Introduction

This the third article in a three-part series devoted to helping readers develop secure habits when using the various components of the Internet. Although for many people the Internet and the World Wide Web are interchangeable terms, this is not accurate; the World Wide Web is an application of the Internet. The World Wide Web allows for the exchange of documents formatted in HTML (Hypertext Markup Language) which facilitates text, graphics and layout. As the World Wide Web has grown in popularity, its capabilities have expanded to include the exchange of video, audio, animation and other specialized documents.

The Web has grown to become an integral part of our social and economic world. For many people, surfing the Web has become a daily activity at home, work and school. Unfortunately, the Internet and, by extension, the World Wide Web, was designed for ease of communication, rather than for security. While software programs such as firewalls, intrusion detection systems (IDSs) and antivirus software can be provide protection, the best way to for users to ensure their security while surfing the Web is to learn and practice secure behaviors.

Firewalls

One of the first precautions users should take before going online is to install a Personal Firewall on their computer. A firewall protects the user by monitoring incoming and outgoing traffic and watches for malicious information that hackers may try to install on users' computer. These firewalls can also be set to block content such as ActiveX, Java, JavaScript, popup windows, and cookies (which will be explained later in this article.) Similar to programs that a user may install from a disk or CD-ROM, ActiveX, Java, and JavaScript are applications that actually execute or run, performing a variety of functions. Downloaded content may contain embedded viruses, scripts, or malformed content that may have the potential of altering files or content on the users' hard disk. As a result, these scripts can be a security risk.

Once the firewall is installed, it should be tested for proper operation. (For a more detailed look at firewalls, please see the SecurityFocus article entitled 'Firewalls for Beginners' article.) Firewalls can be tested for proper operation by visiting sites such as Norton, orGibson Research Corporation's Shields Up, which simulate an attack and inform the user of results of this attack. A successful attack indicates that the firewall is probably not configured properly and should be readjusted. Tests such as these are very beneficial and should be conducted on a regular basis in order to ensure optimal firewall efficiency.

The underlying assumption of this article is that users should not rely passively on software to protect them. Rather, they should actively develop habits that will help them protect themselves against the many threats that lurk on the Net. While firewalls can be powerful programs, it is a good idea for users to regularly review the logs generated by the firewall since this would give an indication of any abnormal activity that may be occurring on the computer on a regular basis.

Browsers

Users navigate the Web using web browser software. There are numerous browsers available today, by far the most popular being Netscape Navigator and Microsoft Internet Explorer. The web browser in its earlier version was an environment within which hyperlinks were displayed that users could click on to go to other documents. Soon the text-only material was enhanced by graphics, audio, and video within the browser window. Now there are other advanced technologies such as Java, ActiveX, and other plug-ins that work within browsers to provide an enhanced user experience. While browsers are very powerful tools, they are also a vulnerable gateway that can be exploited to tap into user information. As a result, they have received significant attention from the hacker community.

Vulnerabilities, as the term suggests, are weaknesses in the way a software has been coded. These weaknesses can be exploited by talented hackers to gain unauthorized access to the computer on which the browsers are operating. Once inside the computer, an intruder may have access to all of the networks to which that computer is situated. Some of the things that hackers can do once inside a computer include: resetting a users' home page without permission, creating malformed scripts that make the browser interact with other applications on the users' hard drive, running scripts within the browser to collect and send back sensitive information or entire files, and running software to track and report user activity using the web browser, amongst other malicious activities.

As browser vendors become aware of these vulnerabilities, they release patches to update the software. These patches allow users to upgrade the security of their browsers without needing to go out and buy entirely new software. It is a good idea for users to regularly visit the web site of their browser vendor to update news of any vulnerabilities that might have been discovered in their browser. At this point, the vendor will advise the user whether or not a patch is required. If so, the web site will offer directions on how to apply the patch. In addition to regularly checking for vulnerabilities and patches, users should periodically update their web browsers with the latest version. This will ensure that the most recent security measures are being implemented on the users browser.

