by Dave Moore, CISSP
11/20/22
As much as they should know better, from time to time I still hear people say, “Why, I don’t care if anyone sees what’s on my computer; I don’t keep anything important there, so, what do I care?”
This reminds me of a fellow who once proudly declared to me, “I’m safe, because I don’t do online banking. All I ever do is log in, check my balance, and then log right back out.” He then looked at me with a defiant, self-assured grin, as if he were daring me to find something wrong with his online banking “safety” scheme. He believed that if he wasn’t actively engaged in money-moving transactions, and all he ever did was log in to check his balance, that meant he didn’t “do” online banking.
What these attitudes miss about computer and Internet safety is that it doesn’t much matter what information you store on your computer. What you do with your computer is often more valuable to cybercriminals than what you store on your computer. These days, the bad guys can mess you over more with the information you send across the Internet than with what you store, or “save,” on your computer’s hard drive.
“I never send anything important across the Internet,” you might think. “I never put anything important in an email.” While never sending emails that contain sensitive, personal data may be a good security policy, that wouldn’t let you off the hook, by a long shot. What do you think happens every time you sign in to your email account? You say you’re not sure? Read on.
Every time you sign in, log on, or whatever the term of the day is, to any Internet-based account, be it email, banking, Facebook, Twitter, eBay, etc., you are sending your sign-in information (user I.D. and password) to numerous places in the blink of an eye.
First, your username and password (a.k.a., your “credentials”) go from your fingers to the keyboard, and from there, to the inner workings of your computer. It matters not if you are using a desktop computer, laptop, iPad, smartphone or Android tablet; the process is exactly the same. Your credentials go into the computer, somehow, to be transported somewhere else. They are, if only for a moment, stored in your computer. If you are not taking the proper precautions, this information can be intercepted by Internet criminals.
If you use an email program such as Outlook, Apple Mail, Windows Live Mail, or similar products, your credentials are actually stored in a file on your computer. You may not think you are storing anything important, but your username and password are stored on your computer’s hard drive, to save you the extreme hassle of having to manually type them in every time you want to check your email. As soon as you start up your email program, it grabs the file where your credentials are stored and, in essence, types them in for you, sending them on to your email provider.
If you use webmail, meaning you use a browser to go to a website (Google, AOL, Yahoo, MSN, etc.) to do email tasks, and have checked the “remember me” or “keep me signed in” boxes so your username and password are automatically filled in, then, again, your email credentials are stored in a file on your computer. In this case, your browser, just like a regular email program, instantly sends your credentials across the Internet as soon as you click the “Sign In” button. Credentials sent by automatic login methods like these can also be intercepted and fall into the wrong hands.
After you start up your email program, or your browser automatically signs you in, your credentials take a crazy path all over the Internet and even into outer space before finally landing at your email provider’s headquarters. Next week, let’s look at that path, and examine ways you can protect the sensitive, private information you didn’t even know you were sending.
Dave Moore, CISSP, has been fixing computers in Oklahoma since 1984. Founder of the non-profit Internet Safety Group Ltd., he also teaches Internet safety community training workshops. He can be reached at 405-919-9901 or www.internetsafetygroup.com