The Internet is a gold mine of information, but it’s also a minefield, loaded with scores of innocent-looking sites that contain stealthy programs designed to steal or destroy your data. But if you take proper precautions, you can browse the Web with relative safety.

In our illustration of ways to surf the Web safely, we use Microsoft’s latest browser, Internet Explorer version 7, but you can apply these recommendations to other browsers as well.
GOING OR COMING?
surf the Web, they say they “go to” a page. In reality, though, when you type a URL (such as www.samplesite.com) or click on a link, the page actually is brought to your browser in the form of hypertext markup language (HTML)—the programming code that creates the screen image. In some cases, a malicious miniature program (written in what’s called a scripting language) is hitching a ride with that HTML code. The moment that infected page reaches you, the hitchhiker executes its devilish program, which can do many nasty things, including copying your files, transmitting them to the thief’s computer or simply erasing them. Such a script also can change your Windows system settings, leaving your computer in utter disarray.
How can a script steal information off someone’s hard disk? Exhibit 1 is an example of a hypothetical script buried inside a Web page. Of course, a real script would not identify itself as coming from a dangerous hacker.
If you were to receive this fictitious script, the hacker’s program would momentarily control your computer and you would be instantly redirected to his site, www.hacker.com. Once there, a sophisticated program called stealfiles.cgi would snap into action, steal data off your hard disk, then redirect you back to the original Web page. All this could happen in just a few seconds, without your ever being aware of it.
Be assured most Web sites are safe. However, a criminal hacker will try to inject a malicious script into almost any Web site—a scenario known as cross-site scripting, or XSS. Although antispyware programs are designed to thwart malicious scripts, they don’t always work because clever scriptwriters often stay a few steps ahead of them (see accompanying article, “Spyware
So what’s the alternative? If you want total safety, you have no choice but to take matters into your own hands and disable all scripts from running on your browser. And that’s easier than you think.
DO-IT-YOURSELF PROTECTION
To disable scripts, click on Options, Security (see Exhibit 2). Under Select a zone to view or change security settings, click on Internet if it’s not already highlighted. Then under Security level for this zone, click on Custom

You now should be at a menu called Security Settings-Internet Zone (see Exhibit 3). Slide down the scrollbar to the area labeled ActiveX controls and plug-ins and click on Disable for all 10 options. ActiveX is a Microsoft scripting language.

Then slide farther down the screen to the second section from the bottom called Scripting (see Exhibit 4) and click on Disable for all five options. This will stop any script that manages to get into your computer.

your changes, click on OK at the bottom of the panel (see Exhibit 5).
CONSEQUENCES OF DISABLING
You do pay a price for disabling scripting. For example, for those who use Yahoo e-mail, disabled scripting triggers a switch back to an older version of Yahoo Mail (see Exhibit 6). But if safety is your primary concern, the cost is worth it.

you use a stock ticker at a financial site, such
you will lose the Quote watchlist box (see Exhibit 7). You can reinstate
You may wish to experiment with your favorite Web pages to see whether you can tolerate the loss of functionality. Remember, you can always change your mind and re-enable scripting at any time.
You also have the option of specifying sites you know are safe and allowing scripts to run when you visit them. To do that, go back to the Security tab in Internet Options (Exhibit 2), but this time select Trusted sites. Then click on the Sites button and list those you visit and know are safe. When finished, click on OK and then adjust the security level for the Trusted sites zone just as you did for the Internet zone, but this time enable scripting.
sites acknowledge your visit by sending your computer a small text file called a cookie. Cookies do many things: They keep track of all visitors and remember what they did and looked at. While most cookies are benign, some store information you enter when you buy something at the site—your credit card number, address, phone and, in some cases, even your Social Security number and the identity of your bank account. Although some sites keep cookie information under tight security, others don’t bother to encrypt cookies. If safety is a priority, you probably want to implement some kind of cookie control.
A cookie may stay permanently on your hard disk (called a persistent cookie) or just be for a single Web visit (session cookie). If you have a persistent cookie, any sensitive information on your hard disk is at risk of being stolen.
Getting rid of cookies is easy. While in your browser, click on Options, General. Under the Browsing history section, click on Settings and then under Current location click View files. Now go to the Name column, right-click on the cookie you want to delete and choose Delete. You can easily identify those cookies that contain sensitive data from sites where you purchased products and entered financial information. You’ll also see cookie expiration dates that are many years into the future. Unless they are truly benign, delete them.
To play it safe, however, it’s best to tell your browser not to accept any persistent cookies. To do this, go to Tools, Privacy and click on the Advanced button. You’ll see a menu that resembles Exhibit 8. Override automatic cookie handling, and Block for First-party Cookies and Third-party Cookies. Click also on Always allow session cookies. This will allow your browser to only accept temporary session cookies while you interact with certain sites; otherwise many sites will deny you access.
When a Web site asks whether you would like to remain logged in, it actually is asking you whether you want to accept a persistent cookie. If you answer “yes,” the site will send you a persistent cookie with your logon information. Always say “no.”
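The cookie policy described in the last two paragraphs (block first-party and third-party cookies, always allow session cookies, and decline “remain logged in” because it means accepting a persistent cookie) can be modelled in a few lines. The JavaScript below is an added example, not code from this article or from Internet Explorer. The Set-Cookie headers and host names it uses are constructed for illustration, and its first-party test is a simplified host comparison rather than the rules a real browser applies.

```javascript
// Added example (not from the article): a model of the cookie policy the
// article recommends, applied to constructed Set-Cookie headers. It is
// not Internet Explorer's own code; all hosts and headers are made up.

// Parse one Set-Cookie header into name, value and attributes.
// Attribute names are case-insensitive, so they are lower-cased.
function parseSetCookie(header) {
  const parts = header.split(";").map((p) => p.trim());
  const [name, ...rest] = parts[0].split("=");
  const cookie = { name: name.trim(), value: rest.join("=").trim(), attrs: {} };
  for (const part of parts.slice(1)) {
    if (!part) continue;
    const eq = part.indexOf("=");
    const key = (eq === -1 ? part : part.slice(0, eq)).trim().toLowerCase();
    cookie.attrs[key] = eq === -1 ? true : part.slice(eq + 1).trim();
  }
  return cookie;
}

// A cookie is persistent when it carries Max-Age or Expires (RFC 6265);
// otherwise it is a session cookie, discarded when the browser closes.
function isPersistent(cookie) {
  return "max-age" in cookie.attrs || "expires" in cookie.attrs;
}

// Simplified first-party test: the host setting the cookie must be the
// page's host or a parent domain of it. Real browsers consult the public
// suffix list; this comparison is an approximation for the example.
function isFirstParty(pageHost, cookieHost) {
  return pageHost === cookieHost || pageHost.endsWith("." + cookieHost);
}

// The settings the article describes: override automatic handling,
// block first- and third-party cookies, always allow session cookies.
const ARTICLE_POLICY = {
  firstParty: "block",
  thirdParty: "block",
  allowSessionCookies: true,
};

// Decide whether the browser should store the cookie; the reason shows
// which rule fired so the effect of each setting is visible.
function decide(header, pageHost, cookieHost, policy = ARTICLE_POLICY) {
  const cookie = parseSetCookie(header);
  const persistent = isPersistent(cookie);
  const party = isFirstParty(pageHost, cookieHost) ? "first-party" : "third-party";
  if (!persistent && policy.allowSessionCookies) {
    return { name: cookie.name, accept: true, reason: `session ${party} cookie: always allowed` };
  }
  const rule = party === "first-party" ? policy.firstParty : policy.thirdParty;
  return {
    name: cookie.name,
    accept: rule === "accept",
    reason: `${persistent ? "persistent" : "session"} ${party} cookie: ${rule}`,
  };
}

// Constructed sample: a page on shop.example.com receives three cookies.
const SAMPLES = [
  // Session cookie from the page's own host: accepted.
  { header: "sid=abc123; Path=/; Secure; HttpOnly",
    pageHost: "shop.example.com", cookieHost: "shop.example.com" },
  // "Remain logged in" cookie valid for a year: persistent first-party, blocked.
  { header: "remember=tok; Max-Age=31536000; Path=/",
    pageHost: "shop.example.com", cookieHost: "shop.example.com" },
  // Tracking cookie from an unrelated ad host: persistent third-party, blocked.
  { header: "track=xyz; Expires=Wed, 09 Jun 2021 10:18:14 GMT",
    pageHost: "shop.example.com", cookieHost: "ads.tracker-example.net" },
];

function runSamples() {
  return SAMPLES.map((s) => decide(s.header, s.pageHost, s.cookieHost));
}

for (const result of runSamples()) console.log(result);
```

Changing `firstParty` to `"accept"` in the policy reproduces what happens when a site is exempted from the block: the “remain logged in” cookie is then stored, which is exactly the persistent cookie the article tells you to refuse.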
computer safety you need is a personal matter, and it depends on how much you value your data. Although there are commercial programs designed to make your workspace relatively safe, as you can see, gaps remain. The only way to be sure is to take action yourself to close the gap.
James F. Leon, CPA, CISSP, is a visiting assistant professor and the director of IT training in the Department of Computer Science at Northern Illinois University, DeKalb. His e-mail address