Security in the Tendenci SaaS Cloud at AWS

Kibana OSSEC Tendenci

Cyber Security is based on Prevention, Monitoring, and Incident Response

Associations are part of the fabric of society. We take it seriously. And we also understand there are no “perfect” or “completely secure” systems. Not even air-gapped.

To guard our SaaS AMS clients’s sites we use redundant systems. These include SSL encryption, application isolation, containers, layers of AWS (Amazon Web Services) VPC, Security Groups, ACLs, Route53 DNS, custom AMIs, virus scanners, malware scanners, pentesting, auditing and more. All of these activities generate redundant logs which need to be monitored. To do that we run what is called the “ELK Stack” or now the “Elastic Stack“.

Network Monitoring with OSSEC Logstash ElasticSearch and Kibana

Cyber Security starts with Project Management

A Cyber PM, upon initial completion, never ends. It requires constant vigilance. The process of Cyber Security can be further explained as:

  1. Architecture – Start with Security In Mind
  2. Passive Cyber Defense – Systems that are in place
  3. Active Cyber Defense
  4. Cyber Intelligence Gathering
  5. Response

** Note: There is a longer explanation on our site at https://www.tendenci.com/security/

There are many resources available for cyber security training. We encourage you to look them up and take an active role in keeping your web site, company, family and country secure from cyber attacks!

For the expanded full version of the basics of cyber security in the Tendenci SaaS cloud, view at https://www.tendenci.com/security

Keystroke Loggers are OS Agnostic

Keystroke loggers record every virtual keystroke you make. Have you run your security updates. (And Mac people? Windows people? I’m looking at you.)

