What I Learned: Three Gems from Peter Jungck

Posted on December 10, 2010 by Kate Bladow

Quarterly, the University of Maryland, Baltimore County hosts the Visionaries in Information Technology Forum. Peter Jungck, the Vice-President/CTO of CloudShield Technologies, Inc., was their latest speaker and explained why technology systems need to be protected from unknown as well as known threats.

As I listened to him speak, I jotted down three highlights to share with you:

  • Security threats come from a variety of sources: script kiddies, hackers and crackers, insiders, competitors, organized crime, and cyber warriors. (I've listed them in order of increasing technical skill and resources.)
  • Mr. Jungck encouraged the audience to approach securing systems as if "your network is already compromised and you will never be completely secure." Scary, huh? Think about it--how many people have touched your computer before you got it? Those people have compromised your computer before it arrived at your office.
  • Everyone in an organization has some responsibility for security. HR may not be responsible for deleting user accounts when a staff member is fired, but they are responsible for notifying the IT Department that the accounts need to be deleted.

Want to hear Peter Jungck's entire lecture? Shortly, it should be posted on UMBCtube, UMBC's YouTube channel. - K

Tags: ,

Talking Tech in Big Sky Country

Posted on September 20, 2010 by Kate Bladow

This week, I'm at Montana Legal Services Association's Annual Training in Helena, Montana and am thrilled to be spending a few days with my former co-workers. They invited me to talk with them about technology: first about computer and information security and then technology tips for poverty law advocates. Later, I'll post a summary of the presentations here on techno.la.

But, in the meantime, I'll whet your appetite with two neat tools I found while doing research.

Any tech tip or security precautions that you think the Montana Legal Services Association staff needs to know? Let me know in the comments, and I'll pass it on. - K

Tags: ,

What I'm Reading: September 17

Posted on September 17, 2010 by Kate Bladow

I come across so many articles that I'd like to blog about. Instead of saving them until I have time, which could be a while, here's a quick review of what I've been reading.

Enjoy! - K

Tags: , ,

Explaining Good Password Practices (Again)

Posted on August 4, 2010 by Kate Bladow

Given my interest in helping people create strong passwords and my adoration of Common Craft's simple videos that explain technical topics, I would be remiss if I didn't point out Common Craft's newest video: Secure Passwords. In three and a half minutes, this video explains why passwords need to be secure, how to create strong passwords, and why you shouldn't give anyone else your password. - K

 

Tags: ,

How Secure Do Computer Systems Have to Be?

Posted on June 1, 2010 by Kate Bladow

Security is a frequent topic on the LSTech e-mail list, and although everyone agrees that security is important, the community has differing opinions on the level of risk faced by legal aid organizations. So, when catching up on reading over the weekend, a quote from the article "A San Francisco Technology Charity Gets a Lesson in Online Security" caught my eye:

"Especially in the last two years, the threat has gone up exponentially as hackers have gotten more sophisticated and have a greater understanding of the value of the kinds of data they can steal," says Richard Collins, who is in charge of cyber security at TechSoup. "The other main threat is that hackers are targeting smaller organizations and organizations with fewer resources now because many of the bigger ones have already made their systems more secure."

A simple analogy? Your house gets hit by thieves, not because you have the best stuff, but because you forgot to lock the door and it was easy to get in.

But fixing this problem doesn't have to be expensive. The article above even gives you the first step-train your staff. Three areas to cover:

Use secure passwords.
Not every password needs to be a long string of gibberish that only a savant could remember, but every password should contain a combination of at least 7 letters, numbers, or symbols.

Resources on creating secure passwords:

Watch what you click.
You need to watch what you click every time that you click, and if you click a malicious link and know it, say something to your tech person immediately.

Resources on identifying what not to click:

Connect carefully.
If you take a laptop home, use USB keys to transfer information, or view files over public WiFi networks, you need to be very careful not to lose your data or give someone access to your network inadvertently.

