Posted: 11/17/2010
CLEVELAND - The flashing images you see online, popup advertisements and sites that remember who you are without logging in all make browsing easy. However, is this technology doing more than meets the eye?
"It's absolutely tough to surf anonymously, privately and securely," SecureState Senior Consultant John Melvin explained.
Some sites make it easy to figure out what the website knows about you.
For example, Google forms a profile of you based on the sites you visit in the Google Display Network. If you visit a lot of news sites, you may be listed as being interested in news.
Google explains all this to the consumer through its "Ads Preferences" tool.
Google said its "Ads Preferences" tool "makes the ads you see on the web more interesting." Websites partner with Google to show ads to their visitors based on your profile.
You can change your preferences or simply opt out.
Google said it doesn't know your name or any other personal information about you. It simply recognizes the number associated with and stored in your browser.
Most sites track this information. Google makes it easy to see, and gives consumers options.
However, security experts said not every website is created equal. On some sites, it's unclear what's being tracked about you, and that is raising privacy concerns.
Cookies left on your computer can be used to profile you
Our investigation with the information security management consulting firm, SecureState, found some tracking devices used by various online sites can put you at risk.
Websites form a profile of you based on your surfing and browsing habits. When you land on a site, a "cookie" is placed on your computer. It's a tremendous tracking tool for advertising purposes, but our investigation revealed the cookie can also put your family at risk.
"I see the utility in it. They're just trying to do their marketing, but it's a little weird they can see so much about you and know so much about you. So, that's a little disconcerting," consumer Celeste Asmar said.
With Asmar's permission, we had SecureState's Forensics Team search her Internet files to see if she's leaving behind a digital footprint.
"Is this your daughter's name and grade?" Matt Neely, SecureState Profiling Team Manager asked Asmar.
"Yes," Asmar responded.
"Roughly?" Neely asked.
"Oh exactly," Asmar remarked.
Asmar thought she was taking the right steps to protect her daughter's privacy. But, the security consultants at SecureState know her daughter's school and homeroom teacher's name.
"That I find very troublesome," Asmar said.
Asmar doesn't know the forensics team at SecureState. But, they know all about her after their analysis of her computer's Internet files.
"Pretty much I went through everything you did and saw what kind of information you provide to websites," Neely said.
SecureState said the information you provide during browsing is saved in a dozen locations on your computer. SecureState found little bits of information all over, and then pieced it all together to form a profile.
SecureState even knew Asmar's age.
"You got my weight in there, too?" Asmar questioned.
Not quite, but Asmar's Internet files reveal her age, address, unlisted phone number, her employer, her husband's name and activities he likes, and the car they just bought.
Bits of information lead to a profile
Even information that may not appear sensitive can be dangerous in a hacker's hands. The hacker can use the basic information to gain your trust and then you'll lead them to more personal information.
For example, SecureState knew Asmar bought a car. They knew the type, dealership and the fact it was certified.
"If we wanted to be a hacker and gain some additional information we could call her up at the phone number we discovered in the Word document. We say 'hello we are calling from such and such dealership, and you recently purchased this car. We are working on the extended warranty and we need some additional information from you,'" Neely explained.
Then, the hacker could get more information from you and you may think you're talking to the car dealer the whole time.
That's why it's essential to verify who you are talking to. It's always best to ask for a phone number to call that person back. That will help you verify someone's authenticity when they are asking for personal information.
The profilers use the information they gather to establish trust. Then, they launch their attack.
Sensitive information easy to find
Damage can be done with just basic information if it ends up in the wrong hands. In our test, we found very sensitive information stored in Asmar's Internet files that could have led to her identity being stolen.
"Are those two socials of someone in your family?" Neely asked, pointing to two social security numbers.
"Ugh! Yes," Asmar replied.
A social security number is all you need to steal someone's identity. Our findings get worse.
"I have his username and password for Turbo Tax, all based on your Internet history," Melvin said.
"My husband will be horrified," Asmar exclaimed.
Protecting yourself
Asmar's husband saved a chat session with a TurboTax representative in a Word document. He emailed the document to himself in case he needed the technical advice later. SecureState found the footprint for that email.
"Any file that is sent through webmail could be saved in the cache and hackers can then gain access," Neely explained.
That's the first tip to protect yourself and minimize your digital footprint. Don't send sensitive information to yourself, or anyone for that matter, with webmail. If you want to save a file for later use, store it on a flash drive or hard drive that you don't leave connected to your computer.
Secondly, log out at the end of sessions and try to avoid using public computers.
Run anti-virus software, and perhaps try several different kinds. Even the best software likely won't find all the viruses or tracking cookies.
Delete your cookies, and go into your tools menu and select "private browsing."
"You go into that mode and any data that's stored during that, when you close that browsing session, will be deleted," Neely said.
You may also want to explore plug-ins like TACO (Targeted Advertising Cookie Opt-Out) for Firefox. It's a plug-in that promises to prevent more than 100 online advertising networks from displaying ads.
These are simple steps you can take to erase your digital footprint. Check out these instructions for each of the major browsers, courtesy of SecureState:
Google Chrome also offers privacy options for users. The company explains the steps to going "incognito."
Hackers find ways around security tools
The hackers are already finding ways around these security tools. There's what's called an "EverCookie" that stays on your system forever.
It's very new, and security teams are scrambling to find a security patch.
Asmar didn't have an "evercookie" on her computer, but SecureState did find she'd be vulnerable to the latest attack.
SecureState was able to log into Asmar's husband's email without knowing his username or password.
They used forensic tools to do this but, "A new tool was released called Firesheep that really automates that whole process of stealing cookies and logging into other people's sessions with them. That's a very valid attack," Neely explained.
It's an attack the security community wants you to know about, because they feel knowledge is power.
"The bad guys know about it already so in terms of keeping that stuff hidden we are not helping the bad guys we are hurting the good guys," Neely said, defending why he named the automated program.
Security experts are now scrambling to find a solution.
Security is like a cat and mouse game.
"The bad guys come up with an attack. We figure out a way to stop it," Neely explained.
That's why it's essential users always take precautions.
"You guys have definitely enlightened me," Asmar said. "I intend to share the information on how to lock it down with other people. I think people need to be much better educated."
Trade Groups try to give consumers more protection
SecureState said legislators are trying to address privacy concerns, but it may be years before that's accomplished. The Federal Trade Commission is even considering a Do Not Track list similar to the Do Not Call registry.
In light of the security and privacy concerns, several trade and media marketing associations launched a self-regulated program to give consumers more control over the collection and use of data relating to their web habits. The website, AboutAds, explains the initiative and options for consumers to increase their privacy online.
An "Advertising Option Icon" will be added near online advertisements or on websites that collect data for advertising if they're participating in this program. Consumers can click on the icon and see a disclosure statement that allows them to opt out or simply view the company's policies for data collection.
More safety tips
Here are more security tips from SecureState:
Copyright 2010 Scripps Media, Inc. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.