Posts Tagged: security

Geolocation and Geofencing

We’re excited to announce Geolocation and Geofencing support for our MIDAS room and resource scheduling software.

What is Geolocation?

Geolocation support in MIDAS room booking systems

Geolocation is the process of determining the geographic location of a user’s device. It is used in a variety of applications, such as mapping, navigation, and weather forecasting. A device’s location can be determined using a variety of methods, including GPS, cell tower triangulation, and IP address location.

IP address geolocation is a method of determining the position in the world of an IP address. This can be done by using a variety of methods, including:

  • Reverse DNS lookup: This method involves looking up the IP address in a DNS database to determine the name of the domain that is associated with the IP address. The domain name can then be used to determine the geographic location of the server that hosts the domain.
  • Geolocation databases: These databases contain information about the geographic location of IP addresses. This information is typically collected from a variety of sources, such as ISPs and network operators.

It is important to note that IP address geolocation is not always accurate. The accuracy of IP address geolocation depends on a variety of factors. These include the quality of the geolocation database and the method that is used to determine the geographic location of the IP address.

What is Geofencing?

Geofencing is an extension of geolocation. Once a device’s geographic location can be determined through geolocation, “Geofencing” can be used by a website or application to ensure that devices outside of an authorized area are denied access.

IP geofencing works by creating a virtual radius at a set distance around a fixed point on the globe. By comparing the latitude and longitude coordinates of a user’s device with this fixed point, the distance between them can be calculated. This calculation determines whether the user’s device falls within the set virtual radius.

Access from any device which falls outside of the set radius around the central fixed location can then be blocked.

Geolocation applications within MIDAS

Initially, there are two main areas within our booking software where geolocation information can be shown.

First, is the Recent Activity Log. This audit log in MIDAS records all user activity and actions taking place in your booking system. Each entry in the log is time-stamped, and shows the user account and IP address which performed the action.

From MIDAS v4.33, the optional Geolocation addon can be configured to allow location information to be shown for IP addresses in the Recent Activity Log. This location information includes the city, region, and country that the IP address resides in.

The second application for geolocation in MIDAS accompanies the unfamiliar login notifications feature.

The unfamiliar login notifications feature alerts users when their account is signed in to from a new device or location.

These notifications typically include details of the user’s device / browser and their IP address.

Geolocation support now means that you can optionally configure these notifications to also include the city, region, and country that the login occurred from.

Geofencing applications within MIDAS

Building on the new geolocation support, Geofencing can be used to further enhance the security of your MIDAS system.

It can be used to restrict account logins to certain countries. For example, if your organization only has offices within the United States and the United Kingdom, your colleagues are typically likely to only need to login to MIDAS from within either the US or the UK. You can use geofencing to block any login attempts originating from countries other than the US or the UK.

Restrict MIDAS logins to certain countries

Geofencing can additionally (or alternatively) also restrict account logins to within a certain distance from your location. For example, if you run a radio station in Manchester, UK, you could restrict logins to your MIDAS system to within say a 10 mile radius of Manchester.

Restrict MIDAS logins to within a radius of a set geographic location

How to enable Geolocation or Geofencing in MIDAS

The new Geolocation and Geofencing features are available for MIDAS v4.33 (or later) via our optional Geolocation addon.

Existing customers with active subscriptions can obtain this addon via mid.as/upgrade.

If you’re new to MIDAS, you can subscribe with the Geolocation addon via mid.as/pricing.

Geolocation data accuracy

The accuracy of IP geolocation data depends on a number of factors, including the quality and freshness of the geolocation database, the method that is used to determine the geographic location of the IP address, and the type of IP address.

The IP geolocation data we use in the Geolocation addon for MIDAS is never more than 30 days old.

In general, IP geolocation data is most accurate for large geographic areas, such as countries or states. It can become less accurate for smaller geographic areas, such as cities or neighborhoods.

That’s why, if you use the distance-based geofence features of the Geolocation addon, you should set a more generous distance than strictly necessary, rather than a very small, strict distance from your location. The Geolocation addon includes an instant IP lookup test tool, so you can check IP distances before you apply them.

The Geolocation addon also includes “fallback” options for both country / distance geofence enforcement. For IP addresses where a country and/or latitude and longitude coordinates cannot be determined, you can configure MIDAS to either block or allow these connections.

It’s also worth noting that the accuracy of IP geolocation data can be affected by the use of proxy servers and VPNs. Proxy servers and VPNs can mask the true IP address of a device, making it difficult to determine the device’s geographic location.
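As an added illustration (not MIDAS code), the following combines the two geofence modes described above, a country allowlist and a distance radius around a fixed point, with the “fallback” choice for IP addresses that cannot be placed. The allowlist, the Manchester centre coordinates, the 10 mile radius and the lookup results are all constructed assumptions.

```python
import math

# Constructed configuration mirroring the two enforcement modes in the post:
# a country allowlist (US and UK; the UK's ISO 3166 code is "GB") and a 10 mile
# radius around a fixed point (Manchester city centre, approximate coordinates).
ALLOWED_COUNTRIES = {"US", "GB"}
FENCE_CENTRE = (53.4808, -2.2426)
FENCE_RADIUS_MILES = 10.0
EARTH_RADIUS_MILES = 3958.8

def haversine_miles(a, b):
    """Great-circle distance in miles between two (lat, lon) pairs given in degrees."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    dlat, dlon = lat2 - lat1, lon2 - lon1
    h = math.sin(dlat / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_MILES * math.asin(math.sqrt(h))

def geofence_decision(lookup, fallback_allow=False):
    """Decide whether a login may proceed, given one IP geolocation lookup result.

    `lookup` holds whatever the database returned: optional 'country' (ISO code)
    and optional 'coords' (lat, lon). A missing key models an IP that cannot be
    placed, which is where the post's "fallback" option (block or allow) applies.
    Returns (allowed, reason) so the reason can be written to the activity log.
    """
    country = lookup.get("country")
    if country is None:
        return fallback_allow, "country unknown: fallback applied"
    if country not in ALLOWED_COUNTRIES:
        return False, f"country {country} not in allowlist"
    coords = lookup.get("coords")
    if coords is None:
        return fallback_allow, "coordinates unknown: fallback applied"
    distance = haversine_miles(FENCE_CENTRE, coords)
    if distance > FENCE_RADIUS_MILES:
        return False, f"{distance:.1f} mi from centre, outside {FENCE_RADIUS_MILES:.0f} mi radius"
    return True, f"{distance:.1f} mi from centre, inside radius"

if __name__ == "__main__":
    # Constructed lookup results, not real addresses or database output.
    samples = {
        "Salford office": {"country": "GB", "coords": (53.4875, -2.2901)},
        "London": {"country": "GB", "coords": (51.5074, -0.1278)},
        "Paris": {"country": "FR", "coords": (48.8566, 2.3522)},
        "unplaceable IP": {},
    }
    for name, lookup in samples.items():
        print(name, geofence_decision(lookup))
```

Because the distance check runs on database coordinates rather than on the device itself, a VPN or proxy exit far from the user will fail the radius test even for a legitimate colleague, which is one more reason to keep the radius generous.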


Last week it came to light that Public Health England (PHE) had “lost” nearly 16,000 COVID-19 Test Results.

The issue arose from the way the health agency compiled results from the various commercial firms paid by the UK government to analyze Coronavirus swab tests of the public, to discover who has the virus.

These private firms provided their data in the form of CSV (Comma Separated Values) files – essentially text files.

PHE had set up an automatic process to pull this data together into Microsoft Excel templates so that it could then be uploaded to a central system. From there it could be made available to the NHS Test and Trace team, as well as other government agencies.

The problem was that PHE’s own developers picked an old Excel file format to do this – XLS.

Excel’s XLS file format dates back to 1987, and was superseded by XLSX in 2007.

In the original XLS format, each file could only handle around 65,000 rows of data. The more modern XLSX format can handle one million-plus rows!

As a consequence of using the outdated XLS format, nearly 16,000 positive Covid-19 test results were “truncated” and not correctly recorded.

Whilst the 15,841 individuals who tested positive were themselves notified of their result and told to self-isolate, the people they’d been in recent contact with weren’t.

It’s estimated that in the region of 40,000+ contacts were not traced by the NHS’s Test & Trace team simply as a result of PHE using obsolete software.
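As an added example (not PHE’s or MIDAS’s code), here is the kind of capacity check and post-load reconciliation that would have caught the truncation described above: the exact per-worksheet row limits of the two formats are used, and the sample CSV is constructed so that a single XLS sheet drops exactly the 15,841 rows the post cites.

```python
import csv
import io

# Hard per-worksheet row limits of the two Excel formats the post contrasts
# (these counts include the header row).
ROW_LIMITS = {"xls": 65_536, "xlsx": 1_048_576}

def count_csv_rows(text: str) -> int:
    """Number of data rows (header excluded) in a CSV document."""
    reader = csv.reader(io.StringIO(text))
    next(reader, None)            # skip the header row
    return sum(1 for _ in reader)

def rows_lost(n_rows: int, fmt: str) -> int:
    """How many data rows would be silently dropped if n_rows plus a header
    were written to a single worksheet of format fmt (0 means it fits)."""
    capacity = ROW_LIMITS[fmt] - 1   # one row is taken by the header
    return max(0, n_rows - capacity)

def split_into_sheets(rows: list, fmt: str) -> list:
    """Split data rows into chunks that each fit one worksheet of format fmt,
    so that nothing has to be truncated."""
    capacity = ROW_LIMITS[fmt] - 1
    return [rows[i:i + capacity] for i in range((0), len(rows), capacity)]

def reconcile(source_rows: int, loaded_rows: int) -> int:
    """Post-load control: the number of rows that reached the central system
    must equal the number in the source files. Raises instead of failing silently."""
    missing = source_rows - loaded_rows
    if missing != 0:
        raise ValueError(f"{missing} rows missing: {source_rows} in source, {loaded_rows} loaded")
    return loaded_rows

if __name__ == "__main__":
    # Constructed input: a header plus 81,376 result rows (not the real PHE data).
    sample = "specimen_id,result\n" + "".join(f"S{i},positive\n" for i in range(81_376))
    n = count_csv_rows(sample)
    print(f"{n} rows; lost in one .xls sheet: {rows_lost(n, 'xls')}; in .xlsx: {rows_lost(n, 'xlsx')}")
    print("xls sheets needed:", len(split_into_sheets(list(range(n)), "xls")))
```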

Why were Public Health England using 13+ year old software?

There are many reasons why many organizations continue to use outdated software in their operations.

These may include:

Cost

One of the most common reasons for not updating software is the cost. For large organizations which may have thousands of workstations and devices, the cost to keep software up-to-date can be prohibitive. Good businesses will plan and budget for these large expenditures and take advantage of bulk discounts and site-wide software licenses.

Compatibility

Most businesses use multiple software products from different vendors. Often compatibility between these products is required. Not all software titles used by a business are regularly updated by their developers. Some may not have been updated for several years! Often a factor preventing organizations from updating software to more recent versions is when there’s a risk that doing so would break compatibility with other software they use that’s not been updated for years.

This is actually one of the reasons that Internet Explorer 6 and then 8 stayed around for so long. These were aging browsers, but many 3rd party web applications which hadn’t been updated in years wouldn’t run in more modern browsers. This effectively forced Microsoft to continue providing support for their aging browser for years.

Human Resources

Some organizations lack the in-house personnel or expertise to roll out company-wide software updates. Again, cost can be a key factor here.

Other organizations “outsource” their IT, and rely on a 3rd party provider to keep all their software up-to-date. Most IT providers will routinely do this. However, some take the attitude that if the customer doesn’t know – or isn’t asking – about updating software on their systems, then why do it?

Business Interruption

Some organizations are concerned that a large-scale, company-wide roll-out of a software update could cause “down-time” or other unintended issues. This may in turn affect staff’s ability to do their work.

A “phased” upgrade approach – rather than updating every device at the same time – may be more sensible. However, this approach could result in compatibility issues if some staff are using a newer version of certain software, at the same time that other staff are still using the older version.


We suspect in the PHE case, the key factor inhibiting upgrading from 13+ year old software was cost.

When it comes to publicly-funded health services, the general public would rather their taxes be spent on front-line services, rather than on back-end computer systems and software.

As this case has highlighted though, running obsolete software can potentially put people’s lives at risk!

Why keep your MIDAS system up-to-date?

We know many of our self-hosted customers continue to run obsolete and outdated versions of our MIDAS room booking software.

We’ve been developing our software for over 15 years now, and regularly release software updates. Yes, we’re aware that there are some very old MIDAS systems still in operation.

We strongly encourage all customers to keep their MIDAS systems up-to-date.

For our cloud-hosted customers, we do this for you! You’ll always be running the most recent version of our software, as we seamlessly keep your system updated.

For self-hosted customers, you can quickly check for updates with just a couple of clicks. Simply login to your system and go to MIDAS Admin Options → Manage MIDAS → Update.

You’ll need an active Support Subscription in order to obtain updates. If you don’t have a subscription, or your subscription has elapsed, you can quickly purchase/renew at mid.as/renew.

Updating means that you’ll have access to all the very latest new and improved features. More importantly, ensuring you’re running the most recent version means you’re not missing out on any important security patches and updates to keep your MIDAS system safe & secure.

We’d therefore like to encourage all self-hosted customers to take a few moments to check your MIDAS system is up-to-date.


Improved Password Hardening

For MIDAS v4.26 we’re improving the password change process for users, with the introduction of a new “Disallow Known Breached Passwords” admin setting:

Disallow Known Breached Passwords in MIDAS

With this setting enabled, whenever a user changes their password MIDAS checks that it doesn’t appear in any known online data breaches.

Have I been Pwned?

This feature utilizes the popular 3rd party “Have I Been Pwned” service. This is a database of more than half a billion passwords which have previously been exposed in various data breaches.

Don’t worry though, your actual password is never sent to the “Have I Been Pwned” service. Here’s how it works:

  1. You enter a desired new password in MIDAS.
  2. MIDAS creates a cryptographic “hash” (SHA-1) of the password you entered. The first five characters of this hash are sent to the Have I Been Pwned service.
  3. If hashes with the same first five characters are found in the Pwned Passwords repository, the Have I Been Pwned service responds with all these hashes.
  4. MIDAS sifts through the received hashes to see if there’s a complete match with the full SHA-1 hash of your new password.
  5. If a match is found, your desired password has appeared in at least one public data breach. MIDAS will then display an alert and ask you to enter a different password.

The Change Password dialog in MIDAS
The chosen password isn’t considered secure as it appears in other online data breaches
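The five steps above, worked through as an added example that is not MIDAS’s own code: the password is hashed locally, only the first five hex characters of the SHA-1 go to the service, and the 35-character suffix is matched on the client. The range response used here is a constructed offline stand-in (one real suffix, that of the word “password”, plus made-up lines and counts); the live fetcher assumes the public range endpoint and is not exercised.

```python
import hashlib
import urllib.request

def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the candidate password (step 2 above)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def split_hash(digest: str):
    """5-char prefix that is sent to the service, 35-char suffix that never leaves the client."""
    return digest[:5], digest[5:]

def fetch_range_live(prefix: str) -> str:
    """Real k-anonymity range query (assumed endpoint; the demo below uses the offline stub)."""
    with urllib.request.urlopen(f"https://api.pwnedpasswords.com/range/{prefix}") as resp:
        return resp.read().decode("utf-8")

def breach_count(password: str, fetch_range=fetch_range_live) -> int:
    """Steps 2 to 5: hash locally, send only the prefix, match the suffix locally.
    Returns the breach count for the password, or 0 if it is not in the range."""
    prefix, suffix = split_hash(sha1_hex(password))
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count or 0)
    return 0

def password_acceptable(password: str, fetch_range=fetch_range_live) -> bool:
    """Policy from the post: reject any password that appears in a known breach."""
    return breach_count(password, fetch_range) == 0

# Constructed offline stand-in for the service: one "SUFFIX:COUNT" line per hash whose
# first five hex characters match the requested prefix. The middle suffix is the real
# SHA-1 suffix of the word "password"; the other suffixes and all counts are made up.
CONSTRUCTED_RANGES = {
    "5BAA6": "00A1B2C3D4E5F60718293A4B5C6D7E8F901:2\r\n"
             "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
             "FFEE0011223344556677889900AABBCCDDE:1\r\n",
}
REQUESTED_PREFIXES = []   # records what would have gone over the wire

def fetch_range_offline(prefix: str) -> str:
    REQUESTED_PREFIXES.append(prefix)
    return CONSTRUCTED_RANGES.get(prefix, "")

if __name__ == "__main__":
    for pw in ("password", "a-long-passphrase-not-in-the-stub"):
        print(pw, "rejected" if not password_acceptable(pw, fetch_range_offline) else "ok")
    print("sent to service:", REQUESTED_PREFIXES)   # only 5-char prefixes, never the password
```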

The new “Disallow Known Breached Passwords” setting in MIDAS will be enabled by default. It can readily be enabled/disabled via MIDAS Admin Options → Manage MIDAS → Security.

We’re passionate about security, and this latest improvement is just one of the ways we help keep your account and MIDAS system secure.

Interested in learning more about security in your MIDAS system? Try these links…


Introducing our new Security Center

We take a transparent and pro-active approach to the security of our infrastructure and software. In fact, earlier this month we published details of how user passwords are stored within MIDAS following a data breach at one of our competitors. We also implement regular security enhancements to our software.

No technology is perfect, but here at MIDAS we believe that working with skilled security researchers across the globe is crucial in helping identify potential weaknesses in our software and infrastructure.

That’s why this week, we’re pleased to launch our new dedicated Security Center at security.midas.network

From this dedicated portal, you can …

Report a Security Concern or Vulnerability

We work alongside researchers who responsibly disclose security issues, to address such concerns and vulnerabilities in a timely manner. Our Reporting Guidelines page offers guidance for security researchers wishing to raise a concern with us.

Contact our Security Team

Our security contact page provides methods of getting in direct contact with our security team to raise a security concern in our software or infrastructure.

Read the latest Security Advisories

If a serious concern within our software or infrastructure is identified, we may issue a “Security Advisory” containing advice for customers and end-users. We will publish Active Security Advisories here: security.midas.network/advisories.

View our latest Security Audits

As part of our transparent approach to security, we’ve included a “Security Audits” section in our Security Center. Here you’ll find reports and results from both internal and external security audits on our software and infrastructure.

View our Security Changelog

Until now, we’ve been publishing two “change logs” (or “Release Notes”). One for significant major updates to our software, at mid.as/changelog. The other details interim “bug fix” updates, and may be found at mid.as/updates.

Avid readers of these change logs may notice on occasion the entry “Security Enhancements”. These are improvements we make to the security of our software, but which we typically don’t publish details of.

However, more information on these “Security Enhancements” will now be published in the Security Changelog in our Security Center. The log will also include details of security updates and improvements to our network and server infrastructure too.

View our Security “Hall of Fame”

We appreciate the time and effort that security researchers contribute. So we’ve set up a “Credits” page where we gratefully acknowledge and thank those who help keep MIDAS and our users safe.