Insecurities and How To Avoid Them

Knowledge is power and by knowing where the insecurities are, you can become safer. The following list outlines the various ways in which your information or communications can be improperly accessed or manipulated, and suggests ways to avoid the insecurity.

Talking
Information does not need to go through the Internet to be improperly accessed. When discussing vulnerable issues, consider the following questions:

1. Do you trust the people with whom you are speaking?
2. Do they need to know the information you are giving?
3. Are you in a safe environment? Often bugs or other listening devices are specifically planted in areas where people assume they are safe such as private offices, busy streets, home bedrooms and cars.

It may be difficult to know the answer to the third question because microphones or bugs can be planted in a room to record or transmit everything being said within, and because laser microphones can be directed at windows from great distances to listen to what is being said within. Heavy curtains provide some protection against these laser bugs as does installing double glazed  windows. Some secure buildings have two sets of windows installed in all outside offices to dampen  or reduce any pick up from laser listening devices.

What can you do?

• First, and foremost, assume you are being listened to at all times. If you adopt an attitude of healthy paranoia, you are more likely to not forget  when it comes to confidential matters.
• Bug sweepers or sniffers can detect listening devices but can be expensive and difficult to obtain. Also, sometimes the people hired to conduct the bug sweeps are responsible for the original bugging. During a sweep, they either find a few throw-aways  (cheap bugs designed to be found) or miraculously find nothing and declare you are clean.
• Keep in mind that your cleaning staff could be a serious threat to your security. They have after-hours access to your offices and they take all your garbage away with them every night. Janitorial staff should be vetted carefully for security clearance. This clearance should be ongoing as your staff may be compromised after they join your organization.
• Change meeting rooms as often as you can. The more rooms or places you use to discuss and exchange information, the more manpower and equipment will have to be used to listen to you.
• Beware of any gifts that are designed to be kept with you at all times (such as an expensive pen, label pin or broach) or used in your office (such as a beautiful paperweight or large picture). In the past, both types of objects have been used to listen in to conversations.
• Use code words to protect particularly sensitive names, addresses, organizations and events. Change these code words often. Extremely sensitive information can be coded differently by event or group of people. This way, even if your communication is overheard, and decoded, it is only useful until you change the code.
• Assume that some portion of your information is compromised at any given time; you may wish to change plans and codes often giving your listeners only fragments of true information. Consider given out false information to see if it is handled by any listeners.
• To avoid laser microphone effectiveness, discuss delicate matters in a basement or a room with no windows. The effectiveness of some laser listening devices can be reduced during rainstorms and other atmospheric conditions.
• Play an audio recording of white noise or a popular song to interfere with sound pickup. Only expensive technology can filter out random noise to hear a conversation.
• Delicate matters may also be discussed while walking rapidly in a randomly selected but heavily treed area  the random selection helps to avoid the effectiveness of surveillance while the trees get in the way of laser microphones.
• Wide-open spaces, however, can be both helpful and harmful. While meeting in a secluded place, it is easy to see if one is being followed or otherwise observed, it is also difficult to escape detection by blending in  if detected. In crowds, it is easier to blend in, but far easier to be watched (and heard).

Cell phones
" Analog cell phones are much less secure than digital cell phones, and they are much less secure than land lines.
" Your location and conversations can be picked up through cellular surveillance. You do not have to be talking for your location to be tracked  this can be done anytime your cell phone is on.
" Do not keep vulnerable information such as names and phone numbers in the memory of your cell phone. This information can be used to track down and implicate the people you want to protect if your cell phone is stolen.