From Microsoft:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
********************************************************************
Microsoft Security Update Summary for April 10, 2018
Issued: April 10, 2018
********************************************************************
This summary lists security updates released for April 10, 2018.
Complete information for the April 2018 security update release can
Be found at
<https://portal.msrc.microsoft.com/en-us/security-guidance>.
Critical Security Updates
============================
ChakraCore
Microsoft Edge
Internet Explorer 9
Internet Explorer 11
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
Windows Server 2008 for Itanium-Based Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
Windows 7 for 32-bit Systems Service Pack 1
Windows 7 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
Windows Server 2012
Windows Server 2012 (Server Core installation)
Windows 8.1 for 32-bit systems
Windows 8.1 for x64-based systems
Windows RT 8.1
Windows Server 2012 R2
Windows Server 2012 R2 (Server Core installation)
Windows 10 for 32-bit Systems
Windows 10 for x64-based Systems
Windows 10 Version 1511 for 32-bit Systems
Windows 10 Version 1511 for x64-based Systems
Windows 10 Version 1607 for 32-bit Systems
Windows 10 Version 1607 for x64-based Systems
Windows 10 Version 1703 for 32-bit Systems
Windows 10 Version 1703 for x64-based Systems
Windows 10 version 1709 for 32-bit Systems
Windows 10 version 1709 for x64-based Systems
Windows Server 2016
Windows Server 2016 (Server Core installation)
Windows Server, version 1709 (Server Core Installation)
Important Security Updates
============================
Excel Services
Microsoft Excel Viewer 2007 Service Pack 3
Microsoft Excel 2007 Service Pack 3
Microsoft Excel 2010 Service Pack 2 (32-bit editions)
Microsoft Excel 2010 Service Pack 2 (64-bit editions)
Microsoft Excel 2013 RT Service Pack 1
Microsoft Excel 2013 Service Pack 1 (32-bit editions)
Microsoft Excel 2013 Service Pack 1 (64-bit editions)
Microsoft Excel 2016 (32-bit edition)
Microsoft Excel 2016 (64-bit edition)
Microsoft Excel 2016 Click-to-Run (C2R) for 32-bit editions
Microsoft Excel 2016 Click-to-Run (C2R) for 64-bit editions
Microsoft Office 2010 Service Pack 2 (32-bit editions)
Microsoft Office 2010 Service Pack 2 (64-bit editions)
Microsoft Office 2013 RT Service Pack 1
Microsoft Office 2013 Service Pack 1 (32-bit editions)
Microsoft Office 2013 Service Pack 1 (64-bit editions)
Microsoft Office 2016 (32-bit edition)
Microsoft Office 2016 (64-bit edition)
Microsoft Office 2016 Click-to-Run (C2R) for 32-bit editions
Microsoft Office 2016 Click-to-Run (C2R) for 64-bit editions
Microsoft Office Compatibility Pack Service Pack 3
Microsoft Office Web Apps 2010 Service Pack 2
Microsoft Office Web Apps Server 2013 Service Pack 1
Microsoft SharePoint Enterprise Server 2013 Service Pack 1
Microsoft SharePoint Enterprise Server 2016
Microsoft SharePoint Server 2010 Service Pack 2
Microsoft SharePoint Server 2013 Service Pack 1
Microsoft Wireless Keyboard 850
Microsoft Word 2007 Service Pack 3
Microsoft Word 2010 Service Pack 2 (32-bit editions)
Microsoft Word 2010 Service Pack 2 (64-bit editions)
Microsoft Word 2013 RT Service Pack 1
Microsoft Word 2013 Service Pack 1 (32-bit editions)
Microsoft Word 2013 Service Pack 1 (64-bit editions)
Microsoft Word 2016 (32-bit edition)
Microsoft Word 2016 (64-bit edition)
Word Automation Services
Moderate Security Updates
============================
Internet Explorer 10
Other Information
=================
Recognize and avoid fraudulent email to Microsoft customers:
=============================================================
If you receive an email message that claims to be distributing
a Microsoft security update, it is a hoax that may contain
malware or pointers to malicious websites. Microsoft does
not distribute security updates via email.
The Microsoft Security Response Center (MSRC) uses PGP to digitally
sign all security notifications. However, PGP is not required for
reading security notifications, reading security information, or
installing security updates. You can obtain the MSRC public PGP key
at
<https://technet.microsoft.com/security/dn753714>.
********************************************************************
THE INFORMATION PROVIDED IN THIS MICROSOFT COMMUNICATION IS
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT
DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING
THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE.
IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE
LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL
DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN
ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY
FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING
LIMITATION MAY NOT APPLY.
********************************************************************
Microsoft respects your privacy. Please read our online Privacy
Statement at
<http://go.microsoft.com/fwlink/?LinkId=81184>.
If you would prefer not to receive future technical security
notification alerts by email from Microsoft and its family of
companies please visit the following website to unsubscribe:
<https://profile.microsoft.com/RegSysProfileCenter/subscriptionwi zard.aspx?wizid=5a2a311b-5189-4c9b-9f1a-d5e913a26c2e&%3blcid=1033>.
These settings will not affect any newsletters you've requested or
any mandatory service communications that are considered part of
certain Microsoft services.
For legal Information, see:
<http://www.microsoft.com/info/legalinfo/default.mspx>.
This newsletter was sent by:
Microsoft Corporation
1 Microsoft Way
Redmond, Washington, USA
98052
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEELe29pj1Ogz+2MnKbEEiO2re18ugFAlrL6acACgkQEEiO2re1 
8ugDURAArw0n30Pv02dQJfwqf1VYnPG6BYdURT3TYf5QMMQweIG9y8aKnhCHJn55
JHmlNKsGcOOaEIid6On+ihUw0uHjx/Ct6XKtl/QDnZTt5AKt8Whj/8+LjPSQgPmF
+utXhqZBW/IeNgvtVaPLM55XXgao6IFt/UH0WKydV1AWdZ3/PuMR4hOIAwVHUBj9
z1MigLNkfWGUXZi02T7W4E/3Ea3nEdQnECvHsk/j2nF+k85FMPf1T3TOUE/sdNQI
F0m1za2FAU9E+GNLIyQ3hVdx/Zw2sI8WeqtL+48IZ1UNZ1XcwYUmZ/aN3x9hvqSj
MLbQXFTSmsXdV97eQYQmVEnkqC/KtYMnupXWULfTn6LnqqT17R10Zk94xVRFtMWo
ed1abogGO2x+UMulcrwrEjReQ3vhT1rJSvk7o/YbhbWo/D2o67oOzGx+Cz2ROXWt
CbLOie9q+UOXDjPBuTzPeG24f4AVKiIPr2VwTWY4IGjysENpSr+L1JPhL4KdO/yy
mLalrJmChPWuRR9y3sn3/hS9Blk7qMZEVWGGhizPbF68tXhnrTdz4lLj5d/gnWus
HXgm92RftfEjMEDp9SlWZZAMbKNzihMB8sgXJl52N8emhD4wsRqmh4E13TBHrBxk
h54mC77b1aWJqcIqo5b0RAyNW0BTmaikL3enEEriFtZQiZZzq5k=
=Dn1R
-----END PGP SIGNATURE-----

