Friday, August 7, 2020

Racial Equity and Animal Advocacy?

During a recent All Hands virtual meeting there was a call to action to look at 21-Day Racial Equity Habit Building Challenge ©. I started to pursue this challenge by reading Peggy McIntosh’s White Privilege: Unpacking the Invisible Knapsack.

In the article, McIntosh lists 25 extraordinarily common things that identify the way white privilege operates in her life. It's often easy to identify when a person is the victim of racism. It is harder to recognize when your normal experience is a product of privilege. Privilege is not experienced consciously; racism is. I want you to read the article for yourself so I will only choose one of the 25 items she listed:


“I can go shopping alone most of the time, pretty well assured

that I will not be followed or harassed.” 


Although I may have recognized this as an issue for people of color, I absolutely didn’t think of how when I walk into a store the advantage of my racial identity doesn’t make me suspect. It has never been in question. It was the way the world saw me. I had no context of what any other experience was like, even though I knew it existed. 

McIntosh’s list was created in 1989 - more than 30 years ago - yet remarkably more than half of the 25 statements on the list provoked some new understanding on the ease of which I walk through the world. The article encourages readers to make their own list, so I started to think of aspects of my life experience and see what a list in the world around me would look like. It did not take long to find glaring examples.

Outside of my work at the state, I work with non-profits on animal welfare for homeless pets, and this challenge quickly revealed aspects of my life affected by racial equity. Once a week I attend an early morning call with animal welfare nonprofits from across the country. Although it is mostly animal-centric, the group leaders brought forth the conversation of how racism and diversity are handled in the animal sheltering world. And it came with a stark recognition. 

Animal sheltering and welfare is populated by people with infinite compassion for homeless pets. But I completely missed there was a lack of compassion and inclusion not afforded to a large part of the human population by this same seemingly compassionate group of people. Namely, animal welfare in the homeless pet industry is predominantly white. And not just from the staff and volunteers, but from the adoption and fosters we depend on to help us save the lives of homeless pets. Not for the disinterest from people of color, but from the standing homogeneity and current power structure that marginalizes people even in this kind hearted environment.

For instance, Pets for Life data states 3% of pet owners in underserved areas studied acquired a pet from a shelter/rescue. Nationwide, it is 30%. The perception of many in the field is that it is the people, not the system, that causes the low adoption rate. But we have learned that is not true through data and studies. The shelter community doesn't serve these areas populated predominantly by people of color. The discounting of this community not only is a disservice to the pets (the core mission), but it also represents the racism in the homeless pet community. The shelter industry does not equally engage people of color to help save lives.

In conversations with many people during and after that meeting, I realized the industry is rife with a passive, unrecognized racism. Not only are there few people of color as leaders, but there is a systemic issue that prevents people of color fostering or adopting pets. My list started with a simple corollary to the shopping item on McIntosh’s list:

“I can adopt or foster a homeless pet, pretty well assured

that I will not be rejected for the color of my skin.”

I could also say the same for volunteering in a shelter. My race allows me privilege in working in the world of animal advocacy.

Creating our own list exposes the way we pay attention to what is going on around us and the intersectionality of different power structures. In this case, I discovered the way the animal rights movement and racial equity movement intersect. It exposes everyday activities that I take part in have racist overtones, previously invisible to me, and most of my associates engaging in otherwise compassionate, charitable work.


I have continued to pursue the 21-Day Challenge, reading most of the material, watching videos, and listening to podcasts. I intend to continue increasing my list. It helps make the invisible visible. It’s not enough to understand where someone’s position puts them at a disadvantage. It is just as important, maybe more so, to recognize how your identity may put you at an advantage you never noticed.

This will be a difficult and uncomfortable place to go.  I encourage you to put yourself in this uncomfortable position. That’s why it is called a challenge. I highly recommend you push yourself to schedule time to take and pursue the 21-Day Racial Equity Habit Building Challenge.

Today's blog comes from Davyd Smith, OIT's IT Director supporting DNR & DOLA

Friday, July 31, 2020

I was approved for a $100K HELOC loan using the Colorado Digital ID™

Are you using your Colorado Digital ID™ for purchases and services requiring identification within our state? It’s a convenient, legal form of identification that’s with you all the time on your smartphone! As the myColorado project manager, I might be a little biased, but when I’m out and about, I take every opportunity possible to see which Colorado businesses are accepting the Digital ID. Below are just a few examples I discovered! 

