A DLL side loading vulnerability was found in the NPS Datastore server DLL that ships with Windows Vista. This issue can be exploited by loading the affected DLL as an embedded OLE object. When instantiating the object Windows will try to load the DLL iasdatastore2.dll from the current working directory. If an attacker convinces the user to open a specially crafted (Office) document from a directory also containing the attacker's DLL file, it is possible to execute arbitrary code with the privileges of the target user. This can potentially result in the attacker taking complete control of the affected system.

This Metasploit module exploits a well known remote code execution exploit after establishing encrypted control communications with a Data Protector agent. This allows exploitation of Data Protector agents that have been configured to only use encrypted control communications. This exploit works by executing the payload with Microsoft PowerShell so will only work against Windows Vista or newer. Tested against Data Protector 9.0 installed on Windows Server 2008 R2.

IBM Data Risk Manager (IDRM) contains three vulnerabilities that can be chained by an unauthenticated attacker to achieve remote code execution as root. The first is an unauthenticated bypass, followed by a command injection as the server user, and finally abuse of an insecure default password. This module exploits all three vulnerabilities, giving the attacker a root shell. At the time of disclosure, this is a 0day. Versions 2.0.3 and below are confirmed to be affected, and the latest 2.0.6 is most likely affected too.

I am often asked what I see as the biggest potential game-changers in tech — particularly as it relates to social good. Mobile, social, the cloud, and analytics continue to emerge as key themes. However, analytics is emerging as the true game changer — catalyzed by advances in open architecture.

Let me unpack what I mean by "open architecture." Open means that anyone can access it, contribute to it, and innovate on top of it. At Blackbaud, where I serve as chief technology officer, one of our core tenets has been to design an open, cloud-based software and data architecture. We're cultivating a technical community of partners, customers, and engineers (inside and outside of the company) who are innovating in different ways and contributing to this ecosystem.

From this vantage point, I see the way that openness accelerates the velocity of innovation. Looking at it from a different angle, open ecosystems also yield data and analytics that enable everyone who is part of them to gain more insights and intelligence.

This data can power intelligent software solutions, surface actionable events, maintain accurate and current data assets, and generally drive more results for users. In other words, an open cloud-based architecture elevates usage, which in turn generates more and more data and intelligence that make the system even more powerful.

With data, analytics, and intelligence in mind, the following capabilities emerge as candidates to have a great positive impact.

The Internet of Things

Internet of Things (IoT) technology is cheap and accessible and can transform normal household items into network devices that generate data. In my house, the lights, thermostats, appliances, cars, doors, and windows are all connected devices. These connected devices generate data and intelligence (such as trends in usage, optimization of electricity consumption, and so on). Much like a household, there are many IoT possibilities for nonprofits and other players in the social good space to generate valuable, actionable data.

Instrumentation

Instrumentation provides us with the ability to understand what's happening within our software. As Blackbaud ships features and capabilities within solutions, we monitor usage. We do so to understand if our customers can easily discover the new capability (do they use it the first time they log on?) and to determine if our customers find it valuable (is their use ongoing?). This data-driven approach is an extremely effective way of measuring both the quality of the user experience and the overall value of the work we're doing.

We can learn a lot about our customers just by observing what they do. Across the software industry, instrumentation is driving advances in understanding that enable more targeted solutions to users' challenges.

Usage Information

Like instrumentation, usage data enables us to understand the leading indicators that yield the best, most effective outcomes. For example, through usage data, we were able to understand that nonprofits who proactively thank donors within one week of giving have an advantage. They were much more effective at converting those individuals to longer-term supporters and recurring donors.

Predictive Intelligence

Predictive analytics showcase some of the most stunning and innovative applications of data. At Blackbaud, we think of predictive analytics as a kind of "self-driving car." It guides and sometimes fully automates tasks for our users, enabling them to gain much greater results. A few examples of predictive analytics scenarios that we're working on include

• Extending the most compelling message to a specific person at just the right time via the best channel, to keep them engaged, generate a donation, invite them to an event, or simply share a story.
• Intelligently connecting nonprofits, corporations, individuals, foundations, faith-based organizations, schools, and other stakeholders across the ecosystem we serve. That action enables us to more efficiently coordinate efforts and services and drive greater good together.
• Leveraging social information, an understanding of a person's network, geographical context, and other analytics to help connect an advocate with a nonprofit, school, or foundation, in just the right way.

