susan: welcome everyone. welcome to our webinar, nonprofit security best practices: are they out to get you? we are thrilled to host this webinar today. and i want to give you a brief rundown on how our platform works, so you’ll have an opportunity to chat with us, and julian our presenter today. we do use readytalk. the chat box or the chat bar, which is on the far left-hand side of your screen, is there for you to ask questions. you can also let us know if you are having any technical difficulties. i will receive those chats, and i will queue up any questions for julian. during the event we will pause definitely at the end of the event, or towards the end of the event
to answer any queued up questions, and possibly throughout the event when we have the opportunity. so don’t worry. if your question isn’t answered immediately, we will get to it even if it is after the event itself. there’s no need for you to raise your hand. simply chat in to the chat box any of your tech problems or challenges, or your questions for julian. if you lose your internet connection, you can reconnect using the link that was emailed to you in your confirmation email, or any one of the reminder emails. if you lose your phone connection if you’re using your phone, you can redial the phone number and just rejoin. for most of you, sound should come through your computer speakers.
if for any reason during the event your audio fails, or it cuts in and out, or it does not match what you are seeing on the screen, we recommend you try logging in again, or simply call in by phone, or through skype. i’ve chatted out that phone number a few times in the chat box, and i will do so again momentarily. just so you know, all your lines are muted so we can get a good clear recording. the webinar will be available on our website along with all of our past webinars at www.techsoup.org/community/events-webinars. you can also view all of our recorded webinars on our youtube channel. i will be sending you an email with a link to this presentation that julian will share, a recording, and all of the links that julian is going to discuss today within a few days.
you can also tweet us @techsoup, or use hashtag #tswebinars. okay, enough about our platform. i’d like to introduce you to julian. julian is our speaker today. he’s our expert. he has been working in the software and it industries for over 20 years. and in 2003 he cofounded freeform solutions, a not-for-profit organization with a mission to help other not-for-profits use technology more effectively. he is also the lead programmer of formulize, an open source software that lets non-programmers create database systems on their website, cms, and mobile devices. we are very lucky to have him on this webinar today. i think you will find this presentation very engaging and informative.
i’m susan hope bard. i’m the training and education manager here at techsoup. i’ll be on the backend queuing your questions, and also answering any tech challenges you have. a couple of quick things, you are here joining us at techsoup. we are located in beautiful san francisco california. i’m going to ask you where you are joining us from today, so you get to practice in the chat box. tell us what city and state, or what country you’re joining us from. as you are doing that i am going to queue up a couple of polling questions that julian has put together to kind of gauge the audience’s understanding of some security practices. so i see everyone chatting in, lots of folks from california
and the east coast, a couple folks from canada as well. welcome everyone. here is our first polling question. what security technologies are you most interested in or likely to work on in the coming months? so go ahead and use the cursor to indicate which of these technologies you’re interested in or likely to work on in the coming months; training to avoid risky behaviors, payments, social media, are you ever really anonymous, email and spam, uris, passwords, public wi-fi, protecting your website, the cloud, or protecting your computer. and i see we have 24 responses in, get those fastest fingers going. we are now up to 45. i’m going to give everybody 5 seconds, 4, 3, 2, 1.
wow, so we can see here julian, that we’ve got lots of people looking at training to avoid risky behaviors. that is so funny, because we were just talking about this, that people’s behaviors, how can we influence or change individuals’ behaviors. so this is great. this aligns with some of the things we’ll talk about. it looks like we also have protecting your computer and the cloud. those are the top 3. thank you very much for answering that question. and we’ve got one more. this next one, we are asking about your role within your not-for-profit, ngo, or library. are you with it, a network admin, you are ed or a board member, decision-maker, program staff or non-it? are you a volunteer, are you operations or admin?
or is there something else you are? you can feel free to chat that in the chat box. and you guys are much faster on this one. wow! i am going to show results but i’m going to leave it open for 5, 4, 3, 2, 1. okay, it looks like a lot of you are in it or operations. these are all great things to know. so what i’m going to do now is i’m going to turn this presentation over to julian who will take you through his prezi and talk to you about security. julian.

julian: hi there. thanks very much. so i assume that in a moment i’ll get some notice that i’m in charge of sharing my screen, and you’ll see my screen, i hope. [indistinct.] thank you everyone for coming today. it’s always fun to talk about these things,
because well, the whole reason i like to work with technology is to help people use it for some purpose. and it’s all about people engaging with it. and i like a good detailed tech problem as much as the next geek, but it’s good to actually engage with people and this is all about how people deal with stuff in a very day-to-day regular way.

susan: and you may want to just double check that you are sharing your desktop, the top button on the top of the screen.