Colorado Digital ID Use Case


My husband and I were sitting on the patio of a German restaurant here in beautiful Colorado enjoying a couple of pilsners when we heard a small commotion across from us. The server was asking a young man to provide his ID to serve him alcohol. He was seated at the table with what appeared to be his older brother and their parents, and they were telling the server that he was over 21 years old. After several minutes of back and forth, the frustrated young man stood up, grabbed his phone, and stomped off to his car in search of his wallet and physical driver license. I wanted to sprint over and let him know all about the Colorado Digital ID that’s stored in the myColorado™ mobile app Wallet. It’s simple to set up and use, and it’s an official form of identification backed by Executive Order B 2019 013, signed by Governor Polis on October 30, 2019.


I had an experience similar to my friend at the German restaurant - I had left my wallet at home, but the Digital ID came to my rescue. Our washing machine had given up after 15 years and the dryer was holding on by a thread. My husband and I headed to a major hardware store in the area in search of replacements. After we chose what we wanted, the store clerk offered us a 12-month interest-free option for current customers. My husband had never set up an account with them, so they had to use my profile to take advantage of the offer. Often, I don’t bring my wallet when shopping with my husband, and this was the case on that day. Therefore, I showed my Digital ID to help the store clerk find my account and he didn’t flinch! The clerk diligently verified the information on my Digital ID with his computer records and within minutes I was approved to purchase a brand new washer and dryer. 


Next, loaded with confidence, I decided to put a bank to the test. My husband and I had applied for a $100,000 home equity line of credit, or HELOC. When the time came to close on the loan, we were directed to a conference room at the bank to sign documents and present our IDs. While this time I had my physical ID tucked away in my purse, I was not going to pull it out unless absolutely necessary. (Note: The Executive Order states that merchants may accept the Digital ID, but are not required to at this time.) The bank official asked us for our IDs to take a photocopy of them. I showed my Colorado Digital ID on my iPhone. A bit puzzled, the banker called a notary public into the conference room to validate our identity and proceed with loan execution. I realized that by presenting a Digital ID, no hard copies of my physical ID would be taken. Therefore, this was a more secure process to protect my identity since a hard copy of my physical ID would not end up in a folder in the bank's files.


A digital form of identity is here to stay, grow, and evolve. In the last couple of years, I have noticed that friends and family members are increasingly leaving their wallets behind and carrying only their smartphones since many financial transactions can be conducted digitally without a physical debit or credit card. The same goes for providing proof of age, address, and identity here in Colorado! When ordering a drink at a local bar or restaurant, making big purchases, or applying for a loan, you can rely on the Digital ID.

Download myColorado and set up your Colorado Digital ID today! For more information, visit


How to set up your Colorado Digital ID:

  • Download the myColorado app on your smartphone from the Apple App or Google Play store
  • Scan the PDF 417 barcode of the back of your physical driver license or state ID card
  • Create an account and get authenticated to access your Digital ID
  • Start showing your Digital ID as proof of identity, age, and residency within Colorado

Note: Because the Digital ID is new and is not accepted everywhere yet, be sure to carry your physical driver license or state ID card wherever you go.

Today’s blog comes from Olga Klinger, Project Manager with OIT’s Customer Office.

Friday, July 24, 2020

The Great Toilet Paper Cyber Hack of 2020: Part 2 - Lessons Learned

Stop! Before proceeding, check out Part 1 of the Great Toilet Paper Cyber Hack of 2020 - posted on July 10, 2020.

Lessons Learned

When I reached out to Hal several weeks later to ask all the questions that kept nagging me about this activity, I learned that Hal had taken several actions to ensure this would never happen again. Hal and I agreed that we should share those as lessons learned.

1) Shop From Known Merchants

As mentioned in Part 1, it’s always best to be suspicious of unsolicited advertisements on social media sites, in emails, and anyplace encountered. No doubt, many of these sites are legitimate with legitimate products to sell; however, as Hal experienced, many of these are created for malicious purposes. Some of these purposes might include:
  • obtaining your credit card, your password, or other personal information;
  • enticing you to donate to a fake charitable cause;
  • or to download malware onto your system.

In Hal’s case, he got a double dose - the site he accessed sold him a fraudulent product and downloaded malware onto his system.

Another point - pay attention to where the items are coming from and where the business is located. Unless you specifically desire a foreign-made product, it’s probably safer to buy from U.S. suppliers.

2) Use Two-Factor Authentication

Use two-factor authentication on all accounts where it is offered, such as social media, bank, shopping, and - most importantly - email accounts. This will help prevent access to your accounts should your credentials be stolen. Additionally, never reuse your passwords across multiple accounts. If the account credentials for one site are obtained, you don’t want them to be used to compromise other accounts.

