Month: April 2018

Posted on

Security in the Tendenci SaaS Cloud at AWS

Kibana OSSEC Tendenci

Cyber Security is based on Prevention, Monitoring, and Incident Response

Associations are part of the fabric of society. We take it seriously. And we also understand there are no “perfect” or “completely secure” systems. Not even air-gapped.

To guard our SaaS AMS clients’s sites we use redundant systems. These include SSL encryption, application isolation, containers, layers of AWS (Amazon Web Services) VPC, Security Groups, ACLs, Route53 DNS, custom AMIs, virus scanners, malware scanners, pentesting, auditing and more. All of these activities generate redundant logs which need to be monitored. To do that we run what is called the “ELK Stack” or now the “Elastic Stack“.

Network Monitoring with OSSEC Logstash ElasticSearch and Kibana

Cyber Security starts with Project Management

A Cyber PM, upon initial completion, never ends. It requires constant vigilance. The process of Cyber Security can be further explained as:

  1. Architecture – Start with Security In Mind
  2. Passive Cyber Defense – Systems that are in place
  3. Active Cyber Defense
  4. Cyber Intelligence Gathering
  5. Response

** Note: There is a longer explanation on our site at https://www.tendenci.com/security/

There are many resources available for cyber security training. We encourage you to look them up and take an active role in keeping your web site, company, family and country secure from cyber attacks!

For the expanded full version of the basics of cyber security in the Tendenci SaaS cloud, view at https://www.tendenci.com/security

Posted on

Keystroke Loggers are OS Agnostic

Keystroke loggers record every virtual keystroke you make. Have you run your security updates. (And Mac people? Windows people? I’m looking at you.)

