news that works for you

biv

ISSUE 516: The high tech office- Sept 14 1999

ALAN ZISMAN

Paranoia about the Net is a justifiable reaction

They say that just because you're paranoid doesn't mean no one is out to get you.

A bit of paranoia seems justifiable as we get more reliant on the Internet for carrying out our business. Here's one week's worth of evidence:

* A Bulgarian hacker, Georgi Guninski, announced the discovery of a problem with Microsoft's new Internet Explorer 5 Web browser. According to Guninski, who has found security problems with Microsoft products in the past, this security hole allows Web pages to plant harmful programs onto users' computers. (Take a deep breath -- there's no evidence that anyone is exploiting this "feature" -- yet.)

* Another Microsoft problem was unveiled, this one potentially affecting millions of Windows 95 and 98 users who receive e-mail with the company's Outlook or Outlook Express software, as well as users of Eudora. Texas-based Rice University's Dan Wallach describes the problem as "the Melissa virus, but even worse." The flaw in Microsoft's Java support allows hackers, according to a Microsoft security bulletin, to "create, delete or modify files on the user's computer, reformat the hard drive, copy data to or from a Web page or take other desired action." Unlike most viruses, which are included in e-mail attachments, these attacks can be encoded directly into an e-mail message, so simply viewing the message can trigger the attack.

Microsoft quickly responded, posting a fixed version of its Java Virtual Machine on its Web site (www.microsoft.com/Security/Bulletins/MS99-031.asp). Alternatively, Java can be disabled in Outlook, using that program's Internet Options.

* Online bookseller Amazon.com, while claiming to respect the privacy of individuals, is releasing "Purchase Circle" data, showing the buying habits of groups of people. Since a Purchase Circle could be made up of, for example, employees of your company, such data could reveal your company's plans, as indicated by the books your employees purchased.

Amazon, responding to criticism, has said that information about individuals and individual companies will be removed from the database upon specific request. As well, the company notes that it does not compile information on groups smaller than 200 people.

* RSA Data Security announced that an international team of researchers has successfully broken the code used to secure Internet credit card transactions. These transactions are encoded using 512-bit encryption, the strongest level of coding that the U.S. government allows to be exported. RSA suggests that Internet transactions should use the more powerful 768-bit coding, but they note that it took the code-breakers seven months, using 292 computers, to break the existing code.

* Hotmail, with 50 million customers, is the largest free e-mail service. It was recently forced to announce that a flaw in its programming allowed presumably private mail to be read. Simply by typing in a Hotmail user's name, anyone on the Web could read that user's mail with no password needed. All that was required was access to a short script that has begun to be widely distributed over the Internet.

Microsoft, the owner of Hotmail, claims to have fixed this problem as soon as it was discovered, briefly shutting down Hotmail servers and automatically redirecting users of the script to Microsoft's security area.

There are a few steps you can take, if these events worry you. First, remember that e-mail is never really private. Many businesspeople use free, Web-based e-mail services such as Hotmail for messages that they don't want to send via their company's e-mail system. Be aware that such services can be vulnerable.

You may want to check www.ziplip.com, a free service promising to work with your existing e-mail software, scrambling, locking and shredding your messages to make them "snoop-proof." When you send a message via Ziplip, the recipient does not receive your message. Rather, they get a link to a Web site, where they can access your message. The actual message stays encoded at all times and is therefore relatively safe from prying eyes (unless they're able to assemble 300 computers and spend seven months to decrypt it, apparently).

Alternatively, public-key encryption, using products such as PGP (Pretty Good Privacy, www.pgp.com), offers individuals the option to encrypt their own e-mail, though this requires distribution of your public key to your recipients so that they can read your messages. PGP encryption is included as an option in Eudora Pro e-mail (not the free Eudora Light version).

Services such as Anonymizer (www.anonymizer.com) offer a mix of free and pay options to make Web browsing and e-mail anonymous.

Microsoft's Web browser relies on ActiveX, a technology that seems to be especially vulnerable to security problems. Internet Explorer users can turn off ActiveX. In the browser's Internet Options, go to the Security tab and set it for the highest level of security. This will also restrict so-called cookies, a technique by which Web sites can deposit information on your computer without your knowledge, in some cases collecting information about your Web activities at the same time.

If you want to be an Amazon.com customer but opt out of purchase circles, e-mail no-purchase-circles@amazon.com.






Alan Zisman is a Vancouver educator, writer, and computer specialist. He can be reached at E-mail Alan