Your nonprofit is connected to the Internet in one way or another. Whether it’s through your nonprofit’s website, email address, social media presence, or even a listing on CanadaHelps, your information can be found online. Hackers, armed with a bit of your information and some decent computer skills (although not always necessary), can hijack your accounts and compromise your security. This is why it’s crucial for nonprofits to understand computer security threats and learn how to protect themselves.
Julian Egelstaff (FreeForm Solutions) joined us for April 8th’s Toronto Net Tuesday to discuss best practices for IT security and privacy online. This blog post summarizes the key discussion points from this event. You can also watch the event recording on TechSoup Canada’s YouTube channel and see Julian’s presentation on Prezi.
Protecting your nonprofit’s computer and IT networks takes more than just a simple anti-virus software installation. Your nonprofit needs to understand what the possible computer security threats are before you can learn to properly protect yourself against them.
Julian demonstrated the importance of IT security with the story of Mat Honan, who was hacked in 2012 by attackers who did not use any advanced computer skills or programs. Julian then shared with us a few tips, strategies and best practices for IT security, so your nonprofit can protect your information from both hackers and malicious software:
- The Epic (& Easy) Hacking of Mat Honan
- Payments Online
- Social Media
- Protecting Your Computer
- Are You Ever Really Anonymous Online?
- Email & Spam
- Protecting Your Website
- The Cloud
Without sufficient protection, anyone with the right amount of dedication and creative thinking can hack into your Twitter, Facebook, email and any other online account. Just ask Mat Honan.
Mat Honan is a Senior Writer at Wired (think of this as the Rolling Stones of the tech industry). In 2012, Mat’s Twitter, Amazon, Gmail and Apple accounts were hacked and deleted. The worst part? The hackers didn’t use any advanced computer skills to hack into Mat’s accounts.
Here’s how the hackers did it:
| Step | Sources Used | Accounts Compromised |
|---|---|---|
| Found Mat’s website displayed on his Twitter account | | |
| Found Mat’s Gmail address on his website | Website | |
| Requested a password reset on Gmail; Gmail partially revealed Mat’s secondary email address (firstname.lastname@example.org). Hackers guessed his secondary email address must have been a variation on his name (mat.honan?) | Gmail | |
| Looked up Mat’s billing address by doing a whois search on his personal web domain | | |
| Hackers called Amazon.com, verified their “identity” by stating Mat’s secondary email address & billing address, then added their own, personal credit card to Mat’s Amazon account | Billing address; Secondary email address; Hacker's personal credit card | |
| Called Amazon.com back, verified their identity again, and added their personal email to Mat’s Amazon.com account | Amazon; Billing address; Hacker's personal email; Hacker's credit card | |
| Logged into Mat’s Amazon.com account. The hackers can now see the last four digits of Mat’s credit cards | Amazon; Hacker's personal email | |
| Called AppleCare tech support, verified their “identity” by using Mat’s billing address and the last four digits of his credit card. AppleCare gave the hackers a temporary password to Mat’s secondary email address at @me.com | Billing address; Last four digits of Mat's credit card | |
| Hackers logged into Mat’s @me.com email address | Temporary password (provided by AppleCare) | Amazon |
| Hackers successfully reset Mat’s password for his Gmail account | Secondary email address | Amazon |
| Hackers logged into Mat’s Gmail account to reset his Twitter account | Gmail | Amazon |
| Hackers deleted Mat’s iPhone, iPad, MacBook, Gmail and Twitter account | Gmail; Secondary email address | |
The hackers obtained Mat’s information through sources that are accessible to anyone with an Internet connection. This type of hacking is known as social engineering, where the hackers obtain confidential information by manipulating people and systems through a series of actions.
As demonstrated by this unfortunate incident, hackers don’t necessarily need a background in IT or use advanced computer skills to hijack an account.
Read more about Mat Honan’s Hacking: How Apple and Amazon Security Flaws Led to My Epic Hacking
Note: Mat Honan eventually recovered his accounts and the security policies for Amazon and Apple have become more strict. Mat, however, admits that if he had used a two-factor authentication process for his Google account, it's possible that none of this would have happened.
Spammers often trick users into going to websites that are carriers of viruses, malware, spyware, Trojans, and other unwanted software in order to compromise the user’s computer. You and your staff can determine which website addresses are authentic and which addresses lead to suspect websites by learning how to read uniform resource locators (URLs).
URLs are read from right to left, starting with the top level domain (.com), then the domain name (google), the subdomain (www.) and finally the protocol (http://). All web addresses have a top level domain, domain name and protocol; however, addresses can have multiple subdomains (e.g., en.can.example.com) or none at all (e.g., example.com).
To figure out whether a domain is authentic or not, ignore the slashes after the top level domain and carefully examine the URL’s subdomains. With that in mind, let’s see which of these URLs are authentic:
If we ignore the slashes after the top level domain, we’re left with:
Now to examine the subdomains:
The first URL’s subdomain is easywebsoc, domain name is td and top level domain is .com, whereas the second URL’s subdomain is easywebsoc.td.com, domain name is banksite and top level domain is .cc. After careful examination, it’s clear that the first URL is authentic and second is suspect.
This is what a secure password looks like: nCo5”1A#iM@,h0CQW:=&JPcf/
Yes, it’s nearly impossible to memorize this password, but remember: passwords are meant to protect your information from computers, not from other people sitting at a keyboard guessing your password.
If a hacker breaches your computer, they’ll steal a list of encrypted passwords (i.e. hashes) and use computers to guess the right combination of letters, numbers and symbols to your password. With enough guesses, these computers will get your password, as this is just a matter of probability.
A secure password is long (the longer the better, recommended min. 11 characters), combines upper and lower-case letters, numbers and symbols, and isn’t part of a pattern. Don’t let your browser remember passwords to personal and sensitive accounts (e.g., bank accounts) and don’t use the same password for multiple accounts.
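An added example (Python, not from Julian’s presentation or the original post): it generates a random password that meets the criteria above and estimates how long a computer would need to try every random password of a given length. The guess rate of 10 billion per second and all function names are assumptions made for illustration; real rates depend on the hash algorithm and the attacker’s hardware.

```python
import math
import secrets
import string

MIN_LENGTH = 11  # minimum length recommended in the post
CLASSES = {
    "lower-case letter": string.ascii_lowercase,
    "upper-case letter": string.ascii_uppercase,
    "number": string.digits,
    "symbol": string.punctuation,
}


def policy_problems(password):
    """List the criteria from the post that a password fails (pattern checks not covered)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    for name, chars in CLASSES.items():
        if not any(ch in chars for ch in password):
            problems.append(f"no {name}")
    return problems


def generate_password(length=26):
    """Draw characters from the OS random source until every class is present."""
    if length < MIN_LENGTH:
        raise ValueError(f"use at least {MIN_LENGTH} characters")
    alphabet = "".join(CLASSES.values())
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not policy_problems(candidate):
            return candidate


def guess_space_bits(length, alphabet_size=94):
    """log2 of the number of equally likely random passwords of this length."""
    return length * math.log2(alphabet_size)


def years_to_try_all(bits, guesses_per_second=1e10):
    """Assumed guess rate; patterned or reused passwords fall far sooner."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    print(generate_password())
    for n in (8, 11, 26):
        print(n, "chars:", f"{years_to_try_all(guess_space_bits(n)):.3g} years")
```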
Julian recommended that nonprofits use a two-factor (two-step) authentication process for highly sensitive accounts. Two-factor authentication usually involves entering a password and another piece of information (e.g., authentication codes via RSA SecurID or a text from your cell phone) before you can log into an account.
You and your colleagues should also use a password manager, such as KeePass, PassPack or LastPass, to store and share your passwords. Password managers use state-of-the-art encryption technology to create a secure database to store your passwords, eliminating the need to write or memorize your passwords.
Julian explained how information and data on the Internet are sent in pieces (i.e., packets) and through a series of connections. For example, when you send information from your computer to your bank’s website, your information breaks up into packets that travel across the Internet, from one machine to another until the packets reach the bank’s computers. Once the packets arrive, the bank assembles them to recreate the original information sent.
With this in mind, you need to pay careful attention to the URL’s protocol if and when you make a payment online:
If there’s no https and no “lock” symbol, you’re not on a secure connection. Without a secure connection, your information will be sent “in the clear”. This means your packets of information can be intercepted and interpreted by attackers. A secure connection, as indicated by the https, essentially encrypts your packets so only the intended recipient can interpret your data. As such, it’s highly recommended that you only enter sensitive information, such as a credit card number, on a secure connection. If you’re still wary of making online purchases on a secure network, another good practice is to use low-limit credit cards for online purchases.
It’s important for you to pay attention to your nonprofit’s social media privacy settings. Many social media platforms, such as Facebook, Twitter and Pinterest, change their privacy settings from time to time.
Nonprofits also need to be extra careful when it comes to sending any form of communications on the Internet. Julian described social media and online communications as being as private as talking to your friends on a subway: your message may be intended for a specific audience, but there are other people around who can hear it as well. Even if you can delete or take back a message on social media, your message will still be on the Internet in one form or another (and in most cases, deleting or removing a message will only result in the Streisand effect).
Make sure your nonprofit is regularly performing backups. Automated or manual computer backups will protect your nonprofit against accidents (e.g., deleting folders, hard drive failures, power surges etc.) and threats.
It’s also important to have an anti-virus program and keep it up to date. Julian explained how software on your computer, regardless of whether it’s malicious or not, can access everything on your computer, such as programs, webcam, etc. To demonstrate this point, Julian used the Prey Project, a program that allows you to remotely monitor your computer or phone when it’s stolen, as an example. The Prey Project can track your stolen computer/mobile without using GPS and allows users to access the computer’s functions remotely (such as the webcam to take a picture of the thief or a screenshot so you can see what’s happening on your stolen computer screen). The Prey Project is a fully legitimate and safe program designed to help users track their stolen devices, but it also demonstrates how any program installed on your computer can access anything on your computer.
To protect highly sensitive data, nonprofits can also install encryption software on their computers. Encryption software scrambles the information on your hard drive so it cannot be read if your computer is stolen. You can use encryption software to encrypt data on your USBs too.
No one is ever truly anonymous online and this isn’t a bad thing. That’s just how the Internet works. When you go to a website, you are requesting information from a server on the Internet to retrieve information and display the webpage. If you are truly anonymous, the server won’t know where to send the information to and therefore, you won’t be able to access anything on the web. This is why your device will always reveal your Internet Protocol (IP) address, which allows you to request and receive information over the Internet.
An IP address doesn’t equate to “your identity” and can change if you use different Internet connections (e.g., the IP addresses for home, work or coffee shop connections are different). However, if your nonprofit wants to add an extra layer of security to protect your Internet browsing activities, you can. Julian recommended that nonprofits looking for a very high level of online security use the Tor Project, a program that makes it nearly impossible to track your online activities. Tor prevents people from learning your location or browsing habits and can be used on web browsers and instant messaging programs. This can be especially useful to protect sensitive projects, such as human rights or political activities.
Aside from your IP address, you also leave behind information on your own computer in the form of browser and flash cookies. Cookies are bits of information that an external website leaves on your computer so it can remember you (e.g., saved form fields etc.). Private browsing, like Google Chrome’s Incognito Mode, doesn’t save browser cookies but it still stores flash cookies. If you’re concerned with leaving behind browsing history and information, remember to clear your browser cookies regularly.
A good rule of thumb is to not open suspicious attachments! What counts as suspicious? Everything (remember, we’re paranoid). Your friends, family and colleagues can get viruses that send messages to everyone in their address book, so unless an email contains information that you are expecting, consider it suspicious.
There are numerous ways you can check if an email is “fake” (composed by a spammer/hacker) or legitimate (composed by your friend), but the best way is to examine the links. When you hover over links in your email, your mail client should have some way to display the link’s destination. Remember the URL lesson and ask, “what’s the destination of this link and do I want to go there?”. If the domain and top level domain in the link are suspicious, don’t click on it! Another good precaution is to run your anti-virus program, as it will most likely stop any malicious websites and programs from loading.
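The URL lesson and the link check described above, combined in one added example (Python, not part of Julian’s presentation or the original post): it lists every link in an HTML email with the domain it really leads to, reading each URL from right to left. The email body, the `/login` paths, the function names and the short list of two-label top level domains are constructed for illustration; a real check would use the full Public Suffix List.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: tiny stand-in for the Public Suffix List (two-label top level domains).
TWO_LABEL_TLDS = {"co.uk", "on.ca", "com.au"}
# Constructed e-mail body; the host names are the two from the URL lesson.
SAMPLE_EMAIL = (
    '<p><a href="https://easywebsoc.td.com/login">Sign in</a> or use '
    '<a href="http://easywebsoc.td.com.banksite.cc/login">https://easywebsoc.td.com/login</a>.</p>'
)

def read_url(url):
    """Return (protocol, subdomain, domain name, top level domain) for a URL."""
    parts = urlsplit(url)
    labels = (parts.hostname or "").rstrip(".").split(".")
    n = 2 if ".".join(labels[-2:]) in TWO_LABEL_TLDS else 1
    domain = labels[-n - 1] if len(labels) > n else ""
    return parts.scheme, ".".join(labels[:-n - 1]), domain, ".".join(labels[-n:])

class LinkCollector(HTMLParser):  # collects (visible text, href) for each <a> element
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def review_links(html, expected):
    """Return (text, destination domain, verdict); expected is a set such as {"td.com"}."""
    collector = LinkCollector()
    collector.feed(html)
    report = []
    for text, href in collector.links:
        protocol, _, domain, tld = read_url(href)
        dest = f"{domain}.{tld}"
        verdict = ("suspect" if dest not in expected
                   else "ok" if protocol == "https" else "not https")
        report.append((text, dest, verdict))
    return report

if __name__ == "__main__":
    for row in review_links(SAMPLE_EMAIL, {"td.com"}):
        print(row)
```

The second link shows why the visible text of a link proves nothing: it displays the authentic address while its destination is banksite.cc.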
Hackers often exploit vulnerabilities on websites to steal information without the victim even knowing. To ensure your nonprofit’s website is well protected, have an IT professional who knows what they’re doing manage your website, and keep your site up to date with the latest security patches. The recent discovery of the Heartbleed bug is an excellent example of why it’s important to keep your security patches up to date. Most attacks on your website are automated and take advantage of known holes that have known fixes.
Julian also suggested that nonprofits use strong passwords for all crucial access points (i.e., FTP, server control panel, website administrator accounts) and save these passwords in a password manager. Julian’s last piece of advice was to make sure your web developer, or whoever is building your website, understands what “XSS”, “SQL Injection” and “CSRF” mean.
Many nonprofits are concerned about data security in the cloud but in reality, the cloud is more secure than many “local” storage systems that are being used right now. Many organizations don’t properly encrypt their data, backup their files or update their SSL patch. The cloud, on the other hand, is always up-to-date with the latest security patches, has the best firewalls, has people monitoring the security logs daily, is physically secured and the data is being backed up regularly. The cloud is also very convenient for you and your staff, as you can access your files no matter where or what device you’re using.
Although there are many benefits to cloud computing, nonprofits should be aware that working in the cloud will require more bandwidth.