Resources on protecting your data and network:

Are you reviewing basic computer security practices with your staff? If so, what else do you review and how often? If not, what's keeping you from getting started? Tell us in the comments below. - K

Tags: ,

Free Cloud Computing Webcasts from O'Reilly

Posted on January 12, 2010 by Kate Bladow

After I posted "We Love the Cloud; We Hate the Cloud," I noticed a tweet from Tim O'Reilly: two free webcasts on cloud computing on January 20.

  • Cloud Security & Privacy - A 75-minute look at a large number of privacy and security issues.
  • Cloud Security Deep Dive - A 90-minute session focusing on three areas--data security, identity management, and governance.

Both sessions are led by the authors of "Cloud Security and Privacy." You can register for one or both online. - K

Tags: ,

We Love the Cloud; We Hate the Cloud

Posted on January 11, 2010 by Kate Bladow

This month, the Federal Trade Commission (FTC) asked the Federal Communications Commission (FCC) to examine the security risks of cloud computing as the FCC puts together the national broadband plan. This request grew from the FTC's concerns that Americans love cloud computing but don't understand the risks of storing data on remote systems.

Cloud computing is something I've written about before (Cloud Computing Explained) and something that I've become enamored with. I like not being tied to one computer and not worrying about losing a lot of information if a computer fails.

But I know that cloud computing comes with risks that stem from no longer being in control of my data. Perhaps someone will intercept my data transfer, the provider isn't as trustworthy as their privacy policy and terms of service suggest, or maybe they don't care about security as much as they should. Each time I add data to the cloud, I need to think about whether I'm okay with the risk.

For a more in-depth analysis of the security Software as a Service (SaaS), a type of cloud computing, check out two articles from Idealware: Is SaaS more secure? and SaaS and Security - the Response! - K

 

Tags: , ,

Protecting Your Identity Online

Posted on November 23, 2009 by Kate Bladow

Do you have an online thief or two on your holiday gift list? If so, ComputerWorld highlights five ways to give them the gifts they want: your data and money. For the rest of us, the FTC offers guidelines we can use to protect ourselves while online. - K

Tags: ,

Passwords Leaked from Major Webmail Services

Posted on October 6, 2009 by Kate Bladow

The BBC, Lifehacker, and many other sources are reporting that Gmail, AOL, Yahoo, Hotmail, Comcast, and Earthlink passwords were made public. While these passwords were gathered through phishing and the incident wasn't the fault of any of the providers, to me it seems like as good of a day as any to change my passwords for these services. - K

Tags: ,

April 1: Revenge of the Botnet

Posted on March 20, 2009 by Kate Bladow

In late January, Technola reported the existence of the Confickr botnet. The scariest part of that report: experts weren't certain how the botnet was going to be used or when. Well, they now know a bit more.

First, the good news. According to the New York Times, experts know when the botnet is supposed to be activated--April 1.  The bad news? Confickr has mutated to make itself even more difficult to remove. And researchers still don't know what the botnet is intending to be used for. - K

Tags: , ,

Security Updates Available for Adobe Reader 9 and Acrobat 9

Posted on March 13, 2009 by Matthew Burnett

A critical vulnerability has been found in Adobe Reader 9 and Acrobat 9 and earlier versions. Here is the information available from the Adobe site:

This vulnerability would cause the application to crash and could potentially allow an attacker to take control of the affected system. There are reports that this issue is being exploited.

Adobe recommends users of Adobe Reader and Acrobat 9 update to Adobe Reader 9.1 and Acrobat 9.1. Adobe is planning to make available updates for Adobe Reader 7 and 8, and Acrobat 7 and 8, by March 18. In addition, Adobe plans to make available Adobe Reader 9.1 for Unix by March 25.

