Nonprofit Databases Often Too Small For Heartbleed Hackers

By Patrick Sullivan - May 30, 2014

Have you changed your donor management system’s password lately? If you’ve heard about the Heartbleed bug, you probably already have. If you haven’t changed your passwords, do it now. We’ll wait.

Heartbleed is a coding bug within the OpenSSL open-source web security software. A “heartbeat” is a signal that passes between the server and a user’s computer to check that a session is still active. The two entities ask each other to return a random phrase at a specific character length, such as “Good: 4 characters.”

A hacker can trick the server into returning much more memory by asking for “Good: 64,000 characters.” Hidden in that extra data can be usernames, passwords, encryption codes, credit card numbers, and a number of other sensitive bits of information.

Many of the most popular donor management systems, such as those made by Abila, Blackbaud, Softerware and Wild Apricot, do not use OpenSSL. “Our primary platform of choice is Microsoft-based,” said Grant Howe, vice president of research and development for Austin, Texas-based Abila. “Most of our web-based products are using Internet information servers with Schannel (Microsoft’s security analog to OpenSSL).”

Howe said that the most commonly affected are Apache servers. According to a survey by Internet services company Netcraft in Bath in the United Kingdom, an estimated two-thirds of web servers worldwide are open-source servers from Apache and nginx, both of which were affected by Heartbleed.

Big websites affected by OpenSSL’s Heartbleed include Facebook, Google, Instagram and Dropbox. “A lot of times, very large SaaS (software as a service) vendors are going to gravitate to open source,” said Howe. “As you scale an application wider, the expense of a license scales.”

Howe said it’s “a little bit of a crapshoot” as to what thieves can get when they exploit the Heartbleed bug. That’s why they request so much memory. The bug has since been patched with a line of code that checks that the buffer is the same size as the word it’s supposed to return.
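The heartbeat exchange described above, and the one-line bounds check that fixed it, as an added Python simulation (not code from the article or from OpenSSL): the server’s memory is a constructed byte string with secrets placed after the record, and the record layout follows the TLS heartbeat format (type byte, two-byte payload length, payload, at least 16 bytes of padding).

```python
import struct

HB_REQUEST, HB_RESPONSE = 1, 2
HEADER = 3        # 1 byte type + 2 bytes payload_length
MIN_PADDING = 16  # heartbeat records carry at least 16 bytes of padding


def build_heartbeat(claimed_len: int, payload: bytes) -> bytes:
    """Encode a heartbeat record: type | payload_length | payload | padding."""
    return struct.pack("!BH", HB_REQUEST, claimed_len) + payload + bytes(MIN_PADDING)


def _echo(record: bytes, adjacent_memory: bytes, claimed_len: int) -> bytes:
    """Copy claimed_len bytes starting where the payload sits in memory."""
    memory = record + adjacent_memory  # the record as it lies in the process heap
    echoed = memory[HEADER:HEADER + claimed_len]  # over-reads if claimed_len > real payload
    return struct.pack("!BH", HB_RESPONSE, claimed_len) + echoed + bytes(MIN_PADDING)


def respond_vulnerable(record: bytes, adjacent_memory: bytes) -> bytes:
    """Pre-patch logic: trust the peer's payload_length field as-is."""
    _, claimed_len = struct.unpack("!BH", record[:HEADER])
    return _echo(record, adjacent_memory, claimed_len)


def respond_patched(record: bytes, adjacent_memory: bytes):
    """Post-patch logic: the claimed length must fit inside the record actually
    received (header + payload + padding); otherwise the record is dropped."""
    if len(record) < HEADER + MIN_PADDING:
        return None
    _, claimed_len = struct.unpack("!BH", record[:HEADER])
    if HEADER + claimed_len + MIN_PADDING > len(record):  # the one-line bounds check
        return None
    return _echo(record, adjacent_memory, claimed_len)


def response_payload(response: bytes) -> bytes:
    """Return the echoed payload carried by a heartbeat response."""
    _, n = struct.unpack("!BH", response[:HEADER])
    return response[HEADER:HEADER + n]


# Constructed scenario: secrets that happen to sit in heap memory after the record.
ADJACENT_MEMORY = b"\x00" * 8 + b"user=alice;pass=hunter2;" + b"\x00" * 8

honest = build_heartbeat(4, b"Good")         # "Good: 4 characters"
malicious = build_heartbeat(64000, b"Good")  # "Good: 64,000 characters"

if __name__ == "__main__":
    print(response_payload(respond_vulnerable(honest, ADJACENT_MEMORY)))     # b'Good'
    print(response_payload(respond_vulnerable(malicious, ADJACENT_MEMORY)))  # 'Good' plus leaked secrets
    print(respond_patched(malicious, ADJACENT_MEMORY))                        # None
```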

Your donor database software could have been affected by Heartbleed. But the good news is, even if it was, “Nonprofits would be pretty far down the list” of targets, said Steve Kirsch, founder and CEO of oneID, in Redwood City, Calif. When it comes to nonprofits, “there’s so many targets and so little time, people would go to the targets” with the greatest value.

“The information people typically give to a nonprofit isn’t super valuable compared to another web server,” said Kirsch. “The other thing is frequency. If you’re looking at donors, nonprofits have a fairly low rate of transactions per second compared to e-commerce sites. Those are much richer targets.”

Most organizations don’t store Social Security numbers in their databases. “I think donors would be hesitant to give that out,” said Howe. But information such as addresses, phone numbers and email addresses could be accessed, as well as staff usernames, passwords, and encryption keys.

“I think the obvious concern is that donor data is explicitly personally identifiable information, and it’s not something that can be changed, unlike the credentials to a website. It might also have credit card information stored or linked to it as well,” said Kevin Lo, senior program manager for TechSoup Global in San Francisco, Calif.

If Heartbleed isn’t quite the disaster for the nonprofit sector that it is for online retailers, there are plenty of other security threats. “A lot of attacks come internally,” said Howe. “You can get attacked from the Internet, but also by insiders.”

Security issues are the same for nonprofits with their own databases and for co-op databases. DonorBase, in Armonk, N.Y., works with more than 250 organizations and has approximately 60 million donor records, according to Bruce Demaree, vice president of cooperative data services. “You cannot get to our database through the open Internet,” he said. “You wouldn’t be able to find it. If there’s a really clever hacker who can identify it, good luck getting in.”

Howe advocates a defense-in-depth approach to database security. “Basically, defense-in-depth means you need to put in layers of security,” he said. “It’s like a filter or a sieve. You can never be completely secure, but you can reduce your risk with successive layers of security.”

Firewalls are an example of one layer of security. Howe advocates for what he calls a “demilitarized zone” on servers. “Next, you can apply vulnerability assessment tools,” he said. “That’s a good protection for Heartbleed. If your servers have Heartbleed, assessment tools will pick that up.”

If you’re part of a co-op, you probably don’t have to worry about technical exploits that allow your data to be accessed improperly, Demaree said. “Most fraud is committed on the human level,” he said. “This is not through technical malfeasance, it’s through bad intent: people entrusted with data who misuse it.”

Make sure your legal counsel reviews the contract you have with the provider. “Many agreements are ambiguous, and often when data is given on trust, it has the potential to be misused,” he said.

The contracts might “appear to be standard but you need to be aware of the nuances and be very clear about how your data is used in a co-op environment,” said Demaree. “The biggest vulnerability is to give your data to a co-op and then have that data resold without your overt knowledge.”

Defense-in-depth is “tried and true, and most certainly (a strategy) that nonprofits should think about,” said Lo. A periodic security audit is also good. Lo recommends security training as part of new staff and volunteer orientation. “While security might seem to be an arcane or remote possibility in your organization, that shouldn’t be an excuse not to have proper safeguards in place.”

Complexity around data security is why Howe suggests moving to a cloud-based option. Hosting a database on a software company’s server can free you up to focus more on your mission and worry less about security concerns. It’s a question of scale and being able to take advantage of an IT company’s expertise.

Many nonprofits, said Howe, “have their servers unsecured right out in the open, or maybe they have a server room. They don’t have the capabilities to really secure it or manage vulnerability.” He said that if someone can get physical access to a server, they have free rein with the data.

“There’s a lot of stuff, a lot of skill sets” involved in a holistic approach to security, said Howe. “It’s hard to find one individual who is an expert in all of them. It kind of takes a village, and most nonprofits don’t have those resources.” Many potential SaaS clients have been wary of cloud security, but Howe said he finds himself having to justify the security benefits of the cloud less and less.

Lo said there are some basic questions to ask of your security protocols. “Is the data redundant?” he asked rhetorically. “Is it encrypted? Is two-factor authentication an option? For example, in the wake of Heartbleed, your provider should have audited their systems right away and notified you of any action you might need to take or passwords you should consider changing. Besides making sure your workstations are patched and updated, I always recommend drive encryption, which comes standard with many OS (operating systems) now.”

Another security risk is theft and data loss. “Your data may be leaked not because of some hacker, but due to a weak link in your staff,” said Lo. “I work under the assumption that all software has some sort of security flaw. It’s whether or not it’s been exploited. I would be more concerned about a volunteer having access to an online database using their own computer, and that computer being compromised, or in an on-premise scenario, an employee’s car gets broken into and a laptop or tablet is stolen and there’s a copy of the donor list on it,” said Lo.

A strategy that is gaining traction, and might be one of the better layers for a donor management system, is an intrusion detection system. “These are software or appliances that you first train as to what normal traffic is,” said Howe. “It learns, then you throw the training switch off and it looks for nonstandard traffic. It’s not looking for a particular vulnerability, it looks for something that’s odd. New attacks come out commonly, and there’s value in seeing when something’s not normal.” NPT
