Using the Internet Securely
You can do many interesting and useful things
on the Internet, both in the office and at home, and you can do them securely -- if you
understand and avoid certain risks. The two main security risks are drawing attention to
yourself as a potential target for intelligence exploitation and unintentional compromise
of sensitive information.
Chat Rooms, News Groups,
Chatting on the Internet or posting messages
to news groups or bulletin boards might seem like a private pastime, but it is in fact a
very public activity. Message sent to "Usenet" discussion groups are broadcast
to anyone, anywhere in the world, who wants to receive them. These messages are archived
so that they are readily searchable by the public. The Deja.com archive contains messages
going back to March 1995.
Foreign intelligence collectors and
investigators collecting competitive intelligence regularly troll bulletin board, chat
room and newsgroup postings to identify individuals or information of potential interest.
If someone on the Internet finds that, because of the information you offer, you could be
a good "source," he or she will have no problem finding out more about you.
A knowledgeable information collector can
identify a great deal of information about you with little more than your e-mail address
and a newsgroup or chat room posting. One can probably obtain from online sources your
address, phone number, vehicle license plate number, social security number, date of
birth, name of employer, eye color, weight, credit report, real estate ownership records,
and the names, addresses, and phone numbers of nine to fourteen of your neighbors who may
then be called for additional information about you.
Once you are identified as a potential
target, a knowledgeable information collector may search for and read your newsgroup,
bulletin board, and chat room postings. For an example of how this type information can be
used by hackers, see the "Getting to Know You" section in Case 1.
Do not post any information on the Internet that calls attention
to yourself as a person with access to proprietary or classified information. This could
cause you to become a target.
If you are recognized as a government
employee or contractor, your words may carry a weight that you did not intend. The common
assumption is that you know more than you do, and that you have access to classified or
other sensitive information relating to the subject of discussion, which may or may not be
the case. If you are thought to have information of value, you may start to receive e-mail
solicitations from people asking questions and offering to provide you with information in
return. See How Do I Know When I'm Being
Targeted and Assessed?
Do not try to impress others with how much
you know. Specifically:
- Do not express any opinion in a way that
implies you have insider information, and therefore that your opinion merits greater
credence than the opinions of others.
- Do not imply or state outright that you have
access to proprietary or classified information. A statement such as "I can't say any
more, because I have a clearance" is an example of security consciousness gone awry.
It targets you as a holder of classified information.
- Do not refer to project code words, even
though the words may be used in other public media.
- Do not provide information about your work,
your employer, or job location.
The greatest risk on the Internet is when you
"chat" in real time with other users, using typed input that is relayed back and
forth. There are several reasons why this can be dangerous:
- Live chat does not allow you time to think
carefully before you respond. Once the message is sent, it's gone forever.
- What starts out as a casual information
exchange can quickly lead to much more.
- Your message on the Internet may be read by
tens of thousands of people worldwide.
When chatting on line or exchanging e-mail,
remember that the people you are communicating with are not always who they seem to be.
You don't even know what country they are in. Although there are country codes for
Internet addresses, they are not always used. For example, America Online is
international, and you don't know the home country of a person with an aol.com e-mail
Some messages are sent anonymously.
Unfortunately, it is not always possible to know which are and which are not. Reputable
"remailers" who forward mail anonymously make it clear that their messages are
anonymous. Less responsible remailers, however, substitute phony names and addressed, but
do not so indicate. Because messages can be forwarded from anywhere to anywhere, you
cannot assume anything about message origins. Be wary of responding to messages from
anyone whom you do not know personally.
For purposes of pre-publication review, an
electronic file is the same as a paper document. If you would need to get pre-publication
review for a hard-copy version of something you write, you need pre-publication review
before putting the same material on line. Get pre-publication review for any such document
or file that you:
- Submit to an online publication
- Draft and store on your publicly accessible
- Send to another Internet site, regardless of
the site or location.
Even though information is unclassified, it
may not be appropriate to put on a public Internet site. Before putting information on a
web site, see Pre-Publication Review of
Web Site Content.
Surfing the Net
The principal hazards of surfing the Internet
are discussed in greater detail in other topics. The greatest risk is probably downloading
files, as discussed in Viruses and Other
"Infections". The wealth of free software available for downloading from the
Internet is exciting but does pose risks. Many organizations explicitly prohibit
downloading and running software from the Internet. If you want to download a program,
check with your system administrator.
When logging in to an Internet
site that requires password and user ID, do not use the same password that you use to log
on to your office network. The password for your office network requires the utmost
protection, while the password used to log in to an external web site is vulnerable to
interception unless in it encrypted. Compromise of the one should not compromise the
The rapid growth of Internet commerce is
driving the development of additional security measures. Protection mechanisms such as
Secure Sockets Layer (SSL) and Secure Electronic Transaction (SET) are growing rapidly.
SSL sits "between" your web browser and the web server you are communicating
with. It can exchange verification of both parties to the communication. It then encrypts sensitive information such as credit
card data when making a purchase or personal information filled in on a form to register
with a site. SET uses digital signatures to ensure that Internet credit card users and
merchants are who they say they are. With SET, your credit card number is never stored on
the merchant's computer.
Most browsers have a padlock or key symbol in
the lower left corner of the screen to show the security status of the connection. When
the padlock is open or the key is broken, no special security precautions are in effect.
When the padlock is closed or the key is unbroken, information is being encrypted. The
number of teeth in the key signifies the level of encryption. One tooth signifies a 40-bit
key; two teeth means a 128 bit key.
Related Topics: E-Mail Pitfalls, Viruses
and Other "Infections", Case 1, How Do I Know When I'm Being Targeted and
Assessed?, Pre-Publication Review of
Public Web Site Content