3/24/2005
The Wild Wild Web
By Marcus Mullins
Go online, young man
The American West of the mid-1800s was a wild, lawless
time in our history. Many of us tend to watch and read
depictions of that era with a mixture of amusement,
disbelief and a sense of detachment. That was a part
of America long ago, and we’re much more civilized
now in our 21st century society.
Or are we?
A more structured environment may exist in today’s
world, but we now have a new frontier — the Internet.
Like its counterpart 150 years ago, this land is anything
but tame. Highwaymen roam the streets and alleys. Thugs
wait around dark corners to steal our wallets. Conmen
seem to lurk everywhere and have new tools to aid them
in their constant quest for our money and identities.
Like towns of the Old West, the online world has relatively
few law enforcement officers compared to the vast landscape
to be policed. Today’s Internet consists of millions
of Web sites, e-mail accounts, and users. But unlike
the American West, the online world spans nearly every
continent and nation, making law enforcement and security
even harder to maintain. It doesn’t help that
governments are just now coming to understand the nature
of this new world.
So what can be done? Do we abandon the Internet in
fear, retreating to the physical world to avoid dangers
and pitfalls that our traditional protectors are unable
to guard against? Perhaps some will. But others may
find that, like the pioneers of 150 years ago, personal
security often depends on our ability to defend ourselves.
Pick up your rifles and throw the bolt on the front
door as we take a look at the dangers we face online
and how we might mitigate those risks.
A Winchester, a fast horse, and a 120 lb guard dog
In the Old West, having good defenses and keeping a
watchful eye usually provided better protection than
waiting for the Sheriff and his posse to arrive. And
so it is with the online world. Big Brother isn’t
able — or willing — to stand guard at every
door, so we have to make sure proper defenses are in
place.
A wide range of attitudes exists regarding how to treat
Internet access, spanning the spectrum from devil-may-care
openness to full-bore paranoia. Some users prefer to
ride the online trail with no protection: reusing the
same ID and password on every Web site, never verifying
if their connection is secure, and handing out personal
information like presents at Christmas. Others ride
out with a full complement of personal armor, bodyguards,
and several pack mules loaded with weapons and ammunition.
Neither extreme tends to work well, so we’ll focus
on an approach closer to middle ground.
A good place to start is with a broad understanding
of issues involved, so we’ll begin with a few
high-level concepts. Online security falls into four
broad categories:
• The ability to prove who we are and to determine
who someone else is (authentication).
• The ability to guard our information (encryption
and system security).
• The special challenges of traveling in the
ether (wireless).
• Understanding the dangers we face (risk assessment).
Make sure you take that letter from the governor
Authentication is important for establishing identity.
Unlike the real world where we can recognize a face
or go to a physical location such as a bank or store,
the Internet can only be experienced in an abstract,
arms-length way. When I go to my bank to make a deposit,
I know it’s my bank because it’s the same
location where I opened my account. It would be very
difficult for an imposter organization to remove the
existing bank and set up shop as a trap to gain my confidence.
Unfortunately, the electronic world makes just such
a ploy possible, depending on the circumstances.
But all is not lost. A way of identifying ourselves
and others exists via mechanisms such as IDs/passwords
and something called a certificate. The latter is simply
an electronic document devised to prevent forgery …
imagine a system similar to your signature on a check,
but much more difficult to mimic. IDs and passwords
tell an online bank or store that we are who we say
we are, while certificates are generally used to verify
that the Web site we’re connected to is actually
the place where we intended to arrive.
So we have a way to tell who is who, but what about
eavesdroppers? Unlike going to a bank in person or calling
a catalog store, our communications online can pass
through several intermediate locations before arriving
at the final destination. This is similar to sending
a letter through the U.S. Postal Service. A letter sent
from one coast to the other passes through at least
two post offices and several hands. Unlike sending a
letter, sending an e-mail can leave copies of the message
at every stop. You probably wouldn’t feel comfortable
if your letter was duplicated at each post office, with
the duplicate sent on to the next location. Yet this
isn’t far from what happens online.
Lemon juice ink and a good lockbox
This brings us to our next concept: encryption. It’s
technology that scrambles our messages so others cannot
read them, even if they’re intercepted. Web access
can be encrypted using something called SSL, or Secure
Sockets Layer, which is built into most modern Web browsers.
However, you can’t control when this protection
is used. The Web site does that. If you see a padlock
somewhere on the bottom of your browser, your communications
are encrypted. Otherwise, everything you type can be
viewed by someone else in the right place with the right
computer tools.
Files to be transferred can be encrypted using programs
such as PGP or Secret Agent. You might want to check
out Google.com and search the Web for PGP if you’re
handy with running programs from a DOS or UNIX command
prompt. If not, then contact your local computer geek
for assistance.
E-mail encryption is possible, but it’s not simple
to understand or configure, so get assistance from someone
with significant software configuration experience if
you’re interested in this protection.
System security involves the use of techniques to protect
your computer system from intruders while you’re
online. And make no mistake - attackers are very adept
at gaining entry to a user’s PC while he browses
the Internet, particularly if the user has a broadband
connection. Protection usually involves the use of a
firewall and intrusion-detection software. I suggest
checking online or magazine reviews of these packages
to determine the best option for your situation. Also,
these packages need to be used properly to be effective
— the best firewall on the market is useless if
it’s configured to allow almost any incoming communications.
When wireless doesn’t refer to a telegraph
Fairly recently our ability to go online became much
more convenient. No wires. No ball and chain tying us
to desks. Now we can connect from the couch, the kitchen,
practically anywhere within range of a wireless base
station. Using wireless communication is definitely
more convenient, but what about security?
The wireless path is a new trail, and we’re going
to have to come up with ways to deal with potential
risks. Toward that end, a technology called Wireless
Encryption Protocol (WEP) was invented to encrypt our
wireless messages. Unfortunately, it works more like
a tight doorknob than a deadbolt — it can slow
someone down but won’t keep a determined intruder
from getting in. WEP uses the same encryption technology
as SSL, but due to poor design decisions, this potentially
significant protection was hamstrung before it ever
left the gate.
Time to get a faster horse. Wi-Fi Protected Access
(WPA) is a new technology that promises to address the
security weaknesses in WEP. Unfortunately, WEP was the
leader and is now the dominant approach. So for now
we should rely on Web, file and e-mail encryption software
to address our privacy needs when using wireless connections.
Computer users who have access to VPN (Virtual Private
Network) may activate this encryption technology after
they connect to the wireless network. However, the network
does not provide VPN.
The Hot City network does not support the ability for
one computer using the service to communicate directly
with another on the network. In other words, the PC
user next door cannot attack your computer just because
you’re both using the same system. However, Hot
City users should still heed general risks of Web browsing.
Curious characters and highwaymen
Our final topic concerns the general risks involved
with going online. In a nutshell, Internet communications
are subject to monitoring and even tampering. This results
in the following risks:
• Lack of privacy when someone intercepts our
messages.
• Loss due to identity theft.
• Inconvenience or disaster when our computer
is compromised.
Hey! Whatcha doin’ in my cabin?
No one wants someone else rifling through his or her
personal possessions, but this is exactly what happens
online every day. When we don’t protect our IDs
and passwords, when we send private data without encryption,
when we’re too eager to provide information about
ourselves, we invite the curious and the criminal to
invade our space.
Why would someone care to do this to us? Simple human
voyeurism often plays a part, but sometimes it’s
more sinister.
Stick ’em up!
Hackers - not the criminal “cracker” variety
- have always roamed the dusty and often remote roads
of the Internet. But commercial interests have drawn
a new, more dangerous interloper: the con man. Like
the outlaw 150 years ago, these individuals typically
have the singular goal of separating us from our money.
This can occur through hacked bank accounts, stolen credit
card numbers, or identity theft.
The latter has begun to reach almost epidemic proportions
in the past few years as more and more of our business
transactions move online. A popular tack of late is
phishing. This attack relies on the difficulty of establishing
the identity of those who communicate with us online.
This usually starts as an e-mail from a “trusted”
institution requesting that we click on a Web link to
connect to their site to address an issue with our account.
Not surprisingly, many people fall for such a scam because
in the physical world we’re used to receiving
information from trusted sources. When was the last
time you received a phony but official-looking letter
from someone posing as your bank, requesting that you
call an included toll-free number to verify your account
information? I haven’t received any of those,
either. The closest most people come to that in the
real world is when a con artist calls and tricks someone
into parting with important information.
A good rule of thumb is identification, identification,
identification. Make sure you know who’s communicating
with you.
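The link check behind that rule of thumb can be automated. The following is an added example, not part of the original article: it scans an HTML e-mail body and flags links whose real destination does not match what the reader is shown. The names `LinkAuditor`, `suspicious_links` and `base_domain` are hypothetical, the sample message is constructed, and the last-two-labels domain comparison is a simplifying assumption.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Something that looks like a host name inside the visible link text.
HOST_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)

def base_domain(host):
    # Simplification (assumption): last two labels, no public-suffix list.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

class LinkAuditor(HTMLParser):
    """Collects (visible text, href) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def suspicious_links(html_body):
    """Return (text, href, reason) for links that hide where they lead."""
    auditor, findings = LinkAuditor(), []
    auditor.feed(html_body)
    for text, href in auditor.links:
        parts = urlsplit(href)
        if parts.scheme not in ("http", "https"):
            continue  # mailto: and similar are out of scope here
        host, shown = parts.hostname or "", HOST_RE.search(text)
        if re.fullmatch(r"[\d.]+", host):
            findings.append((text, href, "raw IP address"))
        elif "@" in parts.netloc:
            findings.append((text, href, "userinfo hides real host"))
        elif shown and base_domain(shown.group(1)) != base_domain(host):
            findings.append((text, href, "shown domain differs"))
    return findings

# Constructed sample body; example.com/.net and 192.0.2.10 are reserved names.
SAMPLE = """<a href="http://192.0.2.10/login">Click here</a>
<a href="http://www.bank.example.com@login.example.net/">Account center</a>
<a href="http://secure.example.net/verify">www.bank.example.com</a>
<a href="https://www.bank.example.com/help">www.bank.example.com/help</a>"""
```

Calling `suspicious_links(SAMPLE)` flags the first three links and passes the fourth, whose visible text and destination share a domain.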
I don’t feel so good, Ma
Just like the world of the pioneers, the Internet is
rife with all manner of nasty viruses. Computer viruses
spread from system to system by replicating themselves.
Each new host can then be used to infect others. Sound
familiar? That’s why they’re called viruses.
Worms can be a little more complex, but they pose less
of a threat to most home PCs. However, both infections
can do damage, from a system slowdown or annoying message
that occasionally appears to something more disastrous
such as having your hard drive formatted.
We may consider the medical science of the Old West
to be primitive by modern standards, but our current
approach to vaccinating and curing computers is almost
as crude as having someone bite down on a stick during
an operation. System security engineers have yet to
devise a vaccine for anything but the most specific
viruses and worms.
And unlike the human variety of bug, computer viruses
are intentionally engineered to circumvent our defenses.
The best we can do to protect ourselves — for
the time being — is to purchase antivirus software
and keep it updated. Basic preventive procedures such
as never opening e-mail attachments from strangers and
turning off HTML support in our e-mail readers can also
eliminate much of the problem. Consider the latter as
similar to your doctor’s advice concerning diet
and exercise. A little preventive medicine goes a long
way.
Riding off into the sunset
The online frontier may seem like a barren, inhospitable
wasteland at this point, but there is hope. Diligence
is the key. Protect your IDs and passwords (don’t
give them away), be the driver of most business communications
(don’t be quick to respond to e-mails you receive
from unknown addresses), don’t send private data
unless it’s encrypted, don’t open gifts
(e-mails) from strangers, and make sure you install and
properly use a firewall and/or intrusion detection package.
You won’t find yourself with hands raised overhead
and a revolver in your back if you’re careless
online, but you may lose just as much financially, and
otherwise, just as if a highwayman and his gang had
robbed you.