The Internet is a dangerous place, full of profiteers who sell your personal data to information brokers and cunning criminals who have nothing better to do than steal your identification numbers, obtain credit cards in your name, go on spending sprees, and ruin your credit rating.

So whether you're shopping online or chatting with your buddies over ICQ, you'll need to take certain precautions to keep your personal info from falling into the wrong hands.

Fortunately, there's no need to get paranoid. To protect yourself, you simply need to understand potential dangers and know how to defend yourself. So get ready, because we're going to give you a whirlwind course on how to stay safe and keep your information private.

(Note: Because the majority of our readers are running some flavour of Microsoft Windows, this article assumes that you do, too. However, many of our tips also apply to the Mac OS, Linux, or any other operating system that connects to the Internet.)

Safe surfing quiz
Do you practice safe surfing? This short quiz will let you know just how safe you really are.

Hide your identity
Once spammers and hackers know your IP address, they can find your PC on the Web and possibly break into it. We'll show you how to keep your IP address to yourself.

Stop hostile apps
Web snoops use viruses, cookies, and various software tools to gain access to your PC and the data within. Find out what you can do to stop them.

Deter IM invaders
Without the proper precautions, instant messengers give nosy Nellies easy access your computer. Here's how to keep them at bay.

Secure your financial transactions
Find out how to shop and bank online properly so that you don't accidentally hand your cash to a crook.

Block spammers and scammers
Sometimes it seems like no matter how you configure your email, you still end up with a plateful of spam at the end of the day. Try some of these tricks to stay spam-free.

Safe-surfing quiz

1.   I'd know right away if my PC were infected with, say, the SirCam Virus.
False. Many viruses behave stealthily, so you need to buy antivirus software or regularly update the virus killer you already own.

2.   I am 100 percent safe if I use my credit card only for purchases from large, established e-tailers.
False. Even large online stores can be hacked and have customer data stolen.

3.   If someone steals my credit card number, I am responsible for paying the bill.
False. Except for a US$50 deductible, which many banks waive for victims of online fraud, you aren't responsible for that shipment of computer parts Igor made to Lithuania on your Visa and MasterCard. Amex and Discover have their own rules, but they usually follow the other guys' lead. Many banks will waive the fee if you ask, and some just waive the fee by default.

4.   I don't care if I get spam; I don't need to protect my email address anyway.
False. Spam itself is only part of the problem; the volume of spam you receive can make reading email a chore, and your in-box can quickly fill up with these unnecessary messages. Your employer may get suspicious if you start receiving a lot of unsolicited mail about porn sites, for instance.

5.   I get lots of messages from strangers in my instant-messaging program, and there's no way to stop them.
False. See our tips for specific instructions.

6.   Hackers cannot steal my credit card number if I send it to a site that uses SSL encryption.
True. Your number is safe while it travels between your browser and the store's server. However, a hacker could break into the company's servers and steal the numbers long after you receive your product if the company's machines aren't well protected. If you have questions about this, email the retailer to ask about how it secures purchase record archives on its servers.

7.   It's OK to let my health insurance company/bank/mortgage company use my Social Security number as my user ID on their Web site.
False. In many cases, your Social Security number and name are all a criminal needs to open bank and credit card accounts in your name. To prevent identity theft, never give out or use your Social Security number on a Web form. Ask your bank or insurance company to change your account to another number immediately.

8.   Anyone can read my email over the Internet--even before I click the Send button.
False. Email resides only on your computer until you click the Send button. After that, it's anybody's guess how many people have an opportunity to read your message as it travels to its destination. Use encryption software if you don't want anyone but the recipient to be able to read it.

9.   The locked padlock icon at the bottom of my browser means that my computer is completely protected from privacy risks on the Internet.
False. It means only that the site is encrypting data sent between you and the site, and that applies only to the page you're using at the very moment you see the locked padlock icon.

10.   Once I start receiving spam messages, there's no way to stop them.
False. In virtually all cases the way to stop spam is not to reply. When you reply to a spammer, he or she knows that the address is still valid and will continue to send mail to that address.

Hide your identity

• Someone on the Net can make money by selling your personal data.
• Every time you go online, you give someone new information--however small a piece it may be--about your preferences.
• Some data collectors are not content to wait for you to come to them and may try to trick or steal more information from you.

We can call these the Basic Rules of Personal Information, and they hold true for everyone who uses the Internet, from your Uncle Sid to Larry Ellison. Your good name and every iota of data about you is for sale. Since you're not getting a cut of the profits (at least, most people aren't), it's best to keep your private information to yourself. After all, once it's out of your hands, you have no control over who gets it and how they use it.

