pro HP Data Protector Encrypted Communication Remote Command Execution By packetstormsecurity.com Published On :: Tue, 07 Jun 2016 07:51:36 GMT This Metasploit module exploits a well-known remote code execution exploit after establishing encrypted control communications with a Data Protector agent. This allows exploitation of Data Protector agents that have been configured to only use encrypted control communications. This exploit works by executing the payload with Microsoft PowerShell, so it will only work against Windows Vista or newer. Tested against Data Protector 9.0 installed on Windows Server 2008 R2. Full Article
pro 160,000 Nintendo Accounts Were Compromised By packetstormsecurity.com Published On :: Fri, 24 Apr 2020 14:32:18 GMT Full Article headline hacker privacy data loss nintendo password
pro Search Provider Algolia Discloses Security Incident By packetstormsecurity.com Published On :: Wed, 06 May 2020 14:31:10 GMT Full Article headline hacker privacy data loss flaw
pro Turkey Approves Legislation To Block Internet Sites By packetstormsecurity.com Published On :: Thu, 06 Feb 2014 16:07:49 GMT Full Article headline government turkey facebook twitter anonymous censorship
pro Turkey's Government Tried To Hack Protestors Over Twitter By packetstormsecurity.com Published On :: Tue, 15 May 2018 09:38:18 GMT Full Article headline hacker government fraud turkey twitter
pro Fortinet FortiSIEM 5.0 / 5.2.1 Improper Certification Validation By packetstormsecurity.com Published On :: Tue, 01 Oct 2019 20:48:19 GMT A FortiSIEM collector connects to a Supervisor/Worker over HTTPS TLS (443/TCP) to register itself as well as relaying event data such as syslog, netflow, SNMP, etc. When the Collector (the client) connects to the Supervisor/Worker (the server), the client does not validate the server-provided certificate against its root-CA store. Since the client does no server certificate validation, this means any certificate presented to the client will be considered valid and the connection will succeed. If an attacker spoofs a Worker/Supervisor using an ARP or DNS poisoning attack (or any other MITM attack), the Collector will blindly connect to the attacker's HTTPS TLS server. It will disclose the authentication password used along with any data being relayed. Versions 5.0 and 5.2.1 have been tested and are affected. Full Article
pro CurveBall Microsoft Windows CryptoAPI Spoofing Proof Of Concept By packetstormsecurity.com Published On :: Thu, 16 Jan 2020 16:16:02 GMT This is a proof of concept exploit that demonstrates the Microsoft Windows CryptoAPI spoofing vulnerability as described in CVE-2020-0601 and disclosed by the NSA. Full Article
pro Git Credential Helper Protocol Newline Injection By packetstormsecurity.com Published On :: Wed, 15 Apr 2020 18:45:49 GMT A git clone action can leak cached / stored credentials for github.com to example.com due to insecure handling of newlines in the credential helper protocol. Full Article
pro PTP-RAT Screen Share Proof Of Concept By packetstormsecurity.com Published On :: Thu, 09 Nov 2017 05:22:22 GMT PTP-RAT is a proof of concept that allows data theft via screen-share protocols. Each screen flash starts with a header. This contains a magic string, "PTP-RAT-CHUNK" followed by a sequence number. When the receiver is activated, it starts taking screenshots at twice the transmission frequency (the Nyquist rate). When it detects a valid header, it decodes the pixel colour information and waits on the next flash. As soon as a valid header is not detected, it reconstructs all the flashes and saves the result to a file. To transfer a file, you run an instance of the Rat locally on your hacktop, and set that up as a receiver. Another instance is run on the remote server and this acts as a sender. You simply click on send file, and select a file to send. The mouse pointer disappears and the screen begins to flash as the file is transmitted via the pixel colour values. At the end of the transfer, a file-save dialog appears on the receiver, and the file is saved. Full Article
pro Project Open CMS 5.0.3 Cross Site Scripting / SQL Injection By packetstormsecurity.com Published On :: Tue, 28 Apr 2020 14:48:04 GMT Project Open CMS version 5.0.3 suffers from cross site scripting and remote SQL injection vulnerabilities. Full Article
pro School ERP Pro 1.0 SQL Injection By packetstormsecurity.com Published On :: Wed, 29 Apr 2020 15:31:19 GMT School ERP Pro version 1.0 suffers from a remote SQL injection vulnerability. Full Article
pro Gadgets Can Be Hacked To Produce Dangerous Sounds By packetstormsecurity.com Published On :: Sun, 11 Aug 2019 18:14:53 GMT Full Article headline flaw cyberwar science conference
pro FreeBSD Project Reveals Servers Were Compromised By packetstormsecurity.com Published On :: Mon, 19 Nov 2012 16:04:03 GMT Full Article headline hacker data loss bsd backdoor
pro NetBSD, OpenBSD Improve Kernel Security, Randomly By packetstormsecurity.com Published On :: Mon, 23 Oct 2017 13:48:18 GMT Full Article headline bsd
pro Royals Sue Daily Mail Over U.K. Data Protection Act Violation By packetstormsecurity.com Published On :: Thu, 03 Oct 2019 14:13:31 GMT Full Article headline government privacy britain data loss
pro British Rail Station Wi-Fi Provider Exposed Traveler Data By packetstormsecurity.com Published On :: Mon, 02 Mar 2020 15:21:04 GMT Full Article headline privacy britain wireless data loss
pro German e-Gov Protocol Carries Ancient Vulns By packetstormsecurity.com Published On :: Mon, 03 Jul 2017 15:44:14 GMT Full Article headline government flaw germany
pro Germany Proposes Router Security Guidelines By packetstormsecurity.com Published On :: Mon, 26 Nov 2018 15:31:28 GMT Full Article headline government germany
pro German Police Storm Bulletproof Data Center In Former NATO Bunker By packetstormsecurity.com Published On :: Tue, 01 Oct 2019 13:50:06 GMT Full Article headline government germany
pro Pressure Mounts For Swiss Probe Into Spying Operation By packetstormsecurity.com Published On :: Thu, 13 Feb 2020 15:20:34 GMT Full Article headline government privacy usa phone germany spyware cryptography switzerland goverment
pro Twitter 5.0 Eavesdropping Proof Of Concept By packetstormsecurity.com Published On :: Thu, 22 Nov 2012 18:22:22 GMT The Twitter 5.0 application for iPhone grabs images over HTTP and due to this, allows for a man in the middle attack / image swap. Proof of concept included. Full Article
pro Hackers Wipe US Servers Of Email Provider VFEmail By packetstormsecurity.com Published On :: Tue, 12 Feb 2019 17:37:49 GMT Full Article headline hacker privacy email data loss
pro First-Ever Malware Strain Spotted Abusing New DoH Protocol By packetstormsecurity.com Published On :: Wed, 03 Jul 2019 15:46:06 GMT Full Article headline malware linux dns denial of service
pro Critical Linux Wi-Fi Bug Allows System Compromise By packetstormsecurity.com Published On :: Sat, 19 Oct 2019 15:36:59 GMT Full Article headline linux wireless flaw