More information and the updates are available here. -M

Tags: ,

Recent Hack Points Out Bad Passwords

Posted on February 10, 2009 by technola

Andy Carvin pointed out an article that looks at the passwords that users choose when they aren't forced to use secure passwords. Turns out 123456, password1, and dragon are not good passwords. But you already knew that, right? - K

Tags:

Virus Hampers Work of Houston Municipal Courts

Posted on February 9, 2009 by technola

The Houston Chronicle reports that the Houston Municipal Courts were struck with a virus last week. While only 475 of their 16,000+ computers were affected, the courts had to suspend minor arrests and cancel hearings. - K

Tags:

ABA Site-tation Gets a New Look

Posted on January 30, 2009 by technola

ABA Site-tation, a blog that covers technology issues facing the legal community, recently re-launched at a new address and with an updated look. Check out the the great information it offers on security, online tools, and mobile computing. - K

Tags: , ,

An Update on the Botnet

Posted on January 23, 2009 by technola

I was asked this morning, "How do I know if I'm a part of the botnet or at risk of becoming part of the botnet that you mentioned in your last post?" I'm not an expert, but here are a few resources that I found this morning:


The good news that I found from F-Secure: as of Thursday, January 13, 2009, only about 4,000 of the infected computers were in the US. The bad news: the number of infected computers has increased dramatically since then. - K

Tags:

Are You Part of the New Botnet?

Posted on January 23, 2009 by technola

In October 2008, Microsoft released an out-of-band update, or a critical update that is released outside of the normal update schedule. Well, for those of you who didn't update your systems, it might well be too late. The New York Times reports that this vulnerability is now being exploited and has already infected nine million computers.

What's going to happen if your computer is infected? Experts say that it will become part of a huge botnet; however, they don't know what that botnet will be used for. At the least, it sounds likely that your IT staff will be clearing up a mess with your computer, apologizing to your ISP, and attempting to get them to not classify all of your organization's outgoing e-mail as spam. A more serious prospect--it captures client information, like social security numbers, or modifies files, like your accountant's records.

My favorite quote from the article:

"I don't know why people aren't more afraid of these programs," said Merrick L. Furst, a computer scientist at Georgia Tech. "This is like having a mole in your organization that can do things like send out any information it finds on machines it infects."

Security researchers don't know who created this worm, but from their comments, they suspect that it was someone who knew what he or she was doing. - K

Tags:

Benchmarks for Creating a Stable and Secure Network

Posted on January 14, 2009 by technola

Last year, NPower Greater DC Region, a non-profit technology assistance provider, included a little something extra in their monthly e-newsletters: twelve tips for keeping your network stable and secure. Each tip was written plainly, intended for accidental techies, non-profit managers, and others who need an introduction to the basic characteristics of a high-quality network.

So what are those twelve benchmarks?


  1. Ensure all PCs have the minimum configuration.

  2. Standardize the OS Platform.

  3. Network your office computers or get a file server.

  4. Give your staff broadband access.

  5. Install a hardware firewall.

  6. Secure your wireless networks.

  7. Backup mission critical data and establish recovery processes.

  8. Protect your e-mail.

  9. Patch your web browsers and be careful what you download.

  10. Establish effective security plans.

  11. Document your technical infrastructure.

  12. Have regular, competent tech support.


So are there any benchmarks that surprised you? Or anything you think that they missed? - K

Tags:

Tell Them Why You Don't Like Email Attachments

Posted on December 17, 2008 by Kate Bladow

If you are a techie, I know that you've told your staff that e-mail attachments are dangerous. In fact, I'm pretty sure that you've said it more than once. But have you told them why?

No, not the explanations of "because you'll get a virus" or "they put the network's security at risk" or "it creates more work for me." You and I know what these reasons imply. But do your staff know why getting a virus is bad or why you have to work so hard to get rid of it?

Let them know plainly that this is also about advocacy and the best interests of their clients. It is about stopping the abusive spouse who wants to access the case management system to get his ex-wife's current name and address or the opposing party who wants to check out your firm's strategy, arguments, and evidence. Remind them that you can't protect the system from intrusions alone and need their help. They need to be careful about the e-mail attachments that they choose to open and let you know as soon as possible if they think that they've made a mistake.

