The Threat Within

A headshot of Chadwick Jason Seagraves with text overlay: 'Anonymous Comrades Collective - Doxer Gets Doxed: "Proud Boy" Chadwick Jason Seagraves of NCSU'

People sometimes ask what keeps privacy professionals up at night. What is that one “worst-case scenario” that we dread? Personally, one of the scenarios hanging over my head is insider threat – when a library employee, vendor, or another person who has access to patron data uses that data to harm patrons. A staff person collecting patron addresses, birthdays, and names to steal the patrons’ identities is an example of insider threat. Another example is a staff person accessing another staff’s patron records to obtain personal information to harass or stalk the staff member.

Last week, an IT employee at NCSU was doxed as a local leader of a white supremacist group. This person, who worked IT for the libraries in the past, doxed individuals, including students in his own university, to harass and, in some cases, incite violence toward the people being doxed. As an IT employee, this person most likely had unchecked access to students, staff, and faculty personal information. It wouldn’t be a stretch to say that he still had access to patron information, given his connections to the library and his IT staff position.

Libraries spend a lot of time and attention worrying about external threats to patron privacy: vendors, law enforcement, even other patrons. We forget that sometimes the greatest threat to patron privacy works at the library. Library workers who have access to patron data – staff, administration, board members, volunteers – can exploit patrons through the use of their data for financial gain in the case of identity theft or harm them through searching for specific library activity, checkouts of certain materials, or even names or other demographic information with the intent to harass or assault. The reality is that there might not be many barriers, if at all, to stop library workers from doing so.

The good news is that there are ways to mitigate insider threat in the library, but the library must be proactive in implementing these strategies for them to be the most effective:

Practice data minimization – only collect, use, and retain data that is necessary for business operations. If you don’t collect it, it can’t be used by others with the intent to harm others.

Implement the Principle of Least Privilege – who has access to what data and where? Use roles and other access management tools to provide staff (and applications!) access to only the data that is absolutely needed to perform their intended duty or function.

Regularly review internal access to patron data ­­– set up a scheduled review of who has what access to patron data. When an employee or other library worker/affiliate changes roles in the organization or leaves the library, develop and implement policies and procedures in revoking or changing access to patron data at the time of the role change or departure.

Confidentiality Agreements For Library Staff, Volunteers, and Affiliates – your privacy and confidentiality policy should make it clear to staff that patrons have the right to privacy and confidentiality while using library resources and services. Some libraries go further in ensuring patron privacy by using confidentiality agreements. These confidentiality agreements state the times when patron data can be access and the acceptable uses for patron data. Violation of the agreement can lead to immediate termination of employment. Here are some examples of confidentiality agreements to start your drafting process:

Regularly train and discuss about privacy  – ensure that everyone who is involved with the library – staff, volunteers, board members, anyone that might potentially access patron data as part of their role with the library – is up to date on current patron privacy and confidentiality policies and procedures. This is also an opportunity to include training scenarios that involve insider threat to generate discussion and awareness of this threat to patron privacy.

A note about IT staff, be it internal library IT staff or an external IT department (campus IT, city government IT, or another form of organizational IT) – Do not automatically assume that IT staff are following privacy/security standards and policy just because they are IT. Now is the time to discuss with your IT connections about their current access is and what is the minimum they need for daily operations. However, even if the IT department practices good security and privacy hygiene (such as making sure they follow the Principle of Least Privilege), any IT staff member who works with the library in any capacity must also sign a confidentiality agreement and be included in training sessions at the very minimum.

A data inventory is a good place to start if you are not sure who has access to what data in the library. The PLP Data Privacy Best Practices for Libraries project has several templates and resources to help with creating a data inventory, assessing privacy risks, and practical actions libraries can take in reducing the risk of an insider threat.

Libraries serve everyone. We serve patrons who are already at high risk for harassment and violence. Libraries must do their part in mitigating the risk that insider threat creates for our patrons who depend on the library for resources and support. Otherwise, we become one more threat to our patrons’ privacy and potentially their lives or the lives of their loved ones.

NaNoWriMo: Data Privacy Edition

A Siamese cat sitting in front of an open laptop computer.
‘Tis the season for all things writing. Your cat might have some opinions about that… Source: https://www.flickr.com/photos/cedwardmoran/4179761302/

Welcome to this week’s Tip of the Hat!

