The EU GDPR – the General Data Protection Regulation

Control your AMS with Open Source
RSA Conference in San Francisco
GDPR as seen by a vid from the RSA Conference

The European Union’s General Data Protection Regulation starts May 25, 2018. This is mostly an FYI as Tendenci “the Company” does not engage in cross site monitoring. It creeps us out a bit.

Yet while Tendenci does not do cross site tracking or individual tracking, it is possible that YOUR site does if you are using Google Analytics, DoubleClick or any number of third party add-ons and plugins.

It is up to YOU to reauthorize and comply with the data protection policies associated with third party add-ons on your site.

What DOES Tendenci do that might allow you to make a mistake in GDPR compliance?

If used as designed, it would be hard to become out of compliance as every site is in an isolated database and container. Yet there are security functions that log activity on your Tendenci site, that if you were to use it for tracking with AI or sell your data, it could potentially be against the GDPRs regulations. Talk to your attorney about this.

For example PCI best practices require dual logging and analysis of the logs for security reasons. There is no direct identifying data in web logs, but they would obviously include things like the IP address to block DDoS attacks.

These logs are never sold or accessed by anyone but our security team to trouble shoot the application and provide feedback to the administrators. Remember, you have the same user interface and front end functionality that our team does if you host with us. Zero difference. And the logs do not contain any identifying information such as an email or name.

We are NOT lawyers, Thus it is up to YOU to determine how you manage your data. We do not, nor have we ever, sold client data to third parties.

 

Security in the Tendenci SaaS Cloud at AWS

Kibana OSSEC Tendenci

Cyber Security is based on Prevention, Monitoring, and Incident Response

Associations are part of the fabric of society. We take it seriously. And we also understand there are no “perfect” or “completely secure” systems. Not even air-gapped.

To guard our SaaS AMS clients’s sites we use redundant systems. These include SSL encryption, application isolation, containers, layers of AWS (Amazon Web Services) VPC, Security Groups, ACLs, Route53 DNS, custom AMIs, virus scanners, malware scanners, pentesting, auditing and more. All of these activities generate redundant logs which need to be monitored. To do that we run what is called the “ELK Stack” or now the “Elastic Stack“.

Network Monitoring with OSSEC Logstash ElasticSearch and Kibana

Cyber Security starts with Project Management

A Cyber PM, upon initial completion, never ends. It requires constant vigilance. The process of Cyber Security can be further explained as:

  1. Architecture – Start with Security In Mind
  2. Passive Cyber Defense – Systems that are in place
  3. Active Cyber Defense
  4. Cyber Intelligence Gathering
  5. Response

** Note: There is a longer explanation on our site at https://www.tendenci.com/security/

There are many resources available for cyber security training. We encourage you to look them up and take an active role in keeping your web site, company, family and country secure from cyber attacks!

For the expanded full version of the basics of cyber security in the Tendenci SaaS cloud, view at https://www.tendenci.com/security

Keystroke Loggers are OS Agnostic

Keystroke loggers record every virtual keystroke you make. Have you run your security updates. (And Mac people? Windows people? I’m looking at you.)