If you need help putting together an easy-to-understand example for your staff, check out Mitigation Monday: Defense Against Malicious E-mail Attachments. It starts with an example scenario that you can easily customize for your firm. And then it gives you a list of defenses that you can implement to help your staff avoid making mistakes. - K

Tags:

Free Friday: Stop Spam Webinar

Posted on December 5, 2008 by Matthew Burnett

On Tuesday, December 9th at 10:00 a.m. Pacific, TechSoup Global will be hosting a free webinar on stopping spam. Kami Griffiths will interview Eytan Urbas from Mailshell to help nonprofits understand how they can save money and keep their inboxes secure. You can register online here, and send questions to kami@techsoupglobal.org. -M

Tags: , , ,

Free Friday: Snort & Snort Rules

Posted on November 7, 2008 by Kate Bladow

A key responsibility for system administrators is to keep unauthorized people out, and it's not an easy job. The security landscape changes rapidly, and hackers start to use new tactics even before their current methods fail. News stories of data theft from multi-million dollar companies are becoming more frequent.

While legal aid organizations are not high-profile targets, their system administrators still need to keep their guards up. Legal aid organizations collect a lot of valuable information, including social security numbers, evidence and arguments for court cases, and names, phone numbers, and addresses of domestic violence survivors, who are likely trying to avoid being found. And as we all know, legal aid programs don't have a whole lot of extra money to spend on fancy security systems.

Fortunately, there is a free option: SNORT. SNORT is an open-source network intrusion prevention and detection system. System administrators give SNORT a set of rules to follow, and SNORT analyzes your network traffic based on those rules. It alerts you to probes, attacks, and other things that aren't quite right. A special Free Friday bonus: Emerging Threats, which is funded by the National Science Foundation and the Army Research Office, has a set of SNORT rules available for free.

Granted, the total cost of ownership of this software is not free. There is a significant learning curve; however, there are additional free resources to help system administrators learn how to use the tool and a large user community, including Snort User Groups, that system administrators can turn to with questions. - K

Tags: ,

How Strong Are Your Passwords?

Posted on November 6, 2008 by Kate Bladow

Everyone has a different scheme for creating passwords. Perhaps it's your favorite book titles, strings of random characters that make sense to you, or your children's names. Ideally, your scheme follows recognized best practices: using a combination of letters, numbers, and symbols, having more than seven characters, not using easy-to-guess words, and never using the same password twice. Myself, I'm becoming a huge fan of SafePasswd, because it means that I get closer to following these recommendations without having to come up with any passwords on my own.

But even if you employ these best practices, do you know how strong your passwords is? Or for those weak passwords that you just never get around to changing, do you know how quickly they can be cracked? To find out, try Hackosis' Brute Force Calculator. Enter how many upper case letters, lower case letters, numbers, and special characters that you have in your password, and it will tell you how long it will take to crack your password. The results might surprise you. - K

Tags:

Security News Highlights

Posted on August 21, 2008 by Kate Bladow

Lately, I've been running across stories about computer security that run the gamut from trivial to terrifying. For example:

The good news is that TechSoup.org is currently putting on a Special Security Event, so you can learn about what you need to do to protect yourself. - K

Tags: , , ,

Passwords Are Broken. What Now?

Posted on August 12, 2008 by Kate Bladow

On Saturday, The New York Times was brave enough to say what we all know: Passwords are inherently insecure. And this insecurity can't be blamed on the users who write passwords down and post them on their computer monitors, use one of the common passwords, or don't change their passwords often enough. Even if users followed these basic rules, passwords still wouldn't work because the log-on procedure itself is risky due to phishing, keystroke logging, and other security threats.

While the article suggests using an alternative that depends on cryptography instead of mnemonics, currently it looks like there isn't a good solution for this problem. (For those of you who are suggesting biometrics, fingerprints aren't as secure as you would think: Burn Notice taught me that a copy of the fingerprint is left on the scanner and can be pulled off with Play-Doh to be used again.)

So since it looks like it will be a while until there is an accepted replacement for passwords, I've pulled together some resources to help you educate your users about password security.

Tags: , ,

Dangerous Websites

Posted on August 4, 2008 by Kate Bladow

Are you still trying to convince staff that there are certain websites that they don't need to look at while at work? You know, the sites where they are likely to pick up a nasty little virus and make a huge mess that you are going to be responsible for cleaning up? Well, McAfee feels your pain. To help with your ongoing efforts to educate your co-workers, they dug in and researched the most dangerous websites. You can check out their report for the full details, but it looks like you need to focus on keeping your staff away from .hk, .ch, and .info. - K

Tags: