Surf Safely: How to Avoid Internet Minefields
Leon, James F., Journal of Accountancy
The Internet is a gold mine of information, but it's also a minefield, loaded with scores of innocent-looking sites that contain stealthy programs designed to steal or destroy your data. But if you take proper precautions, you can browse the Web with relative safety.
To illustrate ways to surf the Web safely, we use Microsoft's latest browser, Internet Explorer version 7, but you can apply these recommendations to other browsers as well.
GOING OR COMING?
When users surf the Web, they say they "go to" a page. In reality, though, when you type a URL (such as www.samplesite.com) or click on a link, the page actually is brought to your browser in the form of hypertext markup language (HTML)--the programming code that creates the screen image. In some cases, a malicious miniature program (written in what's called a scripting language) is hitching a ride with that HTML code. The moment that infected page reaches you, the hitchhiker executes its devilish program, which can do many nasty things, including copy your files, transmit them to the thief's computer or simply erase them. Such a script also can change your Windows system settings, leaving your computer in utter disarray.
How can a script steal information off someone's hard disk? Exhibit 1 is an example of a hypothetical script buried inside a Web page. Of course, a real script would not identify itself as coming from a dangerous hacker.
If you were to receive this fictitious script, the hacker's program would momentarily control your computer and you would be instantly redirected to his site, www.hacker.com. Once there, a sophisticated program called stealfiles.cgi would snap into action, steal data off your hard disk, then redirect you back to the original Web page. All this could happen in just a few seconds, without your ever being aware of it.
Be assured most Web sites are safe. However, a criminal hacker will try to inject a malicious script into almost any Web site--a scenario known as cross-site scripting, or XSS. Although anti-spyware programs are designed to thwart malicious scripts, they don't always work because clever scriptwriters often stay a few steps ahead of them (see accompanying article, "Spyware Protection"). So what's the alternative? If you want total safety, you have no choice but to take matters into your own hands and disable all scripts from running on your browser. And that's easier than you think.
To disable scripts, click on Tools, Internet Options, Security (see Exhibit 2). Under Select a zone to view or change security settings, click on Internet if it's not already highlighted. Then under Security level for this zone, click on Custom level.
You now should be at a menu called Security Settings-Internet Zone (see Exhibit 3). Slide down the scrollbar to the area labeled ActiveX controls and plug-ins and click on Disable for all 10 options. ActiveX is a Microsoft scripting language.
Then slide farther down the screen to the second section from the bottom called Scripting (see Exhibit 4) and click on Disable for all five options. This will stop any script that manages to get into your computer.
To implement your changes, click on OK at the bottom of the panel (see Exhibit 5).
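To confirm that the changes took effect, the following added example (not part of the original article) reads the current user's Internet zone settings from the registry and reports which of them are set to Disable. It checks only a subset of the 15 options the steps above turn off, and it assumes the per-user zone key is in effect, which a Group Policy setting can override; the function name is hypothetical.

```powershell
# Added example: read-only audit of the Internet zone (zone 3) for the current user.
# The numeric names are the URL-action IDs Internet Explorer stores per zone.
# This is a subset of the options disabled in the steps above, not all of them.
$zoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

$actions = [ordered]@{
    '1001' = 'Download signed ActiveX controls'
    '1004' = 'Download unsigned ActiveX controls'
    '1200' = 'Run ActiveX controls and plug-ins'
    '1201' = 'Initialize and script ActiveX controls not marked as safe'
    '1405' = 'Script ActiveX controls marked safe for scripting'
    '1400' = 'Active scripting'
    '1402' = 'Scripting of Java applets'
    '1407' = 'Allow programmatic clipboard access'
}
# Stored values: 0 = Enable, 1 = Prompt, 3 = Disable.
$meaning = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

# Hypothetical helper: returns one object per audited setting.
function Get-ZoneScriptingAudit {
    param([string]$Path = $zoneKey)
    if (-not (Test-Path $Path)) { throw "Zone key not found: $Path" }
    $props = Get-ItemProperty -Path $Path
    foreach ($id in $actions.Keys) {
        $raw = $props.$id
        if ($null -eq $raw) {
            $state = 'Not set (zone default applies)'
        } elseif ($meaning.ContainsKey([int]$raw)) {
            $state = $meaning[[int]$raw]
        } else {
            $state = "Other ($raw)"   # e.g. administrator-approved controls only
        }
        [pscustomobject]@{
            ActionId = $id
            Setting  = $actions[$id]
            State    = $state
            Disabled = ($raw -eq 3)
        }
    }
}

$report = Get-ZoneScriptingAudit
$report | Format-Table -AutoSize
$open = @($report | Where-Object { -not $_.Disabled })
if ($open.Count) { Write-Warning "$($open.Count) audited setting(s) are not set to Disable." }
```

The script only reads the registry; it changes nothing.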
CONSEQUENCES OF DISABLING SCRIPTING
Similarly, if you use a stock ticker at a financial site, such as http://moneycentral. …