Physical security in the office
" Lock the office at all times, including doors and windows. Use double bolt locks on the doors and bars on the windows.
" Use keys that require specific authorization to be copied and keep track of all copies. Do NOT give keys to third parties even for maintenance and cleaning staff, and make sure someone is always present when third parties are in the office. If this is not feasible, ensure you at minimum have a single room with limited access where vulnerable files are kept. Consider locking all office doors and leaving the (non-confidential) trash outside in the hallway at night.
" Use a cross-cut  shredder for anything confidential. The strip  shredders are mostly useless. For particularly confidential material, consider burning the shreddings, pulverizing the ashes and flushing the ashes down the toilet.
" Use cameras at access doors to limit entry.
" Lock down computers when leaving the office if possible.
" Turn computer screens away from the windows.
" Use surge protectors for all power outlets.
" Keep backup media (including paper files) in a secure separate location. Make sure your backups are secure by maintaining them on an encrypted hard drive, with a secure data backup organization, or secured by sophisticated physical locks.

Basic computer and file security
" To avoid someone accessing your computer while you are away, passphrase protect your computer and always shut off your computer when you leave it.
" If they can get by your passphrase protection, or if you have left your computer on, your files can still be secure if you encrypt your files.
" If your computer is stolen, you can get back your files if you have created a secure backup every day. Keep the encrypted backups away from your office in a safe place.
" Your erased files cannot be reconstructed if you have wiped them using PGP Wipe or another utility instead of just throwing them into the Trash or Recycle Bin.
" Vulnerable files will not be as much of a target if they are not easily identifiable. Do not use names, dates or significant words to identify key files. Instead use your own code, including recipes, party planning, games or other seemingly innocent file names.
" Your computer can be programmed to send out your files or otherwise make you vulnerable without your knowledge. To avoid this, obtain your computer from a trusted source, flatten the computer (reformat the hard drive) when you first get it, and then only install the software you want. Only allow trusted technicians to service your computer and watch them at all times.
" Consider unplugging your computer s phone (or otherwise physically disabling your Internet connection) when you leave the machine unattended. This way, rogue programs that call out in the middle of the night will not work.
" Never leave your computer on when you leave for the day. Consider installing software that will disable access after a certain set time of inactivity. This way, your machine is not vulnerable while you get a coffee or make a photocopy.
" In your Web preferences, enable file extensions so you can tell what kind of file you have before you open it. You don t want to launch a virus by opening an executable file that you thought was a text file. While in Internet Explorer, go to the Tools menu and choose Folder Options. Click View and make sure Hide extensions for known file types  is NOT checked.

Internet insecurities
Your email does not fly directly from your computer to the computer of the intended recipient. It goes through several nodes and leaves behind information as it passes. It can be accessed all along the path:
" Someone can be looking over your shoulder as you type. This is especially problematic in Internet cafes.
" If you are connected to a network, your email maybe accessible by everyone else in the office.
" Your system administrator may have special administrative privileges to access all email.
" Your ISP has access to your email. Anyone who has influence over your ISP may be able to pressure it to forward them copies of all your email or to stop certain email from getting through.
" As it passes through the Internet your email flows through hundreds of insecure third-parties: hackers can access email messages as they pass.
" The ISP of your intended recipient may also be vulnerable, along with the network and office of your intended recipient.

