TechSoup Blog

Privacy

PC Tools Security Software Available to Distribute to Constituents and Members

Barbara has blogged here before about the new TechSoup Limited offerings available to nonprofits and libraries on a limited basis. It was just brought to my attention that there are four TS Limited products that organizations and libraries are allowed to re-distribute to their constituents, members, and individual supporters.

Our donor partner, PC Tools, has made their Internet Security, Registry Mechanic, Spyware Doctor, and famous Spyware Doctor with Antivirus broadly available to nonprofits and libraries — and now to your members and users as well.

Each of the three products includes 3 licences that can be installed on 3 different machines (for a total of 9 installations), so not only can your organization use their spyware, antivirus, and registry cleaning tools to keep your computers functioning well, but you can also share them with the individuals you serve. According to the restrictions:

Tools to Share Large Files Online

TechCrunch, the popular technology blog, just published a survey and matrix on some online apps to share large files. We had a forum thread on a similar topic a few weeks ago, and as the responses in the blog post and forum thread suggest, there is no clear "winner" in this field, and the best tool for you will depend on your organization's needs.

Creating Strong Passwords

The recent theft of confidential documents from Twitter's Google Docs account points out the dangers of insecure passwords. NTEN's blog discusses the details of the break-in and lessons we should learn from it. The chief lesson: good passwords are key to good security.

A 2007 NTEN post provided suggestions and resources for creating strong passwords and establishing a password policy. More recently, Slate.com published an article called "Fix Your Terrible, Insecure Passwords in Five Minutes" with general password tips and a clever algorithm for developing strong passwords. You can also look at TechSoup's Security Corner for more tips, articles, blog posts, and resources on securing your information.

 

Photo: Paul Linton

Twitter Hacking and Cloud Security

The front-page headlines read "Hacker steals Twitter's confidential documents," but the real story isn't about Twitter — it's that the stolen documents were stored online, "in the cloud." This could happen to any nonprofit or company storing data this way. As we've seen over and over, it's amazingly easy to guess or steal passwords. And anyone who gets access to the password of an employee with access to those online files gets access to all files shared with that employee. This can happen with internal network passwords as well, but there are differences:

  • IT staff can require secure passwords for their own networks and email systems. They can't control the password requirements for web-based email accounts or cloud computing apps.
  • IT staff can require employees to change their network passwords regularly. They can't do that for cloud apps.
  • IT staff can test the security of passwords on their own networks. Do they do that with their employees' Google Doc passwords?
  • IT can disable email and network accounts for former employees. Does anyone think to disable those employees' access to docs in the cloud?

RSA 2009: Symantec and MessageLabs Talk About the State of Security

At an event where managed security services provider MessageLabs (now part of Symantec) showcased Internet threats in art form, I had a chance to talk to Brian Hernacki, an Architect at Symantec Research Labs, and Mark Sunner, the Chief Security Principal at MessageLabs. In addition to seeing malware and virus code realized visually, I gained some insights on the present and emerging threats on the Internet.

Hernacki asserted that since the acquisition of MessageLabs in November, Symantec has been able to see and address a wider range of threats that are on the Internet. Although he acknowledged that they are still in an integration phase, they are already able to leverage the intelligence that the MessageLabs network brings, and offer a broader range of services for customers. Being able to use a heuristic method and reputation-based scanning in addition to threat signatures allows for more robust surveillance and response. When asked whether the move or at least increased attention to cloud-based services makes the Internet easier or harder to secure, Hernacki believes that it's not one or the other, but just different. There are now more endpoints that organizations need to secure, and Symantec needs to have a global overview of threats as they emerge.

When asked a similar question — namely whether software, infrastructure, or applications as-a-service is a step down for large enterprises but a step up for small businesses — Sunner contended that this isn't the case. He argued that the sheer volume of data MessageLabs processes allows them to react to threats more quickly than when information about threats was independent. They have seen how, instead of payloads delivered as attachments in email, users are now engineered to click on links from spam. It is thus more important to address the spam issue more vigilantly.

RSA 2009: Staysafeonline.org Launches Program to Build K-12 Cyber Awareness

The National Cyber Security Alliance (NCSA), a nonprofit that serves to promote online security awareness and education, just launched their new initiative at the RSA 2009 conference. Named C-SAVE, for Cyber Security Awareness Volunteer Education Program, it is a program "to encourage and support security and IT professionals as well as other knowledgeable about cyber security to put their knowledge and expertise to work in local schools."

In their featured session, Executive Director Michael Kaiser not only outlined the importance of educating young people about online best practices, but also gave examples of the impact on their families and communities as more people become better informed. We sometimes forget the fact that many of us learn about computers, networks, and security as adults. Although many of our children are more adept with technology overall, they are not as informed about privacy and security implications, and school districts need our help too. We hope that nonprofits and public libraries too can get involved in such an important mission that affects our future generation.

RSA 2009: Cloud Security a Recurring Theme

Last year at RSA — the annual industry-wide information security conference held here in San Francisco — we noted that Web 2.0 was one of the question marks in terms of security and how to support users and data.

This year cloud computing is on the hot topic track, and in one session, "Are Clouds Secure? Security and Privacy Implications of Cloud Computing," the presenters from RSA and Sun Microsystems argued that due to a variety of factors, large enterprises are ill-advised to use, or at least shouldn't be using, public clouds for their infrastructure or applications. At the same time, they believe that although software-as-a-service (SaaS) is likely to be a step down in terms of security for large enterprises, it may be a step up for small and medium businesses.

I think that the same can be said for nonprofits as well. The pay-as-you-go pricing makes it more like an operating expenditure rather than a capital expenditure, which fits our sector well in many cases.

Downadup/Conficker Worm Update

Back in January, we blogged about the Downadup worm on the rampage. Fast forward two months, and not only has the problem not been suppressed, Downadup (also known as Conficker) has evolved and its variations have grown more sophisticated and potentially more virulent.

For example, it is said to have encrypted P2P (peer-to-peer) communication mechanisms to ensure a distributed command structure, and to prevent Windows Update and antivirus software from cleaning it. Currently it is still lying dormant.

Based on the code, some experts think that starting on April 1, infected computers can be activated to receive instructions as a massive botnet. If you haven't allowed Windows Update to address this issue since October 2008, or haven't scanned your computer using updated virus definitions, at this stage perhaps the best protection may just be to ensure that your data is backed up and intact.

If your computer is infected with Conficker — as with any other infection — be prepared to take any infected computers offline and even reinstall your operating system. Learn more about building stronger security for your personal and office machines in TechSoup's Security Corner.

Who's Reading Your Google Docs?

TechCrunch is reporting a security flaw found by a security expert in Google Docs, but says that Google has not replied to the problem yet. Allegedly the flaw consists of:

  • Embedded images in docs can be accessed by those without permissions, even after deletion. In other words, images in docs do not inherit the permissions of their parent.

New Year's Resolution: Be Good to Your Data

My friend and fellow consultant John Kenyon is fond of saying that, after people, data is an organization's most important asset. An organization's databases store its history: contact records; people served; donors, funders, and prospects; VIPs, volunteers, and vendors; event attendees, and more. Yet many organizations don’t pay enough attention to the care and feeding of their databases.

Without policies, procedures, training, management, and ongoing attention, databases will become filled with inconsistent, unusable data, and data will be scattered hither and yon in spreadsheets, shadow databases, and desk drawers.
