Security
Home

 

Cookies

You probably have heard about Web cookies without having a clue to what one is. What does food have to do with pointing and clicking? Anyway, a cookie is a message that the Web server stores on the user's hard drive. It generally contains data you entered during a visit to a site that will be accessed later in order to personalize your visit.

Although, cookies are stored on your hard drive, they can only be accessed by the server that created them. This is important to note since you might be nervous that any Web server could access any cookie on your hard drive. Where a cookie is stored on your hard drive depends upon which browser you use. If you use Netscape, all of your cookies are stored in a single file called cookies.txt. Run a search on your hard drive for the file.

If you are using Internet Explorer, cookies can be found individually in a folder named "Cookies" in your user directory underneath C:\documents and settings.

Cookies seem like a great way for a site to personalize your visit to their site, so you might be wondering if your hard drive is going to be filled to the brink of destruction with cookies. Don’t fear...each browser can have no more than 300 cookie files, with no more than 20 coming from the same server. Whenever the limit is exceeded, older cookies are automatically discarded. Also, each cookie cannot be more than 4,096 characters. After this point, extra characters are ignored.

There are three main reasons Web sites utilize cookies:

  • Ordering Systems-If you have ever gone on-line and ordered a product, you may have experienced using a virtual shopping cart. Once you selected an item to purchase, you were able to continue shopping until you were ready to check out. Once you were done shopping, you would click a link to enter a secure area before entering your credit card data. Lo and behold, every item you selected to purchase would be listed on this page. How did the server remember what you clicked? It likely wrote a cookie to your hard drive updating your selection. You could have even shut off your computer, if the site permitted this, turned it back on, and revisited it before emptying your shopping cart.
  • Personalizing Web Sites—Many sites including amazon.com utilize cookies so you don’t have to sign in every time you visit. Other sites may utilize cookies so you only see the news that interests you upon visiting the page. You could visit a financial page and only see information on the stocks you own or are interested in. You could visit an entertainment page and see info on your favorite TV shows.
  • Tracking Site Navigation--Here is where the use of cookies starts to be questioned. Cookies can track WHERE you go in a site. Yes folks, you are not browsing a site anonymously. A cookie can track which links in a site you click on, and use this information to provide you a personalized start page. In addition, cookies can be used to track the number of times you’ve visited a page. If you’ve visited a certain page more than once, the site may offer you a discount to stop you from browsing and convince you to start buying! Or a site that sells books may list titles available from authors that have been purchased by customers with similar tastes as yours. Once you’re logged in at Amazon.com, they will display items from pages you just visited with goal of convincing you to buy the item.

So, you might say...what’s the big fuss about cookies. After all, they remain on my hard drive and they can’t be accessed by anyone else besides the server that sent it. Well, many of the most popular web sites use other companies to handle their advertising banners for them. If that advertising firm handles more than one site that you visit, they can begin to get a better picture of your browsing habits than you would like since they could access your individual cookie no matter which of their sites you visit.

Furthermore, suppose you fill out a form on a Web site that includes your name and address. The Web site could store that information in a cookie along with information it accesses from a database it purchased which includes a lot more demographic and psychographic information about you. Databases containing detailed information existed long before the Web. Combined with the Web, this information can be daunting. So if you ever ask yourself, "How did that site know this about me?" Now you know how!

The Platform for Privacy Preferences Project (P3P), developed by the World Wide Web Consortium, is emerging as an industry standard providing a simple, automated way for users to gain more control over the use of personal information on Web sites they visit. At its most basic level, P3P is a standardized set of multiple-choice questions, covering all the major aspects of a Web site's privacy policies. Taken together, they present a clear snapshot of how a site handles personal information about its users. P3P-enabled Web sites make this information available in a standard, machine-readable format. P3P enabled browsers can "read" this snapshot automatically and compare it to the consumer's own set of privacy preferences. P3P enhances user control by putting privacy policies where users can find them, in a form users can understand, and, most importantly, enables users to act on what they see.

So how do you configure your browser to accept or decline cookies? In Internet Explorer 6, you select tools-->Internet Options and select the privacy tab.

Clicking the edit button allows you to manually override your preferences by either allowing cookies to be written or preventing cookies from being written by specific Web site/s.

In Netscape, you also configure your browser to accept or decline cookies by selecting edit-->preferences.

Now, I can tell you from experience that deleting cookies from your hard drive is a lot simpler using Netscape than in IE. First of all, using Netscape, all you have to do is delete a single file. With IE, you have to delete all of the cookie files. Additionally, in IE the cookie files also exist in your temporary internet files directory. So if you have IE open when you delete, you may have some of your cookies rewritten.

So what do you do? You get your hands on a program like Cookie Cruncher (available at http://www.rbaworld.com/Programs/CookieCruncher/) that deletes cookies from your hard drive.

Cookie Articles

Internet Security

Security is broadly defined as the protection of assets from unauthorized access, use alteration, or destruction. There are two types of security: physical and logical. Physical includes tangible protection devices such as alarms. Protection of assets using non-physical protections is called logical security. Protection of computer assets is an example of logical security.

Computer security can be classified into three categories:

v     Secrecy—Prevents unauthorized data disclosure and ensures the authenticity of the data source

v     Integrity—Prevents unauthorized data modifications

v     Necessity—Prevents data delays or denial of service

 

Check your computer's home security.

Copyright and safeguarding intellectual property rights are also security issues. Copyright is the protection of expression and typically includes literary and musical works, graphics, and motion pictures. Intellectual property rights protect the owners of ideas and their tangible representations. It is very easy to put copyrighted Web based material onto your own site. This is why copyright violations run rampant on the Web.

For items published before 1978, copyright expires 75 years from the item’s publication date. For items published after, the copyright expires 50 years beyond the life of the author.  Most people online aren’t familiar with copyright law. However, ignorance is no excuse.

There are many secrecy and privacy threats online. Someone stealing your credit card number in a Web transaction is the most visible of the security threats. This can be accomplished through the use of sniffer programs that monitor and analyze network traffic. Used illegally, sniffer programs can capture log-in information, passwords, and credit card information that is not sent encrypted.

Over the last 10 years the most visible computer attacks have come from software. Hackers use Trojan horses, viruses and worms to attack computers and the programs they run.  See this article for more information.

User authentication is the process of identifying yourself to the computer you are trying to log into. The efficacy of the system is tied to the strength of the password, not the user id. A hacker cannot guess a long and/or complex password. This is why many sites require you to include at least one numeric in your password.

Hackers can run programs that create and enter passwords from a dictionary or a list of commonly used passwords to break into a system. This is called a brute force attack. The program tries character combinations until the system accepts one. Some systems only allow a certain number of log in attempts to battle brute force attacks.

When you enter your credit card information online, you want your information to be encrypted. Web sites automatically encrypt using Secure Sockets Layer. This is a widely used security protocol that lives on top of TCP/IP. You can tell if a page is using SSL by the locked padlock on the status bar and if the page begins with https: rather than http:

Other threats can come from rogue Java Applets, JavaScript applications and Active X components. Java applets are mini java applications. They can execute and consume all of the server’s resources. Java Script programs can execute without being compiled. Active X controls have full access to your PC’s file system. A hidden Active X component on a Web page could reformat your hard drive.

RELATED LINKS

Online Shopping Scams