From Microsoft:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
********************************************************************
Microsoft Security Update Summary for April 10, 2018
Issued: April 10, 2018
********************************************************************
This summary lists security updates released for April 10, 2018.
Complete information for the April 2018 security update release can
Be found at
<https://portal.msrc.microsoft.com/en-us/security-guidance>.
Critical Security Updates
============================
ChakraCore
Microsoft Edge
Internet Explorer 9
Internet Explorer 11
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
Windows Server 2008 for Itanium-Based Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
Windows 7 for 32-bit Systems Service Pack 1
Windows 7 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
Windows Server 2012
Windows Server 2012 (Server Core installation)
Windows 8.1 for 32-bit systems
Windows 8.1 for x64-based systems
Windows RT 8.1
Windows Server 2012 R2
Windows Server 2012 R2 (Server Core installation)
Windows 10 for 32-bit Systems
Windows 10 for x64-based Systems
Windows 10 Version 1511 for 32-bit Systems
Windows 10 Version 1511 for x64-based Systems
Windows 10 Version 1607 for 32-bit Systems
Windows 10 Version 1607 for x64-based Systems
Windows 10 Version 1703 for 32-bit Systems
Windows 10 Version 1703 for x64-based Systems
Windows 10 version 1709 for 32-bit Systems
Windows 10 version 1709 for x64-based Systems
Windows Server 2016
Windows Server 2016 (Server Core installation)
Windows Server, version 1709 (Server Core Installation)
Important Security Updates
============================
Excel Services
Microsoft Excel Viewer 2007 Service Pack 3
Microsoft Excel 2007 Service Pack 3
Microsoft Excel 2010 Service Pack 2 (32-bit editions)
Microsoft Excel 2010 Service Pack 2 (64-bit editions)
Microsoft Excel 2013 RT Service Pack 1
Microsoft Excel 2013 Service Pack 1 (32-bit editions)
Microsoft Excel 2013 Service Pack 1 (64-bit editions)
Microsoft Excel 2016 (32-bit edition)
Microsoft Excel 2016 (64-bit edition)
Microsoft Excel 2016 Click-to-Run (C2R) for 32-bit editions
Microsoft Excel 2016 Click-to-Run (C2R) for 64-bit editions
Microsoft Office 2010 Service Pack 2 (32-bit editions)
Microsoft Office 2010 Service Pack 2 (64-bit editions)
Microsoft Office 2013 RT Service Pack 1
Microsoft Office 2013 Service Pack 1 (32-bit editions)
Microsoft Office 2013 Service Pack 1 (64-bit editions)
Microsoft Office 2016 (32-bit edition)
Microsoft Office 2016 (64-bit edition)
Microsoft Office 2016 Click-to-Run (C2R) for 32-bit editions
Microsoft Office 2016 Click-to-Run (C2R) for 64-bit editions
Microsoft Office Compatibility Pack Service Pack 3
Microsoft Office Web Apps 2010 Service Pack 2
Microsoft Office Web Apps Server 2013 Service Pack 1
Microsoft SharePoint Enterprise Server 2013 Service Pack 1
Microsoft SharePoint Enterprise Server 2016
Microsoft SharePoint Server 2010 Service Pack 2
Microsoft SharePoint Server 2013 Service Pack 1
Microsoft Wireless Keyboard 850
Microsoft Word 2007 Service Pack 3
Microsoft Word 2010 Service Pack 2 (32-bit editions)
Microsoft Word 2010 Service Pack 2 (64-bit editions)
Microsoft Word 2013 RT Service Pack 1
Microsoft Word 2013 Service Pack 1 (32-bit editions)
Microsoft Word 2013 Service Pack 1 (64-bit editions)
Microsoft Word 2016 (32-bit edition)
Microsoft Word 2016 (64-bit edition)
Word Automation Services
Moderate Security Updates
============================
Internet Explorer 10
Other Information
=================
Recognize and avoid fraudulent email to Microsoft customers:
=============================================================
If you receive an email message that claims to be distributing
a Microsoft security update, it is a hoax that may contain
malware or pointers to malicious websites. Microsoft does
not distribute security updates via email.
The Microsoft Security Response Center (MSRC) uses PGP to digitally
sign all security notifications. However, PGP is not required for
reading security notifications, reading security information, or
installing security updates. You can obtain the MSRC public PGP key
at
<https://technet.microsoft.com/security/dn753714>.
********************************************************************
THE INFORMATION PROVIDED IN THIS MICROSOFT COMMUNICATION IS
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT
DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING
THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE.
IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE
LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL
DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN
ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY
FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING
LIMITATION MAY NOT APPLY.
********************************************************************
Microsoft respects your privacy. Please read our online Privacy
Statement at
<http://go.microsoft.com/fwlink/?LinkId=81184>.
If you would prefer not to receive future technical security
notification alerts by email from Microsoft and its family of
companies please visit the following website to unsubscribe:
<https://profile.microsoft.com/RegSysProfileCenter/subscriptionwi zard.aspx?wizid=5a2a311b-5189-4c9b-9f1a-d5e913a26c2e&%3blcid=1033>.
These settings will not affect any newsletters you've requested or
any mandatory service communications that are considered part of
certain Microsoft services.
For legal Information, see:
<http://www.microsoft.com/info/legalinfo/default.mspx>.
This newsletter was sent by:
Microsoft Corporation
1 Microsoft Way
Redmond, Washington, USA
98052
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEELe29pj1Ogz+2MnKbEEiO2re18ugFAlrL6acACgkQEEiO2re1 
8ugDURAArw0n30Pv02dQJfwqf1VYnPG6BYdURT3TYf5QMMQweIG9y8aKnhCHJn55
JHmlNKsGcOOaEIid6On+ihUw0uHjx/Ct6XKtl/QDnZTt5AKt8Whj/8+LjPSQgPmF
+utXhqZBW/IeNgvtVaPLM55XXgao6IFt/UH0WKydV1AWdZ3/PuMR4hOIAwVHUBj9
z1MigLNkfWGUXZi02T7W4E/3Ea3nEdQnECvHsk/j2nF+k85FMPf1T3TOUE/sdNQI
F0m1za2FAU9E+GNLIyQ3hVdx/Zw2sI8WeqtL+48IZ1UNZ1XcwYUmZ/aN3x9hvqSj
MLbQXFTSmsXdV97eQYQmVEnkqC/KtYMnupXWULfTn6LnqqT17R10Zk94xVRFtMWo
ed1abogGO2x+UMulcrwrEjReQ3vhT1rJSvk7o/YbhbWo/D2o67oOzGx+Cz2ROXWt
CbLOie9q+UOXDjPBuTzPeG24f4AVKiIPr2VwTWY4IGjysENpSr+L1JPhL4KdO/yy
mLalrJmChPWuRR9y3sn3/hS9Blk7qMZEVWGGhizPbF68tXhnrTdz4lLj5d/gnWus
HXgm92RftfEjMEDp9SlWZZAMbKNzihMB8sgXJl52N8emhD4wsRqmh4E13TBHrBxk
h54mC77b1aWJqcIqo5b0RAyNW0BTmaikL3enEEriFtZQiZZzq5k=
=Dn1R
-----END PGP SIGNATURE-----
Posted on

Tendenci Transparency Report – Why isn’t Wild Apricot Posting One?

red bird

Yup, AMS transparency reporting is critically important. And perhaps also equally a bit boring. After all, you are looking for what is MISSING.

