The recent unpleasantness

Back on October 11, 2015, this website was “hacked” by some random group of miscreants.

The hack placed new index.html and index.php pages in every folder, I learned upon further inspection of my hosted files via FTP. It made cleaning things up a bit tedious, but not difficult.

I think the problem was that I had several old WordPress installations hanging around on the server, which had vulnerabilities left unpatched by updates to newer versions. For example, I had an install from years ago where I just played around with new themes.

Before replacing/removing the added or changed index files, I first had to uninstall all the old WordPress sites, leaving only this one (which had always been kept updated).

I have learned some lessons, suffice it to say, about being diligent about security.

  1. WordPress updates – Always update to the latest version right away!
  2. Remove old WordPress installations that are no longer being used (and kept up to date)
  3. Backups – Make them regularly

It did have one benefit, however: It forced me to become reacquainted with my blog and all the files on the server. I’ve been neglecting this place over the past few years. I aim to change that going forward.

How Bruce Schneier secures his laptop

On the heels of this recent story out of the UK about the government losing 25 million citizens’ personal data, IT security guru Bruce Schneier provides his tips on securing your laptop, especially critical for those us with client data on our drives:

Longer keys increase the amount of work the defender has to do linearly, while geometrically increasing the amount of work the attacker has to do.

Strong passwords are the first step to protecting your firm’s and your clients’ information assets. Assigning a strong password using a combination of lower and uppercase letters, numbers and special characters is far more important than changing your password frequently. It has been my experience, however, that strong passwords just aren’t being enforced as well as they should be.

There are several whole-disk encryption products on the market. […] The reason you encrypt your entire disk, and not just key files, is so you don’t have to worry about swap files, temp files, hibernation files, erased files, browser cookies or whatever. You don’t need to enforce a complex policy about which files are important enough to be encrypted. And you have an easy answer to your boss or to the press if the computer is stolen: no problem; the laptop is encrypted.

I love the idea of simplying this process in the way described above. Making it easy for non-technical users to implement security measures makes it more likely they will get implemented effectively. And being able to tell your manager or the partner that the client data has not been compromised would help me sleep at night.

Bruce also mentions that the product he uses can encrypt USB drives, which are an essential tool for the modern auditor. I keep mine secure by wiping data from it immediately after transferring to the laptop, but that may not always be immediately possible.

Whole-disk encryption means that anyone at your computer has access to everything. […] I recommend a two-tier encryption strategy. Encrypt anything you don’t need access to regularly — archived documents, old e-mail, whatever — separately, with a different password.

This is a sound strategy for older files, although I prefer his final point:

Minimize the amount of data on your laptop. Do you really need 10 years of old e-mails [sic]? Does everyone in the company really need to carry around the entire customer database?

This is a better strategy for me as an auditor. The only files I need on my laptop is the client I’m working on at the moment. That audit that wrapped up last week? It’s on the network, where security isn’t my responsibility! As for email, I try to clear out old stuff annually to keep the hard drive usage up but also to remove potentially sensitive information.

Follow those simple tips and your portable client, employer and personal data will have a much greater chance of remaining out of the wrong hands.

Twitter for accounting professionals?

Dennis wrote a post a few days ago about Twitter within “a business context” entitled “The pain of disruption“:

I want to DO something with Twitter. The more I think about what Twitter might deliver, the more scary it becomes. Twitter challenges my ingrained notions of how services and value are delivered.

In case you haven’t heard of Twitter, it is basically like group instant messaging. You create your own account and start making small (144 characters is the max) posts about what you’re doing or thinking about. Other Twitterers “follow” you and receive your postings on their home page.

For whatever reason the post really ignited something within me and I found myself commenting right away, although with an idea that sort of just fell out of my brain half-baked:

Off the top of my head, how about Twitter channels for large, distributed groups working together (I’m thinking specifically of audit teams but there are obviously other applications) to aid communication. Group IM seems useful as long as it can be secured for sensitive business.

I continued to ruminate on the issue and hoped some more ideas could be generated.

How about for Twitter for an entire accounting firm office? I could throw out a question to the entire firm, like “Does anyone have a GST reconciliation schedule template handy?” or “Why is the capital gains exemption limited to only qualified small business corporation shares?”

Being able to ask those sorts of questions is helpful since I’m rarely in the office unless it’s busy season (and even then it’s just evenings and weekends). Being able to ask my more senior colleagues technical questions when I’m in the field would be great, but not too different from using email. The difference I guess would be not having to enter all their addresses.

How about using Twitter to communicate with clients? This has some possibilities as well. Being able to communicate with clients about new accounting standards coming into effect, or relevant changes to tax law would improve client service and provide timely updates that blows the current model away.

Any other ideas for using Twitter within a business context or specifically for accountants?

Vista not even out yet but still pirated

Microsoft’s upcoming operating system, the successor to XP, isn’t out yet but it has still managed to be cracked (in a sense). Vista will be out Jan. 30, 2007 to consumers, earlier for Microsoft’s preferred big business clients.

With Windows Vista only just going “gold” … the first cracked versions have already hit the pirate boards. [It’s] called Vista BillGates. It doesn’t feature any activation cracks itself, and the supplied product key is just for the installation. The activation crack is a separate download, and works by replacing the licensing components with components from beta builds. Then using a product key from Beta 1, Beta 2, RC1 or RC2, the Gold version of Vista can be activated online. In this sense, it’s not a true crack.

It’s going to be a lot harder this time around to crack Windows and continue running the cracked version for any extended period of time, because Microsoft has tightened up their activation requirements. Windows XP got increasingly more difficult to maintain if you were running an illegal version, and I have a feeling Vista will carry the trend.

A full version of Office 2007 Enterprise was released on the boards a few hours after Vista. Unlike Vista, Office 2007 uses Volume Activation 1.0 (no activation required), so it’s unclear how Microsoft is going to be able to counter its dissemination in future.

It looks like Microsoft’s problems with piracy aren’t going to go easily. Not only do they have the lion’s share of users, making for a nice big target, but the software still doesn’t seem airtight. Not to mention all the features they scrapped just to bring it to market. Not like they have anything to worry about at my firm – we’re still tightly wedded to the Windows regime.

Auditor laptop stolen, confidential data included

The auditor for Hotels.com is Ernst & Young, and one of their staff working on the audit had their laptop stolen from their car, compromising the credit card data of approximately 243,000 customers.

These things will happen, but what I don’t understand is whether they’re just assuming whoever stole the laptop is going to be able to crack the password that is no doubt protecting it. I have to enter two different passwords just to get into my work laptop, one to boot up and one to log in.

Am I missing something here? Are passwords not enough to protect the data? Can you just rip the hard drive out of the laptop somehow and extract the data that way? Is any data truly safe, then?

EY has pledged to encrypt sensitive data such as this in the future, so maybe that holds the key to safeguarding the intangible assets of audit clients.