Security Diligence Required to Prevent ePub or Mobi Javascript Hacks

Why Tendenci doesn’t support epub uploads through the standard UI.

We love knowledge and knowledge sharing. And all of us read a lot – more and more on mobile readers. And yet the Tendenci software doesn’t support uploading epub files. First, understand that you have TONS of options to achieve your business goal and keep your site secure.

Free ebooks? We recommend you upload the epub to a resource like an Amazon S3 bucket or Dropbox and link to it from your site. That immediately solves the problem – you have a link to the resource on your site, just not “in” your site for safety and security.

Selling ebooks? Look at Amazon or Shopify or google it for tons of options. Even if the books are free, “selling them” on shopify will give you analytics and insight into consumers who are interested in your topic because they are being delivered to people next to other books!

As for the upload restrictions in Tendenci, here is why we are cautious:

While knowledge is great, security is more important. YES – TECHNICALLY YOU CAN PUT EPUB FILES ON YOUR TENDENCI SITE. But for security reasons your network administrator will need to do it for you. The reason is that epub and mobi files can contain viruses or malware just like many other file formats (*cough* “Adobe Flash” *cough*).

A book can have a code example. Depending on how your browser or e-reader “reads” that code example, it may or may not execute the code. And that code may or may not be malware. Typically the code itself would not be infected and would pass a virus scanner. Rather, it would call another site and download a virus from that alternate location.
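As an added example (our own illustration, not Tendenci code), here is the kind of upload-time check an administrator could run before accepting an EPUB: it opens the zip container and reports the script-bearing parts the paragraph above describes, a manifest item typed as JavaScript or flagged `scripted`, a `.js` member, or an inline `<script>` in a content document. The sample EPUB it builds is constructed here purely for the demonstration.

```python
import io
import re
import zipfile
from xml.etree import ElementTree as ET

# Assumption: this is our own upload-time filter, not Tendenci code. EPUB 3 marks scripts by media type or a 'scripted' property.
SCRIPT_MEDIA_TYPES = {"application/javascript", "text/javascript", "application/ecmascript"}
SCRIPT_TAG = re.compile(rb"<script\b", re.IGNORECASE)
CONTAINER_NS = {"c": "urn:oasis:names:tc:opendocument:xmlns:container"}
OPF_NS = {"opf": "http://www.idpf.org/2007/opf"}

def find_epub_scripts(epub_bytes: bytes) -> list:
    """Return reasons to hold an EPUB for admin review; an empty list means nothing script-like was found."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(epub_bytes)) as zf:
        names = sorted(zf.namelist())
        # 1. Any zip member whose extension says it is a script file.
        findings += [f"script file: {n}" for n in names if n.lower().endswith((".js", ".mjs"))]
        # 2. Manifest items typed as script, or content documents the publisher flagged as 'scripted'.
        container = ET.fromstring(zf.read("META-INF/container.xml"))
        for rootfile in container.findall(".//c:rootfile", CONTAINER_NS):
            opf = ET.fromstring(zf.read(rootfile.get("full-path")))
            for item in opf.findall(".//opf:item", OPF_NS):
                if item.get("media-type") in SCRIPT_MEDIA_TYPES:
                    findings.append(f"manifest script: {item.get('href')}")
                if "scripted" in (item.get("properties") or "").split():
                    findings.append(f"scripted document: {item.get('href')}")
        # 3. Inline <script> elements in content documents, caught even when the manifest omits the flag.
        for n in names:
            if n.lower().endswith((".xhtml", ".html", ".htm")) and SCRIPT_TAG.search(zf.read(n)):
                findings.append(f"inline <script>: {n}")
    return findings

def build_sample_epub(with_script: bool) -> bytes:
    """Constructed minimal EPUB for this demonstration only; not a real book."""
    script = '<script src="loader.js"></script>' if with_script else ""
    props = ' properties="scripted"' if with_script else ""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mimetype", "application/epub+zip")
        zf.writestr("META-INF/container.xml", '<container xmlns="urn:oasis:names:tc:opendocument:xmlns:container">'
                    '<rootfiles><rootfile full-path="OEBPS/content.opf" media-type="application/oebps-package+xml"/></rootfiles></container>')
        zf.writestr("OEBPS/content.opf", '<package xmlns="http://www.idpf.org/2007/opf"><manifest>'
                    f'<item id="ch1" href="ch1.xhtml" media-type="application/xhtml+xml"{props}/></manifest></package>')
        zf.writestr("OEBPS/ch1.xhtml", f"<html><body><p>Chapter 1 code example</p>{script}</body></html>")
    return buf.getvalue()

if __name__ == "__main__":
    print(find_epub_scripts(build_sample_epub(True)))  # the scripted sample is flagged twice
    print(find_epub_scripts(build_sample_epub(False)))  # the clean sample returns []
```

A non-empty result is a reason for a human to look, not proof of malware; a book with a harmless interactive quiz trips the same check, which is exactly why the decision belongs with the administrator rather than an automatic upload.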

For more on the wonderful functionality that makes epubs more accessible, but also a security threat if not carefully vetted, visit http://epubzone.org/news/epub-3-and-interactivity

Two screenshots from the epubzone.org site were pasted here: one showing EPUB 3 JavaScript support, and one showing example pop-ups produced by JS in epubs.

To be sure, I love learning sites that have code I can use to learn with in my web browser. MOOCs are awesome. But Tendenci is not a MOOC. So our current system is not set up to allow uploads of epubs or mobi files, given the millions of people who log into hundreds of open source Tendenci sites, hosted or in the wild. We are just cautious.

And again – there are alternatives.

  1. Upload it to a different location and link to it <– RECOMMENDED!
  2. Sell it with a company like Amazon who takes care of all of it for you <– RECOMMENDED!
  3. Have your Network Administrator upload it if you must. But if this is the case, why not just make it a PDF? <– NOT RECOMMENDED

PS – One part of being a hacker is you are frequently accused of being an “Eeyore.” This is tiring. And incorrect. Caution online is really – well – the teamwork of Q and Bond. Aware of current reality. Curious. The ability to think perhaps a bit deviously. To know what is possible – both good and bad – to protect you.

Rolling outages today and tomorrow April 16 for additional security precautions

Dear clients – we will be doing some unscheduled maintenance to build out a more redundant infrastructure. Specifically, this means the network team is making copies of entire servers so that they can be brought back up quickly and easily in the case of a security issue.

The decision to create the extra server images in addition to the normal site backups was made based on security information we received from official and unofficial sources. We recognize any outage is an inconvenience and will work to keep security as our top priority.

The ETA for outages is approximately 30 minutes per server. Most likely less as our cloud is fairly distributed.

I am typing this at 5:40 PM on Saturday April 16 CST 2016. I will keep updating this same blog post as we get better data on timelines.

Let’s Encrypt Passes 1 Million SSL Certs (thanks Shelly Palmer!)

Encryption is a good thing. If you don’t already, you should encrypt your website with SSL.

Excuses? Nope. As usual, we always learn something from Shelly Palmer’s Strategic Advisor newsletter. And today it was some wonderful news! The EFF’s efforts with Let’s Encrypt are producing some great results.

Let’s Encrypt just passed 1M SSL certificates issued for FREE.

That means anyone can get a secure site, the ones with the lock in the URL on the top left like your bank, without paying for the certificate itself. Pretty cool accomplishment!


And a definite tip of the hat to Shelly for pointing it out!

 

HOWTO: Keep your cell phone safe and secure

Cell phone user thanks to Gwenflickr

Time to put the smart in smart phone!

With news updates of phone hacking scandals splashing headlines the world over, we’re hearing lots of cell phone security buzz – and for good reason too!

While a major news outlet may not be interested in your cell phone activities (or we sure hope not!), this is still a great time to make sure you are practicing some solid cell phone security practices.

Keep that cell phone close by!

You are far more likely to misplace / lose a cell phone than to get hacked, so be sure your little handheld buddy doesn’t stray too far.

  • Beware of keeping your phone on your table at busy restaurants, leaving your phone in the car (even just for a ‘second’), etc.
  • Find a ‘funky’ cover or skin to make it super easy to identify your iPhone – avoid an accidental mix up easily (I’m a big fan of the Infectious skins) when at a networking event or dinner with 7,000 other iPhone / Blackberry / Android users
  • Password protect your phone to keep your logins, contacts, email and notes safe from undesirables – also great for making sure any kiddos in your life don’t make random calls to Japan
    • For safety purposes, use an emergency app like smart-ICE to not only store your ICE info (‘In Case of Emergency’) for paramedics to be aware of medical conditions, insurance details and contact info, but add ICE info to your locked screen (in addition to your quirky-cool smart phone wall paper).
  • Install a phone location / security app on your phone, a few examples:

Beware of public Wifi + ‘Evil Twins’

Yay for public Internet access! But boo for public Wi-Fi security. Extra emphasis on that ‘boo’ when using a credit card or login, as not all Wi-Fi connections are as secure and innocent as they seem. Learn more about the ‘Evil Twin’ phishing scam here.

As cumbersome and slow as it might be, opt for your 3G / 4G network connection over a public Wi-Fi connection to stay secure. Or pick up your own piece of the Internet and invest in a MiFi card.

What’s up with hardware and software security?

Not all apps and phones are created equal. For iPhone users, Apple has a more stringent vetting process for apps that helps weed out *most* malicious programs. Android’s app community is far more open and has had some security exploits in early 2011.

Use common sense when purchasing apps and accessing certain sites (like your bank account, for instance) on your smart phone. Beware of ‘look alike’ apps that might be masquerading as a Chase banking utility, think twice about depositing checks using a phone app – and learn the safe ways to bank on your phone here.

Photo thanks to Flickr user GwenFlickr

Learn About Bullying at the Children’s Museum

If you’re a parent getting ready to send your kids back to school, the Children’s Museum is hosting a free 3-day boot camp dedicated to educating kids and adults about bullying. Anti-bullying training sessions will be held during the day, and local law enforcement and internet experts will teach parents valuable computer safety skills. While the event is free, it’s important to register at the museum in order to ensure placement; spots are going fast! You can register for the August 12-14 sessions by picking up passes at the Children’s Museum from noon until 4 p.m. on Saturday, Aug. 7 or Sunday, Aug. 8. You can find more information at KPRC Local 2.

We’re Giving Our Servers Some Love – Minor Outages Tonight (June 6th) May Occur

Our team is doing some server maintenance today in order to keep our servers running at their best. We love (and take very seriously) our job of keeping your websites secure, fast and happy, and this will keep us doing just that.

You may experience some minor website disruptions around 6:00 PM CST, but these will only be temporary. We appreciate your business and look forward to many smooth and safe years of Web marketing your organization!

If you have any questions please call our support line at (281) 497-6567 EXT. 411 or email us at support@schipul.com.

Thank you!

USB Flash – Don’t leave home without it, and leave one at a friend’s

Flash drives – cheap and easy backup can save on vacation stress

They fit in your pocket, on your key chain and just look cool. With all the phones and portable devices we carry these days, we forget about the flash drives at the bottom of our desk drawers. The USB drive still has a couple of great features for traveling. Even if you are settled in for a nice staycation, add this little packing and preparedness tip to your travel plans or to-do list. Snag a USB drive on sale in a multi-pack, as the prices continue to fall on these little jewels. Or, pick up one of Happy Katie’s favorite designer flash drives by MimoBot. Now, get ready for some scanning.

Files, documents and every important document you would ever need, all in your pocket. Scan personal documents and records in case you lose your wallet or passport and you will have a digital image of all your registrations. But, but… WAIT! What if the wrong person finds it when it drops out of the pocket of your shorts? No worries, you should encrypt the contents with TrueCrypt or your favorite security feature.

These little tech toys have some crazy cool options besides just backup. Don’t want to carry a laptop or computer with you? Can’t spring for the iPad yet? You can save all your bookmarks, favorite email settings, and doc settings on a flash drive and launch your profile from any public computer without fear of leaving your crumbs all over the desktop. Portable Apps is an open source software platform you install on your flash drive or other backup device; adjust your settings, then plug it into a computer and run your programs from your own drive. You have access to all your software and personal data just like on your own PC.

What to save on your USB Drive

Losing important documents can ruin what should be a happy vacation. A little safety and planning can eliminate much of the stress. Before you pack up and leave, take the time to scan copies of important documents and save the files on to a secure area of the flash drive. Here are some examples of important documents:

  • Vacation Plans: Itinerary, Maps and receipts of deposits for reservations.
  • Personal documents: Drivers license, passport, birth certificate, Insurance cards (health and auto), Credit Cards and CC phone numbers for lost cards.
  • Home Documents: Home Insurance, Auto Titles, Registrations, photos of big purchase items for insurance documentation, and documents that would be hard to replace if you came back home and they weren’t there. Yikes! My next plan is to scan old family photos for safekeeping before they deteriorate or get wet in the next hurricane.
  • Medical Records: List of medications for each family member, immunizations, List of family doctor and dentist contacts.
  • School and Work Records: Nice to have everything in one place while you are at it. Include copies of your transcripts, diplomas, Resume, licenses, permits, Wills, and any other items you may want to keep all organized.

Now, your life is basically in one place if you ever have to recreate your history or need to hide it Bourne style. This is a cheap and easy way to travel light, backup photos off the camera while on vacation for processing later, and use software programs securely when on public machines. In fact, buy a couple of the drives, make copies of the drive and give one to a friend to put in their safe deposit box or mail one to a family member in another part of the country in case of emergency.

Enjoy your trip, be safe, and tell us how you use your Flash Drive for your vacation!

Facebook as a phone book? #FBFAIL


A recent (and much heralded) update to the Facebook iPhone 3.0 app brought some much needed functionality to the Facebook junkie on the go – access to Facebook events, the ability to ‘like’ content, notes and zoom in on photos.  Yay!

What many did NOT anticipate, however, was the contact update that allows you to call your Facebook friends that list their phone number(s) directly from the updated app.  That’s right, if you have your phone number(s) posted in your profile accessible to your friends/contacts, they can CALL you all easy-like.

Last night, scrolling through the updated Facebook contacts on my iPhone, I saw a blue phone icon next to a very famous publisher’s contact info. Assuming it would just go to an office line and an answering machine, I gave it a call – and what do you know…. it was his cell phone. And we chatted. He was a little surprised, as was I.


Lesson learned here – Facebook privacy settings are your friend.  This morning, as you surf the Web, take a look at your ‘Contact Information’ settings and double check who sees what.  Want to share all of your contact info with close friends or family only?  Select the appropriate Friend List and you’re done.

Don’t want anyone seeing your information at all? Keep your settings to private or hey, just keep them blank… unless you’d like a late night phone call from one of the Schipulites too. Talk to you soon?