pro Soleimani: US Federal Site Hacked With Pro-Iranian Message By packetstormsecurity.com Published On :: Mon, 06 Jan 2020 16:01:30 GMT Full Article headline hacker government usa cyberwar iran military
pro Vulnerabilities In Two Schneider Electric ICS Products Reminiscent Of Stuxnet By packetstormsecurity.com Published On :: Fri, 08 May 2020 14:22:40 GMT Full Article headline government malware flaw cyberwar iran scada
pro How Many Microsoft Products Can My Nonprofit Request from TechSoup? By feeds.techsoup.org Published On :: Wed, 20 Sep 2017 23:30:00 GMT https://blog.techsoup.org/posts/how-many-microsoft-products-can-nonprofits-request Here is the short answer to the question of how many Microsoft products you can request: You can get 50 of each kind of product in a two-year period — but there are some exceptions. See Microsoft products What do you mean by "each kind of product"? The Microsoft Donation Program divides products into categories called title groups. See the current list of 37. A title group contains products that serve essentially the same purpose, like PowerPoint and PowerPoint for Mac. You can get products from 10 title groups in your two-year cycle. When does this two-year cycle start and end? Is it the calendar year? No. Your nonprofit has its own two-year cycle. Your first cycle started the day you requested your first Microsoft product through TechSoup. You can see when your current cycle ends on your Microsoft Donation Center page. Outlook and PowerPoint are both title groups. Does that mean we can get 50 of each product? That's right. They can be all the Windows version, all the Mac version, or a mixture of the two. And you will be able to request products from eight more title groups. What are the exceptions you mentioned? They have to do with servers. Microsoft offers two licensing models for its server products. Core-based licensing. This licensing is based on the number of cores in the physical processors of your server machines. The product page on TechSoup will tell you whether the server uses this type of licensing. You can request up to 50 of these products from each title group, the same as desktop products. But you might have to request more than one product to fully license all the processors in your server. Non-core-based licensing. You can request a total of five server products that do not use core-based licensing. 
They can be from a single title group or from different title groups, but the total cannot be more than five. A lot of the title groups are for CALs and MLs. What are the limits for these? You can get 50 from each title group. CALs, or client access licenses, give you access to a server from a device like your desktop computer. MLs, or management licenses, let your device be managed by a management server. Where can I find out more? This article goes into a lot more detail and gives examples of how the various allotments work together. Full Article microsoft
pro Nonprofit Harnesses Tech to Plant Tens of Thousands of Trees By feeds.techsoup.org Published On :: Thu, 28 Sep 2017 19:35:00 GMT What does it take to make a city greener? In San Francisco, it took a small group of motivated people to come together to create a nonprofit. After the city cut funding for urban forestry 36 years ago, seven individuals decided to take matters into their own hands. They created a nonprofit, Friends of the Urban Forest (FUF). Starting with a Small Budget, FUF Plants Nearly Half San Francisco's Street Trees The organization started off with just a small budget from a leftover city grant. Then it used grassroots efforts to rally neighborhoods throughout the city around urban trees. By empowering and supporting communities and homeowners to plant and care for their own trees, FUF has successfully planted 60,000 of the 125,000 trees in San Francisco. The group eventually even worked with the city to create San Francisco's first ever Urban Forest Plan. FUF Harnesses the Power of Many Volunteers to Plant and Advocate for Trees FUF is a member of TechSoup, and TechSoup's staffers were very excited to reach out for an interview to hear more about the group's impact. My team joined FUF early on a Saturday morning for its volunteer tree planting event in the Portola neighborhood, a part of the city that is lacking street trees. It was cold even by San Francisco standards, but there was an impressive turnout of volunteers present and ready to plant. The executive director of FUF, Dan Flanagan, joined us and told us about his work. "We get to get out in the city and make it greener. We advocate for trees; I always call ourselves the Lorax of San Francisco. We are the only organization in San Francisco that is speaking for the trees." FUF Gets the Chance to Plant Even More Trees … in Neighborhoods That Really Need Them Dan was excited about a recent accomplishment for the organization.
San Francisco just passed Proposition E, which opens up major opportunities for the nonprofit. As he said, "It changes the responsibility from street trees and sidewalks away from the homeowners and to the city. As a result, homeowners are no longer responsible, and now we actually get a chance to make the city more green than ever before by planting more trees in neighborhoods that couldn't afford it before." This policy makes the city responsible for maintenance, but it will still require FUF to continue its work of planting the trees. FUF hopes to plant 1,700 trees this year and ultimately hopes to plant 3,000 trees every year. FUF Puts Technology from TechSoup to Work I was curious to find out how FUF was using technology to further its mission. Jason Boyce, individual gifts manager, said: "Here at Friends of the Urban Forest, a lot of our field staff tend to be out in the field all day; technology really needs to be out of the way to allow us to plant. So, as a result, the relationships we build with our community tend to be stronger because we use technology to enable our work, but it doesn't get in the way of our work." Jason explained, "We have been working with ArcMap for years, ... GIS software that TechSoup has provided for us. We use it to plant trees, to figure out where we are going to plant. When we do our plantings, we actually dole out the maps that our volunteers use to do the plantings, and all that comes through ArcMap. We use Adobe Acrobat to put together our tree manuals for our new tree owners and volunteer manuals. We use AutoCAD to put together the permit drawings for our sidewalk gardens. Technology plays a really important role in doing our plantings and making San Francisco more green." FUF Partners with the City to Calculate the Environmental Benefits of Trees Jason also recently worked with the city on the Urban Forest Map, which is an interactive online map that tracks every tree in San Francisco. 