julian: there we go. so privacy and security online, it’s good to see that a bunch of you are in the tech field.
so some of this is probably review then. that’s okay. i hope if you are in that kind of situation, it’s at least useful information to get you, to help you communicate with your staff, or whomever in your organization that you need to help understand these things better. and some of it maybe isn’t review, just maybe some tips, or ideas, or things that you can use. and those of you who are less involved directly in technology, hopefully, there’s more that you’re less familiar with. please do put questions into the chat and susan will jump in on that, because i can’t see that as i’m going through this. so i’m not trying to ignore you or be rude, but it would be great to have some discussion going on, because this is not meant
to simply be a sermon from the mount, that’s for sure. so it’s not being paranoid if they really are out to get you. in the last few years, it’s hopefully become more clear that there are an awful lot of people who really are out to get you out there. and in a way a healthy paranoia is actually one of the baselines that can be a good defense as you will see. about me, susan already introduced me. freeform solutions i cofounded many years ago now, and they are still around helping nonprofits manage websites, and systems online. and i continue to do that kind of work independently since last year, with a deeper focus on data management tools and things that are my stock-in-trade
and preferred way of doing things. so that’s me. just to jump right in, because there is a lot to go through, it is a huge topic. there’s a lot to know and it is hard to decide what you want to do about all this stuff. so we should start by setting some goals. as my friend laura said, “i have a hard time deciding how far in the sand to stick my head when it comes to privacy and security.” so let’s set some goals so we can have a more measured approach than that. so i hope that you come away from this learning what you can control, learning how “they” out there are trying to get you. and then with that in mind, maybe you can stick your head a little less far in the sand, hopefully. so we’ll see.
i want to start with a little story. you tech folks may be familiar with this. it was well publicized a few years ago when it happened. mat honan, a writer at wired magazine. if you don’t know wired magazine, it’s basically like rolling stone for the geek set. he had a twitter account @mat and somebody took a liking to @mat. they thought that’s a cool twitter account. i’d like to have that account. so in the beginning, that was all that anyone knew, anyone interested in hacking him knew was the twitter account was @mat. but in his twitter profile he had a link to his personal website, so there was a little more information out there. on his personal website,
he included his gmail address. so now there’s a bit more personal information out there that was just publicly available. so now the hacker got creative. they tried to reset his google password, his gmail password. and when he did that, google disclosed that the alternate backup address it would send the reset messages to was “m-something-something-something-n@me.com.” the guy’s name was mat honan, so a little bit of guesswork might reveal probably what that email address was. and me.com is a domain owned by apple. those are apple email addresses. so that’s probably tied to an apple account. so nothing has sort of been classically hacked yet, but they are zeroing in on what information is available and what to do about it.
this is where it gets really interesting. and there’s some security flaws in amazon’s practices, and apple’s practices that they changed after this event. but at the time, it was possible for the attacker to call up amazon on the phone, and say, “i want to add a credit card to my account.” and amazon did this. the hacker identified themselves as mat. and they knew the name. they knew the billing address, presumably public information what his mailing address was. and they knew his email address that was associated with the amazon account, taking a guess that it was either the gmail one, or the apple one. so they identified themselves to amazon, and they were able to add a credit card
to his account which you may think well, why does it matter? well because, amazon at the time had a quirky policy where if they called amazon back, which they did, they then asked, “i’d like to add an email address to this account.” and some other operator on the amazon phone line, gleefully did this for them because they knew the name, and the billing address, and they knew a credit card number that was on the account, because they had just previously phoned them up and added a credit card number to the account. now they could call them up knowing the credit card number that they just added, and ask, “can i put an email address on the account?” so amazon did that too. so the email address is of course,
really important, because now that they have an email address on this account, they can do a password reset on amazon. that allowed them to log into his amazon account. so now they are really getting somewhere. and in amazon it doesn’t show you all the credit card numbers you have on file, but it will show you the last 4 digits of every card you have on file. so why is that important? because it turns out that at this time, apple, if you called up apple and they wanted to verify your identity, they will be satisfied that you are you because you provide your billing address, and the last 4 digits of a credit card. so they had seen all his credit cards, the last 4 digits of all his credit cards
in his amazon account. call up apple, say they are mat, apple believes them, and applecare then dutifully gives them a temporary password to login and reset the passwords to get into his apple account. so now, if you remember way back at the beginning, it was the apple account that was tied to the reset of the gmail password. so they can now get into the apple account, and the gmail account. and then with access to the gmail account they reset his twitter password and they could take over the twitter account where this all started. and just to make it harder to see what they had done to cover their tracks a bit,
they used the remote features that apple provides to wipe the contents of his iphone, his ipad, and his macbook, and they also deleted his gmail account. that’s where it gets really nasty because that’s an awful lot of data loss, besides the identity stuff. apple did help recover the information off the laptop i believe, after this, but it’s a pretty damning situation. it’s a crazy story and it all happened really fast. the whole thing went down in like an hour, less than an hour. but i think it illustrates a lot of great points. the one i would like to emphasize the most is, was there some super evil genius programmer that wrote some crazy virus that infiltrated everyone’s computer and took over the world? no!
it wasn’t like you see on the movies. it was just simple social engineering, so-called. and that’s always been the most potent tool in any hacker’s arsenal, even today. a story from a couple years later, someone just called up a server company in ottawa, where a company called canadian bitcoins had a bunch of servers. bitcoins being this digital currency, cyber currency that each bitcoin is worth a fair bit of money. this person called them up and at no point was ever challenged to prove who they were. and the tech support person that they were talking to, basically granted them access to the servers of canadian bitcoins company. and this attacker just transferred bitcoins out to their own account valued at around $100,000,
just because he asked nicely, and sounded authoritative. so social engineering goes really far. it’s one of the things that the biggest defense against that is simple caution, or paranoia, as some would say. a great book by kevin mitnick called ghost in the wires, he has a lot to say about this in all the hacking he used to do when he was wanted as a major hacker. but so much of what he did was actually nontechnical. so here’s a survey of all the sort of nitty-gritty topics we might get into. and based on the survey responses there, it sounds like protecting your devices, and email and spam, and the cloud were a couple of the big things
that people wanted to talk about. to start with, i’ll focus on those 3, but i’d like to start with urls, because it’s highly relevant to the email and spam topic, and to a lot of things in general. so briefly indulge me to go through urls, and then we’ll dive into the others too. urls, things to know about this to help you understand, or explain to people how to keep themselves safe. hopefully if you are interested in this topic and you’re here, this is mostly review. but anyway, you’ll see. urls, links, addresses, site names, they are more and more hidden these days. whenever i talk to people, guide them through something and i say, “go to the address bar in the browser.” half the time, people don’t know there’s an address bar
in the browser, because their browser opens up, it goes to google, they type in the website that they want into the google search box. the google search results come up, and then they go to the website they want, and they sort of bypass the address bar entirely. but hopefully, everyone here is aware that there is an address bar in a web browser at the very top, and you can type in an address for a website directly, and go there. and everything on the internet has an address, and it’s the number one backstop that you have against being in the wrong place, giving the wrong information to the wrong people, to understand the addresses. so look at a simple address. and to those of us who know these things, it’s like, “oh, my god. this is so remedial.”
but when you think about it, there’s actually a fair bit to know to understand how to read this properly. the first thing is, everything after the slash, you can ignore it. it is totally irrelevant for figuring out the validity of this address. from that point, you read it backwards towards the beginning. so the top level domain, .com, or .net, .ca, .gov etc. there’s a zillion of them now. you can pay a quarter million dollars and run your own top level domain registry if you want to. it could be fun, it depends on what you want to offer i guess. after the top level comes the actual domain name, google. so that’s the key part right there. beyond that you get into what’s called the subdomain and that’s mostly irrelevant.
there might be more than one. sometimes you see websites that are something-dot-something-dot-something-dot-google-dot-whatever. it doesn’t matter how many there are. they are all kind of irrelevant for figuring out where you are. and then at the very beginning is what’s called the protocol, but it’s not even usually shown. oftentimes a web browser if you are looking at the address bar, it will just show you the subdomain, the domain, the top level, and it will omit the protocol. so that’s what the address is, and it’s important to know how to dissect that. and if you knew all that already, hopefully that’s at least a useful illustration you can show to some other people.
now to learn what the actual url is, this is the thing. you’ve got all these links in websites, or emails, or whatever. to learn what the url is, a lot of people say you can look in the status bar at the bottom of the browser. if you didn’t know this, the browser will show you if you hover over a link, it will show you something at the bottom. that’s true, and most of the time that’s correct, but those can be spoofed. lots of things can be faked on websites, and on the internet, and those can be as well. so if i’m going to give you some advice about the number one way to be sure where that thing goes, if you’re looking at something and it’s like, “if i click on this, what is going to happen? is this really what it says it is?”