Protect your IP address

Like the number and street name of your real-world address, a computer's IP address tells others where and how to find the computer online. This identifier is composed of four numbers, each between 0 and 255, separated by periods (for example, 123.123.23.2). Every Web site and electronic device connected to the Internet must possess a unique IP address; that is, no two devices can have the same IP address at the same time.

If spammers or hackers manager to get your IP address, they can assault your PC with viruses or even hack directly into it to steal your personal data. You can put up dedicated hardware or software firewalls and install antivirus programs on every node in your network, but, given enough time and resources, a determined hacker can break into almost any computer.

You should guard your IP address as carefully as you would your full name and street address. Neither your browser nor Windows itself allows you to hide your IP address from the outside world, but some third-party software takes care of this problem. For US$5 per month, Freedom, from Zero-Knowledge Systems, masks your true IP address from the real world by routing all your Internet data through the Zero-Knowledge network. This program can stump even Web bugs (see below).

If you use a dial-up connection, you're less at risk because your IP address changes with every session. But if you have an always-on connection, such as DSL or cable, you probably have a static or unchanging IP address. A static IP can leave you vulnerable to repeated scans and attacks. On the other hand, if you get a different IP address each time you connect to the Internet--a dynamic IP address--you can present a moving target for the hackers. If you're privacy conscious, ask your ISP for a dynamic IP address. Intruders will have a much harder time finding your computer time and time again if your address isn't constant.

Cookies keep track

But Web sites also use other technologies to track you down and trace your movement online. Cookies are small data files that the Web sites you visit can store in your browser's cookie file to track your path across the Web or record your user preferences. Most cookies have useful purposes. For example, if you register to view a specific Web site (such as the New York Times on the Web), the site can plant a cookie on your computer so that, thereafter, you won't need to enter your username and password to access the site. There are two kinds of cookies: persistent cookies, which remain on your computer even if you shut it down, and per-session cookies, which are often used to store the contents of a shopping cart and won't be saved once you power off your PC.

The threat cookies present isn't from the depth of the information they can reveal; cookies don't permit hackers unfettered access to your private files, for instance. The threat is a small but long-term erosion of your privacy. Most sites record cookies every time you click a new link within the site and can later find out which pages you read and how long you lingered. Such information may be very useful to marketers who mine it for details on your habits and likes or dislikes. Over time, these minute data fragments can help companies build a profile of you, which they could sell to yet more aggressive marketers.

Bugs do it better

If you delete the cookies regularly or configure your browser not to accept them (see Stop hostile apps for instructions), snoopy sites can't collect enough data to profile you. That's why some companies use Web bugs as a user-tracking backup if cookies don't work. Here's how Web bugs work: These tiny graphics, sometimes just a pixel high and a pixel wide, are the same color as a Web page's background. Any time you visit a site, the site must have your IP address before it can load any Web graphic file (including a Web bug), and, with your IP address in hand, the machine that hosts the Web bug can log your address for the duration of your session. Even with cookies blocked, bugs let sites track users surreptitiously. In many cases, the tracking may be benign--a site monitoring how popular a particular page is--but it isn't always just the site that uses a Web bug. Commercial sites with banner ads have discovered that ad banner companies themselves, such as DoubleClick, may use Web bugs to track the traffic on the sites that host their ads. So Web bugs can open you up to unwanted profiling, and (if the Web bug loads after a user fills in a Web order form, for example), possible junk mailing.

Stop hostile apps

Take a bite out of cookies

Fortunately, your browser makes it easy to disable cookies: In Internet Explorer 5.x, click Tools >Internet Options, then choose the Security tab. Click the Earth icon labeled Internet, then click the Custom Level button near the bottom of the window. In the Security Settings window that opens, scroll down to the section labeled Cookies. To keep your browser from automatically planting cookies on your PC, select the Disable or Prompt option next to "Allow cookies that are stored on your computer" (in other words, the persistent cookies we mentioned earlier). It's generally OK to leave the per-session cookies enabled; these are the cookies that remember what's in your shopping cart when you use a Web store.

In Netscape, click Edit >Preferences and select the Advanced item in the left pane. Here, you can opt to block all cookies or to decide on a site-by-site basis. We recommend that you pick the second option and allow your browser to use cookies for some sites. That way, you can exercise a measure of control over your information and still take advantage of the cookie conveniences. If you're truly paranoid, however, you may want to disable all cookies even if it prevents you from, say, shopping efficiently online.

