above.)


Filtering Software and Rating Systems

The very best guardian for a young child is the eye of a parent. However, you can't be everywhere all the time. For this reason, there are various programs you can buy to restrict your children's use of the Internet. These programs are called FILTERING SOFTWARE or CENSORWARE, depending on your point of view. (You will also see a lot of other euphemisms, such as "parental control software", "content filters", "blocking software", and so on.)

There are two basic approaches to such programs. Some operate with a list of forbidden sites called a BLACKLIST. The program works with your browser to make sure your child cannot go to any of the Web sites on the blacklist. Other programs use a WHITELIST of approved sites. In this case, the program allows access to only those Web sites that are on the list.

Such programs usually have a number of options that can be changed, but only by someone who knows the password (which you set). Thus, you can turn the various features off and on as you see fit.
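
The difference between the two approaches shows up with a Web site that is on neither list. The following Python model is an added example, not code from any filtering product: the class name, the matching rule (a listed site also covers its subdomains) and the example.* host names are assumptions made for illustration.

```python
from urllib.parse import urlsplit


def host_of(url: str) -> str:
    """Return the lowercased host name of a URL ('' if there is none)."""
    if "//" not in url:                # allow bare names such as "kids.example.org"
        url = "//" + url
    try:
        host = urlsplit(url).hostname or ""
    except ValueError:                 # malformed address
        return ""
    return host.rstrip(".")


class SiteFilter:
    """A blacklist blocks listed sites; a whitelist blocks everything else."""

    def __init__(self, mode, sites):
        if mode not in ("blacklist", "whitelist"):
            raise ValueError("mode must be 'blacklist' or 'whitelist'")
        self.mode = mode
        self.sites = frozenset(h for h in (host_of(s) for s in sites) if h)

    def is_listed(self, host: str) -> bool:
        # Assumed rule: an entry matches the site itself and any subdomain.
        return any(host == s or host.endswith("." + s) for s in self.sites)

    def allows(self, url: str) -> bool:
        host = host_of(url)
        if not host:
            return False               # nothing to check: refuse in both modes
        listed = self.is_listed(host)
        return listed if self.mode == "whitelist" else not listed


def compare(urls, blacklist, whitelist):
    """Map each URL to (allowed by blacklist filter, allowed by whitelist filter)."""
    return {u: (blacklist.allows(u), whitelist.allows(u)) for u in urls}


# Constructed lists and addresses (reserved example domains).
BLACKLIST = SiteFilter("blacklist", ["blocked.example.com"])
WHITELIST = SiteFilter("whitelist", ["kids.example.org"])
URLS = [
    "http://kids.example.org/games",
    "http://www.blocked.example.com/",
    "http://unlisted.example.net/",
]

if __name__ == "__main__":
    for url, (by_black, by_white) in compare(URLS, BLACKLIST, WHITELIST).items():
        print(f"{url:36} blacklist={by_black!s:5} whitelist={by_white}")
```

The unlisted site is the telling case: the blacklist filter lets it through and the whitelist filter blocks it, so everything depends on who maintains the list.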

The big question, of course, is how does a particular Web site get on a blacklist or a whitelist? Usually, these lists are maintained by the companies that sell the filtering programs, and as you might imagine, there is a lot of controversy. Although filtering software seems like a noble idea, in practice, such programs are restrictive and highly arbitrary. In my experience, parents who understand the Net well do not use these programs.

What works best is to tell your children what is acceptable and what is not, and then enforce the rules. With young kids, it is a good idea to use the Net together. With older kids, you can talk about their Internet activities around the dinner table. In this way, you can keep a careful eye on what your kids are doing, while having the same type of sparkling conversation that you already enjoy about their school activities:

PARENT: So, what did you learn on the Net today?

CHILD: Nothing.

PARENT: And what did you do?

CHILD: Nothing.

PARENT: What Web sites did you visit?

CHILD: Nothing important.

PARENT: Well, who did you talk to?

CHILD: No one...

(You get the idea.)

Another approach to parental control is to use Web site ratings. The idea is to have many Web sites rated in some manner, and to use a browser that looks at the rating for each Web site before loading it. By changing various settings within the browser, you can control access to Web sites based on their ratings.

Toward this end, a set of standards called PICS has been developed for creating rating systems. (PICS stands for Platform for Internet Content Selection.) Internet Explorer has a built-in facility, called the CONTENT ADVISOR, that lets you control access to Web sites, based on ratings from any PICS-compliant rating service. To access the content advisor:

Within Internet Explorer:

  1. Pull down the Tools menu and select Internet Options.
  2. Click on the Content tab.
  3. Under Content Advisor, click on the Enable button.

For more information about the Web site rating systems, you can check out the following resources:

However, before you rush into any of this, I want to say a few more words.

The Internet is a public arena used by millions of people all over the world. Some of those people are bad, and some of the ideas on the Net are bad, and it is possible that your children could get hurt in some way by using the Net. However, the chances of anything bad happening are slight, and there is no reason why you can't feel comfortable letting your kids use the Internet.

Filtering software and rating systems may seem like worthwhile ideas, but my advice is to avoid them. Why? With any filtering system, you always have to ask, who is the censor? Who gets to decide for your kids what is okay and what is not okay? In my opinion, many (but not all) of the people involved in these schemes are fanatics, who see the world as a scary place and are doing their very best to scare as many other people as they can.

Moreover, filtering software and rating systems are far from foolproof, and using them can give you a false sense of security. In spite of what children may think, they do need our guidance — the child who doesn't need rules has yet to be born. However, it is also true that youngsters are far more resilient than we sometimes realize. (Just remember back to when you were a kid.)

Realistically, there is no such thing as a computer program or a ratings system that is going to protect your children. On the Internet, as in other aspects of life, the children who do best are the children who have the help of the people who love them more than anyone else in the world: their parents.

— hint —

As your children use the Internet, their safety and security are guaranteed by their behavior, your good judgment, and the innate goodness of the Net itself.
