Using the Internet Securely
You can do many interesting and useful things on the Internet, both in the office and at home, and you can do them securely -- if you understand and avoid certain risks. The two main security risks are drawing attention to yourself as a potential target for intelligence exploitation and unintentional compromise of sensitive information.
Chat Rooms, News Groups, Bulletin Boards
Chatting on the Internet or posting messages to news groups or bulletin boards might seem like a private pastime, but it is in fact a very public activity. Messages sent to "Usenet" discussion groups are broadcast to anyone, anywhere in the world, who wants to receive them. These messages are archived so that they are readily searchable by the public. The Deja.com archive contains messages going back to March 1995.
Foreign intelligence collectors and investigators collecting competitive intelligence regularly troll bulletin board, chat room and newsgroup postings to identify individuals or information of potential interest. If someone on the Internet finds that, because of the information you offer, you could be a good "source," he or she will have no problem finding out more about you.
A knowledgeable information collector can identify a great deal of information about you with little more than your e-mail address and a newsgroup or chat room posting. One can probably obtain from online sources your address, phone number, vehicle license plate number, social security number, date of birth, name of employer, eye color, weight, credit report, real estate ownership records, and the names, addresses, and phone numbers of nine to fourteen of your neighbors who may then be called for additional information about you.
Once you are identified as a potential target, a knowledgeable information collector may search for and read your newsgroup, bulletin board, and chat room postings. For an example of how this type of information can be used by hackers, see the "Getting to Know You" section in Case 1.
If you are recognized as a government employee or contractor, your words may carry a weight that you did not intend. The common assumption is that you know more than you do, and that you have access to classified or other sensitive information relating to the subject of discussion, which may or may not be the case. If you are thought to have information of value, you may start to receive e-mail solicitations from people asking questions and offering to provide you with information in return. See How Do I Know When I'm Being Targeted and Assessed?
Do not try to impress others with how much you know. Specifically:
The greatest risk on the Internet is when you "chat" in real time with other users, using typed input that is relayed back and forth. There are several reasons why this can be dangerous:
When chatting on line or exchanging e-mail, remember that the people you are communicating with are not always who they seem to be. You don't even know what country they are in. Although there are country codes for Internet addresses, they are not always used. For example, America Online is international, and you don't know the home country of a person with an aol.com e-mail address.
Some messages are sent anonymously. Unfortunately, it is not always possible to know which are and which are not. Reputable "remailers" who forward mail anonymously make it clear that their messages are anonymous. Less responsible remailers, however, substitute phony names and addresses without indicating that they have done so. Because messages can be forwarded from anywhere to anywhere, you cannot assume anything about message origins. Be wary of responding to messages from anyone whom you do not know personally.
For purposes of pre-publication review, an electronic file is the same as a paper document. If you would need to get pre-publication review for a hard-copy version of something you write, you need pre-publication review before putting the same material on line. Get pre-publication review for any such document or file that you:
Even though information is unclassified, it may not be appropriate to put on a public Internet site. Before putting information on a web site, see Pre-Publication Review of Web Site Content.
Surfing the Net
The principal hazards of surfing the Internet are discussed in greater detail in other topics. The greatest risk is probably downloading files, as discussed in Viruses and Other "Infections". The wealth of free software available for downloading from the Internet is exciting but does pose risks. Many organizations explicitly prohibit downloading and running software from the Internet. If you want to download a program, check with your system administrator.
The rapid growth of Internet commerce is driving the development of additional security measures. Use of protection mechanisms such as Secure Sockets Layer (SSL) and Secure Electronic Transaction (SET) is growing rapidly. SSL sits "between" your web browser and the web server you are communicating with. It can verify the identity of both parties to the communication. It then encrypts sensitive information, such as credit card data when making a purchase or personal information filled in on a form to register with a site. SET uses digital signatures to ensure that Internet credit card users and merchants are who they say they are. With SET, your credit card number is never stored on the merchant's computer.
Most browsers have a padlock or key symbol in the lower left corner of the screen to show the security status of the connection. When the padlock is open or the key is broken, no special security precautions are in effect. When the padlock is closed or the key is unbroken, information is being encrypted. The number of teeth in the key signifies the level of encryption. One tooth signifies a 40-bit key; two teeth signify a 128-bit key.
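The padlock and key symbols summarize two things a client program can check directly: whether the server's certificate verified, and how many secret-key bits the negotiated cipher uses. The Python sketch below is an added example, not part of the original guide; the function names, the 128-bit threshold constant and the sample cipher tuples are constructed for illustration, and check_site needs network access.

```python
import socket
import ssl

WEAK_BELOW = 128  # the page's "two teeth" level; anything under it is flagged

def padlock_state(cipher):
    """Translate SSLSocket.cipher() output into the page's padlock terms.

    cipher is None (no TLS) or a (name, protocol, secret_bits) tuple.
    """
    if cipher is None:
        return "open padlock: nothing is encrypted"
    name, protocol, bits = cipher
    grade = "weak" if bits < WEAK_BELOW else "strong"
    return f"closed padlock: {grade} {bits}-bit key ({name}, {protocol})"

def offered_strengths(ctx=None):
    """Secret-key size of every cipher suite this client would offer."""
    ctx = ctx or ssl.create_default_context()
    return {c["name"]: c["strength_bits"] for c in ctx.get_ciphers()}

def check_site(host, port=443, timeout=5.0):
    """Live check (needs network). The default context verifies the server's
    certificate chain and hostname, so a failed verification raises
    ssl.SSLCertVerificationError instead of returning a padlock state."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return padlock_state(tls.cipher())

if __name__ == "__main__":
    # Constructed sample tuples: a 1990s export-grade suite and a modern one.
    print(padlock_state(None))
    print(padlock_state(("EXP-RC4-MD5", "SSLv3", 40)))
    print(padlock_state(("TLS_AES_128_GCM_SHA256", "TLSv1.3", 128)))
    weakest = min(offered_strengths().values())
    print(f"weakest suite this client offers: {weakest}-bit")
```

A closed padlock only says the channel is encrypted to the server whose certificate verified; it says nothing about whether that server is the one you meant to reach or how it handles the data afterwards.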