From Microsoft:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
********************************************************************
Microsoft Security Update Summary for April 10, 2018
Issued: April 10, 2018
********************************************************************
This summary lists security updates released for April 10, 2018.
Complete information for the April 2018 security update release can
Be found at
<https://portal.msrc.microsoft.com/en-us/security-guidance>.
Critical Security Updates
============================
ChakraCore
Microsoft Edge
Internet Explorer 9
Internet Explorer 11
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
Windows Server 2008 for Itanium-Based Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
Windows 7 for 32-bit Systems Service Pack 1
Windows 7 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
Windows Server 2012
Windows Server 2012 (Server Core installation)
Windows 8.1 for 32-bit systems
Windows 8.1 for x64-based systems
Windows RT 8.1
Windows Server 2012 R2
Windows Server 2012 R2 (Server Core installation)
Windows 10 for 32-bit Systems
Windows 10 for x64-based Systems
Windows 10 Version 1511 for 32-bit Systems
Windows 10 Version 1511 for x64-based Systems
Windows 10 Version 1607 for 32-bit Systems
Windows 10 Version 1607 for x64-based Systems
Windows 10 Version 1703 for 32-bit Systems
Windows 10 Version 1703 for x64-based Systems
Windows 10 version 1709 for 32-bit Systems
Windows 10 version 1709 for x64-based Systems
Windows Server 2016
Windows Server 2016 (Server Core installation)
Windows Server, version 1709 (Server Core Installation)
Important Security Updates
============================
Excel Services
Microsoft Excel Viewer 2007 Service Pack 3
Microsoft Excel 2007 Service Pack 3
Microsoft Excel 2010 Service Pack 2 (32-bit editions)
Microsoft Excel 2010 Service Pack 2 (64-bit editions)
Microsoft Excel 2013 RT Service Pack 1
Microsoft Excel 2013 Service Pack 1 (32-bit editions)
Microsoft Excel 2013 Service Pack 1 (64-bit editions)
Microsoft Excel 2016 (32-bit edition)
Microsoft Excel 2016 (64-bit edition)
Microsoft Excel 2016 Click-to-Run (C2R) for 32-bit editions
Microsoft Excel 2016 Click-to-Run (C2R) for 64-bit editions
Microsoft Office 2010 Service Pack 2 (32-bit editions)
Microsoft Office 2010 Service Pack 2 (64-bit editions)
Microsoft Office 2013 RT Service Pack 1
Microsoft Office 2013 Service Pack 1 (32-bit editions)
Microsoft Office 2013 Service Pack 1 (64-bit editions)
Microsoft Office 2016 (32-bit edition)
Microsoft Office 2016 (64-bit edition)
Microsoft Office 2016 Click-to-Run (C2R) for 32-bit editions
Microsoft Office 2016 Click-to-Run (C2R) for 64-bit editions
Microsoft Office Compatibility Pack Service Pack 3
Microsoft Office Web Apps 2010 Service Pack 2
Microsoft Office Web Apps Server 2013 Service Pack 1
Microsoft SharePoint Enterprise Server 2013 Service Pack 1
Microsoft SharePoint Enterprise Server 2016
Microsoft SharePoint Server 2010 Service Pack 2
Microsoft SharePoint Server 2013 Service Pack 1
Microsoft Wireless Keyboard 850
Microsoft Word 2007 Service Pack 3
Microsoft Word 2010 Service Pack 2 (32-bit editions)
Microsoft Word 2010 Service Pack 2 (64-bit editions)
Microsoft Word 2013 RT Service Pack 1
Microsoft Word 2013 Service Pack 1 (32-bit editions)
Microsoft Word 2013 Service Pack 1 (64-bit editions)
Microsoft Word 2016 (32-bit edition)
Microsoft Word 2016 (64-bit edition)
Word Automation Services
Moderate Security Updates
============================
Internet Explorer 10
Other Information
=================
Recognize and avoid fraudulent email to Microsoft customers:
=============================================================
If you receive an email message that claims to be distributing
a Microsoft security update, it is a hoax that may contain
malware or pointers to malicious websites. Microsoft does
not distribute security updates via email.
The Microsoft Security Response Center (MSRC) uses PGP to digitally
sign all security notifications. However, PGP is not required for
reading security notifications, reading security information, or
installing security updates. You can obtain the MSRC public PGP key
at
<https://technet.microsoft.com/security/dn753714>.
********************************************************************
THE INFORMATION PROVIDED IN THIS MICROSOFT COMMUNICATION IS
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT
DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING
THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE.
IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE
LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL
DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN
ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY
FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING
LIMITATION MAY NOT APPLY.
********************************************************************
Microsoft respects your privacy. Please read our online Privacy
Statement at
<http://go.microsoft.com/fwlink/?LinkId=81184>.
If you would prefer not to receive future technical security
notification alerts by email from Microsoft and its family of
companies please visit the following website to unsubscribe:
<https://profile.microsoft.com/RegSysProfileCenter/subscriptionwi zard.aspx?wizid=5a2a311b-5189-4c9b-9f1a-d5e913a26c2e&%3blcid=1033>.
These settings will not affect any newsletters you've requested or
any mandatory service communications that are considered part of
certain Microsoft services.
For legal Information, see:
<http://www.microsoft.com/info/legalinfo/default.mspx>.
This newsletter was sent by:
Microsoft Corporation
1 Microsoft Way
Redmond, Washington, USA
98052
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEELe29pj1Ogz+2MnKbEEiO2re18ugFAlrL6acACgkQEEiO2re1 
8ugDURAArw0n30Pv02dQJfwqf1VYnPG6BYdURT3TYf5QMMQweIG9y8aKnhCHJn55
JHmlNKsGcOOaEIid6On+ihUw0uHjx/Ct6XKtl/QDnZTt5AKt8Whj/8+LjPSQgPmF
+utXhqZBW/IeNgvtVaPLM55XXgao6IFt/UH0WKydV1AWdZ3/PuMR4hOIAwVHUBj9
z1MigLNkfWGUXZi02T7W4E/3Ea3nEdQnECvHsk/j2nF+k85FMPf1T3TOUE/sdNQI
F0m1za2FAU9E+GNLIyQ3hVdx/Zw2sI8WeqtL+48IZ1UNZ1XcwYUmZ/aN3x9hvqSj
MLbQXFTSmsXdV97eQYQmVEnkqC/KtYMnupXWULfTn6LnqqT17R10Zk94xVRFtMWo
ed1abogGO2x+UMulcrwrEjReQ3vhT1rJSvk7o/YbhbWo/D2o67oOzGx+Cz2ROXWt
CbLOie9q+UOXDjPBuTzPeG24f4AVKiIPr2VwTWY4IGjysENpSr+L1JPhL4KdO/yy
mLalrJmChPWuRR9y3sn3/hS9Blk7qMZEVWGGhizPbF68tXhnrTdz4lLj5d/gnWus
HXgm92RftfEjMEDp9SlWZZAMbKNzihMB8sgXJl52N8emhD4wsRqmh4E13TBHrBxk
h54mC77b1aWJqcIqo5b0RAyNW0BTmaikL3enEEriFtZQiZZzq5k=
=Dn1R
-----END PGP SIGNATURE-----

