Whenever you go to a website, everything you see is downloaded to your computer and stored. Also, whenever you select preferences on a website, this information is stored in what is called a “cookie”. That way, when you go to your favorite news website again, it reads your preferences from the cookie and takes you right to your personalized page. The settings for how long this information is to be stored are set in your browser. Also, your browser stores the history of websites that you have visited.
Herein lies the problem: hackers can set up a website that looks legitimate. When you go to this website, it could use a software program that reads your history cache and tells which sites you have been on. They may also be able to access your cookies. Why is that so bad, you ask? Well, say you give this bogus site a name and password to sign up for a fake newsletter or such. Most people like to use the same name on many sites. It could also be the name you use for your company login. Also, you do use different passwords for different sites, right? If you don’t, they now have your username, password and a list of the other sites that you visit. You didn’t give them your credit card number too, did you?
Okay, so how do you protect yourself? Don’t order online unless you feel the site is legit. Don’t use the same password for your online banking and your social networking accounts. Delete your history and temporary internet cache whenever you are done on a secure site, like banking, ordering online, or any government or military accounts. Check your internet browser help for instructions on deleting your internet history.
Most internet browsers cache which site you last visited and offer that information to the next site you go to. This is called the HTTP Referrer (the header itself is spelled “Referer”). This information is used for website statistics and demographics, but it could potentially be used for nefarious purposes. The company GRC makes the well-known SpinRite hard disk recovery software and security software. According to their site:
“The web’s HTTP protocol was designed with little concern for a web surfer’s privacy and well before aggressive commercial interests decided to track surfers across the web, while storing and compiling any personal information that might leak from their browser.
Information is leaking from web browsers?
Yes, absolutely, and frighteningly so. The often repeated claims that “no user identifiable information is being sent or collected” is just so much nonsense. Those statements are meant to lull trusting and uninformed Internet users into a false sense of privacy and security.
When a web resource is requested from a server, the “Referer” header line provides the requested server with the URL of the web page that requested the item. But if an online web form has just been filled out and submitted using the most common “GET” method, the web surfer’s potentially personal and private data will appear in the URL and it will be sent to any third-party servers, such as advertising, tracking, or web-bug servers, whose resources appear on the form’s submission confirmation page!”
Now some browsers, like Internet Explorer, are supposed to block this HTTP Referrer when you leave a secure site and go to a non-secure website, but not all browsers do. Also, your IP address is given to websites so they can track demographics. If you are not using a proxy, firewall or internet security software, this could point directly back to your individual machine. While you are at GRC, it is also a great place to check and see if you have any open ports on your system. Their Shields Up! online program checks to see if your firewall is doing its job and blocking access to your computer. The best you can get is a “True Stealth” rating, which means that your firewall doesn’t give your computer away by responding to general ping or probing requests. If you have open ports, you should check into it.
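The Referer leak from the GRC quote, and the secure-to-non-secure blocking mentioned above, can be worked through in code. This is an added example, not code from GRC or from the original post: it approximates the Referrer-Policy rules browsers apply, and every URL, field value and function name in it is a constructed assumption.

```javascript
// Added example: approximates the Referer a browser sends for a subresource
// request under a given Referrer-Policy. URLs and field values are constructed.

// A GET form submission puts every field into the URL of the resulting page.
function formGetUrl(action, fields) {
  const u = new URL(action);
  for (const [name, value] of Object.entries(fields)) u.searchParams.set(name, value);
  return u.href;
}

// Browsers never send the fragment or embedded credentials in Referer.
function strip(url, originOnly) {
  const u = new URL(url);
  u.hash = ""; u.username = ""; u.password = "";
  if (originOnly) { u.pathname = "/"; u.search = ""; }
  return u.href;
}

// Returns the Referer value, or null when the header is omitted.
// Simplification: "downgrade" here means https page -> non-https request.
function refererFor(pageUrl, requestUrl, policy) {
  const page = new URL(pageUrl), req = new URL(requestUrl);
  const sameOrigin = page.origin === req.origin;
  const downgrade = page.protocol === "https:" && req.protocol !== "https:";
  switch (policy) {
    case "no-referrer": return null;
    case "unsafe-url": return strip(pageUrl, false);
    case "no-referrer-when-downgrade": return downgrade ? null : strip(pageUrl, false);
    case "same-origin": return sameOrigin ? strip(pageUrl, false) : null;
    case "origin": return strip(pageUrl, true);
    case "strict-origin": return downgrade ? null : strip(pageUrl, true);
    case "origin-when-cross-origin": return strip(pageUrl, !sameOrigin);
    case "strict-origin-when-cross-origin":
      if (sameOrigin) return strip(pageUrl, false);
      return downgrade ? null : strip(pageUrl, true);
    default: throw new Error("unsupported policy: " + policy);
  }
}

// True when the Referer still carries the query string holding the form data.
function leaksQuery(referer) {
  return referer !== null && new URL(referer).search !== "";
}

const confirmation = formGetUrl("https://shop.example/signup/done",
  { email: "alice@example.org", zip: "14830" });
const tracker = "https://ads.tracker.example/pixel.gif";
for (const policy of ["no-referrer-when-downgrade", "strict-origin-when-cross-origin", "no-referrer"]) {
  console.log(policy.padEnd(32), refererFor(confirmation, tracker, policy));
}
```

Under `no-referrer-when-downgrade`, the long-standing browser default, the third-party server receives the full confirmation URL including the e-mail address; under `strict-origin-when-cross-origin`, the default in current browsers, it receives only the site origin. A site avoids the leak entirely by submitting forms with POST and sending a restrictive `Referrer-Policy` header.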
Daniel W. Dieterle
Just a couple things come to mind thinking about the NY Times article mentioned in the last post.
First of all, how much time do you spend securing your network? Herein lies the problem. American businesses are very busy. To be competitive, we have cut staff, and have very limited budgets. When a new server needs to be put in, it needs to be done quickly. Be it a small business or corporate datacenter, time is money. A corporate server is set up quickly, usually from a checklist, and then some sort of security program and anti-virus is installed. The programs are “supposed” to auto-update without intervention. Rarely do people go back and make sure that the servers are updating. Anyway, the security program control panel said it sent the updates to the server. On a small business server, many times the server is set up and locked in a closet. It is set to get security and anti-virus updates automatically, but does it?
Time is the issue. In the NY Times example, the hacker spent 6 hours a day hacking. 6 HOURS! Hackers do not have time limits or budget constraints. They usually go for easy prey, but if your site has something of interest to the hacker, they will spend weeks, months or in the extreme case years to find a way in.
This leads me to my second point. Most administrators secure servers by checklist. If A through Z has been done, the server is secure. Server security is structured and precise. Hackers work out of the box. They don’t follow the rules. There is a lot to do in setting up a server. A random Server 2008 book has almost 1500 pages. That is about the same number of pages as a Bible. Also, with the huge amount of code in a Microsoft operating system, holes are found very frequently. Usually, only the good guys reveal to Microsoft when an exploit has been found. Foreign hackers guard these exploits and, as the article states, hope to use them in the future.
The odds are definitely in the bad guys’ favor, but with due diligence, we can harden our systems so the casual hacker will bypass our systems and look for easier prey.
Daniel W. Dieterle
Continuation of “Computer Security Tips for Small Businesses – Part 1”
5. Change server administrator passwords once in a while, especially if an employee who knew the password leaves. User passwords should be a combination of letters, numbers and symbols. These are much harder to crack. Also, do not use the same password everywhere. Some administrators will use one password for their servers and also their online accounts.
6. Have an IT company check your system for common vulnerabilities. Software like SAINT is available to check for exploits in a network system.
7. When thinking of putting up a web server, if you are just putting up a non-confidential informational site, not tied to an internal database, it is always a good idea to have an external hosting company run it for you. This way if it is hacked, the hackers will not gain access to your internal network.
8. One less common thing is to use online searches like Google to check for confidential information that may have been placed on a social board regarding your company. Believe it or not, disgruntled employees have placed sensitive company information on blogs before.
This is just a quick list, but hopefully it will give you some ideas in planning the security of your network.
Daniel W. Dieterle