HACKERS AND PASSWORD PROTECTION
E-mail can transmit hundreds of pages of text throughout the world in a few minutes. Most experts recommend, however, that particularly sensitive information (e.g., medical and financial records) be sent by alternative means. This is due in part to the lack of security on the Internet.
Although a user needs a password to send E-mail, typically no real barriers exist to entering another user's area and reading that person's mail. Hackers are expert network users who specialize in illegal access and manipulation of user areas. In 1993, there were 1334 confirmed hacking incidents on the Internet. [22]
By using privacy-enhanced mail (PEM), Internet users can use cryptography to decode and encode their messages. Under PEM, each user is given two numbers, known as keys, that lock and unlock computerized messages. One number is the public key, which is freely distributed. The other number is the private key, which is kept secret.
A user can send secure mail by typing in the recipient's public key, which is public information. The recipient then has to apply his private key to decode the message, so only that person can read the message. The system can also verify the sender's signature, which is made with the sender's private key; the recipient can unlock it using the sender's public key. Messages are then secure as long as a user's private key is kept secret. [23]
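The exchange described above, as an added example that is not PEM's own code: the sender locks the message with the recipient's public key and signs it with his own private key, and the recipient reverses both steps. It assumes textbook RSA with fixed Mersenne primes so the run is reproducible; the function names and key values are constructed for illustration and are far too weak for real mail.

```python
# Textbook RSA without padding, for illustration only (not secure).
import hashlib

E = 65537  # public exponent shared by both key pairs

def make_keypair(p, q):
    """Return (public, private) keys as (exponent, modulus) pairs."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # private exponent
    return (E, n), (d, n)

def encrypt(message, recipient_public):
    e, n = recipient_public
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for this toy modulus")
    return pow(m, e, n)

def decrypt(ciphertext, recipient_private):
    d, n = recipient_private
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

def _digest(message, n):
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(message, sender_private):
    d, n = sender_private
    return pow(_digest(message, n), d, n)

def verify(message, signature, sender_public):
    e, n = sender_public
    return pow(signature, e, n) == _digest(message, n)

# Constructed keys (assumption): known primes keep the example deterministic.
SENDER_PUB, SENDER_PRIV = make_keypair(2**61 - 1, 2**89 - 1)
RECIP_PUB, RECIP_PRIV = make_keypair(2**107 - 1, 2**127 - 1)

def send(message):
    """Sender side: needs only the recipient's PUBLIC key and own PRIVATE key."""
    return encrypt(message, RECIP_PUB), sign(message, SENDER_PRIV)

def receive(ciphertext, signature):
    """Recipient side: own PRIVATE key to read, sender's PUBLIC key to verify."""
    message = decrypt(ciphertext, RECIP_PRIV)
    return message, verify(message, signature, SENDER_PUB)
```
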
To protect E-mail and other data, the following recommendations will prove useful to individuals and organizations: [24]
- Passwords should be changed frequently. A password should never be written down, especially next to a terminal.
- Passwords should never be given out to anyone, especially if someone claims to be an employee of the computer network. Such requests should be reported to the system administrator.
- Passwords should never be included in E-mail messages.
- English words should not be used as passwords. Hackers can run dictionary programs that attempt every word in the English language as a password.
- Passwords that contain personal information (e.g., nicknames, children's names, spouses' names, or birth dates) should be avoided. A hacker can determine a user's password based on personal information.
- Immediate steps should be taken to disable an employee's password when that employee leaves the organization.
- Many organizations require that users change their passwords on a regular basis and not reuse them. If a user feels that a password is no longer secure, the system administrator should be contacted for a new password. If an employee does choose to take this action, it should never be used as an indication that the employee is less than scrupulous with his or her use of the computer network.
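One way an administrator could enforce the dictionary-word and personal-information recommendations above when a user proposes a new password (an added example, not from the original article). The word list, user profile, substitution table and function names are all constructed for illustration; a real deployment would load a full dictionary file.

```python
import re

# Constructed sample list; a real deployment loads a full dictionary file.
DICTIONARY = {"password", "welcome", "dragon", "sunshine", "baseball"}
LEET = str.maketrans("013457@$!", "oleastasi")  # undo common substitutions
PADDING = "0123456789!@#$%^&*?.-_"              # decoration around a word

def letters(text):
    return re.sub(r"[^a-z]", "", text.lower())

def word_forms(candidate):
    """Letter-only readings of the candidate that a dictionary program tries."""
    lowered = candidate.lower()
    return {letters(lowered.translate(LEET)),
            letters(lowered.strip(PADDING).translate(LEET))}

def screen_password(candidate, personal=()):
    """Return the reasons a proposed password should be rejected."""
    reasons = []
    forms = word_forms(candidate)
    if forms & DICTIONARY:
        reasons.append("dictionary word")
    digits = re.sub(r"\D", "", candidate)
    for item in personal:
        name, number = letters(item), re.sub(r"\D", "", item)
        by_name = len(name) >= 3 and any(name in f for f in forms)
        by_date = len(number) >= 4 and number in digits
        if by_name or by_date:
            reasons.append(f"personal information: {item}")
    return reasons

# Constructed user record: nickname, child's name, birth year.
PROFILE = ("Buddy", "Megan", "1961")
```

An empty list means the password passed both checks; it does not mean the password is strong, only that it is not a decorated dictionary word or built from the listed personal details.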
Until a more secure method of transmitting E-mail is developed, users should remain cautious about what they send and store on the Internet. It is often a good idea to rely on alternative means of sending messages.
RECOMMENDED COURSE OF ACTION
The Internet and E-mail have drastically changed the ways in which society does business. As with any new technology, problems can develop. The following recommendations should be beneficial in reducing problems:
- Individuals should be extremely careful of what they send in E-mail. If a document should not be left in clear view on a desk overnight, an alternate method to transmit the document should be used.
- Policies should be clearly defined. If an organization chooses to ban personal messages from its E-mail system, this policy should be explicitly spelled out to all employees.
- Organizations should respect the privacy of their employees. E-mail should not be read unless a crucial reason for doing so is evident. If such actions are necessary, they should be conducted on a short-term basis. Employee privacy and corporate personnel procedures should be honored.
- Organizations should be extremely careful to ensure that software is purchased from legitimate vendors. Illegal copies of copyrighted software are frequently downloaded from bulletin boards. Use of this software could be disastrous to an organization.
Organizations and individuals must take serious steps to ensure that communications are secure and confidential. Common sense, restraint, and a high level of integrity should be exercised by all parties involved.
References
- 1. Newsletter Faces Libel Suit for Flaming on Internet, Wall Street Journal, April 22, 1994, p. B1.
- 2. Krol, E., Whole Internet, Sebastopol, CA: O'Reilly & Associates, Inc., 1994, p. 13.
- 3. Harowitz, S., Building Security into Cyberspace, Security Management, June 1994, p. 54.
- 4. Nelson, C.L. Employers Have No Right to Snoop Through Mail, Computerworld, June 27, 1994, p. 135.
- 5. Hacked Off, Sporting News, March 7, 1994, p. 6.
- 6. Katz vs. U.S. 389 U.S. 347, 88 S.Ct. 507, 1967.
- 7. Schowengerdt vs. U.S., 944 F.2d 483, 9th Cir. 1991.
- 8. 18 U.S.C. §2510 et seq.
- 9. 18 U.S.C. §2703.
- 10. Cubby vs. CompuServe, 776 F. Supp 135, SDNY 1991.
- 11. Wiener, Free Speech on the Internet, The Nation, June 13, 1994, p. 825.
- 12. Cyberspace Swindles: Old Scams, New Twists, New York Times, July 16, 1994, p. A35.
- 13. Cortese, Warding Off the Cyberspace Invaders, Business Week, March 13, 1995, p. 92.
- 14. Crimes of the Net, Newsweek, Nov. 14, 1994, p. 46.
- 15. Gunn, Law and Disorder on the Internet, PC Magazine, March 14, 1995, p. 30.
- 16. Fisher, S. Riding the Internet Highway, Indianapolis IN: New Riders Publishing, 1993, pp. 33-37.
- 17. Seeking Victims in Cyberspace, U.S. News & World Report, Sept. 19, 1994, p. 73.
- 18. Wiener, Free Speech on the Internet, Nation, June 13, 1995, p. 69.
- 19. Ness, Big Brother @ Cyberspace, Progressive, December 1994, p. 22.
- 20. Miller vs. California, 413 U.S. 15, 1973.
- 21. Who Speaks for Cyberspace? The Economist, Jan. 14, 1995, p. 69.
- 22. Kierman, Internet Wide Open to Hacker Attack, New Scientist, April 2, 1994, p. 8.
- 23. Protecting E-mail, Technology Review, August/September 1992, p. 11.
- 24. Wilson, Computing Insecurity, Chronicle of Higher Education, Feb. 16, 1994, p. A25.