Equifax Breach via Apache Struts Framework

(This is a cross post from our CEOs personal blog. Note that Tendenci sites do NOT use Apache and the vulnerabilities in Equifax’s implementation of Apache Struts do NOT impact your Tendenci site. Still be aware that nothing is is 100% secure so stay vigilant and be prepared friends!)

As reported last Friday, the 2017 Equifax personal credit reporting agency had a data breach of 143 Million people’s identities. It started in May 2017 and is just now (August 2017) being disclosed. It is going to impact all of us. Sources:

  1. Equifax data leak could involve 143 million consumers
  2. PSA: no matter what, Equifax may tell you you’ve been impacted by the hack
  3. Did Lack of Visibility into Apache Struts Lead to the Equifax Breach?

From the second article on the Equifax breach linked above, this portion really galls me:

… not only are none of the last names tied to your Social Security number, but there’s no way to tell if you were really impacted.

It’s clear Equifax’s goal isn’t to protect the consumer or bring them vital information. It’s to get you to sign up for its revenue-generating product TrustID.

Earlier it was revealed executives had sold stock in the company before going public with the leak. We also found TrustID’s Terms of Service to be disturbing. The wording is such that anyone signing up for the product is barred from suing the company after.

The following phrase alone, if true, combined with Equifax literally trying to monetize their security errors, is what gives capitalism a bad name:

The wording is such that anyone signing up for the product is barred from suing the company after.

I have to believe the Equifax PR team is working for PharmaBro or Putin trying to make them look good in comparison.

Note: Equifax has changed the indemnification, but only under duress imho. Furthermore 30 days free credit monitoring by the company that released your data and then you will have to pay monthly still seems wrong. But to be fair, here is their update:

Questions continue to be raised about the arbitration clause and class action waiver language that was originally in the terms of use for the free credit file monitoring and identity theft protection products that we are offering called TrustedID Premier.
(Editor: well ya, duh!?)

We have removed that language from the TrustedID Premier Terms of Use and it will not apply to the free products offered in response to the cybersecurity incident or for claims related to the cybersecurity incident itself. The arbitration language will not apply to any consumer who signed up before the language was removed.
(Editor: but did you fire the person who did it in the first place?)

