=============================================================== T H E S E C U R I T Y O U T P O S T B U L L E T I N =============================================================== March 23, 2000 | Vol. 1, #04 | http://www.securityoutpost.com/ Contents 1. FEATURE: Attack of the Web Snoops 2. TIPS: Preserving Your Net Privacy * Educate * Evaluate * Use Pseudonyms * Boycott the Snoops * Anonymize * Kill Cookies * Avoid Identity Management 3. TOOLS: Anonymizers & Cookie Managers * Privacy.net Demos * Proxymate * Anonymizer.com * Freedom.net * Cookie Cruncher * Cookie Pal * NIS 2000 SPREAD THE WORDS -- Please take a moment and forward this newsletter to a deserving colleague or loved-one. =============================================================== A service of PC Guardian | San Rafael, California Computer security products | http://www.pcguardian.com/ "Protecting Computers & Data Worldwide Since 1984" =============================================================== -------------------------------------------------------- 1. FEATURE: Attack of the Web Snoops -- The Sneak Attack on Your Online Privacy -------------------------------------------------------- Most civilized people agree that privacy is a fundamental human right.[1] Every individual has the right to be left alone, to be secure in his or her personal life, and to freely surf and communicate over the Internet without having to worry about leaking private information to untrusted and possibly hostile parties. Sadly, the fundamental right to privacy is under withering assault on the Internet. Through a combination of greed and ignorance, the Internet -- one of our civilization's greatest inventions -- is now being deployed as the greatest privacy-destroying technology ever. You may think you're alone in your thoughts as you surf the web. But as Deep Throat says on the X-Files, "There's always someone watching, Mr. Mulder." The Internet is eliminating personal privacy as corporate web sites track and profile visitors, maintain cookie "dossiers", and correlate visitor identities and interests with third-party marketing databases. This is offensive, because you *are* what you browse. Unknown third parties are observing the web pages you view, the searches you make, and the things you buy. In general, they're getting inside your head. It's just as if someone analyzed every book you read or movie you watched -- only more cross-referenced and precise. Do you think I'm being alarmist? Over-the-top? The list of sites that have been caught destroying Internet user privacy is long and growing. Consider the following recent news items (many of them sparked by Internet consultant Richard M. Smith): * Last month, DoubleClick was skewered in the press for planning to correlate visitors to the 2500 sites in its ad network to large off-line consumer databases. The furor was such that the company was forced to back off, at least for now. See http://www.Doubleclick.com/company_info/press_kit/pr.00.03.02.htm For an explanation of how banner ad network tracking works, see http://www.tiac.net/users/smiths/privacy/banads.htm * Leading medical sites have been dinged for selling highly sensitive information about their visitors. Last month, an investigative report by a healthcare trade group found that visitors to health-related web sites are not anonymous, even if they think they are, and personal information shared with these sites is highly vulnerable. See http://ehealth.chcf.org/priv_pol3/index_show.cfm?doc_id=33 * Last month, H&R Block's online tax filing service exposed some customers' sensitive financial records to other customers. See http://news.cnet.com/news/0-1005-200-1550948.html?tag=st.cn.1. * Last October, Smith disclosed that the RealJukeBox player software was surreptitiously sending off information to RealNetworks about users' music-listening habits, along with a unique player ID number that can reveal user identity. The company quietly changed its privacy policy in November to disclose this controversial practice. See http://news.cnet.com/news/0-1005-200-1426571.html For more details, see http://www.tiac.net/users/smiths/privacy/realjb.htm * Amazon.com subsidiary Alexa was caught sucking up personal information back in December. See http://www.tiac.net/users/smiths/privacy/alexa.htm Anyone browsing the web faces a severe threat model, one far worse than the Distributed Denial of Service attacks covered in the past two issues. You have to assume that all your travels on the web are recorded and stored in one or more databases. You have to assume that personal information -- from your name and address to the things you buy -- is captured and linked to those databases. Assume that your boss/spouse/parents/insurer/credit card company will gain access to this information about you. Assume that your credit card company and the credit