We leverage the correlation of many different, disparate data sources to drive true intelligence and to power new, predictive user experiences across our applications. Our data platform is what powers this intelligence. This platform drives value across our solutions in other ways, including

• Correcting, appending, and de-duplicating data across the system
• Business intelligence and reporting that shows trends in data
• Real-time data pipelines that spark events across the system based on changes to the data

I’ve included only a few examples of technology capabilities we're researching that we believe will have a strong positive impact. The central theme of these capabilities is providing more actionable data and intelligence. Our commitment to delivering a robust, scalable, and flexible data architecture as well as open, cloud-based software enables us to take advantage of this technology. It also enables us to harness these capabilities to drive greater value for the customers we serve.

This blog post was written by Mary Beth Westmoreland.

spanhidden

Many nonprofits handle sensitive personal information belonging to community members — whether it's names or email addresses or payment information. But are you handling this data properly to prevent a data breach?

This post is by no means exhaustive — after all, every nonprofit handles different sorts of data, and each organization has different security needs. That said, these are some practical things to think about when you review your handling of sensitive personal information.

#1 Risk: Malware and Software Vulnerabilities

The Problem

This one may seem obvious, but with so many other security risks out there, it's easy to forget that malware still poses a major threat to your organization's data.

How You Can Mitigate It

To start, make sure you have antivirus software installed, and that it's up to date. In addition, you'll want to make sure your operating system and any software installed are also up to date, with all security patches installed.

Beyond that, be careful what you click on. Don't download and install software from sites you don't trust. Be careful of the email attachments and links you click on — even from people you know. If you aren't expecting a file or link, click with caution.

#2 Risk: Ransomware

The Problem

Ransomware is an especially insidious form of malware that holds your computer or data hostage unless you pay a sum of money to a criminal actor. Oftentimes, ransomware will encrypt your data, preventing you from accessing it. And according to Symantec's Director of Security Response Kevin Haley, some forms of ransomware will threaten to publicly release your data.

How You Can Mitigate It

Aside from up-to-date antivirus software and taking steps to avoid infection in the first place, there isn't a ton you can do to deal with a ransomware attack once your data's been encrypted.

In that case, according to Haley, keeping up-to-date backups of your data is your best bet. That way, you'll be able to get back up and running quickly with minimal data loss. (TechSoup offers backup and recovery solutions from Veritas.)

#3 Risk: Public Wi-Fi

The Problem

Public Wi-Fi is generally fine for some things, such as browsing cat videos on YouTube, or catching up on the headlines. However, for anything involving sensitive personal information, it's a security disaster waiting to happen. Bad actors could potentially eavesdrop on what you're doing while using public Wi-Fi, leaving your data and work open to prying eyes.

How You Can Mitigate It

First off, avoid using public, unsecured Wi-Fi when handling sensitive information — whether it's internal organizational data or your own personal banking information. Using a wireless hotspot, like those from Mobile Beacon (offered through TechSoup), instead of public Wi-Fi is an easy way to keep your data more secure.

If you can't avoid public Wi-Fi, a virtual private network (VPN) is a good option — VPNs secure data between your computer and the website you're visiting. Not all VPNs provide the same level of security, though, and you'll need to make sure your VPN of choice conforms to any data security regulations that your organization may be subject to. See our previous overview of VPNs for more.

#4 Risk: Inappropriate Sharing of Sensitive Information

The Problem

Sharing sensitive information via email, messaging apps, or similar means is a risky proposition.

Email is a notoriously insecure method of communication. Email accounts are often the target of data breaches and phishing attacks. (A phishing attack is where an attacker tries to steal your account information by tricking you to enter your account information on a phony login page.)

And whether it's through email or messaging app, it's all too easy to accidentally leak data by sharing it with the wrong person.

How You Can Mitigate It

Avoid sending sensitive information to colleagues via email. It's easier said than done, we know. Maybe you need to share a list of donor contact information with your marketing department, for example. Consider uploading it to a secure file server on your network that can only be accessed by others in the office.