Today marks the second day of NaNoWriMo – National Novel Writing Month. For years many aspiring (and established) writers spend countless hours writing to reach the goal of a 50,000-word manuscript. If you do the math, you would have to write about 1700 words a day to reach the goal! Novels are the primary genre for NaNoWriMo, but that hasn’t stopped others from taking the idea of a writing month and using it for other genres. For example, this month is also AcWriMo, or Academic Writing Month, for academics who need to buckle down to write that research book or article.

With November being the month of writing, why not join in the fray with writing about data security and privacy? Our recent Cybersecurity Awareness Month posts discussed the importance of interactive and engaging training, so the question now is how you can build a data security and privacy training that won’t put staff to sleep, or worse, demotivate them from taking proactive privacy and security measures to protect patron data. One way to create engaging training is to use stories and scenarios. Drawing from real-world examples is a start, but the challenge is turning that example into a scenario where training participants are invested in addressing the problems presented in the story. Here are a few tips to help you with the writing process!

Characters – who are the major players in the scenario? Staff person, patron, vendor, random person who comes off the street, the cat who keeps sneaking into the library building? Once you have the characters, what roles do they play? What are their motivations? Why do they do the things they do or think the way they think?

So many questions, even for a short scenario! Take a page from User Experience (UX) and create personas to help with the character-building process. Even a shortlist of who they are, what motivates them, what they want, and what they know can help hone the scenario narrative as well as introduce common types of motivations, knowledge/skill levels, and different types of threat actors or people that might face additional privacy risks to training attendees. 

If you need more inspiration for characters, may I introduce you to Alice and Bob and their crypto-friends?

Story – Your real-world examples or the case studies you learn from others are two good places to start. That shouldn’t stop you from exploring building scenarios from scratch! Or perhaps you would like to modify the real-world examples into a scenario that would be a better fit for the training you’re developing. One concept to explore for your scenario is threat modeling, or identifying potential weaknesses at the library (systems, procedures, policies, etc.), who or what might take advantage of the weakness, and what can be done to either avoid or mitigate the threat. The threat modeling process can uncover a complex web of threats and vulnerabilities that interact with each other. On the other hand, it could lead to valuable conversations with trainees about how one vulnerability can create a ripple effect if exploited, or how a threat actor isn’t always acting with malicious intent. Sometimes the most dangerous threat actors are not aware that they are putting data privacy at risk such as a staff person with good intentions sharing patron data without knowledge of patron privacy procedures. 

Visual aids – What’s a story without visual aids? You might not have the resources or acting chops to create scenario videos, but there are always pictures to give life to your characters and scenarios. Luckily, there are several Creative Commons licensed resources to choose from:

You can also search for CC-licensed photos on Flickr and Creative Commons.

There are a lot more you can do with building scenarios for your data privacy and security trainings, but these three areas will hopefully get you started down the path of becoming an accomplished author… of training scenarios 😉 Enjoy your writing journey, and good luck!

Something You Have/Know/Are: Multifactor Authentication

Welcome to this week’s Tip of the Hat!

Cybersecurity Awareness Month wouldn’t be complete if we didn’t talk about authentication! Traditionally a perennial topic for cybersecurity training, authentication was also in the news last week with the allegation of a well-known security researcher breaking into a presidential candidate’s Twitter account. The researcher, who also broke into the candidate’s account in 2016, was able to break into the account by brute force, trying out possible passwords based on what he knew of the candidate. In both cases, multifactor authentication was not turned on. If the allegation is true, the candidate did not learn from the 2016 hack, leaving his account vulnerable for all these years.

Why is multifactor authentication (MFA) important? The following is an excerpt from our April post on the LITA Blog where we explain what MFA is, why it’s important, and how to implement it alongside other cybersecurity measures!

Multifactor authentication

Our community college district has required access to our LSP, Alma, that requires multi-factor authentication when used through our single sign on provider. Can you talk a little bit about the benefits of multi-factor authentication?