What a DDoS attack to an Association Looks Like

The following graphs show what a Distributed Denial of Service (DDoS) attack on an association looks like. The names, rates and volume of the association have been blurred for security reasons. We are thankful to AWS for their own defenses in front of ours, which  help us mitigate these issues.

responding to ddos attacks as best we can
active response to mitigate attacks

Note: The  graphic above, is filtered for a 24 hour span for one client. The infrastructure is in place, and highly redundant, so we can monitor and keep our clients safe. For clients in the US or hosted in other countries (we have multiple Tendenci clouds as needed.)

Note 2: Make no mistake – If a bad-actor has the budget – they can and will purchase enough bots to take a site down. This is well documented. Even our resources at AWS are limited in what they can handle. Budget (yes BUDGET) accordingly. 

SSL Encrypting all Tendenci Hosted Sites

NOTE: This is a cross post. The original post is at: https://www.tendenci.com/news/ssl-encrypting-all-tendenci-hosted-sites/

Encrypt All The Things

To our clients. The above graph is a filtered subset of what is a *typical* day of network alerts. As the media has stated, the issue is quite real.

We greatly appreciate you and it is important to us that you remain safe. To further advance that objective in the current geopolitical environment, all hosted Tendenci sites will be encrypted going forward per our CEO.

Why? Because security. The Internet has changed and we must adapt.

Adapt? Remember when that Steve Jobs guy invented the iPhone and suddenly sites that were awesome the week before… well… they weren’t as awesome the next day? The. Next. Day. Technology is like that.

FAQs

Continue Reading: https://www.tendenci.com/news/ssl-encrypting-all-tendenci-hosted-sites/

 

Equifax Breach via Apache Struts Framework

(This is a cross post from our CEOs personal blog. Note that Tendenci sites do NOT use Apache and the vulnerabilities in Equifax’s implementation of Apache Struts do NOT impact your Tendenci site. Still be aware that nothing is is 100% secure so stay vigilant and be prepared friends!)

As reported last Friday, the 2017 Equifax personal credit reporting agency had a data breach of 143 Million people’s identities. It started in May 2017 and is just now (August 2017) being disclosed. It is going to impact all of us. Sources:

  1. Equifax data leak could involve 143 million consumers
  2. PSA: no matter what, Equifax may tell you you’ve been impacted by the hack
  3. Did Lack of Visibility into Apache Struts Lead to the Equifax Breach?

From the second article on the Equifax breach linked above, this portion really galls me:

… not only are none of the last names tied to your Social Security number, but there’s no way to tell if you were really impacted.

It’s clear Equifax’s goal isn’t to protect the consumer or bring them vital information. It’s to get you to sign up for its revenue-generating product TrustID.

Earlier it was revealed executives had sold stock in the company before going public with the leak. We also found TrustID’s Terms of Service to be disturbing. The wording is such that anyone signing up for the product is barred from suing the company after.

The following phrase alone, if true, combined with Equifax literally trying to monetize their security errors, is what gives capitalism a bad name:

The wording is such that anyone signing up for the product is barred from suing the company after.

I have to believe the Equifax PR team is working for PharmaBro or Putin trying to make them look good in comparison.

