Ubuntu Security Notice 4201-1 - It was discovered that Ruby incorrectly handled certain files. An attacker could possibly use this issue to pass path matching what can lead to an unauthorized access. It was discovered that Ruby incorrectly handled certain regular expressions. An attacker could use this issue to cause a denial of service. It was discovered that Ruby incorrectly handled certain HTTP headers. An attacker could possibly use this issue to execute arbitrary code. Various other issues were also addressed.

This Metasploit module exploits an uninitialized variable vulnerability in the Annotation Objects ActiveX component. The activeX component loads into memory without opting into ALSR so this module exploits the vulnerability against windows Vista and Windows 7 targets. A large heap spray is required to fulfill the requirement that EAX points to part of the ROP chain in a heap chunk and the calculated call will hit the pivot in a separate heap chunk. This will take some time in the users browser.

SunOS version 5.10 Generic_147148-26 local privilege escalation exploit. A buffer overflow in the CheckMonitor() function in the Common Desktop Environment versions 2.3.1 and earlier and 1.6 and earlier, as distributed with Oracle Solaris 10 1/13 (Update 11) and earlier, allows local users to gain root privileges via a long palette name passed to dtsession in a malicious .Xdefaults file.

A potential vulnerability with LOGINOUT for OpenVMS (VAX & ALPHA) V7.1 software has been discovered.

Ubuntu Security Notice 3964-1 - Marcus Brinkmann discovered that GnuPG before 2.2.8 improperly handled certain command line parameters. A remote attacker could use this to spoof the output of GnuPG and cause unsigned e-mail to appear signed. It was discovered that python-gnupg incorrectly handled the GPG passphrase. A remote attacker could send a specially crafted passphrase that would allow them to control the output of encryption and decryption operations. Various other issues were also addressed.

Ubuntu Security Notice 3991-1 - Multiple security issues were discovered in Firefox. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, spoof the browser UI, trick the user in to launching local executable binaries, obtain sensitive information, conduct cross-site scripting attacks, or execute arbitrary code. Various other issues were also addressed.

pArAnoIA is a toolkit designed to surf the Internet. It's a browser with TOR built-in, spoofing of user-agent and other functions, ensures strict use of TLS, and more.

Ubuntu Security Notice 4054-1 - A sandbox escape was discovered in Firefox. If a user were tricked in to installing a malicious language pack, an attacker could exploit this to gain additional privileges. Multiple security issues were discovered in Firefox. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information, bypass same origin restrictions, conduct cross-site scripting attacks, conduct cross-site request forgery attacks, spoof origin attributes, spoof the addressbar contents, bypass safebrowsing protections, or execute arbitrary code. Various other issues were also addressed.

Ubuntu Security Notice 4064-1 - A sandbox escape was discovered in Thunderbird. If a user were tricked in to installing a malicious language pack, an attacker could exploit this to gain additional privileges. Multiple security issues were discovered in Thunderbird. If a user were tricked in to opening a specially crafted website in a browsing context, an attacker could potentially exploit these to cause a denial of service, bypass same origin restrictions, conduct cross-site scripting attacks, spoof origin attributes, or execute arbitrary code. Various other issues were also addressed.

Ubuntu Security Notice 4054-2 - USN-4054-1 fixed vulnerabilities in Firefox. The update introduced various minor regressions. This update fixes the problems. A sandbox escape was discovered in Firefox. If a user were tricked in to installing a malicious language pack, an attacker could exploit this to gain additional privileges. Multiple security issues were discovered in Firefox. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information, bypass same origin restrictions, conduct cross-site scripting attacks, conduct cross-site request forgery attacks, spoof origin attributes, spoof the addressbar contents, bypass safebrowsing protections, or execute arbitrary code. It was discovered that Firefox treats all files in a directory as same origin. If a user were tricked in to downloading a specially crafted HTML file, an attacker could potentially exploit this to obtain sensitive information from local files. Various other issues were also addressed.

