The character of the
Internet has changed over time. The Internet started as a communications and
collaboration tool between groups of researchers. As the Internet was built,
there was hardly any thought about keeping things private. The focus was on
open communication. The fundamental communication element, a packet, carries
not only the destination address but also the sender's address. The Internet
user community has been growing all the while. User population growth was
fueled by the "World Wide Web" that started being implemented in
December 1990. This is a system of "hypertext to link and access
information in a web of nodes in which the user can browse at will". This
worldwide web or the web fueled the explosive user growth. Even the growth rate
is accelerating. The user community doubled during the five-year period 2007 to
2012. What used to be 1.15 billion users grew to 2.27 billion during that
period. The browser was the tool to access the web and obtain useful
information and buy products and services from the increasingly commercialized
Internet.
Social networking was
another phenomenon on the net. People took to social sites on a huge scale. For
example, Facebook members have now surpassed what used to be the total number
of Internet users back in just 2004; the year the social networking phenomenon
came about. This is a large possible source of buyers of products and services
that no business could ignore. The usual techniques of marketing, increasing
brand recognition, brand building, promotion, etc. became as important to
web-based commerce as in the real brick-and-mortar world. It is equally
important in the virtual world to be able to divide prospects into as many
definable segments as possible. Then all the commercial activity costs could be
kept minimal, and made more efficient by exploiting these segments to the
fullest.
Accurate profiling of
prospect behavior, in both real world and the virtual, is needed to address
appropriate segments. Collecting detailed data is absolutely vital for sellers
of products and services. As long as this data does not contain any personally
identifiable data (actual address, name, social security number, etc.), the data
about a person is simply statistics and the privacy of the subject is protected. No
one should be able to misuse that data. Several items of personally
identifiable data, by themselves or in combination with other non-personally
identifiable data, can uniquely identify a person and compromise his privacy.
Besides name, address and social security number, these include date of birth,
birthplace, email address, IP address, vehicle registration, driver's license,
credit card details, digital identity, face, fingerprints, handwriting, etc.
There are other details that can help identify individuals. What's so important
about maintaining privacy is that such data can be criminally exploited. The scope
for such exploitation in the cyberworld is much greater, as there is a criminally
motivated section of entities always looking for opportunities to exploit
individuals for profit, politics, power and other reasons.
While the aggregated
profiles are a legitimate need for marketing purposes, there are no guarantees
personally identifiable data (by themselves or in combination with other pieces
of data) would not be misused. One of the major activities related to demographic
data is selling this data to others for gain. As some non-personally
identifiable data could be used to track down individuals, it is prudent to
be very careful about profile data and to whom it is given out. Malicious
attacks that cause damage and steal private data and real money from bank
accounts happen often. They are a big threat to Internet use. Most of the
problems could be avoided if completely anonymous and private access was widely
available. Whatever policies, protocols and systems are implemented to protect
users are basically retrofits on the system that was intended to be free and
open. It is very difficult to completely close all the cracks in protecting
privacy. Being on guard seems to be a critical step towards protecting your digital
footprint.
In the Internet world
there is a range of companies in the electronic business who want to utilize
the surfing behavior of people visiting various sites. These companies acquire
the data by tracking the surfing behavior of individuals and then aggregating
and categorizing it. Most such companies maintain that no personally
identifiable data is collected or traded on. However, such data could be
collected easily if these companies wanted to, and some are most likely
doing it anyway. This article looks at how the tracking is done
and how a user, concerned with privacy, could minimize the digital footprint of
a surfing session. The terms plug-in and add-on are used interchangeably. When
we talk about "companies" it should be read as "entities"
since it can concern any party doing the tracking/breaching for any reason.
Although this article will try to cover a lot of the basics for safer browsing,
it must be noted that there is a lot more to learn and use when it comes to privacy
than can be written in a single article.
Trackers Entry Points
This section takes a
look at how the tracking is done, the tools the tracking companies use and the
technological vulnerabilities that could be exploited. The anti-tracking tools
that could be used to avoid being tracked will be discussed later in this
article. Anti-tracking tools are able to identify and protect you against these
tracking companies. They offer options to allow or disallow a particular
company to track your online behavior - if you trust it enough. This is
particularly true when you have faith in the company that the details provided
will be used only in aggregated form and no personally identifiable information
will be used. This is equivalent to filling out a survey from a trusted company
in the real world, which you may do willingly.
Problems start with
things that evolved over time to facilitate the user. This includes
(super)cookies. Others are inherent problems in programming languages and web
technologies used to create attractive and dynamic sites. These include
problems with Flash-based applications, Java applets, ActiveX, JavaScript and
many more. There are some sites where users are invited to use their real
(residential) IP addresses to enable free products or services. Then there are
the streaming audio/video sites that offer to install their own plugins. These
plugins can then send details to some designated server(s). To top all these
issues, the user-agent of the browser you use offers information on the major
and minor version of the browser software. That clearly tells someone the
security patch level of the browser and what vulnerabilities to exploit if one
wanted to. The intention behind providing the version data of the browser was to
help web sites dynamically adjust the web experience so that it is optimized for the
user accessing it. Malicious exploiters, on the other hand, can use the browser
vulnerabilities to easily exploit computers remotely. What's more, the features
that were supposedly implemented to facilitate the user through the browser
often make it easier for the attackers.
The Tracking Process
Cookies were introduced
to make website visits a little more comfortable. This is a process by which
the website visited stores data on the user's computer. On a later visit, the
website is able to identify the preferences of the user (potentially the user
identity too). For example, if you wanted the site to remember your password
and help you log in easily from the same computer, the cookie can help. The cookie
can hold details that set up the website so that color preferences and other
options available at the site are remembered. You do not need to set up these
preferences every time you visit. Since the sites are able to store data on
your system, they can store identifying data snippets. This data can then be used
to track your movements to other sites and the pattern of your visits: which
sites, which specific pages and what activities you undertake.
What started off as a means of convenience for the user, as well as for the
websites to set up the site preferences of a large number of users (without
wasting storage for them and spending the search time to find them), has become
an easy means of tracking your movements across cyberspace.
Notice, for example, that
when the website can clearly associate the userid and password with you, you
become vulnerable to many kinds of attacks. This information could now be sold
to others and, if it matches the pair you use for your bank, then that could
easily be under attack. The other part of the threat is that the free sites we love
to use need to earn revenues by some means. The usual means is to let
advertisers run ads on the site. These companies would like to show the user
specific ads that are tailored to the customer preferences, identified by the
data in the cookies. These companies store their own cookies that help track
the user and find his/her behavior on the net. These third-party cookies are
used to track users. The ads can take the form of popup ads, banners or other
variations. Profiling through the cookies involves collecting several events
(which URLs you visit) that are linked to the original user. Cookies from
traffic tracking sites are installed and additional information is tagged to
the cookie. The data is sent to a tracking server. The behavior history in the
cookies keeps growing with each session.
Aggregated surfing
behavior would be legitimate, if stripped of personally identifiable data as
discussed already. But the whole cookie process is a stealthy process; you are
normally never aware of who dumps a cookie into the local storage via the
browser although modern browsers can block cookies. However, this can make
visiting your preferred website inconvenient. The site would not be able to handle
the preferences anymore. Nowadays many browsers let you automatically delete
cookies after a surfing session ends. As tracking/profiling depends on
continuing access to the undisturbed cookie, blocking them altogether or
purging the cookies after a session could be an effective defense against
profiling. This led to the use of other cookie varieties known as Flash cookies,
persistent cookies, zombie cookies and evercookies. Flash cookies, a.k.a.
local shared objects, exploited vulnerabilities in Flash technology and are
difficult to erase. All of these newer cookies have this property in common.
With recent versions of various browsers, it is possible to delete these local
shared objects (LSO) of the Flash player. Except for Flash cookies, all the
other cookies get stored in different storage modes. So if the one stored in
the browser or the local storage is erased, other copies could be accessed or
the cookie regenerated. Zombie cookies are stored in folders that are common to
all the browsers. Thus, even if you were to change the browser, the zombie
cookie remains accessible. Evercookies are a type of zombie cookie. These are
JavaScript applications that have the ability to store the cookie via ten (or
more) different types of storage mechanisms of a browser. When the application
detects that any one of the copies has been deleted, it is recreated and stored
back. Most current browsers have the ability to exterminate the Evercookie now.
That is another reason to keep your browser updated.
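
An added illustration, not part of the original article, of the cookie profiling and the purge-after-session defense described above: a simulated third-party tracker links page visits through its cookie under three browser cookie policies. The sessions, host names, `uid-N` identifiers and function names are constructed for the example, and the Referer header is assumed to carry the full page URL.

```python
import itertools

# Constructed browsing sessions: each inner list is one session's page visits.
# Every page is assumed to embed a resource from the same third-party tracker.
SESSIONS = [
    ["https://news.example.com/politics", "https://shop.example.org/shoes"],
    ["https://health.example.net/symptoms", "https://shop.example.org/cart"],
    ["https://bank.example.com/login"],
]


class Tracker:
    """Third-party server: it sees only its own cookie and the Referer header."""

    def __init__(self):
        self._ids = itertools.count(1)
        self.profiles = {}  # cookie id -> pages on which that id was seen

    def handle_request(self, cookie_id, referer):
        if cookie_id is None:  # no cookie presented: issue a fresh identifier
            cookie_id = f"uid-{next(self._ids)}"
        self.profiles.setdefault(cookie_id, []).append(referer)
        return cookie_id  # returned to the browser as Set-Cookie


def profiles_seen_by_tracker(sessions, policy):
    """Replay the sessions under a cookie policy and return the tracker's view.

    policy: "keep"  - cookie survives across sessions
            "purge" - cookie deleted when each session ends
            "block" - third-party cookie never stored
    """
    if policy not in ("keep", "purge", "block"):
        raise ValueError(f"unknown policy: {policy}")
    tracker = Tracker()
    stored_cookie = None
    for session in sessions:
        for page in session:
            # Loading the page fetches the tracker's resource, sending the
            # stored cookie (if any) and the page address as Referer.
            issued = tracker.handle_request(stored_cookie, page)
            if policy != "block":
                stored_cookie = issued
        if policy == "purge":
            stored_cookie = None
    return tracker.profiles


if __name__ == "__main__":
    for policy in ("keep", "purge", "block"):
        profiles = profiles_seen_by_tracker(SESSIONS, policy)
        print(policy, {uid: len(pages) for uid, pages in profiles.items()})
```

With "keep" the tracker holds one five-page history; with "purge" it holds three unlinked fragments, one per session.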
Other situations that enable
tracking include downloading Java applets. Allowing interesting sites to download
and install (useful) applications (plugins) can open you to vulnerabilities.
Downloaded Java applications can do anything beyond the stated features, such
as storing a cookie that enables tracking. Similar concerns apply to that nifty
application downloaded and installed by the streaming audio/video/game sites
you found. ActiveX, another popular scripting technology, has vulnerabilities
that could be easily utilized. As discussed here, totally avoiding cookies, and
thereby tracking, is nearly impossible. Thus the next level strategy is to
detect these trackers and block them as you move from site to site. Browser
plugins that help prevent tracking your browser (you) are designed around this
defense strategy.
Popular Privacy Plugins
In the following
sections we will discuss several plugins for various browsers starting with
Firefox. Firefox is reputed to be the most secure among the popular browsers
that include Internet Explorer, Opera, Chrome and Safari. The three most
popular Firefox plugins that help defend against tracking are named
"Ghostery", "NoScript" and "FlashBlock".
Ghostery:
Ghostery is a plugin that
recognizes the hooks used on websites by the analytics and ad companies to tag
your browser for tracking. It is able to identify the companies trying to
track you. These companies use what is known as "web bugs". Like a
real-life bug in a room, these are left hidden in a webpage or an email and
help trackers find out whether a user is visiting the site or a mail was opened by
the user. Often they are called by names such as beacon, tag, etc. These are
implemented as pixel, clear GIF, 1x1 GIF (... ) elements, each a single
transparent embedded image to be loaded from a server of the tracking company.
The request reveals your IP address as that is where the image is requested
from. The trackers use this address to place a special tag in some kind of a
persistent cookie into your local storage. As the browser is used more and more,
the cookie inside your computer builds up browsing history. Periodically
cleaning cookies helps as it fragments the history collected. The webserver
that serves the pages of sites you visit usually logs your IP address. However,
the third-party trackers do not get access to these logs and have to resort to
listening to the communication interchange when a page is requested, much like
listening to a bug in the physical world to find out if someone has entered the
bugged room. Identifying such trackers comes down to monitoring whether image
requests are going to external servers and identifying those servers. If these images
are prevented from loading, and any further communication is prevented, then the tracking will
be blocked. The images, being transparent, do not interfere with the webpage presentation.
So-called iFrame HTML tags are also used to help the third parties place a
cookie on your computer.
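
The detection idea described above (look for invisible images and iframes requested from external servers), sketched as an added example; this is not Ghostery's code. The sample page, its host names and the names `WebBugFinder` and `find_web_bugs` are constructed for the illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample page; every host name is a placeholder.
SAMPLE_URL = "https://news.example.com/story"
SAMPLE_PAGE = """
<html><body>
<img src="/images/logo.png" width="200" height="60">
<img src="https://tracker.example.net/pixel.gif?uid=abc123" width="1" height="1">
<img src="//stats.example.org/b.gif" style="display: none">
<img src="https://cdn.example.net/photo.jpg" width="640" height="480">
<iframe src="https://ads.example.net/sync" width="0" height="0"></iframe>
</body></html>
"""


def _tiny(value):
    """True when a width/height attribute is 0 or 1 pixel."""
    if value is None:
        return False
    value = value.strip().lower()
    if value.endswith("px"):
        value = value[:-2]
    return value in ("0", "1")


class WebBugFinder(HTMLParser):
    """Collect invisible <img>/<iframe> elements loaded from another host."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlparse(page_url).hostname
        self.findings = []  # (tag, third-party host, resolved URL)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag not in ("img", "iframe") or not attrs.get("src"):
            return
        url = urljoin(self.page_url, attrs["src"])  # resolves /path and //host
        host = urlparse(url).hostname
        # Simplification: exact host match. A fuller check would compare
        # registrable domains so that a site's own subdomains are first-party.
        if host is None or host == self.page_host:
            return
        style = (attrs.get("style") or "").replace(" ", "").lower()
        hidden = "display:none" in style or "visibility:hidden" in style
        tiny = _tiny(attrs.get("width")) and _tiny(attrs.get("height"))
        if tiny or hidden:
            self.findings.append((tag, host, url))


def find_web_bugs(html, page_url):
    """Return the invisible third-party elements found in the page."""
    finder = WebBugFinder(page_url)
    finder.feed(html)
    return finder.findings


if __name__ == "__main__":
    for tag, host, url in find_web_bugs(SAMPLE_PAGE, SAMPLE_URL):
        print(f"{tag:6} {host:22} {url}")
```

The visible third-party photo and the first-party logo are not reported; only the two hidden images and the zero-size iframe are.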
You can set pre-emptive
settings to stop all tracking companies found. A purple box appears on the
right hand corner of the screen and shows the names of companies detected and
deleted (displayed with a strike-through on the name listed if blocked).
Additional information about the company, their privacy policy and contact
details regarding privacy matters are provided by the plugin with a single
click of the mouse. Ghostery also has an option, known as GhostRank, which
allows sending anonymous statistical information to the servers of the Ghostery
developers. That helps update data and protection against these tracking
companies.
Ghostery is available
for all the major browsers (Firefox, Internet Explorer, Chrome, Opera, Safari)
and works the same way on each. The plugin is also available on the iPad, iPod Touch
and iPhone. When you download the plugin, a wizard helps set up the plugin. The
plugin is entirely free to use and does not violate your privacy.
DoNotTrackMe:
Previously known as
DoNotTrack Plus, this is an addon that has similar functionality, available across the
major browsers except Opera. It may not be able to block everything that
Ghostery does. Trackers that are being blocked can be viewed. Cookies are blocked as
are ads with tracking functionality. Alerts are provided when privacy policies
of the tracking sites change.
Some websites will force you to enable a specific tracker before you can continue using their service, which is a very questionable practice.
NoScript and Similars:
Firefox has a plugin
named NoScript that prevents scripts from any website from executing in your browser
unless the user specifically allows it. JavaScript, Silverlight, Flash, ActiveX,
Java and others can only be executed if you allow them. Creating a whitelist
will enable adding trusted sites that are allowed to execute scripts on a
continuing basis. The script execution can be enabled very easily with a simple
left click on the NoScript status bar icon when visiting a specific site. The
plugin helps block (the vulnerabilities related to) these scripts and gives you
control. It has some other advantages from a security standpoint too. It
prevents cross-site scripting and click-jacking among others. This plugin
affects the working of many sites. What a user needs to do is build up the
whitelist for their favorite sites. This needs to be done manually one by one.
Internet Explorer script
policy can be set through the Internet options available in the tools menu.
Disabling of different flavors of scripting is available through the Security
set of options. Security level high disables everything as expected. You can
selectively whitelist sites in different security zones defined in IE by
default.
Opera has a plugin named
ScriptWeeder whose functionality is similar to NoScript's. It has three modes:
whitelist, whitelist + same origin and blacklist. In whitelist mode, scripts are blocked unless
they are on the whitelist. In the second mode, the only exception made is if
the script is from the same domain (script being run from the original
website). In the blacklist mode all scripts are allowed to run unless the site
is listed on the blacklist.
Chrome has the NotScript
plugin with functionality similar to NoScript for Firefox but is somewhat
limited. The usual whitelisting functionality is available. The limitation is
that some Java applets may not be blocked properly.
Safari recently gained a
plugin called JavaScript Blocker. It is in many ways comparable to
the NoScript plugin for Firefox but requires a very recent version of Safari.
Flashblock and Similars:
Firefox and Chrome have
a plugin named Flashblock which blocks downloading elements like Silverlight,
Shockwave, Flash and other variations. Placeholders are shown on the pages
where they would normally appear and clicking on them downloads the specific
element. Flashblock will not work if a script blocker like NoScript is active or
JavaScript is disabled. Whitelisting is available for sites that can be allowed to
work unrestricted.
Internet Explorer has a
kind of Flash-blocking option built in. It is not very obvious but can be
turned off/on easily. The default is to allow all Flash elements. To set its status
you need to go to Manage Add-ons and select it from the list, assuming a Flash
plugin was installed. This also depends on which version of IE you are using,
since Microsoft does not seem to have a clear path about the future of Flash /
third-party plugins in recent versions like IE 10.
Opera has a similarly named
Flashblocker plugin available, although it does require some attention in the
way it is used. It is recommended to check the latest instructions.
Safari has a built-in
plugin-blocking mechanism that stops older Flash versions from downloading
through its plugin blacklist feature. Only the latest secure version will be
allowed. To block Flash you can use the ClickToFlash add-on available for
Safari. Elements are turned into placeholders and clicking on them loads the
content. Flash videos from selected websites get converted to H.264 format with
a single click. It also offers whitelisting features.
Conclusion
It is always a good idea
to take care of the following issues to be safe in your journey through
cyberspace. By default you should always have a capable virus and malware
protection system, constantly updated, as a first level of safety. The starting
point is to keep everything patched up to the latest patches released by the
manufacturers: the operating system, your browser and certainly the browser
plugins. It is easy to forget about updating the plugins. Keep, among
others, Java, JavaScript, ActiveX and Flash controls turned off. Allow them only
when you are absolutely certain of the site providing them to you. Have the
option set up such that you are alerted when needed and can then choose
to allow them. Revert to no-script settings as soon as you are done. Disable
cookies; if that interferes with the operation of your favorite sites, then delete
them after a browsing session, and do this regularly. Keep all applications,
particularly if they are for multimedia, patched and configured up to the
latest security levels. Blocking pop-ups can help as some may contain a
malicious payload. Always be vigilant when it comes to your data and the
digital footprint you leave in cyberspace. It is very difficult to repair your
privacy on the internet if it is out in the open. A known good firewall that is
always kept current is another strong protection layer against privacy invasion
and security threats.
Privacy & Liberties
is our business
http://www.trilightzone.org
The TriTeam
Article Source: http://EzineArticles.com/?expert=Rohan_Beorgo
Article Source: http://EzineArticles.com/7915181