bureaus will know when you surf to a bankruptcy or credit repair site. Be prepared for credit rejections based on your browsing habits. Assume that your health insurance company will know when you surf to a medical site and look up a disease or health condition that you're concerned about. Be prepared for higher insurance rates based on your browsing habits. All major sites post privacy policies full of high-minded language about privacy that boil down to a harsh truth: We can do whatever we want with our information on you, including the most personal financial and health-related information. Take Yahoo! for example. Here's an excerpt from its policy: "Yahoo! may disclose or access account information when we believe in good faith that the law requires it and for administrative and other purposes that we deem necessary to maintain, service, and improve our products and services."[2] Note the weasel language about "other purposes we deem necessary". Essentially, Yahoo! can disclose your personal information whenever and however it sees fit. Or this excerpt from the privacy policy for Microsoft's Passport system: "Microsoft Web sites will disclose Personal Information if required to do so by law or in the good-faith belief that such action is necessary to (a) conform to the edicts of the law or comply with legal process served on Microsoft or the site; (b) protect and defend the rights or property of Microsoft, this Web site, or participating Web sites; and, (c) act under exigent circumstances to protect the personal safety of users of Microsoft, this Web site, or the public."[3] Note the company's problematic language about defending its rights. Judging from the company's extensive legal problems, Microsoft has a very broad view of its rights. These and many other major sites also bear seals from "trust" organizations like TRUSTe. While these seals are designed to improve consumer confidence, they in fact are meaningless. According to TRUSTe: "When you see our TRUSTe seal, you can be assured that the Web site will disclose: * What personal information is being gathered about you * How the information will be used * Who the information will be shared with, if anyone * Choices available to you regarding how collected information is used * Safeguards in place to protect your information from loss, misuse, or alteration * How you can update or correct inaccuracies in your information"[4] Note that there's absolutely no stipulation that TRUSTe sites actually preserve privacy. While there is a requirement for notification, privacy policies are full of legal obfuscations and escape clauses, as noted above. Most of the privacy violators cited above are TRUSTe members. Despite several well-publicized breaches, not one TRUSTe seal has been revoked. Beware of anyone who strips you of a fundamental right while claiming to defend it. -------------------------------------------------------- 2. TIPS: Preserving Your Net Privacy -------------------------------------------------------- There are steps you can take to protect your privacy, even in the face of relentless online pressure to give it up. Tip #1: Educate Yourself and Others Educate yourself about the pressing issues in Internet privacy. Educate others. If you're an expert, share your knowledge. If you're a novice on privacy issues, learn whatever you can. If you're responsible for an organization's web site, be sure to develop and promulgate a clear and honest privacy policy. The Electronic Frontier Foundation has a solid collection of privacy resources accessible at http://www.eff.org/identity.html The Electronic Privacy Information Center offers strong policy-oriented resources: http://www.epic.org/ You can find additional computer privacy resources and links at http://www.pcguardian.com/portal/privacy_links.html Tip #2: Evaluate Web Site Policies Startup company enonymous.com rates the privacy protections offered by major web sites. Its simple, but effective, four-star system asks two questions: Does the site *contact* users without their permission? Does the site *share* personal information about users with third parties without explicit permission? A web site gets four stars if it does not contact you without your explicit permission and does not share your personally identifiable information with third parties. At the other end of the scale, a web site gets one star if it shares information about you without your explicit permission. enonymous.com's list of one-star companies that sell or share personal information without permission includes many of the leading Internet sites: amazon.com angelfire.com askjeeves.com barnesandnoble.com cdnow.com expedia.com fortunecity.com geocities.com go.com goto.com icq.com infospace.com lycos.com mapquest.com microsoft.com msn.com msnbc.com netscape.com pathfinder.com previewtravel.com real.com