if you right click on the link, or control click on a mac, you get the little pop up menu like what’s shown here. and if you copy the location, or in different browsers it might say, “copy the address,” or “copy the url,” or “copy the location,” or “destination,” or “address” this link belongs to, and then paste it somewhere. then you’re not activating the link. you are not going to where it actually is going to take you, but you are seeing where it’s going to take you if you click on it. and it’s just a simple step to actually see what’s going on. but you have to be able to read the link for that to matter. it doesn’t help if you can’t read it. as i said, the status bar at the bottom is common advice and it’s good advice,
but it can be spoofed. the thing is if you look at the status bar and the link is garbage, then great, you’re done. you know this is not something you want to click on. but it might look good, and still be bad. that’s why the copying is the most reliable thing to do. so we’ll see how on the ball you all are. we don’t have to do this as a poll. you can just tally in your own mind which one of these is the real link for the real bank, taking into account the little run through of urls. can you read this and can you say to yourself confidently, “i’m going to click on one of these things and type in my banking user name and password, and i’m not going to lose any sleep
at night.” which one, the top one, or the bottom one? well, if you haven’t figured it out by now, it’s a bad sign. the top one is the real one. the bottom one is not. here is why. it’s because there’s, right before the first slash, td.com, it belongs to td canada trust. and this one, right before the first slash, it’s banksite.cc. run away fast! it’s not a real website. well, it is a real website; it’s just not the one you want to go to. from there, sort of following on that theme, let’s look at email and spam then. because understanding that stuff is really critical, i think, to understanding email and spam attacks. now the advice you always hear
and everybody always says it is, “don’t open suspicious attachments.” well yeah, but what counts as suspicious? because here’s the thing, if your friends get viruses, the virus is going to send messages to everyone in their address book. so if you get a message even from someone you know, but the content isn’t unique and speaking to you directly, it’s not saying things that only that person would really know or say, then it counts as suspicious, anything that’s suspicious. this is the paranoia theme again. so yeah, like you tell your kids to love the world, and be friendly, and trust people, but everyone on the internet is a stranger with suspicious candy.
it’s sad, but that’s the way you’ve got to look at this. and the bottom line is the links, as we just saw. see the urls, this whole thing. you can do this in email. in your email program, you can do the same kind of thing. you can right click on a link and you can copy it, and there you go. and if that domain and tld doesn’t look right, then don’t click on it. now that’s a whole lot of education. but honestly, i think the only solution to a lot of this, while you can put in all kinds of firewalls, and software and things that some organizations put in place to prevent people from going to certain places, but that is sort of an endless game of whack-a-mole, because the way these spam things work these days is that attackers just hack some new website, dump all their suspicious stuff
on that website in some hidden folder, and then direct you there through their spam. so really, understanding and education is the only way out of this. it is easy to fake emails, but as sort of a final thing, i just want to point out you can also look at the headers of emails. all email programs will give you some option to view headers, or see the full text, or the source of the message. and in the headers, they look something like this which looks really scary. but again, i think the importance of understanding urls, and addresses, is once you know what they look like you see them all over. and whatever that stuff at the beginning is, the subdomains, 3 of them,
it doesn’t matter. it is utoronto.ca, so i know that this message started at the university of toronto, and there is a history here of where it was sent and received between different servers at the university. and then eventually got picked up by google. and at the time, google still manages the freeform email system, so from google it got passed on to me at freeform. these are real headers from a real message. so a lot of that stuff is hard to read, but most of it is irrelevant. when you know what you’re looking for, you can actually quickly do a validation. and that’s true of lots of things online. so looking at protecting your devices, that was a top thing that people were concerned about.
and some aspects of this i think are kind of boring. the number one advice about protecting your devices is backups! because it’s going to be lost, stolen, a hard drive is going to fail, some fool is going to install something on it that renders it unusable, who knows. so you want to back up everything that is important. and you all have backups running right now, right, on all of your important things, i’m sure you do. before you sat down to the webinar i’m sure it was the last thing you turned on. but, well, of course, sadly, that’s probably not true. backups are often the last thing that people think about because it’s just not part of your day-to-day routine.
there’s nothing more important than having a backup plan, or backup copy, especially of data that is sitting on any device, especially mission critical ones. that’s for sure. and then virus scanners, keep that kind of thing up-to-date. it is one thing to have it installed, but if it is not being regularly updated, they can all be set to automatically update now, then it’s not much use. the thing that is going to get you is not something that came out 5 years ago or whatever, it’s going to be something that is new on the scene and you want to be updated asap. the other thing to understand is the importance of securing your own devices. and why viruses are so bad, is especially, well windows has gotten better than it used to be. it is still true that generally speaking,
software that is on your computer will have access to what your computer is doing to a greater or lesser degree. as an example, i want to run through a useful tool here called prey. if you haven’t heard of prey, you can install prey on your computer or your phone, and basically the original purpose is to monitor your device if it’s stolen. so you can see where it is, when it is turned on, when it is connected to the internet. and it will sort of phone home to the prey servers and send you a notice saying “hey, your device has popped up online and it is at this location.” so that’s kind of handy. and certainly i would recommend that kind of software on any laptops that you have that are actually owned
by your organization that are leaving the home base, and circulating out there, and are going to get stolen out of the back seat of somebody’s car, who knows what. so this is useful. but some of the things it does, it’s kind of freaky. so i installed it on my laptop a while ago to create this. and one of the first things that popped up when i generated a report about what my laptop was doing and what had happened to it. it showed me this map. and i thought, “that’s really cool, but wait a minute, my laptop has no gps. so what’s going on?” well, the fact is, even without gps a device connected to the internet can be geolocated just based on the internet connection it is using. google and other services keep giant databases
of where all the ip addresses in the world are actually physically located. so when you connect they can tell, “oh, that’s a toronto address.” or “that’s an address right there on my street.” that map is quite accurate. that is just about precisely where my house is. now, prey will also do things like show you this snarling face of the nefarious person that stole your laptop, because the software can access the resources, including the camera, files. it can see what you are typing. there is a screenshot there, or part of a screenshot of what was on the computer at the time this report was sent to the prey servers. so this is handy from a security point of view, a little freaky as well, but handy.
and viruses are software just like any other piece of software, they could be doing all of this but without your consent. so some people i think, don’t – oh, your computer’s got a virus. well, i’ll just have to wipe it, or clean it, or whatever. it’s a big deal. if your computer is compromised, a lot can go wrong. a lot could potentially happen. not necessarily, it might be nothing, but you just don’t know. and it is something that people should take very seriously. i think if they took it as seriously as it potentially is, there might not be so many security problems. another thing that’s important to do for your own devices is encrypt the contents of them. so here is a program called truecrypt
that you can install on your computer. and it will basically scramble all the information on your hard drive. it will encrypt it, the technical term. that’s so that it can’t be read if it is stolen. or even if it is not stolen, there are people who work in, for example, human rights nonprofits, and they don’t want the governments of countries they are visiting to be able to seize their laptop and see what’s on there. and there’s even people concerned about that in not so far-flung places. so truecrypt is useful for that. but asterisk here, there are no future versions of truecrypt planned. the team that was working on it has disbanded. so as far as is known from a software audit that has been done on it, there are no serious issues with the software. it’s worth using.
it is still good, but it is not going to be maintained into the future. so there are some other alternatives here. veracrypt is a fork of truecrypt that some other people are carrying on. there is another software called diskcryptor which does similar things. the thing is, there are also built-in tools in the operating system now for all the major operating systems. you could use those to encrypt your device. not everyone trusts those, because it depends on your level of paranoia. a lot of these things depend on your level of paranoia, and sort of which risks are worth how much inconvenience. so the risk that there’s back doors built into windows for the nsa is a concern to some people. to others it’s not. only you can decide
if it’s worth using these things for yourself or not. what about your phone? a lot of that stuff is all primarily for your laptop, although prey will work on your phone. but certainly device encryption, the sad news is there is no equivalent of truecrypt for your phone. there is no really sort of robust like, just going to work, can make a general recommendation for anybody. there’s no equivalent third-party independent software that you can use to encrypt your phone. so if you’ve got tablets, or phones, or other things that are leaving your office, and you need to keep them secured, well, you are kind of stuck with what apple gives you. since ios 8, iphones are fully encrypted if you use a pass code to lock them.
and there are encryption features in older iphones as well. android encryption, because so many different manufacturers and versions and things, it varies quite a bit what you can do from device to device. but generally speaking, there is some device level encryption you can turn on in most of them, well, all new ones these days. so you’ve kind of got to go with what you’re given. it’s like going with the windows version of encryption on your laptop. which is if what you are concerned about is someone stealing the device and being able to read information off it, this is probably good enough. if you are concerned about some point of attack from a government, or some other organization
with similar resources, then hopefully, none of this is news to you. anyway, i’ve been zipping through a lot of stuff here. i was going to jump into the cloud next, but i thought i’d ask susan if there’s any questions or other discussion or things worth revisiting, or digging into.

