Before we announce the new 2013 changes, we wanted to share some insight on online security. This information can help keep you safe in any application you may use – email, websites you visit, and so on.
Many users don’t give online security much thought. However, without knowing the basics, a person can be vulnerable when they are online. When we don’t make informed decisions about online security, many areas of our everyday lives (e.g. social networks, online financial records, email) are at risk from attackers.
Below are some common security attacks.
- Social engineering. This is when someone tricks you into giving them information they shouldn’t have, such as someone pretending they are from Icon Systems and asking you for your password. Another example is phone scams where people call you and tell you that you won something and they need your social security number to claim the prize.
- Password cracking. This can happen in a couple of ways: either (1) you choose an easy-to-guess password, and someone programmatically runs code to break the password or simply guesses it (this is easier than you think), or (2) an attacker compromises the computers where the passwords are stored and then decrypts them. We encourage all users to use strong passwords.
- Cross-site request forgery (CSRF) – a.k.a. “tricky links”. Be careful what you click on! CSRF is when you click a button or link on one website and it actually performs an action on another website while pretending to be you. For instance, say you are logged into IconCMO and click a link in an email or on a website that says, “Look at my cat!” A successful attack could do anything that the user can do in IconCMO – including adding users so that the attacker can get into your account.
- Injection-style attacks. This is when attackers gain direct access to a system’s back-end database by entering database commands (malicious code) instead of the usual data through a text box on a website. This is one of the most common attacks on database-driven websites, and the chances of the attacker being caught are low compared to the high value of the information that can be taken.
- Secondary attacks. It’s easy to think, “I don’t worry about people getting into account ‘x’ of mine online because I don’t have anything important there.” The trick is that a chain is only as strong as its weakest link. If an attacker found out your password to an insecure site, and you used that same password for your email account, chances are they now have access to your email, too. And, if they have your email, perhaps they could use a password reset to gain access to your online banking account. This is how they work their way up from the weakest link in the chain to the strongest link and most important – your online financial accounts.
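To make the injection attack above concrete, here is an added example (not IconCMO code) that builds a constructed in-memory SQLite table of members and runs the same lookup two ways: once by splicing the text-box value into the SQL string, and once with a parameterized query. The hostile-looking input is treated as a command in the first case and as a plain name in the second.

```python
import sqlite3

# Constructed sample rows for this example; not a real IconCMO schema or data.
SAMPLE_MEMBERS = [("alice", "alice@example.org"), ("bob", "bob@example.org")]


def make_db():
    """Create a throwaway in-memory database holding the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO members VALUES (?, ?)", SAMPLE_MEMBERS)
    return conn


def lookup_vulnerable(conn, name):
    """The text-box value is pasted straight into the SQL text.

    A value containing SQL syntax changes the command itself instead of being
    compared as data, which is exactly the injection problem described above.
    """
    sql = "SELECT name, email FROM members WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    """The query shape and the value travel separately to the database driver.

    The value can never be read as SQL, whatever characters it contains.
    """
    sql = "SELECT name, email FROM members WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    hostile = "x' OR '1'='1"
    print(lookup_vulnerable(conn, hostile))     # every member row is returned
    print(lookup_parameterized(conn, hostile))  # [] : no member has that literal name
```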
While we have always taken data security very seriously since IconCMO was publicly released in 2003, technology is always changing. Icon Systems must ensure necessary precautions are taken each year to protect our clients’ most valuable asset – their data. We have been especially busy behind the scenes improving the security in IconCMO over the past several months.
We are happy to announce the 2013 data security changes.
For user experience we improved the following:
- IconCMO will accept the login phone number formatted any way the user types it in, including special characters like dashes or parentheses. As long as the numbers, user ID and password are right, you can access your data. We ignore all special characters now.
- We fixed some inconsistencies with exporting data in various modules across the system when a user has Read Only Access.
- We improved some of the messaging on the system’s screens that the users see if they have Read Only Access.
- To ensure system continuity, the system will notify you when your system is 3 days from expiration. This helps to ensure the system does not expire on you over a typical weekend.
For overall system security we improved the following:
- We improved the logging of users who access the church’s database.
- IconCMO has added a time delay after a set number of log-in attempts have failed, which deters attackers who can guess thousands of possible passwords every second.
- We improved the storage of passwords by using a sophisticated algorithm. In the unlikely event that someone gains unauthorized access to the database, the hacker would not be able to recover users’ passwords from what is stored.
- With the improvements to password storage, even Icon Systems employees cannot determine a user’s password. If a user loses their password, the only way to regain access is to use the forgot-my-password link, which automatically generates an email.
- Important: Please keep your email address up to date on IconCMO in the Organization → Preference → Personal screen.
- We improved the method in which your digital footprint is cleared from the server when you log out.
- We improved the protection against CSRF-style attacks. (CSRF: Cross Site Request Forgery)
- We improved IconCMO security protocols to prevent SQL injection type attacks.
- All of these changes and many more are incorporated into the main IconCMO church software system, the support forum, the APIs for third-party add-ons, the parishioner’s module, and the multi-site church management systems. All of these improvements are in addition to our security protocols that are already in place, which can be read here.
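The two password items above (a delay after repeated failures, and storage from which nobody can read the password back) are shown together in this added example. It is illustrative code, not IconCMO’s implementation; the iteration count, the five-attempt threshold and the two-second delay are assumed values chosen for the example, and PBKDF2-HMAC-SHA256 with a per-user random salt stands in for the “sophisticated algorithm” the post does not name.

```python
import hashlib
import hmac
import os
import time

# Assumed parameters for this example only; IconCMO's real settings are not public.
ITERATIONS = 100_000
MAX_FREE_ATTEMPTS = 5
DELAY_SECONDS = 2.0


def store_password(password):
    """Return what the database keeps: a random salt and a slow one-way hash.

    The password itself is never stored, so neither a database thief nor an
    employee can read it back; they can only test guesses one at a time.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": ITERATIONS}


def verify_password(record, attempt):
    """Recompute the hash from the attempt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode(),
                                 bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(digest.hex(), record["hash"])


class LoginGate:
    """Counts failed log-ins per user and slows the user down past a threshold."""

    def __init__(self, sleep=time.sleep):
        self.failures = {}
        self.sleep = sleep          # injectable so tests need not really wait
        self.delays_imposed = 0     # how many attempts were slowed down

    def attempt(self, user_id, record, password):
        if self.failures.get(user_id, 0) >= MAX_FREE_ATTEMPTS:
            self.sleep(DELAY_SECONDS)   # turns thousands of guesses/second into one every 2 s
            self.delays_imposed += 1
        if verify_password(record, password):
            self.failures.pop(user_id, None)   # a correct log-in clears the counter
            return True
        self.failures[user_id] = self.failures.get(user_id, 0) + 1
        return False
```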
Below you will find some resources if you want to find out more about specific types of security attacks.
- Password Cracking – How to create strong passwords.
- Social Engineering – A story on how social engineering can work.
- CSRF Attacks – How these types of attacks are carried out and how to prevent them.
- SQL Injection – What is it and how to prevent it. (Keep in mind this is just one type of injection attack.)