In Tendenci – the Open Source AMS’ latest transparency report, yup, nothing has changed. Yea!

And given Tendenci AMS is fully open source and still building for the future , well, it’s pretty clear what our position is. We believe in open source and transparency.

What other MAJOR AMS can you self deploy on the servers of your choice? In the data center of your choice? In the country of your choice? With the encryption and firewall restrictions of YOUR CHOICE. That’s the beauty of open source.

And the price starts at zero. It. Is. Fully. Open. Source.

What is Wild Apricot’s transparency report? After all, they are recently touted as the new kid on the block. Welcome! Yet what is their position on transparency?

Disclaimer in defense of Wild Apricot – in all fairness, AMS systems take a solid 10 years to write. They really are doing a great job catching up, I’m only addressing transparency in this post.  Plus at Tendenci, we love a good strong new competitor adding value for NPOs/NGOs and Associations. We love that they are leveling up. All we’re saying is, let’s see their transparency reports? Why not be open source?

And yes, that is a challenge. Step up people!

Regarding Open Source – hey, why not support local: Tendenci pricing starts at ZERO ($0.00). Many people host in the Tendenci Cloud at AWS because we’re a good fit. Yet, our hosting pricing might not work for you in your country, right?

If so, then why not support a local developer in your community? Help build your home country’s tech sector by supporting your local developers!

Back to the business stuff – we have updated our latest transparency report. No changes. (check mark in the “no changes=good” column folks!)
https://www.tendenci.com/transparencyreporting/

Even though the competition is (mostly) NOT truly free and open source, that doesn’t mean they can’t be responsible and tell you if they have turned over your data. It does mean that any proprietary vendor offering free services is selling your data.

Is your AMS handing over, or monitoring, all of your data? Perhaps to the highest bidder or to the country of origin? You have a right to know.

Seriously, if any sector in the world needs responsible disclosure, it’s the association and non-profit/NGO sector.

Truly AMS (association management systems) / association management software in our opinion. Thus, the small team, and the large community at Tendenci, challenge our competitors to be transparent!

Yes, we understand that warrant canaries aren’t completely cut and dried. But at least a good faith effort? Why are other AMS systems not posting transparency reports?

If the FBI stated that NGOs/NPOs/Associations were the first target of the Russian propaganda campaign to influence the US elections, then I personally take issue with this.

NOTE: Propaganda and motives of foreign countries does NOT mean collusion. Collusion, and hopefully there wasn’t any, is not a topic we are addressing at all. (That’s for the politicians and the courts to figure out. We’re just programmers trying to do good.)

Thus the CHALLENGE to other AMS SaaS providers: Post your Transparency Reports!

Really, we call on all of the alternatives to Tendenci to adopt a transparency reporting policy.

Why not? Even proprietary companies can be transparent, right?

Why hide anything from your clients, open source or not? We don’t get it. End users don’t have to, and shouldn’t, tolerate hidden data disclosure.

Transparency reporting is just one more reason we’re passionate about helping associations and non-profits with their causes! We try to take the high road. Yet now, it’s not just about data collection, data mining, cross site tracking, Russian to popular AMS systems, it’s about just having integrity to tell people what is going on.

Associations, and therefore association management software, is important in every country. That’s why Tendenci is Open Source and currently supports 75 languages!

Yes, stay with your trusted local developer. Just please fast check them and demand access to your code, access to all of your data, demand access to your rights. And yes, demand transparency.

That’s how we roll at Tendenci – brutally open and honest, full access, association management. You know, kind of like WordPress is for blogs and CMS. Open!

At Tendenci, we recognize the value of the work you do. And we believe you deserve OPEN. In fact, we think open is baseline.

We hope you do too. Because Associations matter. You matter. #rockon #demandTransparency #ams #associationmanagement #asae #associationchat