sidewalk.com simplenet.com snap.com sony.com tripod.com yahoo.com zdnet.com enonymous.com's list of four-star sites is dismally short: aol.com bluemountainarts.com digitalcity.com For up-to-date listings and a detailed explanation of the enonymous rating system, see http://www.enonymous.com/ Tip #3: Use Pseudonyms Given the ability of advertising networks to connect the information you provide to one site with the other sites you visit and third-party marketing databases, you should stop providing any personal information to web sites. If a site forces you to provide a name, feed it a bogus name. Ditto for a street address, unless you want the site to send you something via US mail. Ditto for an email address, unless you want the site to send you something via email. Never give out your phone number. Become "John Doe, 124 Any Street, Anytown". List your email address as anyone@example.com (per Internet standard, the example.com domain can't be registered, so an innocent party won't get spam if you enter this address). Tip #4: Boycott the Snoops This is tough because so many of the top ecommerce sites are the worse privacy offenders. Consider sending a warning first -- "Please improve your privacy policy or I'll have to take my business elsewhere" -- to the email contact listed in the company's privacy policy. Another tactic is to file a complaint with TRUSTe -- I may have more on this in a future issue. Tip #5: Use an Anonymizing Proxy A proxy acts as an intermediary server between your web browsing software and the web site you're visiting. Typically, proxy servers are set up by companies for performance and security reasons. However, an anonymizing proxy is designed to protect privacy and prevent web sites from collecting IP addresses. In order to use an anonymizing proxy, you must configure your browsing software to send all web requests to the proxy (instead of sending them directly to the web site). The anonymizing proxy strips out your IP address and other identifying information, and makes requests to the web site on your behalf that can't be traced back to you. Most of these solutions are network-based and built around the Squid proxy server.[5] They are quite effective in protecting privacy, though there are performance/latency issues. For information about three anonymizing services, see the Tools section below. Tip #6: Crunch Your Cookies Cookies -- the small text files placed on your system by web sites that want to track you -- can be deleted. There are two ways to do this: manually, or by using one of several cookie-crunching programs. I cover two cookie-crunching tools below. To manually delete cookies from Netscape Navigator 4.7, quit out of the program. Go to C:\Program Files\Netscape\Users\username and delete the cookies.txt file. To manually delete cookies from Internet Explorer 5, quit out of the program. Go to C:\WINDOWS\Cookies and blow away all the separate little cookie files. Tip #7: Avoid Identity Management Services This a new breed of Internet-based services pioneered by several startups as well as Microsoft (Passport) and Novell (DigitalMe). These network-based services store your information -- everything from name and credit card number to shoe size and favorite color -- and release it to web sites on your behalf. Common features include single sign-on to web sites that require registration, automatic form-filling, and digital wallets. While these services claim to provide privacy, they don't. What they actually provide is convenience, particularly for web sites that want easy access to personal information. They actually diminish user privacy by making it easier to surrender. Instead of requiring a deliberate user effort to give up information by filling out forms, these services make it trivial for users to leak info with one easy click. See http://www.passport.com/ for a preview of a future where large ruthless corporations steal privacy while pretending to protect it. -------------------------------------------------------- 3. TOOLS: Anonymizers & Cookie Managers -------------------------------------------------------- Some of these privacy-enhancing tools run directly on your computer. Others are available via the Internet. Tool #1: Analyze Your Connection Privacy.net has a neat online demonstration of the information your web browsing software leaks with each and every web visit you make. See http://privacy.net/analyze/ Tool #2: Online Tracking Demo Privacy.net also has a neat demonstration of how banner ad networks like Doubleclick can violate your privacy and track your travels on the web. See http://privacy.net/track/ Tool #3: Proxymate Proxymate is a slick Bell Labs spin-off that provides reasonable privacy protection. This proxy service enables anonymous browsing: web sites are blocked from discovering your IP addresses. Proxymate also automatically