Archive for July, 2020

In these unprecedented times, many organizations were forced to suspend their operations for the past several months. However, some are now beginning to take the first tentative steps towards reopening.

For most businesses who manage and hire out their facilities, this means making some fundamental adjustments to the way they operate.

So we wanted to share some tips on how to get the most out of your MIDAS booking system as your business navigates the road ahead…

1. Allow more staff to work from home

One of the benefits of cloud-based software like MIDAS, is that it can be accessed from anywhere with an internet connection.

Access your hosted MIDAS system from home
Access your hosted MIDAS system from home

This means that your administrative staff can log into your organization’s hosted MIDAS system remotely from home, just as if they were in their office at work.

“Remote Working” or “WFH” (Work From Home) is fast becoming the new norm. Many businesses are actively encouraging their staff to do so for at least the rest of 2020.

A cloud-hosted MIDAS system helps make this possible by allowing your staff to securely access your booking system from wherever they are.

If you currently run a self-hosted MIDAS system behind a proxy/firewall, please contact your IT admins. They should be able to arrange remote access to your MIDAS system.

2. Limit venue (room) capacities

Maintaining adequate social/physical distancing prevents arguably one of the biggest challenges when it comes to hiring out rooms and facilities.

When first setting up your “venues” (rooms/bookable spaces) in MIDAS, your administrator will have defined a maximum occupancy level (capacity) for each. This is the maximum number of people that each space can safely accommodate at any give time. These limits are enforced by MIDAS whenever new bookings are added and when a number of attendees are specified.

Limit the number of persons allowed in each space
Limit the number of persons allowed in each space

In this new age of social/physical distancing, it’s likely you’ll need to review the number of people allowed in each space at any one time.

MIDAS makes it easy really to adjust the maximum capacity of each of your venues. You’ll find this setting via MIDAS Admin Options → Manage Venues → [select venue(s)] → Capacity:

Setting a maximum occupancy (capacity) for each venue
Setting a maximum occupancy (capacity) for each venue

For more information, please refer to the help documentation.

You may also wish to consider enforcing the entering of the number of attendees for every booking. By default, the “Attendees” field on the Add Bookings screen is optional (i.e. it can be left blank). To make this a required field, go to MIDAS Admin Options → Manage MIDAS → Fields → Booking Fields. On this screen, tick the “Required” box for the Attendees field:

Make the "Attendees" field mandatory
Make the “Attendees” field mandatory

For more information, please refer to the help documentation.

3. Limit overall site occupancy

In addition to being able to set maximum occupancy levels for each room/space, MIDAS also allows setting a “global” (site-wide) occupancy limit too.

MIDAS can warn you if the total number of people across all your facilities at any one time would exceed a threshold. It can also prevent further bookings if the total number of people on site exceeds a set threshold.

Keep track of the total number of people on your premises at any given time
Keep track of the total number of people on your premises at any given time

You’ll find these settings via MIDAS Admin Options → Manage MIDAS → Safety.

For more information, please refer to the help documentation.

4. Allow bookings (or booking requests) to be made online

Did you customers used to make bookings in person with your receptionist or office staff?

Did you know that MIDAS includes as standard both “Public Booking Request” and “Public Web Booking” features?

These public-facing features can help reduce face to face contact between your staff and customers.

Allow customers to check room availability and book/request online
Allow customers to check room availability and book/request online

The Public Booking Request feature allows your customers to check availability of your rooms and submit booking “requests” online from the comfort of their own homes. Received booking requests can then be quickly approved/rejected by an administrator with just a few clicks.

For more information, please see our “How to make public web requests” video tutorial.

The Public Web Bookings feature is similar to the Public Booking Request feature, but allows your customers to make direct bookings online (rather than just booking “requests”). They can also pay for their bookings directly at time of booking.

For more information, please see our “How to make public web bookings” video tutorial.

The Public Booking/Request features may be enabled via MIDAS Admin Options → Manage MIDAS → Public.

5. Allow clients to pay their invoices online

If you use the extensive Invoicing capabilities of MIDAS, how do you clients normally pay you? If it’s by physical cash, did you know that MIDAS supports online invoice payments?

Allow customers to pay their invoices online
Allow customers to pay their invoices online

This feature may be enabled via MIDAS Admin Options → Manage MIDAS → Invoicing → Online Payments.

For more information, please see our “How to pay an invoice online” video tutorial, or the help documentation.

6. Keep your clients and users informed

MIDAS allows you to edit and customize a wide variety of “templates”.