Note: Equifax has changed the indemnification, but only under duress imho. Furthermore 30 days free credit monitoring by the company that released your data and then you will have to pay monthly still seems wrong. But to be fair, here is their update:

Questions continue to be raised about the arbitration clause and class action waiver language that was originally in the terms of use for the free credit file monitoring and identity theft protection products that we are offering called TrustedID Premier.
(Editor: well ya, duh!?)

We have removed that language from the TrustedID Premier Terms of Use and it will not apply to the free products offered in response to the cybersecurity incident or for claims related to the cybersecurity incident itself. The arbitration language will not apply to any consumer who signed up before the language was removed.
(Editor: but did you fire the person who did it in the first place?)

I get it. Nothing is secure. If the NSAs hacking tools get stolen and OPM loses all of the data on security clearance checks on our own people, then truly nothing is safe. I get it.

What I do not understand is a company as large as Equifax not being prepared for something like this. That Equifax did not announce it promptly. That Equifax executives sold stock before announcing it. That Equifax then attempted to indemnify themselves. That Equifax is using the crisis to sell a monitoring service that you have to pay for after 30 days. A service to monitor YOUR data that THEY lost control of!

This boggles the mind of a PR Professional.

The Internet was not built for e-commerce – it was built for knowledge sharing in a “walled garden”. Therefore keeping sites secure is not possible. Any security professional will tell you best practice is to white-list good guys (selective inclusion) as opposed to trying to find every attack and block it. Therefore the difficulty at a high level is primarily in identifying and blocking bad actors.

I hate to say it folks, but we are playing whack-a-mole with your identity and money.  It will always be an uphill battle to maintain security on the Internet and you will never ever be 100% safe.

As reported by Black Duck (awesome people btw), the specifics of the attack on Equifax are currently easily exploitable on similar sites. This is like Hurricane Harvey – it’s not even close to over.

Security Diligence Required to Prevent ePub or Mobi Javascript Hacks

Why Tendenci doesn’t support epub uploadS through the standard ui.

We love knowledge and knowledge sharing. And all of us read a lot – more and more on mobile readers. And yet the Tendenci software doesn’t support uploading epub files. First understand you have TONS of options to achieve your business goal and keep your site secure.

Free ebooks? We recommend you upload the epub to a resource like an Amazon S3 bucket or Dropbox and link to it from your site. That immediately solves the problem – you have a link to the resource on your site, just not “in” your site for safety and security.

Selling ebooks? Look at Amazon or Shopify or google it for tons of options. Even if the books are free, “selling them” on shopify will give you analytics and insight into consumers who are interested in your topic because they are being delivered to people next to other books!

As for the upload restrictions in Tendenci, here is why we are cautious:

While knowledge is great, security is more important. YES – TECHNICALLY YOU CAN PUT EPUB FILES ON YOUR TENDENCI SITE. But to do so your network administrator will need to do it for you for security reasons. The reason is that epub and mobi files can contain viruses or malware just like many other file formats (*cough* “Adobe flash” *cough*).

A book can have a code example. Depending on how your browser or e-reader “reads” that code example it may or may not execute the code. And that may or may not be malware. Typically the code itself would not be infected and would pass a virus scanner. Rather it would call another site and download a virus from that alternate location.

For more on the wonderful functionality that makes epubs more accessible, but also a security threat if not carefully vetted, visit http://epubzone.org/news/epub-3-and-interactivity

Two screen shots from the epubzone.org site are pasted below.

epub javascript

And examples:

pop ups from js in epubs

To be sure I love learning sites that have code that I can use to learn with in my web browser. MOOCs are awesome. But Tendenci is not a MOOC. So our current system is not set up to allow uploads of epubs or mobi given the millions of people who log into hundreds of open source tendenci sites hosted or in the wild. We are just cautious.

And again – there are alternatives.

