Archive for Security

No Phishing Allowed


As we have all come to recognize, the Internet can be a hazardous place.  As a result, you likely have different types of filters in place that help to ensure potentially dangerous email is blocked.  However, no filtering mechanism is 100% reliable, and malicious messages will get past this line of defense.

As a result, we as individual computer users need to be attentive to the email arriving in our Inboxes.  If something does not look right, then it probably is not.  Although the people sending these messages are smart and clever, there are some common clues that are dead giveaways:

  • Security Updates: Be particularly aware of any messages that contain either an attached security patch or a link to download such a patch.  Security updates and patches are not distributed in this manner.  Your computer is likely configured to automatically update itself with minimal or no user interaction required.
  • Misspellings/Odd Grammar: Messages that contain misspellings or oddly constructed grammar are likely to be malicious.  Many of these emails originate from places where English is not the primary language so, for once, our ridiculously complex grammar rules can be beneficial.
  • Generic Messages: While we all send out form letters from time to time, there is typically some sort of personalization.  A common clue that the message might not be from the named sender is the lack of a signature (or of the expected/standard signature).  Even mass form letters will be signed in a standard manner that should be familiar.  That said, be wary of messages that are signed by official-sounding but anonymous senders (e.g. “The IT Support Administrator”) of whom you have never heard.

The folks over at SonicWALL have collected a few examples of phishing attempts.  It is worth taking the quiz (there are only ten examples) and reading the explanations.  You can get there from here: http://www.sonicwall.com/phishing.

Let’s be careful out there …


The Story of a One-computer Miracle

The Confluence Gallery and Art Center has flourished since 1988 as a hub of the arts community in Twisp, Washington. The nonprofit gallery holds seven group and individual exhibits each year, showcasing the work of local and regional artists from North Central Washington. Special exhibitions draw from farther afield, highlighting noteworthy artists from the Pacific Northwest.

As participants in NPower’s statewide training and technology support program funded through the Greater Everett Community Foundation in 2008 and 2009, Confluence Gallery completed a Stable and Secure Assessment which pointed to a severe need to upgrade aging hardware. NPower consultants assisted Gallery staff in selecting a new desktop system, provided funds to cover the purchase (thank you GECF!), and procured software donations (Microsoft Windows and Office — thank you Microsoft!) to support key accounting and grant writing functions. In an “extreme makeover” story, Executive Director Sybil Macapia says Confluence Gallery is now in a much stronger position to support the administrative needs of the organization, and recently procured a much-needed grant that she links directly to the availability of that single new computer system.

Congratulations, Confluence staff! And thank you to the Greater Everett Community Foundation, Microsoft and our other supporters who make miracles like this one possible for nonprofits in Washington state.


Password Security

The New York Times ran an article earlier this week indicating that 20% of online users choose a simple, easily guessed password to protect their data.  Imperva, a data security vendor, examined a list of 32 million passwords that were stolen from a social network software company.  According to their analysis, the five most popular passwords are 123456, 12345, 123456789, password, and iloveyou.

While it is preferable to have a different password for each Web site or account, this is difficult for most to implement and track.  To help minimize the risk of a stolen password, experts suggest “at least two different passwords — a complex one for web sites where security is vital, such as banks and e-mail, and a simpler one for places where the stakes are lower, such as social networking and entertainment sites.”

For more information on establishing good password policies and practices, check out the following resources:

  • TechSoup’s Security Corner: Tips, articles, blog posts, and resources on securing your information.
  • NTEN: Suggestions and resources for creating strong passwords and establishing a password policy.  (Although this is an older post, it still offers relevant advice.)
  • Microsoft Security: Tips and resources to keep online activity as secure as possible, including a password checker.
  • Slate Magazine: General password tips and an algorithm for developing strong passwords.
  • Vassar Computer Center: Basic rules and examples for creating strong passwords.

The New York Times article is available on their website.  In addition, you can read Imperva’s full analysis in their white paper on Consumer Password Worst Practices.


Protecting Against Cyber Theft

A number of recent events have provided a reminder of the importance of security in our computing lives.  Instead of elaborating in one long blog post, I will break these out into smaller, individual discussions.  Top of mind for me today is the recent trend of cyber theft – costing businesses, schools, and other organizations tens to hundreds of thousands of dollars.

The general approach is for the attackers to use a keystroke logging program, typically placed on a computer system through a virus or malware, to steal the credentials that the organization uses to manage its bank accounts online.  A common method for placing these spies is through email promoting “too good to be true” offers like an unexpected refund/rebate or a generous money-making opportunity.  Once in place, these rogue programs may go undetected by your antivirus protection software.  Once the thieves have gathered the necessary bank credentials, they can then access the accounts online to make outbound transfers to their network of accounts.  The money movement does not stop there, as the funds will be moved again and eventually land overseas.