These templates may be customized via MIDAS Admin Options → Manage MIDAS → Templates.

Customizable Templates in MIDAS
Customizable Templates in MIDAS

Here’s a few useful templates to highlight:

The “Welcome Note” template can be used to provide information or a custom message to users on their MIDAS login screens. This is a great way to let your staff know of any important changes.

The “Public: Web Requests” and “Public: Web Booking” templates can be used to provide information or updates to your customers on Public Booking/Request screens.

The “Email: Booking Reminder” template can be used to include important information for your customers in advance of their next visit. For instance, if they are required to wear a face covering/mask on your premises, you could let them know via email before their bookings take place.

You can enable and configure how far in advance Booking Reminder email notifications are sent to customers via MIDAS Admin Options → Manage MIDAS → Scheduled Tasks.

For more information on customizing templates in MIDAS, please see our “How to customize templates” video tutorial, or the help documentation.


We hope the above tips are useful in helping your organization to adapt and adjust going forward.

Remember, that if your business operations are still adversely affected by the current situation, we’re here to help!


Introducing our new Security Center

We take a transparent and pro-active approach to the security of our infrastructure and software. In fact, earlier this month we published details of how user passwords are stored within MIDAS following a data breach at one of our competitors. We also implement regular security enhancements to our software.

No technology is perfect, but here at MIDAS we believe that working with skilled security researchers across the globe is crucial in helping identify potential weaknesses in our software and infrastructure.

That’s why this week, we’re pleased to launch our new dedicated Security Center at security.midas.network

From this dedicated portal, you can …

Report a security concern or vulnerability

We work alongside researchers who responsibly disclose security issues, to address such concerns and vulnerabilities in a timely manner. Our Reporting Guidelines page offers guidance for security researchers wishing to raise a concern with us.

Contact our Security Team

Our security contact page provides methods of getting in direct contact with our security team to raise a security concern in our software or infrastructure.

Read the latest Security Advisories

If a serious concern within our software or infrastructure is identified, we may issue a “Security Advisory” containing advice for customers and end-users. We will publish Active Security Advisories here: https://security.midas.network/advisories.

View our latest Security Audits

As part of our transparent approach to security, we’ve included a “Security Audits” section in our Security Center. Here you’ll find reports and results from both internal and external security audits on our software and infrastructure.

View our Security Changelog

Until now, we’ve been publishing two “change logs” (or “Release Notes”). One for significant major updates to our software, at https://mid.as/changelog. The other details interim “bug fix” updates, and may be found at https://mid.as/updates.

Avid readers of these change logs may notice on occasion the entry “Security Enhancements“. These are improvements we make to the security of our software, but which we typically don’t publish details of.

However, more information on these “Security Enhancements” will now be published in the Security Changelog in our Security Center. The log will also include details of security updates and improvements to our network and server infrastructure too.

View our Security “Hall of Fame”

We appreciate the time and effort that security researchers contribute. So we’ve set up a “Credits” page where we gratefully acknowledge and thank those who help keep MIDAS and our users safe.


MIDAS v4.25 Out Now!

If you’ve been following our blog in recent weeks, then you’ll know that we’ve been busy during the UK lockdown. We’ve been hard at work at our next update to MIDAS v4.25, which is out now! For this update we’ve added dozens of new features and improvements, which we’re really excited about!

Highlights of MIDAS v4.25 include:

How To Get MIDAS v4.25…

New To MIDAS?

We continue to be committed to fair and accessible pricing for all organizations regardless of size.

We’re totally upfront and transparent about our pricing structure, and you can purchase MIDAS v4.25 securely through our website and be up and running in no time!

“Self Hosted” Customers:

Self-Hosted customers with active Support Subscriptions will be able to update to v4.25 in the coming weeks. It only takes a couple of clicks – simply log in to your MIDAS system and go to MIDAS Admin Options → Manage MIDAS → Update.

If no update is available, please check back again in a few days time, as we are staggering updates for self-hosted customers over the next few weeks.

“Cloud Hosted” Customers:

Cloud-Hosted customers don’t need to do anything! – All our active Cloud-Hosted MIDAS customers were automatically updated to this latest version of MIDAS this past weekend (4-5th July)

Important Information For Existing Customers Regarding Invoicing in v4.25

We’ve made some changes to invoicing in MIDAS for v4.25, and we’d like to draw your attention to one specific change;

If you’ve previously manually created or modified invoices in your MIDAS system, and in doing so altered totals with the auto-recalculation option disabled, then your previous invoices may look slightly different after being updated to v4.25.

