Tag Archives: Security

About security issues.

Looking out for suspicious links in Kerika

August 14, 2024KerikaSecurityKerika

We had some incidents recently where hackers stole the Microsoft credentials from some folks in Europe and North America (there’s been a lot of that lately), and then used these stolen credentials to sign up as Kerika users.

Once they signed up, they created Whiteboards that were made to look like they included official links from Microsoft to download documents. Here’s what one of them looked like (we have obscured some information):

The link in the image shown above led to a phishing site where people might inadvertently enter their Microsoft credentials in order to read this document, which would have looked like it came from a Kerika board that was owned by a trusted colleague.

To make this more convincing, they used a very old feature of Kerika’s Whiteboards that’s called VIEW AS WEBPAGE:

This feature was originally built to help nonprofits and open-source teams share their work with people who weren’t Kerika users: the Board Admin could create an ordinary Web page that contained everything that was on the Whiteboard. This page was then sent to the contacts of the person whose credentials were stolen.

To deal with this, we have made some important security updates throughout the Kerika app, on the desktop and on mobile devices:

Whenever you add a link to any task (card), chat, board, or canvas in Kerika, we will check if that link is known to be suspicious or malicious.
If so, you will be warned, and Kerika’s security team will be informed immediately. Your account will then be monitored to see if this behaviour continues.
Whenever you click on any link anywhere inside the Kerika app, we will check again if that link is known to be suspicious or malicious, and will warn you if that’s the case.
Please take this warning seriously!

We have disabled the VIEW AS WEBPAGE feature for Whiteboards while we evaluate the results of these security improvements. Once we feel confident we have dealt with this situation we will consider re-enabling that feature. (Let us know if this feature is important to you.)

We are using Google Web Risk service to help screen URLs entered by our users. Google has been dealing with malicious websites since they started, and we think they have some great resources that we can leverage to improve security for our own users.

Mr Bond, they have a saying in Chicago: 'Once is...

You have even more storage options now

January 19, 2024KerikaBox, Direct Sign Up, Document Management, Google Apps, Microsoft, Preferences, SecurityKerika

When we started, we made a big strategic decision to integration with the Google Apps platform: letting users sign in with their Google IDs — which meant they didn’t need to remember a password just for Kerika — and, more importantly, letting users store their files in their own Google Drive, where they remained under their own control.

This proved particularly popular with the IT departments of our users, because it meant that any corporate policies the IT folks were implementing on content management worked great on everything the users did with Kerika as well.

The ability to control how files were to be shared (e.g. not with anyone outside the domain), and how long files were to be retained (important for regulated industries) is super important to IT departments who are charged with guarding the corporate assets, and Kerika is the only task management tool that works seamlessly with a user’s existing Google Workspace.

We then implemented the same functionality for users of the Box platform: people could sign up with their Box IDs, and have their files stored in their own Box accounts. Once again, this means that the content management policies that their IT departments were implemented would remain respected thanks to Kerika being the only task management tool that works so well with Box.

To complete the range of options for our users, we now have Kerika+Microsoft as an option: you can sign up with your Microsoft ID and have your files stored in your own OneDrive account.

But we didn’t stop there: we recognize that there are some folks out there who would prefer to use a cloud service that’s different from the one they originally signed up with: for example, someone who signed up using a Google ID, or signed up directly using an email address, might want to switch to using Microsoft OneDrive.

That’s easy, free, and painless: go to your Manage Account page from inside the Kerika app on your desktop, and select the OTHER SETTINGS tab:

Click on the CHANGE button and you will see your storage options:

The above example shows the options available for a Kerika+Microsoft user: she can choose to have her files stored in her own Google Drive, in her own Box account, or use Kerika’s Google Drive.

Once you initiate this process it can take some time to complete, depending upon how many files you have in your account, and how large they are. There’s a file size limit of 200MB that’s imposed by the cloud service providers.

If you need help making a decision, or in making a switch, feel free to schedule a call with us.

Security Awareness for Distributed Teams

November 26, 2022Best Practices, TechnologySecurityArun Kumar

(Guest post from Cybernews)

According to researchers at Ladders, 25% of professional jobs in North America will be remote by the end of 2022. Remote jobs skyrocketed from under 4% in 2019 to 9% in 2020 alone. This means that working from home is here to stay.