If you're curious about how many sites set cookies, check the "Warn me before accepting a cookie" box, and Navigator will pop up a dialog box each time a site tries to set a cookie. (Internet Explorer still lacks such an option.) We recommend that you try this for only a short time; the sheer volume of cookie request dialogs will likely drive you batty.

Be selective

Simply disabling cookies may not work for you, however. Internet Explorer doesn't let you block cookies sent to advertising companies while permitting cookies from the site you're visiting; it's all or nothing. Blocking all cookies eliminates the timesaving benefit of user preferences on free customisable news sites such as My Yahoo. If you use IE and want to pick and choose which sites are allowed to plant cookies on your hard drive, try the handy freeware CookieWall from AnalogX. CookieWall runs in your System Tray, silently monitoring your Internet Explorer cookie file every minute or so and allowing you to pick and choose which cookies to permit. When the program encounters a cookie that it hasn't seen before, a dialog box pops up to ask you what to do with cookies from this site--handy if, say, you register to use My Yahoo and don't want to have to enter your username every time you load the page.

Antiviral warfare

If you don't have antivirus software on your computer, get with the program! Every day your PC goes without proper protection is another day it risks infection--and infecting others. Viruses don't just wipe out your hard drive; some can steal your entire email address book or implant programs on your hard drive (such as SubSeven or BackOrifice) that hackers can later use to break in to your computer. For $20, eTrust Antivirus software provides virus protection nearly as good as the big guns from Symantec or McAfee. Best of all, you can try it free for two months. For a more comprehensive antivirus program, however, you may want to shell out a few bucks for Norton AntiVirus.

Connection protection

If you use a high-speed connection such as DSL or cable, consider downloading ZoneAlarm, a free personal firewall. Firewalls not only keep hostile apps from entering your PC from the outside, they also block hidden or unknown software on your PC (the sort a virus could install) from connecting to the Internet without your knowledge and giving away your valuable information.

To find out how secure your connection is, go to Steve Gibson's Shields Up site and get a free test of your security. Shields Up performs many of the same tests hackers use to probe your computer for vulnerabilities and provides you with a summary assessment of your PC's security and what you need to do (if anything) to make yourself less vulnerable. Gibson's scan can tell you if the back door program is running but not if it has been (or is being) used. But a little information goes a long way. If you know the Trojan is there, you can work to get rid of it. Again, the price is right, so what are you waiting for?

Deter IM invaders

The problem: IP address exposed!

The most serious instant-messaging security threat: ICQ allows your IM correspondents to discover your IP address. Many instant-messaging programs work by connecting two computers directly to one another, and, as a result, each computer can determine the other's IP address, but ICQ uses direct connections for nearly everything. Though an inexperienced hacker may have trouble figuring out your IP address on his own, many free tools make it easy to ferret out your address. Such tools monitor Windows' network connections to get a list of all the IP addresses the computer connects to. (Even DOS commands such as netstat can display the addresses of other computers when they're connected.)

Once malicious surfers know your IP address, they can launch attacks against your machine to crash the system or slow your Internet service to a crawl. Using free, easy-to-obtain programs, these unfriendly folks can also flood your PC with so much data that the Internet connection can't get a message out; occasionally these programs exploit a weakness inherent in Windows and make the operating system freeze up.

The solution: protect your IP address

• In ICQ 2000 - Click the ICQ button and pick Security and Privacy. Choose the General tab and make sure the Web Aware check box is unchecked. Choose the Direct Connection tab and select the radio button labeled "Allow direct connection with any user upon your authorisation." ICQ lists the parts of its program that could allow others to see your IP address.
• In AOL Instant Messenger - In the AIM Preferences window, select the Privacy tab. Uncheck the box labeled "Allow users to see how long I've been idle" and select the radio button labeled "Nothing about me" in the section titled "Allow users who know my email address to find..."
• In MSN Messenger - In the Options dialog under the Preferences tab, uncheck the three options that appear under the General header.

The problem: log files on display

All instant-messaging programs let you log the conversations you have with others; in fact, ICQ logs your conversations by default. Just in case hackers ever break in to your PC, you may not want to keep records of your conversations, and you may want to eliminate the logs you already have.