Multifactor authentication, or MFA, is an authentication method that requires at least two out of the three types of items:

  • Something you know, like your password
  • Something you have, like your phone with an authentication app or like a physical key such as a YubiKey
  • Something you are, like your fingerprint, face, voice, or other biometric piece of information

(FYI – More MFA methods are adding location-based information to this list [“Somewhere you are”].)

MFA builds in another layer of protection in the authentication process by requiring more than one item in the above list. People have a tendency to reuse passwords or to use weak passwords for both personal and work accounts. It’s easy to crack into a system when someone reuses a password from an account that was breached and the password data subsequently posted or sold online. When combined with two-factor authentication (2FA), a compromised reused password is less likely to allow access to other systems.

While MFA is more secure than relying solely on your traditional user name and password to access a system, it is not 100% secure. You can crack into a system that uses SMS-based 2FA by intercepting the access code sent by SMS. Authentication apps such as Duo help address this vulnerability in 2FA, but apps are not available for people who do not use smartphones. Nonetheless it’s still worthwhile to enable SMS-based 2FA if it’s the only MFA option for your account.

This all goes to say that you shouldn’t slack on your passwords because you’re relying on additional information to log into your account. Use stronger passwords or passphrases – ideally randomly generated by Diceware – and do not reuse passwords or passphrases. Check out this video by the Electronic Freedom Foundation to learn more about Diceware and how it works. It’s a good way to practice your dice rolls for your next tabletop gaming session!

As a reminder – your security is only as strong as your weakest security practice, so once you have created your password or passphrase, store it in a password manager to better protect both your password and your online security.

Silent Fatigue

Welcome to this week’s Tip of the Hat!

Cybersecurity Awareness Month wouldn’t be complete without a post about a current cybersecurity threat. This month we learned that Silent Librarian is making the rounds right on time for the start of the academic school year.

Academic libraries encountered Silent Librarian last year, where several prominent universities were targeted by this phishing attack. Silent Librarian targets students and academic staff/faculty by sending an email that appears to be from the library, stating that their library account is going to expire and that the recipient needs to click on a link to reactivate it. If the user clicks the link and tries to log into the spoofed site with their university account, the attacker can then use this account to gain access to the university network and other sensitive systems.

Last week, Malwarebytes reported the first round of attacks for the 20/21 academic year. The attack follows roughly the same pattern from previous years; however, this year is a bit different due to the current chaotic state that many universities are in due to the pandemic. The attackers can take advantage of the confusion and disorder caused by the rapidly changing plans of on/off-site teaching, access to academic resources, and changing restrictions and guidelines set by campus officials. 

The fatigue caused by all of these changes can change how a person behaves and potentially lower the person’s ability to protect their digital security. This fatigue is a boon for attackers because the behavior changes lead people to be less diligent about cybersecurity – people may not be checking email messages before clicking on a link in a phishing email, for example. It’s difficult to prevent this fatigue with everything going on in the world and harder to recover from once fatigue sets in. 

This year’s Cybersecurity Awareness Month comes at a time where information security and privacy folks have to be mindful about over-relying on individual responsibility. Advice to combat this security fatigue usually center around what the individual should do, but what happens if the individual is already overwhelmed? This fatigue is not new – research has shown that users mentally check out when they are presented end-user agreements and privacy policies. The user can only do so much if they are distracted and overwhelmed by, well… everything that’s going on in 2020.

Users have a part to play in protecting data, but solely putting the burden of security on the end-user can create a vulnerability that is hard to fix in an organization when fatigue sets in. For libraries, this would be a good time to check what cybersecurity measures are in place and where the organization can alleviate some of this fatigue in staff. In the last two weeks, we explored different types of cybersecurity training – it might be a good time to create reminders or training that use positive reinforcement and motivate staff to be proactive in securing the library’s data. It’s also a good time to check firewalls, spam filters, and other email and network security settings to identify and block phishing emails, particularly repeat attackers such as Silent Librarian. Creating checklists for staff using personal devices for work purposes, as well as checklists for staff doing remote work, can help already overwhelmed staff in ensuring that they are not putting library data and networks at risk. Even smaller actions such as a checklist can go a long way in reducing data security and privacy risks. Providing any assistance to users at this time will not force users to spend all their energy (or, in some cases, spoons) trying to do all the things to protect data on their own, quickly leading to burnout and increased risk to data security.

