Hey New York! Please join LACC and Seth Rao from SecReliant on May 8, 2019 for this breakfast seminar on cybersecurity. Including an overview of the most common forms of cyber threats, the presentation will introduce preventive strategies on how to protect your business and data.
Cyber Security is based on Prevention, Monitoring, and Incident Response
Associations are part of the fabric of society. We take their security seriously. And we also understand there are no “perfect” or “completely secure” systems. Not even air-gapped ones.
To guard our SaaS AMS clients’ sites we use redundant, layered systems. These include SSL/TLS encryption, application isolation, containers, layers of AWS (Amazon Web Services) VPCs, Security Groups, network ACLs, Route53 DNS, custom AMIs, virus scanners, malware scanners, pentesting, auditing and more. All of these controls generate logs, and those logs have to be monitored. To do that we run what is called the “ELK Stack”, now the “Elastic Stack”.
Cyber Security starts with Project Management
A cyber security project, unlike most projects, does not end upon initial completion. It requires constant vigilance. The process of cyber security can be further broken down as:
- Architecture – Start with Security In Mind
- Passive Cyber Defense – Systems that are in place
- Active Cyber Defense
- Cyber Intelligence Gathering
** Note: There is a longer explanation on our site at https://www.tendenci.com/security/
There are many resources available for cyber security training. We encourage you to look them up and take an active role in keeping your web site, company, family and country secure from cyber attacks!
For the expanded full version of the basics of cyber security in the Tendenci SaaS cloud, view at https://www.tendenci.com/security
Keystroke loggers record every keystroke you make. Have you run your security updates? (And Mac people? Windows people? I’m looking at you.)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

********************************************************************
Microsoft Security Update Summary for April 10, 2018
Issued: April 10, 2018
********************************************************************

This summary lists security updates released for April 10, 2018.
Complete information for the April 2018 security update release can be found at <https://portal.msrc.microsoft.com/en-us/security-guidance>.

Critical Security Updates
============================
ChakraCore
Microsoft Edge
Internet Explorer 9
Internet Explorer 11
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
Windows Server 2008 for Itanium-Based Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
Windows 7 for 32-bit Systems Service Pack 1
Windows 7 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
Windows Server 2012
Windows Server 2012 (Server Core installation)
Windows 8.1 for 32-bit systems
Windows 8.1 for x64-based systems
Windows RT 8.1
Windows Server 2012 R2
Windows Server 2012 R2 (Server Core installation)
Windows 10 for 32-bit Systems
Windows 10 for x64-based Systems
Windows 10 Version 1511 for 32-bit Systems
Windows 10 Version 1511 for x64-based Systems
Windows 10 Version 1607 for 32-bit Systems
Windows 10 Version 1607 for x64-based Systems
Windows 10 Version 1703 for 32-bit Systems
Windows 10 Version 1703 for x64-based Systems
Windows 10 version 1709 for 32-bit Systems
Windows 10 version 1709 for x64-based Systems
Windows Server 2016
Windows Server 2016 (Server Core installation)
Windows Server, version 1709 (Server Core Installation)

Important Security Updates
============================
Excel Services
Microsoft Excel Viewer 2007 Service Pack 3
Microsoft Excel 2007 Service Pack 3
Microsoft Excel 2010 Service Pack 2 (32-bit editions)
Microsoft Excel 2010 Service Pack 2 (64-bit editions)
Microsoft Excel 2013 RT Service Pack 1
Microsoft Excel 2013 Service Pack 1 (32-bit editions)
Microsoft Excel 2013 Service Pack 1 (64-bit editions)
Microsoft Excel 2016 (32-bit edition)
Microsoft Excel 2016 (64-bit edition)
Microsoft Excel 2016 Click-to-Run (C2R) for 32-bit editions
Microsoft Excel 2016 Click-to-Run (C2R) for 64-bit editions
Microsoft Office 2010 Service Pack 2 (32-bit editions)
Microsoft Office 2010 Service Pack 2 (64-bit editions)
Microsoft Office 2013 RT Service Pack 1
Microsoft Office 2013 Service Pack 1 (32-bit editions)
Microsoft Office 2013 Service Pack 1 (64-bit editions)
Microsoft Office 2016 (32-bit edition)
Microsoft Office 2016 (64-bit edition)
Microsoft Office 2016 Click-to-Run (C2R) for 32-bit editions
Microsoft Office 2016 Click-to-Run (C2R) for 64-bit editions
Microsoft Office Compatibility Pack Service Pack 3
Microsoft Office Web Apps 2010 Service Pack 2
Microsoft Office Web Apps Server 2013 Service Pack 1
Microsoft SharePoint Enterprise Server 2013 Service Pack 1
Microsoft SharePoint Enterprise Server 2016
Microsoft SharePoint Server 2010 Service Pack 2
Microsoft SharePoint Server 2013 Service Pack 1
Microsoft Wireless Keyboard 850
Microsoft Word 2007 Service Pack 3
Microsoft Word 2010 Service Pack 2 (32-bit editions)
Microsoft Word 2010 Service Pack 2 (64-bit editions)
Microsoft Word 2013 RT Service Pack 1
Microsoft Word 2013 Service Pack 1 (32-bit editions)
Microsoft Word 2013 Service Pack 1 (64-bit editions)
Microsoft Word 2016 (32-bit edition)
Microsoft Word 2016 (64-bit edition)
Word Automation Services

Moderate Security Updates
============================
Internet Explorer 10

Other Information
=================

Recognize and avoid fraudulent email to Microsoft customers:
=============================================================
If you receive an email message that claims to be distributing a Microsoft security update, it is a hoax that may contain malware or pointers to malicious websites. Microsoft does not distribute security updates via email.

The Microsoft Security Response Center (MSRC) uses PGP to digitally sign all security notifications. However, PGP is not required for reading security notifications, reading security information, or installing security updates. You can obtain the MSRC public PGP key at <https://technet.microsoft.com/security/dn753714>.

********************************************************************
THE INFORMATION PROVIDED IN THIS MICROSOFT COMMUNICATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.
********************************************************************

Microsoft respects your privacy. Please read our online Privacy Statement at <http://go.microsoft.com/fwlink/?LinkId=81184>.

If you would prefer not to receive future technical security notification alerts by email from Microsoft and its family of companies please visit the following website to unsubscribe: <https://profile.microsoft.com/RegSysProfileCenter/subscriptionwizard.aspx?wizid=5a2a311b-5189-4c9b-9f1a-d5e913a26c2e&%3blcid=1033>.

These settings will not affect any newsletters you've requested or any mandatory service communications that are considered part of certain Microsoft services.

For legal Information, see: <http://www.microsoft.com/info/legalinfo/default.mspx>.

This newsletter was sent by:
Microsoft Corporation
1 Microsoft Way
Redmond, Washington, USA
98052

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEELe29pj1Ogz+2MnKbEEiO2re18ugFAlrL6acACgkQEEiO2re1
8ugDURAArw0n30Pv02dQJfwqf1VYnPG6BYdURT3TYf5QMMQweIG9y8aKnhCHJn55
JHmlNKsGcOOaEIid6On+ihUw0uHjx/Ct6XKtl/QDnZTt5AKt8Whj/8+LjPSQgPmF
+utXhqZBW/IeNgvtVaPLM55XXgao6IFt/UH0WKydV1AWdZ3/PuMR4hOIAwVHUBj9
z1MigLNkfWGUXZi02T7W4E/3Ea3nEdQnECvHsk/j2nF+k85FMPf1T3TOUE/sdNQI
F0m1za2FAU9E+GNLIyQ3hVdx/Zw2sI8WeqtL+48IZ1UNZ1XcwYUmZ/aN3x9hvqSj
MLbQXFTSmsXdV97eQYQmVEnkqC/KtYMnupXWULfTn6LnqqT17R10Zk94xVRFtMWo
ed1abogGO2x+UMulcrwrEjReQ3vhT1rJSvk7o/YbhbWo/D2o67oOzGx+Cz2ROXWt
CbLOie9q+UOXDjPBuTzPeG24f4AVKiIPr2VwTWY4IGjysENpSr+L1JPhL4KdO/yy
mLalrJmChPWuRR9y3sn3/hS9Blk7qMZEVWGGhizPbF68tXhnrTdz4lLj5d/gnWus
HXgm92RftfEjMEDp9SlWZZAMbKNzihMB8sgXJl52N8emhD4wsRqmh4E13TBHrBxk
h54mC77b1aWJqcIqo5b0RAyNW0BTmaikL3enEEriFtZQiZZzq5k=
=Dn1R
-----END PGP SIGNATURE-----
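Microsoft's note that MSRC signs every notification with PGP is what makes the hoax warning actionable: an advisory deserves trust only if its signature verifies against the MSRC key fetched from the URL in the message,
which is `gpg --verify` once that key is imported. The block below is an added example, not part of the original post or of Microsoft's tooling. It takes the signature block from the summary above (copied verbatim), strips the ASCII armor, and decodes the OpenPGP signature packet header so you can see what a verifier checks first: the signing key's fingerprint and key ID, the hash and public-key algorithms, and the signing time. It performs no cryptography (that needs the public key, and the message text as reproduced on this page has been reflowed, so a byte-exact verification against it would fail anyway); the armor CRC only confirms the base64 was transcribed intact.

```python
import base64
from datetime import datetime, timezone

# Signature block copied verbatim from the April 10, 2018 MSRC summary quoted above.
MSRC_SIGNATURE = """-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEELe29pj1Ogz+2MnKbEEiO2re18ugFAlrL6acACgkQEEiO2re1
8ugDURAArw0n30Pv02dQJfwqf1VYnPG6BYdURT3TYf5QMMQweIG9y8aKnhCHJn55
JHmlNKsGcOOaEIid6On+ihUw0uHjx/Ct6XKtl/QDnZTt5AKt8Whj/8+LjPSQgPmF
+utXhqZBW/IeNgvtVaPLM55XXgao6IFt/UH0WKydV1AWdZ3/PuMR4hOIAwVHUBj9
z1MigLNkfWGUXZi02T7W4E/3Ea3nEdQnECvHsk/j2nF+k85FMPf1T3TOUE/sdNQI
F0m1za2FAU9E+GNLIyQ3hVdx/Zw2sI8WeqtL+48IZ1UNZ1XcwYUmZ/aN3x9hvqSj
MLbQXFTSmsXdV97eQYQmVEnkqC/KtYMnupXWULfTn6LnqqT17R10Zk94xVRFtMWo
ed1abogGO2x+UMulcrwrEjReQ3vhT1rJSvk7o/YbhbWo/D2o67oOzGx+Cz2ROXWt
CbLOie9q+UOXDjPBuTzPeG24f4AVKiIPr2VwTWY4IGjysENpSr+L1JPhL4KdO/yy
mLalrJmChPWuRR9y3sn3/hS9Blk7qMZEVWGGhizPbF68tXhnrTdz4lLj5d/gnWus
HXgm92RftfEjMEDp9SlWZZAMbKNzihMB8sgXJl52N8emhD4wsRqmh4E13TBHrBxk
h54mC77b1aWJqcIqo5b0RAyNW0BTmaikL3enEEriFtZQiZZzq5k=
=Dn1R
-----END PGP SIGNATURE-----"""

PUBKEY_ALGOS = {1: "RSA", 17: "DSA", 19: "ECDSA", 22: "EdDSA"}
HASH_ALGOS = {1: "MD5", 2: "SHA1", 8: "SHA256", 9: "SHA384", 10: "SHA512"}
SIG_TYPES = {0x00: "binary document", 0x01: "canonical text document"}


def crc24(data):
    """Armor checksum from RFC 4880 section 6.1."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def dearmor(armor):
    """Split an ASCII-armored block into (payload bytes, armor CRC ok / None if absent)."""
    lines = [line.rstrip() for line in armor.strip().splitlines()]
    if not (lines[0].startswith("-----BEGIN PGP ") and lines[-1].startswith("-----END PGP ")):
        raise ValueError("not an armored OpenPGP block")
    body = lines[1:-1]
    if "" in body:                          # armor headers (Version:, Comment:) end at a blank line
        body = body[body.index("") + 1:]
    expected = None
    if body and body[-1].startswith("="):   # trailing "=XXXX" line carries the CRC-24
        expected = int.from_bytes(base64.b64decode(body.pop()[1:]), "big")
    payload = base64.b64decode("".join(body))
    return payload, None if expected is None else crc24(payload) == expected


def read_subpackets(buf):
    """Signature subpackets (RFC 4880 5.2.3.1) as {type: body}."""
    out, i = {}, 0
    while i < len(buf):
        first, i = buf[i], i + 1
        if first < 192:
            length = first
        elif first < 255:
            length, i = ((first - 192) << 8) + buf[i] + 192, i + 1
        else:
            length, i = int.from_bytes(buf[i:i + 4], "big"), i + 4
        out[buf[i] & 0x7F] = buf[i + 1:i + length]   # one type octet, then the body
        i += length
    return out


def parse_signature(payload):
    """Metadata of a version 4 signature packet (RFC 4880 5.2.3); no cryptography is done here."""
    tag = payload[0]
    if not tag & 0x80:
        raise ValueError("not an OpenPGP packet")
    if tag & 0x40:                          # new-format header, one- or two-octet length only
        ptype, first = tag & 0x3F, payload[1]
        if first >= 224:
            raise ValueError("unsupported new-format length encoding")
        size = 1 if first < 192 else 2
        length = first if size == 1 else ((first - 192) << 8) + payload[2] + 192
    else:                                   # old-format header, which is what the block above uses
        ptype, size = (tag >> 2) & 0x0F, {0: 1, 1: 2, 2: 4}[tag & 0x03]
        length = int.from_bytes(payload[1:1 + size], "big")
    body = payload[1 + size:]
    if ptype != 2 or body[0] != 4:
        raise ValueError("expected a version 4 signature packet")
    hashed_len = int.from_bytes(body[4:6], "big")
    hashed = read_subpackets(body[6:6 + hashed_len])
    p = 6 + hashed_len
    unhashed_len = int.from_bytes(body[p:p + 2], "big")
    unhashed = read_subpackets(body[p + 2:p + 2 + unhashed_len])
    p += 2 + unhashed_len                   # p now points at the two hash-prefix octets
    mpi_bits = int.from_bytes(body[p + 2:p + 4], "big")
    fingerprint = hashed.get(33) or unhashed.get(33)   # version octet + fingerprint
    key_id = unhashed.get(16) or hashed.get(16)
    created = hashed.get(2)
    return {
        "sig_type": SIG_TYPES.get(body[1], hex(body[1])),
        "pubkey_algo": PUBKEY_ALGOS.get(body[2], str(body[2])),
        "hash_algo": HASH_ALGOS.get(body[3], str(body[3])),
        "created": datetime.fromtimestamp(int.from_bytes(created, "big"), tz=timezone.utc).isoformat() if created else None,
        "issuer_fingerprint": fingerprint[1:].hex().upper() if fingerprint else None,
        "issuer_key_id": key_id.hex().upper() if key_id else None,
        "mpi_bits": mpi_bits,
        "packet_length": length,
        "well_formed": p + 4 + (mpi_bits + 7) // 8 == length == len(body),
    }


def inspect(armor):
    payload, crc_ok = dearmor(armor)
    info = parse_signature(payload)
    info["armor_crc_ok"] = crc_ok
    return info
```

The issuer fingerprint this prints is what you compare with the MSRC key you download from the URL in the message; a signature from any other key, however well formed, is exactly the hoax Microsoft warns about. For a version 4 key the key ID is the last eight bytes of the fingerprint, so the two fields agree on a consistent signature.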
The following graphs show what a Distributed Denial of Service (DDoS) attack on an association looks like. The names, rates and volume of the association have been blurred for security reasons. We are thankful to AWS for their own defenses in front of ours, which help us mitigate these issues.
Note: The graphic above is filtered to a 24-hour span for one client. The infrastructure is in place and highly redundant, so we can monitor and keep our clients safe, whether they are in the US or hosted in other countries (we run multiple Tendenci clouds as needed).
Note 2: Make no mistake – if a bad actor has the budget, they can and will purchase enough bots to take a site down. This is well documented. Even our resources at AWS are limited in what they can handle. Budget (yes, BUDGET) accordingly.
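The logs the ELK/Elastic Stack collects at the top of this page and the DDoS graphs above are two views of the same question: is some source sending far more requests than a person would? As an added example (not Tendenci's monitoring code), the following runs that check over web-server access-log lines: a sliding 60-second window per source IP, plus the aggregate count that a volumetric graph shows. The log lines are constructed inside the block from RFC 5737 documentation addresses, and the 60-second window and 30-request threshold are placeholder values to tune against your own baseline.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Combined log format as written by nginx/Apache: ip ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp, request, status), or None when the line is not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m["ip"], datetime.strptime(m["ts"], TS_FORMAT), m["req"], int(m["status"])


def peak_rates(lines, window=timedelta(seconds=60), key=lambda event: event[0]):
    """Highest number of requests each key (default: source IP) made inside any sliding window.

    Events are sorted by time first, so logs interleaved by several workers are fine.
    Returns {key: peak_count}."""
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e[1])
    recent, peak = defaultdict(deque), defaultdict(int)
    for event in events:
        k, ts = key(event), event[1]
        q = recent[k]
        q.append(ts)
        while q[0] <= ts - window:          # expire timestamps that fell out of the window
            q.popleft()
        peak[k] = max(peak[k], len(q))
    return dict(peak)


def flood_sources(lines, window=timedelta(seconds=60), threshold=30):
    """Sources whose peak rate reaches the threshold: candidates for a block rule or rate limit."""
    return {ip: n for ip, n in peak_rates(lines, window).items() if n >= threshold}


def aggregate_peak(lines, window=timedelta(seconds=60)):
    """Peak total request count regardless of source: the volumetric view a DDoS graph shows."""
    return peak_rates(lines, window, key=lambda event: "all").get("all", 0)


def build_sample_log():
    """Constructed sample (RFC 5737 documentation addresses, not real client traffic):
    three ordinary visitors, one hit every 7 s each, plus one source sending 60 requests in 30 s."""
    t0 = datetime(2018, 4, 10, 13, 55, 0, tzinfo=timezone.utc)

    def line(ip, offset, path, status=200):
        ts = (t0 + timedelta(seconds=offset)).strftime(TS_FORMAT)
        return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" {status} 5123'

    lines = [line(ip, s, "/events/") for ip in ("192.0.2.10", "192.0.2.11", "198.51.100.7")
             for s in range(0, 120, 7)]
    lines += [line("203.0.113.9", 30 + k // 2, "/login/", 503) for k in range(60)]
    lines.append("garbage line that does not parse")   # real logs have these too
    return lines


if __name__ == "__main__":
    sample = build_sample_log()
    print("flooding sources:", flood_sources(sample))
    print("aggregate peak per 60 s:", aggregate_peak(sample))
```

A single flooding address is the easy case; a distributed attack keeps every source under the per-IP threshold, which is why the aggregate peak matters and why the upstream defenses at AWS do the heavy lifting. In the Elastic Stack the same logic is a date-histogram aggregation by client IP with a threshold alert on the bucket count.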
NOTE: This is a cross post. The original post is at: https://www.tendenci.com/news/ssl-encrypting-all-tendenci-hosted-sites/
To our clients. The above graph is a filtered subset of what is a *typical* day of network alerts. As the media has stated, the issue is quite real.
We greatly appreciate you and it is important to us that you remain safe. To further advance that objective in the current geopolitical environment, all hosted Tendenci sites will be served over HTTPS (SSL/TLS encryption) going forward, per our CEO.
Why? Because security. The Internet has changed and we must adapt.
Adapt? Remember when that Steve Jobs guy invented the iPhone and suddenly sites that were awesome the week before… well… they weren’t as awesome the next day? The. Next. Day. Technology is like that.
Continue Reading: https://www.tendenci.com/news/ssl-encrypting-all-tendenci-hosted-sites/
(This is a cross post from our CEO’s personal blog. Note that Tendenci sites do NOT use Apache Struts, the Java web framework exploited at Equifax (it is a separate product from the Apache web server, which Tendenci sites also do not use), so those vulnerabilities do NOT impact your Tendenci site. Still, be aware that nothing is 100% secure, so stay vigilant and be prepared, friends!)
As reported last Friday, Equifax, the personal credit reporting agency, suffered a 2017 data breach exposing the identities of 143 million people. It started in May 2017 and is only now (August 2017) being disclosed. It is going to impact all of us. Sources:
- Equifax data leak could involve 143 million consumers
- PSA: no matter what, Equifax may tell you you’ve been impacted by the hack
- Did Lack of Visibility into Apache Struts Lead to the Equifax Breach?
From the second article on the Equifax breach linked above, this portion really galls me:
… not only are none of the last names tied to your Social Security number, but there’s no way to tell if you were really impacted.
It’s clear Equifax’s goal isn’t to protect the consumer or bring them vital information. It’s to get you to sign up for its revenue-generating product TrustID.
Earlier it was revealed executives had sold stock in the company before going public with the leak. We also found TrustID’s Terms of Service to be disturbing. The wording is such that anyone signing up for the product is barred from suing the company after.
The following phrase alone, if true, combined with Equifax literally trying to monetize their security errors, is what gives capitalism a bad name:
The wording is such that anyone signing up for the product is barred from suing the company after.
Note: Equifax has changed the indemnification, but only under duress imho. Furthermore 30 days free credit monitoring by the company that released your data and then you will have to pay monthly still seems wrong. But to be fair, here is their update:
(Editor: well ya, duh!?)
(Editor: but did you fire the person who did it in the first place?)
I get it. Nothing is secure. If the NSA’s hacking tools get stolen and OPM loses all of the data from security clearance checks on our own people, then truly nothing is safe. I get it.
What I do not understand is a company as large as Equifax not being prepared for something like this. That Equifax did not announce it promptly. That Equifax executives sold stock before announcing it. That Equifax then attempted to indemnify themselves. That Equifax is using the crisis to sell a monitoring service that you have to pay for after 30 days. A service to monitor YOUR data that THEY lost control of!
This boggles the mind of a PR Professional.
The Internet was not built for e-commerce – it was built for knowledge sharing in a “walled garden”. Therefore keeping sites perfectly secure is not possible. Any security professional will tell you best practice is to white-list the good guys (selective inclusion) rather than trying to enumerate every attack and block it. Even so, the hard part at a high level remains identifying and blocking bad actors.
I hate to say it folks, but we are playing whack-a-mole with your identity and money. It will always be an uphill battle to maintain security on the Internet and you will never ever be 100% safe.
As reported by Black Duck (awesome people btw), the specifics of the attack on Equifax are currently easily exploitable on similar sites. This is like Hurricane Harvey – it’s not even close to over.
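The question behind the third link, whether Equifax could see which Struts version it was running, is one every operator of a Java application should be able to answer in minutes. As an added example (not from the original post or from any of the linked sources), the following walks a deployment directory, identifies every struts2-* jar from its Maven metadata, its manifest or its file name, and lists the versions below a minimum. The minimum is whatever the current Apache Struts security bulletin names; the jars and versions built inside the block are constructed placeholders, not real artifacts, and the `2.5.13` passed to the demo is a placeholder argument, not a statement about which versions are safe.

```python
import re
import tempfile
import zipfile
from pathlib import Path

JAR_NAME_RE = re.compile(r"^(?P<artifact>.+?)-(?P<version>\d[\w.-]*)\.jar$")


def version_key(version):
    """Numeric sort key: '2.5.13' -> (2, 5, 13). Qualifiers such as -SNAPSHOT are ignored,
    and an unknown version sorts lowest so that it is always reported for a closer look."""
    return tuple(int(n) for n in re.findall(r"\d+", version))


def jar_identity(jar):
    """(artifact, version) for one jar: Maven pom.properties first, then the manifest, then the file name."""
    artifact = version = None
    with zipfile.ZipFile(jar) as zf:
        names = zf.namelist()
        for name in names:
            if name.startswith("META-INF/maven/") and name.endswith("/pom.properties"):
                props = dict(line.split("=", 1) for line in zf.read(name).decode().splitlines()
                             if "=" in line and not line.startswith("#"))
                artifact, version = props.get("artifactId", artifact), props.get("version", version)
        if version is None and "META-INF/MANIFEST.MF" in names:
            for line in zf.read("META-INF/MANIFEST.MF").decode().splitlines():
                if line.startswith("Implementation-Version:"):
                    version = line.split(":", 1)[1].strip()
    m = JAR_NAME_RE.match(jar.name)
    if m:
        artifact, version = artifact or m["artifact"], version or m["version"]
    return artifact or jar.stem, version or "unknown"


def inventory(root, prefix="struts2-"):
    """artifact -> sorted versions for every jar under root whose artifact name starts with prefix."""
    found = {}
    for jar in Path(root).rglob("*.jar"):
        artifact, version = jar_identity(jar)
        if artifact.startswith(prefix):
            found.setdefault(artifact, set()).add(version)
    return {a: sorted(v, key=version_key) for a, v in sorted(found.items())}


def below_minimum(versions, minimum):
    """Versions older than the fixed release named in the vendor's advisory."""
    return [v for v in versions if version_key(v) < version_key(minimum)]


def build_sample_lib(root):
    """Constructed sample tree (not real artifacts): two deployments, one of which carries its
    struts2-core version only inside the Maven metadata, plus an unrelated jar."""
    root = Path(root)
    for app in ("app1", "app2"):
        (root / app / "WEB-INF" / "lib").mkdir(parents=True)
    with zipfile.ZipFile(root / "app1/WEB-INF/lib/struts2-core-2.3.5.jar", "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nImplementation-Version: 2.3.5\n")
    with zipfile.ZipFile(root / "app2/WEB-INF/lib/struts2-core.jar", "w") as zf:
        zf.writestr("META-INF/maven/org.apache.struts/struts2-core/pom.properties",
                    "#Generated by Maven\nversion=2.5.13\ngroupId=org.apache.struts\nartifactId=struts2-core\n")
    with zipfile.ZipFile(root / "app2/WEB-INF/lib/commons-io-2.4.jar", "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")


def demo(minimum):
    """Inventory the constructed tree; `minimum` is the fix level from the current Struts advisory."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_lib(tmp)
        found = inventory(tmp)
    return found, {a: below_minimum(v, minimum) for a, v in found.items()}


if __name__ == "__main__":
    found, stale = demo("2.5.13")          # placeholder minimum, see the lead-in
    print("found:", found)
    print("below minimum:", stale)
```

Run inventory() against the webapps and lib directories of every server, not just the one you remember deploying Struts on; a second copy bundled inside another application's WEB-INF/lib is exactly the visibility gap the article title refers to.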
Why Tendenci doesn’t support epub uploads through the standard UI.
We love knowledge and knowledge sharing. And all of us read a lot – more and more on mobile readers. And yet the Tendenci software doesn’t support uploading epub files. First understand you have TONS of options to achieve your business goal and keep your site secure.
Free ebooks? We recommend you upload the epub to a resource like an Amazon S3 bucket or Dropbox and link to it from your site. That immediately solves the problem – you have a link to the resource on your site, just not “in” your site for safety and security.
Selling ebooks? Look at Amazon or Shopify or google it for tons of options. Even if the books are free, “selling them” on shopify will give you analytics and insight into consumers who are interested in your topic because they are being delivered to people next to other books!
As for the upload restrictions in Tendenci, here is why we are cautious:
While knowledge is great, security is more important. YES – TECHNICALLY YOU CAN PUT EPUB FILES ON YOUR TENDENCI SITE. But for security reasons your network administrator will need to do it for you. The reason is that EPUB 3 supports scripting and interactivity, so epub and mobi files can carry active content and deliver malware just like many other document formats (*cough* “Adobe Flash” *cough*).
A book can include a code example or a script. Depending on how your browser or e-reader renders the book, that code may or may not execute, and it may or may not be malicious. Typically the file itself carries nothing a virus scanner recognizes; instead the embedded code calls out to another site and downloads the malware from there.
For more on the wonderful functionality that makes epubs more accessible, but also a security threat if not carefully vetted, visit http://epubzone.org/news/epub-3-and-interactivity
Two screen shots from the epubzone.org site are pasted below.
To be sure, I love learning sites that have code I can run in my web browser. MOOCs are awesome. But Tendenci is not a MOOC. So our current system is not set up to allow uploads of epub or mobi files, given the millions of people who log into hundreds of open source Tendenci sites, hosted or in the wild. We are just cautious.
And again – there are alternatives.
- Upload it to a different location and link to it <– RECOMMENDED!
- Sell it with a company like Amazon who takes care of all of it for you <– RECOMMENDED!
- Have your Network Administrator upload it if you must. But if this is the case, why not just make it a PDF? (PDFs can carry active content too, so have the file scanned either way.) <– NOT RECOMMENDED
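The following is an added example, not code from Tendenci, of the vetting a network administrator would do before placing an epub on a site by hand. It reads the EPUB container, checks the package manifest for JavaScript resources and for items the book itself declares as scripted or remote, and scans the XHTML chapters for inline scripts, event handlers and src/href references to other hosts, which is the “call another site and download” pattern described above. The sample book is constructed inside the block and the host in it is a reserved .invalid name; it is not a real payload.

```python
import io
import re
import xml.etree.ElementTree as ET
import zipfile

CONTAINER_NS = {"c": "urn:oasis:names:tc:opendocument:xmlns:container"}
OPF_NS = {"opf": "http://www.idpf.org/2007/opf"}
SCRIPT_TYPES = {"application/javascript", "text/javascript", "application/ecmascript"}
INLINE_SCRIPT_RE = re.compile(r"<script\b|\son[a-z]+\s*=", re.IGNORECASE)
REMOTE_REF_RE = re.compile(r"""(?:src|href)\s*=\s*["'](?:https?:)?//""", re.IGNORECASE)


def scan_epub(data):
    """Return {'safe_to_publish': bool, 'findings': [...]} for an EPUB given as bytes.

    Flags a malformed container, JavaScript resources, content the package declares as
    scripted or remote, and inline <script>/on*= handlers or remote src/href references
    inside XHTML chapters."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        if not names or names[0] != "mimetype" or zf.read("mimetype").strip() != b"application/epub+zip":
            findings.append("container: mimetype entry missing, misplaced or wrong")
        container = ET.fromstring(zf.read("META-INF/container.xml"))
        rootfile = container.find(".//c:rootfile", CONTAINER_NS).get("full-path")
        opf_dir = rootfile.rsplit("/", 1)[0] + "/" if "/" in rootfile else ""
        package = ET.fromstring(zf.read(rootfile))
        for item in package.findall(".//opf:manifest/opf:item", OPF_NS):
            path = opf_dir + item.get("href", "")
            media = item.get("media-type", "")
            props = item.get("properties", "").split()
            if media in SCRIPT_TYPES:
                findings.append(f"{path}: JavaScript resource in manifest")
            if "scripted" in props:
                findings.append(f"{path}: declared as scripted content")
            if "remote-resources" in props:
                findings.append(f"{path}: declared to load remote resources")
            if media == "application/xhtml+xml" and path in names:
                text = zf.read(path).decode("utf-8", "replace")
                if INLINE_SCRIPT_RE.search(text):
                    findings.append(f"{path}: inline <script> or on* event handler")
                if REMOTE_REF_RE.search(text):
                    findings.append(f"{path}: src/href pointing at a remote host")
    return {"safe_to_publish": not findings, "findings": findings}


def build_sample_epub(scripted):
    """Constructed minimal EPUB 3 (not a real book or payload): one chapter that, when
    scripted=True, declares itself scripted and loads a script from another host."""
    chapter = "<html xmlns='http://www.w3.org/1999/xhtml'><body><p>Chapter one.</p>"
    if scripted:
        chapter += "<script src='https://updates.example.invalid/loader.js'></script>"
    chapter += "</body></html>"
    props = ' properties="scripted"' if scripted else ""
    opf = ('<?xml version="1.0"?><package xmlns="http://www.idpf.org/2007/opf" version="3.0" '
           'unique-identifier="uid"><metadata/><manifest>'
           f'<item id="ch1" href="ch1.xhtml" media-type="application/xhtml+xml"{props}/>'
           '</manifest><spine><itemref idref="ch1"/></spine></package>')
    container = ('<?xml version="1.0"?><container version="1.0" '
                 'xmlns="urn:oasis:names:tc:opendocument:xmlns:container"><rootfiles>'
                 '<rootfile full-path="OEBPS/content.opf" media-type="application/oebps-package+xml"/>'
                 '</rootfiles></container>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # the spec requires "mimetype" first and uncompressed
        zf.writestr(zipfile.ZipInfo("mimetype"), "application/epub+zip", compress_type=zipfile.ZIP_STORED)
        for name, body in (("META-INF/container.xml", container),
                           ("OEBPS/content.opf", opf), ("OEBPS/ch1.xhtml", chapter)):
            zf.writestr(name, body, compress_type=zipfile.ZIP_DEFLATED)
    return buf.getvalue()


if __name__ == "__main__":
    for scripted in (False, True):
        print(scripted, scan_epub(build_sample_epub(scripted)))
```

A scanner like this catches the honest cases, not an obfuscated one, so it supports the policy above rather than replacing it: host the file elsewhere and link to it.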
PS – One part of being a hacker is you are frequently accused of being an “Eeyore.” This is tiring. And incorrect. Caution online is really – well – the teamwork of Q and Bond. Aware of current reality. Curious. The ability to think perhaps a bit deviously. To know what is possible – both good and bad – to protect you.
Dear clients – we will be doing some unscheduled maintenance to build out a more redundant infrastructure. Specifically, the network team is making images of entire servers so they can be brought back up quickly and easily in the case of a security issue.
The decision to create the extra server images in addition to the normal site backups was made based on security information we received from official and unofficial sources. We recognize any outage is an inconvenience and will work to keep security as our top priority.
The ETA for outages is approximately 30 minutes per server. Most likely less as our cloud is fairly distributed.
I am typing this at 5:40 PM on Saturday April 16 CST 2016. I will keep updating this same blog post as we get better data on timelines.
Encryption is a good thing. If you don’t already, you should encrypt your website with SSL (TLS).
Excuses? Nope. As usual, we learned something from Shelly Palmer’s Strategic Advisor newsletter, and today it was some wonderful news: the EFF‘s efforts with Let’s Encrypt are producing great results.
That means anyone can get a secure site, the kind with the lock in the address bar like your bank, without paying for the certificate itself. Pretty cool accomplishment!
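Getting the certificate is the first step; keeping the site on HTTPS is an operational check. Let’s Encrypt certificates are valid for 90 days, so renewal has to be automated and watched. As an added example, not Tendenci tooling, the following checks two things for a host: that plain HTTP redirects to HTTPS on the same host, and that the certificate validates against the system trust store with enough days left. The two pure functions are exercised offline with constructed inputs; the two network functions are what you would schedule against a real host, and the 14-day warning threshold is an arbitrary choice.

```python
import socket
import ssl
import sys
from datetime import datetime, timezone
from http.client import HTTPConnection
from urllib.parse import urlsplit

REDIRECTS = {301, 302, 307, 308}


def redirect_is_secure(status, location, host):
    """True when a plain-HTTP response sends the client to the same host over https."""
    if status not in REDIRECTS or not location:
        return False
    target = urlsplit(location)
    return target.scheme == "https" and (target.hostname or "").lower() == host.lower()


def renewal_status(not_after, now_iso, warn_days=14):
    """Days left on a certificate, from the notAfter string ssl.getpeercert() reports
    (e.g. 'Jun 14 12:00:00 2018 GMT') and an ISO-8601 'now'. With 90-day Let's Encrypt
    certificates, alerting well before expiry is what turns a renewal failure into a
    ticket instead of an outage."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    days = (expires - datetime.fromisoformat(now_iso)).days
    return {"days_left": days, "renew_now": days <= warn_days, "expired": days < 0}


def check_http_redirect(host, timeout=5.0):
    """Network check: does http://host/ redirect to https on the same host? (not run offline)"""
    conn = HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("GET", "/", headers={"Host": host})
        resp = conn.getresponse()
        return redirect_is_secure(resp.status, resp.getheader("Location", ""), host)
    finally:
        conn.close()


def check_certificate(host, timeout=5.0, warn_days=14):
    """Network check: chain and hostname validation via the system trust store, then expiry."""
    ctx = ssl.create_default_context()      # CERT_REQUIRED and check_hostname=True by default
    with socket.create_connection((host, 443), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert, version = tls.getpeercert(), tls.version()
    status = renewal_status(cert["notAfter"], datetime.now(timezone.utc).isoformat(), warn_days)
    status.update(host=host, tls_version=version, issuer=dict(rdn[0] for rdn in cert["issuer"]))
    return status


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: check_tls.py HOSTNAME")
    site = sys.argv[1]
    print("http -> https redirect:", check_http_redirect(site))
    print(check_certificate(site))
```

Run it as `python check_tls.py www.example.org` (the file name is assumed). A redirect to https on a different host, or a 200 over plain HTTP, both count as failures, because either leaves the first request readable on the wire.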
Late last month we had two Macbook Air laptops stolen out of our Houston office. There were several things we learned from the experience. We’ve outlined a few specifics below that we think could help other companies or organizations avoid a similar situation. Some of these we had in place prior to the theft, and some we learned the hard way.
First: Thank You for Sharing!
First I want to say a big THANK YOU to everyone in the community who shared our story.
We posted a photo of building security footage of the suspect on our website and about 200 people shared the information on Facebook, Twitter, and other social networks.
We got some good tips from the community that we’ve shared with the police. Another business owner had a similar issue with a suspect fitting the same description – we’ve turned that information over to the police and hope they are able to take some action with it.
The Good News: No Data Loss
The good news is that no one was hurt and the Macbooks were brand new so there was no client data on them at all.
Why it Matters: We Want to Do Better
We take security seriously – in the Schipul office we use automatic locks, security cameras, key cards, and train our people to be vigilant. This was a failure on multiple levels and we recognize how lucky we are to just be out a few laptops. We were not happy that the incident happened not only because of the loss of equipment, but also because we want to do better to protect our people and our clients.
5 Security Tips for Businesses
#1. Talk to Strangers!
This goes against what you were taught as a small child. Train your employees that if they see an unescorted stranger – say something to them. You don’t have to come across as rude; politely say hello and offer to help them find what they are looking for.
Don’t ignore people who look like they shouldn’t be there – acknowledge them. If they are considering causing trouble, this is often enough to make them think twice.
#2. Look for Security Holes
If you were looking to steal from the company, how would you do it?
Think about doors that are unlocked or out of sight, times of day that are easier targets, new guys who don’t know the protocol, etc. In our case, the laptops were stolen when the front desk was unoccupied during lunch – this is something we could have avoided.
Be vigilant about locking doors and computers. Make it a habit to secure rooms with valuable equipment – post a sign as a reminder on the door or make it one person’s responsibility to double check.
#3. Keep Inventory, Password Protect
Keep an inventory of your equipment, including serial numbers and who each item is checked out to. Password protect immediately, and make sure the default password is complex: if a default password is easy to remember like “changeme,” chances are the person won’t change it. A login password alone does not protect the data on a stolen drive, so turn on full-disk encryption as well. If you need ideas for passwords, Random.org has a great random password generator.
Our laptops had already been set up with passwords and registered – so we were able to report the serial numbers to Apple to help us track them down.
#4. Know Who to Call
Many small businesses have offices in a building shared by other companies. Know your property management and security guards – including their phone number. Educate every employee on what to do if something happens.
Security footage is often overwritten after a few days, so be sure you know how to view and save the footage as quickly as you can.
#5. Build Your Social Network Before You Need It
We are extremely thankful to everyone who shared our photos to help us get to the bottom of our theft.
Build your online network by connecting with them online & provide interesting content to keep them coming back. In the event that you need your network to help you spread a message like we did, you have a built in base of people who can help!
But be ready for more surprises.
While most feedback we got was supportive, we were surprised by some negative comments that alleged that we were profiling our suspect based on his race. Our intention by posting the photos of the suspect was simply to identify him so the police can get to the bottom of the issue, and even though we make a living encouraging companies and nonprofits to take an open stance and embrace criticism online, we found ourselves getting defensive. A special thanks to the members of the community who responded to the negative comments on our behalf. The negative comments were a reminder that the social media conversation doesn’t always go the way you expect it to, and you need to be able to respond quickly and openly to whatever unexpected direction the conversation takes.
Thank You Again!
Thank you again to everyone for your support. We continue to work to keep security our #1 priority to protect our employees and clients.
If you do recognize this suspect (photo here), please notify the City of Houston police at (713) 884-3131 with case #081613612.