  1. Upload it to a different location and link to it <– RECOMMENDED!
  2. Sell it with a company like Amazon who takes care of all of it for you <– RECOMMENDED!
  3. Have your Network Administrator upload it if you must. But if this is the case, why not just make it a PDF? <– NOT RECOMMENDED

PS – One part of being a hacker is you are frequently accused of being an “Eeyore.” This is tiring. And incorrect. Caution online is really – well – the teamwork of Q and Bond. Aware of current reality. Curious. The ability to think perhaps a bit deviously. To know what is possible – both good and bad – to protect you.

rolling outages today and tomorrow April 16 for additional security precautions

Dear clients – we will be doing some unscheduled maintenance to build out a more redundant infrastructure. Specifically this means the network team is making copies of entire servers to so they can be brought back up in the case of a security issue quickly and easily.

The decision to create the extra server images in addition to the normal site backups was made based on security information we received from official and unofficial sources. We recognize any outage is an inconvenience and will work to keep security as our top priority.

The ETA for outages is approximately 30 minutes per server. Most likely less as our cloud is fairly distributed.

I am typing this at 5:40 PM on Saturday April 16 CST 2016. I will keep updating this same blog post as we get better data on timelines.

Let’s Encrypt Passes 1 Million SSL Certs (thanks Shelly Palmer!)

Encryption is a good thing. You should if you don’t already, encrypt your website with SSL.

Excuses? Nope. As usual, we always learn something from Shelly Palmer’s Strategic Advisor newsletter. And today is was some wonderful news! The EFF‘s efforts with Let’s Encrypt is producing some great results.

letsencryptLet’s Encrypt just passed 1M SSL certificates issued for FREE.

That means anyone can get a secure site, the ones with the lock in the URL on the top left like your bank, without paying for the certificate itself. Pretty cool accomplishment!

letsencrypt1millioncerts

And a definite tip of the hat to Shelly for pointing it out!

 

HOWTO: Keep your cell phone safe and secure

Cell phone user thanks to Gwenflickr

Time to put the smart in smart phone!

With news updates of phone hacking scandals splashing headlines the world over, we’re hearing lots of cell phone security buzz – and for good reason too!

While a major news outlet may not be interested in your cell phone activities (or we sure hope not!), this is still a great time to make sure you are practicing some solid cell phone security practices.

Keep that cell phone close by!

You are far more likely to misplace / lose a cell phone than to get hacked, so be sure your little handheld buddy doesn’t stray too far.

  • Beware of keeping your phone on your table at busy restaurants, leaving your phone in the car (even just for a ‘second’), etc.
  • Find a ‘funky’ cover or skin to make it super easy to identify your iPhone – avoid an accidental mix up easily (I’m a big fan of the Infectious skins) when at a networking event or dinner with 7,000 other iPhone / Blackberry / Android users
  • Password protect your phone to keep your logins, contacts, email and notes safe from undesirables – also great for making sure any kiddos in your life don’t make random calls to Japan
    • For safety purposes, use an emergency app like smart-ICE to not only store your ICE info (‘In Case of Emergency’) for paramedics to be aware of medical conditions, insurance details and contact info, but add ICE info to your locked screen (in addition to your quirky-cool smart phone wall paper).
  • Install a phone location / security app on your phone, a few examples:

Beware of public Wifi + ‘Evil Twins’

Yay for public Internet access!   But boo for public Wi-Fi security.   Extra emphasis on that ‘boo’ when using a credit card or login, as not all Wi-Fi connections are as secure and innocent as they seem.   Learn more about the ‘Evil Twin’ phishing scam here.

As cumbersome and slow as it might be, opt for your 3G / 4G network connection over a public Wi-Fi connection to stay secure.   Or pick up your own piece of the Internet and invest in a MiFi card.

What’s up with hardware and software security?

Not all apps and phones are created equal.   As an iPhone user, Apple has a more stringent vetting process of apps that helps weed out *most* malicious programs.   Android’s app community is far more open and has had some security exploits in early 2011.

Use common sense when purchasing apps and accessing certain sites (like your bank account, for instance) on your smart phone.   Beware of ‘look alike’ apps that might be masquerading as a Chase banking utility and think twice about depositing checks using a phone app – and learn the safe ways to bank on your phone here..

Photo thanks to Flickr user GwenFlickr