I get it. Nothing is secure. If the NSAs hacking tools get stolen and OPM loses all of the data on security clearance checks on our own people, then truly nothing is safe. I get it.

What I do not understand is a company as large as Equifax not being prepared for something like this. That Equifax did not announce it promptly. That Equifax executives sold stock before announcing it. That Equifax then attempted to indemnify themselves. That Equifax is using the crisis to sell a monitoring service that you have to pay for after 30 days. A service to monitor YOUR data that THEY lost control of!

This boggles the mind of a PR Professional.

The Internet was not built for e-commerce – it was built for knowledge sharing in a “walled garden”. Therefore keeping sites secure is not possible. Any security professional will tell you best practice is to white-list good guys (selective inclusion) as opposed to trying to find every attack and block it. Therefore the difficulty at a high level is primarily in identifying and blocking bad actors.

I hate to say it folks, but we are playing whack-a-mole with your identity and money.  It will always be an uphill battle to maintain security on the Internet and you will never ever be 100% safe.

As reported by Black Duck (awesome people btw), the specifics of the attack on Equifax are currently easily exploitable on similar sites. This is like Hurricane Harvey – it’s not even close to over.

Security Diligence Required to Prevent ePub or Mobi Javascript Hacks

Why Tendenci doesn’t support epub uploadS through the standard ui.

We love knowledge and knowledge sharing. And all of us read a lot – more and more on mobile readers. And yet the Tendenci software doesn’t support uploading epub files. First understand you have TONS of options to achieve your business goal and keep your site secure.

Free ebooks? We recommend you upload the epub to a resource like an Amazon S3 bucket or Dropbox and link to it from your site. That immediately solves the problem – you have a link to the resource on your site, just not “in” your site for safety and security.

Selling ebooks? Look at Amazon or Shopify or google it for tons of options. Even if the books are free, “selling them” on shopify will give you analytics and insight into consumers who are interested in your topic because they are being delivered to people next to other books!

As for the upload restrictions in Tendenci, here is why we are cautious:

While knowledge is great, security is more important. YES – TECHNICALLY YOU CAN PUT EPUB FILES ON YOUR TENDENCI SITE. But to do so your network administrator will need to do it for you for security reasons. The reason is that epub and mobi files can contain viruses or malware just like many other file formats (*cough* “Adobe flash” *cough*).

A book can have a code example. Depending on how your browser or e-reader “reads” that code example it may or may not execute the code. And that may or may not be malware. Typically the code itself would not be infected and would pass a virus scanner. Rather it would call another site and download a virus from that alternate location.

For more on the wonderful functionality that makes epubs more accessible, but also a security threat if not carefully vetted, visit http://epubzone.org/news/epub-3-and-interactivity

Two screen shots from the epubzone.org site are pasted below.

epub javascript

And examples:

pop ups from js in epubs

To be sure I love learning sites that have code that I can use to learn with in my web browser. MOOCs are awesome. But Tendenci is not a MOOC. So our current system is not set up to allow uploads of epubs or mobi given the millions of people who log into hundreds of open source tendenci sites hosted or in the wild. We are just cautious.

And again – there are alternatives.

  1. Upload it to a different location and link to it <– RECOMMENDED!
  2. Sell it with a company like Amazon who takes care of all of it for you <– RECOMMENDED!
  3. Have your Network Administrator upload it if you must. But if this is the case, why not just make it a PDF? <– NOT RECOMMENDED

PS – One part of being a hacker is you are frequently accused of being an “Eeyore.” This is tiring. And incorrect. Caution online is really – well – the teamwork of Q and Bond. Aware of current reality. Curious. The ability to think perhaps a bit deviously. To know what is possible – both good and bad – to protect you.

Our first transparency report

probably not a canary

We just posted the Tendenci government transparency report for January 1 to June 30, 2016 to our site. Nothing to report, but a new process put in place keeping with the values of the Tendenci community.

Why? Because all companies that store information, like electric companies, phone companies, email providers, search engines, etc, must respond to requests from the government. That includes us. The solution is transparency reporting because we think you have a right to know.

