|
'Moles' are one thing, but malicious e-mails are an even worse form of Web abuse
LAST WEEK, I wrote about a new kind of code I call "moles." Moles are e-mail messages or Web pages that cause your PC to send back information about you or your system, without your knowledge.
Moles match your e-mail address with your IP address or with a "cookie." Cookies are small, unique text files stored on your PC by Web sites to track the pages you view. It's often claimed that cookies can't reveal any personal information about you. Yeah, right.
To create a match, you are sent an e-mail containing a link to a small, invisible graphic, typically 1 pixel square. If you use an HTML-capable e-mail program -- such as Microsoft Outlook, Outlook Express, Netscape Messenger, Eudora, or Hotmail -- your PC contacts an Internet server to retrieve the graphic. This transmits to the server your e-mail address, your IP address, and any cookies that were previously deposited on your hard drive by Web sites associated with that server.
The next time you browse a Web site that has access to this database, your cookie or IP address uniquely identifies your e-mail address. Linking this with other databases produces your street address, your Social Security number, and other personal data.
The last thing we should want is someone to know all the Web sites we've visited. People who use the "subscribe" feature of a browser to keep Web links updated may be scanning hundreds of sites every night -- and each one is capable of keeping notes.
When Judge Robert Bork was nominated to the U.S. Supreme Court in 1988, a furor broke out when a video store revealed his rental habits -- which The Washington Post printed. Congress quickly passed the Video and Library Privacy Protection Act to preserve video privacy. We need something like this to keep our identity private in cyberspace.
I spoke with security consultant Richard M. Smith, who's studied moles extensively. "Name-brand companies like Amazon, Microsoft, Sony Music, eToys, HP, and the Gap are using them, not just spammers," he said.
There are services that promise to protect your name and identity on the Web, but Smith said, "All ISPs should provide anonymizing services. It's sort of like Dolby on your stereo." You push the Dolby button once, and you have noise reduction. You should be able to protect your name with the same ease.
Even worse than a mole, Smith has found, is "mobile code" -- a program that operates remotely in Web sites and e-mail. Your browser or e-mail client may allow such code to run on your system without warning. This means the mere act of viewing a Web page or an e-mail message (without even opening an attachment) can run a program that contains a virus or deletes your hard drive.
This occurs because programs such as Outlook Express, by default, run ActiveX controls, JavaScript, and Java applets without warning. These small but powerful programs, in the hands of malicious hackers, can exploit weaknesses to gut your hard drive.
Smith maintains a Web site that prescribes steps to eliminate this threat and many others. He recommends that you configure Outlook Express, for example, not to run JavaScript in e-mail. To do this:
Step 1. In Outlook Express, click Tools, Options, Security, Restricted Sites Zone, OK.
Step 2. In the Control Panel's Internet Options applet, click Security, Restricted Sites, Custom Level. Scroll down to the Active Scripting category, then click Disable and click OK twice.
Step 3. Download and run a patch to correct a weakness in Microsoft's ODBC driver that allows malicious code to run. For Office 97, go to officeupdate.microsoft.com/downloaddetails/excel97odbc.htm. For Office 2000, replace the "97" in the address with "2000."
Smith's site has a much more detailed explanation of this problem at www.tiac.net/users/smiths/acctroj/oe.htm.
You can test your system's vulnerability to rogue ActiveX code at another one of Smith's pages, www.tiac.net/users/smiths/acctroj/axcheck.htm. This URL tests your configuration for 17 different types of known problems and describes cures. Ironically, if you've already "hardened" your system against mobile programs, your browser will display a warning that the page is attempting to run "dangerous" code. Simply click Yes to allow the page to test your system.
Readers Glenn Cole and Jim Mackraz will receive a free copy of More Windows 98 Secrets for being the first to send me tips I printed on applets and moles.
In upcoming columns, I'll write about two sites that claim to solve many of these problems: see www.zonelabs.com/zonealarm.htm and www.freedom.net/info/why.html. If you have information to share, e-mail me with "privacy" as the subject. Meanwhile, Happy New Year.
Brian Livingston 's latest book is More Windows 98 Secrets (IDG Books). Send tips to brian_livingston@infoworld.com. He regrets he can't answer individual questions.
| |