POWER USER

Cookies, Java, ActiveX ingredients require a personal firewall recipe

John McCormick

Web cookies help customize site views for you, the user, and many sites would be virtually useless without them.

How often would you visit a news site, for example, if you had to re-enter your preferences at every log-on?

Electronic commerce sites already track your purchases in their accounting databases, so there's no harm in having their cookies online to customize the pages for you.

What's truly dangerous about cookies is that other sites can grab them from the sites you have entrusted with sensitive information. Most cookies merely contain a user identifier, not full information, but someone using the identification might be able to log on as you.

Certain cookies have such useful data tidbits as ZIP codes, passwords and user names. Even if they don't, the presence of a cookie proves that you have visited a particular site.

It's possible to gather people's e-mail addresses by means of a graphic in a Hypertext Markup Language message, a security hole that exists in Netscape Navigator and Microsoft Internet Explorer browsers.

I've heard no indication that either browser publisher plans to close the hole, which can link e-mail addresses to cookies.

For more information about this vulnerability, read a discussion by security advocate Richard M. Smith at www.tiac.net/users/smiths/privacy/cookleak.htm.

Often harmless

Cookies are not executable programs.

If there's nothing confidential stored in them, they're harmless. But cookies aren't the only things your PC shares with Web sites.

To see what your browser already knows about you, and shares with any Web site that asks, check out privacy.net/anonymizer.

On my test system, the anonymizer reported the innocuous fact that Apple QuickTime was installed and, somewhat more dangerously, the presence of Intuit Quicken 99 financial software, although I don't use it.

Much worse, my browser reported my IP address, computer name, screen resolution, local clock setting and much more that would be useful to a hacker.

Your browser might be automatically giving out your e-mail address, a great reason for using dummy addresses. My browser blabbed such things as which company owns my Internet provider and who my telephone carrier is.

To block cookies on your own, or at least to learn how your browser is configured, follow these steps:

For Internet Explorer 5, select Tools, Internet Options, Security and Custom Level, then look at the Cookies section.

For Netscape Navigator, select Edit, Preferences, Advanced.

It's a start

At the very least, set your browser to permit cookies to be sent only to the originating server. That isn't real security, but it's a first step.

On a headquarters network, an administrator determines how to handle security issues, but many small offices connect client systems directly to the Internet. Road warriors and telecommuters are in the same boat.

Here is where Norton Internet Security 2000, a so-called personal firewall from Symantec Corp. of Cupertino, Calif., could help.

Many of the package's features are designed to protect children who use the Web, but there is a good basic firewall that can block the transmission of sensitive data such as credit card numbers, manage cookies, and control Java and ActiveX applets.

Although cookies alone are relatively harmless, more and more Web sites use Java and ActiveX for site services such as instant calculators. These small programs download themselves to your computer and run locally.

More dangerous

Java is bad enough, causing long loading delays for some so-called enhancements. But ActiveX is more dangerous because it can be used to take control of your system.

Internet Security 2000 is self-configuring for novice installers. Select medium-level protection for most things such as Java.

You can increase to high security, blocking all potentially dangerous Web activity, or you can approve Java and ActiveX applications on an individual basis from trusted Web sites, either permanently or with a one-time authorization. In addition, Internet Security 2000 blocks advertisements, and its child filters can keep users away from sites that, according to government office policies, they likely should not visit.

For a government perspective on cookies, check out ciac.llnl.gov/ciac/bulletins/i-034.shtml, an Energy Department site.

To find out some eye-opening information about the nosy sites you've visited, read the Navigator cookies stored on your hard drive in ASCII text under the Netscape program folder as cookies.txt.
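
One way to review that cookies.txt file without reading it line by line, as an added example that is not part of the original column: it lists the sites that left a cookie and flags cookies whose names hint at passwords, user names or ZIP codes. It assumes the tab-separated, seven-field Netscape cookies.txt layout; the sample data and the name-matching pattern are constructed for illustration.

```python
import re

# Constructed sample in the Netscape cookies.txt layout (tab-separated fields:
# domain, subdomain flag, path, secure flag, expiry, name, value).
SAMPLE = (
    "# Netscape HTTP Cookie File\n"
    "\n"
    ".news.example\tTRUE\t/\tFALSE\t946684799\tprefs\tlayout=3\n"
    "shop.example\tFALSE\t/\tFALSE\t946684799\tpassword\thunter2\n"
    "shop.example\tFALSE\t/cart\tTRUE\t946684799\tuserid\t48213\n"
    ".ads.example\tTRUE\t/\tFALSE\t1893455999\tzip\t12345\n"
    "truncated line without enough fields\n"
)

# Assumed heuristic: cookie names that hint at the data the column worries about.
SENSITIVE = re.compile(r"pass|pwd|user|login|e?mail|zip|card", re.I)

def parse_cookies(text):
    """Yield one dict per well-formed cookie line; skip comments and junk."""
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) != 7 or not fields[4].isdigit():
            continue  # malformed or truncated entry
        domain, subdomains, path, secure, expiry, name, value = fields
        yield {"domain": domain.lstrip("."), "path": path,
               "all_subdomains": subdomains == "TRUE",
               "secure": secure == "TRUE", "expiry": int(expiry),
               "name": name, "value": value}

def audit(text):
    """Return (sites that left a cookie, cookies whose names look sensitive)."""
    cookies = list(parse_cookies(text))
    sites = sorted({c["domain"] for c in cookies})
    flagged = [(c["domain"], c["name"], c["secure"])
               for c in cookies if SENSITIVE.search(c["name"])]
    return sites, flagged

if __name__ == "__main__":
    sites, flagged = audit(SAMPLE)
    print("Sites that left a cookie:", ", ".join(sites))
    for domain, name, secure in flagged:
        note = "secure connections only" if secure else "sent over any connection"
        print(f"  {domain}: {name} ({note})")
```

To check a real file, pass its contents to audit() in place of SAMPLE.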

John McCormick is a free-lance writer and computer consultant in Punxsutawney, Pa.
