http://www.defenselink.mil/news/Jun2001/n06252001_200106252.html By Steve Hara American Forces Press Service WASHINGTON, June 25, 2001 -- Defense Department computer security systems and specialists foiled nearly 22,500 would-be intruders in 1999 and 24,500 in 2000. There's no let-up in sight. Special agent Jim Christy said he and others on his law enforcement staff are in a "growth business" chasing hackers and spies and running other criminal activities to ground. As representatives of the Office of the Assistant Secretary of Defense for Command, Control, Communications and Intelligence, they also counsel DoD employees on being an effective first line of defense instead of the weakest link. When he discusses computer security, Christy said, he drives home that average folks aren't expected to mount an ironclad defense. Rather, he stressed, they can do simple things that make life harder for bad guys -- and stop doing simple things that make life easy for them. Use different passwords at Web sites and on every machine you use. Reject all site and system offers to "remember" you and your password. Bad guys know many people use just one password, so attacking an easily hacked site gives them "skeleton keys" to tough ones. Don't open e-mail attachments from people you don't know, and don't open them uncritically just because someone you do know supposedly sent them. Hackers use attachments to inject viruses and other mischievous or malicious computer code into machines and systems. A common means to spread infections is by sending e-mail copies to everyone in a victim's address book -- using the victim's name. Log off or lock your workstation when you go on breaks or out to lunch. No point giving bad guys unfettered access to your computer and network -- and leaving you holding the bag because the system thinks you're at the keyboard. Never use personal diskettes, Zip disks and the like on classified systems. Computers divide files and write them to disk in units called sectors. If the file's last sector is only partially filled, the machine tops it off with data randomly pulled from memory or hard drives -- there's no real telling in advance where the information might come from. So writing and saving even your holiday greetings letter on a classified system is a potential disaster. That's why the practice is a security violation. You can be a security risk even if you don't work with classified files, have none on your computer and have no access to any. The mindset on the last point is wrong for at least three reasons, Christy noted. First, too many people think a secure system can't be hacked from their office computer network -- usually because they themselves don't know how. Fact is, good hackers really can launch attacks on your lowly machine if you give them the time and opportunity, he said. Second, he continued, intelligence analysts make a living by drawing conclusions and educated guesses from bits and pieces of unclassified and seemingly unrelated information. Third, information doesn't have to be classified to be sensitive. Medical records, personnel records and personal address and phone books aren't usually classified, but all contain data protected from public release by the Privacy Act of 1974. Good security, he said, means locking out all snoops, not just spies. Christy and company's growing business in security issues gives constant rise to another: personal privacy. You have none, and that roils many employees. Uncle Sam's machine, Uncle Sam's rules, Christy noted. Agency systems administrators are supposed to have the means to track every move made by every user in their realm. Literally. Every keystroke. Every mouse click. They can reconstruct any document you write, every Web site you visit, Christy said. Monitoring could be used to detect crimes and employee waste and abuse, but rarely is, he noted. More frequently, investigators and managers consult monitoring records to make or break cases after allegations surface other ways. Computer users can't claim a "probable cause" defense after being caught, because they all agree to be monitored as a condition of access. "There is absolutely no privacy on a government computer," Christy said. "Every time you turn one on, you get a message that the government can and will monitor you, and if you sign in, that means you understand and agree. Always assume you're being monitored." *==============================================================* "Communications without intelligence is noise; Intelligence without communications is irrelevant." Gen Alfred. M. Gray, USMC ================================================================ C4I.org - Computer Security, & Intelligence - http://www.c4i.org *==============================================================* ISN is hosted by SecurityFocus.com --- To unsubscribe email isn-unsubscribeat_private
This archive was generated by hypermail 2b30 : Tue Jun 26 2001 - 02:17:28 PDT