The map helps calculate the environmental benefits the trees provide, including stormwater mitigation, air pollutants captured, and carbon dioxide removed from the atmosphere. This platform has increased the visibility of the city's urban forest. As Jason said, "We are now at the forefront of cities worldwide that are building software to manage their urban forests. … [This] really gives a lot of benefit to the people living in San Francisco." TechSoup is proud to support organizations like Friends of the Urban Forest by enabling them with the technology they need. That support gives them more time to focus on their impact, like planting trees, or to build the communities that help them thrive. Full Article Adobe autodesk
pro Improve Your Fundraising Approach and Skills at NetSquared Meetups By feeds.techsoup.org Published On :: Mon, 02 Oct 2017 13:37:00 GMT Fall has arrived, and with it comes fundraising season. More than one-third of charitable giving happens in the last three months of the year, and the emergence of Giving Tuesday (on November 28 this year) makes the year's end even more critical for charities. Feeling overwhelmed? Your local NetSquared group is here to help with free, in-person events being held across the U.S. and the globe. Naples, Florida, is hosting a meetup on tools for effective email fundraising; Chippewa Falls, Wisconsin, is hosting a series of Giving Tuesday brainstorming sessions; and Chicago, Illinois, will explore how your CRM can save end-of-year fundraising plans. With more than 75 events scheduled for October, there's probably an event scheduled for your community, so RSVP now for one of our meetups. Join us! Upcoming Tech4Good Events This roundup of face-to-face nonprofit tech events includes meetups from NetSquared, NTEN's Tech Clubs, and other awesome organizations. If you're holding monthly events that gather the #nptech community, let me know, and I'll include you in the next community calendar, or apply today to start your own NetSquared group. Jump to events in North America or go international with events in Africa and Middle East Asia and Pacific Rim Central and South America Europe and U.K. 
North America Monday, October 2, 2017 Vancouver, British Columbia: Photojournalism for Nonprofits and Small Businesses #Storymakers2017 Tuesday, October 3, 2017 Portland, Oregon Happy Hour with Nonprofit Tech Luminaries NTEN Presents: Oregon Nonprofit Tech Roundup Montréal, Québec: Développer une Présence Web Efficace Naples, Florida: Tools for Effective Email Communication Mason, Ohio: Connecting Nonprofits and Techies in Cincinnati Wednesday, October 4, 2017 Pittsburgh, Pennsylvania: Bagels and Bytes — Allegheny Baltimore, Maryland: WordPress 101 and Tech Help and Consultations San Francisco, California: Code for America Civic Hack Night (Weekly) Thursday, October 5, 2017 Calgary, Alberta: Evening on Data Ethics Friday, October 6, 2017 Seattle, Washington: King County Executive Director Forum Monday, October 9, 2017 Chippewa Falls, Wisconsin: Giving Tuesday Brainstorming Tuesday, October 10, 2017 Columbus, Ohio: Nonprofit IT Forum Decatur, Illinois: Free and Low-Cost Resources for Nonprofit Software Ottawa, Ontario: Review Progress on Data Analysis Projects Wednesday, October 11, 2017 Mason, Ohio: Help Create an App for Homeless to Manage Money More Effectively San Francisco, California: Code for America Civic Hack Night (Weekly) Boston, Massachusetts: Tech Networks of Boston Roundtable: Building an Effective Data Culture at Your Nonprofit O’Fallon, Missouri: Learn How to Apply for a $10,000 per Month Google AdWords Grant Phoenix, Arizona: Website Building 101: Quick and Easy Web Presence for Nonprofits Los Angeles, California: Nonprofit Volunteer Management Chicago, Illinois: Net Neutrality Thursday, October 12, 2017 Chicago, Illinois: It's Never Too Late: How Your CRM Can Save End-of-Year Fundraising Seattle, Washington: What You Need to Know About Board Governance Saturday, October 14, 2017 Saint Paul, Minnesota: Minnesota Blogger Conference | by Get Social Events, the Social Media Breakfast Folks ($25) Monday, October 16, 2017 San Francisco, California: 
Social Impact in Tech: Panel Discussion with LinkedIn, Lyft, and Salesforce Chippewa Falls, Wisconsin: Giving Tuesday Brainstorming Seattle, Washington: Fall Nonprofit Technology Speed Geek Tuesday, October 17, 2017 Buffalo, New York: Essential Data Management Orlando, Florida: Tech4Good Orlando October: Search Engine Optimization and Strategy Wednesday, October 18, 2017 San Francisco, California: Code for America Civic Hack Night (Weekly) Houston, Texas: NetSquared Houston Research Triangle Park, North Carolina: Crowdsourcing Change: The Social Web to Nonprofits Thursday, October 19, 2017 Monroeville, Pennsylvania: TechNow 2017 Conference Sweet Briar, Virginia: Using Data to Reach Your Audience Friday, October 20, 2017 West Chester, Ohio: Southwest Ohio Give Camp Boston, Massachusetts: Tech Networks of Boston Roundtable: Can Appmaker Help You? A Free Database Tool from Google Monday, October 23, 2017 Chippewa Falls, Wisconsin: Giving Tuesday Brainstorming Austin, Texas: Engaging the Millennial Donor Tuesday, October 24, 2017 Vancouver, British Columbia: How Delivering Webinars Can Benefit Your Mission Wednesday, October 25, 2017 Baltimore, Maryland: Salesforce 101 for Nonprofits and Free Tech Help and Guidance San Francisco, California: Code for America Civic Hack Night (Weekly) Seattle, Washington: Recruit, Engage, and Retain a Great Board Monday, October 30, 2017 Chippewa Falls, Wisconsin: Giving Tuesday Brainstorming Tuesday, October 31, 2017 Seattle, Washington: Bolder and Wiser: Nonprofit Advocacy Rights (Part 2) Central and South America Wednesday, October 4, 2017 Guatemala City, Guatemala: Pechakucha Guatemala — Historias Digitales Vol. 
