Tag Archive: security

Disabling TLS 1.0 in early 2017

TLS stands for “Transport Layer Security” and is a cryptographic mechanism used to facilitate secure connections and communications over the internet. Several incarnations of the TLS protocol have been developed over the years (1.0, 1.1, and 1.2), with 1.0 being the oldest and now approaching the ripe old age of 18!

TLS 1.0 is now considered a “legacy protocol” and “weak” by today’s cryptographic standards, as it is susceptible to several vulnerabilities. Modern web browsers automatically default to preferring TLS 1.2 or TLS 1.1 over legacy TLS 1.0 connections; however, some older browsers do not support the more modern and secure TLS 1.1/1.2 protocols.

As part of our ongoing commitment to security, in early 2017 we intend to drop support for legacy TLS 1.0 connections to our client servers. The vast majority of users will be unaffected by this change, but if you’re using an older web browser/operating system, you may need to update.

The minimum browser requirements for MIDAS v4.14 (and later) have also been updated accordingly.

The following table of web browsers provides additional guidance as to any action you may need to take to ensure you can continue to access our site/your hosted MIDAS system in 2017:

Browser | Version | Comments
Microsoft Internet Explorer | 11 | OK (If you see the “Stronger security is required” error message, you may need to turn off the “Use TLS 1.0” setting via Internet Options → Advanced)
Microsoft Internet Explorer | 9-10 | OK when running Windows 7 or newer (however, you’ll need to enable TLS 1.1 and TLS 1.2 in Internet Explorer by selecting the “Use TLS 1.1” and “Use TLS 1.2” boxes via Internet Options → Advanced). Upgrade Required on Windows Vista, XP and earlier (these are incompatible and cannot be configured to support TLS 1.1 or TLS 1.2 – please update your operating system)
Microsoft Internet Explorer | 8 (or lower) | Please update to a more recent version of Internet Explorer
Microsoft Edge | All Versions | OK – No action required
Mozilla Firefox | 27+ | OK – No action required
Mozilla Firefox | 23-26 | OK (Use about:config to enable TLS 1.1 or TLS 1.2 by updating the security.tls.version.max config value to 2 for TLS 1.1 or 3 for TLS 1.2)
Mozilla Firefox | 22 (or lower) | Please update to a more recent version of Firefox
Google Chrome (Desktop) | 38+ | OK – No action required
Google Chrome (Desktop) | 22-37 | OK – No action required (Provided you’re running Windows XP SP3, Vista, or newer, or OS X 10.6 (Snow Leopard) or newer)
Google Chrome (Desktop) | 21 (or lower) | Please update to a more recent version of Chrome
Google Chrome (Mobile) | Android 5.0+ (Lollipop) | OK – No action required
Google Chrome (Mobile) | Android 4.4.x (KitKat) | Device Dependent (Some Android 4.4.x devices may not support TLS 1.1 or higher. Please refer to your device manufacturer if unsure)
Google Chrome (Mobile) | Android 4.3 (Jelly Bean) (or lower) | Please update to a more recent version of Android
Apple Safari (Desktop) | 7+ | OK – No action required
Apple Safari (Desktop) | 6 (or lower) | Please update to a more recent version of Safari
Apple Safari (iOS) | iOS 5+ | OK – No action required
Apple Safari (iOS) | iOS 4 (or lower) | Please update to a more recent version of iOS

Important Information For Hosted API users:

If you’re a cloud-hosted MIDAS customer utilizing the optional MIDAS API, please ensure that your applications and the underlying programming language you develop in can support (and are correctly configured for) TLS 1.1/1.2 connections. For instance, Java 6 (1.6) and lower and .NET 3.5 and lower don’t support TLS 1.1/1.2.
If your applications/programming languages do not support at least TLS 1.1, your MIDAS API calls will begin to fail in early 2017 once we disable TLS 1.0.
Please refer to the vendor of your programming language if you’re unsure whether it supports TLS 1.1/1.2, or for assistance enabling such support in your development environment.

UPDATE: April 2017

In advance of dropping TLS 1.0 support across our entire network this year, we’ve initially dropped TLS 1.0 support on our dedicated Service Status site. If you’re not sure whether or not you’ll still be able to access your hosted MIDAS system once TLS 1.0 support is dropped in the near future, please visit https://midas.network. If you’re able to visit this site without issue, then you’ll still be able to access MIDAS going forward.

Security Enhancements in MIDAS v4.13

If you’ve been following our blog, you’ll already know that we’ve been busy putting the finishing touches to the next update to MIDAS. Whilst each new version of our world class room booking and resource scheduling software includes exciting new and improved features and functionality, we’re also proactively committed to providing a secure scheduling solution for your organization.

To that end, MIDAS v4.13 includes a number of security enhancements which we’ll outline below…

15-Point Security Audit

We’re including an on-demand security audit with v4.13, which administrators may access via MIDAS Admin Options → Manage MIDAS → Security. The audit, when run, will test a number of key metrics of your MIDAS system (including your MySQL setup, MIDAS files, and recommended MIDAS settings) and provide a detailed report with appropriate advisories for improving the security of your MIDAS system:
[Screenshot: 15-Point Security Audit]

Password “Blacklist”

MIDAS v4.13 includes a list of passwords that are considered banned/blacklisted and therefore cannot be used by users when specifying a new password or changing an existing password. By default, the blacklist contains the Top 1000 most common passwords of 2016, such as “123456”, “password”, “qwerty”, etc.
For our self-hosted customers, the list of banned passwords is also editable (via the “bannedpw.dat” file within your MIDAS installation), allowing you to add/remove banned passwords.

Improved clean-up of Temporary Logs

MIDAS has included a “Keep temporary logs for x days” setting for many years. This setting has previously defined how long entries persist in the “Recent Activity” log (an audit log which records all user activity within MIDAS). For v4.13 we’ve extended the functionality of this setting to also cover the persistence of log files which MIDAS may create from time to time – for instance, a log file is created if there are issues upgrading MIDAS from a previous version, or issues when importing data from another application, or when logging of API calls is enabled, etc. Whilst these log files would previously have been retained until manually removed, the “Keep temporary logs for x days” setting will now ensure that these files are also removed after the specified period of time.

“Minimum” Minimum Password Length

MIDAS has also included a “Minimum password length” setting since its inception. This setting allows administrators to set a minimum password length for all user passwords. Starting with v4.13 it will no longer be possible to set this value to less than 5 characters.

Password Strength Indicator

Our password strength indicator has been a feature for administrators creating new user accounts since v4.07. For v4.13, we’ve also made this useful visual indicator available whenever an end-user changes their password. The visual indicator classifies the password as either “Very Weak”, “Weak”, “Fair”, “Good” or “Strong” as you type, with a corresponding color to match (i.e. Red = Very Weak, Orange = Fair, Green = Strong). This classification is based upon a number of factors, including the length of the password, the presence of upper and lower case letters as well as numbers and special characters, and whether the password has been blacklisted/banned.
We hope the addition of this visual indicator for end-users will help promote the use of strong passwords.
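To make the three password controls above concrete, here is an added Python example (not MIDAS’s own code, which is written in Perl): it clamps the minimum length to the v4.13 floor, rejects blacklisted passwords using a small constructed stand-in for bannedpw.dat, and classifies strength from the factors listed. The point weights and the case-insensitive blacklist match are assumptions, not documented MIDAS behaviour.

```python
import string

# Constructed stand-in for bannedpw.dat: MIDAS ships the top 1000 passwords of 2016,
# only a handful are embedded here
BANNED_PASSWORDS = {"123456", "password", "qwerty", "12345678", "letmein", "football"}

MIN_LENGTH_FLOOR = 5  # from v4.13 the "Minimum password length" setting cannot go below this

STRENGTH_LABELS = ["Very Weak", "Very Weak", "Weak", "Fair", "Good", "Strong", "Strong"]


def effective_min_length(configured):
    """The administrator's setting, clamped to the v4.13 floor."""
    return max(configured, MIN_LENGTH_FLOOR)


def is_banned(password):
    """Blacklist lookup; matching case-insensitively is an assumption."""
    return password.lower() in BANNED_PASSWORDS


def strength(password):
    """Classify a password as the indicator does, from the factors the post lists.
    A banned password is always Very Weak; the point weights below are an assumption."""
    if is_banned(password):
        return "Very Weak"
    score = 0
    score += len(password) >= 8
    score += len(password) >= 12
    score += any(c.islower() for c in password)
    score += any(c.isupper() for c in password)
    score += any(c.isdigit() for c in password)
    score += any(c in string.punctuation for c in password)
    return STRENGTH_LABELS[score]  # 0-1 Very Weak, 2 Weak, 3 Fair, 4 Good, 5-6 Strong


def validate_new_password(password, configured_min_length):
    """Server-side check for a new or changed password: (accepted, message-or-strength)."""
    min_len = effective_min_length(configured_min_length)
    if len(password) < min_len:
        return False, f"Password must be at least {min_len} characters"
    if is_banned(password):
        return False, "Password is on the banned password list"
    return True, strength(password)
```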

MIDAS v4.13 is expected to be made available to Beta Testers in the next few weeks, with a general release shortly after. We’re always looking for additional testers to help test and provide feedback/bug reports on pre-release versions of our software, like v4.13. Becoming a tester is free and no experience is required, and what’s more we’ll reward you for your participation! Find out more about becoming a MIDAS Beta Tester here.

If you would like to be notified when v4.13 is fully released, then why not join our Mailing List?

As part of our ongoing commitment to security, you may notice that “Security Enhancements” often appears in the changelog when we release new builds.

In this blog post we’ll shed some light on some of these “security enhancements” that were recently introduced in MIDAS v4.11 and v4.12.

IP Change Detection

Starting with MIDAS v4.12, if a logged-in user’s IP address changes whilst they are logged in, then the system will automatically log the user account out, forcing the user to log in again.

It’s rare that a user’s IP address would legitimately change mid-session, and so this additional security enhancement will not be noticed by the majority of our users.

What it does do, however, is strengthen user sessions against a “session hijack”. In general terms, a “session hijack” is when a malicious attacker takes over a user account by gaining access to the unique identifying token (or cookie) of an active user session.

With the new IP Change Detection implemented in MIDAS v4.12, should a user fall victim to a session hijack, the session would be immediately invalidated as the originating IP address would suddenly change from the valid user’s IP address, to the IP address of the attacker.

→ Tip: Users’ IP addresses are also logged in each MIDAS system’s Recent Activity Log

Shorter Cookie Persistence

We’ve all come across websites with “Remember Me” or “Keep Me Logged In” tick boxes on login screens, meaning that you don’t have to remember your username & password for the site each time you come to log in. When you select this box, information is stored in a browser “cookie” and retrieved the next time you visit.

MIDAS has included a “Remember Me” tickbox on the login screen since v4.07 (September 2014). Previously, the cookie saved by your browser would persist until 1st January 2020 – some 4 years in the future!

This meant that if you were to log in to MIDAS today, you could come back to the same browser in a few years’ time and still log in without needing to remember your credentials.

We felt this was a little too long for your browser to be retaining such data, and as such from MIDAS v4.12 the “Remember Me” option will only remember your details for a period of 90 days. If you do not log in to MIDAS again within that period, you’ll have to manually enter your email address/password again.

Why is this better? Well, it ensures that “dormant” user accounts (i.e. accounts not logged into for over 90 days) don’t have lingering login details persisting in client-side cookies.

→ Tip: MIDAS Administrators can choose to disable the “Remember Me” option completely (via MIDAS Admin Options → Manage MIDAS → Security)

Improved Session Control

In MIDAS v4.11, we introduced a new security setting (MIDAS Admin Options → Manage MIDAS → Security → Session Control) to automatically log out any users that have remained logged in for more than a set number of hours.

This is different to the existing “inactivity” logout setting, which causes users to be logged off after a period of no activity. The additional “Always force logout after…” setting will automatically log users off after a set period of time, regardless of whether they are “active” or not.

Why is this useful? Well, web browser extensions/addons exist which allow you to “reload” a web page (or part of a web page) on a recurring interval. This could potentially allow a user account to remain logged in indefinitely, even if the “Inactivity forces logout after…” setting was set.

For example, if the “Inactivity forces logout after…” setting in MIDAS was set to “1 hour”, then usually 1 hour after a user’s last interaction with MIDAS they will be automatically logged off. However, if an addon/extension were set up to “reload” part of MIDAS every 30 minutes, this would look like “user activity” to MIDAS, and so the account would never be automatically logged out.

To combat this, the new additional “Always force logout after…” setting was introduced for v4.11. If your business usually runs 9am-5pm, you could set this setting to 8 hours. This will mean that no user account can remain logged in for more than 8 hours in total. So if a user were to log in at 9am and use a browser addon/extension to effectively remain logged in all day, they will still be automatically logged out of MIDAS at 5pm.

New Session Manager

MIDAS can be configured to allow concurrent logins to user accounts from multiple browsers/devices. When enabled, this would allow a user to be logged into MIDAS from their laptop, phone, and tablet all at the same time.

MIDAS v4.11 introduced a new “Session Manager” allowing users to see other devices they’re currently logged in from (including IP address and browser) and remotely log each of them out!

Improved Password Change Behavior

Given that MIDAS provides the ability (if enabled) to allow multiple concurrent logins to the same user account, in v4.11 we’ve enhanced security and made it so that if a user changes their MIDAS password, then all other devices they’re currently logged in from will be automatically logged out. Previously, changing a password from one device wouldn’t take effect on other devices a user was logged into until the next time they logged in.
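As an added example (not MIDAS’s own code, which is written in Perl), this Python session store implements the controls described in this post: IP Change Detection, the separate idle and “Always force logout after…” timeouts, and logging out a user’s other devices on password change; it also simulates the 30-minute auto-refresh scenario. The timeout values, user names and IP addresses are constructed.

```python
import secrets

# Constructed settings standing in for the two MIDAS options discussed above (values are assumptions)
IDLE_TIMEOUT = 60 * 60          # "Inactivity forces logout after..." = 1 hour
ABSOLUTE_TIMEOUT = 8 * 60 * 60  # "Always force logout after..." = 8 hours

class SessionStore:
    """In-memory session table; `now` is an injectable clock so behaviour can be simulated offline."""
    def __init__(self, now):
        self.now = now
        self.sessions = {}  # token -> {"user", "ip", "created", "last_seen"}

    def login(self, user, ip):
        token = secrets.token_urlsafe(32)  # unpredictable session token from the CSPRNG
        t = self.now()
        self.sessions[token] = {"user": user, "ip": ip, "created": t, "last_seen": t}
        return token

    def validate(self, token, ip):
        """Return (user, None) for a good request, or (None, reason) after destroying the session."""
        s = self.sessions.get(token)
        if s is None:
            return None, "unknown"
        t = self.now()
        if ip != s["ip"]:                           # IP Change Detection: a hijacked token is dropped
            reason = "ip-change"
        elif t - s["last_seen"] > IDLE_TIMEOUT:     # idle timeout: every request extends it
            reason = "idle"
        elif t - s["created"] > ABSOLUTE_TIMEOUT:   # absolute timeout: activity never extends it
            reason = "absolute"
        else:
            s["last_seen"] = t
            return s["user"], None
        del self.sessions[token]
        return None, reason

    def password_changed(self, user, keep_token):
        """Log out every other device this user is logged in from, keeping the session that changed it."""
        for tok in [t for t, s in self.sessions.items() if s["user"] == user and t != keep_token]:
            del self.sessions[tok]

def simulate_auto_refresh(refresh_every):
    """A browser addon reloads MIDAS every `refresh_every` seconds; return when and why logout happened."""
    clock = [0]
    store = SessionStore(now=lambda: clock[0])
    token = store.login("alice", "203.0.113.5")  # constructed user and documentation-range IP
    while clock[0] < 24 * 3600:
        clock[0] += refresh_every
        user, reason = store.validate(token, "203.0.113.5")
        if user is None:
            return clock[0], reason
    return None, None
```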

Cryptographically-secure Random Number Generation

MIDAS stores passwords which are SHA512 hashed and randomly “salted”. The “randomness” of this “salt” has been improved starting with v4.11. Now, if the Perl module “Math::Random::Secure” is available on the server where a MIDAS system resides, then MIDAS will utilize this module to generate cryptographically-secure random numbers.


The next update to our web based room booking and resource scheduling software is fast approaching, and throughout this month we’re giving you a “first look” at some of the new features and improvements coming in MIDAS v4.11…

Perhaps one of the most powerful, yet overlooked, tools in MIDAS for administrators is the Recent Activity Log.

The Recent Activity Log records all recent actions that have taken place within your MIDAS system. It records the date, time, IP address and user who initiated the action.

We’re making a couple of improvements in this area for v4.11 to help you better understand and keep track of how your scheduling system is being used.

In v4.11, the Recent Activity Log now also records all failed login attempts, including those on locked or suspended user accounts:

[Screenshot: Audit Log - Failed Login Attempts]

Additionally, as the Recent Activity Log can become large, we’ve added a filter so that you can quickly filter the log by different event categories. The 8 categories available cover the following areas: Bookings, Clients, Email, Invoices, Printing, Settings, System, and Booking Requests.

For example, filtering the Recent Activity Log to only show events in the “Bookings” category will then only show log entries relating to the addition, modification, deletion, and restoration of bookings. Similarly, filtering the log by the “System” category will only show system-related log messages, including successful & failed login attempts, password changes, logouts, backup generation and system updates.

MIDAS v4.11 will soon be generally available, however for now it is only available to Beta Testers. We’re currently looking for additional testers to help test and provide feedback/bug reports on this and future updates to our software before release. It’s free and no experience is required. Find out more here.

If you would like to be notified when v4.11 is fully released, then why not join our Mailing List?

The next update to our web based room booking and resource scheduling software is fast approaching, and throughout this month we’re giving you a “first look” at some of the new features and improvements coming in MIDAS v4.11…

We take a pro-active approach to security here at MIDAS, and so we’re excited to be able to provide you with greater control over your MIDAS sessions in v4.11.

If the multi-session (Allow Multiple Logins By Users) feature has been enabled for your MIDAS system, you’ll be able to login to your scheduling system from multiple devices simultaneously.

If this option has been enabled on your system, then whenever you login, you’ll be able to click your name near the top of your screen to see a list of all devices/browsers you’re currently logged in from:

[Screenshot: Session Control]

The list will show when the last activity in MIDAS occurred from each device, as well as indicating the device’s IP and Browser/OS. The highlighted entry denotes your current session.

You can remotely log out any of these sessions by clicking/tapping the device’s adjacent “x” icon.

We’ve also made a couple of other improvements in relation to sessions for v4.11:

Firstly, when changing your password, all other active sessions you’re currently logged into from other devices will automatically be logged out.

Secondly, we’ve provided a new administrative setting to force accounts to log out if they’ve been logged in for a lengthy period of time (regardless of activity). This is in addition to the existing setting which allows sessions to automatically log out if they become “idle”. This new additional setting can be useful to combat situations where a user could effectively remain logged into MIDAS indefinitely if they’re running a browser extension/addon which regularly refreshes their browser window. With this new setting, even if a user’s browser window is regularly refreshing so that they never hit the idle timeout period, the new “Always force logout after X hours” setting will still time out their session once it has been active for more than the configured 1-24 hours.

This new setting can be accessed via MIDAS Admin Options → Manage MIDAS → Security. For more information, please see: Manage Security Settings

MIDAS v4.11 will soon be generally available, however for now it is only available to Beta Testers. We’re currently looking for additional testers to help test and provide feedback/bug reports on this and future updates to our software before release. It’s free and no experience is required. Find out more here.

If you would like to be notified when v4.11 is fully released, then why not join our Mailing List?