You may see the addition of balancing items or balancing credits listed on previous invoices. These may be added in some instances to ensure that the items appearing on each invoice match the invoice’s total.

For more information on this, please see our KB article: What are balancing items or credits on invoices?

If you have invoices where you’ve modified line totals without allowing MIDAS to correctly recalculate the grand total, and you wish to retain these invoices their current state (without balancing items/credits being applied), we suggest that you print these invoices prior to updating to v4.25.

It is important to note however that the presence of balancing items or credits on previous invoices will not affect an invoice’s total.

Should you have any questions or concerns in this regard, please don’t hesitate to reach out to us, and we’d be happy to help!


Thank you for your continued support of our software during this unprecedented period of global uncertainty. Please remember that if you’re an existing customer affected by the current situation, we’re here to support you!


Earlier this week one of our competitors revealed that they had suffered a significant data breach. As part of this breach, “hashes” of their user’s stored passwords were obtained. The vendor asserts that user passwords were hashed using “an irreversible hashing algorithm based on SHA256“. Some security experts question just how secure SHA256 is by today’s modern security standards. Indeed, SHA256 hasn’t been considered “best practice” for password storage for some time.

So in light of the recent breach at one of our competitors, we thought we’d provide an in-depth look into how own approach to password storage has continuously evolved over the years…

December 2005

We first began work on our MIDAS room booking software back in 2005. In those days the threat of passwords being stolen was relatively low. The majority of websites and web applications simply stored passwords in plain text. It was also common place to allow a user to “recover” a password that they’d forgotten. In order to achieve this, passwords needed to be stored in a simple manner (such as plain text) which allowed them to be easily retrievable.

In those early days of our software, this is also how user’s passwords were initially stored within a MIDAS system. Passwords were stored in plain text, in files with a .dat extension. The “.dat” extension was chosen as back then, most web servers didn’t know how to handle these files. As such, .dat files were typically not accessible through a web browser. This provided a certain degree of security, in that the only way to view the contents of these files would be for a hacker to gain unauthorized server access.

September 2009

A few years later (for MIDAS v2), we improved password storage by instead “encoding” passwords in these .dat files. No longer were passwords stored in “plain text” but were instead stored in an “obfuscated” way. This made them difficult for humans to read, but still allowed MIDAS to “decode” and “un-obfuscate” them. In turn, this allowed user’s to recover their original password if they forgot it.

The process for validating passwords in v2 was essentially: Does the raw password entered by the user match the decoded/un-obfuscated stored password?

August 2012

Now, “encoding” is not the same as “encryption”. Consequently, in keeping with the times, in 2012 with the release of MIDAS v4, we completely overhauled password storage in our software.

We implemented a cryptographically secure and randomly salted one-way “hashing” algorithm, named “SHA-512“.

A “salt” is a generated string added to each password as part of the hashing process. A random salt means an attacker would need to crack hashes one at a time using the respective salt, rather than being able to calculate a hash once and compare it against every stored hash. This makes cracking large numbers of hashes significantly harder, as the time required grows in direct proportion to the number of hashes.

“Hashing” passwords in this way was far more secure, as the passwords themselves were never stored, only their resulting “hashes”. This made it technically impossible to “retrieve” an original password from a password “hash”. As such, the ability for users to be able to “retrieve” a forgotten password was lost. Instead, if a user forgot their password, the only option now would be to reset it. Their original password couldn’t be recovered.

In 2012, SHA-512 was widely considered “best practice” as one of the most cryptographically secure ways of dealing with passwords.

The process for validating passwords in v4 was essentially: SHA-512 hash the raw password entered by the user and compare this with the previously stored password hash to check they match.

Version 4 of MIDAS also introduce further enhancements in relation to password security; the ability for user accounts to be automatically locked after several failed login attempts.

This was important, as it helped prevent “brute force” password attacks.

A “brute force” attack is when a large number of passwords are tried until the correct one is found. Sometimes referred to as a “dictionary attack”, a malicious hacker would apply a “word list” of thousands if not millions of words and word combinations to login forms.

By limiting the number of incorrect login attempts that are allowed before a user account becomes automatically “locked out”, the threat of “brute force” attacks on a user’s account was mitigated.

September 2015

With the release of MIDAS v4.10, we introduced optional two-factor authentication (2FA) to the login process.