susan: yeah, great. we’ve had a couple of questions. the first is from craig. he’s asking, “do you need to back up files on google drive?”

julian: ah! do you need to back up files on google drive? i don’t myself, so i guess that’s an implicit validation for not doing it. the thing is, the infrastructure that google and other cloud services have,
and i’ll talk about that next, the infrastructure that they have it’s not like in the old days it would be like, “oh, we have a file server and it’s like this computer under sally’s desk that’s running 24/7.” and then one day the hard drive fails. and it’s like, “oops! do we have a backup of that or not?” like the google infrastructure is obviously so much like the exact opposite of something like that. like they are the largest buyer of computers in the world, because they have just so much stuff. and there isn’t really a computer out there that your google files are sitting on. there are probably multiple copies of them throughout this ecosystem of servers that google has. now that’s not to say of course, that something won’t go wrong
somewhere at some point, and some file you have in the google cloud might become corrupted or who knows what. more likely, would be some situation where you have got multiple people who are accessing a file, and somebody overwrites the file with something else by mistake, or who knows what’s going on, and the file has essentially become damaged, because somebody did something to it, rather than the file being lost. now google has great revision history on all your files as well. so even if that happened, you should be able to go back and find the version that you liked, and sort of revert to that. so i think it’s always good to have backups, but i don’t think it’s necessary for the cloud stuff.
the other thing about backups is thereason people don’t do them very often, as often as they should, because it’s often hardto institute a regular recurring backup policy. like, what is the process we are goingto go through to back up everything? and backing stuff up off google, the bestthing you can do if you don’t know already, for all these services dropbox, google driveetc., you can download a program from them to install on your computer, and it will mirrorthe contents of google drive to your hard drive, or to your laptop or whatever. and that’svery handy, because then you can interact with the files if they’re not just google docfiles, but if they’re just regular old files, you can interact with them off the hard driveof your device. and you make some changes,
let’s say in microsoft office to this excelsheet, save it. and then the google software will sync that back into the cloud.that’s kind of an implicit backup already, because then you’ve got it sitting therein the cloud, plus you’ve got the copy on your hard drive. so that would be whati’d really recommend when it comes to that. sorry, long answer, butthere you go. yes and no. susan: great. thank you. and onemore question before you go back to your presentation. this comes froma nonprofit that says they purchase a lot of their necessary items online,their credit card has been stolen twice. what can they do to prevent this?
julian: what can they do to prevent this? well, not as much as you might like to. maybe i’ll just do a quick detour into payments, because there’s not a lot to say about this. but when you are doing payments online, the thing is “https.” the protocol at the beginning of the address, you want an “s” on the end of it, and your web browser will have the lock symbol. if you are doing a lot of purchases online, hopefully this is not news to you. you want to see that lock. you want to know the connection is encrypted so no one’s going to steal the communication in transit. because that is what it means, you are on a secure connection, and no one is sort of eavesdropping, and no one is going to steal the credit card number as it travels over the internet to the store.

