A Paranoid’s Guide to Web Security – So You Think You’re Safe…

By Ed Cartier, xAssets

You or your company has installed firewalls, anti-virus software and network filters. You can relax and safely perform web-based research or market or pricing research, secure in the knowledge that your data is safe. Don’t be so sure. Your PC/laptop may be safe from viruses and malware, but your search data and even your identity, the topics of interest to your company may be in real jeopardy. Worse, you may not even own the data that you used online. Combine that with the near wild-west environment of mobile computing, and you may quickly realize that you are not as safe as you first thought.

Raiding the Cookie Jar

Cookies are ubiquitous, and I’m not talking about the ones from the Girl Scouts of America® or Keebler®. It is virtually, if not completely, impossible to avoid having a website install a cookie on your computer. Some may say “What’s the harm? It’s just a little bit of text code.” My response is that small things a can be really dangerous. Would you taste just a little bit of cyanide?

True, some cookies are benign, or even helpful. These bits of code can help your bank or credit card company or favorite vendor recognize that it’s really you and help you get logged on. However, in these cases you have a voluntary and mutually beneficial relationship with that entity. But what about the other cookies that are deposited on your computer, from companies with which you have no relationship, who also want to collect information about you? Those bits of code can be re-classified from “cookies” to “spyware.” And that spyware can be a real threat to your company.

Skeptical? Then don’t take my word for it. In February of 2012, an article entitled “How Much Online Privacy Do You Really Have? Less Than You Think” begins with the statement, “Your privacy takes a beating every time you open your web browser.” The article focuses on the work done by PrivacyChoice, a company that both provides anti-tracking tools and ranks websites based on their privacy and security policies. Privacy scores are based on published privacy policies and practices. Low scores go to companies that have website attributes such as:

  • Not having a clear policy for dealing with users who ask to have their data deleted
  • Not advising users if data is requested from their computer
  • Associating with third-party ad and tracking companies that don’t respect sensitive boundaries
  • Not allow user opt-outs
  • Retaining data longer than one year

Think about the degree to which you use the web for business purposes. What information about your company’s interests is falling to the hands of third parties? Your searches can reveal what products your firm is looking to purchase, what markets it may want to enter, who it considers competition and even where it may want to locates. All are potentially captured by cookies and transmitted to some repository where it is sold to companies that mine for that exact kind of information.

But, you say, I can set my privacy settings in Windows Explorer to block all cookies. True enough, but try to get any meaningful information from the sites you visit without at least a medium-high setting. Letting cookies in seems to be the price you pay for the information you need. It’s up to you, or your IT group, to install the tools and practices to delete them. You might not be able to prevent cookies from being forced on your PC, but you don’t have to keep them. My own practice is to delete all cookies placed on my computer by third party firms as soon as I complete my search activity. It takes a few seconds, but I just feel safer behind the keyboard afterwards.

1984, Meet 2012

George Orwell wrote 1984, but it took search engines and the web to make it reality. Just as individual websites will place cookies on your computer, search engine companies collect information on your general search criteria. And if you think you can opt-out of the intrusion, think again. A major vendor has specifically stated that end-users cannot opt-out of its data collection policy. Without specifying the vendor referenced, I would turn your attention to an article in the Washington Post regarding the degree to which search information is both collected and analyzed. The paper reported that “[Company] can collect information about users when they activate a… mobile phone, sign into their accounts online or enter search terms. It can also store cookies on people’s computers to see which web sites they visit or use its popular maps program to estimate their location. However, users who have not logged on to [Company] or one of its other sites ….are not affected by the new policy.”

Consequently, as you use search engines to perform company related research, your data is being collected, analyzed and potentially sold to third parties. Of course, companies do have a choice of search engine vendors, and IT managers have the ability to block access to specified websites. Perhaps one way to better preserve the confidentiality of corporate web search activity would be to closely examine the privacy policies of the various search engine companies and authorize use of the one(s) with the most privacy-friendly policies.