With this change in the job market demand, distributed teams have become more common and will continue to be adopted by small and big businesses alike. The need to secure company and employee data is important given the rise of internet scams. It is advisable to have all team members engage in security awareness training to have them prepared against malicious hackers and phishing sites.

Here are measures distributed teams can take to protect themselves and the company from a security breach.

Public Wi-Fi

Avoid using public Wi-Fi, especially from unknown service providers. If you must connect to a public server ensure you have a VPN installed on your computer to prevent hackers from monitoring your internet activity.

Social engineering

Social engineering uses manipulative techniques to gain confidential information that can put an individual or company at risk of cyber-attacks. Hackers have gotten smarter over time creating the need to be cautious mainly when workers use their own devices for office duties. Here are tips to save you from falling victim to such scams.

Be suspicious if an unknown person asks you for information, they shouldn’t have access to it. All workers have team leaders they report to or team members that handle specific company data. If someone aside from the usual team member is asking for such data, be alarmed and report it to your team leader.
Pay attention to emails. It can be daunting to always have to check an email sender to be sure you’re not under a phishing attack, but it can save you from putting your company at risk. Look out for grammatical errors and the sender’s email address to be sure they aren’t impersonating your company’s or an employee’s email.
Beware of heightened urgency. Resist the rush to perform an action if you are feeling pressured to perform a certain action. Creating urgency is a common tool phishing scammers use to make their victims act fast. You should be more suspicious if the person is trying to make you ignore a mandatory security protocol.
Always hover over links to see where they lead. Don’t be quick to click links and open attachments sent to you from new contacts. Offerings of things that are too good to be true are not true. An example is an email congratulating you on an iPhone in a competition you never attended.
Never download unauthorised software or plug in an unauthorised drive or USB to your device.

Setting passwords

Most websites will tell you to create an 8-character password that contains uppercase letters, lowercase letters, numbers, and symbols that should be changed every 90 days. However, cybercriminals now use technology that allows them to crack an 8-character password in 4 hours. That’s why you should be using strong password management.

Instead, use a 12–16-character password with uppercase and lowercase letters, numbers, and special characters. You can create a passphrase using multiple small words like “tiNyTombSPoon.” Combining your passphrase with numbers and special characters is advisable for added difficulty. Complex passwords like this should be changed every two years.

Never save passwords to browsers. Never share your passwords with anyone or log in to your work accounts with public computers. Ensure you use a unique password for each account, you can use a password keeper if necessary.

Always use two-factor authentication for all your accounts. Never use the same passwords for your personal and work accounts. Make sure to separate your personal and work life.

Security awareness at home

In a world of distributed teams, it is normal for workers to spend more time at home than in an office. Here are measures that can be taken to stay safe when working from home.

Never grant anyone access to your desktop unless you sort the remote connection. Always be careful of remote desktop inquiries. Never give out your login details to anyone over email or phone without consulting your supervisor.
Don’t respond to non-company numbers or messages regarding an issue when you didn’t open a ticket.
If you will be filling your data into any websites while working, ensure they begin with https://
Ensure your Wi-Fi router is secured with a strong password. Always restart your router frequently.
Keep your working devices out of the reach of family and guests. Use a different internet network for work and family or guests.
Only use company-approved USB sticks. Never use unencrypted USB sticks to connect or charge your work device in public places.
Never leave your work device unattended. If you aren’t actively using your device ensure you exit your work screen and lock or close your device.

Security awareness in videoconferencing

All virtual meetings should be cyber-safe and not open to the public. Links to video meetings must not be shared on public sites. Ensure all meetings require passwords to join. Avoid starting a meeting without the host – rather create a meeting room.

Enable host-only sharing, accept one user at a time, and lock the meeting after all the participants are in.

Other security measures

Avoid using your personal computer or smart devices for work. Ensure your operating system, antivirus and apps are updated frequently.
Beware of phishing links sent to your email. Alert your family members on using your devices without your supervision.
Beware of pop-ups on free movie sites and apps asking you to install software from unverified sources.

Conclusion

Although it is impossible to be 100% secure, raising awareness of the cybersecurity risks and taking all security measures stated above is key to preventing a security breach that can lead to catastrophic events. Ensure each team member is properly oriented on security measures to employ and things to look out for to prevent getting hacked.

