Using the Internet Securely

You can do many interesting and useful things on the Internet, both in the office and at home, and you can do them securely -- if you understand and avoid certain risks. The two main security risks are drawing attention to yourself as a potential target for intelligence exploitation and unintentional compromise of sensitive information.

Chat Rooms, News Groups,
Bulletin Boards

Chatting on the Internet or posting messages to news groups or bulletin boards might seem like a private pastime, but it is in fact a very public activity. Message sent to "Usenet" discussion groups are broadcast to anyone, anywhere in the world, who wants to receive them. These messages are archived so that they are readily searchable by the public. The Deja.com archive contains messages going back to March 1995.

Foreign intelligence collectors and investigators collecting competitive intelligence regularly troll bulletin board, chat room and newsgroup postings to identify individuals or information of potential interest. If someone on the Internet finds that, because of the information you offer, you could be a good "source," he or she will have no problem finding out more about you.

A knowledgeable information collector can identify a great deal of information about you with little more than your e-mail address and a newsgroup or chat room posting. One can probably obtain from online sources your address, phone number, vehicle license plate number, social security number, date of birth, name of employer, eye color, weight, credit report, real estate ownership records, and the names, addresses, and phone numbers of nine to fourteen of your neighbors who may then be called for additional information about you.

Once you are identified as a potential target, a knowledgeable information collector may search for and read your newsgroup, bulletin board, and chat room postings. For an example of how this type information can be used by hackers, see the "Getting to Know You" section in Case 1.

bullet   Do not post any information on the Internet that calls attention to yourself as a person with access to proprietary or classified information. This could cause you to become a target.

If you are recognized as a government employee or contractor, your words may carry a weight that you did not intend. The common assumption is that you know more than you do, and that you have access to classified or other sensitive information relating to the subject of discussion, which may or may not be the case. If you are thought to have information of value, you may start to receive e-mail solicitations from people asking questions and offering to provide you with information in return. See How Do I Know When I'm Being Targeted and Assessed?

Do not try to impress others with how much you know. Specifically:

  • Do not express any opinion in a way that implies you have insider information, and therefore that your opinion merits greater credence than the opinions of others.
  • Do not imply or state outright that you have access to proprietary or classified information. A statement such as "I can't say any more, because I have a clearance" is an example of security consciousness gone awry. It targets you as a holder of classified information.
  • Do not refer to project code words, even though the words may be used in other public media.
  • Do not provide information about your work, your employer, or job location.

The greatest risk on the Internet is when you "chat" in real time with other users, using typed input that is relayed back and forth. There are several reasons why this can be dangerous:

  • Live chat does not allow you time to think carefully before you respond. Once the message is sent, it's gone forever.
  • What starts out as a casual information exchange can quickly lead to much more.
  • Your message on the Internet may be read by tens of thousands of people worldwide.

When chatting on line or exchanging e-mail, remember that the people you are communicating with are not always who they seem to be. You don't even know what country they are in. Although there are country codes for Internet addresses, they are not always used. For example, America Online is international, and you don't know the home country of a person with an aol.com e-mail address.

Some messages are sent anonymously. Unfortunately, it is not always possible to know which are and which are not. Reputable "remailers" who forward mail anonymously make it clear that their messages are anonymous. Less responsible remailers, however, substitute phony names and addressed, but do not so indicate. Because messages can be forwarded from anywhere to anywhere, you cannot assume anything about message origins. Be wary of responding to messages from anyone whom you do not know personally.

Pre-Publication Review

For purposes of pre-publication review, an electronic file is the same as a paper document. If you would need to get pre-publication review for a hard-copy version of something you write, you need pre-publication review before putting the same material on line. Get pre-publication review for any such document or file that you:

  • Submit to an online publication
  • Draft and store on your publicly accessible home page.
  • Send to another Internet site, regardless of the site or location.

Even though information is unclassified, it may not be appropriate to put on a public Internet site. Before putting information on a web site, see Pre-Publication Review of Web Site Content.

Surfing the Net

The principal hazards of surfing the Internet are discussed in greater detail in other topics. The greatest risk is probably downloading files, as discussed in Viruses and Other "Infections". The wealth of free software available for downloading from the Internet is exciting but does pose risks. Many organizations explicitly prohibit downloading and running software from the Internet. If you want to download a program, check with your system administrator.

bullet  When logging in to an Internet site that requires password and user ID, do not use the same password that you use to log on to your office network. The password for your office network requires the utmost protection, while the password used to log in to an external web site is vulnerable to interception unless in it encrypted. Compromise of the one should not compromise the other.

The rapid growth of Internet commerce is driving the development of additional security measures. Protection mechanisms such as Secure Sockets Layer (SSL) and Secure Electronic Transaction (SET) are growing rapidly. SSL sits "between" your web browser and the web server you are communicating with. It can exchange verification of both parties to the communication. It then encrypts sensitive information such as credit card data when making a purchase or personal information filled in on a form to register with a site. SET uses digital signatures to ensure that Internet credit card users and merchants are who they say they are. With SET, your credit card number is never stored on the merchant's computer.

Most browsers have a padlock or key symbol in the lower left corner of the screen to show the security status of the connection. When the padlock is open or the key is broken, no special security precautions are in effect. When the padlock is closed or the key is unbroken, information is being encrypted. The number of teeth in the key signifies the level of encryption. One tooth signifies a 40-bit key; two teeth means a 128 bit key.

Related Topics: E-Mail Pitfalls, Viruses and Other "Infections", Case 1, How Do I Know When I'm Being Targeted and Assessed?, Pre-Publication Review of Public Web Site Content

 

<-- PrevNext -->
SECURITY BRIEFING TABLE OF CONTENTS