But, as they say on TV, there’s more. It’s not just search engines that can hijack your privacy. How about the browser itself? Beyond the fact that just about any browser will add a cookie to your computer, one in particular can take control of how you can use your computer. This finding is based on my own personal experience. When I updated an application I use to delete cookies a second browser, which is owned by a search engine company, was placed on my computer. (That’s my own computer, not a company provided unit.) I deleted the new browser, and when I next tried to link to a news article I was immediately informed by a dialog box that I didn’t have authorization to make the connection. In researching the problem, which is documented on the web and easily found, I discovered that the search engine had modified my registry to the point where the software had to be present for me to go directly to an article or site from an embedded link. The only way to fix it was to go in and make some complicated (for me at least) code changes or reload the browser. I reluctantly reloaded the software but will not use it. If it can control how I use my computer when it’s not there, I shudder to think what information it collects when it’s in use. I still wonder if it tracks every site I visit.

Just as IT shops are ever vigilant about maintaining firewalls, anti-virus software and web filters, they now need to investigate what on-line tools expose the company’s web activities and which one protect it. There seems to be no reason to share more information that is really necessary.

Mobile Madness

OK, let’s say they you use your tablet computer or smart phone for most of your web browsing. That’s safe, right? Nope. On April 21 the Wall Street Journal ran an article entitled “Apple, Google Collect User Data.” The article details the degree and frequency to which both companies collect users’ exact GPS locations. However, the degree to which your privacy is infringed by mobile devices extends well beyond location alone. In a past article, the Wall Street Journal reported how some of the most widely used smartphone apps aggressively collect personal information and, in some cases, share it with third-party companies without the user’s consent or knowledge. For example, research performed at Purdue University and reported by NetworkWorld showed that:

“Those free apps, like Angry Birds, Instagram and Tiny Wings may be loads of fun but they suck the battery life out of your smartphone by tracking your geographical location, sending information about you to advertisers and downloading ads….

The free Angry Birds app for example was shown to consume about 75% of its power running “advertisement modules” in the software code and only about 25% for actually playing the game. The modules perform marketing functions such as sharing user information and downloading ads, according to the researchers.”

Now, some may say “so what if they track where I am or know what I do.” That’s a personal choice, however, that choice does not transcend to the corporate world. In Apple’s case, as reported by Wired, the data is recorded in an unencrypted file stored on the device. Any data-thief hacking into phones used for a company could easily identify the locations of sales staff (A.K.A customer locations), executives, service personnel or anyone else on company business. That data can be extrapolated into information and used against the company or sold to competitors. As Wired wrote, “in actuality the database of your approximate locations is accessible to anyone with physical or remote access to your iPhone or iPad. Again, that’s a security issue.”

Speaking of encryption, or the lack thereof, a recent report showed how vulnerable mobile devices are to hackers and cyber-criminals. In a ZDNet published article, researchers discovered that company data is encrypted only on about one third of devices, and that less than half of all devices in the bring-your-own device (BYOD) or mobile category are protected by the most basic of security measures. For example:

  • Less than one in ten people currently using personal tablets for work have auto-locking enabled
  • Only a quarter of smartphone owners used auto-locking features
  • One-third of laptop owners used auto-locking features

Couple that information with the actions of the phone and mobile OS providers and the apps developers and your smartphone or tablet can turn into a data sieve, transmitting everything from your location to what you look for on the web to whoever will buy the information.

Information is the New Currency

I really doubt if anyone would leave his or her wallet open so that the contents just flowed out into the open air, for anyone to pick up and use. However, that is exactly what is happening when computing and mobile systems are used without an awareness of what information is flowing out. There are some steps that IT pros and IT asset managers can do to protect a company’s web-use information from becoming available on the open market:

  • Research apps that can clean unauthorized cookies from corporate computers, and establish policies and practices that will run them several times a day
  • Research the privacy policies of the sites that your employees visit most often and determine the degree to which your browsing activities are safe
  • Choose a standard corporate search engine and browser that have the best privacy practices and block use of anything else
  • Develop and enforce an auto-locking and encryption policy for all supported mobile devices
  • Deny access to corporate data by unlocked or unencrypted personal devices
  • Prohibit use of apps that collect personal information on corporate provided devices
  • Prohibit access to corporate databases by of personal devices that use apps that collect personal information

Some of you may be shaking your heads and thinking, “This guy is just paranoid.” Maybe so, but I’d rather take a few precautions and guard my personal and corporate information rather than put it into the public domain.

About the Author