Roll for Initiative! Gaming in Cybersecurity Training

Welcome to this week’s Tip of the Hat!

We learned last week that cybersecurity training is not as simple as choosing a particular training and rolling it out – training methods, goals, and context all determine the effectiveness of the training. While interactive training engages trainees and helps with understanding and motivation, the type of interaction matters. Simulations such as the phishing simulation test can backfire if not planned and deployed with care, but other types of interactive training engage users in a more controlled space and minimize unintended consequences… and you might level up in the process.

Games in training are not new, but turning training into a game by incorporating game elements or using existing games to teach particular concepts has grown in popularity in the last couple of decades. You’ve encountered gamification in other areas of your life – badges, leaderboards, and point systems, to name a few. These elements play into common human desires and motivations, such as collaboration/competition and accomplishment, which in turn can boost morale and knowledge retention. When combined with story elements and a positive reinforcement approach, training with game elements have a better chance overall of being more effective than traditional lecture-based training.

Libraries are no stranger to gamification. Academic, school, and public libraries use gamification for instructional sessions as well as patron programs. ALA has a Games and Gaming Round Table, as well as several resources for libraries, including two new books published this year about gamification in academic libraries and ready to use gamified programs for libraries of all types. It wouldn’t be a big stretch, therefore, for libraries to incorporate game elements or entire games into a training program, including cybersecurity training.

What does gamification look like in security and privacy training? Here are a few examples that you can use for both staff and patrons:

  • Tally Saves the Internet – This browser extension turns the Internet into a turn-based RPG where you fight an invisible enemy – online trackers. Players not only gain points and badges for fighting these online tracker monsters but also actually blocks trackers 😊
  • Cybersecurity Training for Youth Using Minecraft: A Field Guide – You can use existing games to teach cybersecurity, too! This field guide provides ways in which library staff can use Minecraft to teach patrons threat modeling in a way that doesn’t require prior knowledge of cybersecurity concepts but instead uses an environment the patrons might already be familiar with in their daily lives.
  • Tabletop exercises – unlike the other two examples above, tabletop exercises (TTE) have been around for a while in the cybersecurity world. One common TTE in cybersecurity is incident response, going through how an organization would respond to a particular scenario, such as a data breach. Think of it as a one-shot TRPG, but you role play as yourself, and your abilities and inventory consist of whatever policies, procedures, and resources you have in your organization at that moment. You can include other gaming elements and methods within TTE, such as Lego Serious Play, for additional collaborative/competitive opportunities in the scenario.
  • Cybersecurity games – There are several off-the-shelf cybersecurity games that you can use in existing training or at game night at your library!

There are many paths to incorporate game elements into cybersecurity training, so the best approach to take is to, well, play around and find which ones best fit your training audience. Don’t forget to have fun in the process, and may the dice roll in your favor!

Friendly Phishing, or Should You Phish Your Own Staff?

Welcome to this week’s Tip of the Hat!

October is a very important month. Not only does October mean Halloween (candy), it also means Cybersecurity Awareness Month. This month’s TotH posts will focus on privacy’s popular sibling, security. We start this month by focusing on one common “trick” – phishing – and why not all cybersecurity training is created equal.

A hooded middle aged white man wearing sunglasses laughs as he holds a fishing pole with a USB drive at the end of the line.
This is also the month where we get to use our favorite phishing stock photo. Image source: https://www.flickr.com/photos/hivint/36953918384/.

We wrote more about phishing in a previous post if you need a refresher; the tl;dr summary is that phishing is a very common attack method to gain access to a variety of sensitive systems and data by pretending to be an email from a trusted source (business or person). Phishing can be very costly on both a personal level (identify theft) and an organizational level (ransomware, data breach, etc.), so it’s no wonder that any digital security training spends a considerable amount of time on teaching others on how to spot a phishing email and what to do to prevent being phished.

It turns out that this type of training, for the amount of time spent in covering avoiding phishes, might not be as effective, and in some cases, can actively go against the goal of the training itself. A good portion of cybersecurity training comes in the way of lectures or an online web module, where users listen/read the information and are then tested to assess understanding. While that has been the main mode of training in the past, lecture/quiz style training, trainers realize that interactive training that goes beyond this model can be more effective in knowledge retention and understanding.

