Free Cloud Computing Webcasts from O'Reilly

After I posted "We Love the Cloud; We Hate the Cloud," I noticed a tweet from Tim O'Reilly: two free webcasts on cloud computing on January 20.

  • Cloud Security & Privacy - A 75-minute look at a large number of privacy and security issues.
  • Cloud Security Deep Dive - A 90-minute session focusing on three areas--data security, identity management, and governance.

Both sessions are led by the authors of "Cloud Security and Privacy." You can register for one or both online. - K

We Love the Cloud; We Hate the Cloud

This month, the Federal Trade Commission (FTC) asked the Federal Communications Commission (FCC) to examine the security risks of cloud computing as the FCC puts together the national broadband plan. This request grew from the FTC's concerns that Americans love cloud computing but don't understand the risks of storing data on remote systems.

Cloud computing is something I've written about before (Cloud Computing Explained) and something that I've become enamored with. I like not being tied to one computer and not worrying about losing a lot of information if a computer fails.

But I know that cloud computing comes with risks that stem from no longer being in control of my data. Perhaps someone will intercept my data transfer, the provider isn't as trustworthy as their privacy policy and terms of service suggest, or maybe they don't care about security as much as they should. Each time I add data to the cloud, I need to think about whether I'm okay with the risk.

For a more in-depth analysis of the security of Software as a Service (SaaS), a type of cloud computing, check out two articles from Idealware: Is SaaS more secure? and SaaS and Security - the Response! - K

Protecting Your Identity Online

Do you have an online thief or two on your holiday gift list? If so, ComputerWorld highlights five ways to give them the gifts they want: your data and money. For the rest of us, the FTC offers guidelines we can use to protect ourselves while online. - K

Passwords Leaked from Major Webmail Services

The BBC, Lifehacker, and many other sources are reporting that Gmail, AOL, Yahoo, Hotmail, Comcast, and Earthlink passwords were made public. While these passwords were gathered through phishing and the incident wasn't the fault of any of the providers, to me it seems like as good a day as any to change my passwords for these services. - K

April 1: Revenge of the Botnet

In late January, Technola reported the existence of the Conficker botnet. The scariest part of that report: experts weren't certain how the botnet was going to be used or when. Well, they now know a bit more.

First, the good news. According to the New York Times, experts know when the botnet is supposed to be activated--April 1. The bad news? Conficker has mutated to make itself even more difficult to remove. And researchers still don't know what the botnet is intending to be used for. - K

Security Updates Available for Adobe Reader 9 and Acrobat 9

A critical vulnerability has been found in Adobe Reader 9 and Acrobat 9 and earlier versions. Here is the information available from the Adobe site:

This vulnerability would cause the application to crash and could potentially allow an attacker to take control of the affected system. There are reports that this issue is being exploited.

Adobe recommends users of Adobe Reader and Acrobat 9 update to Adobe Reader 9.1 and Acrobat 9.1. Adobe is planning to make available updates for Adobe Reader 7 and 8, and Acrobat 7 and 8, by March 18. In addition, Adobe plans to make available Adobe Reader 9.1 for Unix by March 25.

More information and the updates are available here. -M

Recent Hack Points Out Bad Passwords

Virus Hampers Work of Houston Municipal Courts

The Houston Chronicle reports that the Houston Municipal Courts were struck with a virus last week. While only 475 of their 16,000+ computers were affected, the courts had to suspend minor arrests and cancel hearings. - K

ABA Site-tation Gets a New Look

ABA Site-tation, a blog that covers technology issues facing the legal community, recently re-launched at a new address and with an updated look. Check out the great information it offers on security, online tools, and mobile computing. - K

An Update on the Botnet

I was asked this morning, "How do I know if I'm a part of the botnet or at risk of becoming part of the botnet that you mentioned in your last post?" I'm not an expert, but here are a few resources that I found this morning:

The good news that I found from F-Secure: as of Thursday, January 13, 2009, only about 4,000 of the infected computers were in the US. The bad news: the number of infected computers has increased dramatically since then. - K

Are You Part of the New Botnet?

In October 2008, Microsoft released an out-of-band update, or a critical update that is released outside of the normal update schedule. Well, for those of you who didn't update your systems, it might well be too late. The New York Times reports that this vulnerability is now being exploited and has already infected nine million computers.

What's going to happen if your computer is infected? Experts say that it will become part of a huge botnet; however, they don't know what that botnet will be used for. At the least, it sounds likely that your IT staff will be clearing up a mess with your computer, apologizing to your ISP, and attempting to get them to not classify all of your organization's outgoing e-mail as spam. A more serious prospect--it captures client information, like social security numbers, or modifies files, like your accountant's records.

My favorite quote from the article:

"I don't know why people aren't more afraid of these programs," said Merrick L. Furst, a computer scientist at Georgia Tech. "This is like having a mole in your organization that can do things like send out any information it finds on machines it infects."

Security researchers don't know who created this worm, but from their comments, they suspect that it was someone who knew what he or she was doing. - K

Benchmarks for Creating a Stable and Secure Network

Last year, NPower Greater DC Region, a non-profit technology assistance provider, included a little something extra in their monthly e-newsletters: twelve tips for keeping your network stable and secure. Each tip was written plainly, intended for accidental techies, non-profit managers, and others who need an introduction to the basic characteristics of a high-quality network.

So what are those twelve benchmarks?

  1. Ensure all PCs have the minimum configuration.
  2. Standardize the OS platform.
  3. Network your office computers or get a file server.
  4. Give your staff broadband access.
  5. Install a hardware firewall.
  6. Secure your wireless networks.
  7. Back up mission-critical data and establish recovery processes.
  8. Protect your e-mail.
  9. Patch your web browsers and be careful what you download.
  10. Establish effective security plans.
  11. Document your technical infrastructure.
  12. Have regular, competent tech support.

So are there any benchmarks that surprised you? Or anything you think that they missed? - K

Tell Them Why You Don't Like Email Attachments

If you are a techie, I know that you've told your staff that e-mail attachments are dangerous. In fact, I'm pretty sure that you've said it more than once. But have you told them why?

No, not the explanations of "because you'll get a virus" or "they put the network's security at risk" or "it creates more work for me." You and I know what these reasons imply. But do your staff know why getting a virus is bad or why you have to work so hard to get rid of it?

Let them know plainly that this is also about advocacy and the best interests of their clients. It is about stopping the abusive spouse who wants to access the case management system to get his ex-wife's current name and address or the opposing party who wants to check out your firm's strategy, arguments, and evidence. Remind them that you can't protect the system from intrusions alone and need their help. They need to be careful about the e-mail attachments that they choose to open and let you know as soon as possible if they think that they've made a mistake.

If you need help putting together an easy-to-understand example for your staff, check out Mitigation Monday: Defense Against Malicious E-mail Attachments. It starts with an example scenario that you can easily customize for your firm. And then it gives you a list of defenses that you can implement to help your staff avoid making mistakes. - K

Free Friday: Snort & Snort Rules

A key responsibility for system administrators is to keep unauthorized people out, and it's not an easy job. The security landscape changes rapidly, and hackers start to use new tactics even before their current methods fail. News stories of data theft from multi-million dollar companies are becoming more frequent.

While legal aid organizations are not high-profile targets, their system administrators still need to keep their guard up. Legal aid organizations collect a lot of valuable information, including social security numbers, evidence and arguments for court cases, and names, phone numbers, and addresses of domestic violence survivors, who are likely trying to avoid being found. And as we all know, legal aid programs don't have a whole lot of extra money to spend on fancy security systems.

Fortunately, there is a free option: SNORT. SNORT is an open-source network intrusion prevention and detection system. System administrators give SNORT a set of rules to follow, and SNORT analyzes your network traffic based on those rules. It alerts you to probes, attacks, and other things that aren't quite right. A special Free Friday bonus: Emerging Threats, which is funded by the National Science Foundation and the Army Research Office, has a set of SNORT rules available for free.

Granted, the total cost of ownership of this software is not free. There is a significant learning curve; however, there are additional free resources to help system administrators learn how to use the tool and a large user community, including Snort User Groups, that system administrators can turn to with questions. - K

How Strong Are Your Passwords?

Everyone has a different scheme for creating passwords. Perhaps it's your favorite book titles, strings of random characters that make sense to you, or your children's names. Ideally, your scheme follows recognized best practices: using a combination of letters, numbers, and symbols, having more than seven characters, not using easy-to-guess words, and never using the same password twice. Myself, I'm becoming a huge fan of SafePasswd, because it means that I get closer to following these recommendations without having to come up with any passwords on my own.

But even if you employ these best practices, do you know how strong your passwords are? Or for those weak passwords that you just never get around to changing, do you know how quickly they can be cracked? To find out, try Hackosis' Brute Force Calculator. Enter how many upper case letters, lower case letters, numbers, and special characters you have in your password, and it will tell you how long it will take to crack your password. The results might surprise you. - K
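To show the arithmetic behind a calculator of this kind, here is an added example (not the Hackosis tool or its code) that counts the character classes in a password, sizes the exhaustive search space the way such calculators do, and converts it to time at an assumed guess rate. The one-billion-guesses-per-second default is a constructed figure, not a measurement.

```python
import string

# Sizes of the four character classes the calculator asks about.
# 32 is the number of printable ASCII punctuation characters.
CLASS_SIZES = {"upper": 26, "lower": 26, "digit": 10, "symbol": 32}


def classify(password: str) -> dict:
    """Count upper-case, lower-case, digit and symbol characters."""
    counts = {"upper": 0, "lower": 0, "digit": 0, "symbol": 0}
    for ch in password:
        if ch in string.ascii_uppercase:
            counts["upper"] += 1
        elif ch in string.ascii_lowercase:
            counts["lower"] += 1
        elif ch in string.digits:
            counts["digit"] += 1
        else:
            counts["symbol"] += 1
    return counts


def keyspace(counts: dict) -> int:
    """Worst-case candidates for an exhaustive search.

    The attacker is assumed to know which classes are present, so the
    alphabet is the union of those classes and the space is size ** length.
    Note this model ignores wordlists: 'Password1' falls to a dictionary
    attack long before 62**9 guesses are tried.
    """
    alphabet = sum(CLASS_SIZES[name] for name, n in counts.items() if n > 0)
    return alphabet ** sum(counts.values())


def worst_case_seconds(password: str, guesses_per_second: int = 1_000_000_000) -> float:
    """Seconds to exhaust the keyspace at the (assumed) guess rate."""
    return keyspace(classify(password)) / guesses_per_second


def describe(password: str, guesses_per_second: int = 1_000_000_000) -> str:
    """One-line estimate such as 'letmein: 26^7 candidates, about 2.5e-07 years'."""
    counts = classify(password)
    alphabet = sum(CLASS_SIZES[name] for name, n in counts.items() if n > 0)
    years = worst_case_seconds(password, guesses_per_second) / (365 * 24 * 3600)
    return f"{password}: {alphabet}^{len(password)} candidates, about {years:.2g} years"


if __name__ == "__main__":
    # Constructed samples: length adds far more search space than mixing classes.
    for pw in ["letmein", "Letme1n!", "Password1", "correcthorsebattery"]:
        print(describe(pw))
```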

Security News Highlights

Lately, I've been running across stories about computer security that run the gamut from trivial to terrifying. For example:

The good news is that TechSoup.org is currently putting on a Special Security Event, so you can learn about what you need to do to protect yourself. - K

Passwords Are Broken. What Now?

On Saturday, The New York Times was brave enough to say what we all know: Passwords are inherently insecure. And this insecurity can't be blamed on the users who write passwords down and post them on their computer monitors, use one of the common passwords, or don't change their passwords often enough. Even if users followed these basic rules, passwords still wouldn't work because the log-on procedure itself is risky due to phishing, keystroke logging, and other security threats.

While the article suggests using an alternative that depends on cryptography instead of mnemonics, currently it looks like there isn't a good solution for this problem. (For those of you who are suggesting biometrics, fingerprints aren't as secure as you would think: Burn Notice taught me that a copy of the fingerprint is left on the scanner and can be pulled off with Play-Doh to be used again.)

So since it looks like it will be a while until there is an accepted replacement for passwords, I've pulled together some resources to help you educate your users about password security.

Dangerous Websites

Are you still trying to convince staff that there are certain websites that they don't need to look at while at work? You know, the sites where they are likely to pick up a nasty little virus and make a huge mess that you are going to be responsible for cleaning up? Well, McAfee feels your pain. To help with your ongoing efforts to educate your co-workers, they dug in and researched the most dangerous websites. You can check out their report for the full details, but it looks like you need to focus on keeping your staff away from .hk, .ch, and .info. - K