filters out information from your HTTP headers. ProxyMate will keep track of your usernames, passwords, and even your searches. You don't have to remember or type in usernames and passwords to enter your personalized web sites. Proxymate can also filter spam. The service is not perfect, however: it runs slowly at times. Even worse, it's possible for determined snoops to defeat its privacy protections. Still, it works well enough, and the price is right: free. See http://www.proxymate.com/ Tool #4: Anonymizer.com A long-running anonymizing proxy service with both free and paid options. See http://www.anonymizer.com/ Tool #5: Freedom.net Zero Knowledge Systems is an up-and-coming company that offers a very thorough and well-engineered "pay for privacy" system. Freedom.net launders identity and IP addresses through at least seven intermediate Freedom Servers. "Absolute Privacy Protection" is their motto; their technology, marketing, and patents back this up. See http://www.freedom.net/ Tool #6: Cookie Crusher Keeping tight control of the cookies written to your system by web sites is an excellent way to enhance your online privacy. Cookie Crusher, from The Limit Software Inc., has several features for managing cookies. It makes it easy to blow them away. It can be set to transparently accept or reject cookies from particular sites. It can also be set to reject cookies from unknown sites, or to prompt for confirmation. This kind of software makes it easier to allow certain cookies through while rejecting random ones that risk your privacy. Cookie Crusher is shareware and costs $15 after a 30-day trial. See http://www.thelimitsoft.com/cookie.html Tool #7: Cookie Pal Cookie Pal works a lot like Cookie Cruncher. It's also shareware that costs $15 after 30 days. See http://www.kburra.com/cpal.html Tool #8: NIS 2000 While Norton Internet Security 2000 is primarily a personal firewall, it does a great job of blocking things like cookies and ads. It can also block the leakage of personal info using its packet inspection technologies. You can download a trial version or buy it for $53.95. See http://www.symantecstore.com/Product/0,1057,2-1-SN105991,00.html -------------------------------------------------------- A CALL TO ACTION -------------------------------------------------------- If you feel as strongly as I do about the pressing issues of Internet privacy, I hope you'll help me in spreading the word. Please take a moment and forward this issue to one or more people that you care about. Also, if you have any observations or feelings about the need for online privacy, please feel free to send them on. I'll compile your responses for a future distribution of the newsletter or keep them private, as you wish. --Seth T. Ross NEXT MONTH: Attack of the Email Snoops -- The Secret Attack on Email Privacy. 'Til then, keep your guard up. -------------------------------------------------------- REFERENCES -------------------------------------------------------- [1] A Canadian legislator has proposed recognition of privacy as a fundamental right: http://www.wired.com/news/politics/0,1283,34949,00.html [2] Yahoo's privacy policy can be found at http://docs.yahoo.com/info/privacy/ [3] Microsoft Passport's privacy policy can be found at http://www.passport.com/privacypolicy.asp [4] An explanation of TRUSTe for users: http://www.truste.org/users/users_how.html [5] Home of the Squid Server: http://www.squid-cache.org/ =============================================================== ABOUT THIS NEWSLETTER The Security Outpost Bulletin is published monthly by PC Guardian. For information about our simple and effective crypto software and anti-theft devices, please visit us at http://www.pcguardian.com/ SUBSCRIBING/UNSUBSCRIBING To unsubscribe from this newsletter, send an email to leave-security-outpost-news@lists.securityoutpost.com To subscribe to this newsletter, send an email to join-security-outpost-news@lists.securityoutpost.com SPREAD THE WORDS Please take a moment and forward this newsletter to a deserving colleague or loved-one. SYNDICATION/RE-USE Need hot security content for your web site? Ask about our free syndication program. =============================================================== FEEDBACK OR QUESTIONS Did you find this issue of the Security Outpost Bulletin interesting? Insightful? Overstated? Please let me know. Contact the author directly: Seth T. Ross Director of Security Publications & Resources PC Guardian 1133 East Francisco Blvd. San Rafael, CA 94901 +1 415-459-0190 x143 sross@pcguardian.com =============================================================== Redistribution of this newsletter is permitted, as long as the entire message body and this notice are included. Copyright 2000 PC Guardian. All rights reserved. ===============================================================