Welcome again to Privacy and Security. Paranoid, or are they really out to get you? My name is Becky Wiegand and I am the Webinar Program Manager here at TechSoup. I've been with the organization for six years and prior to that, spent about a decade in Washington, D.C. and Northern California working with smaller nonprofits. I was regularly the accidental techie where I had to figure out the security protocol and how to protect and how to safely work with our technology and data online. Also joining us today is Julian Engelstaff and he will be guiding us through a lot of today's presentation using a Prezi. So if you are looking at the slide deck that was sent out earlier, you won't see all of his presentation but we'll share a link to that later as well. He's been working in the software and IT industries for over 18 years and in 2003 he co-founded Freeform Solutions which is a not-for-profit organization with a mission for helping other nonprofits using technology and helping them use it more effectively. He's a lead programmer of Formulize, an open source software that lets non-programmers create database systems on their own website, CMSs and mobile devices. And he is based in Toronto, Canada. So for all of the Canadians joining us, we've got one of your own today. Also joining us is Emily Eklund. She joined the National Cyber Security Alliance in 2011 as the managing editor of Digital Media. And today she serves instead as the Director of Digital Strategy and Awareness Campaigns. In her role she leads the day-to-day management of Stop, Think, Connect, the National Cyber Security Education and Awareness Campaign as well as National Cyber Security Awareness Month. And we'll be hearing from her about some of the resources they have available as well as tips on how to secure yourself and your organization. We'll also have Kevin Lowe who's a Senior Program Manager for NET Squared which is a part of TechSoup Global.
He is a prior tech analyst here and was our resident security expert for many years. He also recently authored our released 12 Tips for Being Safer Online Guide which is explicitly written for nonprofits and libraries to help them navigate online security. In the chat you will see Alibaz Dikian who's there to help you with any questions and any technical issues. So feel free to chat into us throughout the webinar. A look at today's agenda, I'll do a quick introduction to TechSoup. Then we'll have a poll where we want to hear from you which topics that we have listed out today are the ones you care most about because that will help guide us when Julian starts the Prezi on which topics we spend the most time on. So we really want your input on that and hope that you'll participate in the poll and also chat into us if there are areas that we're missing that you'd like to see us present more content on. He'll start off that Prezi with a not-so-tall tale of hacking that will illustrate how easy it is these days to bypass some security measures that might be lightweight because of your own behavior often. And then we'll talk about some practical privacy, security, and safety tips in a variety of those areas. We'll also talk about our online, safer online guide that's available that we'd love for you to use and distribute and share and remix for your own audiences. And then we'll have time for Q&A. Today's webinar is 90 minutes and we hope you'll be able to stay with us throughout. If not, again you'll get that recording later today so you can refer to any parts that you may miss. So TechSoup is a 501c3 nonprofit and we are working toward the day when every nonprofit, library, and charity can access the technology, resources, and knowledge they need to operate at their full potential. We do this in a variety of ways and we've been doing it since 1987. 
We have donation programs and partnerships that are more than a handful of technology vendors and corporations that donate their technology. And it's saved more than $3.75 billion in IT expenses and served more than 200,000 charitable organizations around the world. You can find more about our work at TechSoup.org. Now on to our survey. This live poll we're asking you to click on your top three priorities that you'd like to learn about today from this list. And if there's something not on this list that you'd like, go ahead and chat into us in the window. So do you want to learn more about how to tell what's a safe URL to click on? Do you want to know more about passwords and how to make them secure? How to make payments and transactions secure for yourself and for your audience via your website? Do you want to know more about privacy and maintaining security of yourself and your organization on social media? Protecting your computers, especially if you run public computing labs or have computers available to your community? How do you protect those? How do you protect your data on your computers? Do you want to know more about cookies and your anonymity online? What about email and spam? Is that a big issue for you? Would you like to learn more about how to protect your website and keep it secure? Are you considering or maybe already in the cloud with some of your organization's data? And how do you manage that and keep it secure in the cloud? Are you interested in learning more about public Wi-Fi and how to keep that locked down and secure when you're doing things using public Wi-Fi or making public Wi-Fi available to your community? So go ahead. I'm just going to give another moment for everybody to have a chance to respond. And then we will start off with that story I mentioned after we have our presenters introduce themselves a little bit. And then we will use the results of today's survey as a guide to help us navigate through the next 80 minutes now. 
So I'm going to give just 5, 4, 3, 2, 1, and show our results here. So it looks like the great majority of you are interested in top priority is protecting your computer. So how do we keep that hardware safe? 71% followed by security in the cloud, and then secure payments and transactions. Oh, did I miss one? Protecting your website. Sorry, that would be the third. So protecting computers, security in the cloud, and protecting your website are the top three. But we will hopefully be able to have time to touch on all of these topics. And again, if there are things that you have questions about or areas that we don't have listed here, go ahead and chat them to us. We have 80 minutes, so we will do our best to get through all of these sections to some degree. But in that time we are not going to be able to make any of us individual experts on security processes. But hopefully you will leave with some really practical tips to help yourself, your organization, and by extension your community that you serve. So I'd like to go ahead and bring our first speaker onto the line and welcoming Emily Eklund to introduce herself and the work that she is doing at Stop, Think, Connect and the National Cyber Security Alliance. Welcome to the program, Emily.

Hi, everyone. Good afternoon. As Becky mentioned, my name is Emily Eklund, and I am the Director of Digital Strategy and Awareness Campaigns at the National Cyber Security Alliance. We are a public-private nonprofit based in Washington, D.C., and our mission is to empower and educate people to stay safer and more secure online. And we do that through a couple different programs. I think the most applicable today is our Stop, Think, Connect program, which as some of you hopefully know, is the Global Cyber Security Education and Awareness Campaign to help everyone stay safer online.
And we are co-founders of the Stop, Think, Connect campaign, which launched four years ago, and it was a collaborative effort between another nonprofit group called the Anti-Phishing Working Group and 25 private companies and seven federal agencies, including the White House. So we are kind of the Smokey-the-Bear type campaign, but for online safety. So we will be talking a lot about some of our Stop, Think, Connect tips and messages throughout this webinar. And another one of our core programs, as you guys probably know too, is National Cyber Security Awareness Month. We co-founded that, and we operate all of the awareness activities throughout the month, all of our grassroots efforts, events around the country, Twitter chats, which will be happening later this afternoon, and all of the collateral that you see on our website. So I look forward to chatting with everyone today.

Terrific. Thank you for that. And here's just an example of some helpful tips that they offer and resources that they offer across their organization. You know, the "when in doubt, throw it out": avoid clicking on suspicious emails. It should seem obvious, but we know from research that is the primary way that people get infected computers is by clicking on links that really shouldn't be clicked on. So just a little tip there before we take it to Julian. So Julian is going to be sharing his desktop and a Prezi. If you're not familiar with those, it's just a more interactive type of presentation. And so he won't be able to see your chat questions or comments while he's presenting, but the rest of us will. The rest of us on the backend will. So feel free to keep chatting them in if there are any issues where things move too slowly or your screen isn't loading. Go ahead and let us know. Or if the size is funny, he'll be zooming in on lots of things with this Prezi. So even if something is difficult to read at first, he'll likely be zooming in on it so you can read it better.
