Archive for Security

The Story of a One-computer Miracle

The Confluence Gallery and Art Center has flourished since 1988 as a hub of the arts community in Twisp, Washington. The nonprofit gallery holds seven group and individual exhibits each year, showcasing the work of local and regional artists from North Central Washington. Special exhibitions draw from farther afield, highlighting noteworthy artists from the Pacific Northwest.

As participants in NPower’s statewide training and technology support program funded through the Greater Everett Community Foundation in 2008 and 2009, Confluence Gallery completed a Stable and Secure Assessment which pointed to a severe need to upgrade aging hardware. NPower consultants assisted Gallery staff in selecting a new desktop system, provided funds to cover the purchase (thank you GECF!), and procured software donations (Microsoft Windows and Office — thank you Microsoft!) to support key accounting and grant writing functions. In an “extreme makeover” story, Executive Director Sybil Macapia says Confluence Gallery is now in a much stronger position to support the administrative needs of the organization, and recently procured a much-needed grant that she links directly to the availability of that single new computer system.

Congratulations, Confluence staff! And thank you to the Greater Everett Community Foundation, Microsoft and our other supporters who make miracles like this one possible for nonprofits in Washington state.


Password Security

The New York Times ran an article earlier this week indicating that 20% of online users choose a simple, easily guessed password to protect their data.  Imperva, a data security vendor, examined a list of 32 million passwords that were stolen from a social network software company.  According to their analysis, the five most popular passwords are 123456, 12345, 123456789, password, and iloveyou.

While it is preferable to have a different password for each Web site or account, this is difficult for most to implement and track.  To help minimize the risk of a stolen password, experts suggest “at least two different passwords — a complex one for web sites where security is vital, such as banks and e-mail, and a simpler one for places where the stakes are lower, such as social networking and entertainment sites.”

For more information on establishing good password policies and practices, check out the following resources:

  • TechSoup’s Security Corner: Tips, articles, blog posts, and resources on securing your information.
  • NTEN: Suggestions and resources for creating strong passwords and establishing a password policy.  (Although this is an older post, it still offers relevant advice.)
  • Microsoft Security: Tips and resources to keep online activity as secure as possible, including a password checker.
  • Slate Magazine: General password tips and an algorithm for developing strong passwords.
  • Vassar Computer Center: Basic rules and examples for creating strong passwords.

The New York Times article is available on their website.  In addition, you can read Imperva’s full analysis in their white paper on Consumer Password Worst Practices.
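As an added illustration of the two points above (the most common passwords from Imperva's list, and the advice to keep a stricter password for vital accounts than for low-stakes ones), here is a small policy checker. It is example code written for this page, not NPower's or Imperva's; the two-tier thresholds and the tiny common-password list are assumptions chosen for the demo, and a real deployment would load a much larger list.

```python
import string

# The five passwords named in the post (from Imperva's analysis of the
# stolen list). Constructed stand-in for a real, much larger block list.
COMMON_PASSWORDS = {"123456", "12345", "123456789", "password", "iloveyou"}

# Hypothetical two-tier policy mirroring the post's advice: a stricter
# rule for "vital" sites (banks, e-mail) and a looser one for "low" stakes.
POLICY = {
    "vital": {"min_length": 12, "min_classes": 3},
    "low":   {"min_length": 8,  "min_classes": 2},
}


def character_classes(pw):
    """Count how many of lower/upper/digit/symbol classes the password uses."""
    checks = (
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    )
    return sum(checks)


def check_password(pw, tier):
    """Return a list of policy violations; an empty list means acceptable."""
    rules = POLICY[tier]
    problems = []
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("on the common-password list")
    if len(pw) < rules["min_length"]:
        problems.append(f"shorter than {rules['min_length']} characters")
    if character_classes(pw) < rules["min_classes"]:
        problems.append(f"uses fewer than {rules['min_classes']} character classes")
    # Catch the shape of the worst entries even when they are not on the
    # list: one repeated character, or a run of consecutive digits.
    if len(set(pw)) == 1:
        problems.append("single repeated character")
    elif pw.isdigit() and all(int(b) - int(a) == 1 for a, b in zip(pw, pw[1:])):
        problems.append("ascending digit sequence")
    return problems


if __name__ == "__main__":
    for candidate, tier in [("123456", "vital"), ("iloveyou", "low"),
                            ("Twisp-Gallery-1988!", "vital"), ("summer2009", "low")]:
        result = check_password(candidate, tier) or ["ok"]
        print(f"{tier:5} {candidate!r:24} -> {', '.join(result)}")
```

Run it and the two list entries fail every tier, while the longer mixed-character phrase passes the strict tier and the plain lowercase-plus-digits one passes only the low-stakes tier, which is exactly the split the quoted advice is after.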


Protecting Against Cyber Theft

A number of recent events have provided a reminder of the importance of security in our computing lives.  Instead of elaborating in one long blog post, I will break these out into smaller, individual discussions.  Top of mind for me today is the recent trend of cyber theft – costing businesses, schools, and other organizations tens to hundreds of thousands of dollars.

The general approach is for the attackers to use a keystroke logging program, typically placed on a computer system through a virus or malware, to steal the credentials that the organization uses to manage its bank accounts online.  A common method for placing these spies is through email promoting “too good to be true” offers like an unexpected refund/rebate or generous money making opportunity.  Once in place, these rogue programs may go undetected by your antivirus protection software.  Once the thieves have gathered the necessary bank credentials, they can then access them online to make outbound transfers to their network of accounts.  The money movement does not stop there, as the funds will be moved again and eventually land overseas.

So what can we do to help protect ourselves?  Unfortunately, in today’s wired world, we cannot insulate ourselves completely.  However, we can reduce our risks by implementing the following precautions:

  • Email: Always be mindful that not all email is good email.  Only open email from trusted sources.  And even then, if the message seems suspicious, treat it as such or check with the sender to verify before opening.
  • Antivirus: In addition to having antivirus protection software installed and running on your computers, make sure that they are being updated with the latest virus signatures.  Outdated signatures leave you at risk from new and evolving threats.  If a computer does happen to become infected, consider seriously the risk/benefit of reinstalling the operating system and applications, instead of just removing the virus.  The upfront inconvenience may reduce or eliminate future frustrations.
  • Bank Accounts: Stay vigilant in monitoring your banking activity.  In the several instances that I am aware of personally, the organization spotted the fraudulent activity itself.  Early detection will help limit the potential loss and increase the chance of recovering those funds.  In fact, failure to identify and dispute unauthorized activity on a commercial account within a couple of business days greatly reduces the likelihood of retrieving any of the money that was transferred.
  • Dedicated Terminal: To maximize protection from unwanted access, dedicate a computer for online banking and then limit it to only that activity.  Do not do any other web browsing or email from that workstation.  When you are done with your banking, turn it off until you need to access your account again.
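To make the "Bank Accounts" precaution concrete, here is an added example (not NPower's code, and not tied to any bank's export format) that runs a few simple detection rules over a constructed month of ledger entries and works out the "couple of business days" dispute window the post mentions. The rules, the sample transactions and the known-payee list are all assumptions built for the demo.

```python
from datetime import date, timedelta

# Constructed sample ledger (not real data): an organization's online banking
# activity ending with the kind of outbound transfers the post describes.
LEDGER = [
    {"date": date(2010, 1, 4),  "type": "ach_out",  "payee": "Payroll Co",         "amount": 18250.00},
    {"date": date(2010, 1, 6),  "type": "ach_out",  "payee": "Utility Board",      "amount": 412.77},
    {"date": date(2010, 1, 19), "type": "ach_out",  "payee": "Payroll Co",         "amount": 18250.00},
    {"date": date(2010, 1, 21), "type": "wire_out", "payee": "Unknown Payee 4471", "amount": 9800.00},
    {"date": date(2010, 1, 21), "type": "wire_out", "payee": "Unknown Payee 9920", "amount": 9650.00},
    {"date": date(2010, 1, 22), "type": "wire_out", "payee": "Unknown Payee 1183", "amount": 9900.00},
]

# Payees the bookkeeper has approved before (assumption for the demo).
KNOWN_PAYEES = {"Payroll Co", "Utility Board"}


def business_days_after(start, n):
    """Return the date n weekdays after start (weekends skipped, no holiday table)."""
    d = start
    while n > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:
            n -= 1
    return d


def flag_transfers(ledger, known_payees, dispute_window_days=2):
    """Flag outbound transfers that deserve a same-day look by a human.

    Each finding carries the reasons it fired and the latest date by which
    the post's "couple of business days" dispute window would close.
    """
    outbound = [tx for tx in ledger if tx["type"].endswith("_out")]
    per_day = {}
    for tx in outbound:
        per_day[tx["date"]] = per_day.get(tx["date"], 0) + 1

    findings = []
    for tx in outbound:
        reasons = []
        if tx["payee"] not in known_payees:
            reasons.append("new payee")
        if tx["type"] == "wire_out":
            reasons.append("wire transfer")
        if per_day[tx["date"]] > 1:
            reasons.append("multiple outbound transfers on one day")
        if reasons:
            findings.append({
                "date": tx["date"],
                "payee": tx["payee"],
                "amount": tx["amount"],
                "reasons": reasons,
                "dispute_by": business_days_after(tx["date"], dispute_window_days),
            })
    return findings


if __name__ == "__main__":
    for f in flag_transfers(LEDGER, KNOWN_PAYEES):
        print(f"{f['date']} {f['payee']:20} {f['amount']:>9.2f}  "
              f"{'; '.join(f['reasons'])}  (dispute by {f['dispute_by']})")
```

The routine payroll and utility payments produce no findings; the three wires to never-seen payees do, and the printed deadline is the reminder that waiting past it is what, in the post's words, "greatly reduces the likelihood of retrieving any of the money".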

The Internet provides us with many benefits, but it also leaves us open to unfriendly human interference if we are not careful.  So use common sense as you surf and email.  If you have questions or concerns about the safety of your network and computers, work with your IT professional to review your environment and implement any necessary changes.

If you want to read more about this trend in cyber theft, check the following posts from Brian Krebs’ blog:

Let’s be safe out there …


Cloudbusting: Security and the Cloud

We’ve been trying to make sense of the hype around “cloud computing” for a couple of years now. One thing that muddies the discussion is the plethora of different solutions that fall into the bucket hyped as “the cloud.” Some of it is nothing new: Gmail is cloud computing. And Amazon EC2 is cloud computing. And Salesforce.com is cloud computing. And while they all have some similarities, there are a lot of differences, too. Getting your email archives in and out of Gmail is so simple I can do it.  EC2 is a utility: you start saving money with EC2 if you are a smart-as-heck software developer, but it isn’t something your average small-to-medium-size nonprofit would be able to use and become more cost efficient. At least not yet and not without a lot of help. Salesforce is somewhere in between the other two examples. So it is a continuum, I think.

We’ve been shooting around links to dueling cloudbusting/cloudfluffing articles lately on our internal email lists. Some folks point to the New York Times’ take on Twitter “hacking” and the perils of Web-based tools and ITIC’s survey showing a slow cloud technology adoption rate. Other colleagues reference Microsoft’s survey showing rosier adoption plans and “Look, even Bruce ‘Security Guru’ Schneier says cloud computing is the future…sort of.”

The security issue reminds me of a big knock-down, drag-out debate that we had at Town Meeting in the small Massachusetts town I lived in before we moved to Seattle. The debate was around whether we should all invest in a town sewerage treatment system or if we should continue on our merry way with every household having its own septic tank. Nothing gets New Englanders more riled up than a nice public discussion of where to put their poop. My neighbors fell into a couple of main camps:

  • Pro Public Sewers: it would be more efficient to have everyone on one system so that we can manage our town’s waste in a professional manner and individual households don’t have to worry about the integrity of their own tanks. And it is better for the environment since you can monitor one system rather than having multiple septic tank failures that can ruin our water supply and hurt wildlife.
  • Anti Public Sewers: maybe it would be more efficient, but now you have a single point of failure that, when it fails, will be catastrophic.

There were variants:

  • Anti Public Sewer Seniors:  why does everything need to keep changing in this town since that new development went in off Sweetland Farm road? Individual septic systems were good enough when this place was first resettled after King Philip’s War in 1657 (the Indians burned the whole thing down don’t you know); why isn’t it good enough now and I was raised here and I have lived to 82 years of age next October and I’m still upright and my house has had the same leach field in the backyard since Eisenhower was sworn in and another thing: you people need to tell your kids to stay off my lawn and why is there a limit on the number of videos I can take out from the library and why are we switching almost exclusively to DVDs when I have a perfectly good VHS machine, thank you very much.
  • City Slickers Keeping Up with the Joneses: well Medfield put in public sewerage in 1999 and their house values have increased 217% since then, so why can’t we have public sewers and house values as high as Medfield’s?

And so on. In the end, I feel like there is no one right answer to these sorts of things; there is the right answer for the particular situation, your openness to risk, to the possible reward, and so on.

What are your cloudy thoughts?


Security & Your Cell phone

Who doesn’t have a cell phone these days? But as they get more and more sophisticated we need to take greater pains in keeping them safe. Last year I finally got, after much begging of the spouse, an iPhone. Like most smart phones it can do a lot, and I do mean a lot.

So keeping it safe is important. Not that I have personal, sensitive data in it. I keep my credit card #’s and Social Security information elsewhere. But one thing that I was reminded of today was shopping.

I mean, I have the Ebay application on my phone. I’ve seen similar ones for Amazon and my phone has a browser too. I can log into any website on my phone that I could access on my computer at home or work. But what I hadn’t thought about was

“do I take the same steps to keep myself and my personal data safe with my phone as I do on my computer?”

Duh! Why hadn’t I thought of that before? It’s so easy now-a-days to fire up the phone and get that really hot deal on a new pair of shoes. OK maybe not shoes but you know what I mean. Do I check to make sure that the site I’m using is secure?

Security is a big deal when it comes to computing today. Here at NPower we have a Security for Nonprofits training to focus on trying to keep nonprofits safe.

One of my favorite “deal” sites has a great posting about just that. What steps should you take to make sure your transaction is safe? Check it out at http://dealnews.com/features/Five-ways-to-shop-safely-on-a-smartphone/275031.html

As for me, I’m going to seriously think about the security on my phone. Should I put a password lock on it? After all, that nice little Ebay application automatically logs into my account. Thank goodness Ebay doesn’t allow you to access your PayPal account without putting in a password!

If it’s a work phone, you may be safer than you think. My co-worker, Patrick, pointed out that for our work phones that are using the Windows Mobile operating system, we have Microsoft ActiveSync installed. This lets us synchronize our phones with Outlook and our desktop computers. Very nice. But that also includes a “kill” feature. If a phone is lost or stolen, with a flip of the “switch” we can have all of the data removed. Now that’s a great safeguard!


Security Alert: Microsoft Server Family

Microsoft released a critical security alert today. Please read and distribute to the team responsible for managing your server environment.

There is an update available, and Microsoft recommends applying that update immediately.

Here’s a bit more about the alert:

This security update resolves a privately reported vulnerability in the Server service. The vulnerability could allow remote code execution if an affected system received a specially crafted RPC request. On Microsoft Windows 2000, Windows XP, and Windows Server 2003 systems, an attacker could exploit this vulnerability without authentication to run arbitrary code. It is possible that this vulnerability could be used in the crafting of a wormable exploit. Firewall best practices and standard default firewall configurations can help protect network resources from attacks that originate outside the enterprise perimeter.

This security update is rated Critical for all supported editions of Microsoft Windows 2000, Windows XP, Windows Server 2003, and rated Important for all supported editions of Windows Vista and Windows Server 2008.


Security

So today I’m reading the September issue of Consumer Reports, which has a big section on online security, ID theft, and security software reviewed. Wow! What an eye opener.

Some take aways:

Criminals are using malware to log on to routers & change the settings that control where website addresses point. This will send you to a rogue site even when you type the correct address into your browser.

Social Networking sites are havens for spyware because people who frequent them often drop their guard.

Where does that leave us nonprofits? Not in a good place according to the results of NPower’s Stable & Secure Scan. What’s that, you say? Never heard of it.

NPower Seattle and NPower Indiana created 12 benchmarks to measure nonprofits’ technology infrastructure. Last year we sent out volunteers to run an assessment, or scan, on Puget Sound nonprofits to see how they measured up against the benchmarks.

Boy has it been insightful. In some ways we’ve come a long way but in many others we still have a lot of work to do. And one of those was around security: almost 3/4 of the nonprofits we scanned FAILED the security benchmark.

What does that mean?

  • While three quarters of nonprofits in the region have virus protection software installed, only 44% update the definitions daily or weekly.
  • Only half of nonprofits in the area believe that their staff members could identify a “phishing” email or instant messaging attempt to acquire sensitive information—such as usernames, passwords and credit card details.
  • Only 62% believe that their staff members know what to do if they receive a suspicious email that has a virus attached.

What can you do? Of course I have some recommendations.

  1. If your organization hasn’t already done so, sign up for our Stable & Secure Scan. We’re offering it for free to local nonprofits as part of the United Way’s Day of Caring on September 12th.
  2. Attend NPower’s Security for Nonprofits webinar in October.
  3. Check out the September issue of Consumer Reports.


Spam

And no, I’m not talking about the kind that comes in a can and you can eat. Spam is the bane of our e-communications. And Spammers are getting more and more clever in their attempts to verify that your email address is valid, so they can sell it of course.

Recently I’ve been receiving the following “types” of emails:

Phishing email

It LOOKS like I’ve signed up to get news alerts from CNN, a reputable source. But as in many things on the internet, looks can be deceiving. I most certainly did not sign up for news alerts from CNN (or MSNBC, the other spam that I’ve been getting).

And I most certainly did not click on the conveniently provided links, either to the story or to unsubscribe, as that would unleash a flood of new spam into my inbox at best. At worst, and this one turns out to be in that category, my computer would be infected with malware, spyware, and other virus-ridden stuff.
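The giveaway in a message like this is usually the links themselves: the visible text says one thing and the destination is somewhere else entirely. As an added example (written for this page, not a tool NPower or CNN provides), here is a small checker that pulls every link out of an HTML message body and flags the ones whose real destination does not match what they appear to be. The sample message, the `example.invalid` destination and the "last two labels" domain approximation are constructed assumptions; a production version would use a proper public-suffix list and take the claimed brand from the message headers.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: an HTML body styled like a CNN news alert whose links
# actually point at an unrelated domain. Illustrative input, not a real message.
SAMPLE_BODY = """
<p>Breaking news from CNN.com:</p>
<p><a href="http://news.example.invalid/story?id=123">http://www.cnn.com/2009/story.html</a></p>
<p>To stop receiving alerts, <a href="http://news.example.invalid/u?x=1">unsubscribe</a>.</p>
<p><a href="https://www.cnn.com/">Visit CNN</a></p>
"""

# The domain the message claims to come from (assumed here; in practice
# derive it from the From: header or the brand named in the message).
CLAIMED_DOMAIN = "cnn.com"


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Hostname part of a URL, or empty string if there is none."""
    return urlparse(url).hostname or ""


def registered_domain(host):
    """Crude last-two-labels approximation of the registrable domain."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def suspicious_links(html_body, claimed_domain):
    """Return (href, text, reasons) for links that do not go where they appear to."""
    collector = LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        dest = registered_domain(host_of(href))
        reasons = []
        # Visible text looks like a URL but the link leads somewhere else.
        if text.startswith(("http://", "https://")) and registered_domain(host_of(text)) != dest:
            reasons.append("visible URL differs from destination")
        # A message claiming to be from the brand should keep its links on that domain.
        if dest != claimed_domain:
            reasons.append(f"destination {dest} is not {claimed_domain}")
        if reasons:
            findings.append((href, text, reasons))
    return findings


if __name__ == "__main__":
    for href, text, reasons in suspicious_links(SAMPLE_BODY, CLAIMED_DOMAIN):
        print(f"{text!r} -> {href}: {'; '.join(reasons)}")
```

On the sample, both the "story" link (which shows a cnn.com address but goes elsewhere) and the "unsubscribe" link are flagged, while the one link that really stays on cnn.com is not; the same two checks are what a mail filter or a careful reader hovering over a link is doing.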

I’m certainly going to add this one to NPower’s Security for Nonprofits training.


Security & Viruses

Recently I did a training on Security: Viruses, Malware, Adware, Spam & Phishing. Boy did I learn a lot as I was creating that class. With a good anti-virus program, it’s fairly easy to stay safe. But once in a while you’ll try installing something and your anti-virus program will ring the warning bell.

Well the folks over at LifeHacker.com, one of my favorite blogs to read, were asked about this. And their answer was really interesting. There are several online virus checkers that you can upload files to and have them checked for viruses. I recommend you check out their post.

And if your nonprofit doesn’t have anti-virus or just needs to update it, then you’ve got until June 30th to get an updated version from TechSoup. Their fiscal cycle ends on the 30th and you can start all over again on July 1st with a clean slate. TechSoup, if you didn’t know, partners with software companies to provide discounted software to nonprofits. You only get a certain number though, which is why getting a copy now would be great; then you have your full allotment starting on the 1st.

And if security & spam are a concern for you and your organization, watch for this training from NPower. I will be offering this again before the end of the year.
