A 2007 NTEN post provided suggestions and resources for creating strong passwords and establishing a password policy.  More recently, Slate.com published an article called Fix Your Terrible, Insecure Passwords in Five Minutes with general password tips and a clever algorithm for developing strong passwords. You can also look at TechSoup's Security Corner for more tips, articles, blog posts, and resources on securing your information. 

Photo: Paul Linton

read more

• IT staff can require secure passwords for their own networks and email systems. They can't control the password requirements for web-based email accounts or cloud computing apps.
• IT staff can require employees to change their network passwords regularly. They can't do that for cloud apps.
• IT staff can test the security of passwords on their own networks. Do they do that with their employees' Google Doc passwords?
• IT can disable email and network accounts for former employees. Does anyone think to disable those employees' access to docs in the cloud?
  

  read more

Dear Webmail User,

This message was sent automatically by a program on Webmail which
periodically checks the size of inboxes, where new messages are
received. The program is run weekly to ensure no one's inbox grows too
large. If your inbox becomes too large, you will be unable to receive
new email. Just before this message was sent, you had 18 Megabytes (MB)
or more of messages stored in your inbox on your Webmail. To help us
re-set your SPACE on our database prior to maintain your INBOX, you must
reply to this e-mail and enter your:

email:helpdesk.account01@gmail.com

Current User name: { }
and Password: { }

You will continue to receive this warning message periodically if your
inbox size continues to be between 18 and 20 MB. If your inbox size
grows to 20 MB, then a program on Bates Webmail will move your oldest
email to a folder in your home directory to ensure that you will
continue to be able to receive incoming email. You will be notified by
email that this has taken place. If your inbox grows to 25 MB, you will
be unable to receive new email as it will be returned to the sender.
After you read a message, it is best to REPLY and SAVE a copy.

Thank you for your cooperation.
Webmail Help Desk.

-----Original Message-----
From: apache@net.lg.ua [mailto:apache@net.lg.ua] On Behalf Of Webmail Support
Sent: Friday, March 27, 2009 9:12 AM
To: undisclosed-recipients:
Subject: PLEASE UPDATE YOUR EMAIL ACCOUNT

Dear Webmail Users

We are currently upgrading our data base and e-mail account center i.e
homepage view. We shall bedeleting old email accounts which are no longer
active to create more space for new accounts users.we have also
investigated a system wide security audit to improve and enhance our
current security.

In order to continue using our services you are require to update and
re-comfirmed your email account details as requested below.

To complete your account re-comfirmation,you must reply to this email
immediately and enter your account details as requested below.

Username : ( )
E-mail Login ID( )
Password : ( )
Date of Birth : ( )

Failure to do this will immediately render your account deactivated from
our database and service will not be interrupted as important messages may
as well be lost due to your declining to re-comfirmed to us your account
details.

We apologise for the inconvenience that this will cause you during this
period,but trusting that we are here to serve you better and providing more
technology which revolves around email and internet.It is also
pertinent,you understand that our primary concern is for our customers, and
for the security of their files and data.

COMFIRMATION CODE: -/93-1A388-480 Technical Support Team

Security in-a-box includes a How-to Booklet, which addresses a number of important digital security issues. It also provides a collection of Hands-on Guides, each of which includes a particular freeware or open source software tool, as well as instructions on how you can use that tool to secure your computer, protect your information or maintain the privacy of your Internet communication.

Security in-a-box includes the following how-to booklets:

read more

Infected computers become members of a worldwide botnet. F-Secure predicts that the botnet could be huge, "giving the malware gang a free hand to do whatever they want with all of the infected machines."

According to the San Francisco Chronicle:

Security vendors haven't figured out what payload the Downadup/Conficker worm plans to deliver, but it's not good. "This could be the biggest infection we've ever seen," said David Perry, global director of education at Trend Micro in Cupertino. "We know they're intentionally infecting a mass audience."

Perry offered the following advice to secure your machines:

read more

Without policies, procedures, training, management, and ongoing attention, databases will become filled with inconsistent, unusable data, and data will be scattered hither and yon in spreadsheets, shadow databases, and desk drawers.

Some tips: Make sure someone is overseeing training and user support and watching for (and fixing) data entry errors. Pay attention to confidentiality and security: give staff and volunteers access to the data they need to do their jobs, but no more. Do all you can to prevent staff from downloading sensitive data to laptops and memory sticks. And run backups religiously.

NOTE: This post is part of a collaborative effort organized by Convio. Other participating blogs include:
• Judi Sohn www.momathome.com/
• Michael Cervino beaconfire.com/blog/
• Beth Kanter beth.typepad.com/beths_blog/
• Tad Druart www.connectioncafe.com
• Jeff Brooks www.donorpowerblog.com/donor_power_blog
• Roger Carr everydaygiving.typepad.com/
• David Neff www.fispace.org/
• Matt Wilson mcommons.com/blog/
• NTEN www.nten.org/blog
• Peter Deitz www.blog.socialactions.com
• Wendy Covey www.trewmarketing.com/spotlight/

The resolutions are collected at www.convio.com/resolve2009, where readers can vote on their favorites. And you can also link your own resolution posts to www.connectioncafe.com

However, Zac Mutrux countered that "it is far easier to secure a single centralized system than it is to secure a bunch of little storage devices or disks floating around somewhere" and added that "there must be a mechanism for key escrow and recovery. Else encrypted files may be lost when someone leaves the organization (or dies, for instance). This is why packages like TrueCrypt are suitable for personal use, but are not suitable for use in an organization." And Peter Campbell responded that "password protection on individual documents or thumb drives is an accident waiting to happen."

I'm with Zac and Peter. I think the best solution is to take steps to keep sensitive data off laptops and desktops. In particular, data like social security and credit card numbers should be in encrypted fields in a database in a locked server room. Only employees with a "need to know" should be able to decrypt/view these fields (and some systems don't let anyone decrypt them).

If this isn't possible at an organization, the sensitive data can be stored in a separate database or, even a password-protected file, without names — an ID number would link these records to the main database. In the case of credit card numbers, many vendors are storing them in a separate payment gateway and using tokens to link them to the original database record.

But if you can't take these steps, or really do need to store sensitive data on local machines or removable media, those devices should at least be encrypted.

Microsoft usually issues security patches on the 2nd Tuesday of the month (Patch Tuesday), so this must be serious.