Security Advisor

The Right To Remain Anonymous

Here are some tools to help you protect your privacy on the 'Net.

It's amazing how much information you can inadvertently reveal through everyday activities like browsing the Web and sending e-mail. While we've described numerous methods for securing your customers' data, what about your own personal privacy? Here are some tools and best practices for maintaining a modicum of privacy on the Internet.

Anonymous E-Mail
These days, more Web sites require that you sign up and provide your e-mail address before you can get to any information on the site. Once you sign up, they send a password or a download link to that address. This lets you finally access the information you need.

There's nothing inherently wrong with this model. There are times, though, when you don't want to give out your real e-mail address.

You can always create a Hotmail, Yahoo! or Gmail account for receiving a single e-mail and stop using it afterwards. However, this is extremely time-consuming and you'll have to remember yet another password. Services like Mailinator (www.mailinator.com) or PookMail (www.pookmail.com) let you create an e-mail address simply by entering it into a Web form. For example, without having to set up anything beforehand, I could provide the address securityadvisor@pookmail.com in a Web form and check for mail sent to this address simply by going to PookMail's Web site. There's no password, so anyone could read e-mail sent to a PookMail or Mailinator address, but these services are great when you're not expecting any confidential information and convenience is of the utmost importance.

Other services like Spamgourmet (www.spamgourmet.com) give you a disposable e-mail address, but also forward anything arriving there to your real e-mail address. This approach works better when you want to anonymously conduct an e-mail exchange that includes more than one or two messages. You do have to set up the disposable address in advance, though.

Anonymous Browsing
It may surprise you to learn what Web site operators can find out about you. After you've visited a Web site, the logs will contain a list of pages you've viewed and your computer's IP address. Your browser has also happily told the Web server about itself and your computer's operating system.

A Web site operator can find out whether you're using Internet Explorer or Firefox, which version, which OS you're running, which Windows Service Pack is installed, and which version of the .NET Framework you have. Your browser also shares your preferred language and which link you clicked to get to the Web site you've just visited.
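To make the list above concrete, here is an added example (not part of the original column) that reads one HTTP request the way a Web server does and reports what it discloses. The request text, host names and IP address are constructed samples, and the function names are hypothetical.

```python
import re

# Constructed sample request (not captured traffic), modelled on what
# Internet Explorer 6 on Windows XP SP2 sent after a click on a search result.
SAMPLE_REQUEST = (
    "GET /whitepapers/index.html HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; "
    ".NET CLR 1.1.4322; .NET CLR 2.0.50727)\r\n"
    "Accept-Language: en-us,de;q=0.5\r\n"
    "Referer: http://search.example.net/results?q=anonymous+browsing\r\n"
    "\r\n"
)
WINDOWS_NT = {"5.0": "Windows 2000", "5.1": "Windows XP",
              "5.2": "Windows Server 2003", "6.0": "Windows Vista"}

def parse_headers(raw):
    """Return the request headers as a dict keyed by lower-case name."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:      # skip the request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def disclosed(raw, client_ip):
    """Summarise what the server operator learns from one request."""
    h = parse_headers(raw)
    ua = h.get("user-agent", "")
    info = {"ip": client_ip, "browser": None, "os": None}
    ie = re.search(r"MSIE (\d+\.\d+)", ua)
    fx = re.search(r"Firefox/([\d.]+)", ua)
    if ie:
        info["browser"] = "Internet Explorer " + ie.group(1)
    elif fx:
        info["browser"] = "Firefox " + fx.group(1)
    nt = re.search(r"Windows NT (\d+\.\d+)", ua)
    if nt:
        info["os"] = WINDOWS_NT.get(nt.group(1), "Windows NT " + nt.group(1))
    # IE 6 added the SV1 token once Windows XP Service Pack 2 was installed.
    info["xp_sp2"] = bool(re.search(r";\s*SV1\b", ua))
    info["dotnet"] = re.findall(r"\.NET CLR ([\d.]+)", ua)
    info["languages"] = [p.split(";")[0].strip()
                         for p in h.get("accept-language", "").split(",") if p.strip()]
    info["referer"] = h.get("referer")   # the page whose link was clicked
    return info
```

Calling disclosed(SAMPLE_REQUEST, "203.0.113.7") returns the browser, OS, service-pack hint, .NET versions, languages and referring page, none of which the visitor typed in.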

The privacy impact of any cookies your browser may send to a Web server is much more worrisome. In reality, cookies are neither inherently good nor bad. Contrary to popular belief, they are not automatically dangerous.

Cookies can, however, gather information about you that you may not want to share. Session cookies, which are limited to a single browser session, are generally harmless. Persistent cookies may keep track of Web site visitors across multiple sessions. These can actually provide a better browsing experience, for example, when the Web server can provide personalized content.

On the other hand, cookies undermine your privacy if you don't want the Web site to track your activities. Third-party cookies, which may share your information with multiple Web sites, are especially problematic. These types of cookies are most often used by advertisers who want to track the ads you've seen, even when those ads are displayed on multiple Web sites. Companies that use third-party cookies may also track which Web sites you're visiting to tailor their advertising.
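The cross-site tracking described above can be shown from the advertiser's side. The following is an added example, not part of the original column: the log entries, the cookie name uid and all host names are constructed, and the function names are hypothetical. It also shows why blocking third-party cookies helps, because a request that arrives without the cookie cannot be tied to a profile.

```python
from collections import defaultdict
from urllib.parse import urlparse

# Constructed ad-server log: (Cookie header sent by the browser,
# Referer naming the page that embedded the ad, banner requested).
AD_SERVER_LOG = [
    ("uid=a1b2c3", "http://news.example.com/politics/story1.html", "/banner/401"),
    ("uid=a1b2c3", "http://health.example.org/conditions/asthma", "/banner/401"),
    ("uid=ffee99", "http://news.example.com/sports/scores.html", "/banner/377"),
    # This browser blocks third-party cookies, so no identifier is sent.
    ("", "http://shoes.example.net/mens/size-11", "/banner/512"),
    ("uid=a1b2c3", "http://shoes.example.net/mens/size-11", "/banner/512"),
]

def cookie_value(header, name):
    """Return one cookie's value from a Cookie header, or None if absent."""
    for part in header.split(";"):
        key, _, value = part.strip().partition("=")
        if key == name:
            return value
    return None

def build_profiles(log):
    """Group ad requests by cookie ID, as an ad network could.

    Returns (profiles, unlinked): profiles maps each ID to the sites it was
    seen on and the ads it was shown; unlinked counts cookie-less requests.
    """
    profiles = defaultdict(lambda: {"sites": [], "ads": set()})
    unlinked = 0
    for cookie, referer, ad in log:
        uid = cookie_value(cookie, "uid")
        if uid is None:
            unlinked += 1          # nothing ties this visit to earlier ones
            continue
        host = urlparse(referer).hostname
        if host not in profiles[uid]["sites"]:
            profiles[uid]["sites"].append(host)
        profiles[uid]["ads"].add(ad)
    return dict(profiles), unlinked
```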

There are a number of techniques you can use to surf the Web anonymously. These can fully or partially prevent any information about you from being disclosed. Among the most efficient methods of anonymously surfing is to use a service that receives your Web page requests, and then sends out a separate request through one of their servers. Not only does this hide your IP address from the destination Web site, it also obscures all your browser's characteristics.

Anonymizer (www.anonymizer.com), one of the oldest services in this category, recently moved to a paid subscription model and locally installed software. There are other free Web-based services, though, like The Cloak (www.the-cloak.com). These let you type a Web address into a form, and the service retrieves the Web page for you. There may also be options to block cookies or advertising banners. A free Web-based service can be a better alternative than a paid subscription-based solution if you only occasionally need to surf anonymously.

Open proxies, which are easy to find on the Internet, technically work much like the anonymous forwarding services. There's an important difference, though. These open proxies are actually computers running software that accepts Web requests from anyone and forwards them on your behalf.

Be careful with these. Many of these computers run software that was installed by an attacker for their own nefarious reasons. Other open proxies are operated for the very purpose of capturing other people's Web requests, either to intercept credit card numbers, perform research or for a number of other shady purposes. Whenever you redirect your browsing through a third party, make sure that this third party is trustworthy. Open proxies are inherently suspicious.

Virtual technologies can also help you protect your privacy. Microsoft's Virtual PC and VMware Workstation let you create a virtual machine that reverts to its original state once you shut it down. This means any local traces of your earlier surfing -- including cookies, spyware and viruses -- evaporate once you close the virtual machine.

Your real computer remains safe, no matter what nasty things your virtual browser picks up on the Internet. Obviously, this doesn't hide your IP address or any information sent by your browser, but it does prevent Web sites from tracking you with cookies.

If your main concern is cookies, then you can configure your browser to either not process them or be selective about which ones to store. For example, the Privacy page of Internet Explorer's Options dialog box provides good descriptions of what each cookie blocking option does and why. Choose the cookie-management level that balances your need for privacy with your desire for browsing convenience and regularly clear the cookies from your computer. If you do that, you probably won't have to worry about cookies affecting your privacy and security.

Low-Tech Solutions
Despite widespread concerns about Internet privacy, most people willingly disclose personal information. Many people are happy to share information about themselves -- whether it's their e-mail address, their shoe size or any communicable diseases -- in return for a small incentive.

If a Web site you visit or service you use asks you to divulge something about yourself that you don't want to share, simply don't provide that information.

Other low-tech strategies include thoroughly reviewing the privacy policy of your ISP and every company whose Internet-based service you use. This can be a lot of work, but it may reveal some interesting and enlightening information. For example, did you know that Google's privacy policy for its Gmail service lets them do extensive data mining on their subscribers' e-mail messages? Fortunately, that policy doesn't include viewing individual messages.

Do you have any other low-tech (or high-tech) solutions for Internet privacy you want to share? If so, let me know -- preferably anonymously.

About the Author

Joern Wettern, Ph.D., MCSE, MCT, Security+, is the owner of Wettern Network Solutions, a consulting and training firm. He has written books and developed training courses on a number of networking and security topics. In addition to helping companies implement network security solutions, he regularly teaches seminars and speaks at conferences worldwide.


Reader Comments:

Tue, Oct 16, 2007 Anonymous Anonymous

Previous poster, I agree that nothing is completely secure, but users can do things to reduce their risk. I use a bootable CD (Knoppix in this case) for doing internet banking and other browsing that I need to be more secure for. In these cases I do not even boot off a writable CD/DVD drive and refrain from using this CD for general browsing. My philosophy is to take reasonable steps to protect the OS on my PC from "nasty" items, but to not trust that that is foolproof for items that I deem require more security.

Wed, Sep 26, 2007 Anonymous Anonymous

Sorry Joern, but you are wrong on all counts. I have tried all the mentioned techniques and even gone further - I deleted all the contents of the network control panel of the host machine when using vmware - tcpip, file and print sharing, microsoft client, and reverted to base image on close - and the bad guys still got through! I think via the bridge capability of my router... Speaking of which, my router is totally owned. It is supposed to be a top of the line adsl2 wifi voip router with spi. Hah! The firmware is based on readily available linux opensource components, the hardware is well known, and the source is only partially gpl'd - the drivers are not 'open'. So I cannot really implement my own safe firmware. It takes only a short time for the thing to be owned after I have reset it and reblown the firmware. I think it has been deliberately backdoored by the manufacturer - Taiwanese, probably to attack China in mass DDOS botnets...
I have had all modern OS's fall to these &%&%
If I try to retaliate by fuzzing 'em via backtrack say, then my ISP cuts the connection...

So I am trying to fight with both hands tied behind my back!

Why are they doing this - I think the large scale harvesting of IP is close to the mark, as well as just ordinary phishing.

No computer attached to the internet via ordinary modems and routers can be considered secure. Updates just give the bad guys a regular way in.

Nothing you have said or recommended in any way makes any computer secure and you should stop saying so NOW.

We need real action on producing demonstrably secure appliances and applications, proper hardware and software reviews and audits in the popular press, and large scale class actions against those corporations that continually push deliberately and shoddily insecure applications and hardware on us for their benefit only. Yes that means Microsoft - perhaps a 100 billion dollar world wide class action will make them stop and rethink how they do business.

Wed, Sep 26, 2007 Anonymous Anonymous

Very interesting article. What you don't explain is in an article about privacy why the remondmag.com website tries to save cookies that my virus scanner has identified as spyware. I know this because I block cookies from the following sites (adbureau.net, doubleclick.net, atdmt.com) all of which IE is telling that your web site is trying to save on my computer and I’m blocking. Articles like this are great, Ads are necessary to keep it free, but tracking cookies stink.