Browser Options

Many home and small office users are not aware that they can configure the browser to operate in certain ways according to their needs and desires. Users can increase the security of the browser by familiarizing themselves with the various options and preferences available in web browsers and configuring them appropriately. As browsers have become more complicated by the inclusion of increasingly sophisticated features, the preferences and configuration information have also become more complex. Failure to understand and act on these options can make systems vulnerable to intrusion. To keep this from happening, browsers have certain level of controls that can be set within the 'Preferences' options of the browser. Users should familiarize themselves with the security options that are available within 'Preferences' option of their particular browser, as they can be used to optimize security.

One of the browser options includes the ability to set the security level at low, medium, or high. The low option provides minimal safeguards and warning prompts, and runs most active content (such as Java and ActiveX programs) without prompting the user. The medium option provides slightly better control by prompting the user in case of potentially unsafe content that the browser may encounter, the high option provides the best security but is least convenient since it prompts the user on every cookie, active content, etc. that the browser comes across on web sites. Initially, it is best to set security at medium and to adjust this setting based on user's comfort level, taking into account the desired balance between convenience and security.

Privacy

One of the major security concerns associated with the World Wide Web is user privacy. Indeed, it is almost impossible, at this point in time, to surf the web anonymously. It is very easy for people to track a user's surfing habits. There are programs available that promise to anonymize your surfing habits, but these are generally expensive, somewhat difficult to operate and not guaranteed to be effective. The best way to ensure one's privacy is to be very careful about what information one discloses over the Web. However, whatever precautions are taken, users should be aware that when they go out on the Internet, there is no such thing as anonymity.

Cookies

With millions of web sites available for users to browse through, one way for web sites to attract visitors has been to offer a web page that is customized to the user's individual taste. Imagine going to an online bookstore and instead of browsing through millions of book titles, seeing books only on subjects that you may be interested in. This not only saves you time and effort on locating a particular book, but when you are ready to make a purchase, the web environment also has the capability of storing your name, mailing address, credit card information etc. so that if you have made a prior purchase, there is no need to enter this information every time. This capability is achieved by using a technology called 'cookies', which are small text files that are stored on your hard drive when you visit the site for the first time. The main purpose of cookies is to identify users and prepare customized Web pages for them. When a user visits a Web site that employs cookies, he or she may be asked to fill out a form providing such information as your name and interests. This information is stored in a cookie and sent to your Web browser which stores it for subsequent visits to that site.

With all the monitoring and tracking of personal habits that they allow, are cookies evil? Not necessarily. If you don't care about being tracked without having your name and other personal information associated with it, cookies can assist sites in offering you personalized experience. However if you are concerned about your privacy and how the data may be shared, and/or cross-matched with other records, then you may wish to turn off the cookie option by selecting appropriate preferences in your browser. The cookie options provided to the user include the ability to automatically accept all cookies from any server, accepted cookies from selected servers, or block ALL cookies.

Users should dictate use of cookies by asking the browser to appropriately reject, accept, or prompt user for action when the web site tries to set a cookie. Users who are concerned about their privacy should not disclose valuable personal information. If personal information is required for a transaction, users should develop the habit of reading the privacy statements of the web site. Some web sites will state clearly in their privacy statement whether or not they will disclose user information to other organizations. Users should make their decisions about the disclosure of information accordingly.

Secure Web Transactions

In most cases, information being communicated along the Inernet between the user and server is transferred in plain text. This means that if anyone intercepts the communication, the information would be easily readable. For most sites, users are just reading information (such as the news) that may not have any sensitive user data associated with it and is open for anyone to read. But if the user were making a purchase from a online store, conducting banking transactions from an online bank, or buying stocks, there is likely to be an exchange of very valuable personal information. If the appropriate steps are not taken, this could create a serious security risk.

