The Internet may either be a useful tool or a very hostile environment, depending on the sites you visit and the actions you take.  Many people do not realize that sending and receiving e-mail occur over the Internet.  There are no guidelines or applications that can provide absolute security for Internet connected computers.  Hackers are very active and spend much time and plenty of resources developing ways to infiltrate computers.

     Most sources dealing with safe-surfing on the Internet state that you should only visit trusted sites.  Trusted sites being those that you are relatively certain will not inject any nasty applications, like viruses, Trojans, worms, spyware, ransom-ware, rootkits, ...  into your computer or otherwise place you at risk while you visit the site.  This risk could be the compromise of personal information, identity theft, or joining your computer to a botnet.

     Many of these sources are aimed toward corporate audiences who work for companies with defined security policies and these safe-surfing guidelines may not be practical for home users who interface with the Internet for entertainment as well as business and education purposes.

     Although there is no substitute for caution and common sense, the following guidelines are tailored to aid families in safe web surfing:

Internet Posts are Forever

     When sending snail-mail (the term used by the cyber-generation to describe mail delivered by the Postal Service) you can assume that the parcel will be delivered or get lost.  In either case the message will probably be discarded and forgotten about in a short period.  The same assumption can generally be made regarding phone conversations.

     You cannot make this assumption regarding e-mail messages and posts to Internet web sites.  The mail-servers and web-servers that make up the world wide web are normally backed up on a regular basis so even if you delete a message or post there is likely a copy of the content stored somewhere in cyber-space.

     There have been recent cases of students being suspended and employees being terminated as a result of posts made to social networking sites so use good common sense when composing e-mail or posts to social networking sites.  A good rule of thumb is that you should not post anything you would not want your grand mother to see.

Secure Websites

     Secure web sites encrypt login credentials and and the data that traverses the links to and from the user.  These sites normally contain "https" (notice the "s" at the end of https) at the beginning of the address bar or URL.  These sites use certificates to guarantee their authenticity and the site's identity may be verified through the agency that granted the certificate.  Certificate management is way beyond the scope of this article so let us just say that these sites may be trusted.

     You should only post personal information to site forms originating from secure websites.  The information is safe in transit and the site should have a valid purpose for the information.  Do not post personal information to non-secure web sites; the information may be intercepted and you risk the threat of identity theft.

Check the Privacy Policy

     Before posting personal information to any web site, check the site's privacy policy to see haw the site operators will use the information.  If the site does not publish a privacy policy or you disagree with the terms of use then do not release the requested information to them.  If all you need to release is an e-mail address then you may consider a disposable e-mail address (see below).

Disposable E-mail Address

     Most web sites require an e-mail address in order to complete the registration process.  One reason for the requirement is that the site will send a verification e-mail to registrants.  Normally a link is provided in the e-mail and clicking the link completes the registration process.  However, many sites also sell lists of the e-mail addresses of registered users to marketing companies.  Some of these marketing companies generate endless flows of SPAM.

     Using disposable e-mail addresses permits you to create an address for the purpose of registering with a web site  and avoiding any SPAM coming back to your main inbox as a result of the registration.  These addresses typically last for 15 minutes to an hour, which is plenty of time to complete the registration process.  "You can read and reply to e-mails that are sent to the temporary e-mail address within the given time frame" (GuerrillaMail.com, 2009).  You can view e-mail going to the address for as long as the address remains active so if you see a flood of e-mail to a disposable address then you have a good indication that the site you just registered for generates SPAM.
    

User Accounts

 
     Too many home users set up their computers using the generic administrator account with no password.  This practice is an open invitation for a hacker to gain access and take over the computer.  Make sure that you set up a user account with a password for each user who accesses the computer.  You especially want to set up accounts for children who use the computer so that you may limit the activities they can perform and monitor their web access.

Administrative Priviledges

     You should only set up one account with administrative priviledges.  This account should not be one that a child uses to access the computer.  Only use the administrative account to install applications and change configuration settings.  After making such changes, log off the computer and log back in as a normal user. 

     If a hacker gains access to a computer using the administrative account then he may do what ever he wishes with the computer.  If you are logged in under a normal user account and a hacker gains entry then he is less able to cause major damage.  Do not login to the computer using administrative priveiedges when you are going to surf the web.

Guest Accounts

     Most computers arrive at the home with an active guest account that contains no password.  Although this account has limited access, it is a known target for hackers to use in an attempt to infiltrate a computer.  Disable or delete the guest account.

Strong Passwords

     Weak passwords are a known entry point into computers for hackers, especially when applied to the administrative account.  A week password would be any word located in a dictionary or combinations of words discovered using social engineering techniques.  Hackers use "brute force" tools to attempt "dictionary attacks" on computers using specialized dictionaries that they create.

     Strong passwords help eliminate the possibility of a hacker gaining entry using a dictionary attack.  A strong password would be a password at least 8 characters long, containing both upper and lower case letters and at least one special symbol (these symbols are any of the characters above the numbers on a standard keyboard).  Using strong passwords increases the number of unique possibilities geometrically as the number of characters in the password increases.  An 8 character password using 32 different characters translates to over two-trillion possible combinations.  This would take a hacker quite some time to attempt all combinations.