Tendenci Transparency ReportingWhy now? The (previous) absence of transparency reporting including a canary clause was brought up at a recent convention. We listened to you. We agree with you. So we fixed it. It’s pretty boring and let’s hope it stays that way.

Thank you to the client who asked about it! Tendenci is a community and we appreciate dialog that helps the community. Y’all rock!

You can find Tendenci’s transparency reports at https://www.tendenci.com/transparencyreporting/

What’s next? We would love to hear from you about your best practices for data retention. If you are willing to share, please post those in the Tendenci forums.

malicious stuff – it’s real

sguil_rocksOn our little company blog on our tiny corner of the Internet (relatively speaking I guess) this is the current reality. Mind you this is just our blog and not attacks on our site or on client sites.

Tendenci blog stats – blog.tendenci.com
132,055 Blocked malicious login attempts
282,058 Spam comments blocked by Akismet

#joy

Note that Tendenci is not a blog platform – it’s on Python and Django and open source https://github.com/tendenci – but our blog is on wordpress as my personal blog is. WordPress is doing an amazing job fighting hard against the constant php attacks.

The numbers above speak for themselves. I still think WordPress is the best blogging platform out there. But just WOW. I just don’t know that people understand what they are up against.

Yes I’ll share some of the data on attacks on our cloud infrastructure which aren’t that far off as a percentage. This is just me pointing out that the Internet isn’t a nice place. If you have a WordPress blog I HIGHLY recommend you install JetPack from WordPress (free) as well as Securi. It’s worth it.

Docker Server outage Sunday May 8th 11:10pm – May 10th 2:15pm

An automatic security update installed on one (1) of the Tendenci Docker servers in our AWS US-East data center on Sunday May 8th at approximately 11:10pm CST.

The update included changes to the file system to increase security. The automatic conversion took significantly longer than prior updates resulting in some sites being offline during this time period.

Reference the release notes on Dockers 1.11.1 here for more technical detail: https://github.com/docker/docker/releases/tag/v1.11.1

Security can not and will not be compromised. Our focus instead is on redundancy (multiple copies of sites/automatic fail over).

Our response will be explained further when our after-action incident review is complete.

rolling outages today and tomorrow April 16 for additional security precautions

Dear clients – we will be doing some unscheduled maintenance to build out a more redundant infrastructure. Specifically this means the network team is making copies of entire servers to so they can be brought back up in the case of a security issue quickly and easily.

The decision to create the extra server images in addition to the normal site backups was made based on security information we received from official and unofficial sources. We recognize any outage is an inconvenience and will work to keep security as our top priority.

The ETA for outages is approximately 30 minutes per server. Most likely less as our cloud is fairly distributed.

I am typing this at 5:40 PM on Saturday April 16 CST 2016. I will keep updating this same blog post as we get better data on timelines.

Continued Configuration Changes on Windows Legacy Servers

Update: We will be doing a planned reboot of the Windows servers late this afternoon Wednesday January 21, 2014 to begin the process of restoring two of the remaining clients that are still offline.

Scope: This update applies to Tendenci 4 clients on Windows only. It specifically does NOT apply to Tendenci 5 or Tendenci 6 clients on Linux.

To give you an idea of the scope and velocity of hack attacks that continue, these are attempted crimes mind you, I’ve attached a 15 second video taken several days ago of actual attacks on one of our servers INSIDE the allowed ports.

15 seconds of network attacks

A further update on the 404 errors that the legacy Tendenci 4 clients have been experiencing intermittently. We have been measuring everything possible and tweaking the configuration settings as we see patterns in the logs. Each day generates over 1GB in security alerts across the data centers. All of these are either known attacks, or zero day attempts.

This is what we are fighting and it is relentless. The fact remains that we have protected the legacy sites by moving them from Windows 2003R2 IIS 6 to Windows 2012R2 IIS 8. But to make ASP classic run in IIS 8 we are running the servers in “compatibility mode” which is not an ideal configuration for any technology. And “secure” does not mean “functional” if your sites locked down to the point of not meeting functional requirements.

We have taken a step back and concluded that a technology platform started in 2001 is not up for the cyberwars of 2015. We will have a further update posted later today on possible paths forward for Tendenci 4 clients.

~ Ed