15 Africa and Middle East Sunday, October 1, 2017 Cotonou, Benin: L'Utilité des Logiciels de TechSoup dans la Progression d Nos ONG dans le Monde Kampala, Uganda: Digital Storytelling for Nonprofits Workshop Monday, October 2, 2017 Ouagadougou, Burkina Faso: Monthly Meeting of Local Members Saturday, October 7, 2017 Matloding, South Africa: Technology for Rural Development Bunda, Tanzania: Microsoft Cloud Computing Morogoro, Tanzania: Role of ICT for Farm Management Wednesday, October 11, 2017 Bamenda, Cameroon: How to Create Digital Stories Friday, October 13, 2017 Katabi, Uganda: Using Social Media Applications for Development Pangani, Tanzania: Storymakers Campaign Saturday, October 14, 2017 Bunda, Tanzania: Microsoft Cloud Computing Sunday, October 15, 2017 Cotonou, Benin: Les Logiciels Mis en Don par Techsoup.org pour les ONG et Association au Benin Saturday, October 21, 2017 Bunda, Tanzania: Microsoft Cloud Computing Saturday, October 28, 2017 Bunda, Tanzania: Microsoft Cloud Computing Morogoro, Tanzania: Technology for Livelihood Improvement Asia and Pacific Rim Tuesday, October 3, 2017 Taipei, Taiwan: NGO要怎麼搞群眾募資?- 綠盟經驗談 Wednesday, October 4, 2017 Singapore, Singapore: DataJam! Tuesday, October 10, 2017 Wellington, New Zealand: Set Your Email Newsletter on Fire | Net2Welly Oct '17 Meetup Sunday, October 15, 2017 Jakarta, Indonesia: Web Hosting Europe and U.K. Tuesday, October 3, 2017 Paris, France: AdWords Express — Grands Débutants Wednesday, October 4, 2017 Puidoux, Switzerland: 7ème Journée Pédagogique ESV-SPV (AVMES/AVMD) Friday, October 6, 2017 Carouge, Switzerland: 12h de Hackaton pour Afficher les Termes et Conditions, Que Vous Ne Lirez Jamais Saturday, October 7, 2017 Genève, Switzerland: LINforum3 Partage Idée, Réflexion, Projet, Startup, Service … Responsables! 
Wednesday, October 11, 2017 Cambridge, United Kingdom: Social Media Surgery — Hands-on Help with Social Media Thursday, October 12, 2017 Paris, France: La Data pour Vous Renforcer Saturday, October 14, 2017 Pully, Switzerland: Intergen.Digital à Pully Monday, October 16, 2017 Birmingham, United Kingdom: Social Media Session Tuesday, October 17, 2017 Dublin, Ireland: Smart Cities for Good Wednesday, October 18, 2017 Paris, France: Forum National des Associations et des Fondations Bordeaux, France: Les Personas pour Optimiser Votre Conversion Thursday, October 19, 2017 Bath, United Kingdom: Tech for Good Community Mapping Paris, France: Brainstorming, Plans d'Actions sur Internet Wednesday, October 25, 2017 Manchester, United Kingdom: Tech for Good: At the BBC Paris, France: AdWords – Initiation Paudex, Switzerland: RdV4–0.ch: 3. Solutions Informatiques — Cloud — SaaS — Services en Ligne Thursday, October 26, 2017 Barcelona, Spain: ¡Relanzamos NetSquared Barcelona! ¡Te Esperamos! Paris, France: Analytics — Initiation Tuesday, October 31, 2017 Renens, Switzerland: OpenLab: Visite du Fablab de Renens Left photo: Gregory Munyaneza / NetSquared Rwanda / CC BY Center photo: Chrispin Okumu / NetSquared Kenya / CC BY Right photo: Chrispin Okumu / NetSquared Kenya / CC BY Full Article fundraising event
pro How Can a Museum Best Protect Its Assets? By feeds.techsoup.org Published On :: Tue, 03 Oct 2017 14:03:00 GMT In this age of increasing hacks and cybercrime, the Norman Rockwell Museum has a lot of digital assets, museum operations data, and private patron data that need to be protected. Find out why Frank Kennedy, IT manager at the Rockwell museum, chose Veritas Backup Exec to be a key part of the museum's security strategy. About the Museum Norman Rockwell is one of the great iconic painters and illustrators of American life in the 20th century. His hundreds of covers for the Saturday Evening Post magazine alone are a national treasure. The Norman Rockwell Museum is located in Stockbridge, Massachusetts, where Rockwell spent the last part of his celebrated life. The museum started two years before Rockwell's death in 1978 and houses over 100,000 of his works and also those of other illustrators. The museum now has 140,000 annual visitors, and 220,000 people view its traveling exhibitions each year. It also has an active website with more than 600,000 worldwide unique visitors per year. The Museum's IT System IT Manager Frank Kennedy is an IT department of one (plus an occasional contractor). He supports 90 staff and volunteers and is responsible for critical information security and data protection for the museum. The museum's IT network consists of several large physical servers and many single-purpose virtual machines. The single-purpose virtual machines allow for emergency service without disrupting other departments. Frank says, "Most of our enterprise software is procured via TechSoup, which makes it affordable to license so many servers! We do not have to make do with weak, low-budget software." Digital Assets: Preserving Art over the Long Term Frank Kennedy explains that digital assets are of increasing importance in the work of museums. 