now here’s maybe something that might help. don’t ever store your credit card information on the website. that would be my recommendation. it’s not a law. but the thing is, they all have this “save your profile information, and save your payment information to make it easier next time, or check out faster etc.” and what that means, though, is if you do that, they have a copy of all that information including your credit card number. and i just don’t think that’s ever a good idea, because if their system gets hacked – this is the thing, i don’t know how your card has been stolen, but there are 2 ways most likely for how it got stolen. one of them is the servers of the system where you’re buying this from, they got hacked and your credit card got stolen out of their database. if you don’t store it on their website, they don’t have a copy of it, so it’s not going to get stolen that way. now a caveat to that, maybe you want to store credit cards on paypal, because paypal’s business is – i’m sort of throwing this out there as an example, like as a thought-provoking kind of thing, because essentially, how much convenience is worth how much risk? is paypal better at securing things, because their whole business is built around payments and online commerce and stuff? are they better at this than some random shopping website out there? i think they probably are, better than some, certainly. and if you can check out using paypal instead of giving your credit card information directly to a website, does that sort of put a layer between you and this potential attack vector? how much convenience is worth how much risk? something i alluded to earlier. yeah, when it comes to payments, that’s kind of all there is to it, because you’re really kind of at the mercy of who you are engaging with at the time when you are making that transaction. but you can give them as little information as possible.