3) Don’t Store Account Credentials in Your Browser

This one is challenging, I know, but refrain from allowing your browser to store your account credentials. It may seem a convenience but as Hal experienced, if an attacker gains access to your computer, it’s relatively easy to extract and decrypt those credentials out of your browser. Even a rookie can do it! Use a password manager to safeguard your passwords, and ensure you authenticate to that tool using two-factor authentication.

4) Lock Your Computer

Additionally, Hal mentioned that he now locks his computer when he isn’t using it, and for good measure, he never leaves his browser windows open and logged in to his accounts.

5) Backup Your Files

Reloading his computer didn’t concern Hal at all because he had a regular backup schedule and was confident he wouldn't lose any important pictures, documents, or other data. I know many people who back up their data to a cloud service, and many others who use a USB-connected drive. Either of these will work as long as you appropriately safeguard access to your backups. This means two-factor authenticated access to your cloud provider, or ensuring that you disconnect the USB drive and store it somewhere safe. Do not keep it connected to your computer or in your laptop bag once you are done with the backup!

A Happy Ending

Hal assured me that his reloaded computer is working better than ever and that he’s confident this will not happen to him again. Additionally, his cabinets are now stocked full of Charmin Ultra Soft Mega rolls - the authentic product! He committed to never allow his supply get low enough during a global crisis to be tempted to order from any previously unheard of Chinese site! Oh, and subsequently, we learned that Charmin makes their product right here in the U.S.A., so there is no need to send away to China to get this essential product!

Today's blog comes from State of Colorado Chief Information Security Officer Debbi Blyth.

Friday, July 10, 2020

The Great Toilet Paper Cyber Hack of 2020: Part 1

A friend of mine told me this story about how his computer was hacked in his search for toilet paper. This occurred in late March 2020 - when toilet paper was non-existent in stores across the nation. My friend “Hal” (not his real name) told me that he found some Charmin Ultra Soft toilet paper available for purchase online. He did some price comparison and found it to be a fair price - not gouging and not cheap, but reasonably priced. There was nothing unusual to indicate that it might not be authentic, so he ordered it. He was expecting a package of 60 Mega rolls, which should last a while.

Within a day his credit card company informed him that he had attempted to make a purchase from a company in China - it was the toilet paper purchase! Hal authorized it, figuring that is probably where Charmin is made or that it might simply be the only company or warehouse where Charmin was still in existence. And realizing at that point, that the Charmin was coming from China, Hal prepared to wait for his toilet paper. Note: Being the good friend that I was, at this point, I brought him a package of toilet paper!

A couple of weeks later, Hal was out shopping - probably for toilet paper - and kept receiving unrequested second-factor access codes from his bank and retirement account providers. That was a clear tip-off that someone was attempting to access those accounts. He came home to discover some very unusual activity had occurred on his computer while he was out. He noticed that several browser sessions were open using a browser that he didn’t typically use, and that these browser windows were logged into a few of his accounts! He immediately took the computer to his local computer center to have it reloaded; they confirmed that malware was present on the system.

Over the next several weeks, Hal worked with his credit card company, Amazon, and PayPal to have fraudulent charges reversed, and with his bank and retirement account providers to change account information and reset credentials. Additionally, he changed all the passwords saved in his browser and implemented two-factor authentication on all of his accounts. The total charges to be reversed were in excess of $1,000 and this consumed almost two full weeks of Hal’s time! Fortunately, the world had recently gone into quarantine-lockdown, so Hal didn’t have a lot of other things to do.

Adding to the time, delay, and frustration was the fact that most merchant and bank employees had become remote and were not immediately reachable by phone. Almost all of these inquiries and transactions had to be done by email, with return calls by phone, adding hours and days of delay.

Sometime during account cleanup, the long-awaited toilet paper arrived! It came in a box about the size of a shoebox. 60 Mega rolls of toilet paper fit in a box the size of a shoebox!!! So much for lasting a while! So Hal taped the package back together and sent it back to whence it came!

Hal realized that his computer hack and the fraudulent “Charmin” toilet paper from China were related, and he’s confident that when he visited the site to order the toilet paper - or when he returned to check the status of his order - he also received malware. What is interesting is that a few weeks had elapsed from when Hal ordered the toilet paper and when the attacker became noticeably active on Hal’s computer.

Digging A Bit Deeper

When I asked Hal how he came upon this site from which he ordered the toilet paper he said that he saw an advertisement on social media. Ah-ha! One lesson learned: never click on advertisements you see on social media sites. Always shop from known and reputable sources. A typical indicator of fraud is that the item is priced significantly lower than its alternatives. In other words, if the price seems too good to be true, be wary. In this case, 
that particular warning flag was not present.