The solution: delete your log files

• In ICQ 2000 - When you install ICQ, it brings along a second program called dbconvert.exe, which is stored in the same folder as ICQ itself (the Windows default is C:\Program files\ICQ). To eliminate your existing log files, close ICQ and run dbconvert. Pick your ICQ account from the top drop-down list, choose "No history (contact list only)" from the bottom drop-down, and click Next. When the program clears the ICQ database of logs, click Next one more time, then Done to close the program. You can also prevent ICQ from logging conversations with specific individuals on your contact list: right-click the name in the contact list, choose Alert/Accept Modes, open the Accept tab, and check the box labeled "Do not log event history." To stop logging altogether, click the ICQ button and choose Preferences, pick the Events item from the left pane, and fill in the check box next to "Do not log event history," then click Apply.
• In AOL Instant Messenger - All of AIM's logs reside in the folder located in C:\Windows\AIM95\your username. While the program doesn't log conversations (unless you choose File : Save in the message window), it does keep a log of your buddy list and any file transfers you may have made using AIM. Delete the contents of that folder to eliminate the logs.
• In MSN Messenger - MSN Messenger doesn't log chats automatically, although you can save individual threads by clicking File > Save in the chat message window. You can later delete any conversation logs you save by dropping the icon in the Recycle Bin.

The problem: instant spam

Instant messengers sometimes deliver a flood of spam in the form of annoying "forward me to everyone you know" chain messages or links to pornographic Web sites. Instant-messenger spam is often even more annoying than its email cousin because most programs by default alert you with a flashing icon or a sound the second you receive any messages, even the unwanted ones.

The solution: block spam

• In ICQ 2000 - Click the ICQ button and pick Security And Privacy. In the resulting dialog box, select the Ignore tab and fill in all the check boxes. Select the "Users not on my contact list" option from the drop-down menu. Next, choose the General tab, select the radio button marked "My authorisation is required before users add me to their contact list," and click Save.
• In AOL Instant Messenger - To tell the AOL Instant Messenger client to block messages from people not on your buddy list, click My AIM >Edit Options >Edit Preferences. Select the Privacy tab, then select "Allow only users on my Buddy list."
• In MSN Messenger - Click the Tools menu and select Options. Select the Privacy tab, then add the usernames you would like to be able to receive messages from or block certain people by moving their usernames between the two fields using the arrow buttons (located in the center of the dialog box).

Secure your financial transactions

Attention, E-mart shoppers

For the most part, shopping online is a low-risk activity, privacy-wise. That's because most shopping sites use a method of scrambling your credit card number and other information while it travels between your PC and the Web server called SSL (or Secure Sockets Layer); SSL makes it more difficult for someone "listening in" to the data flowing on the wire to intercept these sensitive numbers.

Shopping with a credit card is probably safest. When you use a credit card, you have the legal right to dispute any charge "if the product or service is misrepresented or never delivered," according to a MasterCard International online shopping guide. "If you pay by check or money order, by the time you realise there is a problem, your money will probably be gone."

Still, shopping online isn't completely risk-free. Criminals do indeed troll the Net for unprotected credit card info, addresses, and Social Security numbers. Fortunately, forewarned is forearmed.

Browser encryption

Your credit card info is most vulnerable as it travels across the Net from your computer to an online store. Hackers can intercept your credit card numbers en route by running sniffer software on Web routers that act as traffic signals on the Internet. The sniffers can see all the bytes inside a packet and look for keywords such as password inside. Fortunately, most modern browsers support Web sites that encrypt, or scramble, data in transit. Before you shop, look for sites that say they use SSL encryption (a common standard among reputable e-tailers). When you enter a secure area of a Web site, you should see a small, locked padlock icon at the bottom of your browser window; always check for this when using an online shopping cart. And if at checkout an e-tailer offers to store your credit card information on its servers, just say no. Occasionally, hackers break into store computers and steal that sensitive customer information.

Get the toughest encryption available

Netscape browsers since Navigator 4.61 (the browser portion of Netscape Communicator) ship with 128-bit SSL encryption support (the toughest available). Determine which Netscape version you're currently running by clicking the Help menu in Netscape Navigator and choosing About.

If you use any version of Internet Explorer earlier than 5.5, you'll need to download the 128-bit SSL High Encryption Pack from Microsoft. Internet Explorer 5.5 or later doesn't require this download; all new browsers now ship with 128-bit encryption. You can determine your version by clicking the Help menu in IE and choosing About.

Know your store's reputation

If you're considering shopping from an online retailer for the first time, search the Better Business Bureau's BBBOnLine site first to see if other consumers have reported problems with the company. Also, read the store's shipping, privacy, and return policies to be sure that the site clearly lists the street address and telephone number of its corporate headquarters. (An email address alone isn't sufficient; a real street address can help ensure you're not dealing with a fly-by-night operation.) Sites that claim positive ratings from consumer-friendly organisations such as BBBOnLine or TRUSTe should provide links back to the organisation's own site where you can verify the records yourself.