So what can we do to help protect ourselves?  Unfortunately, in today’s wired world, we cannot insulate ourselves completely.  However, we can reduce our risks by implementing the following precautions:

  • Email: Always be mindful that not all email is good email.  Only open email from trusted sources.  And even then, if the message seems suspicious, treat it as such or check with the sender to verify before opening.
  • Antivirus: In addition to having antivirus protection software installed and running on your computers, make sure that they are being updated with the latest virus signatures.  Outdated signatures leave you at risk from new and evolving threats.  If a computer does happen to become infected, consider seriously the risk/benefit of reinstalling the operating system and applications, instead of just removing the virus.  The upfront inconvenience may reduce or eliminate future frustrations.
  • Bank Accounts: Stay vigilant in monitoring your banking activity.  In the several instances that I am aware of personally, the organization spotted the fraudulent activity itself.  Early detection will help limit the potential loss and increase the chance of recovering those funds.  In fact, failure to identify and dispute unauthorized activity on a commercial account within a couple of business days greatly reduces the likelihood of retrieving any of the money that was transferred.
  • Dedicated Terminal: To maximize protection from unwanted access, dedicate a computer for online banking and then limit it to only that activity.  Do not do any other web browsing or email from that workstation.  When you are done with your banking, turn it off until you need to access your account again.

The Internet provides us with many benefits, but it also leaves us open to unfriendly human interference if we are not careful.  So use common sense as you surf and email.  If you have questions or concerns about the safety of your network and computers, work with your IT professional to review your environment and implement any necessary changes.

If you want to read more about this trend in cyber theft, check the following posts from Brian Krebs’ blog:

Let’s be safe out there …


Cloudbusting: Security and the Cloud

We’ve been trying to make sense of the hype around “cloud computing” for a couple of years now. One thing that muddies the discussion is the plethora of different solutions that fall into the bucket hyped as “the cloud.” Some of it is nothing new: Gmail is cloud computing. And Amazon EC2 is cloud computing. And Salesforce.com is cloud computing. And while they all have some similarities, there are a lot of differences, too. Getting your email archives in and out of Gmail is so simple I can do it.  EC2 is a utility—you start saving money with EC2 if you are a smart-as-heck software developer, but it isn’t something your average small-to-medium-size nonprofit would be able to use and become more cost efficient. At least not yet and not without a lot of help. Salesforce is somewhere in between the other two examples. So it is a continuum, I think.

We’ve been shooting around links to dueling cloudbusting/cloudfluffing articles lately on our internal email lists. Some folks point to the New York Times‘ take on Twitter “hacking” and the perils of Web-based tools and ITIC’s survey showing a slow cloud technology adoption rate. Other colleagues reference Microsoft’s survey showing rosier adoption plans and “Look, even Bruce “Security Guru” Schneier says cloud computing is the future…sort of.”

The security issue reminds me of a big knock-down, drag-out debate that we had at Town Meeting in the small Massachusetts town I lived in before we moved to Seattle. The debate was around whether we should all invest in a town sewerage treatment system or if we should continue on our merry way with every household having its own septic tank. Nothing gets New Englanders more riled up than a nice public discussion of where to put their poop. My neighbors fell into a couple of main camps:

  • Pro Public Sewers: it would be more efficient to have everyone on one system so that we can manage our town’s waste in a professional manner and individual households don’t have to worry about the integrity of their own tanks. And it is better for the environment since you can monitor one system rather than having multiple septic tank failures that can ruin our water supply and hurt wildlife.
  • Anti Public Sewers: maybe it would be more efficient, but now you have a single point of failure that, when it fails, will be catastrophic.

There were variants:

  • Anti Public Sewer Seniors:  why does everything need to keep changing in this town since that new development went in off Sweetland Farm road? Individual septic systems were good enough when this place was first resettled after King Philip’s War in 1657 (the Indians burned the whole thing down don’t you know); why isn’t it good enough now and I was raised here and I have lived to 82 years of age next October and I’m still upright and my house has had the same leach field in the backyard since Eisenhower was sworn in and another thing: you people need to tell your kids to stay off my lawn and why is there a limit on the number of videos I can take out from the library and why are we switching almost exclusively to DVDs when I have a perfectly good VHS machine, thank you very much.
  • City Slickers Keeping Up with the Joneses: well Medfield put in public sewerage in 1999 and their house values have increased 217% since then, so why can’t we have public sewers and house values as high as Medfield’s?

And so on. In the end, I feel like there is no one right answer to these sorts of things: there is the right answer for the particular situation, your openness to risk, to the possible reward, and so on.

What are your cloudy thoughts?
