Common Criteria

Today, I had an interesting experience “hardening” my MacBook’s security by implementing Common Criteria. Basically, Common Criteria is an international standard for computer security. As implemented by Apple on OS X 10.5, it’s a small download and install (103K), followed by a series of system settings changes provided in a PDF file. Basically, I followed a series of steps which, among other things, changed the way logins happen, changed how the computer appeared on the network, password-protected the BIOS, etc. It took about an hour, but I was left with a less “hackable” Mac. This type of process is not for everyone, but for security-conscious computer users, this is the way to go.

I heart Carbonite

In the movie Star Wars – The Empire Strikes Back, Carbonite was the compound Darth Vader used to freeze Han Solo. In the world of Web 2.0, Carbonite is an online backup system for PCs. Basically, with the purchase of a one-year subscription for $50 (or only $10 with this great rebate at Amazon.com), you can securely encrypt and back up as much of your hard drive as you would like. The beauty of an online backup is that, even if your house burns down, you will still have your critical documents, photos, life’s work, etc. After creating hundreds (if not thousands) of educational documents over the years, it’s about time that I secured them. The Carbonite installation process is very simple, and the user interface is very well designed. Now my encrypted documents are safely backed up “off site” waiting to be restored if needed.

The Battle Continues: Security vs. Ease Of Use

Sometimes in education, we are moving so fast, we fail to see that the playing field has changed beneath us. I believe now is one of those times where things are rapidly changing under our feet, but at times we fail to notice. Online security is rapidly changing, and I’m not sure education in general is ready for that change.

Today I read a great blog entry on Email Policies, which suggests that you have an email policy whether you know it or not! The basic theory of the article is that each company (i.e., school district) has gone with ease of use OR security… but not both. A nice short read that brings home subtle, sometimes hidden choices we make when providing web services to staff.

In a related vein, banks are making significant changes to login security as a result of a 2005 paper entitled “Authentication in an Internet Banking Environment” put out by the government. The bottom line of this article is reached rather quickly with the statement:

“The agencies consider single-factor authentication, as the only control mechanism, to be inadequate for high-risk transactions involving access to customer information or the movement of funds to other parties. Financial institutions offering Internet-based products and services to their customers should use effective methods to authenticate the identity of customers using those products and services.”

Now simply replace the statement “access to customer information” with “access to district employee or student information”. Basically, these same changes being made by financial institutions in the near term will be coming to a school district near you in a few years! Single-factor authentication (userid and password only) is on its way out and is being replaced by more robust security measures.

Type a CAPTCHA, read a book

We have all run into CAPTCHAs (those little squiggly words we must type to access web services). You might also know there are multiple projects under way with the goal of scanning books and documents into digital form. Now imagine combining these two concepts!

Enter reCAPTCHA, whose goal is to provide login security AND help digitize thousands of books. Every time a user uses reCAPTCHA to log into a website, they are also asked to decipher a “hard to read” word from one of the book digitizing projects. So as you log in to a website, you are helping digitize a book. Check out THIS ARTICLE discussing reCAPTCHA in more detail.

Multi-factor Authentication

Two-factor authentication is a very popular term in security these days. Basically, the idea here is that, instead of providing just “something you know” such as your userid and password, it is much safer to also provide something else. That is, provide an additional FACTOR before you are allowed to enter a secure area, such as an online bank account.

One of the smarter ways of doing this is to provide something unrelated to your password, for example “something you have”. Among the coolest “something you have” devices is the new PayPal Security Key device. Basically, it is a little electronic display that generates a new 6-digit number every 30 seconds. When you log into PayPal or eBay, you simply enter this special number along with your userid and password.

I think the time will be soon when public school districts adopt something like this to help secure sensitive student data. These key creation devices have been available in the business world for years, and it’s about time that school districts took data security seriously!
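
An added example (not part of the original post, and not PayPal's code): how a 6-digit code that changes every 30 seconds can be generated on a token and checked by a server, using the open TOTP standard (RFC 6238). That the PayPal device works this way is an assumption; the secret is the RFC test value and `SecondFactorVerifier` is a hypothetical name.

```python
import hashlib
import hmac
import struct

STEP = 30      # seconds per code, matching the device described above
DIGITS = 6     # code length, matching the device described above


def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226: HMAC-SHA1 of the counter, dynamically truncated to DIGITS."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238: the counter is the number of STEP-second intervals since 1970."""
    return hotp(secret, unix_time // STEP)


class SecondFactorVerifier:
    """Server side: accept each code once, tolerating +/- `drift` time steps."""

    def __init__(self, secret: bytes, drift: int = 1):
        self.secret = secret
        self.drift = drift
        self.last_counter = -1   # highest time step already accepted

    def verify(self, code: str, unix_time: int) -> bool:
        now = unix_time // STEP
        for counter in range(now - self.drift, now + self.drift + 1):
            if counter <= self.last_counter:
                continue         # replayed or older code: never accept twice
            expected = hotp(self.secret, counter).encode()
            if hmac.compare_digest(expected, code.encode()):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    secret = b"12345678901234567890"      # RFC test secret (not a real key)
    server = SecondFactorVerifier(secret)
    code = totp(secret, 59)               # what the token would display at t=59
    print(code, server.verify(code, 59))  # fresh code is accepted
    print(server.verify(code, 60))        # same code replayed is rejected
    print(server.verify(code, 200))       # expired code is rejected
```

The password check still happens separately; this code only covers the "something you have" factor, and the shared secret must be stored as carefully on the server as it is inside the token.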

Will OpenID be the one?

One of the major problems with the Internet in general is the number of logins each user must have to navigate the net. Currently, I have over 50 registrations or passwords to websites that I use in one way or another. There have been many attempts in the past to have one login/password for all “identity management”.

Even giants like Microsoft have failed in this area with their Microsoft Passport system (now Microsoft Live ID). The newest contender in this race toward “one password to rule them all” is OpenID. Where others have failed, OpenID may actually succeed. One reason OpenID has a fighting chance is its Open Source origins. Because of this, OpenID is not owned by anybody in particular. This allows anybody, including industry giants like AOL, to use OpenID. Here’s hoping that OpenID (or something like it) finally takes hold.