
The Explorer /
Fred Langa

All Safe and Secure
Here's the scoop on encryption tools and other easy ways to enhance your security online.

Personal security issues seem to generate more hype and misinformation than just about any other area of the Web. TV, radio and the popular press would have you believe that the Web is a carnival of password theft, credit card fraud, e-mail snooping and so on.

Let me come right out and say it: It just ain't so. I believe that online personal security problems are hugely overrated. Oh sure, bad things can happen online, just as they do in the offline world. After all, the Web is a reflection of society - no better, no worse - and all the same abuses that go on in "meat space" also can happen in cyberspace. But online or off, you can take simple, reasonable precautions to reduce or eliminate the dangers. I'll prove it to you at the end of this column by offering you a chance to try to snoop one of my private files!

But first, let's compare some risks. Take your credit card information, for example. You run a risk any time you give your credit card to a waiter or waitress or salesperson - if they're dishonest, they can run off extra copies of your imprint or jot down your numbers to use later without your knowledge. But that hardly ever happens. You also run a risk when you read your credit card numbers to a shop-by-catalog phone clerk. It's theoretically possible for someone to tap your line or listen in on the conversation, or for the clerk to appropriate your numbers for his own use. But that also hardly ever happens.

Likewise, if you transmit your credit card data over an open, insecure Internet link, it's possible (difficult, but theoretically possible) for someone on the Web to "listen in" on your link and grab your numbers, or tap into the account information in a sales-oriented Web site. But you know, that hardly ever happens either. There's no special "extra" risk involved with the online transaction. Given the ratio of Web users to phone users (a few tens of millions to many hundreds of millions), your phone fraud risks are probably much higher than Web fraud risks.

Or take passwords. In the real world, if you're careless in using an ATM (cash machine) or long-distance card, someone peering over your shoulder can memorize your account code and PIN, and drain your account or run up your phone bill. Likewise, if you're careless online with your passwords, it's theoretically possible for someone to peer over your virtual shoulder and steal the information for nefarious purposes. Real world or on the Web, it's the same risk.

Rather than rare high-profile problems like these, the real risks of being online are usually more subtle - they involve prosaic issues like downloading a file with a virus in it, running a rogue Java or ActiveX applet and accidentally sending or receiving information intended for someone else. What can you do about these less flashy but more common problems?

Well, lots. Note that I'm not referring here to heavy-duty corporate solutions but rather to security-enhancing steps we all can take. It's a huge topic, so we've asked WinMag contributor Karen Kenworthy to pull together a comprehensive feature on online security, and she's working on it now. Her story will appear next month, but in the meantime, here are some great first steps:

Perhaps the single most important thing you can do is make sure you're using a current browser. For example, both Navigator/Communicator and Internet Explorer offer reasonable safeguards for conducting online commerce (that is, the ability to connect to and exchange encrypted data with secure servers). Both also offer personal certificates to help you reliably identify yourself in online communications and transactions, and both work with third-party products to let you virus-check files you're downloading. Both offer varying degrees of code signing and code certificates to help you verify the authenticity of applets or active content you might encounter. Both give you the ability to know when a site is requesting information from your browser or is seeking to track your usage patterns, and so on. Both browsers work; the choice is yours. For a much fuller overview of many browser security features, including the difference between Navigator/Communicator and Internet Explorer, check out the security section of BrowserTune at http://www.winmag.com/flanga/bt97/bt810.htm.

What about when you're online but not using a browser? For sensitive e-mail or file sharing, there's an absolute boatload of excellent free and low-cost encryption products that will lock your data from all but the most determined and sophisticated attacks. For example, check out Kremlin, a $10 shareware package that supports eight encryption algorithms, including DES, Blowfish, PGP and RC4 (used in browsers). You can grab a copy from WinMag's Superior Shareware library at http://www.winmag.com/scripts/download.pl/superior/1997/9707jul/krem106.zip.

Ten bucks is peanuts, but you may not have to spend even that much to increase your security if you don't mind taking an extra step or two. For example, if you're already using a product like PKZip or WinZip to compress the files you send electronically, try using the Zip software's password feature. While less secure than a true encryption process, a password-protected ZIP file will thwart casual snoopers and most amateur hackers. Send the password to your recipients in separate e-mail, or - if you're really paranoid - by phone.

Better yet, you can combine methods for particularly sensitive information: Place a password-protected ZIP file inside an encrypted file or e-mail (or vice versa), and you've made it that much harder for an unauthorized person to crack your data.
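A pre-send check for the ZIP password advice above, as an added example that is not part of the original column: it reads a ZIP archive's directory and reports, per file, whether the password (encryption) flag is actually set. The function names and the sample archive are hypothetical and constructed here; because Python's standard library cannot write password-protected ZIPs, the "protected" sample is simulated by setting the flag bit in the archive's directory.

```python
import io
import zipfile

ENCRYPTED_FLAG = 0x0001   # general-purpose bit 0: entry data is encrypted
WINZIP_AES_METHOD = 99    # compression method recorded for WinZip AES entries


def audit_zip(data: bytes):
    """Return (name, protection) for every file entry in a ZIP archive."""
    report = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue  # directory entries carry no data to protect
            if not info.flag_bits & ENCRYPTED_FLAG:
                protection = "none"
            elif info.compress_type == WINZIP_AES_METHOD:
                protection = "aes"
            else:
                protection = "legacy-password"  # traditional ZIP password cipher
            report.append((info.filename, protection))
    return report


def safe_to_send(data: bytes) -> bool:
    """True only if the archive holds files and every one is encrypted."""
    report = audit_zip(data)
    return bool(report) and all(p != "none" for _, p in report)


def build_sample(flag_encrypted: bool) -> bytes:
    """Constructed sample: one stored file, optionally flagged as encrypted."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("payroll.txt", b"constructed sample data")
    raw = bytearray(buf.getvalue())
    if flag_encrypted:
        cd = raw.find(b"PK\x01\x02")    # central directory file header
        raw[cd + 8] |= ENCRYPTED_FLAG   # flags field sits 8 bytes into it
    return bytes(raw)


if __name__ == "__main__":
    for label in (False, True):
        sample = build_sample(label)
        print(audit_zip(sample), "safe to send:", safe_to_send(sample))
```

The check lists `payroll.txt` without ever being given a password: in the ZIP password formats it recognises, file contents are protected but file names in the archive directory are not.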

If you want to see for yourself, try opening my files at http://www.winmag.com/flanga/security.htm. The files use no exotic, high-end cryptography. In fact, one file isn't encrypted at all, another was scrambled with literally decade-old technology, and another used a $5 piece of shareware to protect it. Yet even this very basic level of protection is enough to thwart most casual snoops. See if you can crack 'em - and see for yourself how easy it is to protect your private information!

Fred Langa is vice president and editorial director. Contact Fred via his home page at http://www.winmag.com/flanga/hotspots.htm or at the addresses on page 20.


Windows Magazine, September 1997, page 43.
