Your Data Is As Safe As Ever

With Tendenci, your data is as safe as ever. All of our clients are now running on our latest software version, T12.0. To stay in the loop and learn how our version bumps work, please visit Tendenci Lifecycle. For our Tendenci Community, please upgrade to our newest, polished version.

Check our GitHub changelog for updates and cool new features on your Tendenci site.

Stay in the now with news about Tendenci and about our latest software projects. Get inside information on release dates, software features and other happenings. Security is our top priority, which is why your email will be kept confidential, and you’ll only receive a message when we have something cool to say. Much love and appreciation to our Tendenci Community.
Subscribe to our newsletter at https://www.tendenci.com/forms/newsletter-signup/


https://github.com/tendenci/tendenci

SuperUsers Reset on Tendenci Sites Today as a Precaution

Norton Data Breach Report

All super users / admins on all Tendenci hosted sites need to reset their passwords today. This can be done at <your site>/accounts/password/reset/

Why? People reuse passwords. You shouldn’t, and you know that, but you probably do. Therefore, in an overabundance of caution given the large number of data breaches on the Internet this year, we are resetting all superuser passwords to a long randomized string unique to each. I’d also like to emphasize that:

  1. We have not had a data breach.
  2. Your site has NOT been hacked to our knowledge (every site has its own “silo”, meaning your site is isolated from all others in its own containers).
  3. A LOT of other companies have reported breaches, and humans tend to reuse passwords.

A quick visit to https://haveibeenpwned.com/ will show you how pervasive the problem is.

Next step: go to your login page, click “reset password” and pick a unique password, ideally with a space (“ ”) in it. Tendenci accepts spaces in passwords, so USE THEM!

To make passwords easier to remember, use sentences or phrases. For example, “breadandbutteryum”. Some systems will even let you use spaces: “bread and butter yum”.

From: https://www.it.ucsb.edu/password-best-practices
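The two things this post asks of you, checked in code: a passphrase that is long, keeps its spaces and is not already circulating in breach data (the reuse problem haveibeenpwned.com illustrates), and the forced reset of every superuser to a unique long random string. This is an added example, not Tendenci's code; the in-memory dict stands in for the site's user table, the breach fixture is constructed (the real service is queried by SHA-1 prefix in the same way), and the 16-character minimum is an assumption.

```python
import hashlib
import hmac
import os
import secrets

# Constructed offline stand-in for a haveibeenpwned.com k-anonymity range response:
# the client hashes the candidate with SHA-1, sends only the first 5 hex digits and
# receives "SUFFIX:COUNT" lines for that prefix, so the password never leaves the host.
_KNOWN_BAD = hashlib.sha1(b"password").hexdigest().upper()
CONSTRUCTED_RANGE = {_KNOWN_BAD[:5]: [f"{_KNOWN_BAD[5:]}:12345"]}  # count is made up

def range_lookup(prefix: str) -> list[str]:
    """Hypothetical fixture standing in for the real range endpoint."""
    return CONSTRUCTED_RANGE.get(prefix, [])

def breach_count(password: str, lookup=range_lookup) -> int:
    """How many times the password appears in the breach corpus (0 if unseen)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    for line in lookup(digest[:5]):
        suffix, count = line.split(":")
        if suffix == digest[5:]:
            return int(count)
    return 0

def passphrase_problems(password: str, min_len: int = 16) -> list[str]:
    """The post's advice as checks: long phrases, spaces allowed and counted, not reused."""
    problems = []
    if len(password) < min_len:          # no strip(): spaces are legitimate characters
        problems.append(f"shorter than {min_len} characters")
    if breach_count(password):
        problems.append("appears in breach data; someone is reusing it")
    return problems
def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
def make_user(password: str, is_superuser: bool) -> dict:
    salt = os.urandom(16)
    return {"is_superuser": is_superuser, "salt": salt,
            "hash": hash_password(password, salt), "sessions": {"sess-1"}}
def verify(users: dict, name: str, password: str) -> bool:
    user = users[name]
    return hmac.compare_digest(hash_password(password, user["salt"]), user["hash"])

def rotate_superusers(users: dict) -> dict:
    """Reset every superuser to a unique long random password and drop live sessions."""
    for user in users.values():
        if user["is_superuser"]:
            user["salt"] = os.urandom(16)
            user["hash"] = hash_password(secrets.token_urlsafe(32), user["salt"])
            user["sessions"].clear()     # a forced reset is pointless if logins stay valid
    return users
```

After `rotate_superusers` no superuser can log in with the old password, while ordinary members are untouched and must pick their new passphrase through the reset link.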

Security is our top priority. Security is an inconvenience. Security best-practices are far better than the alternative. We apologize for the inconvenience but it is, after all, what we are paid to do.

This decision was made by me, Ed Schipul, the founder and CEO. It was done without advance notice specifically to prevent bad actors from knowing about it in advance and sending phishing emails to you. The Internet is unfortunately a rough place right now. Stay safe out there!

WhatsApp Zero-Day Vulnerability

WhatsApp has patched a vulnerability that allowed attackers to install spyware on victims’ phones.

Though the exact number of targeted WhatsApp users is not yet known, WhatsApp engineers did confirm that only a “select number” of users were targeted by the NSO Group spyware using this vulnerability.

Read The Hacker News here.


Ubuntu 14.04 Reaches Its End Of Life

There is a new Ubuntu LTS release. Ubuntu 14.04 LTS ‘Trusty Tahr’ transitions to Extended Security Maintenance (ESM) today, April 30th, 2019. Tendenci is now on Ubuntu 18.04.

Every Tendenci product has a lifecycle as well. Read more here.

A release of Ubuntu is made through several different channels. What you consume will depend on where you are and what your interests happen to be.

The EU GDPR – the General Data Protection Regulation

Control your AMS with Open Source

RSA Conference in San Francisco
GDPR as seen by a vid from the RSA Conference

The European Union’s General Data Protection Regulation takes effect May 25, 2018. This is mostly an FYI, as Tendenci “the Company” does not engage in cross-site monitoring. It creeps us out a bit.

Yet while Tendenci does not do cross-site tracking or individual tracking, it is possible that YOUR site does if you are using Google Analytics, DoubleClick or any number of third-party add-ons and plugins.

It is up to YOU to reauthorize and comply with the data protection policies associated with third-party add-ons on your site.

What DOES Tendenci do that might allow you to make a mistake in GDPR compliance?

If used as designed, it would be hard to fall out of compliance, as every site is in an isolated database and container. Yet there are security functions that log activity on your Tendenci site; if you were to use those logs for tracking with AI, or sell your data, that could potentially be against the GDPR’s regulations. Talk to your attorney about this.

For example, PCI best practices require dual logging and analysis of the logs for security reasons. There is no direct identifying data in web logs, but they obviously include things like the IP address, which is needed to block DDoS attacks.

These logs are never sold or accessed by anyone but our security team, to troubleshoot the application and provide feedback to the administrators. Remember, you have the same user interface and front-end functionality that our team does if you host with us. Zero difference. And the logs do not contain any identifying information such as an email or name.

We are NOT lawyers; thus it is up to YOU to determine how you manage your data. We do not, nor have we ever, sold client data to third parties.

Security in the Tendenci SaaS Cloud at AWS


Cyber Security is based on Prevention, Monitoring, and Incident Response

Associations are part of the fabric of society. We take it seriously. And we also understand there are no “perfect” or “completely secure” systems. Not even air-gapped.

To guard our SaaS AMS clients’ sites we use redundant systems. These include SSL encryption, application isolation, containers, layers of AWS (Amazon Web Services) VPC, Security Groups, ACLs, Route53 DNS, custom AMIs, virus scanners, malware scanners, pentesting, auditing and more. All of these activities generate redundant logs which need to be monitored. To do that we run what is called the “ELK Stack”, or now the “Elastic Stack”.

Network Monitoring with OSSEC Logstash ElasticSearch and Kibana

Cyber Security starts with Project Management

A cyber security project, once its initial build-out is complete, never ends. It requires constant vigilance. The process of cyber security can be further explained as:

  1. Architecture – Start with Security In Mind
  2. Passive Cyber Defense – Systems that are in place
  3. Active Cyber Defense
  4. Cyber Intelligence Gathering
  5. Response

Note: There is a longer explanation on our site at https://www.tendenci.com/security/

There are many resources available for cyber security training. We encourage you to look them up and take an active role in keeping your web site, company, family and country secure from cyber attacks!

For the expanded full version of the basics of cyber security in the Tendenci SaaS cloud, see https://www.tendenci.com/security