Is Your Website Vulnerable to Attack?
by Russel Neiss
A couple months ago, upon visiting one of my favorite Jewish websites (a well-known site), I was served with a warning that doing so would have potentially infected my computer with malware.
This malware could have caused identity theft, stolen my passwords, deleted files on my computer and otherwise generally caused havoc on my machine. This was a minor nuisance, but not the first time my security was imperiled by a Jewish organization not taking adequate security precautions.
About three years ago, the email address and password that I used to log on to a well-known Jewish educational listserv were (along with the credentials of more than 3,000 other Jewish educators) released online to various hacker forums around the web after that organization’s website was also attacked. You’d be surprised how many of these passwords work, to this day. Even more surprising is how many of these working passwords belong to technology-savvy leaders in our community.
The Jewish Federation’s Secure Communities Network recently issued an intelligence alert warning of potential “cyber-attacks.” This issue is not going away. Although most instances of “hacking” are basically the equivalent of spray-painted graffiti on an organization’s building, the truth remains that we are woefully unprepared.
Right now, more than half of the 50 “most innovative organizations” in the Jewish community, as labeled by Slingshot, are running a website with an outdated version of their content management system that is potentially vulnerable to automated attack tools easily bought on hacker forums. Angry attackers with an axe to grind have free open source tools available to them, and if a site is running outdated software with known security vulnerabilities then it’s almost trivial to gain control of it (this author’s best time is 3 minutes).
There’s a perception in the Jewish communal world that the hardest part of a technical project (an app, website design, etc.) is finding the money to get it built. Once it’s built, that’s it: it’s done, no further action required. If something does go wrong, many of us have an external tech contractor who usually can solve the problem for us without too much trouble, so we don’t prioritize staffing for this internally. (This is an awfully unsexy $100,000 in capacity-building to raise.) This guarantees that no one is responsible for the day-to-day maintenance of our systems; sometimes we don’t even have the capacity to ascertain whether or not our contractor is adequately taking care of our systems for us … until it’s too late.
But our lack of investment in technical support for Jewish communal organizations doesn’t only hurt us when something goes horribly wrong. By not fully integrating technologists into our institutions, we’re missing out on innumerable opportunities to integrate creative technological approaches to our work. Yes, we need to “get serious about cybersecurity” but that’s not sufficient.
We must develop interesting and effective technical solutions to problems on the fly instead of creating RFPs and sourcing vendors to build things slowly, expensively and with incomplete functionality. Some in civil society have begun to recognize this challenge, and many forward-thinking cities are partnering with organizations like Code For America to provide them with a critical jolt of innovation and infrastructure that were previously lacking in their organizations. The time has come for a Jewish equivalent.