So just keep letting us know how it looks on your end so we can make sure that it comes through securely. And we'll also chat out the link to this Prezi. So if you have any trouble viewing it, you can also look along with us. Okay? Thanks so much. Julian, welcome to the program. Let us know a little bit more about the work that you do. And let's take it away.

Thank you very much, Becky. Thank you all for being here. I'm so excited to have this opportunity from TechSoup to speak to you all. This is a topic that I feel very passionate about. I spend most of my working time helping people build secure systems online. But there's just a huge universe of issues that cluster around that. And I love helping people understand more about that. So this is a presentation. The first version of this was prepared a few years ago and has been circulated in a few different places. And I've given it myself a few times. And all the material is Creative Commons licensed. If any of you are the tech people at your organizations and you wanted to repurpose this, then you can grab a copy of the Prezi off the Prezi website and feel free to use it yourselves. So a bit about me. I have worked in the computer industry for a while now. I co-founded Freeform Solutions. We help other nonprofits use IT, mostly through websites and databases online. But broadly speaking, our mission is to help other not-for-profit organizations use IT more effectively. So opportunities like this are a bit more of a direct, engaging way to meet our mission. So I want to start with the story of Matt Honan. It's two years old now, I believe, a little over two years old, this story. But some of you may remember it from that time if you pay close attention to these kinds of issues. Matt Honan was a writer, is a writer at Wired Magazine. For those of you who, well, we're speaking of the TechSoup audience, so most of you have probably heard of Wired Magazine.
But for those of you who haven't, it's kind of like the Rolling Stone of the geek world. So this guy knows about technology and knows about security issues on the web. And he got massively hacked, as you might say, colloquially. And I want to look at what happened so that just to get a sense of what are some real-world threats that are out there that really happen and that many of us are potentially vulnerable to. So the first thing that happened is some people took a liking to his Twitter account. Because he worked at Wired Magazine and is up on these things, he was an early adopter of Twitter. And his Twitter account was at Matt, which is a pretty cool Twitter account. I mean, any normal, regular, single word or name, you just, you can't get anymore, right? So some people thought, that's pretty neat. We want that Matt name. So they started poking around to see if they could gain control of that account or steal it from him. So at this point, all that they know is at Matt. While looking at the Twitter profile, his account profile on Twitter, there was a link to his personal website. So now they have two seemingly innocuous bits of personal information. On his personal website, he disclosed his Gmail address, which again is not, you know, not too fancy, you know, not very risque. Lots of us, I'm sure, have exposed email addresses on different websites at different times. Mostly you're just worried about how much spam that might attract. Well, in this case, then the hackers took another step and they decided, we're going to try Google's Reset My Password page just to see what happens. Because they knew his Google email address. So let's try resetting the password on that. Maybe we can gain control of the Google account. What they were thinking was, maybe the Google account is the account that his Twitter password would be sent to. So if they could gain control of the Google account, maybe they could then gain control of the Twitter account. 
So when they tried to do the Reset My Password thing on the Google email address, Google helpfully disclosed that there's an alternate non-Google email that they would send a password recovery message to. And in that case, they put up on screen m slash slash slash n at me.com. Well, the guy's name is Matt Honan. So it doesn't take too much thinking to imagine what the full alternate email address might be. And they also have another implicit bit of information here. Me.com is a domain controlled by Apple. So he's probably got Apple accounts as well. So at this point, since they have figured an email address that he might have, and it's not hard to test that because you send a bunch of messages to a non-existent address, you're likely going to get a bounce back from the server saying, sorry, this message is undeliverable, no known recipient at that address. So one way or another, they were able to deduce his me.com email address. At this point, they call Amazon. And after this incident, which was widely publicized, Amazon changed a bunch of their security practices. And Apple also reviewed and changed a bunch of things. But at this time, they basically played a trick on Amazon, and Amazon went along with it. This is what they did. They called Amazon and asked them to please add a credit card to my account. I'm Matt, please add a credit card to my account. And Amazon lets you do this, or at the time, they let you do this over the phone, because the person on the line knew the name on the account, the billing address on the account, and the email address associated with the account. And so Amazon would let you add a credit card to the account. Now, the reason this is important is because next, they called Amazon back. There's a bit of a hole in Amazon's policies at the time. They called back and said, hi, I'd like to add an email address to my account.
And Amazon allowed them to do this because they knew the name on the account, the billing address on the account, and a credit card number that was on the account. Now, they knew the credit card number because they had just added one themselves. So now they had their own email address, some email address that they controlled attached to his account on Amazon. So this meant that they could log in to his Amazon.com account. They could do a password reset thing on his Amazon account. And now they can see in Amazon the last four digits of all the real credit cards that he has on his account, because Amazon will do that if you save account information. It'll show you the credit card information. And it doesn't reveal the whole credit card. It just reveals the last four digits. So now they know the last four digits of some real credit cards that are really his. And this is important because Apple, the next step on the chain is Apple. And Apple at the time, in order to verify people's identity, would ask for the billing address and the last four digits of the person's credit card. So they had just learned this from Amazon. And they called up Apple and said, I'm Matt Honan. This is my billing address. Presumably his address is publicly available. If you're in the phone book, your address isn't hard to find, of course. And they had the last four digits of the credit card thanks to Amazon. So they let him basically do a reset on his Apple account because they had, to Apple's satisfaction, proved that they were him. So with the temporary password that they got from Apple, they were able to log into the me.com account, the Apple email address that Matt had. And if you remember way back at the beginning, the me.com address was the one that was attached to Gmail account. So they could reset his Gmail password now that they had access to his Apple email.
So now this is getting serious because access to his Amazon account, his Apple account, and his Gmail account are now all compromised. The attackers have control over those accounts. They've been able to reset the passwords. Now they've been able to reset the Gmail password. And so once they've done that, they could reset the Twitter password and take over the Twitter account, which is what they originally wanted to do. Now the nasty part is, since they have access to all of this stuff now, as a last step to make it harder to find evidence of what they had done, they then used the remote wiping features of Apple's cloud infrastructure to remotely wipe his iPhone, his iPad, and his MacBook to try and cover their tracks. And Apple lets you do that for anything that you have associated with your Apple ID. They also deleted his Gmail account. So he lost a lot of stuff out of this. Apple later helped recover things off the hard drive of his laptop, but it's a pretty serious thing that happened to him. And he wrote about it extensively in Wired, and as I say, Amazon and Apple did make some changes. But I liked this story for a whole bunch of reasons. One was because was there some super programmer, evil genius person, wrote an unstoppable virus that took over everyone's computer, and there was no hope to stop it no matter what. Well, no, obviously that's not what happened. This whole attack was accomplished using social engineering, which has always been the most potent tool in any hacker's arsenal. It's the way that people have broken into systems since there were systems to break into. A great example from last year that I read about, and this was so unbelievable, a particular person managed to steal $100,000 in Bitcoins just by asking politely, basically, if they could please have them. Now, you don't need to know what Bitcoins are to understand what happened here.