April 2016

As mentioned earlier, SHA-512 hashes introduced with MIDAS v4 were “randomly salted” to further increase their security. In order to generate these random salt, MIDAS utilized the built-in “rand()” function of Perl (Perl is the coding language which MIDAS is written). “rand()” generates random numbers, but these random numbers in themselves cannot be assumed to be sufficiently random for use in cryptographic applications.

So for MIDAS v4.11, we improved the “randomness” of these “salts” by utilizing a Perl module named “Math::Random::Secure”. If this module was installed on a server where a MIDAS system resided, MIDAS would use this module to generate Cryptographically-secure random numbers for use as SHA-512 salts.

July 2016

In July 2016 to coincide with the release of MIDAS v4.13 we introduced a password “block list” in MIDAS. The top 1000 most common passwords in use around the world are now banned from being used in MIDAS.

In addition, we also prevented using passwords considered “very weak”.

April 2017

The world of cryptography is changing all the time. Whilst our software has been in active development for over 15 years, we’ve continued to take a pro-active approach to security, including password storage.

That’s why in April 2017 (starting with MIDAS v4.15) we migrated from using SHA-512 to the more the modern and even more secure “bcrypt” for password storage.

Why did we do this?

Well, even though SHA-512 was still considered “secure”, its hashing algorithm is designed to be fast.

But surely faster is better?!

No! When it comes to password hashing, slower is actually better! We’ll explain why…

As hashing is “one way”, original passwords can’t be “recovered” from a resulting password hash. Instead, in order to validate a password it must itself first be hashed and the resulting hash compared to the stored hash.

Let’s assume that a malicious hacker were to obtain a password hash. If the hashing algorithm used was computationally “fast”, it would allow a computer to potentially compute the hashes of hundreds or thousands of passwords every second. It therefore wouldn’t necessarily take a powerful computer that long to “find” the original password if the user used a weak password.

“bcrypt” is different. It is computationally expensive. That means it takes a significant length of time to compute each hash.

As technology improves, computing power generally doubles every 18 months. This is known as Moore’s Law.

bcrypt takes this into account by allowing control over how “computationally expensive” its hashing is. This is know as its “work factor”. MIDAS v4.15 introduced a bcrypt work factor of 10, as this was widely considered by security expects to be sufficient at the time.

July 2020

Three years later, and the current accepted “best practice” has evolved as computers have become more powerful. A “work factor” of 12 is now recommended.

The time taken to compute a bcrypt hash effectively doubles with each increase in work factor – so a work factor of 11 would take twice as long to compute a hash for than a work factor of 10.

As such for MIDAS v4.25, we’re transparently increasing the bcrypt work factor from 10 to 12. User’s won’t see any difference, as stored password hashes will be automatically migrated.

For v4.25 we’re also banning passwords considered “weak” in addition to “very weak”.

We’re also dropping usage of the “Math::Random::Secure” Perl module introduced with MIDAS v4.11 in 2016. MIDAS has been utilizing the “Math::Random::Secure” module where available to ensure that random numbers generated by MIDAS were cryptographically secure.

Whilst the module still functions, its developers haven’t updated it in over three years. “Math::Random::Secure” also depends upon another module (Crypt::Random::Secure), which itself depends upon another module (Any::Moose) which has since been deprecated.

So for this reason, and also for performance reasons, MIDAS v4.25 now defaults to using the more modern module “Crypt::PRNG” where available instead.

Summary

We take a very open and pro-active approach to security.

As you can see from the timeline we’ve outlined above, password storage and security has significantly evolved over the past decade and a half within our software. It will continue to evolve in the future too. What’s considered “cryptographically secure” in today’s world may not still be so in a few years time. We’ve moved with the times and we’ll continue to do so.

If you’re considering a new room booking system, or indeed any other web/cloud based software or service; make sure you ask the vendor about their approach to password security and storage!

If the vendor won’t tell you how passwords are stored… for “security reasons” – challenge them! (or run a mile!) “Security through obscurity” simply isn’t good enough! If a vendor is storing passwords correctly and securely, they should have no concerns outlining the method by which they are doing so.

If a vendor is still storing passwords using “Legacy Algorithms” (like SHA-256) – challenge them to move to modern algorithms instead!

Data Breaches are sadly an increasingly common part of life. The best thing software vendors can do (aside from taking steps to prevent breaches in the first place) is to ensure sensitive data like passwords are securely encrypted in ways that would make the data worthless to hackers were it ever to be obtained.