Nonprofit Databases Often Too Small For Heartbleed Hackers
May 30, 2014 Patrick Sullivan
Have you changed your donor management system’s password lately? If you’ve heard about the Heartbleed bug, you probably did. If you haven’t changed your passwords, do it now. We’ll wait.
Heartbleed is a coding bug in OpenSSL, the open-source library that a large share of web servers use to provide SSL/TLS encryption. A “heartbeat” is a small keep-alive message that passes between the server and a user’s computer to check that a connection is still live. One side sends a short payload along with a number stating how long that payload is, and asks the other side to echo it back, for example “Good: 4 characters.”
Vulnerable versions of OpenSSL never checked that the stated length matched the data actually sent. A hacker can therefore send “Good” while claiming a length of “64,000 characters” (the length field allows just under 65,536 bytes), and the server will reply with “Good” followed by whatever happens to sit in the adjacent memory. Hidden in that extra data can be usernames, passwords, the server’s private encryption keys, credit card numbers, and a number of other sensitive bits of information, and the request can be repeated as often as the attacker likes, leaving no trace in the server’s logs.
Many of the most popular donor management systems, such as those made by Abila, Blackbaud, Softerware and Wild Apricot, do not use OpenSSL. “Our primary platform of choice is Microsoft-based,” said Grant Howe, vice president of research and development for Austin, Texas-based Abila. “Most of our web-based products are using Internet information servers with Schannel (Microsoft’s security analog to OpenSSL).”
Howe said that the most commonly affected are Apache servers. According to a survey by Internet services company Netcraft in Bath in the United Kingdom, an estimated two-thirds of web servers worldwide run the open-source Apache and nginx servers, both of which typically rely on OpenSSL and were therefore exposed to Heartbleed wherever a vulnerable version was installed.
Big websites affected by OpenSSL’s Heartbleed include Facebook, Google, Instagram and Dropbox. “A lot of times, very large SaaS (software as a service) vendors are going to gravitate to open source,” said Howe. “As you scale an application wider, the expense of a license scales.”
Howe said it’s “a little bit of a crapshoot” as to what thieves can get when they exploit the Heartbleed bug, because the attacker has no control over what lands in the leaked memory. That’s why they ask for as much memory as a single request allows, and keep asking. The bug has since been patched with a bounds check: the server now compares the length a heartbeat request claims against the data it actually received and silently discards any request whose claim doesn’t fit.
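The exchange described above, as an added example that is not part of the original article or of OpenSSL itself: a toy heartbeat server in Python that implements the vulnerable echo logic beside the patched logic. The byte layout follows the TLS heartbeat message (type, two-byte length, payload, padding); the "memory" the toy server reads from is a constructed byte string standing in for the process heap, and the leftover request data in it is a made-up sample, not real traffic.

```python
import struct
from typing import Optional, Tuple

# TLS heartbeat message layout (RFC 6520):
#   type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding (>= 16 bytes)
HB_REQUEST = 1
HB_RESPONSE = 2
HEADER_LEN = 1 + 2
MIN_PADDING = 16


def build_heartbeat_request(payload: bytes, claimed_length: Optional[int] = None) -> bytes:
    """An honest peer sets claimed_length == len(payload); a Heartbleed attacker
    sends a tiny payload but claims a far larger length (the field tops out at 65535)."""
    length = len(payload) if claimed_length is None else claimed_length
    return struct.pack("!BH", HB_REQUEST, length) + payload + b"\x00" * MIN_PADDING


class ToyHeartbeatServer:
    """Stand-in for a TLS server. `memory` plays the role of the heap: the received
    record sits first, and whatever the server handled earlier sits right behind it,
    which is exactly what an over-read scoops up."""

    def __init__(self, record: bytes, leftover_memory: bytes):
        self.record = record
        self.memory = record + leftover_memory

    def _parse_header(self) -> Tuple[int, int]:
        return struct.unpack("!BH", self.memory[:HEADER_LEN])

    def respond_vulnerable(self) -> bytes:
        """Pre-fix behaviour: trust the declared length and echo that many bytes from
        the payload onward, reading past the end of the record if the length lies."""
        hbtype, length = self._parse_header()
        if hbtype != HB_REQUEST:
            return b""
        leaked = self.memory[HEADER_LEN:HEADER_LEN + length]
        return struct.pack("!BH", HB_RESPONSE, length) + leaked + b"\x00" * MIN_PADDING

    def respond_fixed(self) -> Optional[bytes]:
        """Patched behaviour: the two bounds checks the OpenSSL fix added. A request
        whose declared length does not fit inside the received record is dropped."""
        if len(self.record) < HEADER_LEN + MIN_PADDING:
            return None
        hbtype, length = self._parse_header()
        if hbtype != HB_REQUEST:
            return b""
        if HEADER_LEN + length + MIN_PADDING > len(self.record):
            return None  # claimed more than was sent: discard silently
        echoed = self.memory[HEADER_LEN:HEADER_LEN + length]
        return struct.pack("!BH", HB_RESPONSE, length) + echoed + b"\x00" * MIN_PADDING


def response_payload(response: bytes) -> bytes:
    """Strip header and padding from a heartbeat response to get the echoed bytes."""
    _, length = struct.unpack("!BH", response[:HEADER_LEN])
    return response[HEADER_LEN:HEADER_LEN + length]


# Constructed sample of what might be lying around in server memory after an earlier
# donation request; not real data.
LEFTOVER_MEMORY = (
    b"POST /donate HTTP/1.1\r\nCookie: session=8f3a91c2\r\n"
    b"email=jane@example.org&amount=50\r\n"
) + b"\x00" * 200


def run_honest_heartbeat() -> Tuple[bytes, bytes]:
    """'Good: 4 characters' is echoed identically by both implementations."""
    req = build_heartbeat_request(b"Good")
    server = ToyHeartbeatServer(req, LEFTOVER_MEMORY)
    return response_payload(server.respond_vulnerable()), response_payload(server.respond_fixed())


def run_heartbleed_attack() -> Tuple[bytes, Optional[bytes]]:
    """Send 'Good' but claim 1,000 bytes; the real bug allows up to 65,535."""
    req = build_heartbeat_request(b"Good", claimed_length=1000)
    server = ToyHeartbeatServer(req, LEFTOVER_MEMORY)
    return server.respond_vulnerable(), server.respond_fixed()


if __name__ == "__main__":
    vulnerable, fixed = run_heartbleed_attack()
    print("vulnerable server leaked:", response_payload(vulnerable)[:80])
    print("patched server replied:", fixed)
```

The vulnerable reply carries the session cookie and donor e-mail from the simulated heap; the patched server answers the same honest four-byte request correctly but returns nothing at all to the oversized claim, which is why a vulnerability scanner can detect Heartbleed by sending exactly this kind of malformed heartbeat.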
Your donor database software could have been affected by Heartbleed. But the good news is, even if it was, “Nonprofits would be pretty far down the list” of targets, said Steve Kirsch, founder and CEO of oneID, in Redwood City, Calif. When it comes to nonprofits, “there’s so many targets and so little time, people would go to the targets” with the greatest value.
“The information people typically give to a nonprofit isn’t super valuable compared to another web server,” said Kirsch. “The other thing is frequency. If you’re looking at donors, nonprofits have a fairly low rate of transactions per second compared to e-commerce sites. Those are much richer targets.”
Most organizations don’t store Social Security numbers in their databases. “I think donors would be hesitant to give that out,” said Howe. But information such as addresses, phone numbers and email addresses could be accessed, as well as staff usernames, passwords, and encryption keys.
“I think the obvious concern is that donor data is explicitly personally identifiable information, and it’s not something that can be changed, unlike the credentials to a website. It might also have credit card information stored or linked to it as well,” said Kevin Lo, senior program manager for TechSoup Global in San Francisco, Calif.
If Heartbleed isn’t quite the disaster for the nonprofit sector that it is for online retailers, there are plenty of other security threats. “A lot of attacks come internally,” said Howe. “You can get attacked from the Internet, but also by insiders.”
Security issues are the same for nonprofits with their own databases and for co-op databases. DonorBase, in Armonk, N.Y., works with more than 250 organizations and has approximately 60 million donor records, according to Bruce Demaree, vice president of cooperative data services. “You cannot get to our database through the open Internet,” he said. “You wouldn’t be able to find it. If there’s a really clever hacker who can identify it, good luck getting in.”
Howe advocates a defense-in-depth approach to database security. “Basically, defense-in-depth means you need to put in layers of security,” he said. “It’s like a filter or a sieve. You can never be completely secure, but you can reduce your risk with successive layers of security.”
Firewalls are an example of one layer of security. Howe advocates for what he calls a “demilitarized zone,” a separate network segment for the servers that must face the Internet, kept apart from the internal network where the database lives. “Next, you can apply vulnerability assessment tools,” he said. “That’s a good protection for Heartbleed. If your servers have Heartbleed, assessment tools will pick that up.”
If you’re part of a co-op, you probably don’t have to worry about technical exploits that allow your data to be accessed improperly, Demaree said. “Most fraud is committed on the human level,” he said. “This is not through technical malfeasance, it’s through bad intent: people entrusted with data who misuse it.”
Make sure your legal counsel reviews the contract you have with the provider. “Many agreements are ambiguous, and often when data is given on trust, it has the potential to be misused,” he said.
The contracts might “appear to be standard but you need to be aware of the nuances and be very clear about how your data is used in a co-op environment,” said Demaree. “The biggest vulnerability is to give your data to a co-op and then have that data resold without your overt knowledge.”
Defense-in-depth is “tried and true, and most certainly (a strategy) that nonprofits should think about,” said Lo. A periodic security audit is also good. Lo recommends security training as part of new staff and volunteer orientation. “While security might seem to be an arcane or remote possibility in your organization, that shouldn’t be an excuse not to have proper safeguards in place.”
Complexity around data security is why Howe suggests moving to a cloud-based option. Hosting a database on a software company’s server can free you up to focus more on your mission and worry less about security concerns. It’s a question of scale and being able to take advantage of an IT company’s expertise.
Many nonprofits, said Howe, “have their servers unsecured right out in the open, or maybe they have a server room. They don’t have the capabilities to really secure it or manage vulnerability.” He said that if someone can get physical access to a server, they have free rein with the data.
“There’s a lot of stuff, a lot of skill sets” involved in a holistic approach to security, said Howe. “It’s hard to find one individual who is an expert in all of them. It kind of takes a village, and most nonprofits don’t have those resources.” Many potential SaaS clients have been wary of cloud security, but Howe said he finds himself having to justify the security benefits of the cloud less and less.
Lo said there are some basic questions to ask of your security protocols. “Is the data redundant,” he asked rhetorically. “Is it encrypted? Is two-factor authentication an option? For example, in the wake of Heartbleed, your provider should have audited their systems right away and notified you of any action you might need to take or passwords you should consider changing. Besides making sure your workstations are patched and updated, I always recommend drive encryption, which comes standard with many OS (operating systems) now.”
Another security risk is theft and data loss. “Your data may be leaked not because of some hacker, but due to a weak link in your staff,” said Lo. “I work under the assumption that all software has some sort of security flaw. It’s whether or not it’s been exploited. I would be more concerned about a volunteer having access to an online database using their own computer, and that computer being compromised, or in an on-premise scenario, an employee’s car gets broken into and a laptop or tablet is stolen and there’s a copy of the donor list on it,” said Lo.
A strategy that is gaining traction, and might be one of the better layers for a donor management system, is an intrusion detection system. “These are software or appliances that you first train as to what normal traffic is,” said Howe. “It learns, then you throw the training switch off and it looks for nonstandard traffic. It’s not looking for a particular vulnerability, it looks for something that’s odd. New attacks come out commonly, and there’s value in seeing when something’s not normal.” NPT
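The two-phase approach Howe describes (learn what normal looks like, then flag what deviates from it), as an added example that is not part of the original article and is not any vendor’s product: a minimal anomaly detector in Python over web-server request logs. The log lines are constructed for the example, the line format (client, method, path, bytes sent, status) is an assumption, and the single “three sigma” threshold is a deliberately simple stand-in for the statistical models a real appliance would use.

```python
from statistics import mean, pstdev
from typing import Dict, List, NamedTuple, Tuple


class Request(NamedTuple):
    client: str
    method: str
    path: str
    size: int     # bytes sent back to the client
    status: int


class PathProfile(NamedTuple):
    mean_size: float
    std_size: float


def parse(line: str) -> Request:
    """Assumed log format: '<client> <method> <path> <bytes_sent> <status>'."""
    client, method, path, size, status = line.split()
    return Request(client, method, path, int(size), int(status))


def train(lines: List[str]) -> Dict[str, PathProfile]:
    """Learning phase ('training switch' on): record every path seen and the
    typical response size for each. Nothing here knows what an attack looks like."""
    sizes: Dict[str, List[int]] = {}
    for req in map(parse, lines):
        sizes.setdefault(req.path, []).append(req.size)
    return {path: PathProfile(mean(s), pstdev(s)) for path, s in sizes.items()}


def detect(lines: List[str], baseline: Dict[str, PathProfile],
           z_limit: float = 3.0) -> List[Tuple[str, str]]:
    """Detection phase ('training switch' off): flag anything that doesn't match
    the learned profile, whether or not it matches a known vulnerability."""
    alerts: List[Tuple[str, str]] = []
    for line in lines:
        req = parse(line)
        profile = baseline.get(req.path)
        if profile is None:
            alerts.append((line, f"path {req.path} never seen during training"))
            continue
        # Guard against a zero standard deviation so one odd byte doesn't explode the score.
        z = (req.size - profile.mean_size) / max(profile.std_size, 1.0)
        if z > z_limit:
            alerts.append((line, f"response of {req.size} bytes is {z:.0f} sigma "
                                 f"above normal for {req.path}"))
    return alerts


# Constructed sample logs; addresses and paths are made up.
TRAINING_LOG = [
    "10.0.0.5 GET /donate 480 200",
    "10.0.0.6 GET /donate 512 200",
    "10.0.0.7 GET /donate 530 200",
    "10.0.0.5 GET /donate 500 200",
    "10.0.0.8 GET /donate 520 200",
    "10.0.0.6 GET /about 1200 200",
    "10.0.0.9 GET /about 1180 200",
    "10.0.0.7 GET /about 1220 200",
]

LIVE_LOG = [
    "10.0.0.5 GET /donate 515 200",                  # normal
    "10.0.0.9 GET /about 1210 200",                  # normal
    "203.0.113.9 GET /donate 64000 200",             # reply far larger than ever seen
    "203.0.113.9 GET /admin/export_donors 0 404",    # path that never appeared in training
]


def run_demo() -> List[Tuple[str, str]]:
    return detect(LIVE_LOG, train(TRAINING_LOG))


if __name__ == "__main__":
    for line, reason in run_demo():
        print(f"ALERT: {reason}\n       {line}")
```

The oversized reply is flagged even though the detector has no signature for the attack behind it, which is the property Howe is pointing to; the cost is that any genuinely new page or unusually large download will also trip it, so such a system needs retraining and tuning whenever the application changes.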