There are high-resolution images or copies of art works that must be carefully stored to preserve work in its best condition. He says that digital versions are often irreplaceable, as when the original object is disintegrating or would be damaged by further handling. The digital versions keep a faithful record of the art in its best state. The most sensitive objects of this museum include a collection of Rockwell's cellulose nitrate film negatives, which deteriorate over time. The museum also has analog audio and video tape and motion picture film that deteriorates, as well as works on paper that degrade with exposure to light. Other crucial data for the museum includes databases for collection management, point of sale records, donor management, and email. Frank's backup system is designed to be redundant on purpose. He says, "Protecting this data means keeping many copies in many places. Doing so becomes a big challenge when the size of the data becomes several terabytes. I use many layers of redundancy." The Backup Crisis As the museum's data got bigger and bigger, and server patches piled on, the museum's previous backup solution eventually became unstable. Frank reports that his backups were failing constantly and causing him stress in his careful, risk-based management approach. When he first went to get a new backup solution from TechSoup, he discovered that what he needed was not available. He says, "The cost for the options I use would have been over $4,000 per year, unbudgeted. TechSoup responded to users' desperate cry and worked with Veritas to bring Backup Exec back to TechSoup! I can't even describe my relief. Veritas Backup Exec is better than ever. It is so stable that I get suspicious and have to go look just to be sure it's really working!" Why the Norman Rockwell Museum Chose Backup Exec over Other Options Frank told me that the license he gets from TechSoup includes every option his museum needs. 
These options and features include Exchange Server backup Unlimited media server backups Unlimited agents for specific applications like VMware, Windows, Linux, and so on Simplified disaster recovery Protection against accidental deletion, damage, or overwriting Storing backups to disk, network share, tape (any type), or cloud — or all four at once Virtual machine snapshots that are viewable directly from the host's agent A deduplication engine so backed-up data is as clean as possible Backup retention periods that can be defined per job and per media server An excellent graphical user interface The status of every backed-up resource available at a glance Sending an email to the admin when anything goes wrong Running several jobs simultaneously (depending on server horsepower) Advice for Museums and Other Organizations Considering Veritas Backup Exec Backup Exec is powerful software geared toward backing up an entire network. It requires some study to do the installation and learn the software. You don't get phone support with the charity licensing, so you need to be comfortable Googling for answers and working in the Veritas community support forum. Frank recommends dedicating a strong server for running the software. He likes eight cores and 32 GB of RAM; hot-swappable, hot-growable RAID-5; fast network connectivity; and a very large uninterruptible power supply (UPS). Avoid the temptation to install other services or applications on what seems to be a machine that is often idle. In a Nutshell Frank's experience is that "Veritas Backup Exec is the best, most reliable, most flexible, and versatile backup software you can get. Commit the needed resources to operate it, and you will be rewarded with peace of mind and business continuity. Your donors will be pleased that you are protecting their investment so carefully." 
Image: Norman Rockwell Museum / All rights reserved / Used with permission Full Article security veritas museumorhistoricalorg backupandrestore
pro Microsoft's MileIQ Helps a Nonprofit Show People How to Save Lots of Energy By feeds.techsoup.org Published On :: Thu, 05 Oct 2017 14:26:00 GMT In 2015, the state of Louisiana consumed more energy per capita than any other state, according to the U.S. Energy Information Administration. Although this may not come as a complete surprise — the state's warm, muggy climate makes air conditioning a must — it's clear that Louisiana's energy-use profile needs a drastic transformation. The Energy Wise Alliance (EWA), a small nonprofit based in New Orleans, is determined to do just that. Along the way, the organization has gotten a boost from Microsoft's MileIQ app. MileIQ is a mobile app from Microsoft that automatically tracks the miles you've traveled and records all of your tax-deductible and reimbursable mileage. It's kind of like using a Fitbit, except you're tracking your driving. You can report your business drives on demand and claim your reimbursements or maximize your tax deductions. The average MileIQ user is logging $6,900 per year. Building a More Energy-Efficient Community EWA works to make energy efficiency more accessible to everyone. The organization works primarily with low-income families, tenants, and others who would otherwise be left out of the green energy revolution. EWA accomplishes its goals through both workshops and equipment upgrades at homes and businesses. Its Energy Smart for Kids program teaches students throughout the state how to lead a more energy-efficient lifestyle. These hourlong sessions cover the pitfalls of nonrenewable energy and detail more sustainable alternatives. At the end of each session, EWA volunteers hand out energy-efficiency starter kits so students can apply what they learned at home. Much like the rest of EWA's programs, Energy Smart for Kids serves underserved and underprivileged communities. 
In fact, many of the schools that EWA serves are Title 1 schools — schools whose students generally come from lower-income households. Aside from schools, EWA also helps nonprofits become more sustainable. Making Nonprofits Greener and More Cost-Efficient Nonprofits can benefit from EWA's work by way of simple but effective power-saving retrofits. EWA also provides volunteer labor and donates the materials for the retrofits, which means added cost savings. And as we all know, cost-saving programs are like gold dust for nonprofits. For example, volunteers from EWA revitalized the Victorian-era headquarters of the Alliance Française, a nonprofit dedicated to preserving Francophone heritage in the New Orleans community, with sustainable retrofits. As part of these upgrades, EWA sealed cracks, gaps, and openings; installed additional insulation; and programmed new thermostats. In addition, EWA gave the Alliance Française's volunteers a hands-on demonstration of behavioral changes so that they could bring this knowledge back home. EWA anticipated that the Alliance Française would save a total of $2,000 to $3,000 as a result of these green improvements. EWA's staff members also actively save money and operate more efficiently through the use of the mile-tracking app MileIQ. Saving Time and Money with MileIQ This method, as you can imagine, was time-consuming, and it brought with it the risk of human error. Most people can't possibly remember every single trip they make with their car, after all. "MileIQ is super accurate and takes the forgetting out of the equation," said Jamie Wine, executive director of EWA. For Kevin Kellup, education coordinator at EWA, MileIQ has been a game-changer. Jamie explained, "Kevin drives like crazy from school to school," racking up miles on his personal car. Now, thanks to MileIQ, Kevin can get more fairly and accurately reimbursed for his constant traveling. 
