June, 05. 2008
Where is my internet surfing data?

Navigating with any of the five mainstream Internet browsers mentioned above leaves a trail of data behind, stored in clear format inside well-known folders, readable by anyone who has access to the PC and by malicious code (e.g. Trojans) silently executing in the background.
Sensitive data — browsing history, visited links, bookmarks, site cookies and, in some cases, digital certificates, Web form entries and passwords — are constantly in danger of being copied, captured or disclosed to others without the user’s knowledge. Most Internet browsers do provide some means for clearing navigation data, or cache, by periodically erasing the application files where such data are stored. This is more of a Catch-22 situation than true protection, however. In fact, one is never really sure of the right time to perform the deletion (before, during or after browsing?) and will always be tempted to postpone it, since the operation also erases useful links and data that one may need at a later time.

On the other hand, access to the browsing applications is generally not controlled and no form of authentication is required to launch them. This implies that gaining access to someone’s PC log-in account also grants, as a freebie, unrestricted access to the user’s Internet environment. All these facts are well known to security professionals and to a growing segment of the user population—typically those who have learned the hard way about the standard browsers’ vulnerabilities.

There is no doubt that current technologies, at both the hardware and the software levels, can provide a much stronger level of security to the average Internet user. Therefore, it should be possible to implement user authentication and strong encryption of all browsing data and thereby mitigate or even remove the majority of the security threats mentioned above. There is still limited activity in this direction, however, compared to the dimension of the issue and the size of the affected population of end users. The few known initiatives for securing Internet browsers are not sponsored by global software multinationals, but by smaller companies with focused expertise aimed at occupying a specialized niche in the security market.
Part of the reason for Microsoft’s disinclination to include local security measures in Internet Explorer 7.0 may lie in the strong coupling of its software to the PC operating system and to the application environment and its components, which still suffer from equally damaging security vulnerabilities. On the other hand, the general availability of encryption tools for protecting Internet surfing data may fuel fears of misuse and hinder the work of law enforcement officials against criminals and terrorists.

A recent initiative from Germany's Interior Minister Wolfgang Schäuble may help shed some light on the potential relevance of this concern. The ministry is advocating the development of means to secretly install government Trojans (loaded with so-called "Remote Forensic Software") onto the computers of crime suspects. Needless to say, privacy advocates are concerned about such measures, pointing to the blurriness of the boundary separating a priori a crime suspect from an innocent citizen. The German supreme court recently determined that such "legal hacking" techniques cannot be used because no legal framework exists at present. This ruling, however, leaves room for further debate, as Mr. Schäuble will reportedly push for the constitutional changes needed to allow the police to perform activities defined as "online house searches."

This case should not be considered an exception but rather an indication of a global reality that has been in constant development during the past decade, albeit subject to the general public’s low awareness and scrutiny. According to The Economist, “These days, data about people's whereabouts, purchases, behavior and personal lives are gathered, stored and shared on a scale that no dictator of the old school ever thought possible. Most of the time, there is nothing obviously malign about this.
Governments say they need to gather data to ward off terrorism or protect public health; corporations say they do it to deliver goods and services more efficiently. But the ubiquity of electronic data-gathering and processing — and above all, its acceptance by the public — is still astonishing, even compared with a decade ago. Nor is it confined to one region or political system.
© 2002-2008, EISST - Enterprise Information Security Systems & Technologies.