Ubuntu Security Notice 4202-2 - USN-4202-1 fixed vulnerabilities in Thunderbird. After upgrading, Thunderbird created a new profile for some users. This update fixes the problem. It was discovered that a specially crafted S/MIME message with an inner encryption layer could be displayed as having a valid signature in some circumstances, even if the signer had no access to the encrypted message. An attacker could potentially exploit this to spoof the message author. Multiple security issues were discovered in Thunderbird. If a user were tricked in to opening a specially crafted website in a browsing context, an attacker could potentially exploit these to cause a denial of service, bypass security restrictions, bypass same-origin restrictions, conduct cross-site scripting attacks, or execute arbitrary code. A heap overflow was discovered in the expat library in Thunderbird. If a user were tricked in to opening a specially crafted message, an attacker could potentially exploit this to cause a denial of service, or execute arbitrary code.

Ubuntu Security Notice 4299-1 - Multiple security issues were discovered in Firefox. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, spoof the URL or other browser chrome, obtain sensitive information, bypass Content Security Policy protections, or execute arbitrary code. Various other issues were also addressed.

Ubuntu Security Notice 4294-1 - It was discovered that OpenSMTPD mishandled certain input. A remote, unauthenticated attacker could use this vulnerability to execute arbitrary shell commands as any non-root user. It was discovered that OpenSMTPD did not properly handle hardlinks under certain conditions. An unprivileged local attacker could read the first line of any file on the filesystem.

This Metasploit module exploits a shell command injection vulnerability in the libnotify plugin. This vulnerability affects Metasploit versions 5.0.79 and earlier.

Cyprus is ranked first in fDi’s Island Economies of the Future rankings, followed by the Dominican Republic and Sri Lanka. Cathy Mullan and Naomi Davies detail the results.

Russia remains fDi’s most diversified commodity economy, while second ranked Brazil has displaced Ukraine into third place. Cathy Mullan reports.

DA-WIN, a wireless IDS, provides an organization a continuous wireless scanning capability that is light touch and simple. It utilizes compact and discreet sensors that can easily be deployed reducing the total cost of protection and simplifying the effort required for absolute, categoric regulatory compliance. This archive includes a dd image to be used on a Raspberry Pi and a user manual.

DA-WIN, a wireless IDS, provides an organization a continuous wireless scanning capability that is light touch and simple. It utilizes compact and discreet sensors that can easily be deployed reducing the total cost of protection and simplifying the effort required for absolute, categoric regulatory compliance. This archive includes a dd image to be used on a Raspberry Pi and a user manual.

Ubuntu Security Notice 4059-1 - It was discovered that Squid incorrectly handled certain SNMP packets. A remote attacker could possibly use this issue to cause memory consumption, leading to a denial of service. This issue only affected Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. It was discovered that Squid incorrectly handled the cachemgr.cgi web module. A remote attacker could possibly use this issue to conduct cross-site scripting attacks. Various other issues were also addressed.

Here is the short answer to the question of how many Microsoft products you can request: You can get 50 of each kind of product in a two-year period — but there are some exceptions.

See Microsoft products

What do you mean by "each kind of product"?

The Microsoft Donation Program divides products into categories called title groups. See the current list of 37. A title group contains products that serve essentially the same purpose, like PowerPoint and PowerPoint for Mac.

You can get products from 10 title groups in your two-year cycle.

When does this two-year cycle start and end? Is it the calendar year?

No. Your nonprofit has its own two-year cycle. Your first cycle started the day you requested your first Microsoft product through TechSoup. You can see when your current cycle ends on your Microsoft Donation Center page.

Outlook and PowerPoint are both title groups. Does that mean we can get 50 of each product?

That's right. They can be all the Windows version, all the Mac version, or a mixture of the two. And you will be able to request products from eight more title groups.

What are the exceptions you mentioned?

They have to do with servers. Microsoft offers two licensing models for its server products.

• Core-based licensing. This licensing is based on the number of cores in the physical processors of your server machines. The product page on TechSoup will tell you whether the server uses this type of licensing. You can request up to 50 of these products from each title group, the same as desktop products. But you might have to request more than one product to fully license all the processors in your server.
• Non-core-based licensing. You can request a total of five server products that do not use core-based licensing. They can be from a single title group or from different title groups, but the total cannot be more than five.

A lot of the title groups are for CALs and MLs. What are the limits for these?

You can get 50 from each title group.