the other thing is, if you found that information has been stolen a couple of times, then questions to ask are: how many people know that card number? was it actually stolen through technical means, or was it just because it was written down on a sticky note on somebody’s desk, and the cleaning lady noticed it, or something. i mean, not to cast aspersions on cleaning ladies in general, but it’s an example that there are lots of ways that it could have been taken. on a technical level, maybe the browser has saved the information, or someone’s phone has saved the information. and the thing is, if you have secure information, important information like that on a laptop, and you are making connections to wherever, but then say that laptop gets infected by a virus. remember what we were just looking at about protecting your device. well, a virus could read files and other things off the hard drive, and might find the credit card number that way. so for a lot of things, not just stealing credit card numbers, but for a lot of things in general, a basic question is how exposed is this information? how widespread is it? is it stored on the servers out there? is it only known by you? is it saved on the laptop, or do you type it in every time? so the less exposure any bit of information has, the less likely it is to be taken through whatever means.

susan: great. thanks. i think some of the other questions talk about cloud servers like office 365, sharepoint and things like that.

julian: okay, then let me dive into the few things i had to say about the cloud. and if there is more beyond that then we’ll see. we’re at quarter to the hour too, so we’ll zip through here. so the cloud, yeah, is probably more secure than so-called local storage systems. the extreme counterexample being the server under sally’s desk. and that’s because these cloud systems, they are always going to be up-to-date with security patches, firewalls, people are monitoring the logs, the data center is physically secured and so on. like all of those things are not necessarily true of non-cloud alternatives that people have used in the past. and it’s really convenient to be able to access your stuff wherever you are. what i described before, if you have your laptop syncing to google drive, and so on, then you can – it’s sort of effortless in a way, once you get all the parts all synced up. but there are obvious privacy implications. and it also changes – there is an economic aspect to it as well, because the licensing models are different; how you pay for access to some of these things is different. although, techsoup can help with that in some cases. and i am focusing primarily on the security and privacy, not the financial aspects. and from that point of view, there are privacy implications. they are promising to never look at your data, but it’s not on a computer that you control anymore, and it is known that all of these companies, all of the big companies, are forced by the us government to turn over whatever information they might want at any point in time, or at every point in time. so it’s a balancing act again, like i said before, how much convenience is worth what kind of risks? to some people those risks are not relevant. and to some people, depending on their line of work, or the information that they are concerned with putting in the cloud, that might be really, really relevant. so these kinds of services are here to stay, i think. clearly for years now, it’s been a model that the industry has moved to wholesale. we are not ever going to go back to the way it was when you bought discs at the store, and had that kind of control over things. but even then, you didn’t have that much control unless it was open source, because you are stuck with whatever they are giving you on the disc. so it’s a different model and it has some benefits, but it is a different set of trade-offs than it used to be. were there specific things in people’s questions, nuances beyond the general there?