But this issue nagged at me for several weeks as I thought about how the attacker used a completely separate browser on Hal’s computer, a browser that Hal does not use, to access Hal’s accounts. So I reached back out to Hal and asked a few more questions…

Of course, all my questions would have been easily answered if we could have obtained a forensic examination of Hal’s computer. But Hal had already dropped it off at the computer center and his computer had been reloaded before he told me about the issue.

I determined two potential scenarios in which access to Hal’s accounts may have occurred... 

Scenario #1: Keylogger

The attacker may have installed keylogger software on Hal’s computer and simply captured passwords when he logged in to his accounts. This could certainly explain why there were a few weeks of dormancy before the attacker became active - he had to wait for Hal to log in to collect account credentials.

But Hal told me that he typically saves his password in his browser, and uses those saved credentials when accessing his accounts so he doesn’t have to remember the password. So while a keylogger may have been installed, it wasn’t likely the source of the password collection.

Scenario #2: Browser Password Extraction

A scenario started to form in my mind that somehow Hal’s passwords were extracted from the browser he typically uses. I could see this in a physical scenario in which I might be logged in to my computer with my preferred browser open, and then walk away without locking my computer. Someone (officemate or housemate) could potentially get on my machine, navigate to Amazon, and log in as me since the credentials would be automatically populated by my browser (assuming I had them saved). However, they would have to use the browser that I typically use. This scenario would not work if they attempted to access Amazon using a completely different browser. Was the attacker just showing off?

Another thought. If my officemate or housemate wanted to know what my Amazon account password was, they could access the security setting on my browser and “see” my password! But as I chatted with Hal about this, he reminded me that the attacker would have to know my master password in order to see the passwords saved for each account.

All of the components of the scenario I described above are related to a person attempting to access the computer physically, in person. Similarly, in the virtual world, the attacker would have to remotely access the system, pose as Hal, and either use the currently running browser or launch a new instance of Hal’s favorite browser. This would have likely worked with the remote access the attacker had, but Hal saw no evidence of the attacker having used the browser he left open. And if the attacker did take over the running browser, why would he go to the trouble of using a completely separate browser to log in to Hal’s accounts? It would be a silly and unnecessary step!

It occurred to me that this attacker was a one-trick pony. He had a tool that he liked to use to extract the passwords out of the most common types of browsers, including the one that Hal typically uses. And like Hal, this attacker had a preferred browser too, and it was a browser that Hal doesn’t use. In fact, that browser application didn’t even exist on Hal’s computer before the attack, so the attacker actually installed it!

When Hal visited the toilet paper advertising site, unbeknownst to him, he downloaded malware, which was executed using Hal’s privileges. This malware was likely a remote access program, and since it was running with Hal’s permissions, it looked to the system as if it was Hal. This attacker then loaded his own toolkit onto Hal’s computer. The toolkit consisted of a piece of software designed to retrieve and decrypt passwords from specific types of browsers, and it also included the browser application that the attacker likes to use.

The attacker’s software allowed him to issue a command, posing as Hal, to run a process extracting all the valuable information out of Hal’s browser, including his browsing history, bookmarks, and web browsing cookies. Most damaging, this software also retrieved all of the encrypted account data out of the browser, and decrypted it into a plaintext file. This file, now accessible to the attacker, contained a list of all of the sites (URLs) for which Hal had stored access credentials in his browser, including his username and password for each!

A Rookie!

I’m convinced that this attacker was a rookie, not a professional hacker. Here are a couple of reasons why...

Obvious Actions

The attacker used the browser he loaded on Hal’s system to attempt to get into Hal’s accounts. This activity could have been observed at any time, by Hal! A professional hacker would have retrieved the file containing the decrypted account credentials and moved it to another system. Professional hackers often automate many of these actions so they can retrieve as many account credentials from as many people as possible, in the shortest time duration. And whether or not they use the data themselves, it often ends up for sale on illegal sites. 

Didn’t Hide His Tracks

Most likely Hal caught the attack in action, which is why he saw the browser, and why the malware was observed by the computer center. A professional attacker typically erases all tracks of his existence to lessen the risk of detection and give him more time to make money or purchases using the stolen data.

Daytime Activity

Had the attacker waited until typical North American “sleeping” hours, Hal might not have caught the activity for a while and the attacker would have had more time to access more accounts. 

Triggering Fraud Detection Systems

The attacker kept attempting to get into Hal’s bank and retirement accounts, even though the authentication process kept prompting for the two-factor authentication code. This alerted the account providers that the accounts were being attacked, and they took immediate action to safeguard the account. This also tipped off Hal that someone was attempting to access his accounts.

Stay tuned for "Lessons Learned" in Part 2, coming next week.....

Today's blog comes from State of Colorado Chief Information Security Officer Debbi Blyth.