CALs, or client access licenses, give you access to a server from a device like your desktop computer.

MLs, or management licenses, let your device be managed by a management server.

Where can I find out more?

This article goes into a lot more detail and gives examples of how the various allotments work together.

spanhidden

I am often asked what I see as the biggest potential game-changers in tech — particularly as it relates to social good. Mobile, social, the cloud, and analytics continue to emerge as key themes. However, analytics is emerging as the true game changer — catalyzed by advances in open architecture.

Let me unpack what I mean by "open architecture." Open means that anyone can access it, contribute to it, and innovate on top of it. At Blackbaud, where I serve as chief technology officer, one of our core tenets has been to design an open, cloud-based software and data architecture. We're cultivating a technical community of partners, customers, and engineers (inside and outside of the company) who are innovating in different ways and contributing to this ecosystem.

From this vantage point, I see the way that openness accelerates the velocity of innovation. Looking at it from a different angle, open ecosystems also yield data and analytics that enable everyone who is part of them to gain more insights and intelligence.

This data can power intelligent software solutions, surface actionable events, maintain accurate and current data assets, and generally drive more results for users. In other words, an open cloud-based architecture elevates usage, which in turn generates more and more data and intelligence that make the system even more powerful.

With data, analytics, and intelligence in mind, the following capabilities emerge as candidates to have a great positive impact.

The Internet of Things

Internet of Things (IoT) technology is cheap and accessible and can transform normal household items into network devices that generate data. In my house, the lights, thermostats, appliances, cars, doors, and windows are all connected devices. These connected devices generate data and intelligence (such as trends in usage, optimization of electricity consumption, and so on). Much like a household, there are many IoT possibilities for nonprofits and other players in the social good space to generate valuable, actionable data.

Instrumentation

Instrumentation provides us with the ability to understand what's happening within our software. As Blackbaud ships features and capabilities within solutions, we monitor usage. We do so to understand if our customers can easily discover the new capability (do they use it the first time they log on?) and to determine if our customers find it valuable (is their use ongoing?). This data-driven approach is an extremely effective way of measuring both the quality of the user experience and the overall value of the work we're doing.

We can learn a lot about our customers just by observing what they do. Across the software industry, instrumentation is driving advances in understanding that enable more targeted solutions to users' challenges.

Usage Information

Like instrumentation, usage data enables us to understand the leading indicators that yield the best, most effective outcomes. For example, through usage data, we were able to understand that nonprofits who proactively thank donors within one week of giving have an advantage. They were much more effective at converting those individuals to longer-term supporters and recurring donors.

Predictive Intelligence

Predictive analytics showcase some of the most stunning and innovative applications of data. At Blackbaud, we think of predictive analytics as a kind of "self-driving car." It guides and sometimes fully automates tasks for our users, enabling them to gain much greater results. A few examples of predictive analytics scenarios that we're working on include

• Extending the most compelling message to a specific person at just the right time via the best channel, to keep them engaged, generate a donation, invite them to an event, or simply share a story.
• Intelligently connecting nonprofits, corporations, individuals, foundations, faith-based organizations, schools, and other stakeholders across the ecosystem we serve. That action enables us to more efficiently coordinate efforts and services and drive greater good together.
• Leveraging social information, an understanding of a person's network, geographical context, and other analytics to help connect an advocate with a nonprofit, school, or foundation, in just the right way.

We leverage the correlation of many different, disparate data sources to drive true intelligence and to power new, predictive user experiences across our applications. Our data platform is what powers this intelligence. This platform drives value across our solutions in other ways, including

• Correcting, appending, and de-duplicating data across the system
• Business intelligence and reporting that shows trends in data
• Real-time data pipelines that spark events across the system based on changes to the data

I’ve included only a few examples of technology capabilities we're researching that we believe will have a strong positive impact. The central theme of these capabilities is providing more actionable data and intelligence. Our commitment to delivering a robust, scalable, and flexible data architecture as well as open, cloud-based software enables us to take advantage of this technology. It also enables us to harness these capabilities to drive greater value for the customers we serve.