You just need to know that you can convert Bitcoins into real money, and they're actually worth something when you do that. So this person had, well, as the quote there says, the Ottawa Citizen newspaper got a text copy of a chat session between the attacker and the tech support person in this server space where the Bitcoins were being housed. And at no point in the two-hour-long conversation was the caller asked to verify his identity. Whatever he said and did on the call, the person on the tech support line at the other end just believed him, trusted that it sounded like he knew what he was talking about. He was the guy who he said he was. And so when asked, the technical support worker gained access to the locked server pen where the physical computers were located, plugged in a laptop to the server directly, and then manually gave this fraudster access to the servers of this organization where the Bitcoins resided. And so the attacker was able to transfer those Bitcoins to himself, and then presumably convert them to cash later. And they were worth about $100,000. I'm pretty sure, although I haven't been able to confirm, that there's pending litigation about this, but yeah, it's a crazy story. Just with no, you know, not being asked for any verification at all seems so unusual these days, but it does happen even in 2013. There's a great book called Ghost in the Wires by Kevin Mitnick who once upon a time was on the FBI's most wanted list as the most dangerous computer hacker in the world, a little overblown probably, the assessment of him, but he has an amazing story to tell and he's written this book which explains a lot of what he did. And although he certainly is very technically competent, a lot of what he did was really through social engineering and he explains a lot about how he did that. It's a great read if you're interested in this kind of thing. So that's the preamble. Here's all the things we asked if you're interested, what you're interested in.
So Becky, I think it's protecting your computer was the first thing?

Yep, it's securing computers and I'm happy to read them off to you since you can't look back and see those. But securing computers followed by security in the cloud, those were the first two.

So let's start with that, protecting your computer. Now I know the most important thing about protecting your computer is backups in general, speaking at least of computers that say staff at your organization might be using. This sounds so mundane but backups are the most important thing, period. And anybody who's ever had to go to a backup knows this. Anybody who's ever had to go to a backup that they didn't have knows this even more. And if you have never had to use a backup yet and you're not doing backups regularly then one day you'll cross the line and become one of the converted and it won't be a happy day. So backups are definitely among the most important things. Keeping virus scanners up to date kind of goes without saying although what I hope you learned from a bunch of the things we talk about is just some general behaviors that will keep you one step ahead of the virus scanner. If the virus scanner has to kick in and stop the virus from doing bad things on your computer you've already tripped up somewhere along the line. So it's a good safety net to have but it's better if you can protect yourself. Software on your computer, this is a basic thing to understand about your computers. Software on your computer has access to what your computer is doing. Not just what that software might be doing but potentially that software can access lots of things on your computer. I want to give an example of this. There's a software called preyproject.com. You can go to that website and download the software and install it on your computer or phone.
And it's very useful software if you want to remotely monitor your device if it's not in your possession for some reason and you wonder where it is or what's going on. You can do this also for say iPhones if you log into Apple's iCloud service you can make them ping and make a noise so you can find out where they are. My kids do that all the time because they lose their iPod in the house and so there's this periodic pinging that goes on and you know they're looking for their iPhone. But more seriously, if you're an organization and your laptops get stolen out of the backseat of somebody's car or what have you, something like the Prey software is useful. Now an example of what it can do, you install this software on your computer, well what does that mean happens? Well this is an example of a report that Prey generates if you say my device has been stolen so tell me what's going on, tell me if you can figure out where it is. So I installed this on my laptop and I ran a report pretending that it had been stolen. And what came up among other things was this map with a little pin saying we think it's right about here because it's connected to the internet and the Prey software was on the laptop was sending information back to the mother ship so to speak. Well so surprise my laptop has no GPS but even with no GPS you can often figure out where a device is in the world just based on its internet connection. Also the software had access to the webcam on the laptop and there's a screenshot there of suspicious looking individual that might be taking over your laptop. And screenshots of software that's running and other things like that. So the software on the computer can access all of the resources and information on the computer from the camera, the files that are on the computer and what you're typing on the computer. So Prey is doing this to help you find your computer or phone but viruses are software on your computer as well. It's going to do that without your consent.
That's exactly why you never want viruses anywhere near your computer. It's so bad. Another thing that's useful to know about computers that your own computer is how to protect them especially in the event that they're stolen is you want the information on the computer to not be accessible. So there's a program called TrueCrypt. You can install it on your computer and it is useful for scrambling the information on your hard drive or encrypting it, the technical term would be encrypting the hard drives so that the hard drive can't be read if the computer is stolen. Now this is a very good thing to do but we have to put a big asterisk on this because version 7.1 of TrueCrypt is okay for now but the people who are responsible for maintaining the software have basically stopped maintaining the software. There's no future versions planned. No one has it right now is going to be updating it for sure. There are some other things worth looking at. Some people in the internet community have basically taken on the role of hosting version 7.1 of TrueCrypt and that is still available through the link I give there. There's a similar program called DiskCryptor that you can use and there's also built-in tools in Windows, Mac, and Linux that you can use. So that's my rundown of protecting your computer in general but I know that some of you are interested in situations where you have a whole bank of computers that you might have volunteers using or in a library you might have public access to those computers. Backups are less important in that case. Virus scanners are obviously super important. There's software that I know you can get that will wipe everything on the device in between uses which is also a good thing. Unfortunately, I don't know any of that software specifically to recommend it or talk about it. 
I would also strongly recommend that in a case where you've got multiple volunteers using the same computer or logging into your systems, whether it's computers or logging into websites or whatever it is, every individual person ought to have their own account. This is something that I see organizations do all the time where people share accounts. It's like, oh, we have the volunteer login and username and password and everybody uses it and it's like on a sticky note beside the computer or whatever. I hope it's obvious why keeping passwords on sticky notes beside the computer is a bad idea but even just having everybody share an account is problematic down the line. It makes it very easy for the volunteers to do their thing. But what about when one volunteer has done something really bad and has to essentially be fired? Then you've got to change the password and you've got to tell everybody else what the password is and until that happens, that volunteer still has access. The whole point of everyone having individual accounts for these things is so that you can control their access when you need to because unfortunately for good and bad reasons you need to. It can be the good reasons or maybe that person gets promoted. They have more responsibilities. They need access to more software on the computer to do more things. If they have their own individual account, you can manage that kind of thing. If you're trying to share one account among everybody, then you're really hamstrung in what you can do. When I do this presentation I'm in a room and I can see what people are nodding their heads and what they're talking about. I would just keep talking until that happens and here I can't see that. So I want to stop for a minute and hear from the chairperson.

I'll go ahead and jump in really. This is Becky. We had one question asking about whether is there any concern that the Prey software could be hacked and someone else could take over your computer?
Is that something that you've heard of happening?

I have not heard of any particular instance of that happening. The Prey software is a good point. Some people see what is possible there and then they think, well, I don't want that anywhere near my computer. For the same reasons you don't want any viruses anywhere near your computer. The Prey project software is open source software. So the source code is publicly available. Anybody who wants to review what the software is actually doing inside can do that. Therefore, I have a higher degree of trust in it than proprietary software that you buy but don't know what it's actually doing under the hood. If there were significant security holes like that in the Prey software, I'm sure some of the people who spend their days and nights focusing on this stuff would have found something wrong with it by now. In general, in terms of how it functions, it doesn't broadcast information until you have said this device is missing. Please track it down. So it's not constantly sending a stream of information anywhere. That's not a risk. But yes, it's generally important to know what software you're putting on your computer and it doesn't do what it says it's doing. So everything I've read about the Prey software and my own use of it, I haven't run into any particular problems or heard of any issues. But the title of the talk is, it's not being paranoid if they're really out to get you. A certain level of paranoia is really important. So I'm glad you're thinking about that.