Basic Internet safety
" Viruses and other problems such as Trojan Horses (or Trojans) can come from anywhere; even friends may unknowingly spread viruses. Use a good anti-virus program and keep up-to-date with automatic online updating. New viruses are constantly being created and discovered so check out the Virus Information Library (vil.nai.com) for the latest virus protection patches.
" Viruses are usually spread through email so practice safe email (see later in this document). Viruses are single programs designed to replicate and may or may not be malignant. Trojans are programs designed to give a third party (or anyone!) access to your computer.
" A good firewall can help you appear invisible  to hackers and keep out intruders who are trying to get into your system. This ensures that only authorized applications are connecting to the Internet from your computer. This prevents programs such as Trojans from sending out information or opening backdoors  to your computer through which hackers can enter. (See Introduction to Firewalls for more information).
" A key logger  system can track every keystroke you make. These programs are spread either by someone putting it on your computer while you are away, or through a virus or Trojan you get over the Internet that attacks your system. Key loggers track your keystrokes and report back your activities, usually over the Internet. Key loggers it can be defeated by passphrase protecting your computer, practicing safe email, using an anti-virus program, and using a mouse-guided program to type in your passphrase. Key loggers can also be disabled by physically disconnecting your computer s Internet access (usually by simply unplugging the computer s telephone connection) when you are not using the computer.
" An email address can be spoofed  (faked) or used by someone other than the true owner. This can be done by obtaining access to another person s computer and password, by hacking the service provider, or by using an address that appears to be the specific person s address. For example, by exchanging the lowercase l  with the number 1 , you can create a similar address and most people will not notice the slight difference. To avoid being fooled by a spoof, use meaningful subject lines and periodically ask questions that only the true person could answer. Confirm any suspicious requests for information with a follow up through another form of communication.
" Keep your browsing activity private by not accepting cookies and by deleting your cache after every time you use the Web. In Internet Explorer, go to Tools, then Options. In Netscape Navigator, go to Edit, then Preferences. While you re in either of these menus, delete all your history, any cookies you may have and empty your cache. Remember to delete all your bookmarks as well. Browsers also keep records of the site you visit in cache  files. Find out which files should be deleted on your system.
" Upgrade all Web browsers to support 128-bit encryption. This will help safeguard any information you want to pass securely over the web, including passwords and other sensitive data submitted on forms.
" Install the most recent security patches for all software used, especially Microsoft Office, Microsoft Internet Explorer and Netscape.
" Don t use a computer with delicate information for non-essential Web browsing.

Basic Safe Email Practices
These are safe email practices to follow and to make sure all your friends and associates follow. Let everyone know that you will not open their email unless they practice safe email.

1. NEVER open email from someone you don t know.

2. NEVER forward email from someone you don t know, or that originated with someone you don t know. All those think happy thoughts  emails that people send around could contain viruses. By sending them to your friends and associates you may be infecting their computers. If you like the sentiment enough, retype the message and send it out yourself. If it s not worth it to you to spend this time retyping, it s probably not that important a message anyway.

3. NEVER download or open an attachment unless you know what it contains and know it is secure, and turn off automatic download options in your email program. Many viruses and Trojans spread themselves as worms  and modern worms often appear to have been sent by someone you know. Smart worms scan your address book (especially if you use Microsoft s Outlook or Outlook Express) and replicate by masquerading as legitimate attachments from legitimate contacts. PGP-signing your emails, both with and without attachments, can greatly reduce confusion over virus-free attachments you send to colleagues.

4. DON T use HTML, MIME or rich text in your email; use only plain text  enriched emails can contain embedded programs which could allow access to or damage of your computer files.

5. If using Outlook or Outlook Express, turn off the preview screen option.

6. Encrypt your email whenever possible. An unencrypted email is like a postcard that can be read by anyone who sees it or obtains access to it. An encrypted email is like a letter in an envelope inside a safe.

7. Use meaningful subject lines so the reader knows that you intended to send the message. Tell all your friends and co-workers to always say something personal in the subject line so you know they truly sent the message. (Otherwise someone might be spoofing them, or they may have a Trojan that has sent out an infected program to their entire mailing list including you!). However don t use subject lines in encrypted email that gives away secure information. Remember, the subject line is not encrypted and can give away the nature of the encrypted mail, which can trigger attacks. Many hacking programs now automatically scan (and copy) email messages with interesting  subjects such as report , confidential  private  and other indications that the message is of interest.

8. NEVER send email to a large group listed in the To  or cc  lines. Instead, send the message to yourself and include everyone else s name in the bcc  lines. This is common courtesy as well as good privacy practice. Otherwise, you are sending MY email address to people I don t know, a practice that is rude, offensive and potentially both frustrating and even dangerous.

9. NEVER respond to spam, even to request to be taken off the list. Spam servers send email to vast hoards of addresses and they never know which ones are live   meaning, someone is using the email address actively. By responding, the server recognizes you as a live  account and you are likely to receive more spam.

10. Keep a separate computer, not connected to any other, that accepts general email and contains no data files.