WWW.huh?: You Are the First Line of Defense
By Steve Hara
American Forces Press Service
WASHINGTON, Jun. 25, 2001 Defense Department computer security systems and specialists foiled nearly 22,500 would-be intruders in 1999 and 24,500 in 2000. There's no let-up in sight.
Special agent Jim Christy said he and others on his law enforcement staff are in a "growth business" chasing hackers and spies and running other criminal activities to ground. As representatives of the Office of the Assistant Secretary of Defense for Command, Control, Communications and Intelligence, they also counsel DoD employees on being an effective first line of defense instead of the weakest link.
Safer Websurfing for Kids
Disturbing news for you and your parents:
According to a study released June 20, 2001, one of every five U.S. youths of 1,500 surveyed recently said they'd received unwanted sexual solicitations while Web surfing.
The youth, ages 10 to 17, said they regularly used the Internet. The study, by the Crimes Against Children Research Center at the University of New Hampshire, Durham, defined "solicitations" as requests to engage in sexual activities or sexual talk, or to give personal sexual information.
The sleaze is real, and it's out there. To help keep it at bay, special agent Jim Christy, a Defense Department computer security expert and law enforcement investigator, dispenses the following tips whenever he talks to young people. Set up rules with your parents for going online. Don't reveal your name, address, phone number or school location without your parents' permission. Never accept e-mail, pictures or files from strangers online. Never meet anyone from chat sessions without your parents' permission. Tell your parents about inappropriate language or pictures you see online.
When he discusses computer security, Christy said, he drives home that average folks aren't expected to mount an ironclad defense. Rather, he stressed, they can do simple things that make life harder for bad guys -- and stop doing simple things that make life easy for them.
- Use different passwords at Web sites and on every machine you use. Reject all site and system offers to "remember" you and your password. Bad guys know many people use just one password, so attacking an easily hacked site gives them "skeleton keys" to tough ones. (See video, 38 sec.)
- Don't open e-mail attachments from people you don't know, and don't open them uncritically just because someone you do know supposedly sent them. Hackers use attachments to inject viruses and other mischievous or malicious computer code into machines and systems. A common means to spread infections is by sending e-mail copies to everyone in a victim's address book -- using the victim's name.
- Log off or lock your workstation when you go on breaks or out to lunch. No point giving bad guys unfettered access to your computer and network -- and leaving you holding the bag because the system thinks you're at the keyboard.
- Never use personal diskettes, Zip disks and the like on classified systems. Computers divide files and write them to disk in units called sectors. If the file's last sector is only partially filled, the machine tops it off with data randomly pulled from memory or hard drives -- there's no real telling in advance where the information might come from. So writing and saving even your holiday greetings letter on a classified system is a potential disaster. That's why the practice is a security violation.
- You can be a security risk even if you don't work with classified files, have none on your computer and have no access to any.
The mindset on the last point is wrong for at least three reasons, Christy noted. First, too many people think a secure system can't be hacked from their office computer network -- usually because they themselves don't know how. Fact is, good hackers really can launch attacks on your lowly machine if you give them the time and opportunity, he said.
Second, he continued, intelligence analysts make a living by drawing conclusions and educated guesses from bits and pieces of unclassified and seemingly unrelated information.
Third, information doesn't have to be classified to be sensitive. Medical records, personnel records and personal address and phone books aren't usually classified, but all contain data protected from public release by the Privacy Act of 1974. Good security, he said, means locking out all snoops, not just spies.
Christy and company's growing business in security issues gives constant rise to another: personal privacy. You have none, and that roils many employees.
Uncle Sam's machine, Uncle Sam's rules, Christy noted. (See video, 42 sec.)
Agency systems administrators are supposed to have the means to track every move made by every user in their realm. Literally. Every keystroke. Every mouse click. They can reconstruct any document you write, every Web site you visit, Christy said. (See video, 30 sec.)
Monitoring could be used to detect crimes and employee waste and abuse, but rarely is, he noted. More frequently, investigators and managers consult monitoring records to make or break cases after allegations surface other ways. Computer users can't claim a "probable cause" defense after being caught, because they all agree to be monitored as a condition of access.
"There is absolutely no privacy on a government computer," Christy said. "Every time you turn one on, you get a message that the government can and will monitor you, and if you sign in, that means you understand and agree. Always assume you're being monitored."