susan: i think folks were really looking at office 365, sharepoint. i think you covered that. one question was, “if you have a cloud server, is it possible to encrypt that server, or is a firewall sufficient?” so i think that’s a kind of nuanced question.

julian: so if you have stuff in the cloud, then you are basically relying on the security of the [indistinct] stuff. i don’t necessarily know what stuff exactly you’re talking about, but i’ll give 2 examples of different sides of this.
generally speaking, if you have like a sharepoint server in the cloud that you are leasing from microsoft, or whatever the arrangement is, or you are just using office 365, part of what you are buying, part of the convenience there, is the security that they are providing. they are basically guaranteeing that the office 365 website is not going to get hacked, that your files in there – google does the same thing with google drive – they are basically saying we are not going to get hacked and your files are not going to end up on the front page of the new york times. and you’ve kind of got to trust them on that. and the premise is that you can probably trust them better than you can trust a lot of other people, because like the paypal example, their whole business is built around this, and they have people whose job it is to make sure that things are patched and up-to-date, and so on, and so on. and yet, we do hear about these hacking stories and all that. but the thing is, if you want to do it better, like that’s kind of what it comes down to. could you do it better? could you hire people to do a better job than the people that microsoft has hired to do that for them on office 365? probably not. it depends what kind of organization you are, and who your staff is, and so on. but that is what you buy into.

now the other thing is though, if you are talking about just cloud servers in general, beyond the services that you buy in the cloud, you can just buy a server, a machine, or an imaginary machine floating around in the cloud somewhere there, and what about encrypting that or protecting that? if you are running your own servers in the cloud, then yeah, essentially hopefully you have some server admin people on staff who know how to keep those kinds of things secure. because if you are running your own machine, whether it is a cloud server or a dedicated server, or whatever kind of thing it is out there, it will need certain things done to it to make sure that it is secure. maybe on that point, i will jump briefly through protecting your website.

there’s a good old-fashioned hacked website page. it’s what you don’t want to have happen, but that’s not really what happens anymore. people that hack websites, it’s not to deface them like this. it’s sort of quaint now to see things like that. because these days, they want to kind of actually sort of take over the website, and use the space for their own purposes. say they are putting up fake pharmacy websites behind your website that then they are directing people to from spam. anyway, to protect against all that stuff, and this applies to cloud servers and any sort of technical service you are running yourself really, on the web, you need to have those people who know what they are doing, and how to keep things up to date with security patches. most of the attacks that are going to happen are automatic attacks. it’s not some kid sitting there behind a keyboard figuring out your password; it is some automatic process that takes advantage of known security holes. so you want to make sure that you’re up-to-date with all the known fixes for those security holes. as i was saying before about the credit card example, make sure that all the computers where anyone is making changes to the website are completely clean and secure. because if the computer that has the ftp password for the website, and that is where someone logs in and makes changes to the website, and that computer has got a virus on it, chances are it has maybe stolen the password to the website. so you want to make sure that your systems are clean, because everything connects to everything else. never mind that it is a website or server that you are running yourself, it could just be your office 365 password or your sharepoint password. this is why viruses, and protecting your own computer, are really important, because it’s not just your computer that’s going to necessarily be compromised. it could be anything that that computer has touched is possibly tainted at that point. strong passwords for all your access points to the website, whether that is the server control panel, ftp, administrator accounts on the website.

we may not have time to jump through the whole password section of this, but i’ll just throw in here while we’re on the subject, use two-factor authentication, not just strong passwords. two-factor authentication is where you have google or whomever, whatever company, whoever runs the password, like you have a password for google, you have a password for microsoft, you have a password for apple etc. these companies can turn on two-factor authentication, or you can turn it on as part of your profile, part of your account settings with them. it means that they will send you a code on your phone as well as you typing in your password. to oversimplify it, you could think of it as double the security. it’s really more like 20 times the security. and it’s just, turn on two-factor authentication wherever you can. just do it now. it’s the best advice you’ll get. make sure that the people who are managing your website, or building these things, understand what these technical terms mean. i won’t explain them although i can after. you have to have people that know what’s going on running the show. and be prepared to pay for what you get. you get what you pay for, and doing this stuff costs time and money. it’s not going to happen for free. that is why the subscription services in the cloud are so popular, because you don’t have to employ people to do that stuff; you are trusting, that’s the thing. how i learned to stop worrying and love the cloud; you either go for it or you don’t.

