The Burning Ring of Firewalls: New Technology, Heightened Interest and Big Money Can Make Your System Safer - and More Vulnerable - than Ever Before

It may surprise you to know that privacy is not a Constitutional right. The closest the 226-year-old (if you're counting), big, beautiful framework for this experiment we call democracy comes to addressing issues of privacy is in what can be implied, at best, from the Fifth and Fourth Amendments, the latter reading in part that citizens will be "secure in their persons, houses, papers, and effects, against unreasonable searches and seizures."

Webmasters, of course, can add a slew of other items requiring security, including computers, code, and more. In general, latter-day participants in Western society have much more cause for concern over the intricacies of privacy than our forebears could have imagined. An August 2000 survey sponsored by Dell Computer revealed that, even in those high-flying days of Internet optimism, loss of personal privacy ranked as an issue of higher concern for Americans than those of crime, health care, or the environment.

Here we'll outline some of the threats to, some of the solutions for, and some of the future of cyberprivacy.

THE WEB IS A BURNING THING

There are privacy threats everywhere. David Rittenhouse, in his excellent article "Privacy and Security on Your PC" (www.extremetech.com, 5/28/02), provided a list so inclusive as to rattle the nerves of even the most laid-back of surfers.

"Many different kinds of individuals and agencies seek personal information," he confirmed, "each using differing methods: co-workers, family members, and hackers/crackers," their motivations ranging from "professional jealousy and curiosity to mistrust or malicious/criminal intent." They exploit, primarily, "inherent system weaknesses... such as simply asking for information that allows access, or use of specialized software tools such as monitoring programs, password cracking programs or Trojan horse programs."

Holes in an operating system allow the evasion of even a personal firewall's blocking capabilities. Also, DSL and broadband users are not the only ones in danger. While dial-up users' lower online time and lower speed might mean they are also at somewhat lower risk, hackers do still scan for slower connections, and worms travel through e-mail and Websites, making speed irrelevant.

Rittenhouse pinpointed businesses and commercial organizations that breach privacy to "gather, analyze, and maintain personal information about individuals without the individual's knowledge or consent. The techniques used include data mining to correlate data and deduce previously unknown facts about individuals: Web page cookies which gather data surreptitiously, and software spyware programs offered to the public which contain hidden functions, sending information secretly back to the manufacturer."

An extensive listing of spyware-infested programs can be viewed at www.fcenter.ru.

"Businesses can also constitute a threat to individual privacy by mishandling information they control," Rittenhouse affirmed.

The majority of privacy issues stemming from governmental agencies, he said, are generated by the Internal Revenue Service (IRS), Central Intelligence Agency (CIA), National Security Agency (NSA), and Federal Bureau of Investigation (FBI). "The IRS and CIA have both [suffered] publicized incidents where they failed to safeguard private information within their possession...; [whereas] it is the information-gathering methods of the NSA and FBI that sometimes place those agencies at odds with individual privacy."

Jay Lyman outlined the "Seven Deadly Security Sins" for the NewsFactor Network (www.newsfactor.com):

"When it comes to computer break-ins and breaches, there are plenty of ways to place blame, but some security missteps are more common than others - and most of them fall into the category of often-overlooked basics.

"Among these blunders are the usual suspects: mis-configured servers, lack of patching, dangerous default settings and sloppy password management."

For companies, Lyman identified substandard IT hiring practices and network sharing, and a lack of an active security policy.

"If you don't have [a policy] formulated and you don't have it written down, it changes," warned security expert Ryan Russell. Yankee Group analyst Matthew Kovar reminded readers that when someone changes a system or network, they can inadvertently create new vulnerabilities.

"Experts also agreed that application design, server configuration and the default settings of newly-installed software often lead to computer break-ins," Lyman reported.

"In addition, one of the biggest security risks currently facing companies is the sharing of networks or access."

Anand Bhatt, former lead analyst at Doculabs/Forrester Tech Rankings and current CTO of Sonic Wave International/SWI Labs, said of businesses in general, "While many organizations believe their greatest security threat comes from outside the organization, recent studies that I've been involved with reveal that 60 to 70 percent of security attacks originate from within the organization. There's a certain threshold level - dependent on individual infrastructure - of how 'secure' a security and privacy system can be without hindering the employees' everyday duties."

Everyone can "layer" their privacy protection, maximizing security against all the threats listed above. Layering means building first-, second-, third- and higher-line defenses against a breach, the second one kicking in if the first one fails, and so on.

MAKING A FIERY RING

* Develop and adhere to good privacy protection habits. "First and foremost," Rittenhouse said, "develop the habit of non-disclosure." This includes not filling out online information forms, using the standby "N/A" or "Not Applicable." "You can be more proactive, if you like, handling excessive demands for personal information with a campaign of disinformation. Simply alter a few characters of a name, zip code, or social security number... thus defeating data mining and profiling techniques."

Educate yourself about the specific weaknesses of your hardware, operating system, and applications. For instance, "most browsers have an auto-complete feature that remembers what you've typed when you fill in online forms," reminded Rittenhouse. "After you've typed a few characters, the auto-complete feature creates a drop-down box that contains the remainder of a zip code or other data. How did your computer know what information was needed to fill in the desired blank? You might be shocked to find that your Social Security number, bank account number, passwords, birthday, address, mother's maiden name, and credit card numbers are all stored on your computer if you've entered them into forms."

You can clear out this information and disable the feature this way: From the Internet Explorer Tools menu, click Internet Options/Content tab/auto-complete button, then uncheck all three boxes and click the two buttons to "clear forms" and "clear passwords"; click "OK" to close the open dialog boxes.

* Protect yourself logging in and clean up after yourself logging out. Get into the habit of masking your passwords. Although a pain in one's memory, it's safest to have different passwords for every log-in account you keep. Secure passwords are generally eight to 10 characters long, combining numbers, upper and lower case letters, and punctuation marks, and are not a word from a dictionary of any language.

Before you sign off, eliminate temporary files and hidden text. Rittenhouse said, "A simple, but tedious, protection measure that avoids the problem of old document contents being invisibly stored is to use the 'save as' command... [this] preserves the old (pre-saved) versions of the document in a visible form, and makes them easier to securely delete." Also, using your disk-cleaning utility restores space, and, as covered below, there is software available to securely erase that space.

FALL INTO A RING OF FIREWALLS

* Implement physical barriers and firewalls. "Of all the various privacy protection methods, barriers are the easiest to implement," said Rittenhouse. "If fewer people have access to a computer system, it is easier to prevent unauthorized access - and one of the easiest ways to effect this is to keep your computer in a lockable room."

Firewalls are a next-line-of-defense option, and deducing your security needs is the first step in navigating a virtual sea of products. But don't limit your protection by thinking you need to settle on one. Izhar Bar-Gad reported for Network World Fusion (www.nwfusion.com) in June that, "While traditional firewalls address network access control [and] blocking unauthorized network-level requests, application firewalls... specifically protect the Web communication stream and all associated application resources from attacks that happen via the Web."

When users realize the need for a firewall, they are faced with a decision between standalone products and integrated antivirus protection suites. Most professionals recommend separate firewall and antivirus programs over all-in-one security suites.

Norton (www.symantec.com) and McAfee (www.mcafee.com) provide popular security systems.

Kerio Technologies (www.kerio.com), publisher of WinRoute Pro network firewall software, developed Personal Firewall 2.1 to secure desktop computers. The key component of a firewall, according to the company, "is the stateful inspection of packets... inspecting all traffic entering and leaving the desktop to ensure only authorized communication is permitted." Blocking all inbound traffic can render a system invisible to random scans by hackers.
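The stateful inspection described above can be sketched in a few lines. This is an added example, not Kerio's code: it tracks TCP flows by address and port only (real products also track sequence numbers and timeouts), and the addresses and the `StatefulFilter` and `replay` names are constructed for illustration.

```python
from typing import NamedTuple

class Packet(NamedTuple):
    direction: str   # "out" = leaving the desktop, "in" = arriving
    src: str
    sport: int
    dst: str
    dport: int
    flags: str       # TCP flags: S=SYN, A=ACK, R=RST

class StatefulFilter:
    """Allow outbound connections; admit inbound packets only for known flows."""

    def __init__(self):
        self.flows = set()   # (local_ip, local_port, remote_ip, remote_port)

    def check(self, p: Packet) -> str:
        if p.direction == "out":
            key = (p.src, p.sport, p.dst, p.dport)
            if p.flags == "S":            # new outbound connection: remember it
                self.flows.add(key)
            elif key not in self.flows:   # mid-stream packet with no handshake
                return "DROP"
            verdict = "ALLOW"
        else:
            key = (p.dst, p.dport, p.src, p.sport)
            # Unsolicited inbound traffic is dropped with no reply at all,
            # which is why a random scan sees nothing at this address.
            verdict = "ALLOW" if key in self.flows else "DROP"
        if verdict == "ALLOW" and "R" in p.flags:
            self.flows.discard(key)       # a reset ends the flow
        return verdict

# Constructed sample traffic (documentation-range addresses).
PC, WEB, SCANNER = "192.0.2.10", "198.51.100.7", "203.0.113.99"
SAMPLE = [
    Packet("out", PC, 50000, WEB, 443, "S"),      # desktop opens a connection
    Packet("in", WEB, 443, PC, 50000, "SA"),      # matching reply
    Packet("out", PC, 50000, WEB, 443, "A"),      # handshake completes
    Packet("in", SCANNER, 40000, PC, 139, "S"),   # unsolicited probe
    Packet("in", SCANNER, 443, PC, 50000, "SA"),  # right port, wrong source
    Packet("in", WEB, 443, PC, 50000, "R"),       # server resets the flow
    Packet("in", WEB, 443, PC, 50000, "A"),       # arrives after teardown
]

def replay(packets):
    fw = StatefulFilter()
    return [fw.check(p) for p in packets]

if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE, replay(SAMPLE)):
        print(verdict, pkt)
```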

Martin Viktora, CEO of Kerio, said, "Anti-virus software, although vital, is insufficient to protect from data theft or denial-of-service attacks."

Stonesoft Corporation's (www.stonesoft.com) StoneGate 2.0 supports static routing of IP multicast traffic through a firewall, without requiring tunneling protocols.

CNET (www.cnet.com) reviewed ZoneLabs' (www.zonelabs.com) ZoneAlarm Pro 3.0 positively this spring, saying "It's easy enough for anyone to set up and use, and it offers sufficient options and flexibility to keep power users content."

Lyman reported, "Personal firewalls from BlackICE (www.iss.net), Sygate (www.sygate.com), and Tiny (www.tinysoftware.com), among others, all erect barriers by flagging or blocking access attempts. Most of these products come in free or inexpensive basic editions, as well as premium professional versions."

In addition, Web filters prevent outsiders from tracking your personal Internet browsing history. Software can be installed permanently on your machine, or Web-bound tools ("Anonymizer" at www.anonymizer.com or "Rewebber" at www.rewebber.de) are available. And through tracking detection programs, you can pinpoint which sites are infringing upon your privacy, and even deactivate such tracking (Privacy Companion, www.idcide.com; Who's Watching Me, www.trapware.com).

* Hire a consultant. Bhatt noted that the cost of personalized security consulting is getting lower, and Webmasters and small businesses who are serious about security should make the commitment.

"The bottom line is, e-commerce and small businesses need to spend money on consulting services, especially with security and privacy issues. The main reason why security consulting services aren't so popular with Website owners and small companies is associated high costs. The top consulting groups may also refuse to work with pornography-related material. As a remedy, analysts from top consulting groups have joined CertAire Technical Services [http://www.certaire.com], a technical group that is most known for its mechanical science research and testing. CertAire leverages its research and testing revenue in order to provide expert consultants at a low-cost pricing model targeted towards Website owners and small businesses. Now that it's affordable, adult e-commerce and other Web companies won't cut corners on their security and privacy - which is another reason why security is such an issue."

AND THE FLAMES WENT HIGHER

* Look into spyware-detection software. If, even after all of these measures have been undertaken, unauthorized access to a computer occurs, Rittenhouse advised that "it is important to be aware of the intrusion so that it can be dealt with as quickly as possible." Software can detect even invisibly run hacker and tracker tools such as Trojan horse, key-logging, and spyware programs. Rittenhouse suggested two free programs to be found at www.sysinternals.com.

* Minimize exposed information. "In the event that all of the foregoing methods fail and someone does break into your machine," Rittenhouse said, "you should take steps to limit the information to which the intruder can have access. This fallback position includes techniques to securely delete unneeded information and encrypt sensitive information that must be retained."

"Wiping" software is a tool with which to securely delete old information; also, old "cookies," Internet history, temporary files and broken links and "deleted" files can be wiped. Encryption and steganography products are also available, although these are more complicated and come with disadvantages that could outweigh the advantages for the average user. The red flag raised by the implementation of such technology could be of major concern to an individual in this day and age (al Qaeda operatives were rumored to have employed steganography).

* Prepare a scorched-earth scenario. Finally, "In certain rare circumstances," said Rittenhouse, "the cost of disclosure for private information might outweigh the cost of the computer on which the data is stored." Diagrams of not-yet-patented inventions, soon-to-be-published research results, and the confidential client files of doctors or attorneys might require the adoption of extreme failsafe protection.

"Methods for this could range from the use of harmless tricks [like program loops] that put the computer's software in limbo, to more extreme methods [virus booby traps, hardware-altering programs, self-destruct mechanisms] that prevent data disclosure via permanent destruction. In any instance where data is critical enough to warrant this degree of protection, it is assumed that you will have properly backed up the data in an alternate secure location."

BEFORE THE FIRE GOES WILD

South Florida Sun-Sentinel (www.sun-sentinel.com) writer Purva Patel warned against going protection-purchase wild in the June 2002 article "Vigilance, Not Technology, Keeps Networks Secure."

"You might want to rethink spending $50,000 on another firewall. 'In the real world, security is a process of prevention, detection and response - not dependence on "magic" technology,'" Patel reported, quoting security technology expert Bruce Schneier.

"He advised his audience to focus more on watching existing firewalls, servers and routers - and looking for patterns, abuses and breaches to spot hackers before they do much damage. Simply relying on the latest, better technology is useless, he said."

The current hysteria surrounding security - at airports, in foreign countries, in big cities, at corporations, and even at home, on a personal computer - has been manipulated to pimp products. The IDC, a division of IDG, an IT media, research and exposition company, projected in a July report that "Web intrusion protection spending growth will triple by 2006."

Remember that no one can sell you vigilance, attention to detail, and personal accountability. Buying into the panic is "like building a second wall around a castle when the first one is breached instead of posting guards," to quote Schneier, the founder of Counterpane Internet Security Inc. in Cupertino, Calif., which provides security-monitoring services to organizations worldwide.

Still, Rittenhouse warned, "As technology continues to advance, so do the methods in which an individual's private information may be procured and misused. The solution to avoiding a dystopian future... lies not in a Unabomber-like attitude of seclusion from all technology, but rather in assuming the responsibility for educating ourselves about protection of privacy, and taking prudent privacy protection measures."

As Lyman proposed in his "Internet Bodyguards" piece, even "consumers are benefiting from improvements in firewalls that are bringing corporate-style security and scanning to home PCs."

Though we have certainly fallen for the Internet "like a child - Oh, but the fire went wild" - securing yourself, your computer and your privacy can keep the ring of fire from burning you.