If your organization uses a cloud storage service like Box, consider using that instead — so long as it meets your organization's security needs. These cloud storage services usually encrypt data you upload to prevent it from getting stolen. You may also want to consider using constituent relationship management (CRM) software, a tool designed specifically to store and manage your organization's contacts.

In addition, pay attention to access permissions. If you can, restrict access to sensitive information to only those who need it. Revisit your permissions settings regularly and update them as needed.

To prevent your user accounts from being compromised in the first place, practice good account security hygiene. Use strong passwords and require your staff to use two-factor authentication.

#5 Risk: Handling Credit Card Data

The Problem

A breach involving credit card data can be embarrassing for your organization, but it could wreak financial havoc on your members and supporters. All it takes is for hackers to grab a few pieces of information to rack up credit card debt in your supporters' names.

How You Can Mitigate It

Securing credit card information is important, but you don't have to make it up as you go. Make sure your organization conforms to payment card security standards. The Payment Card Industry Security Standards Council, as well as banks and credit card issuers, provide guidelines on how to best handle credit card information to prevent breaches.

Has your nonprofit recently encountered any other notable risks? Tell us about it in the comments!

spanhidden

Here's a simple way to keep your data safe from potential bad actors in one easy step. Are you ready? Here it is: Log out and lock your computer whenever you're not in front of it.

That's right, it's so simple it can almost be seen as an analog approach to cybersecurity. But make no mistake, all those in-depth disk encryption efforts can be rendered pointless. If you step away from your computer while it's on and unlocked, anyone passing by can access it.

Working Remotely Promotes Data Vulnerability

What's perhaps most insidious about someone gaining physical access to your computer is the fact that the attacker doesn't need any advanced technical know-how to steal sensitive information. A momentary lapse in vigilance at work or a coffee shop can result in a data breach of epic proportions.

Let's say you're working remotely at your favorite café down the street from your apartment and you get up to put in an order for a late breakfast, forgetting to lock your laptop. During that brief moment, a low-key cybervillian could easily stick a USB drive into your computer and copy any sensitive files about you — or your organization — and leave undetected.

Furthermore, if you were logged in to Gmail, your medical records, or your bank account, that malefactor could wreak havoc on your personal and professional life in a matter of minutes.

Tips for Protecting Yourself

The good news about all of this is that warding off these types of would-be data plunderers is really, really easy — it's simply a matter of using your operating system's screen locking functionality. If you don't want to do this, then at the very least you should log out of any sensitive online accounts whenever you step away from your machine.

For each of the following options, be sure you are aware of the password connected to your user login before locking yourself (or anyone else) out.

Screen Locking in Microsoft Windows

• Press Ctrl+Alt+Delete and select Lock this computer
• Press Windows+L

Either of these will lock your computer and require a password to log back in. You can choose Control Panel > Personalization > Screen Saver Settings and set up a screen saver that provides a login screen to get back in once it's been initiated.

Screen Locking in macOS

• On an external keyboard or older laptops, press Ctrl+Shift+Eject
• On a MacBook Air or Pro Retina, press Ctrl+Shift+Power

You can also go to System Preferences > Security & Privacy > General and select Require password immediately after sleep or screen saver begins (provided you have already set up a screen saver by clicking System Preferences > Desktop & Screen Saver).

Additional Cybersecurity Resources

• Find out how to recognize suspicious emails and protect yourself against malware through better password security
• Check out our recent post on the future of security threats

Get more security tips from the National Cyber Security Alliance. National Cyber Security Awareness Month — observed every October — was created as a collaborative effort between government and industry to ensure that all Americans have the resources they need to stay safer and more secure online. Find out how you can get involved.

Image: National Cyber Security Alliance

spanhidden

According to an analysis by the SUN DAY Campaign of data just released by the Federal Energy Regulatory Commission (FERC), U.S. electrical generating capacity by renewable energy sources (i.e., biomass, geothermal, hydropower, solar, wind) has now - for the first time - surpassed that of coal.

Alphabet Inc.’s Google said it would invest 1 billion euros ($1.1 billion) to expand its data center infrastructure in the Netherlands.