Security

By Mike Gifford on 17/12/2017
A Snowy White House
OpenConcept’s sites have mostly been served from Canada. Like many others, we were concerned when the 2002 Homeland Security Act was put into place. Lots of organizations shared our concern about what access the CIA, FBI and NSA would have to sites on American soil. This was an issue for us, but we certainly didn’t feel like these agencies would respect Canada’s border, and indeed there might be additional restrictions on them within their own territory.
Despite our concerns, we decided to move our infrastructure to the cloud and chose Amazon Web Services (AWS) as they were clearly the leader at the time...
By Mike Gifford on 13/02/2015
With the cost of computers dropping, we are seeing them in places most people don't recognize. It is amazing how much computing power has been built into the $35 Raspberry Pi, and computers are now also in our cars, TVs and many other products that could never afford to be "smart" before. One of the most common devices that people don't see as a computer is their router. Most organizations now have several routers to make it more convenient to access the Internet. Although they don't look much like computers, they are.
OpenConcept is a web development shop and doesn't offer security advice on...
By Mike Mallett on 15/10/2014
On October 14, 2014 Google announced that SSLv3 (Secure Sockets Layer, version 3) was vulnerable to an attack which has been given the cute name POODLE (Padding Oracle On Downgraded Legacy Encryption).
OpenConcept has previously recommended the removal of support for SSLv3 in our Drupal Security Guide. Fallback to SSLv3 has been disabled on OpenConcept's servers. All HTTP servers providing encrypted service (HTTPS) should be configured to drop SSLv3 and support only TLS (Transport Layer Security). See the guide for instructions on how to do this.
It is important to note that everyone who uses SSL...
By Mike Mallett on 10/04/2014
Heartbleed Logo
What is "Heartbleed"?
"Heartbleed" is the common name being used to refer to a critical security vulnerability found in OpenSSL's implementation of the TLS Heartbeat extension. OpenSSL is a very popular encryption library in widespread use across the Internet. It is considered to be a critical piece of software infrastructure by countless organizations worldwide. It is the library most Open Source systems use to provide encryption, such as for HTTPS.
The nature of the vulnerability allowed anyone to retrieve chunks of the server process's memory (up to 64 KB per request) from a web server running an affected OpenSSL package. This did not require any...
By Mike Gifford on 31/10/2013
It is really, really embarrassing that a kid in elementary school could hack into any government computer system. Yet a 12-year-old boy has pleaded guilty to doing just that in 2012. I'm not sure how much is known about how he did this, and no doubt he is a very bright and curious child, but this really needs to be a glaring warning about a systemic problem with how governments in Canada manage security.
In my dealings with government IT, I find far too often that departments go only so far as to apply a CYA approach to security. Far too often this comes down to choosing a big vendor, and...
By Mike Gifford on 25/09/2013
We've been doing a lot of work recently building a best practice guide on security and wanted to be able to send our clients a simple list of principles that are written in plain language. 

There is Safety in the Herd: Leverage large, well-maintained open source libraries (packages) with a critical mass of users and developers. Use compiled packages and check the data integrity of downloaded code. Start with OpenBSD, Debian/Ubuntu or Red Hat/CentOS WITHOUT cPanel.
Order Matters: Don’t open up services to the Internet before your server is properly secured.
Limit Exposure: Only install and...
By Mike Gifford on 25/06/2013
There are lots of ways to set up an enterprise server environment for Drupal, but in dealing with IT folks who are coming from other Content Management Systems (CMS), or worse, static sites, there is an assumption that for an organization to have control it needs to have a completely isolated server.
Many organizations historically have not had a CMS which had the workflow structure and level of interactivity that Drupal comes with. Historically, the staging server has been used as the final Quality Assurance (QA) environment for new content. It was also used as a barrier between the...
By Mike Gifford on 21/06/2013
OpenConcept believes in the importance of community and the power of open source. Drupal is a great software product, but the community behind it is bigger and better than the software itself. Open source approaches are really disruptive when they are applied properly because they can disrupt the producer/consumer mindset which has been drilled into our heads over the last 50 years. When we realize that we can contribute something that helps others, we also see that making the community stronger helps ourselves.
Sadly there are a few processes in place which really hinder that participation....
By Mike Mallett on 04/06/2013
"$1 Hosting Sale - Reliable, Secure & 99.9% Uptime"
"Only $3.95/month + $10 Off Today!"
"$1/mo 30GB Space 100GB Traffic, PHP, 100 Databases, 40+ Site/Blog Apps"
"Cheap Web Hosting Canada from $1/mo Web Site Hosting"
... These are just some of the offers being made for bottom-line hosting solutions on today's World Wide Web. Offers that seem almost too good to be true. Often, things that seem that way turn out to be exactly that. It's not that they should be avoided completely, but when deciding what you need from your personal, organizational, or corporate web site it is important to...
By Mike Gifford on 16/05/2013
Viagra & Government Sites - A screencapture from Google
This was originally titled What Communications Managers Should Know (and Do) About Web Security, but that was just way too long a title.
Security is something that everyone needs to understand on a basic level in our modern society, but staff need to know more as their organizational mission can also be jeopardized. For people in management it is especially important as they set the tone for everyone else. IT security simply cannot be left to the techies to take care of. The risks are huge, it’s complicated, and unfortunately if management ignores it, it won’t just go away.
Most modern...