A growing number of organizations are using another type of security training – sending out phishing emails without warning to their employees. The phishing email, created by an external cybersecurity training company or by the local training team, would be sent out to spoof ether an organizational email or an email from a trusted source. This live test, theoretically, would more accurately assess employees’ knowledge and awareness of phishing methods and provide on-the-spot results, which could include corrections or remedial training. There are a variety of vendors offering both free and paid tools and services, such as KnowBe4 and PhishingBox.

Simulated phishing tests appear like a great addition to your organization’s training approach; however, these simulated tests can backfire. One way it can backfire is turning staff against the organization. One recent example of this comes from a simulated phishing email sent to Tribune Publishing staff, promising staff a chance of a company bonus if they clicked on the enclosed link. This email was sent out after staff went through furloughs and other drastic budget cuts, and the staff reaction to this email led to further erosion of trust between employees and administration. The debate extended to the security field, questioning the ethics of using content that otherwise is used in common phishing emails in an organization where employees went through considerable stress due to budget cuts. 

Another way simulated phishing tests can backfire is when the tests focus on shaming or negative outcomes. Some phishing tests focus on those who do not spot the phish, providing on the spot corrective training or assigning the employee to a future training. However, research has shown that focusing on shaming to correct behavior doesn’t work in the long term and might lessen the chance of someone reporting a possible phishing email or other cybersecurity issues to the organization. Negative reinforcement serves to create a more insecure organization by creating an environment where staff either are not motivated to or fear reprimand if they report a cybersecurity issue.

The use of simulated phishing tests will be the topic of debate for some time, but this debate presents two takeaway points to consider for any type of cybersecurity training:

  1. Context and methods matter – simulated tests can be effective, but the test’s logistics – including timing and content – can work against the desired outcomes of the trainers. Trainers should also consider the current state of the organization, such as staff morale and major crises/events in the organization, in choosing and developing cybersecurity training for staff. Another thing to consider is the effectiveness of training methods, including how often training has to be repeated to keep staff current on cybersecurity threats and procedures.
  2. Positive reinforcement – positive reinforcement, such as awarding staff members who do not click on the test phish email, can help with creating a more security-conscious organization. 

Next week we will dive into another type of cybersecurity training that is a simulation of another kind – stay tuned!

Black Lives Matter

Hello everyone,

Black Lives Matter.

If your library or archive is thinking about collecting photographs, videos, or other materials from the protests around George Floyd’s death caused by Minneapolis police, what are you doing to protect the privacy of the protesters? Black Lives Matter protestors and organizers, as well as many protesters and organizers in other activist circles, face ongoing harassment due to their involvement. Some have died. Recently Vice reported on a website created by white supremacists to dox interracial couples, illustrating how easy it is to identify and publish personal information with the intent to harm people. This isn’t the first website to do so, and it won’t be the last.

Going back to our question – if your response to the protests this weekend is to archive photos, videos, and other materials that personally identifiable information about living persons, what are you doing to protect the privacy and security of those people? There was a call made this weekend on social media to archive everything into the Internet Archive, but this call ignores the reality that these materials will be used to harass protesters and organizers. Here is what you should be considering:

  • Scrubbing metadata and blurring faces of protesters – a recently created tool is available to do this work for you: https://twitter.com/everestpipkin/status/1266936398055170048
  • Reading and incorporating the resources at https://library.witness.org/product-tag/protests/ into your processes and workflows
  • Working with organizations and groups such as Documenting The Now
    A tweet that summarizes some of the risks that you bring onto protestors if you collect protest materials: https://twitter.com/documentnow/status/1266765585024552960

You should also consider if archiving is the most appropriate action to take right now. Dr. Rachel Mattson lists how archives and libraries can do to contribute right now – https://twitter.com/captain_maybe/status/1267182535584419842

Archives, like libraries, are not neutral institutions. The materials archivists collect can put people at risk if the archives do not adopt a duty of care in their work in acquiring and curating their collections. This includes protecting the privacy of any living person included in these materials. Again, if your archive’s response is to archive materials that identify living people at these protests, how are you going to ensure that these materials are not used to harm these people?

Black Lives Matter.

#dataspringcleaning, Home Office Edition

Welcome to this week’s Tip of the Hat!

