Equifax Breach via Apache Struts Framework

(This is a cross post from our CEO’s personal blog. Note that Tendenci sites do NOT use Apache, and the vulnerabilities in Equifax’s implementation of Apache Struts do NOT impact your Tendenci site. Still, be aware that nothing is 100% secure, so stay vigilant and be prepared, friends!)

As reported last Friday, Equifax, the personal credit reporting agency, had a 2017 data breach exposing 143 million people’s identities. It started in May 2017 and is only now (August 2017) being disclosed. It is going to impact all of us. Sources:

  1. Equifax data leak could involve 143 million consumers
  2. PSA: no matter what, Equifax may tell you you’ve been impacted by the hack
  3. Did Lack of Visibility into Apache Struts Lead to the Equifax Breach?

From the second article on the Equifax breach linked above, this portion really galls me:

… not only are none of the last names tied to your Social Security number, but there’s no way to tell if you were really impacted.

It’s clear Equifax’s goal isn’t to protect the consumer or bring them vital information. It’s to get you to sign up for its revenue-generating product TrustID.

Earlier it was revealed executives had sold stock in the company before going public with the leak. We also found TrustID’s Terms of Service to be disturbing. The wording is such that anyone signing up for the product is barred from suing the company after.

The following phrase alone, if true, combined with Equifax literally trying to monetize their security errors, is what gives capitalism a bad name:

The wording is such that anyone signing up for the product is barred from suing the company after.

I have to believe the Equifax PR team is working for PharmaBro or Putin trying to make them look good in comparison.

Note: Equifax has changed the indemnification, but only under duress imho. Furthermore, 30 days of free credit monitoring from the company that released your data, after which you have to pay monthly, still seems wrong. But to be fair, here is their update:

Questions continue to be raised about the arbitration clause and class action waiver language that was originally in the terms of use for the free credit file monitoring and identity theft protection products that we are offering called TrustedID Premier.
(Editor: well ya, duh!?)

We have removed that language from the TrustedID Premier Terms of Use and it will not apply to the free products offered in response to the cybersecurity incident or for claims related to the cybersecurity incident itself. The arbitration language will not apply to any consumer who signed up before the language was removed.
(Editor: but did you fire the person who did it in the first place?)

I get it. Nothing is secure. If the NSA’s hacking tools get stolen and OPM loses all of the data on security clearance checks on our own people, then truly nothing is safe. I get it.

What I do not understand is a company as large as Equifax not being prepared for something like this. That Equifax did not announce it promptly. That Equifax executives sold stock before announcing it. That Equifax then attempted to indemnify themselves. That Equifax is using the crisis to sell a monitoring service that you have to pay for after 30 days. A service to monitor YOUR data that THEY lost control of!

This boggles the mind of a PR Professional.

The Internet was not built for e-commerce; it was built for knowledge sharing in a “walled garden”. Therefore keeping sites secure is not possible. Any security professional will tell you best practice is to allow-list the good guys (selective inclusion) rather than trying to find every attack and block it. Therefore the difficulty, at a high level, is primarily in identifying and blocking bad actors.

I hate to say it, folks, but we are playing whack-a-mole with your identity and money. It will always be an uphill battle to maintain security on the Internet, and you will never ever be 100% safe.

As reported by Black Duck (awesome people btw), the specifics of the attack on Equifax are currently easily exploitable on similar sites. This is like Hurricane Harvey – it’s not even close to over.

Security Diligence Required to Prevent ePub or Mobi Javascript Hacks

Why Tendenci doesn’t support epub uploads through the standard UI.

We love knowledge and knowledge sharing. And all of us read a lot, more and more on mobile readers. And yet the Tendenci software doesn’t support uploading epub files. First, understand that you have TONS of options to achieve your business goal and keep your site secure.

Free ebooks? We recommend you upload the epub to a resource like an Amazon S3 bucket or Dropbox and link to it from your site. That immediately solves the problem – you have a link to the resource on your site, just not “in” your site for safety and security.

Selling ebooks? Look at Amazon or Shopify, or google it for tons of options. Even if the books are free, “selling them” on Shopify will give you analytics and insight into consumers who are interested in your topic, because your books are being delivered to people next to other books!

As for the upload restrictions in Tendenci, here is why we are cautious:

While knowledge is great, security is more important. YES – TECHNICALLY YOU CAN PUT EPUB FILES ON YOUR TENDENCI SITE. But for security reasons your network administrator will need to do it for you. The reason is that epub and mobi files can contain viruses or malware just like many other file formats (*cough* “Adobe Flash” *cough*).

A book can contain a code example. Depending on how your browser or e-reader “reads” that code example, it may or may not execute the code, and that code may or may not be malware. Typically the embedded code itself would not be flagged by a virus scanner. Rather, it would call out to another site and download the malware from that alternate location.
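As an added example (not Tendenci code), here is a pre-upload triage check an administrator could run to spot the scripting signals an EPUB can carry: an EPUB is a ZIP archive, and EPUB 3 marks content documents that run JavaScript with properties="scripted" in the OPF manifest, alongside the <script> element or inline event handler in the XHTML itself. The two sample EPUBs are constructed inside the script, and the regex checks are deliberately simple; this is a gatekeeping aid, not a malware scanner.

```python
import io
import re
import zipfile

# Signals that an EPUB carries executable content: an EPUB 3 manifest item
# flagged "scripted", a <script> element, an inline on* event handler,
# or a standalone .js file inside the archive.
SCRIPTED_PROP = re.compile(r'properties="[^"]*\bscripted\b', re.I)
SCRIPT_TAG = re.compile(r"<script\b", re.I)
EVENT_HANDLER = re.compile(r"\son[a-z]+\s*=", re.I)
MARKUP = (".opf", ".xhtml", ".html", ".htm", ".svg")

def scripting_findings(epub_bytes: bytes) -> list[str]:
    """Return one finding per scripting signal; an empty list means none seen."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(epub_bytes)) as zf:
        for name in zf.namelist():
            low = name.lower()
            if low.endswith(".js"):
                findings.append(f"{name}: standalone JavaScript file")
            elif low.endswith(MARKUP):
                text = zf.read(name).decode("utf-8", errors="replace")
                if low.endswith(".opf") and SCRIPTED_PROP.search(text):
                    findings.append(f"{name}: manifest declares scripted content")
                if SCRIPT_TAG.search(text):
                    findings.append(f"{name}: <script> element")
                if EVENT_HANDLER.search(text):
                    findings.append(f"{name}: inline event handler")
    return findings

def build_epub(chapter_xhtml: str, scripted: bool) -> bytes:
    """Build a minimal EPUB-shaped ZIP as constructed sample input (not a real book)."""
    props = ' properties="scripted"' if scripted else ""
    opf = ('<package xmlns="http://www.idpf.org/2007/opf" version="3.0"><manifest>'
           f'<item id="c1" href="ch1.xhtml" media-type="application/xhtml+xml"{props}/>'
           '</manifest></package>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mimetype", "application/epub+zip", compress_type=zipfile.ZIP_STORED)
        zf.writestr("OEBPS/content.opf", opf)
        zf.writestr("OEBPS/ch1.xhtml", chapter_xhtml)
    return buf.getvalue()

# Constructed samples: a chapter that merely *shows* code, and one that would run it
# and fetch more from a remote host (example.invalid is a reserved, non-routable name).
CLEAN = build_epub("<html><body><pre>print('hello')</pre></body></html>", False)
SCRIPTED = build_epub('<html><body onload="go()"><script src="http://example.invalid/x.js">'
                      "</script></body></html>", True)
if __name__ == "__main__":
    print("clean:", scripting_findings(CLEAN))
    print("scripted:", scripting_findings(SCRIPTED))
```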

For more on the wonderful functionality that makes epubs more accessible, but also a security threat if not carefully vetted, visit http://epubzone.org/news/epub-3-and-interactivity

Two screen shots from the epubzone.org site are pasted below.

[Screenshot: epub JavaScript support]

And examples:

[Screenshot: pop-ups from JavaScript in epubs]

To be sure, I love learning sites that have code I can use to learn with in my web browser. MOOCs are awesome. But Tendenci is not a MOOC. So our current system is not set up to allow uploads of epubs or mobi files, given the millions of people who log into hundreds of open source Tendenci sites, hosted or in the wild. We are just cautious.

And again – there are alternatives.

  1. Upload it to a different location and link to it <– RECOMMENDED!
  2. Sell it with a company like Amazon who takes care of all of it for you <– RECOMMENDED!
  3. Have your Network Administrator upload it if you must. But if this is the case, why not just make it a PDF? <– NOT RECOMMENDED

PS – One part of being a hacker is you are frequently accused of being an “Eeyore.” This is tiring. And incorrect. Caution online is really – well – the teamwork of Q and Bond. Aware of current reality. Curious. The ability to think perhaps a bit deviously. To know what is possible – both good and bad – to protect you.

Rolling outages today and tomorrow, April 16, for additional security precautions

Dear clients – we will be doing some unscheduled maintenance to build out a more redundant infrastructure. Specifically, this means the network team is making copies of entire servers so that they can be brought back up quickly and easily in the case of a security issue.

The decision to create the extra server images in addition to the normal site backups was made based on security information we received from official and unofficial sources. We recognize any outage is an inconvenience and will work to keep security as our top priority.

The ETA for outages is approximately 30 minutes per server. Most likely less as our cloud is fairly distributed.

I am typing this at 5:40 PM on Saturday April 16 CST 2016. I will keep updating this same blog post as we get better data on timelines.

Let’s Encrypt Passes 1 Million SSL Certs (thanks Shelly Palmer!)

Encryption is a good thing. If you don’t already, you should encrypt your website with SSL.

Excuses? Nope. As usual, we always learn something from Shelly Palmer’s Strategic Advisor newsletter. And today it was some wonderful news! The EFF’s efforts with Let’s Encrypt are producing some great results.

Let’s Encrypt just passed 1M SSL certificates issued for FREE.

That means anyone can get a secure site, the kind with the lock icon next to the URL like your bank’s, without paying for the certificate itself. Pretty cool accomplishment!


And a definite tip of the hat to Shelly for pointing it out!


HOWTO: Keep your cell phone safe and secure

[Photo: cell phone user, thanks to GwenFlickr]

Time to put the smart in smart phone!

With news updates of phone hacking scandals splashing headlines the world over, we’re hearing lots of cell phone security buzz – and for good reason too!

While a major news outlet may not be interested in your cell phone activities (or we sure hope not!), this is still a great time to make sure you are practicing some solid cell phone security practices.

Keep that cell phone close by!

You are far more likely to misplace / lose a cell phone than to get hacked, so be sure your little handheld buddy doesn’t stray too far.

  • Beware of keeping your phone on your table at busy restaurants, leaving your phone in the car (even just for a ‘second’), etc.
  • Find a ‘funky’ cover or skin to make it super easy to identify your iPhone – avoid an accidental mix up easily (I’m a big fan of the Infectious skins) when at a networking event or dinner with 7,000 other iPhone / Blackberry / Android users
  • Password protect your phone to keep your logins, contacts, email and notes safe from undesirables – also great for making sure any kiddos in your life don’t make random calls to Japan
    • For safety purposes, use an emergency app like smart-ICE to not only store your ICE info (‘In Case of Emergency’) for paramedics to be aware of medical conditions, insurance details and contact info, but add ICE info to your locked screen (in addition to your quirky-cool smart phone wall paper).
  • Install a phone location / security app on your phone, a few examples:

Beware of public Wifi + ‘Evil Twins’

Yay for public Internet access!  But boo for public Wi-Fi security.  Extra emphasis on that ‘boo’ when using a credit card or login, as not all Wi-Fi connections are as secure and innocent as they seem.  Learn more about the ‘Evil Twin’ phishing scam here.

As cumbersome and slow as it might be, opt for your 3G / 4G network connection over a public Wi-Fi connection to stay secure.  Or pick up your own piece of the Internet and invest in a MiFi card.

What’s up with hardware and software security?

Not all apps and phones are created equal. For iPhone users, Apple has a more stringent vetting process for apps that helps weed out *most* malicious programs. Android’s app community is far more open and has had some security exploits in early 2011.

Use common sense when purchasing apps and accessing certain sites (like your bank account, for instance) on your smart phone. Beware of ‘look alike’ apps that might be masquerading as a Chase banking utility, think twice about depositing checks using a phone app, and learn the safe ways to bank on your phone here.

Photo thanks to Flickr user GwenFlickr

Learn About Bullying at the Children’s Museum

If you’re a parent getting ready to send your kids back to school, the Children’s Museum is hosting a free 3-day boot camp dedicated to educating kids and adults about bullying. Anti-bullying training sessions will be held during the day, and local law enforcement and internet experts will teach parents valuable computer safety skills. While the event is free, it’s important to register at the museum in order to ensure placement; spots are going fast! You can register for the August 12-14 sessions by picking up passes at the Children’s Museum from noon until 4 p.m. on Saturday, Aug. 7 or Sunday, Aug. 8. You can find more information at KPRC Local 2.

We’re Giving Our Servers Some Love – Minor Outages Tonight (June 6th) May Occur

Our team is doing some server maintenance today in order to keep our servers running at their best. We love (and take very seriously) our job of keeping your web sites secure, fast and happy, and this will keep us doing just that.

You may experience some minor website disruptions around 6:00 PM CST, but these will only be temporary. We appreciate your business and look forward to many smooth and safe years of Web marketing your organization!

If you have any questions please call our support line at (281) 497-6567 EXT. 411 or email us at support@tendenci.com.

Thank you!

USB Flash – Don’t leave home without it, and leave one at a friend’s

[Photo: pink Tokidoki flash drive] Flash drives – cheap and easy backup can save on vacation stress

They fit in your pocket, on your key chain, and just look cool. With all the phones and portable devices we carry these days, we forget about these flash drives at the bottom of our desk drawers. The USB drive still has a couple of great features for traveling. Even if you are settled in for a nice staycation, add this little packing and preparedness tip to your travel plans or to-do list. Snag a USB drive on sale in a multi-pack, as the prices continue to fall on these little jewels. Or pick up one of Happy Katie’s favorite designer flash drives by MimoBot. Now, get ready for some scanning.

Files, documents and every important document you would ever need, all in your pocket. Scan personal documents and records in case you lose your wallet or passport and you will have a digital image of all your registrations. But, but… WAIT! What if the wrong person finds it when it drops out of the pocket of your shorts? No worries, you should encrypt the contents with TrueCrypt or your favorite security feature.

These little tech toys have some crazy cool options besides just a backup. Don’t want to carry a laptop or computer with you? Can’t spring for the iPad yet? You can save all your bookmarks, favorite email settings, and doc settings on a flash drive and launch your profile from any public computer without fear of leaving your crumbs all over the desktop. Portable Apps is an open source software platform you install on your flash drive or other backup device; adjust your settings, then plug it into a computer and run your programs from your own drive. You have access to all your software and personal data just like on your own PC. [Screenshot: Portable Apps platform]

What to save on your USB Drive

Losing important documents can ruin what should be a happy vacation. A little safety and planning can eliminate much of the stress. Before you pack up and leave, take the time to scan copies of important documents and save the files on to a secure area of the flash drive. Here are some examples of important documents:

  • Vacation Plans: Itinerary, Maps and receipts of deposits for reservations.
  • Personal documents: Drivers license, passport, birth certificate, Insurance cards (health and auto), Credit Cards and CC phone numbers for lost cards.
  • Home Documents: Home insurance, auto titles, registrations, photos of big purchase items for insurance documentation, and documents that would be hard to replace if you came back home and they weren’t there. Yikes! My next plan is to scan old family photos for safekeeping before they deteriorate or get wet in the next hurricane.
  • Medical Records: List of medications for each family member, immunizations, List of family doctor and dentist contacts.
  • School and Work Records: Nice to have everything in one place while you are at it. Include copies of your transcripts, diplomas, Resume, licenses, permits, Wills, and any other items you may want to keep all organized.

Now, your life is basically in one place if you ever have to recreate your history or need to hide it Bourne style. This is a cheap and easy way to travel light, backup photos off the camera while on vacation for processing later, and use software programs securely when on public machines. In fact, buy a couple of the drives, make copies of the drive and give one to a friend to put in their safe deposit box or mail one to a family member in another part of the country in case of emergency.

Enjoy your trip, be safe, and tell us how you use your Flash Drive for your vacation!