susan: thanks julian. we do have quite a few other questions that i’d like to get to before we close for the day. you obviously have a lot more information to share as well, which we will be sharing out, your prezi, with everyone.

julian: yes. and i will just emphasize about that, the prezi is sort of self-documenting, sort of, or self-explanatory. you can run through it yourself, and hopefully it more or less explains the basics of everything that’s in there. it doesn’t require someone to talk through it, although that helps. and you can email me any time. i’m happy to chat with anyone about this stuff whenever. that’s no problem at all.

susan: great. and i will include your email in the follow-up email for everyone. fabulous. okay, so i want to get to a couple of questions. the first is from allyson. and i think some of this will be taken care of in the follow-up email. but she is a relative it newbie and she needs to educate herself. she is not completely unfamiliar with technology, but she is now newly responsible for a lot of the day-to-day troubleshooting.

julian: yes! a common nonprofit story.

susan: exactly, the creep of scope of work. could you recommend resources or reading, in addition to the ones i’m going to share out with everyone via the chat that i’ve already done, or in the follow-up email? is there somewhere we could point her?

julian: gee. that’s a great question, and i wish i had a better answer, or any answer really. because in my travels i never come across those things in my own work, or day-to-day running or just doing things. i’m sorry. i can talk about most things if i have to, but i’ll save time and just say i don’t really know. i’m sorry.

susan: and i’ve chatted out a url to an article that we have on techsoup. techsoup does have quite a bit on security, so i will try to include those links as well in the follow-up email to help allyson. so thank you.
lisa asks, “is there a particular virus protection that the presenter recommends?”

julian: not strongly, as in, i don’t monitor that space closely or keep super up-to-date on how things are going. but in the past, 2 that i have used and been pleased with, and i like the model that they follow, are avast, a-v-a-s-t, and also one called malwarebytes, malware b-y-t-e-s. i’ve had good success with those. keeping with the paranoia theme, it’s good to run more than one because some will catch things that the other doesn’t, and vice versa. the thing with virus software is some of them really slow down your computer because they are sort of double-checking every single thing all the time, and it is really annoying. and there can be other sorts of annoyances through using them. if you find one that is not quite to your liking, or there are things that are bugging you about it, that’s fine. go find another one, there’s lots out there, but those are 2 that i’ve used before and been happy with.

susan: great. this question, i apologize for this coming a little late because michelle did ask it earlier, but i wanted to make sure i understood it. but michelle is asking, “are email headers just as useful when so many organizations use mailchimp and those types of services?” i think she is looking at detecting the risk.

julian: yeah. well, email headers, in terms of detecting the source of the message, they will reveal, somewhere in there will be some clue that it came from mailchimp. so that’s still useful. the mail headers basically just tell you, unless they’ve been tampered with. the thing is, most spam messages and fake messages, they are preying off the lowest, lowest common denominator. they are not trying to trick edward snowden into clicking on the link. so they are not going to spoof anything and everything, and make it sort of undetectable. they are hoping that your grandma, the proverbial grandma – we always pick on the grandmas using technology, and what do they know, those old folks? but some of them are smarter than you think and they are pretty savvy. but they are trying to trick somebody into doing this who doesn’t know a whole lot about it. so if you start to look under the hood, like at the headers, you are probably going to see some fishy stuff going on. but if it’s actually from mailchimp, you would see that. so it is still useful. it gives you the path that the message traveled from mailchimp to you. it’s always useful because more information is more power in these situations.

susan: great, thank you. i am actually going to close the question and answer session because we are right at noon. i wanted to let everybody know about some upcoming webinars and events. and if you could, just before you jump off, please take our survey, and if you could just chat one thing you learned. we are having another security webinar tomorrow and it is very specific to the microsoft cloud. so i think that if you came to this, and you are additionally interested in these security topics, please join us tomorrow. we also, next week, will be having an event about adobe illustrator, and also something about digital storytelling. i’d like to thank julian for volunteering his time and his expertise to share this information with you. i am now sufficiently, not scared, but i am definitely wiser for having taken this webinar alongside everyone on the call today. so thank you julian, we really appreciate this. this was super. this was really awesome. i want to thank all of the learners joining us today. we know your most valuable asset is your time, so thank you for your hour today. i hope you have a great rest of your week. and a special thank you to readytalk for providing this platform for us. so thanks, and hope to see you on our next presentation, perhaps tomorrow. thanks julian. bye-bye.