The trees outside the LDH office are now covered in leaves, the tulips and daffodils are blooming, and the grass has started growing again. All of which means one thing – allergy season Spring Cleaning Season! Or, as we at LDH like to call it, #dataspringcleaning season.

We covered the basics of #dataspringcleaning in a previous newsletter; however, determining if your data sparks joy might be a challenge this year given the state of current affairs. For this year’s #dataspringcleaning season, here’s a short cleaning list for your newly minted home office to help you in your data cleaning efforts.

Paper documents

Shred! If you don’t have a shredder at home, you have a couple of options:

  • Store documents for shredding at the office in a secured place in your home away from housemates.
  • Buy a shredder for your home. Look for a shredder that can shred at or above Level P-4. Having a shredder at home not only helps you protect patron privacy but also your privacy now that you have a convenient way to shred your personal documents and files.

Shredded paper should not go into your recycling bin – it’s most likely that your recycling center cannot accept shredded paper. In King County (where LDH is located) residents are instructed to use shredded paper for composting. You can also take a few handfuls of shredded paper to top off any garbage cans before closing up the garbage bag when you take the garbage out. Check with your local solid waste and recycling departments in your local area for more guidance about disposing of shredded paper.

Electronic equipment

  • Store patron data on work storage or equipment when necessary. Do not use personal hard drives, flash drives, or other personal storage devices to store patron data.
  • Do a quick data inventory of any personal cloud storage services you use, such as Google Drive or Evernote.
    • What patron data do you have stored in those services?
    • Can you migrate that data to work storage?
    • What data do you need to keep, and what data can be deleted?
  • If you have your work computer at home, now would also be a good time to do a data inventory of what’s stored on the local drive.
  • Remember, deleting a file doesn’t mean that the file is deleted! There are many programs available to help you permanently delete files.
  • If you do end up having to retire a physical disk or drive that held patron data, what tools do you have in your home toolbox? You most likely have a hammer, but you can also get creative depending on what’s available… we’ve mentioned power drills before, but perhaps you might want to try out the nail gun. Remember – safety first!

#dataspringcleaning at home is a good way to spend the time between meetings or to begin or end your workdays at home. A little bit of cleaning each day adds up to help protect patron privacy 🙂 Happy cleaning!

The Obligatory Password Manager Newsletter

We regularly get asked at LDH about password managers: what they are, if people should use them, and which ones to use. While there is some consensus in the information security world about password managers, there is still some debate – if you ask three security experts about password managers, you will get at least five answers. Today we’ll add to the mix and answer the most frequently asked questions about password managers.

What is a password manager?

At its core, a password manager is a software application that generates, stores, and retrieves passwords and other login information for various accounts. These passwords are accessible through the manager via a master password or passphrase. Think of a password manager as a vault – the vault has your passwords and you gain access to the vault through a combination that you and only you know.

Should I use a password manager?

Yes! Password managers are a great way to help you secure your online accounts. Password managers do the remembering of (almost) all the passwords for you, so you can break the bad habits of reusing passwords for multiple accounts or using weaker passwords that you can remember from memory – both habits put you at higher risk of having your account compromised. Some password managers can automatically change your passwords for you, as well as the ability to generate stronger passwords for each of your accounts. Another benefit of password managers is that you can securely share passwords for family accounts with others in your family (as long as they too use a password manager).

The one password that you have to remember is the master password to get into your manager. To create a strong password that you are likely going to remember, I recommend creating a passphrase. You can generate a strong passphrase through Diceware.

Are they safe?

Safety usually comes up when someone asks about password managers, and for good reason. This is a software application that could potentially have information for your financial accounts, your social media accounts, your shopping accounts, your medical accounts, and so on, and if that application has a data breach or leak, you are at high risk for identity theft at best. There is the fact that some password managers have had breaches in the past, the most prominent one being LastPass. You might also have read news stories about how other password managers might be vulnerable to breaches.

Nonetheless, for most folks, the risks associated with the use of a password manager are far less than using weaker passwords or reusing passwords. This gets into your threat model – what are the most realistic risks in terms of who wants your data, why they want your data, and how they’ll get your data. This is a risk assessment where you not only need to consider the severity of if the risk is realized but also the likelihood that a risk will be realized. Yes, a password manager might be breached, but the likelihood of a well-known password manager being breached is lower than a breach of an account that uses a weaker password or a password that was used by another account that was part of another breach or leak.