This blog post was written by Mary Beth Westmoreland.

spanhidden

(Please visit the site to view this video)

What does it take to make a city greener? In San Francisco, it took a small group of motivated people to come together to create a nonprofit. After the city cut funding for urban forestry 36 years ago, seven individuals decided to take matters into their own hands. They created a nonprofit, Friends of the Urban Forest (FUF).

Starting with a Small Budget, FUF Plants Nearly Half San Francisco's Street Trees

The organization started off with just a small budget from a leftover city grant. Then it used grassroots efforts to rally neighborhoods throughout the city around urban trees. By empowering and supporting communities and homeowners to plant and care for their own trees, FUF has successfully planted 60,000 of the 125,000 trees in San Francisco. The group eventually even worked with the city to create San Francisco's first ever Urban Forest Plan.

FUF Harnesses the Power of Many Volunteers to Plant and Advocate for Trees

FUF is a member of TechSoup, and TechSoup's staffers were very excited to reach out for an interview to hear more about the group's impact. My team joined FUF early on a Saturday morning for its volunteer tree planting event in the Portola neighborhood, a part of the city that is lacking street trees. It was cold even by San Francisco standards, but there was an impressive turnout of volunteers present and ready to plant.

The executive director of FUF, Dan Flanagan, joined us and told us about his work. "We get to get out in the city and make it greener. We advocate for trees; I always call ourselves the Lorax of San Francisco. We are the only organization in San Francisco that is speaking for the trees."

FUF Gets the Chance to Plant Even More Trees … in Neighborhoods That Really Need Them

Dan was excited about a recent accomplishment for the organization. San Francisco just passed Proposition E, which opens up major opportunities for the nonprofit. As he said, "It changes the responsibility from street trees and sidewalks away from the homeowners and to the city. As a result, homeowners are no longer responsible, and now we actually get a chance to make the city more green than ever before by planting more trees in neighborhoods that couldn't afford it before."

This policy makes the city responsible for maintenance, but it will still require FUF to continue its work of planting the trees. FUF hopes to plant 1,700 trees this year and ultimately hopes to plant 3,000 trees every year.

FUF Puts Technology from TechSoup to Work

I was curious to find out how FUF was using technology to further its mission. Jason Boyce, individual gifts manager, said: "Here at Friends of the Urban Forest, a lot of our field staff tend to be out in the field all day; technology really needs to be out of the way to allow us to plant. So, as a result, the relationships we build with our community tend to be stronger because we use technology to enable our work, but it doesn't get in the way of our work."

Jason explained, "We have been working with ArcMap for years, ... GIS software that TechSoup has provided for us. We use it to plant trees, to figure out where we are going to plant. When we do our plantings, we actually dole out the maps that our volunteers use to do the plantings, and all that comes through ArcMap. We use Adobe Acrobat to put together our tree manuals for our new tree owners and volunteer manuals. We use AutoCAD to put together the permit drawings for our sidewalk gardens. Technology plays a really important role in doing our plantings and making San Francisco more green."

FUF Partners with the City to Calculate the Environmental Benefits of Trees

Jason also recently worked with the city on the Urban Forest Map, which is an interactive online map that tracks every tree in San Francisco. The map helps calculate the environmental benefits the trees provide, including stormwater mitigation, air pollutants captured, and carbon dioxide removed from the atmosphere. This platform has increased the visibility of the city's urban forest.

As Jason said, "We are now at the forefront of cities worldwide that are building software to manage their urban forests. … [This] really gives a lot of benefit to the people living in San Francisco."

TechSoup is proud to support organizations like Friends of the Urban Forest by enabling them with the technology they need. That support gives them more time to focus on their impact, like planting trees, or to build the communities that help them thrive.

spanhidden

In 2015, the state of Louisiana consumed more energy per capita than any other state, according to the U.S. Energy Information Administration. Although this may not come as a complete surprise — the state's warm, muggy climate makes air conditioning a must — it's clear that Louisiana's energy-use profile needs a drastic transformation.

The Energy Wise Alliance (EWA), a small nonprofit based in New Orleans, is determined to do just that. Along the way, the organization has gotten a boost from Microsoft's MileIQ app.

MileIQ is a mobile app from Microsoft that automatically tracks the miles you've traveled and records all of your tax-deductible and reimbursable mileage. It's kind of like using a Fitbit, except you're tracking your driving. You can report your business drives on demand and claim your reimbursements or maximize your tax deductions. The average MileIQ user is logging $6,900 per year.