Interestingly, there were two reports on the ride in on the radio this morning. One was about a woman who had driven off the side of a mountain here in the San Francisco Bay area in San Jose. She went missing and her family reported her missing. And they were able to locate her by getting on her iPad and connecting to her iPhone using the Find My Phone feature that many phones are now coming up with, not just Apple products.
And they were able to find her 17 hours later trapped in a ravine and rescue her and save her. Not only can it save your phone, but some of these can be used to save yourself, which is kind of great. And I know in the Haiti earthquake, that was one of the areas of disaster response. They were able to locate people based on their Internet connectivity with various devices that people were holding on their persons and be able to find them under rubble days later. So it's kind of amazing and somewhat scary because the ability to track people that well is really nuts. And one of our participants just commented that interestingly OnStar could not find her, which yes, she had OnStar in her car and it could not locate her. But they were able to locate her by her cell phone's Find My Phone signal. So pretty crazy and happy for her that she was able to be rescued and is recovering. But the other story that was interesting was about litigation that's going on right now where I think it's the Justice Department is potentially suing or maybe in suit with some companies around the lockdown features that are being introduced to help keep people from being able to see into your devices, whether it's a tablet or a cell phone. I think it was Samsung maybe that's being targeted for a newly released phone. I may be incorrect on that. But very interesting that there are government agencies that are also looking at the new device features that allow you to protect your devices and encrypt your devices that aren't happy about that because they want to be able to look in around some of the terrorist threats and things like that. And so I think there's going to be some legal issues finding the balance to that because it's becoming more and more regular issues in the news as we see that there is some necessity for that, but there's also a real privacy backlash for some justified reasons. So we'll have to watch those stories on the news pretty closely.
So we have a couple of other topics up here, but I'm wondering related to all of the encryption and security. I would like it if we could go into the password and two-factor authentication discussion because I feel like it's really related to this. And then we'll move on to security in the cloud. Does that work for you, Julian? Absolutely. Passwords. Parts of this topic are kind of, there's a lot to know about passwords if you really want to know about passwords. I will try to cover things smoothly and quickly without too much techie detail, but the bottom line is this is what a secure password looks like. So I'm sure you all have passwords like that that you use every day and you've memorized them all, right? Well, of course not. It's ridiculous, but that's what the experts will tell you all. A secure password is totally random. Okay, well why is that? Why do we care about why does everybody tell you you should have these ridiculous passwords? The problem that they're trying to protect against is not people sitting down at the keyboard and guessing the password because passwords that are a lot simpler than the purely random password are good enough to protect against people just sitting there guessing. The problem is when you hear on the news about these password databases being stolen from company X or Y and the passwords are hopefully not just sitting there as plain text in the database, they're hopefully encrypted as what's called a hash. It's a particular type of encryption that you use for passwords and for other things. So what they do is they steal the list of hashes and then they use computers to basically guess what all the passwords are with enough guesses. They can basically compare their guesses against the list of hashes they've stolen and they can figure out which guesses match which hashes and then they deduce your password that way. 
So that's the reason you have these crazy suggestions for what a good password is, is to make it harder for the computer to guess. Now there's a famous cartoon on this topic in tech circles that's right here from the XKCD comic and basically the top line is a typical kind of so-called strong password that people might use or you might have heard people suggest doing substitutions of numbers for certain letters like a zero for an O and a three for an E or something like that or just adding stuff on the end of a word and so on. So these typical patterns that we use to try and make a simple word into a stronger password but what he's saying here is that for a computer to guess that it's fairly easy and he's got some information there trying to explain why he thinks that's easy for a computer. He's trying to get to the right zoom level so you can see it all. There you go. But for a person it's hard to remember because was it trombone I started with or troubadour or where was the zero and we've all forgotten passwords like that if you've ever tried to make one. The bottom line he's got this alternate suggestion. Well let's just make really long passwords out of simple things. Correct horse battery staple, four common words and according to his analysis it's hard for the computer to guess mostly because it's so big. But it's easy for you to remember because you can make up some little imaginary story. The horse is looking at this thing and saying that's a battery staple. Correct, rather bizarre story. I don't make the comic but anyway there's a suggestion for something that's hard for computers to guess and easy for people to remember. And his punchline is through 20 years of effort we've successfully trained everyone to use these passwords that are hard for us to remember, easy for computers to guess. Well the truth of the matter now is that it's worse. 
Almost nothing is hard for computers to guess anymore because with current hardware attackers can make literally billions of guesses every second for a password that they're trying to learn what it is. There's a great link there if you're interested in the minutiae of this that I strongly suggest you read through. And their recommendation at this point is readers should take pains to make sure passwords are at least 11 characters long. Contain upper and lower case letters and numbers. And here's the kicker, are not part of a pattern. Like ideally, totally random. So yeah, how realistic is that? Interestingly what they've found and it's discussed in that article that when passwords are stolen from somewhere, the hashes are stolen and people are trying to break them. Users of a given system tend to follow the same kind of patterns when making their passwords because they like the same kinds of TV shows and they have kids that are sort of the same age and they were born in the same decades or what have you. And this tends to narrow the randomness of the choices they've made about their passwords. And the people who are trying to break the passwords feed that information back into their algorithms and are able to break more of the passwords. So yeah, you're totally screwed when it comes to passwords and what we'll get to the saving grace of that in a moment. If you are using a bottom line though is, if you're using a system that requires just a password for security, it's at least like 11 or 15 or as many characters long as you can possibly manage. That's what really counts. Be careful what you let your browser remember for you because we've often had, you know, your browser will help try to make it easy for you. Well, you know, maybe it shouldn't be remembering your banking password on your laptop that is out and about with you all over the place. Maybe it shouldn't ever remember anything. Don't use the same password everywhere. This is also super important. 
Your banking password should be used on your banking website and nowhere else because the first thing they'll do, if you remember the Mat Honan story, is they'll get some information about you or they'll figure out one password and then they're going to try that out everywhere else they can think of that you might have an account. So you want to use unique passwords in anywhere that's important. And here's the new hope for this kind of thing. Two-factor authentication or two-step authentication. A couple of years ago this was like nobody had heard of this and now it's starting to become more popular. But where that is available, you really want to use that. So what is two-factor authentication? Basically, besides entering your password, if two-factor authentication is involved, then the site or service will send a code to your phone and you'll have to enter that too. Or it might be something else through your phone or some other device. But basically, besides the password, there's something else that you have to provide. And that way, stealing the password is not enough. The attacker needs to get your unlocked phone. It's not just your phone, it's like your unlocked phone because just about everybody has some passcode or pattern or something for turning on the phone. And without that unlocked phone, they're not going to be able to get into your, say, Google account or whatever you've set up with two-factor authentication. So where can you do this? A bunch of places, but not everywhere. If Mat Honan had done this on his Google account, none of what happened to him would have happened. Or at least the bottom, the punchline part wouldn't have happened. Now interestingly enough, a bunch of online services offer this. Only certain banks; the financial sector is a little slow when it comes to this. They have a lot of legacy systems and there's lots of reasons the financial sector works the way it does. 
