Posts Tagged: security

Improved Session Control

The next update to our web based room booking and resource scheduling software is fast approaching. Throughout this month we’re giving you a “first look” at some new features and improvements coming in MIDAS v4.11.

We take a proactive approach to security here at MIDAS, so we’re excited to provide you with greater control over your sessions in v4.11.

If the multi-session (Allow Multiple Logins By Users) feature has been enabled for your MIDAS system, you can be logged in to your scheduling system from multiple devices simultaneously.

With this option enabled, whenever you’re logged in you’ll be able to click your name near the top of your screen to see a list of all the devices/browsers you’re currently logged in from:

Session Control

The list will show when the last activity in MIDAS occurred from each device, as well as indicating the device’s IP and Browser/OS. The highlighted entry denotes your current session.

You can remotely log out any of these sessions by clicking/tapping the device’s adjacent “x” icon.

Other session improvements

We’ve also made a couple of other improvements in relation to sessions for v4.11:

Firstly, when changing your password, all other active sessions you’re currently logged into (on any of your devices) will automatically be logged out, so that anyone who had obtained your old password or one of your existing sessions is cut off.

Secondly, we’ve provided a new administrative setting which forces accounts to be logged out once they’ve been logged in for a set length of time, regardless of whether there has been any recent account activity. This complements the existing setting which automatically logs sessions out once they become “idle”. The idle timeout is reset by every request the browser makes, so a user running a browser extension/addon which periodically refreshes their browser window never reaches it and can effectively remain logged into MIDAS “indefinitely”. The new “Always force logout after X hours” setting closes that gap: even if the browser window is refreshing regularly, the session will still be ended once it has been logged in for more than the configured period (1-24 hours).
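The session behaviour described above (the per-user session list, remote logout of one device, logout-everywhere-else on password change, and an absolute lifetime that a page-refreshing add-on cannot extend) as an added example in Python. This is illustration code written for this page, not MIDAS’s own implementation; the class names, the in-memory store, the injected clock, and the sample users, addresses and timeouts are all assumptions made for the example.

```python
"""Added example: server-side session control with an idle timeout, an absolute
lifetime, a per-user session list, remote logout and logout-everywhere-else on
password change. Not MIDAS code; all names and values are illustrative."""
import secrets
from dataclasses import dataclass


@dataclass
class Session:
    sid: str             # high-entropy identifier carried in the session cookie
    user: str
    ip: str
    user_agent: str      # shown to the user as "Browser/OS" in the session list
    created: float       # epoch seconds at login
    last_seen: float     # epoch seconds of the most recent request on this session


class SessionStore:
    """In-memory store (a deployment would use storage shared by all web workers)."""

    def __init__(self, idle_timeout, absolute_timeout, clock):
        self.idle_timeout = idle_timeout          # seconds allowed without any request
        self.absolute_timeout = absolute_timeout  # seconds since login, activity or not
        self.clock = clock                        # returns "now"; injected for deterministic tests
        self._sessions = {}

    def login(self, user, ip, user_agent):
        now = self.clock()
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(sid, user, ip, user_agent, now, now)
        return sid

    def touch(self, sid):
        """Validate on every request. Returns the Session, or None (and drops it) when it
        is unknown, idle for too long, or past its absolute lifetime. A request resets
        only the idle clock; the absolute clock never moves."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self.clock()
        if now - s.last_seen > self.idle_timeout or now - s.created > self.absolute_timeout:
            del self._sessions[sid]
            return None
        s.last_seen = now
        return s

    def list_for(self, user):
        """What the 'click your name' list shows: every live session of this user."""
        return sorted((s for s in self._sessions.values() if s.user == user),
                      key=lambda s: s.created)

    def revoke(self, sid):
        """The 'x' icon next to a device: remote logout of a single session."""
        return self._sessions.pop(sid, None) is not None

    def password_changed(self, user, current_sid):
        """Log out every session of this user except the one that changed the password."""
        victims = [s.sid for s in self.list_for(user) if s.sid != current_sid]
        for sid in victims:
            del self._sessions[sid]
        return len(victims)


class FakeClock:
    """Constructed clock so the scenarios below run instantly and repeatably."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def keepalive_demo(idle_timeout=30 * 60, absolute_timeout=8 * 3600, refresh_every=5 * 60):
    """A browser add-on reloading the page every 5 minutes never trips the idle timeout,
    so only the absolute lifetime ends the session. Returns the elapsed seconds at which
    the first request was rejected."""
    clock = FakeClock()
    store = SessionStore(idle_timeout, absolute_timeout, clock)
    sid = store.login("alice", "203.0.113.7", "Firefox / Linux")   # constructed user
    while True:
        clock.advance(refresh_every)
        if store.touch(sid) is None:
            return clock.now


def password_change_demo():
    """alice changes her password from her laptop: her phone session dies, her laptop
    session survives, and bob is untouched. Returns (sessions_logged_out, phone_dead,
    laptop_alive, bob_alive)."""
    clock = FakeClock()
    store = SessionStore(30 * 60, 8 * 3600, clock)
    phone = store.login("alice", "198.51.100.2", "Safari / iOS")     # constructed sessions
    laptop = store.login("alice", "203.0.113.7", "Firefox / Linux")
    bob = store.login("bob", "192.0.2.9", "Chrome / Windows")
    logged_out = store.password_changed("alice", current_sid=laptop)
    return (logged_out,
            store.touch(phone) is None,
            store.touch(laptop) is not None,
            store.touch(bob) is not None)
```

With the defaults, `keepalive_demo()` keeps the session alive through every 5-minute refresh and only rejects it on the first request after the 8-hour absolute lifetime; raising `refresh_every` above the idle timeout shows the idle rule firing first instead. The two timeouts are deliberately independent checks on different timestamps, which is what makes the absolute lifetime immune to keep-alive traffic.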

This new setting can be accessed via MIDAS Admin Options → Manage MIDAS → Security. For more information, please see: Manage Security Settings

MIDAS v4.11 will soon be generally available, however for now it is only available to Beta Testers. We’re currently looking for additional testers to help test and provide feedback/bug reports on this and future updates to our software before release. It’s free and no experience is required. Find out more here.

If you would like to be notified when v4.11 is fully released, then why not join our Mailing List?

New Two-Factor Authentication

Two-Factor Security

We take a very proactive approach to the security of our customers’ MIDAS systems and data, and we always strive to provide administrators and users alike with a wealth of security features and settings within our software.

→ Read our Tips for keeping your MIDAS secure

We’re further enhancing the security options available in our web based room booking and resource scheduling software by introducing optional two-factor authentication in MIDAS v4.10.

Enable two-factor authentication in MIDAS

What is Two-Factor Authentication?

Traditionally, when you access a website/app/online service which requires you to “log in”, all you need to provide is your username (or email address) and a password in order to authenticate your access.

Unfortunately, many people reuse the same credentials (username/password) across multiple websites/apps/online services. This means that if one of those services is “hacked” and suffers a data breach in which users’ credentials are exposed, an attacker could potentially use them to access every other website/app/online service on which the user has reused them.

Two-factor authentication combats this by requiring a second means of authentication, in addition to the traditional username/password combination, when you log in to the website/app/online service. This means that even if your username/password were compromised, an attacker couldn’t use these on their own to gain access to your account.

How does two-factor authentication work within MIDAS?

Without two-factor authentication enabled in MIDAS v4.10, users simply log in using their email address and chosen password. (A wealth of other customizable security features are already built into MIDAS to help prevent “brute force” attacks.)

With the new optional two-factor authentication feature enabled in v4.10, users enter their email address and password as normal, but MIDAS then emails the user a security code and presents a web page for this code to be entered. Once the user enters the code they’ve received by email, the two-step login process is complete and they will be logged into MIDAS.

Two-factor login authentication for MIDAS

This ensures that in order to gain access and login to MIDAS, a user needs to know their MIDAS credentials and also have access to their own email account to retrieve a special security code upon each login.

As such, for two-factor authentication to be an effective security tool, users should ensure that they use a unique password for their MIDAS account (i.e. one which isn’t the same as the password they use to log in to their own email account!), and should protect that email account as carefully as the MIDAS account itself (ideally with its own second factor), since whoever can read the mailbox also holds the second factor.
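The second login step described above (password verified first, a code emailed to the user, the code entered on a separate page) as an added example in Python. This is illustration code written for this page, not MIDAS’s implementation, and it adds the safeguards a practitioner would expect of an emailed code even though the post does not describe them: the code is short-lived, single use, limited to a few wrong guesses, and stored only as a keyed hash. The class names, the 6-digit/10-minute/5-attempt choices, the in-memory outbox standing in for a mail server, and the sample user are all assumptions made for the example.

```python
"""Added example: the second login step using an emailed one-time code. Not MIDAS
code; the class names, code length, lifetime, attempt limit and the constructed
mailbox are assumptions for illustration."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

CODE_DIGITS = 6
CODE_LIFETIME = 10 * 60   # seconds; emailed codes should not live long
MAX_ATTEMPTS = 5          # a 6-digit code must not be guessable by retrying


@dataclass
class Challenge:
    user: str
    code_mac: bytes       # keyed hash of the code; the plaintext is never stored
    expires: float
    attempts_left: int


class EmailSecondFactor:
    def __init__(self, server_key, send_email, clock):
        self.server_key = server_key  # held by the application only, never in the database
        self.send_email = send_email  # callable(to, body); here a constructed outbox
        self.clock = clock            # returns "now"; injected for deterministic tests
        self._pending = {}            # challenge_id -> Challenge

    def _mac(self, code):
        # HMAC with a server-side key: a dump of pending challenges alone does not
        # reveal codes, and the 6-digit space is too small for a plain salted hash.
        return hmac.new(self.server_key, code.encode(), hashlib.sha256).digest()

    def begin(self, user, email):
        """Step 2 of login, called only after the password has been verified.
        Emails the plaintext code and returns an opaque challenge id that the
        code-entry page submits back together with whatever the user typed."""
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_DIGITS))
        cid = secrets.token_urlsafe(32)
        self._pending[cid] = Challenge(user, self._mac(code),
                                       self.clock() + CODE_LIFETIME, MAX_ATTEMPTS)
        self.send_email(email, f"Your login code is {code}. "
                               f"It expires in {CODE_LIFETIME // 60} minutes.")
        return cid

    def verify(self, cid, submitted):
        """Returns the user name on success, None otherwise. Codes are single use,
        expire, and are destroyed after MAX_ATTEMPTS wrong guesses."""
        ch = self._pending.get(cid)
        if ch is None:
            return None
        if self.clock() > ch.expires:
            del self._pending[cid]
            return None
        if hmac.compare_digest(self._mac(submitted.strip()), ch.code_mac):
            del self._pending[cid]           # single use: a replayed code fails
            return ch.user
        ch.attempts_left -= 1
        if ch.attempts_left <= 0:
            del self._pending[cid]
        return None


class FakeClock:
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


def _code_from(body):
    """Pull the code out of the constructed email body (stands in for the user reading it)."""
    return body.split("code is ")[1][:CODE_DIGITS]


def _wrong(code):
    """A code guaranteed to differ from the real one."""
    return f"{(int(code) + 1) % 10 ** CODE_DIGITS:0{CODE_DIGITS}d}"


def second_step_demo():
    """Runs the second step against an in-memory outbox. Returns a dict of outcomes."""
    outbox = []
    clock = FakeClock()
    tfa = EmailSecondFactor(b"constructed-server-secret",
                            lambda to, body: outbox.append((to, body)), clock)
    results = {}

    cid = tfa.begin("alice", "alice@example.com")          # constructed user
    code = _code_from(outbox[-1][1])
    results["wrong_code_rejected"] = tfa.verify(cid, _wrong(code)) is None
    results["right_code_accepted"] = tfa.verify(cid, code) == "alice"
    results["replay_rejected"] = tfa.verify(cid, code) is None

    cid = tfa.begin("alice", "alice@example.com")
    code = _code_from(outbox[-1][1])
    clock.now += CODE_LIFETIME + 1
    results["expired_rejected"] = tfa.verify(cid, code) is None

    cid = tfa.begin("alice", "alice@example.com")
    code = _code_from(outbox[-1][1])
    for _ in range(MAX_ATTEMPTS):
        tfa.verify(cid, _wrong(code))
    results["locked_after_guesses"] = tfa.verify(cid, code) is None
    return results
```

The challenge id is what ties the code-entry page back to the password step, so it must be as unguessable as a session id; the code itself only has to survive for the few minutes it takes to read an email, which is why the lifetime and attempt limit, not the length of the code, carry most of the security.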

For more information on the existing security settings and features available within MIDAS, please see: //mid.as/help/manage-security-settings

Want to help shape and improve future MIDAS updates? Then why not consider becoming a Beta Tester? – it’s free, there’s nothing to install, and no technical knowledge is required!

Our Response to “Heartbleed”

OpenSSL Heartbleed Vulnerability

As many of you may already be aware, information was released on Tuesday this week about a major Internet vulnerability widely referred to as “Heartbleed”.

This vulnerability affected OpenSSL, a widely used cryptography library which provides the TLS (“SSL”) encryption that protects passwords and other sensitive information in transit on around two-thirds of all websites on the Internet.

Many popular websites, including Twitter, Yahoo!, Gmail and Facebook, were found to be vulnerable to Heartbleed, which if exploited could reveal the contents of a server’s memory, including passwords, session cookies, other sensitive information and even the server’s own private key.

“Your popular social site, your company’s site, commerce site, hobby site, site you install software from or even sites run by your government might be using vulnerable OpenSSL”, reveals the website devoted to explaining the bug.

Whilst many of these websites have now been updated/patched against Heartbleed this week, the vulnerability itself (CVE-2014-0160) has been present in OpenSSL since version 1.0.1 was released in March 2012, affecting every 1.0.1 release up to and including 1.0.1f. It only came to light and was publicly disclosed this week, with the fix shipping in OpenSSL 1.0.1g.

Our MIDAS servers run OpenSSL. We have no reason to believe that the vulnerability has been exploited to compromise the integrity or confidentiality of any of our services or of our users’ data. Even so, because a Heartbleed attack is hard to detect (a malicious heartbeat request leaves nothing in normal web server logs), we’re taking a very broad view of the potential exposure and have responded accordingly.

What has MIDAS done in response?

We’ve been proactive in making sure that our users’ data and accounts are kept safe. Specifically:

  • Our servers have been patched.
    As of Wednesday 9th April 03:33 UTC, all of our servers have been updated to a version of OpenSSL which contains the Heartbleed fix.

  • We’ve replaced the TLS/SSL private keys and certificates for our public *.mid.as servers.
    Because Heartbleed could expose a server’s private key from memory, patching alone is not enough. As of Thursday 10th April 21:51 UTC all of our public servers are using newly-generated keys and certificates. Additionally, we’ve asked AlphaSSL to revoke our old certificates, just to be on the safe side.

What can you do?

We have no reason to believe that the Heartbleed vulnerability has been exploited to compromise the integrity of any of our services or of our users’ data. Even so, if we “host” your MIDAS and you want to be extra careful, you can change your MIDAS password at any time, once logged in, via the “Change Password” link near the top of your MIDAS screen. Now that our servers are patched and using new keys, a new password cannot be exposed the same way; note that changing a password on a site which has not yet been patched gains nothing, as the new password could be leaked just as the old one was.

Here are some handy tips for creating better passwords:

MIDAS Password Security Settings

  • Avoid using the same password for multiple websites
  • Make your passwords at least 8 characters (longer is better)
    – In MIDAS, you can enforce a minimum password length for users via MIDAS Admin Options → Manage MIDAS → Security → Minimum Password Length

  • Include a mixture of numbers, upper & lowercase letters, and symbols in your password
    – MIDAS can randomly generate such passwords for users, via MIDAS Admin Options → Manage Users & Permissions → [select user] → Password → Random.

  • Avoid complete words
  • Avoid common passwords such as “123456” and “password”