The most important benefit of Microsoft's MileIQ for Jamie is that his staff can be correctly reimbursed for mileage. He wants to show staff members that he values their time and effort spent traveling, which MileIQ really helps him achieve. For nonprofits, particularly small ones like EWA, it's always great when the team can receive fair compensation for its hard work. "The staff doesn't get paid much," Jamie said. And considering how important staff members' work is to the community, every penny matters. That's also where TechSoup comes in. TechSoup's Role: "Essential" Through TechSoup, eligible nonprofits can get MileIQ at 80 percent off the subscription rate. "Without TechSoup," Jamie noted, "this huge step up in technology" would not have been possible. The MileIQ discount program from Microsoft has made acquiring MileIQ way easier on the nonprofit's pocket. Having also previously obtained Microsoft Office 365 and QuickBooks Online through TechSoup, Jamie said, "TechSoup is a great equalizer." He mentioned that TechSoup helps a small nonprofit to grow into a technologically advanced organization. He added, "The super discounted products from TechSoup are like the pot of gold at the end of the rainbow." Getting MileIQ Premium Eligible nonprofits can get MileIQ at 80 percent off the individual subscription rate through TechSoup and can request an unlimited number of individual subscriptions. In addition to individual subscriptions, MileIQ is now included with an Office 365 Business Premium license. Nonprofits who currently do not have an Office 365 license can visit Microsoft's Office 365 for nonprofits page to register. This blog post was written by Nicholas Fuchs. Full Article microsoft
pro 5 Data Security Risks for Nonprofits (and How to Fix Them) By feeds.techsoup.org Published On :: Fri, 13 Oct 2017 19:56:00 GMT Many nonprofits handle sensitive personal information belonging to community members — whether it's names or email addresses or payment information. But are you handling this data properly to prevent a data breach? This post is by no means exhaustive — after all, every nonprofit handles different sorts of data, and each organization has different security needs. That said, these are some practical things to think about when you review your handling of sensitive personal information. #1 Risk: Malware and Software Vulnerabilities The Problem This one may seem obvious, but with so many other security risks out there, it's easy to forget that malware still poses a major threat to your organization's data. How You Can Mitigate It To start, make sure you have antivirus software installed, and that it's up to date. In addition, you'll want to make sure your operating system and any software installed are also up to date, with all security patches installed. Beyond that, be careful what you click on. Don't download and install software from sites you don't trust. Be careful of the email attachments and links you click on — even from people you know. If you aren't expecting a file or link, click with caution. #2 Risk: Ransomware The Problem Ransomware is an especially insidious form of malware that holds your computer or data hostage unless you pay a sum of money to a criminal actor. Oftentimes, ransomware will encrypt your data, preventing you from accessing it. And according to Symantec's Director of Security Response Kevin Haley, some forms of ransomware will threaten to publicly release your data. How You Can Mitigate It Aside from up-to-date antivirus software and taking steps to avoid infection in the first place, there isn't a ton you can do to deal with a ransomware attack once your data's been encrypted. 
In that case, according to Haley, keeping up-to-date backups of your data is your best bet. That way, you'll be able to get back up and running quickly with minimal data loss. (TechSoup offers backup and recovery solutions from Veritas.) #3 Risk: Public Wi-Fi The Problem Public Wi-Fi is generally fine for some things, such as browsing cat videos on YouTube, or catching up on the headlines. However, for anything involving sensitive personal information, it's a security disaster waiting to happen. Bad actors could potentially eavesdrop on what you're doing while using public Wi-Fi, leaving your data and work open to prying eyes. How You Can Mitigate It First off, avoid using public, unsecured Wi-Fi when handling sensitive information — whether it's internal organizational data or your own personal banking information. Using a wireless hotspot, like those from Mobile Beacon (offered through TechSoup), instead of public Wi-Fi is an easy way to keep your data more secure. If you can't avoid public Wi-Fi, a virtual private network (VPN) is a good option — VPNs secure data between your computer and the website you're visiting. Not all VPNs provide the same level of security, though, and you'll need to make sure your VPN of choice conforms to any data security regulations that your organization may be subject to. See our previous overview of VPNs for more. #4 Risk: Inappropriate Sharing of Sensitive Information The Problem Sharing sensitive information via email, messaging apps, or similar means is a risky proposition. Email is a notoriously insecure method of communication. Email accounts are often the target of data breaches and phishing attacks. (A phishing attack is where an attacker tries to steal your account information by tricking you to enter your account information on a phony login page.) And whether it's through email or messaging app, it's all too easy to accidentally leak data by sharing it with the wrong person. 