But as far as two-factor authentication goes, they are way behind the web services like Facebook and Google and so on. Various other online services use it and there's more coming online all the time I think in another few years. It's just going to be super well. Julian, I'd like to have Emily weigh in a little bit on this as well because that's an area where they really have a lot of expertise in helping people use two-part authentication or the variety of names for it. So Emily, tell us what you guys are doing at the National Cyber Security Alliance. Thanks Becky. Well we actually just launched a campaign earlier this summer called our Two Steps Ahead Campaign and it's a multi-pronged approach to educating people about adding layers of security to their online accounts and going beyond the password to protect their accounts. It's actually through our Stop, Think, Connect program and we have a whole section on the Stop, Think, Connect website dedicated to two-factor authentication, multi-factor authentication, two-step, 2FA, all the various terms that they use to describe this. And as Julian had mentioned, two-factor authentication is actually a security tool that uses multiple verification techniques to prove that the person attempting to log into an account is really them. So some of these may include a physical device like having a phone or an actual token or fob, something that you insert into your computer or it may be something like a password or passphrase or a pin that you have to access. So I encourage everybody to go and visit this section of the website. It's stopthinkconnect.org slash Two Steps Ahead because it really gives an overarching way of describing the situation because I think a lot of people are really concerned about, they know that it exists but they think it's a really technical program technical aspect of security and they don't really know about it. 
So we break it down, we tell you what it is, why it's important, how you can enable it, and we also have a list of step-by-step instructions on various platforms including social media, email. We do have some financial institutions and then also some platforms that you guys may use in your everyday life like WordPress and some other content management systems. We also have an instructional video and a tip sheet and some other infographs that would be good to distribute to your coworkers and your employees to let them know what this is so that they can implement it at work and also at home. So I will send that actual link out to everybody and I'm happy to actually have to jump off in about three minutes to moderate the Twitter chat for National Cyber Security Awareness Month but I'm happy to answer any questions that people may have regarding two-factor authentication and I will post the dedicated link to the campaign now. So thanks everyone. Thank you Emily, I appreciate that. And we will show some other resources from the National Cyber Security Alliance later on. I just don't want us to have to jump out of the Prezi at this point to do so but we will share those and you'll get those in the follow-up email as well later on. So Julian if you want to go ahead and continue and then we should move on to security in the cloud as the next topic after we finish this one. Thanks. Okay, if this was a face-to-face seminar you would have seen me nodding through all of what Emily was saying. It's such a great resource they've got there for people to use and it's such an important topic. Passwords are broken I think in general as a security method and it seems like two-factor authentication is going to replace that eventually. 
And the idea of mobile phones that everybody has with them, you know the story about the woman in the car is phenomenal and I think the idea that people have these little computers with them now so many people so much of the time, that is really that's what makes two-factor authentication possible for many services and I think the mobile itself is transforming everything about computing. In 10 years we won't recognize much. Another thing about passwords that is useful is some kind of password safe software. KeePass is one, you install this on your computer and it is basically a special encrypted piece of software that you use to store all your passwords instead of say writing them all down. The nice thing about KeePass is it will just automatically generate a totally random super long, crazy password you never remember and you can just click on it in KeePass, paste it into the website and you don't even have to know what the password is but there you go. Now obviously you're then creating a single point of failure in your password security that if somebody gets a hold of your KeePass then well that's really bad. But there are two-factor or three-factor ways that you can actually log into KeePass so that people can't just sort of type in one password and there they go. You don't sort of have the master password that gets all the others. You can have two-factor and more kinds of authentication for getting in. So the cloud, the cloud, I have a whole other presentation just about the cloud but briefly the cloud, well what do we mean by the cloud? I should maybe define that first. I say here the cloud is probably more secure than local storage systems that you're using right now but that's true in the sense of cloud services that are storing things on your behalf like say Google Drive or Dropbox or something like that. 
But in general cloud systems because they're out there and they're maintained by these companies that are in the business of doing this all the time, they're probably more secure than say you have a computer in your organization under the boss's desk that's connected to the Internet and that's your file server. When was the last time somebody made sure that all the necessary security patches were on such a box? So a lot of people are reluctant to sort of give up the local control over those kinds of things but there's actually some upsides to moving to the cloud for that. Yeah, as I just said, these cloud services are supposed to be always up to date with all the latest security patches, et cetera, and they're being backed up regularly. It should be if you're using anybody who's any good at this. It's also super convenient to have all of your stuff no matter where you are or what device you're using, mobile again, entering the picture because you can check not just your email but access files and other sometimes do actual work while you're on the road just because the cloud services are making that possible. But there's obvious privacy implications. They pledge never to look at your data but it's not on a computer you control anymore. We already talked about the whole NSA angle. So as with most of these things, there's trade-offs everywhere. The whole question of privacy and security I think boils down to how much convenience is worth how much risk. What I hope we give you a sense of from looking at some of these topics is what are the actual risks or where do the risks reside? And then you have to decide for yourself. I can't tell you if a cloud service is the right service. You should use Google Drive or not. But you could. It's good service. It's convenient. There are risks and then how those relate to your organization is something you need to assess for yourself or with the help of somebody who can talk to you in more detail about your particular situation. 
Are there other questions? That was a fairly high level look at the cloud. Are there other particular aspects that the cloud anybody wanted to get into? Sure. Well, we did have a question actually earlier on from Debbie asking about when we were talking about protecting your computers and you mentioned kind of if your file server is under the desk in a small office and nobody is really maintaining it or backing it up, then the cloud is probably safer. What if you have a lot of staff people that come in either with their own devices or whether you have a lot of volunteers that come in and out? Are there ways of administering that so that you can keep security for either your hardware systems or for your data if it's traveling around on people's personal devices? Do you have any tips on that that we could quickly share with her? Well, I don't work for Google and I'm not trying to shill for them, but we do use Google at Freeform. I know that there are some pretty specific access controls that you can put on files and folders, like entire folders in the Google Drive so everything inside there inherits the same access permissions. Those permissions can be everything from anyone on the Internet can access it to only these people with certain email addresses can access it or anyone who just has the link but you don't need a Google account. So there are particular, if someone is willing to put in the time and effort to maintain that, this kind of goes back to the earlier point about all your volunteers coming in and using a computer, one of your computers in your office, they should all have individual accounts. That's really ideally what should be happening. Somebody needs to be creating those accounts and shutting them off when the people are no longer volunteers, etc. All the people coming in with their mobile phone probably already have a Google account or a Microsoft account or something. 