Building a More Energy-Efficient Community

EWA works to make energy efficiency more accessible to everyone. The organization works primarily with low-income families, tenants, and others who would otherwise be left out of the green energy revolution. EWA accomplishes its goals through both workshops and equipment upgrades at homes and businesses.

Its Energy Smart for Kids program teaches students throughout the state how to lead a more energy-efficient lifestyle. These hourlong sessions cover the pitfalls of nonrenewable energy and detail more sustainable alternatives. At the end of each session, EWA volunteers hand out energy-efficiency starter kits so students can apply what they learned at home.

Much like the rest of EWA's programs, Energy Smart for Kids serves underserved and underprivileged communities. In fact, many of the schools that EWA serves are Title 1 schools — schools whose students generally come from lower-income households.

Aside from schools, EWA also helps nonprofits become more sustainable.

Making Nonprofits Greener and More Cost-Efficient

Nonprofits can benefit from EWA's work by way of simple but effective power-saving retrofits. EWA also provides volunteer labor and donates the materials for the retrofits, which means added cost savings. And as we all know, cost-saving programs are like gold dust for nonprofits.

For example, volunteers from EWA revitalized the Victorian-era headquarters of the Alliance Française, a nonprofit dedicated to preserving Francophone heritage in the New Orleans community, with sustainable retrofits. As part of these upgrades, EWA sealed cracks, gaps, and openings; installed additional insulation; and programmed new thermostats.

In addition, EWA gave the Alliance Française's volunteers a hands-on demonstration of behavioral changes so that they could bring this knowledge back home. EWA anticipated that the Alliance Française would save a total of $2,000 to $3,000 as a result of these green improvements.

EWA's staff members also actively save money and operate more efficiently through the use of the mile-tracking app MileIQ.

Saving Time and Money with MileIQ

This method, as you can imagine, was time-consuming, and it brought with it the risk of human error. Most people can't possibly remember every single trip they make with their car, after all.

"MileIQ is super accurate and takes the forgetting out of the equation," said Jamie Wine, executive director of EWA.

For Kevin Kellup, education coordinator at EWA, MileIQ has been a game-changer. Jamie explained, "Kevin drives like crazy from school to school," racking up miles on his personal car. Now, thanks to MileIQ, Kevin can get more fairly and accurately reimbursed for his constant traveling.

The most important benefit of Microsoft's MileIQ for Jamie is that his staff can be correctly reimbursed for mileage. He wants to show staff members that he values their time and effort spent traveling, which MileIQ really helps him achieve.

For nonprofits, particularly small ones like EWA, it's always great when the team can receive fair compensation for its hard work. "The staff doesn't get paid much," Jamie said. And considering how important staff members' work is to the community, every penny matters. That's also where TechSoup comes in.

TechSoup's Role: "Essential"

Through TechSoup, eligible nonprofits can get MileIQ at 80 percent off the subscription rate. "Without TechSoup," Jamie noted, "this huge step up in technology" would not have been possible. The MileIQ discount program from Microsoft has made acquiring MileIQ way easier on the nonprofit's pocket.

Having also previously obtained Microsoft Office 365 and QuickBooks Online through TechSoup, Jamie said, "TechSoup is a great equalizer." He mentioned that TechSoup helps a small nonprofit to grow into a technologically advanced organization. He added, "The super discounted products from TechSoup are like the pot of gold at the end of the rainbow."

Getting MileIQ Premium

Eligible nonprofits can get MileIQ at 80 percent off the individual subscription rate through TechSoup and can request an unlimited number of individual subscriptions. In addition to individual subscriptions, MileIQ is now included with an Office 365 Business Premium license. Nonprofits who currently do not have an Office 365 license can visit Microsoft's Office 365 for nonprofits page to register.

This blog post was written by Nicholas Fuchs.

spanhidden

Many nonprofits handle sensitive personal information belonging to community members — whether it's names or email addresses or payment information. But are you handling this data properly to prevent a data breach?