How You Can Mitigate It Avoid sending sensitive information to colleagues via email. It's easier said than done, we know. Maybe you need to share a list of donor contact information with your marketing department, for example. Consider uploading it to a secure file server on your network that can only be accessed by others in the office. If your organization uses a cloud storage service like Box, consider using that instead — so long as it meets your organization's security needs. These cloud storage services usually encrypt data you upload to prevent it from getting stolen. You may also want to consider using constituent relationship management (CRM) software, a tool designed specifically to store and manage your organization's contacts. In addition, pay attention to access permissions. If you can, restrict access to sensitive information to only those who need it. Revisit your permissions settings regularly and update them as needed. To prevent your user accounts from being compromised in the first place, practice good account security hygiene. Use strong passwords and require your staff to use two-factor authentication. #5 Risk: Handling Credit Card Data The Problem A breach involving credit card data can be embarrassing for your organization, but it could wreak financial havoc on your members and supporters. All it takes is for hackers to grab a few pieces of information to rack up credit card debt in your supporters' names. How You Can Mitigate It Securing credit card information is important, but you don't have to make it up as you go. Make sure your organization conforms to payment card security standards. The Payment Card Industry Security Standards Council, as well as banks and credit card issuers, provide guidelines on how to best handle credit card information to prevent breaches. Has your nonprofit recently encountered any other notable risks? Tell us about it in the comments! Full Article security symantec2017 privacy databases
pro Protecting Yourself from Malware with Better Password Security By feeds.techsoup.org Published On :: Fri, 20 Oct 2017 22:36:00 GMT In Week 1 of National Cybersecurity Awareness Month (NCSAM) we looked at spoofed emails, cybercriminals' preferred method of spreading malware. Today, in an effort to provide you with the best information out there to keep you safe online, we're hitting you with a double dose of cybersafety news. Let's take a look at the topics for Week 2 and 3 of National Cybersecurity Awareness Month: malware and password security. They're separate but related issues in the world of Internet crime prevention, and a better understanding of each is key to protecting your property and personal information in today's digital world. Malware Malware is an umbrella term used to describe software that is intended to damage or disable computers and computer systems. If you'd like, you can take a moment and watch this video on malware from Norton Security. But the best way to begin protecting yourself against this stuff is to learn about all the different types of malware that can affect your computer. There are tons, so we'll just go over the broader categories for now. Viruses: Malicious bits of code that replicate by copying themselves to another program, computer boot sector, or document and change how a computer works. Viruses are typically attached to an executable file or program and spread once a user opens that file and executes it. Worms: They're like viruses, but are different in terms of the way they're spread. Worms typically exploit a vulnerability or a weakness that allows an attacker to reduce a system's information assurance. Missed that last Windows update? You might be more vulnerable to worms. Trojans: These look like legitimate pieces of software and are activated after a user executes them. Unlike a virus or a worm, a trojan does not replicate a copy of itself. 
Instead, it lurks silently in the background, compromising users' sensitive personal data. Ransomware: This refers to a type of malware that prevents or limits users from accessing their system, either by locking the system's screen or by locking or threatening to erase the users' files unless a ransom is paid. You may recall the WannaCry attack that affected users across the globe this summer, only to be thwarted by the accidental discovery of a "kill switch" that saved people from the malicious software. Spyware: This malware collects your personal information (such as credit card numbers) and often passes this information along to third parties online without you knowing. You can check out more descriptions and examples of the types of malware that exist today at MalwareFox, a malware detection and removal software program. Tips for Protecting Yourself Against Malware Staying malware-free doesn't require an engineering degree. You can greatly reduce, if not completely eliminate, your chances of falling victim to malware by following these easy tips. Keep your operating system current. Keep your software up to date, particularly the software you use to browse the Internet. Install antivirus and security software and schedule weekly scans. At TechSoup, we're protected by Symantec Endpoint Protection. At home, there are dozens of solutions you can use to protect yourself (PCMag lists many here). Mind where you click. Think twice before you download torrent videos or free Microsoft Office templates from some random website. Avoid public, nonpassword, nonencrypted Wi-Fi connections when you can. Use a VPN when you cannot. Spread the Word Let people know that TechSoup is helping you become more #CyberAware by sharing a message on your social media channels. If you tag @TechSoup on Twitter, we'll retweet the first two tweets. Remember, we're all in this together. 
Password Security Now that we've covered the nasty stuff that can make your life miserable if it ends up on your computer, let's go over some password security tips to help prevent malware from getting there in the first place. Using best practices when it comes to protecting your passwords is a proven way to protect your personal and financial information. Curious how knowledgeable you already are? Watch this video and take this quiz to enter a drawing for a $25 Amazon gift card! First, let's go over some facts. Passwords are the first line of defense to protect your personal and financial information. A weak password can allow viruses to gain access to your computer and spread through TechSoup's or your family's network. It's estimated that 73 percent of users have the same password for multiple sites and 33 percent use the same password every time. (Source: Digicert, May 2014) Despite a small sample size of 1,110 U.S. adults, a recent YouGov survey still found that 28 percent of adults use the same passwords for most of their online accounts. (Source: Business Insider, October 2017). Best Practices for Effective Password Protection One great way to better protect yourself is by opting for a passphrase, which is much more difficult to crack than a single-word password. Here are some guidelines to creating one. Pick a famous quote or saying and use the first letter of each word. Add a number that you can remember. Capitalize one letter. Make it unique by adding the first letter of your company's name to the beginning or end of the passphrase. Make it between 16 and 24 characters. You should never write your password down, but if you must, never store user IDs and passwords together. Finally — even though it might seem unwieldy — you should always use a different password for each site that requires one. In today's world, everything is connected. 