So if somebody wishes to provide their email address with access to certain files on the Google system and I'm sure Dropbox or other services have similar ways of handling this then that would be one way to handle it in a robust and secure way. The whole bring your own device trend is certainly wreaking havoc on IT departments all over the place, but it's like a tidal wave. It's like everybody has all these devices and they're getting more and more and more used to using them themselves in the way that they're used to using them. And they just kind of expect things to be a certain way. There are on Android, there is software that you can use to actually connect to a file server on a local network. If you actually have a file server on a local network you could actually extend access on that network to the file server to their Android devices. The app that I prefer for that is called ES File Explorer, I believe. But there's a variety of different apps that will let you do that kind of thing. So that's sort of a whole other way of doing it. Just avoid the cloud entirely and just connect their devices directly to your system. I hope that's enough. Great. I think that's really helpful. We have a few other questions but I'd like us to move forward. Excuse me, what's the next topic? And we will get to those other questions whether through chat or verbally. So the next section that people were most interested in was Protecting Your Website which we've touched on a little bit here and there. But let's go ahead through that section. Thanks. I'll tell you what I have to say about that, Protecting Your Website. This is what you don't want to have happen. This is like the home page of some organization that magically one day you hacked by a Punisher. And this was like only a few years ago. And I got a real kick out of this because it's so quaint. I mean nobody hacks websites to just put up crap like this anymore. But well I guess some people do. This did actually happen. 
It was actually this particular organization that first contacted me to talk about these issues. They were motivated. So the thing about websites is there's a lot to know about websites. So really you want to have somebody who knows what they're doing keeping it up to date with security patches. Most of the attacks that are made against websites are automated. It's not some person they're typing into the keyboard trying to hack into your website. They've written some program that is just hitting site after site after site after site trying to run a certain command to try and get access to the site. They're automated attacks that are trying to take advantage of known holes that exist. Those holes have known fixes that if you apply the security patches the holes go away. And this is a never ending arms race in the world of websites. So you need somebody who knows what they're doing just applying those updates on a regular basis. Drupal is one of the most common website systems out there. I would guess that a certain percentage of you have Drupal websites. If you're using Drupal 7, Drupal 7.32 has just been released like yesterday I think because there is actually a very major security hole in Drupal 7 that has been found and a patch has been released. And you had better apply that because this is a really bad one. People can basically reset the password of your Webmaster account and then log into your website and do who knows whatever with it. So if you're using Drupal you totally want to take care of that ASAP. You also really want to make sure that all the computers that anybody uses to make any changes to the website are totally clean and secure. So if you have a bunch of computers in your workplace and volunteers are coming and using one of those computers to do a bunch of stuff make sure that nobody's updating the website from that computer because chances are that's the computer that's least likely to be clean most likely to have a problem of some kind. 
The reason this is important is because a lot of viruses, a lot of bad things, malicious software that can get installed on your computer they try to steal passwords. One of the things they do is they look for when you connect to a website and type in a username and password and then they go, aha, I got it. I'll send this back to my mothership wherever that is. And then the person who's in control of that software now has the password for your website. That can be like for the FTP program for just sending things up and down to the website or actually logging into the website or whatever it is. So you want to make sure the computers that you're using are as clean as possible because that is one of the most common ways that websites actually get infected. If it's not through a known hole that has a known fix and you just haven't applied the security patch, the second most common thing is it's one of your computers itself is compromised. Your website might be totally locked down and 100% secure but the computer you're using is not so then there's a problem. Strong passwords, important. We talked about that. We want to use them wherever possible. Make sure that the people who are actually building your website understand. These are the terms. If you want to call up your website technical providers, people who help you with your sites and give them a little quiz, ask them what XSS, SQL injection and CSRF mean. They should know what those things mean. They really should know exactly how they work and what measures you take to defend against them. I'd be happy to explain that later in more detail if people want. Basically, the people building the site, they ought to be more than just, hey, yeah, we know how to build WordPress sites because it's really easy. You download WordPress and you install it and that's it. It's so easy. 
But if they're not actually website developers, well, then you're just relying on hope it's patched and up-to-date and they haven't done anything else that opens up any other holes. The bottom line is maintaining websites costs time and money and you're going to get what you pay for. Now there may be other aspects of protecting your websites if you have specific sites or other technologies that people might have quick questions about. My basic premise about websites is it's not something that's totally in your control. These are the things you should think about. Great, Julian. Actually, Kevin Lowe here on our end, one of our other presenters wants to chime in a little bit here with some other tips and resources on this topic. Hi everyone. I just want to add that we have a blog post talking about cross-site scripting and SQL injection. So I will talk more about the resources we have on TechSoup but just hang in there for those who may be feeling that the subject may be only too technical. We'll be sharing more resources for a variety of levels. So for getting started we have a lot of that on TechSoup and so does the National Cyber Security Alliance. So we're covering these at different levels we understand but we hope that either way you'll walk away with a lot of things that you can do today, some things that maybe you'll have to plan out and do in six months, and some things you maybe have to just plan out and budget for longer term and bring in some external support to help you manage. So we're giving you kind of the full package of as much as we can in the course of this 90 minutes. So with that I'd like us to go ahead and move on to one of our next topics. So we kind of had a three way tie here between public Wi-Fi, email and spam, and payments and transactions. 
So since we were talking about websites why don't we go with payments and transactions and just that process since that's very related to websites and not only how you use other people's websites but how you can help ensure that your own website is secure if you process sensitive client data or financial data on your website or through your website, what to look out for. So take it away, do you believe it? Thank you. Thank you. The critical thing is HTTPS or the little lock symbol you get in your browser. Web browsers come a long way because it used to be just the HTTPS versus HTTP in the address line. And then they started showing lock symbols on the address line or in the corner. And like now modern browsers will actually like highlight the company that they think the website belongs to beside the address. So there's a lot of cues to help you understand where the site is coming from and if it's secure you want to know what those cues are in the browsers that you're using but the bottom line is if you look at the actual address, is it HTTPS? Because the S part means it's secure and if there's no S, it's not secure. So yeah, that's what I just said. If there's no HTTPS you're not on a secure connection. So when you're connecting to your bank, when you're buying something online and you're putting in a credit card number, you want to make sure that that's on a secure connection. What that means is the information between you and the server is supposed to be encrypted and people are not supposed to be able to eavesdrop on that. And of course if you are, as Becky said, offering things on your own website for sale or people are registering for events and they're putting in their credit card number to register for that or signing up for memberships, then the people who are maintaining your website or setting it up, they ought to be helping you make sure your website has HTTPS because you don't want to be asking your visitors to not do the best practice here. 
My recommendation is don't ever store credit card information on any website. You hear all these stories about Target and other people to get hacked and all this credit card information gets stolen. And the case of Target is pretty nasty because apparently it was the point of sale terminals that were made vulnerable in that case. But when it's just a plain website, you can protect yourself by not actually storing card information on that site because if they don't have it, it can't be stolen, right? Now, exception there maybe for PayPal? PayPal is in the business of online transactions and it's very convenient to be able to pay through PayPal and not provide your credit card to a given online store but just pay through PayPal. But then you have to accept that PayPal has your credit card information. And this kind of highlights for me what is the essence of this whole entire topic, how much convenience is worth, how much risk. I think it's convenient enough to leave your credit card information inside PayPal and I trust that if anybody secures that kind of stuff, they can because their whole business is online payments. So is that convenience, is the risk there worth the convenience and vice versa? And I think a lot of these things come down to that when it volunteers logging into the computer inside your office. It's convenient for them to just all use the same account. But what are the risks there? They can snoop on each other's files on the computer whereas if they had separate accounts, they presumably could be separated from each other and not necessarily see what other volunteers are doing. Maybe that matters, maybe that doesn't in your case. Any questions or jumping into Wi-Fi? Let's go ahead and jump into public Wi-Fi and then email and spam if we can since we've got only about 20 minutes left. I want to make sure we get through as much as we can. Thanks. Wi-Fi. So this should look familiar to people who have phones. And it says, not in range. 