Guarding against XSS code injection

December 30, 2019Kerika, TechnologySecurityKerika

We had posted earlier about making sure that (malicious) users cannot inject code into Kerika, in any of the areas where user input is possible.

Here’s the complete list of user actions that we are checking for XSS injecton now:

Board Name
Board Description
Template Name
Template Description
Tag Name
Card Attachment Name
Board Attachment Name
Card Chat
Board Chat
Column Name
Task Name/Detail
Canvas Text
Canvas Attachment Name
Canvas Shape/Object Name
Account Name
Account Billing Information
User’s Name

Guarding against XSS/code-injection

December 3, 2019Kerika, TechnologyChat, Scrum, Security, Task Board, WhiteboardKerika

It’s possible to copy-paste text into a Kerika Chat message, and there are legitimate use-cases for this: for example, a developer may ask a question to a coworker who replies with a code snippet.

Kerika handles code in chat messages by storing two versions of the message: as plain-text, and as the original format. When a chat message is displayed, the original format is used but not executed, which means the embedded code is visible, but doesn’t run in the browser. This makes it easy and safe to share code snippets through chat messages.

While making this improvement, we went through all the places where a user can type in text, Card Title and Description, Board Name and Description, Tag, Attachment Name, etc. to make sure we are guarding against malicious code injection.

We will start to do IP blocking

July 8, 2019KerikaAWS, SecurityKerika

Regrettably, we will start doing IP blocking to stop persistent spammers from setting up Kerika accounts.

We have seen a consistent pattern of misuse that goes like this:

Someone signs up with a sina.com email address. Sina is one of the largest ISPs in China, but we don’t have any users in China for the simple reason that most of Google’s services are blocked by China’s Great Firewall, and Kerika has a tight integration with Google’s G Suite.
The spammer isn’t actually located in China; they are in Manila (Philippines) and come from IP addresses like 203.177.13.60
These spammers send out hundreds, sometimes thousands, of invitations for users from the qq.com domain to join their (spurious) Kerika team.
These recipients are all users of Tencent’s QQ messaging system, based in China. Again, none of them would be actual or potential Kerika users, since the recipients are all located in China.

The user impact of this spamming was relatively small: almost no one with a qq.com email address would reply to these invitations, but the conduct was a very clear misuse of Kerika and harmful to our reputation, quality and brand.

(Among other things, these spurious invitations would pile up in the thousands.)

We have decided, therefore, to start blocking IP addresses using Amazon’s VPC service (since we use Amazon AWS extensively on our back-end.)

This is a brute force method, and not ideal, but we were starting to get really annoyed with these folks. We hope this doesn’t impact any of our real users in the Philippines; if you are affected, please let us know!

Why we need your Billing Information (and what we do with it)

August 15, 2018KerikaAccount, Privacy, SecurityKerika

If you purchase subscriptions, or do other actions like request a refund, Kerika prompts you to update your Billing Information:

This information is needed to complete a transaction:

Your name or organization (school, college, nonprofit, company, government agency…) are used to ensure invoices and receipts are addressed to the correct person (the purchaser).
Your phone number is needed to handle any problems we face processing your invoices or purchases.
Your address is used to create invoices and receipts, and to check whether we need to charge you Washington State sales tax.

At the bottom of this screen you can optionally include Billing Contacts: people who need to get copies of all your transactions, such as your organization’s Purchasing Department or outside accountants/bookkeepers.

We store this information securely: as you may have already noticed, all access to Kerika servers is done using SSL/HTTPS, and within the Kerika virtual network, our servers communicate with each other using SSL as well.

We never ask for your credit card information: we use Stripe to handle all online payments, and we never see your credit card at any time.

If you pay by bank check or electronic funds transfer, this information is handled by Bank of America: details of these transactions, such as your bank information, are stored only at Bank of America and not stored on the Kerika servers.

We are adding ReCAPTCHA to our signup and login pages

July 12, 2018Kerika, UsabilityDirect Sign Up, SecurityKerika

We recently got hit by spammers signing up as Kerika users, using fake emails from domains like mailinator.com, which seems to exist principally to help people do bad things on the Internet.

After signing up, these spammers (who seemed to be based in the Philippines) would invite hundreds of people with accounts on Tencent’s qq.com service in China. This would result in invitations being sent to these qq.com people to join the spammers on their Kerika boards.

