Laptops, WiFi and Evil Twins

Posted by Donovan

Go into any leadership meeting and talk about I.T. and you will start to hear a lot about security. The discussions can get emotive, with the IT guys getting hammered about the security of their servers, networks, etc.

However, I perceive there are growing risks elsewhere simply because of the numbers of laptops being carried around the world by YWAMers. For many of us, it is our portable office. Recently a laptop was stolen in a country from one of our international senior leaders and I shudder to think about what was on his hard drive. Best case scenario is that the hard drive was wiped and the hardware was sold on. Worst case... (insert scenario here)

That's one issue, but another issue that I have been reading more and more about is "Evil Twins". http://en.wikipedia.org/wiki/Evil_twin_(wireless_networks) Do a bit of travelling with YWAMers and they constantly look for free WiFi access to check emails, etc. The trouble is, this is becoming more and more of a risky game with hackers setting up rogue access points simply for the purpose of harvesting information. Airports, coffee shops, even computer security conventions are becoming targets.

I suggest we need to start to educate users that just because a WiFi connection is open, it doesn't mean it is safe or legitimate. If in doubt, they need to tunnel everything through a VPN tunnel or just wait until they can connect through a trusted source.

I don't even trust wireless WEP encryption any more either. One of the largest security gaffes in the last couple of years was through someone hacking into TK Maxx's (a big department store) network by cracking one of their wireless WEP connections at a store. They just sat out in the parking lot of the store, monitored traffic and then went home to have fun. For many months they were undetected because they came in through "secure means". They set up new user accounts, installed rogue software and harvested tonnes of credit card info. Throw your expensive firewall out the window because the hackers had login details and other information to walk right in the front door of your network!

Personally, I do not use a public wireless or WEP encrypted connections without tunnelling everything through VPN. VPN is relatively cheap and easy to set up and I don't know of any other practice that gives some level of protection to mitigate this risk, but would be interested in any other potential solutions.
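The evil-twin risk described above can be turned into a simple client-side check. This is an added example, not code from the original post: it compares the access points seen in a scan against a profile the user saved on an earlier visit and flags any AP that reuses a known SSID with a different hardware address or weaker security. All access-point records below are constructed sample data, not the output of any real scanning tool.

```python
from dataclasses import dataclass

# Security levels, weakest first. WEP ranks barely above open, matching the
# thread's point that WEP is effectively broken.
RANK = {"OPEN": 0, "WEP": 1, "WPA": 2, "WPA2": 3}

@dataclass(frozen=True)
class AccessPoint:
    ssid: str
    bssid: str      # hardware address of the access point
    security: str   # one of RANK's keys

# Constructed "trusted" profile, recorded on an earlier visit (sample data).
TRUSTED = {
    "CoffeeShop": AccessPoint("CoffeeShop", "00:11:22:33:44:55", "WPA2"),
    "AirportFree": AccessPoint("AirportFree", "66:77:88:99:aa:bb", "OPEN"),
}

# Constructed scan results for the current visit (sample data, not tool output).
SCAN = [
    AccessPoint("CoffeeShop", "00:11:22:33:44:55", "WPA2"),  # the real one
    AccessPoint("CoffeeShop", "de:ad:be:ef:00:01", "OPEN"),  # looks like a twin
    AccessPoint("AirportFree", "66:77:88:99:aa:bb", "OPEN"),  # known AP
    AccessPoint("HotelGuest", "ca:fe:00:00:00:02", "WPA2"),  # never seen before
]

def suspicious_aps(scan, trusted):
    """Return (ap, reason) pairs for scanned APs that clash with a trusted entry."""
    findings = []
    for ap in scan:
        known = trusted.get(ap.ssid)
        if known is None:
            continue  # never saved: nothing to compare against, so use a VPN or wait
        if ap.bssid.lower() != known.bssid.lower():
            reason = "same SSID, unexpected BSSID"
            if RANK[ap.security] < RANK[known.security]:
                reason += " and weaker security"
            findings.append((ap, reason))
        elif RANK[ap.security] < RANK[known.security]:
            # Same hardware address but the network is now open or WEP.
            findings.append((ap, "security downgraded on known BSSID"))
    return findings

if __name__ == "__main__":
    for ap, why in suspicious_aps(SCAN, TRUSTED):
        print(f"WARNING {ap.ssid} ({ap.bssid}, {ap.security}): {why}")
```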

Comments

Posted by KevinColyer

Educating the leaders

Dear Donovan,

I think you are spot on with these security thoughts. The risk of theft is huge with a laptop. For example, how many YWAMers even have a security strap that they use with their laptops?

We have been writing about this on the KnowledgeBase (http://www.ywamkb.net/kb/index.php/Laptop_Security) and investigating encrypted filesystems etc. It is not impossible these days to buy completely encrypted Windows systems, and to set up an encrypted filesystem running the latest Ubuntu is child's play.

However, how on earth are we going to educate the GLT and senior leaders to take this seriously? You are talking about 10-40 hours of training to do it well. That is the most important question and one that leads us to ask other questions such as what really is our training ethos for leadership? (I mean in-house, not U of N) I personally think our training is wildly insufficient and leaders at all levels suffer for lack of it. I pray and rack my brains for solutions! Please add your thoughts to the KB article. I hope if we can write about it well enough we will have a resource to begin teaching from.

Cheers,

Kevin

PS WEP has been broken for a very long time. I only use WPA or WPA2.

Posted by crashsystems

Educating _everyone_

I definitely agree that education is very, very important. However, I think that the security education needs to be for all staff, and not just leaders. What good does it do if a base director's laptop is secure, but he has sent sensitive info via email to staff members who use lousy passwords? I too have been in very lively conversations concerning security, and have found that some of the biggest difficulties come from the myths that many YWAMers have about security. Myth #1: Substituting "key words" is an acceptable alternative to using encryption. Lol!

This reminds me of a project I've been working on in short spurts over the past three months. I am writing a guide to public key encryption, with average non-geeks as the target audience. My goal is to write a guide in such a way that it is easy to understand, and has sections explaining how to use the appropriate software for Windows, Mac and Linux. If anyone would be interested in working with me on this project, I'd love to hear from you!

Posted by crashsystems

My Key

By the way, if anyone wants to contact me regarding this project, you can get my public key from the address below.

http://keyserver1.pgp.com/vkd/DownloadKey.event?keyid=0x2731ABF2284005FE

Posted by Donovan

Encryption

My recently acquired Thinkpad has FDE (full drive encryption) built in. This is hardware based and is supposed to not have any performance effect. Windows Vista Ultimate has a software drive encryption solution as well apparently. There are more than these two obviously and the good news is that this is becoming more and more common.

While doing some googling around on Evil Twins I found this software which is for Anonymizing your web surfing, but also has an SSL tunnel which would protect connecting on public WiFi. If someone doesn't want to set up VPN, the cost on this isn't too bad at $29/year. http://www.anonymizer.com/consumer/threat_center/evil_twin.html

I do/did like pgp, but I could count on one hand how many others used it. The GNU Windows PGP utility even worked with Outlook 2007!

I'll try to write some stuff on KB this week. :)

Posted by crashsystems

TrueCrypt, et al.

Another good encryption tool I've found is TrueCrypt, which is an open source project. It supports Windows, Mac and Linux, and is very easy to use.

As far as the encryption built into Windows and Mac, I think caution is best where they are concerned. It is old news that Microsoft has given the keys to their encryption to the FBI. Whether that is a bad thing or not is the subject of a much more political conversation, but what other national governments might Microsoft have made deals with? The same question goes for Mac. Regardless of one's opinion of whether those systems are good or not, the fact remains that when it comes to the security of truly critical data, you cannot trust a technology that isn't transparent.

Posted by neo

good point

You bring up a good point. (Another good point is, where is my article from last night? Good thing I wrote it offline and hopefully I can paste it in again...) I guess there are always rumors going around with who is giving what sort of information to governments and/or their secret services. It sounds a little bit like James Bond but really who can tell what is going on. The same is with Google, Yahoo, etc. Skype apparently has a "special" version for China so that the gov't can listen and read.
At the end it could all turn out wrong. Although, Google already officially confirmed to have worked together with some gov't departments. But I would say that no one really knows the full extent of their "partnership" and most likely not even the full potential of such a thing.

I for one don't trust Google with my email, or other information for that matter, and I don't trust MS or Apple to handle my data securely on my own computer.

Greetings from the MatriX,
neo

Posted by neo

IT security

We have discussed that multiple times here, I believe. It's really an important topic and I think most people are seeing security mainly as a hassle or even as an assault on their ego. "What means I need more security measures, you think I can not take care of my laptop or am not careful enough with passwords or you think I would not realize an attack on my computer..." etc etc etc.
Of course no one says it exactly like that. But this is often the attitude of people. The problem is that most people don't have an understanding of that stuff. This is not because they are stupid but because there is not enough teaching around for the average non-techie. Techie magazines and web sites cover that topic pretty well and often and most techies like me have at least a basic understanding.

But IMHO the rest of the magazines etc. don't cover that topic really well. Talking about having good passwords, using a virus scanner and a firewall isn't quite enough. From my experience most people think that when you have a virus scanner and a firewall and you need to provide a password to log in to your computer you are safe. That, at least, is not safe in terms of travelling with a laptop and connecting to unknown wireless hot spots and for sure not safe in terms of exposure of data in case of theft.
I mean, just put a hard drive in an external case and you can connect to it without needing a password. I guess most people are not aware of that. There is not even a need for hacking. Well, only a hardware hack, if you want to say so.

I guess, as techies we need to find ways to explain the reason for security, what kind of protection can prevent against what scenario, etc. But also what security measures do not really help or are insufficient for what reason. Well, everyone understands that you don't leave your bank card with the number on a sticker on it on the dashboard of your car and leave the door open when you "quickly" jump out of the car to get some goodies for morning tea in a bakery. Everyone would know that this is silly. Even locking the door doesn't really prevent people from getting into your car to grab the card. Everyone would be aware of the potential dangers of that without further explanation.
We need to get to the same point with IT security. If, with all the gained knowledge and understood implications, people still decide to "leave the door open and place the bank card on the dash board" this is another problem. (Why do IT folks always come up with a car analogy???)

So, what I probably would do is something along the lines of the following:

  • Use disk encryption, preferably TrueCrypt (http://www.truecrypt.org/). The simple reason is that it's FOSS, has up-to-date encryption methods and allows "plausible deniability". The built-in encryptions that come with OSX and Windows don't have plausible deniability, at least as far as I know. Please, correct me if I'm wrong. AFAIK same is true for hardware encryption.
  • Email goes through VPN with SSL. Also all Base related email has to go through the Base email system. No Gmail, Yahoo, MSN, AOL, or whatever people use. As admin I only have control over my own stuff. In case it's needed I can't shut down Yahoo or whatever other service people might use. There might even be other/more reasons for doing that.
    If someone needs an email address that doesn't indicate any sort of Christianity (e.g. someone who travels frequently or works in restricted and/or controlling countries) that is another matter, of course, and needs to be discussed separately. But then it's not enough to have just one email address for this person.
  • Set up PGP for everyone. I'm looking into that myself a little bit at the moment. I bet it's nothing that non-techies would do themselves. So, therefore I, as admin, set it up for them, teach them how to use it and make sure everyone on Base has the key of everyone else.
  • If not necessarily needed for the base email system get people to use something different from Outlook or Outlook Express. Like Thunderbird, Mozilla Suite, Opera, etc.
  • Make sure that everyone's virus scanner and firewall is up-to-date and configured correctly. For their own safety but also for the safety of their co-workers and base network.
  • Try to get people on Firefox (http://www.mozilla.com/en-US/) instead of using IE. Also install and explain how to use the add-ons NoScript (https://addons.mozilla.org/en-US/firefox/addon/722 - which probably needs a bit of explanation and help for first time non-techie users), Flashblock (https://addons.mozilla.org/en-US/firefox/addon/433) and Adblock Plus (https://addons.mozilla.org/en-US/firefox/addon/1865). I know that there are more helpful add-ons but that is not the topic right now. IMHO a handful of good add-ons is one of the main strengths of Firefox.
  • If necessary look into using an anonymity service like TOR (http://www.torproject.org/).
  • Teach people to not, under absolutely any circumstances, use public computers (e.g. internet cafe) for something important. Especially when it involves passwords. No one can really tell you whether there are key loggers installed or not. Even if you think you are smart and use a Linux Live CD, how do you know that there isn't a hardware key logger hidden somewhere? So, just don't do it.
  • Inform people about the potential risk of using the browsers' and email clients' capability to store usernames and passwords.
  • While we are at it, teach people about using good passwords. Not using names, birth dates, dictionary words, etc. What is the password strategy on your base, anyways? Here a password is required to have upper and lowercase characters and other signs like numbers. Every 4 weeks a new password is required. That results in such secure passwords like "Pass01" which then changes to "Pass02" etc or "Ministryname+numberOfMonth" (e.g. "Kitchen01" in January). IMHO that defeats the purpose of a password. But I don't have the "perfect" solution for this issue. The real secure password that is written down on a sticky note on the screen isn't really better either.

Greetings from the MatriX,
neo
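The password point in the list above (a rotation policy that only checks character classes lets "Pass01" become "Pass02" and "Kitchen01" follow the month) can be caught at password-change time. This is an added example, not code from the original post: it rejects a new password that is the old one with a different trailing number, or a common word followed by a month number. The word list and the 12-character minimum are constructed assumptions for the example.

```python
import re

# Constructed sample list of words a base might see in passwords
# (ministry names, the word "password" itself, and so on).
COMMON_WORDS = {"pass", "password", "kitchen", "office", "ywam", "welcome"}

MIN_LENGTH = 12  # assumed policy value for this example

_SPLIT = re.compile(r"^(.*?)(\d+)$")

def _stem_and_number(pw):
    """Split 'Kitchen01' into ('Kitchen', 1); None when there is no numeric suffix."""
    m = _SPLIT.match(pw)
    if not m:
        return None
    return m.group(1), int(m.group(2))

def is_incremented(old, new):
    """True when new is the same stem as old with any trailing number (Pass01 -> Pass02)."""
    a, b = _stem_and_number(old), _stem_and_number(new)
    return a is not None and b is not None and a[0].lower() == b[0].lower()

def is_word_plus_month(pw):
    """True for 'Kitchen01'..'Kitchen12' style passwords built from a common word."""
    parts = _stem_and_number(pw)
    if parts is None:
        return False
    stem, n = parts
    return stem.lower() in COMMON_WORDS and 1 <= n <= 12

def check_rotation(old, new):
    """Return the reasons to reject `new`; an empty list means it passes."""
    reasons = []
    if is_incremented(old, new):
        reasons.append("new password is the old one with a different number")
    if is_word_plus_month(new):
        reasons.append("common word followed by a month number")
    if len(new) < MIN_LENGTH:
        # Length defeats guessing far better than the upper/lower/number rule alone.
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    return reasons

if __name__ == "__main__":
    for old, new in [("Pass01", "Pass02"), ("Kitchen01", "correct horse battery staple")]:
        print(new, "->", check_rotation(old, new) or "ok")
```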

Posted by crashsystems

PGP/GPG

Good points Neo. Speaking of PGP/GPG, do you have any experience with either of those on Windows or Mac? I plan to write the Linux/GNOME section of a guide, but I'll need someone to write the parts for Windows and Mac.

Posted by neo

re: PGP/GPG

Unfortunately I don't (yet?) have any experience with Macs and Windows. We don't have any Win in the office and I don't boot my Windows really anymore. Well, every once in a while to test a website but that's really it.
But at least if one uses Thunderbird I guess it's pretty much the same procedure for all OSs. Since it's an add-on for Thunderbird it should be the same everywhere. But if I get a chance I'll try to set it up.

Also, another challenge with that is how to transfer the public and private keys to another email client and/or machine. E.g. I'm thinking of starting to use Kontact and also I have a laptop and a desktop. Of course I don't want to have 20 different GPG keys.

So, when I get a chance to do it then I'll report back how easy (or not) it was.

Greetings from the MatriX,
neo

Posted by crashsystems

PGP/GPG

A guide to the Thunderbird plugin would probably be useful, though the main part of the guide will need to be made independent of any email client, as a lot of people (myself included) use web-based email.

On a side note, I'd recommend that anyone maintaining their own private key use Truecrypt to protect it, and with a strong password. If your password gets confiscated/stolen, you don't want the person who took it to have easy access to your private key.