All these accounts, all these Wi-Fi networks, not in range. How does it know that I'm not at Stanford right now or Starbucks? Well, because it's checking all the time to see if it can find that network. So what you don't know is who around you is listening to see what your phone or your laptop is looking for. Your device is revealing information about itself and about you just by being there in the world. It's checking for these different networks that it knows. And it will automatically connect to a network if it thinks it has connected to that network before. It's looking and it finds Starbucks and it says, yeah, I'll make a connection. But here's the kicker. It's not that hard to spoof network names to pretend to be another network if you have the right hardware and you're sitting there in the corner of the Starbucks. Then are you sure that the Starbucks network you're connecting to is the real Starbucks Wi-Fi or is it some fake Wi-Fi called Starbucks that somebody else has set up? Now, that might sound really crazy, but you can buy stuff off the good old Internet. You can buy stuff off the Internet for about $80, $90, and you can do this too. Go down to your Starbucks and try it. So this is a problem with public Wi-Fi as with a lot of security issues. It's really about trust and authentication. How do you know what is true and what is fake? So for example, when you connect to a normal Starbucks connection, you probably have seen, if you've done this, that you open up your web browser and then it comes up with a page that says, welcome to Starbucks. And then you check the box that says, yes, I accept the terms and conditions. Please connect me to the Internet already. Okay, if you connect to Mr. Fake Starbucks, it's probably not going to have that exact page. It's not actually the Starbucks Wi-Fi, right? So it's not going to put you through the same hoops that normal Starbucks does. Maybe Mr. Fake Starbucks is really smart and he's set up that whole thing too. 
But for example, you might connect to something and not get a page like that which you would be expecting. At least I hope you're expecting it because I hope you're being very paranoid and very aware of the situations you're in and you go, why didn't Starbucks ask me to accept their terms and conditions? Something strange is going on here. I am not going to do anything else on this Wi-Fi. So that's an example of where the paranoia can save you. But it's true that whoever controls the network, even if it's Starbucks, can listen to all the information you're sending back and forth. Even if it's encrypted with HTTPS and you're logging into your bank and you're doing who knows what, the fact is all the information that you and the bank exchanged in order to make the connection encrypted had to pass over that Wi-Fi network. So anybody who's in control of the Wi-Fi network, in theory, could have all the information they need to unencrypt your connection and see what you're doing. So even if it is the real Starbucks, you really want to think hard about what you're broadcasting out to the world. And again, like I said before, how much convenience is worth, how much risk? I can't tell you don't use public Wi-Fi, but you can think carefully in your case about what is actually important and valuable to you about that kind of service. Good, good points. So next would be email and spam. Email and spam. Can I just jump into URLs first actually, because there's sort of a little bit of a… Sure, it's related. Yeah, piggyback on that. A prerequisite there a little bit. So URLs, which we also think of as links or addresses or site names, in these days it's possible to use the Internet and not even really use URLs at all. So not everyone might be totally familiar with that. But basically URL is this old thing that you probably have seen before, at different points in time, and you go to Google on its Google.com slash a bunch of stuff. 
So I just want to quickly show you a bit about how to read these things. Because in my opinion, reading URLs is one of the most basic bits of online literacy you can have. And it can help you with the email and spam situation a bit sometimes. So here's the thing with URLs. You ignore everything after the first slash. It's just, it doesn't matter. Anything after that slash is irrelevant to determining if this is what this URL really is. Then going backwards from the first slash, you've got the top level domain is what that's called. And there's a whole bunch, .com but also .org, .net, .ca, .gov, etc. There's a whole bunch now. In fact I think for $186,000 you too can set up your own top level domain if you want to. It's going to become the Wild West as if it wasn't already. So then there's the domain name, the actual name of the thing like Google, Twitter, etc. If we think about as the name of the thing, that's the domain name. And then the subdomain comes next if you're going right to left. The subdomain mostly doesn't matter. It really does like what counts as the domain name and the top level domain. You could also have multiple subdomains. You probably may have seen website addresses like this that are like something, .something, .something, .name, .com. Some organizations like to use subdomains because you might have the main website and then you'd have a couple sort of satellite websites that would be under a subdomain. So you'd serve and then subdomain and then .your own name. And then the protocol, HTTPS for banking stuff hopefully, but it's often hidden. So here's two real addresses. These are real addresses. One is the real TD Canada Trust website login. And one is a genuine spam address that came out of spam message that I got. And normally when I do this face to face I then ask people to put up their hands. Who thinks the top one is the real TD.com address? Who thinks the bottom one is the real one? And who just has no idea? It's totally confused. 
Well, the top one is the real one. The bottom one is not. And here's how you can tell. There's the top level domain and the domain itself. And that's the one that belongs to TD Canada Trust. If you're not sure about that, you open up a web browser, you type in TD.com, see what happens. In the bottom one, the domain name is Banksite. The TLD is .cc, whatever that is. Probably some Pacific Island nation. So yeah, just run away. Don't click on that at all. So with that in mind, it's a little easier to understand what to do with email. So as was discussed earlier in one of the slides, don't open those suspicious attachments. Haha, everybody says that. Everybody talks about that. And we all think that we're smart enough not to open suspicious attachments. But I think there's a little more to it than this because really what counts as suspicious? Because here's the situation. Your friend is going to get a virus. And that virus is going to look through their address book and send everybody a message. And it's going to be some message from your friend that says, Hey, I found this really funny website. You should check it out. Click here or something like that. Or download this file or whatever. And it's from somebody you know. And maybe that person sends you a lot of junk all the time anyway. I hate people who send me junk all the time because it screws up your paranoia sensors. How can you tell when it's for real or not? So suspicious messages aren't just from the Nigerian Prince. Suspicious messages can be from anywhere, frankly. My advice is if a message does not contain information that only the sender would know, then it is suspicious. If it's saying, Hey Joe, here's this great site you'd like to buy. There's nothing about that message that proves to you that your friend actually sent it. If they say something like, Hey Joe, looking forward to seeing you at dinner Thursday. And by the way, I thought you might like this link. It reminded me of your daughter. 
Okay, now that's information that I'm pretty sure that message is not created by a virus. So anyway, that's my pitch for getting even more paranoid about suspicious messages. Now as for how to read them or where do the URLs come in? You may or may not know the TechSoup audience, so you're probably some of you fairly technical. And you know that email has headers. If you didn't know that email has headers, now you do. What's headers? If you look in your email program, Outlook or Thunderbird or whatever you might be using, there's probably some way to get it to show you like the full message or the message source or the message headers. And they'll look something like what I've got here. And the message headers show you the history of the message. So if you're not sure what's actually going on, you could look in the headers. These are real headers from a message that I got. And I've highlighted here some of the URLs. So it's saying this is received from the University of Toronto. And then another server in the University of Toronto was part of the chain that this message went through. And then another server at the University of Toronto and then Google is involved as well. But that actually makes sense because this is a message from someone at the University of Toronto to me at work. And our work email goes through Google. And then Google handed it off to me at Freeform. So that's the message history here. So that looks like a whole lot of indecipherable mess. But if you take a few minutes to review the URL stuff and know how to read them, then you can look at a suspicious message, look at the headers, and see if it actually jives or not. Even the headers can be faked. The bottom line is those links. If you hover over links and messages, and the link is – your email program should give you a way to figure out what the source of the link is. It might display the link at the bottom of your window or something as you hover the mouse over it. 