Use a credit card (not a debit card) for purchases

Most banks now offer account holders ATM debit cards that sport a Visa or MasterCard logo. Since these cards function like credit cards, you can use them for most online credit card purchases. However, if someone were to steal your debit card number, he or she wouldn't merely run up a huge credit card debt; the criminal could conceivably drain your entire checking or savings account before you could say "Stop, thief!" By virtue of the Visa logo on your debit card, banks provide a fraud-protection refund policy (with a $50 deductible) for all cardholders, but it can take several months to get your money back, so it's best to avoid the risk altogether.

Try disposable income

Recently, the members of the credit industry (including American Express and Discover) devised a new tactic to prevent credit card fraud: the disposable credit card number. To get a disposable number, you simply register with your credit card company. Then, whenever you want to make an Internet purchase, you return to your credit company's site and enter the amount of the purchase into a form. The credit card company then provides you with a one-time-only number that you can use for that specific purchase.

Bank safe

If you're considering banking online, you face many of the same issues that online shoppers do. To keep your account information safe as you send it back and forth between your PC and your bank, make sure your bank's Web site uses 128-bit SSL encryption for all transactions. Look for the telltale locked padlock icon; then, before you start using your online account, be sure you're running a browser version that supports SSL (see recommendations above).

You'll also want to make sure that your bank doesn't sell customers' names, addresses, phone numbers, or other sensitive personal information to marketers. This practice exposes you to junk mail and spam. Read your online bank's privacy policy carefully to see who the bank shares information with and ask them to opt you out of any information-sharing programs at the time you sign up for an account.

Block spammers and scammers

The spam scam

How do the spammers get your address in the first place? Most of them acquire their stock of addresses through harvesting, a process that uses software to scan Web sites for any text with an @ symbol, recording the addresses in databases. Then they send their own spam to these addresses and/or sell or trade the addresses to other spammers.

What's one of the best ways to keep spammers from tracking you down? Avoid using your primary address; instead, sign up for a free email account at a site such as Hotmail or Yahoo, then use these alternate addresses every time you post messages publicly or order products from Web stores. (For more antispam tips, check out our "Take back the Net" and "The great CNET spam-off" features.)

Spammers also harvest email addresses from posts you make to Usenet newsgroups and online archives of mailing lists you might subscribe to. Never enter your email address into your newsreader program's settings. It's easy for spammers to skim message boards for email addresses, so use a free email account to sign up for and reply to these. On those rare occasions when viruses send the contents of your address book to spammers, there's nothing you can do, so it's best to have antivirus software running all the time.

Keep a low profile

Of course, the easiest way to keep spam out of your in-box is to keep your email address private in the first place. Give it only to trusted friends, family, and colleagues. Don't enter your primary address into Web forms or shopping order pages, and don't enter your address into your Web or Usenet browser's preferences; some sites can read your email address or real name straight from the preferences. In general, when a Web browser or a Usenet newsreader asks you to enter your real name and/or email address in a settings dialog, just leave the fields blank and move on.

Once spammers get ahold of your email address, they can use HTML email messages to acquire additional addresses from you. HTML email looks different from plain-text email in that it can be formatted with different type sizes and live Web links right in the body of the message. Unfortunately, these messages not only take a long time to load, they can also contain hidden scripts that send the list of addresses in your address book to the composers of the messages. It's fairly easy to disable HTML email messages: simply go into your email program's preferences dialog and deselect the preference to view mail as HTML. (In later versions of Eudora, for example, you click Tools > Options, then select Viewing Mail in the left pane and uncheck the box labeled Use Microsoft's Viewer.)

Other tools, including AnalogX's free Script Defender can stop malicious code in your email before it activates. Script Defender, like CookieWall, runs in the background, waiting until it detects a malicious script. Then it stops the script from activating and lets you know what happened.

Encryption protection

Of course, even if you stick to all of these rules, email messages themselves aren't safe from prying eyes; anyone who intercepts messages between your PC and their destination can read them. Unless, that is, you encrypt, or scramble, the contents of the messages so that only you and the intended recipient can read them. You can use a free programs such as PGPfreeware to encrypt your mail, but both you and the recipient have to install and configure it ahead of time.

Some email clients offer encryption options, but they require that you acquire a digital ID from a third party. To encrypt messages within Outlook, for example, you must first subscribe to a company such as VeriSign for a yearly fee for an ID.

Copyright © 2009 CBS Interactive, a CBS Company. All Rights Reserved.
ZDNET is a registered service mark of CBS Interactive. ZDNET Logo is a service mark of CBS Interactive.