[A gentle reminder that using a weak password or reusing a password for your master password for the password manager also puts you at the same level of risk as not using a password manager at all!]

If you’re still wary of using a password manager, there are a couple of strategies I’ve encountered from my discussions with others that can mitigate some risks, including using multiple password managers to store different types of passwords and other sensitive information, or only use their password manager to manage passwords, and not store any other information, like security question answers and payment information.

Which password manager do you recommend?

It depends on your needs.

Some people use their browsers to manage their passwords, but that limits users to the browser that they are using. To get the full benefit, I recommend using a password manager separate from an individual browser’s password vault.
In general, you want to use a password manager that:

  • Uses strong encryption to store and to sync data in and between clients and apps
  • Offers secure cross-platform compatibility (desktop, mobile device) for all the platforms that you use in your daily life
  • Has an established reputation in the password manager world

The question of paid versus free accounts sometimes comes into the conversation. Several password managers have a free plan, while other password managers are free open source software. It depends on your needs and your comfort level when it comes to if you want to stick with a free plan/manager or move to a paid plan.
With all that said, here are some password managers to check out:

Are there alternative ways to store passwords outside a password manager?

There’s always this. ;c)

Special thanks to newsletter subscriber Chris Reimers and the folks in the ALA LITA/OIF webinar last week for the newsletter topic suggestion!

Recording now available for remote work and data privacy

If you missed last week’s “A Crash Course in Protecting Library Data While Working From Home”, don’t worry – we recorded the session! You can access the recording and transcript of of last week’s webinar in Google Drive. Resources and handouts for the webinar can be access at https://is.gd/LDH_RemotePrivacy.

More Zoom Updates and Free Webinar About Remote Work and Data Privacy

Welcome to this week’s Tip of the Hat!

Zoom has had one of those weeks. Since we last wrote about Zoom’s privacy issues last week, the number of additional privacy issues has skyrocketed. It’s gotten to the point where there are news articles just trying to keep track of all these updates. Even those articles are struggling to keep up. On March 31, TechCrunch published an article that listed the known privacy issues at that time, including the misleading advertising of true end-to-end encryption for voice chats, but the article came out a day before an article about zero-day bugs found by an ex-NSA hacker that could allow access to passwords and webcam/mic control if someone had physical access to the computer. Then the next day we learned that Zoom leaked LinkedIn data to other users. Additional reports suggest that Zoom is a very good target for intelligence gathering and interceptions for various governments.

Like we said – it’s hard to keep up with all the updates! Security expert Bruce Schneier’s writeup on Zoom is the most up to date list at the time of this writing.

The best option, in this case, is not to use Zoom, right? Unfortunately, it’s not that clear cut. A conversation on Twitter about Zoom brought up the point that Zoom fairs better than other web conferencing software in terms of screen reader access. While Zoom might be a hot mess when it comes to privacy, it still provides access to those who otherwise wouldn’t have it with other options. Workplaces complying with privacy and accessibility regulations find themselves in a tightrope act with trying to protect employee and patron privacy while at the same time provide tools that their staff can use. Zoom announced that they are addressing the privacy and security issues, which if the company follows through on their promise would solve the issue in the short term. The longer-term issue remains, however, with web conferencing software that have better privacy practices are not accessible for users, including for library workers.

For now, the best you can do is to lock down your Zoom meetings as much as possible and to review user and administration settings to ensure that all privacy and security settings are enabled. Some universities have created publicly accessible guides to more secure Zoom meetings, such as this guide from the University of Washington, as well as FAQs on privacy and security, that can help you formulate messaging to library staff about using Zoom.

Webinar on remote work and data privacy, April 9th

LDH Consulting Services is proud to sponsor this week’s LITA webinar “A Crash Course in Protecting Library Data While Working From Home”. This free webinar will provide strategies and actions in protecting patron privacy for library workers working from home, as well as some of the longer-term implications to patron privacy with libraries moving all essential operations and patron services online for the foreseeable future. Attendees will have the opportunity to share what they are doing to protect data privacy while working from home. Register today!