Security and Obscurity on the Internet

Properly configured personal firewalls, intrusion detection and antivirus are all very important, but user error can easily negate many of the benefits provided by such technologies. This document intends to offer several ways of improving your security and obscurity on the Internet by reducing such user error.

Email

The following are some suggestions on how to avoid having your email used against you.

Do not trust any email message or any attachments they may contain. Every aspect of an email message can be easily counterfeited, so confirm the contents of a message by some means other than email before taking any action based on the information.

Do not forward messages. A lot of information can be deduced from an email message that has been forwarded, such as:

- Personal relationships can be mapped. Obviously the sender knows the addressees to some extent, and those with which they have the strongest relationships are often towards the beginning of a string of multiple addresses. Mapping is even easier when aliases are used. For example the text "Dad"(beau.jangles@hotmail.com) blatantly divulges the name of the senders' father.
- The time and date when sent may indicate when the sender is typically at home or at work.
- Header information such as the IP addresses and time zones of the servers traversed can give you a very good idea of where the senders are physically located. Of course this technique doesn't work for web-based email.
- At the very least those with malicious intent get a list of valid email addresses which can be sold to Spammers.

To avoid forwarding messages simply copy the applicable text into a new message and send it instead.

Remember that the "To" field is for those from which you expect a response. The "Cc" field is for those who would benefit from the information but from whom you do not expect a response. The "blind carbon copy" (bcc) is used when you don't want others to see whom you have sent an email message to. Use "Bcc" as much as possible - you may discover that it is all you really need.

Think before you click on "Send". Attackers rely on the lack of discretion that accompanies a quick response. If you receive hundreds of messages a day like most people it can be difficult to censor yourself. Typically what I do is compose a reply for a message after I read it, but don't send it. Once I have finished reading all of my messages I go back through all of my open replies and reread them before they are sent.

Be very careful when addressing a message, as typos can be disastrous. Imagine someone registering the domain "fbi.com". They set up a mail server and configure it to accept everything. Since the ".com" domain is very often assumed it is likely the new owner of the domain will receive messages accidentally addressed to "agent@fbi.com" that were intended for "agent@fbi.gov".

A valid business, government or other entity will never need you to forward a message "to everyone you know". Don't ever, ever, EVER do it. Ever.

Detach email attachments to your hard drive before opening them. Don't expect your antivirus software to always integrate perfectly with your email application.

Do not give away information in your email signature. Do not include phone numbers, physical addresses or anything other than your name and email address. A single post to a news group will ensure that the details in your signature are saved to a web site for the entire planet to find. If you must include more sensitive contact information in your signature use a graphic image instead of text to help prevent the information from being indexed.

Try to avoid using automatic "Out of office" replies when you are away. If you absolutely must use them make sure they are sent only to the appropriate individuals such as fellow coworkers.

Do not click on any link in an email message. If you truly need to view a web site mentioned in an email message go there manually.

Do not send sensitive information via email unless it is encrypted. If you can't encrypt it then send the information by some other means.

Use caution when responding to those using Yahoo! Mail, Hotmail or other free email accounts. Legitimate businesses or government agencies don't use them.

Do not attempt to unsubscribe from a Spam message. Unsubscribing simply confirms that your email address is valid which is beneficial to Spammers, so simply delete such messages.

Web

The following are things to keep in mind while browsing the Internet.

Existence on a web site does not make information truthful, no matter how pretty the site is.

Always verify company information with a presumably disinterested third party. While state and federal databases can be queried I often find all I need to know with Google. Some helpful Google queries include:

- "Company Name scam fraud" - This will locate articles regarding fraud perpetrated by the company.
- The phone number in dashed format, for example "800-555-1234". This will perform a reverse lookup that will identify the registered owner. Keep in mind that no identification is required to enable phone service so this method is not foolproof, but you will know something is wrong if a contact number for a supposed multinational corporation is registered to an individual. If the reverse lookup for your number results in nothing try changing the last two digits. This should give you the address someone who is physically very near to the number you are trying to identify. If their city does not match the address given as the physical address for the company or individual you are verifying it is something to be concerned about.
- The address of the company or individual. You may discover that the address given for a fake online bank is actually the address for Sea World.

Do not store confidential documents on your personal web site. It appears as though some believe that if they simply don't link to the document from a web page then no one will be able to find it. This is absolutely not true - search engines will still find and index them. If you don't believe me go to Google and enter a search similar to "confidential filetype:xls".

Do not click on any part of a popup box, even if one of the options is to close the window. Instead close them by right-clicking the corresponding object on the task bar and select "Close".

Close all popup windows as soon as possible. Some exist solely to track where you are going.

Microsoft Word files, Adobe Acrobat files and the like contain metadata that includes such information as the document creators name, company name, modification dates, etc. Take care when making such documents available on a web site. For example many companies go to great lengths to keep personnel data such as corporate directories off of their site, but one can often map a companys organizational structure by studying the metadata from the documents available on their web site.

Do not trust the privacy policies on web sites. I am no attorney but it would appear that by the time I realize a given site has compromised my information it would be almost impossible to prove how the policy read at the time I submitted my information. If such is the case then privacy policies appear to provide practically no legal protection.

Don't divulge your passwords to anyone. If a technical support person truly has the authority to maintain your user account then they will have the ability to change your password to something they know and then they will tell you what your new password is.

If you have a somewhat unusual name, "ego surf" on a regular basis. This simply entails using a search engine to search on your name. You are likely to find such things as:

- People who quoted you without your approval or knowledge.

- Your inclusion in someone's family tree. Since your mothers' maiden name is a common identity verification question the consequences can be costly.
- Your personal information that someone else unknowingly divulged.

Use care when posting to newsgroups. Over time your postings can reveal a lot about your personal and professional lives.

The Internet is a public place accessible by millions of people. Don't put any information there that you don't want them all to know.

Keep an eye on the URL when following links. Poorly written web pages may be sending personal information in clear text. Look for parameters such as your name or account number within the text of the address bar.

Unless you intend to be contacted in the future there is no reason to provide valid information when registering on a web site. There are several companies who believe I am a 13-year-old mother of eight with a doctorate in sheep shearing.

Use a different user name and password for every web site with which you register. Should your user account be compromised this will help you identify the source. There are several encryption programs available that can help you manage numerous user accounts.

Some sites ask for a secret question when you create an account to facilitate the resetting of a forgotten password. Use a combination that doesn't make sense, for example "My favorite color - monkey". Like passwords you should use a different secret question combination for each web site.

FTP

FTP like Telnet possesses the shortcoming of sending both you user name and passwords in clear text. If at all possible use a method that encrypts the entire session like sftp or ssh.

When accessing an FTP server that allows anonymous access you will be prompted to enter your email address as your password. It is not necessary for you to provide your real email address so don't give it to them. Since the entries are logged I typically use an address like recon@cia.gov as a password in hopes of making the administrator of the server paranoid. Note that passwords for accounts that are not anonymous are not logged.

IRC and Instant Messaging

IRC and Instant Messaging are a social engineers dream -- anonymity is easily achieved and it is easy to lure people into saying and doing things that they shouldn't. Personally I feel the benefits of the services are not worth the risk involved so I avoid them altogether. Email is fast enough for me.

Conclusion

If you have difficulty remembering all of the aforementioned suggestions, at the very least try to keep the following principles in mind:

- Personal information is a gift. Once it is given you can't get it back, and you have no control over what the recipient does with it.
- Predictability decreases security.
- Connecting to any network increases risk.
- Any information that leaves the boundaries of your brain can be compromised.
- Pressure tactics are indicative of fraud.
- Security measures are intended to impede attacks, not to prevent them.