DEPARTMENT OF ENERGY
INFORMATION SECURITY RESOURCE CENTER
PACIFIC NORTHWEST NATIONAL LABORATORY


ADVISORY NOTICE No. 13
February 6, 1997

INTERNET BROWSER SECURITY CONCERNS



SUMMARY

Internet browsers such as Netscape Navigator and Microsoft Explorer are used throughout the Department of Energy (DOE) to provide a user-friendly connection to World Wide Web sites. It should be understood that certain risks are accepted when using these applications, such as unintentionally transferring user information to the Web site host. Under certain circumstances, this risk could outweigh the benefit received from the Internet interaction. For example, a recently established World Wide Web site sponsored by North Korea could be used to collect information from visitors rather than provide news items and other information as promoted.

Internet users throughout DOE should be aware of potential information assurance and security concerns and should exercise caution when visiting Web sites, for example those known or suspected to be affiliated with foreign interests such as intelligence organizations or US business competitors. Individual users should assess the risk versus the benefit of connecting to these or other potentially suspect sites. Users also should be cognizant that some suspect sites, including those affiliated with foreign interests, could operate from locations in the US.


BACKGROUND

While it is well known that serious vulnerabilities have been identified with executable files called "applets" (small applications) such as Java and ActiveX, this advisory focuses on an exploitable vulnerability associated with popular Internet browser applications such as Netscape Navigator and Microsoft Explorer.

Users can unknowingly or unintentionally provide information through these browsers to Web sites they visit. When you visit a Web site, it may request to transfer data back to your computer in the form of a "cookie" that will reside on your computer's hard drive. This cookie, or data file, consists of profile information about you (the user) and your computer, such as which portions of the Web site you visit, your browser type and version, and your computer's operating system. Information regarding a user's e-mail address also may be provided, which, upon examination, often contains useful identifying information, such as user name and domain (e.g., user@doe.gov).

This cookie file transfer is an inherent feature of the browser application and is intended to make your visit to a particular Web site more convenient and useful by storing information about you that the Web site can retrieve upon subsequent visits, such as your entry password or your viewing preferences. As more cookies are accepted from other sites your cookie file expands, and may contain information pertaining to other recently visited Web sites and your preferences for those sites. Any Web site with access to the cookie file can obtain the entire file.

Web browser user information provided to a Web site host via the cookie file could contribute to intelligence targeting, collections, analysis, or related activities directed against DOE and DOE contractor personnel and programs. As a result, visits to Web sites known or thought to be operated by a foreign state, other adversarial entities, or economic competitors potentially entail risk.

One recent example helps to underline some of these issues. According to recent news media reporting, North Korea has opened a World Wide Web site, ostensibly to provide news in English from the state-controlled Korean Central News Service (KCNA). The Web site is administered from Japan by the Korea News Service, the Japan-based agent for KCNA.

Other Web sites affiliated with foreign military or intelligence organizations also should be viewed with caution. For example, one published report indicates that an unidentified foreign intelligence service surreptitiously operates a Web site (a hacker bulletin board in this case) for the express purpose of collecting information.


RECOMMENDATIONS

Although connections to the Internet are not inherently threatening or dangerous, DOE and DOE contractor personnel are reminded that it is their responsibility to help determine the value versus the risks inherent in visiting Web sites throughout cyberspace.

Internet users must remain aware that popular Internet browsers can transfer specific information about the user and their computer system to Web site hosts, which could be exploited by a sophisticated adversary. Some ways to mitigate this transfer of information are:

Do not fill in any information in the browser's mail identity and server options and do not use the browser e-mail function. Use your site approved e-mail application.

Periodically delete the cookie and history file of the browser, typically located in a remote directory of the hard drive.

Periodically delete your cache file, or set the cache file size to zero bytes.

Be careful when filling out on-line forms or submitting information through Internet connections.

Turn on all security alert notification functions in the browser protocol option, especially for cookie file transfer and insecure document transmission.

Disable Java/JavaScript and ActiveX connections through the network connection option.
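As an added illustration, not part of the original advisory, the following Python script reads a browser cookie file in the Netscape cookies.txt format (the seven-field, tab-separated file Navigator kept on disk, which the recommendation above says to delete periodically), lists which sites have stored data on the machine, and purges expired entries or entries for chosen domains. The file contents, domain names and cookie values are constructed for the example.

```python
import time

# Constructed sample in Netscape cookies.txt format (domain names are placeholders).
# Fields: domain, include-subdomains flag, path, secure flag, expiry (Unix time), name, value
SAMPLE_COOKIES_TXT = """# Netscape HTTP Cookie File
.news.example\tTRUE\t/\tFALSE\t2000000000\tvisitor\tuser%40doe.gov
.news.example\tTRUE\t/\tFALSE\t900000000\tsession\tabc123
www.lab.example\tFALSE\t/docs\tTRUE\t2000000000\tprefs\tlayout=compact
"""

def parse_cookies_txt(text):
    """Return a list of cookie dicts; comment, blank and malformed lines are skipped."""
    cookies = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) != 7:
            continue  # malformed line: ignore rather than guess at its meaning
        domain, subdomains, path, secure, expires, name, value = fields
        cookies.append({
            "domain": domain, "subdomains": subdomains == "TRUE",
            "path": path, "secure": secure == "TRUE",
            "expires": int(expires), "name": name, "value": value,
        })
    return cookies

def domains_with_cookies(cookies):
    """Which sites have stored profile data on this machine (leading dot stripped)."""
    return sorted({c["domain"].lstrip(".") for c in cookies})

def purge(cookies, drop_domains=(), now=None):
    """Drop expired cookies and every cookie for a listed domain or its subdomains."""
    now = time.time() if now is None else now
    kept = []
    for c in cookies:
        host = c["domain"].lstrip(".")
        if c["expires"] <= now:
            continue
        if any(host == d or host.endswith("." + d) for d in drop_domains):
            continue
        kept.append(c)
    return kept

def serialize(cookies):
    """Write cookies back out in the same seven-field format."""
    lines = ["# Netscape HTTP Cookie File"]
    for c in cookies:
        flag = "TRUE" if c["subdomains"] else "FALSE"
        sec = "TRUE" if c["secure"] else "FALSE"
        lines.append("\t".join([c["domain"], flag, c["path"], sec,
                                str(c["expires"]), c["name"], c["value"]]))
    return "\n".join(lines) + "\n"
```

Running `purge` on the parsed file and writing the result with `serialize` gives a cookie file with only the entries the user chose to keep, rather than deleting the whole file.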


Last Updated October 2001