A savvy hacker can easily breach your bank account, email, and medical records in one fell swoop if you're using the same password for all three. Additional Cybersecurity Resources In case you missed it, take a look at last week's post on recognizing suspicious emails. Need a little inspiration? Find out how TechSoup and Symantec are making a difference in the lives of at-risk teens. Get more security tips from the National Cyber Security Alliance. National Cyber Security Alliance Month — observed every October — was created as a collaborative effort between government and industry to ensure that all Americans have the resources they need to stay safer and more secure online. Find out how you can get involved. Full Article
pro Bradford ‘most improved UK city for growth’ By www.fdiintelligence.com Published On :: Thu, 12 Dec 2019 12:38:06 +0000 Bradford has been rated as the most improved city by the Good Growth for Cities 2019 index, while Oxford remained the highest performing UK city. Full Article
pro FDI screening moves to the fore as protectionism takes hold By www.fdiintelligence.com Published On :: Tue, 25 Feb 2020 13:26:58 +0000 Authorities in the US, the EU and across the developed world are stepping up efforts to scrutinise foreign investment on the grounds of both national security and tech sovereignty. Full Article
pro Trentino pioneers sustainable approach to cinema investment By www.fdiintelligence.com Published On :: Tue, 25 Feb 2020 13:26:50 +0000 Sustainability is gaining traction in the creative industries, with the Italian region of Trentino designing a film production rating protocol that is being considered by the EU. Full Article
pro Safari Webkit Proxy Object Type Confusion By packetstormsecurity.com Published On :: Sun, 02 Jun 2019 15:30:59 GMT This Metasploit module exploits a type confusion bug in the JavaScript Proxy object in WebKit. The DFG JIT does not take into account that, through the use of a Proxy, it is possible to run arbitrary JS code during the execution of a CreateThis operation. This makes it possible to change the structure of e.g. an argument without causing a bailout, leading to a type confusion (CVE-2018-4233). The type confusion leads to the ability to allocate fake JavaScript objects, as well as the ability to find the address in memory of a JavaScript object. This allows us to construct a fake JSCell object that can be used to read and write arbitrary memory from JavaScript. The module then uses a ROP chain to write the first stage shellcode into executable memory within the Safari process and kick off its execution. The first stage maps the second stage Mach-O (containing CVE-2017-13861) into executable memory, and jumps to its entrypoint. The CVE-2017-13861 async_wake exploit leads to a kernel task port (TFP0) that can read and write arbitrary kernel memory. The process's credential and sandbox structure in the kernel is overwritten and the meterpreter payload's code signature hash is added to the kernel's trust cache, allowing Safari to load and execute the (self-signed) meterpreter payload. Full Article
pro Minister for ICT hails Bangladesh's approach to Industry 4.0 By www.fdiintelligence.com Published On :: Thu, 16 Apr 2020 12:04:14 +0000 Bangladesh minister for ICT Zunaid Ahmed Palak talks to Jacopo Dettoni about the government’s ambitious Digital Bangladesh programme designed to reach village level. Full Article
pro Gothenburg takes proactive stance as global headwinds bite By www.fdiintelligence.com Published On :: Thu, 12 Dec 2019 12:01:21 +0000 Despite its thriving automotive sector, Gothenburg is vulnerable to global economic pressures. However, local authorities are confident that their strategies will see the city ride out the uncertainties related to Brexit and the US-China trade wars. Full Article
pro BASF kicks off China megaproject By www.fdiintelligence.com Published On :: Mon, 16 Dec 2019 16:02:53 +0000 German chemical giant BASF has begun construction of its $10bn mega project in southern China, which will be the country’s first wholly foreign-owned chemical complex. Full Article
pro Kyrgyzstan ramps up efforts to improve image By www.fdiintelligence.com Published On :: Tue, 25 Feb 2020 13:13:50 +0000 Kyrgyzstan is trying to stabilise a volatile business environment by diversifying its economy away from gold and remittances, and employing an ombudsman to reassure investors. Full Article
pro Red Hat Hack Prompts Critical OpenSSH Update By packetstormsecurity.com Published On :: Fri, 22 Aug 2008 10:17:11 GMT Full Article linux ssh
pro Author Of The SSH Protocol Wants A New One By packetstormsecurity.com Published On :: Thu, 11 Apr 2013 03:02:01 GMT Full Article headline ssh
pro Production and preservation the key on Canada's Atlantic coast By www.fdiintelligence.com Published On :: Thu, 12 Dec 2019 11:24:54 +0000 Canada's Atlantic Ocean-bordering provinces are making the most of their coastal resources, using decades of knowhow to balance economic growth with sustainability. Full Article
pro Tower sections of GE’s 12-MW offshore wind turbine shipped to prototype site By feedproxy.google.com Published On :: 2019-06-11T13:10:09Z GE Renewable Energy announced the shipment of the four tower sections that will be part of GE’s Haliade-X 12 MW prototype to be installed later this summer in Maasvlakte-Rotterdam (NL). The four segments, at tower manufacturer GRI’s site in Seville, will be arriving in the Netherlands before the end of the month. Full Article News Wind Power Project Development Offshore
pro Eos supplying non-lithium batteries for Duke, UCSD storage projects By feedproxy.google.com Published On :: 2019-06-19T15:52:00Z Eos Energy Storage is the manufacturer and supplier of the zinc-based Aurora 2.0 battery system for Duke Energy's McAlpine substation and as a behind-the-meter solution at the University of California, San Diego. Full Article Microgrids Microgrids News Solar Renewables Energy Storage Duke Energy DER Solar Batteries Utility Integration
pro Corani seeking financing to develop 147-MW Banda Azul hydro project in Bolivia By feedproxy.google.com Published On :: 2019-06-20T13:27:00Z Jose Maria Romay, general manager of Corani (a subsidiary of Ende), has announced the company is seeking financing from Latin American development bank CAF and French development agency AFD for the 147-MW Banda Azul hydro project. Full Article Latin America News Hydropower New Development Finance
pro Vermont electric vehicle incentives provide a ‘symbolic’ boost By feedproxy.google.com Published On :: 2019-06-21T14:23:59Z Vermont joined the ranks of other New England states that provide incentives for electric vehicles with Gov. Phil Scott’s signature on June 14 on a yearly transportation bill. Full Article News Vehicle to grid DER Infrastructure
pro Nigerian renewable energy solutions provider Arnergy closes Series A financing By feedproxy.google.com Published On :: 2019-06-24T13:03:48Z Nigerian distributed utility company, Arnergy, announced it has raised $9 Million in a Series A round of funding led by Breakthrough Energy Ventures with participation from the Norwegian Investment Fund for Developing Countries (Norfund), EDFI ElectriFI and All On. Full Article DER Microgrids Microgrids News Off-Grid
pro NV Energy's new 540-MWh storage and 475-MW solar project comes at a very low price By feedproxy.google.com Published On :: 2019-06-25T13:39:39Z 8minute Solar Energy, NV Energy and the Moapa Band of Paiutes announced that NV Energy selected 8minute to develop the largest solar plus storage project ever built in Nevada and one of the largest in the world. Full Article Editor's Pick News Utility Scale Grid Scale Solar Storage