This post is by no means exhaustive — after all, every nonprofit handles different sorts of data, and each organization has different security needs. That said, these are some practical things to think about when you review your handling of sensitive personal information.

#1 Risk: Malware and Software Vulnerabilities

The Problem

This one may seem obvious, but with so many other security risks out there, it's easy to forget that malware still poses a major threat to your organization's data.

How You Can Mitigate It

To start, make sure you have antivirus software installed, and that it's up to date. In addition, you'll want to make sure your operating system and any software installed are also up to date, with all security patches installed.

Beyond that, be careful what you click on. Don't download and install software from sites you don't trust. Be careful of the email attachments and links you click on — even from people you know. If you aren't expecting a file or link, click with caution.

#2 Risk: Ransomware

The Problem

Ransomware is an especially insidious form of malware that holds your computer or data hostage unless you pay a sum of money to a criminal actor. Oftentimes, ransomware will encrypt your data, preventing you from accessing it. And according to Symantec's Director of Security Response Kevin Haley, some forms of ransomware will threaten to publicly release your data.

How You Can Mitigate It

Aside from up-to-date antivirus software and taking steps to avoid infection in the first place, there isn't a ton you can do to deal with a ransomware attack once your data's been encrypted.

In that case, according to Haley, keeping up-to-date backups of your data is your best bet. That way, you'll be able to get back up and running quickly with minimal data loss. (TechSoup offers backup and recovery solutions from Veritas.)

#3 Risk: Public Wi-Fi

The Problem

Public Wi-Fi is generally fine for some things, such as browsing cat videos on YouTube, or catching up on the headlines. However, for anything involving sensitive personal information, it's a security disaster waiting to happen. Bad actors could potentially eavesdrop on what you're doing while using public Wi-Fi, leaving your data and work open to prying eyes.

How You Can Mitigate It

First off, avoid using public, unsecured Wi-Fi when handling sensitive information — whether it's internal organizational data or your own personal banking information. Using a wireless hotspot, like those from Mobile Beacon (offered through TechSoup), instead of public Wi-Fi is an easy way to keep your data more secure.

If you can't avoid public Wi-Fi, a virtual private network (VPN) is a good option — VPNs secure data between your computer and the website you're visiting. Not all VPNs provide the same level of security, though, and you'll need to make sure your VPN of choice conforms to any data security regulations that your organization may be subject to. See our previous overview of VPNs for more.

#4 Risk: Inappropriate Sharing of Sensitive Information

The Problem

Sharing sensitive information via email, messaging apps, or similar means is a risky proposition.

Email is a notoriously insecure method of communication. Email accounts are often the target of data breaches and phishing attacks. (A phishing attack is where an attacker tries to steal your account information by tricking you to enter your account information on a phony login page.)

And whether it's through email or messaging app, it's all too easy to accidentally leak data by sharing it with the wrong person.

How You Can Mitigate It

Avoid sending sensitive information to colleagues via email. It's easier said than done, we know. Maybe you need to share a list of donor contact information with your marketing department, for example. Consider uploading it to a secure file server on your network that can only be accessed by others in the office.

If your organization uses a cloud storage service like Box, consider using that instead — so long as it meets your organization's security needs. These cloud storage services usually encrypt data you upload to prevent it from getting stolen. You may also want to consider using constituent relationship management (CRM) software, a tool designed specifically to store and manage your organization's contacts.

In addition, pay attention to access permissions. If you can, restrict access to sensitive information to only those who need it. Revisit your permissions settings regularly and update them as needed.

To prevent your user accounts from being compromised in the first place, practice good account security hygiene. Use strong passwords and require your staff to use two-factor authentication.

#5 Risk: Handling Credit Card Data

The Problem

A breach involving credit card data can be embarrassing for your organization, but it could wreak financial havoc on your members and supporters. All it takes is for hackers to grab a few pieces of information to rack up credit card debt in your supporters' names.

How You Can Mitigate It

Securing credit card information is important, but you don't have to make it up as you go. Make sure your organization conforms to payment card security standards. The Payment Card Industry Security Standards Council, as well as banks and credit card issuers, provide guidelines on how to best handle credit card information to prevent breaches.

Has your nonprofit recently encountered any other notable risks? Tell us about it in the comments!

spanhidden