One risk is that potential crooks could set up a 'rogue' site, one that looks like a legitimate site, such as a bank, but which is not. Users should always keep an eye on the URL address bar to note the web site address after initial connection is made. Even if it is a legitimate enterprise, and it usually is (spoofed sites are relatively uncommon,) any data going over a non-secure link in these types of transactions could be intercepted. This could put a users credit card number and personal information in the hands of unauthorized persons. To prevent this from happening, it is a good idea to conduct sensitive transactions over a 'secure link'. In a secure connection, the data is sent to the server in encrypted format that is difficult to decipher even if it is intercepted.

How does the user transmit data securely? First, the user would have to determine if the server supports secure transactions which are usually done by using digital certificates and using a technology called SSL (Secure Sockets Layer) to transfer the data. SSL is a protocol that allows the secure, encrypted transmission of information over the Internet. SSL is the industry standard for e-commerce businesses to ensure the safe transmission of customers' vital information such as credit card numbers. The online merchant sends its public key to the shopper's browser, which the browser uses to send a randomly-generated secret key back to the server in order to have a secret key exchange for that session.

When communicating over a secure link, the user can determine if data is being transferred securely by watching the lock icon in the browser window. A locked icon is an indication that data is being encrypted and sent securely. Prior to disclosing personal information, such as credit cards, etc. users should always ensure that the site is SSL-protected.

Taking this one step further, double-clicking on the lock would provide additional information on validity of the digital certificate (so that the user is sure the web site is who they claim to be), the level of encryption being used, and other relevant information. Users must make a habit of checking the certificate since there have been known instances of web sites being 'hijacked' by hackers, and when the user connects to this hacked site data is being sent securely but you, the user, may be connected to a rogue site!

Credit Cards

The most contentious security issue on the Web is credit card numbers. Many credit card companies have realized vulnerabilities exist with credit cards, and have developed new business models that minimize risk. Examples of some of these models are disposable credit card numbers that can be used for only one transaction, and credit cards embedded with smart chips that require a cardreader connected to the computer and a PIN number before the transaction can be completed. Use of these models reduces the risk of huge losses. For users who make frequent purchases over the web, these different types of credit cards (which also offer incentive programs and fraud protection guarantee where the user is not held responsible for unauthorized online charges) should be considered.

For those using regular credit cards, basic precautions should be followed, such as not giving credit card numbers to web sites that do not provide secure link. Users should also look for policy statement on web sites. These policy statements often include information on security aspects of the site. This usually includes information on the type of security used, what a company does with the information collected on the site, sharing/selling customer records with other companies etc. that gives a pretty good idea about business practices of the company. There are also third-party endorsements that are now available which ensure compliance against certain standards. Although these are voluntary, vendors who display these seals of approval give the appearance of being more credible and therefore attract more online business.

A third solution to the issue of credit card fraud is to maintain a separate card specifically for on-line transactions. Many banks and credit card companies will allow users to get a separate card with a very low balance for such purposes. Because of the low balance, if the credit card information is stolen the potential damage is kept very low.

Conclusion

The web is here to stay and has in fact become a primary medium for interacting with commercial web sites. A major portion of the burden of maintaining a secure environment lies with the user. It is crucial that users follow good security practices and understand there are risks involved in surfing the web and/or conducting business online. By using proper precautions such as periodically auditing firewall logs, monitoring new sites for web browser patches and updates, understanding and setting browser preferences, limiting the type and amount of information a user provides to web sites, communicating over secure link for conducting online transactions, checking digital certificates, using specialized credit cards that are made specifically for online use, users can do their best to minimize the risks that are inherent in surfing the web, making the web experience safe and productive.

Dr. Sunil Hazari is a faculty member in the R. H. Smith School of Business and Office of Information Technology at University of Maryland, College Park. His teaching and research interests are in the areas of E-commerce security, usability, and infrastructure design.