Passwords in Web-browsers

     Many browsers will ask you if you would like the browser to remember your user name and password so you can automatically login the next time you visit the site.  These passwords are often stored in plain-test files that may be read by anyone who gains access to the computer. If a hacker gains access to the computer then he can read the password file and gain access to any of the referenced web sites. 

     This would be a very bad situation if you happen to use online banking services or other sensitive web-based applications.  If you must store passwords because you access too many sites and simply can't remember them all, then use an encrypted password vault to store those passwords.

Antivirus

     Install, activate, and use antivirus and antimalware software. If your computer connects to the Internet, even if only for e-mail, then there is a good chance that viral-type infections will head your way. These software applications cannot guarantee that you will not get infected but they will certainly prevent the most common types of infections. You also need to make maintain your antivirus and antimalware packages. Most publishers include the ability to automatically update the infection listings (called signature files) of their packages as long as there is an active connection to the Internet.

E-mail Filters

     Configure e-mail filters on your e-mail software.  Most applications, such as Microsoft Outlook, include the capability to filter e-mail on a number of criteria, such as who sent the e-mail.

     A good practice is to set up a filter to retain the addresses that you expect to receive e-mail from then forward all other addresses to either a SPAM directory or the Deleted Items directory.  This strategy takes some effort to set up and maintain but the results are well worth the effort.

Unknown Senders

     Do not open e-mail received from unknown senders or e-mail with a blank subject line.  One typical method for a hacker to gain access to a computer is to send an e-mail to the prospective victim.  When the victim (user) opens the e-mail a rootkit may be downloaded permitting the hacker to take control of the computer.

Embeded Links

     Do not click on embedded links in e-mail from un-trusted senders or those who you do not know.  Embedding a link in an e-mail is another method that hackers use to gain control of computers.

Parental Controls

     Activate parental controls in the web browsers that children use to access the Internet.  Parental controls and content filters permit parents to approve or disapprove of the content children view and the activities that children participate in over the Internet.

Firewalls

     If your operating system includes a firewall, like Microsoft Firewall or Windows Defender, then take advantage of the firewall to help prevent viral infections from the outside world.  Hardware firewalls are also available and some of these even contain content filters. 

The Barracuda Web Filter is designed to enforce organizational Internet usage policies through content filtering, application blocking, and best-of-breed spyware protection. It also facilitates automatic removal of spyware from previously infected Windows PC’s with the integrated Barracuda Spyware Removal Tool (Baracua Networks, 2009).

Wireless Routers and Access-points

     Wireless routers and access-points are becoming quite common in the household.  If you use one of these devices at home then turn on security and encryption for traffic to and from the device.  This will help ensure that nobody could read intercepted information and also helps prevent your Internet connection from being hijacked. 

     You do not necessarily need the most powerful device on the market.  If you only need the device to communicate with devices in other rooms in the house, less than one hundred feet away, then you do not need a device with a range of 1000 feet.  Using a device with a range of 1000 feet would permit a user on another block to surf the web using your connection, especially if security is not turned on.

Web Browsers

    
     Upgrade your web browser when new versions become available unless you have a valid reason not to.  Some web sites may not support the newest version and if you frequently visit a web site that does not support the latest release of your browser then that would be a valid reason.  Otherwise upgrade your browser because newer releases are inherently more secure than their predecessors.

Security Zones

     Newer versions of Microsoft Internet Explorer (IE) incorporate security zones, which are actually classifications of the security level of web sites.  There are four zones that you may configure and they include the following:

• Internet Zone
• Local Intranet
• Trusted Sites
• Restricted

     There is also a fifth zone that you have no control over and that is the Local Computer zone.  You may use each of the other zones to put web sites and domains into classes that determine the actions that the computer is permitted to perform.  You can add sites to and remove sites from each of the four zones listed above and adjust the level of permitted activity, such as how cookies are handled or whether to accept active content.

     By default, all web sites are listed in the Internet zone until they are placed in one of the other zones.  You should only trust secure sites, those with “https” in the address bar and place sites that you inherently trust into the Trusted Sites zone.  The trusted Sites zone permits the web site to perform actions that you would only want a trusted partner to perform.

     Any sites that you discover that you determine are bad sites should be placed in the restricted sites zone then set the zone to not permit any actions to be performed on the computer.  This helps eliminate the risk of those sites causing any harm to you, your family, or your computer.

Conclusion

     The only truly secure computer is one located in an air-gap. No computer that connects to other computers or permits input from people or other devices can be truly secure. However, there are steps that may be taken to help reduce the risks to security from various sources.

     This article has presented some safe-surfing guidelines geared to families. Not all of these guidelines may be practical in your given environment. So, follow the guidelines that you feel are relevant and valuable and discard the rest. Any steps that you take are a step in the right direction. 

     May you and your family enjoy safe computing!

References

Baracuda Networks (2009). The baracuda web filter.
     Available from
     http://www.barracudanetworks.com/ns/products/.

GeurrillaMail.com (2009).Disposable Temporary E-Mail
     Addresses. Available from
     http://www.guerrillamail.com/