And if you can read the URL, you can tell is it going to like TD.com or is it going to banksite.cc? And if you know that, then this is why you don't need your virus scanner to save you if you know about those kind of things. So yeah, hover over the links. Mail programs should help you figure out what the destination really is. And if the domain and TLD is suspicious, then yeah, don't click it.
Great advice. And with that, I'm going to go ahead and take us out of the Prezi even though we didn't get to the last couple of categories. They are in there. And so when you get that email later today, you can look at the other couple of sections we didn't get to. I think it was mostly the social media one, and maybe that was the only one because we're just running out of time at this point. But I want to go ahead and show a couple of slides that Emily provided for us. So earlier we talked about two-step authentication. And so these are some places to get more resources on that. And she already shared that link out in the chat. We'll include it in the follow-up email as well. And then also we have some tips on ways to keep your organization safe that she wanted to share with you, how to take an inventory to assess your risks, tips on creating a cybersecurity plan. And so again, some of these things, maybe you can start implementing today. Other things, maybe you need to plan out as part of a prevention strategy, and how to resolve any problems that might come up from some of these things, and how to get restitution from them. If you are victimized by any of the various cyber attacks out there, things like how to protect your customers and members, audience, or stakeholders. So she's got great tips on all of these things specifically geared toward businesses. So we know nonprofits aren't companies so much, but they are very similar in operation to a lot of businesses and have stakeholders and communities that you serve. 
So they have a whole section with great tips and resources and printables that you can use. And we'll share the links to these in the follow-up. And then also things like how to keep your employees and family safe. What kinds of resources, posters that you can print out if you run public computing labs or if you have a room that employees frequent or you can hang in the kitchen with tips on how to encourage them to stay safer. All of these kinds of things are on their site that you can print off and use for your purposes. And then she also shared some contact info on how to get in touch with her and the National Cyber Security Alliance. Quickly I want to have Kevin come on and just talk about our guide that we recently created and share a little bit about that. And then I'm going to chat out something about a contest that we're running right now to help you win a Surface Pro tablet. So watch for that and we'll talk about it in just a moment as well. Welcome Kevin.
Kevin: Thanks Becky, and thanks Julian for providing us with such great tips and for all of you sticking around. We want to tell you about our new guide that we publish in the National Cyber Security Awareness Month. Our new guide provides 12 tips to being safer online and they fall into four main areas, how to be secure in your office, how to use social media safely, what to be aware of when you're away from the office and using the cloud safely. So these actually fall into the earlier topics that you chose during the poll and if your area was not covered, it probably is in our guide. And also we wrote several blog posts for this month such as I think To Protect Privacy and ABCs on online security threats, whose link we tweeted out and we added in the chat earlier. So a lot of resources on TechSoup this month. So look for it on our website. And as Becky mentioned, we have a contest going on. Share your security story and win a tablet. This contest is available to US organizations. 
The link is there and it's available as well. And lastly we have a live expert Q&A on our forums on October 29th. So if you have questions that you want answered that we couldn't cover in this webinar, please feel free to go to the website on that date. The link on that last bullet is actually on the content that we've created for safer online which includes actually the more notes on the actual Q&A on that date. And lastly, as Emily mentioned, she is conducting live tweets and a lot of content on Twitter. So if you look for hashtag NCSAM or hashtag ChatSTC on Twitter, you'll find a lot of great tweets from experts like from Microsoft, Google, and the National Cyber Security Alliance of course. Today's tweet chat actually is about the Internet of Things I believe. So if you're interested in that, you can check it out online on Twitter.
Great, thank you. I just also wanted to mention that for people who have been asking about different products available to help them manage their security, we do have a whole section on TechSoup's website, TechSoup.org, slash security, that is dedicated to bringing together technology articles and blog posts, webinars, and product donations. And you can actually see down here at the bottom of the screen where it says product solutions. And there's a little drop-down box there. That drop-down box has categories like the one you see on screen, virus, and malware protection. But it also has backup and recovery and I believe other security products that you can look at. And so those are available depending on the program and the donor who's distributing it. Some of them are donated. Some of them are discounted for nonprofits and public libraries. 
But you can find a lot of different options there if you're looking for new installed security software, or even if you're looking for security software that you would install on a server that can then distribute that to your network of computers if you have a whole network, or if you have a bank of computers that are running off of that server. So we have actually covered most of the questions in the chat, and I know people are still responding to them. But since we're just a moment away, I do want to once again point you to join us in our community forums. Go to TechSoup.org slash community where you can ask more questions and you can participate in conversations there anytime as well as on the 29th when we have 29th or 24th. Did I get the date wrong? On the 29th, sorry about that. In our forums we will have that event to specifically talk about your security needs, but anytime you can go there and talk about, ask questions, and share your own expertise on this topic to help encourage and promote more awareness of how to stay safe online. This is National Cyber Security Awareness Month, so we will be doing a variety of events and resources for you to help you become more secure. In addition to that topic, we are having a host of other events later this month. So if you're in the Bay Area, we would love it if you'd join us. Next Wednesday in the evening we have the Storymakers Gala. So for those of you who have participated in our digital storytelling campaign this year, we will be awarding those $5,000 grand prizes at this event. And it's a free party to join us in the evening if you'd like. We also have a webinar next week on Making Sense of Financial Literacy. And this is primarily geared toward libraries and organizations that teach and instruct and have programming on financial literacy, so perhaps homeless shelters, domestic violence shelters, community centers, and of course our public libraries who are joining us today. 
Then on Friday next week we'll have a webinar on Choosing Your QuickBooks Adventure where we will be tackling your topics of QuickBooks to help you get better at financial management for your own organization. And on the 30th we'll be talking about how to crowdfund your way to year-end success. There are many more to come and you can find these and other events and archives at this link below. I just want to mention that today's webinar was supported by Microsoft with a generous grant from them. And that we as TechSoup Global, we are a champion of the National Cyber Security Awareness Month. And so we would encourage you to take what you've learned and your own expertise and experiences and share them at the Do One Thing campaign and also in those National Cyber Security Awareness Month chats to learn and share your experiences. Lastly I'd like to thank our webinar sponsor ReadyTalk for providing the use of the platform for today's event. They provide ReadyTalk 500 for us to use which is also available for donation in our catalog. And you can find that at TechSoup.org slash ReadyTalk. With that I'd like to just thank Julian and Kevin and Emily for their participation in today's event. And I'd also like to thank Allie and Ariel who provided some chat resources on the back end. Expect an email from me later today with those resources. And thank you all so much for joining us. We hope you'll join us again very soon. Take care and have a terrific day. Bye-bye.