To avoid a repeat of this problem, we are using Google’s reCAPTCHA in “silent” mode, on our signup and login pages — for people who sign up directly with Kerika using their email addresses.

This doesn’t affect the majority of our users, since most people sign up using their Google or Box accounts. And because the reCAPTCHA works silently, it shows up only when Google has reason to doubt that the person at the keyboard isn’t human.

Managing the privacy of your Kerika boards

June 7, 2018Kerika, Team Collaboration, TechnologyPreferences, Privacy, Security, TeamsKerika

Kerika offers a great deal of control over how each board is shared:

A board can be made public to everyone. This makes sense for open-source projects and many nonprofit and advocacy groups, where the goal is to get maximum visibility and publicity rather than to hide the details of what the project is about.
Making a board public means that anyone who has the URL of the board can view it, even people who are not Kerika users. Note: we are talking about viewing the board; viewing doesn’t mean anyone who isn’t part of the board team can make changes.

If a board is viewable by the public, it can be found by anyone using Kerika’s search function.
A board can be viewable by everyone who is part of the account team. This is the default setting, and it makes a lot of sense for most organizations: you want your coworkers to be aware of what your team is doing, unless the project is particularly sensitive.
An account team consists of everyone who is a Team Member or Visitor on any board owned by the account.

As people get added to individual boards, they are also automatically added to the account team. When someone is removed from every board owned by an account, they are automatically removed from the account team as well.

As with public boards, described above, we are talking only about viewing, not changing: only people who are Board Admins or Team Members on a particular board’s team can make any changes to that board. (And, of course, the Account Owner who owns the board.)
If you use Kerika’s search function, you can find boards that are being shared with the account team, provided you are part of that particular account team.
A board can be kept private. This means that only the people who are listed on the board’s team — as a Board Admin, Team Member or Visitor — can view the board. (And, of course, the Account Owner who owns the board.)
This is appropriate for any sensitive projects, e.g. stuff related to personnel matters or confidential contracts.

Private boards can’t be found by Kerika’s search function either, and it doesn’t matter if you know the URL for the board: only the specific people listed on the board team can see anything related to that board.

For each board owned by an account, the Account Owner or Board Admins can manage the board’s team: decide who is part of the team, and what sort of role (Board Admin, Team Member, or Visitor) each person has.

Board Admins and Team Members can make changes to all the items on the board, including any documents attached to the board.
Visitors have read-only access to the board and all its documents.
A person’s role can be changed at any time by the Board Admin or Account Owner: the effect is immediate, and extends to all the documents associated with the board as well regardless of whether you are using Google or Box for your file storage, or whether you are storing your files with Kerika.

A board’s team and current privacy settings can be viewed by clicking on the Team button that appears on the top-right of the Kerika app, when viewing a board:

Clicking on this button brings up the Board Team dialog:

Each person who is part of the Board Team is listed in this dialog, in alphabetical order along with their role.

At the bottom of the dialog is the board’s current privacy setting: in the example shown above, the board is being shared with everyone who is part of this user’s account team. (We have obscured the URL in the screenshot for security reasons.)

If you are a Board Admin or the Account Owner, you can change the privacy of the board using the Change Privacy link that’s shown on the bottom of the dialog:

So, every board can have it’s own privacy settings: private, shared with account team, or public.

When you are viewing the boards in an account, Kerika shows clearly what the privacy setting is for each board:

If you are part of someone’s account, you will be able to create new boards in that account: you will automatically be a Board Admin on those new boards, but the owner will always be the account you are working in.

You can set your privacy preferences for each account; this will determine whether new boards you create are automatically shared with your coworkers or not:

All your preferences can be set at https://kerika.com/preferences. The default setting is Share with Account Team, which works well for most people, most of the time.

Switching to Let’s Encrypt for our SSL certificates

May 16, 2018Kerika, TechnologySecurityKerika

We have mentioned below the problems we had with GoDaddy’s SSL certificates; we have fixed this by switching to the open-source certificate authority called Let’s Encrypt.

Let’s Encrypt is a free, automated, and open certificate authority brought to you by the non-profit Internet Security Research Group (ISRG). It lets us host our own certificates, so we don’t have to rely upon third parties and can have better control over the quality of our service.

Get more done, with Kerika

Task Management for Remote Teams