Noutați

A Timeline of the Solarwinds Hack: What We’ve Learned

Published January 19, 2021 WRITTEN BY THE KIUWAN TEAMExperienced developers, cyber-security experts, ALM consultants, DevOps gurus and some other dangerous species. The SolarWinds hack was a major security breach that affected a software company serving over 3,000 companies, including major corporations like Cisco, Intel, Cox Communications, and Belkin. Also attacked were multiple US states and government agencies including the US Department of State and the US Department of Homeland Security. The attack, dubbed SUNBURST, involved inserting malicious code into the firm’s Orion Platform software and using it to access clients’ networks. Experts believe the attack was instigated by hackers based in Russia and may have managed to access sensitive government data. It is one of the most sophisticated cyberattacks in history, with malware capable of evading detection. Here’s a timeline of the major events in the SUNBURST attack, followed by recommendations for organizations to protect against supply-chain threats. The Attack Timeline Threat Actor Accesses SolarWinds September 4, 2019: unknown attackers access SolarWinds. September 12, 2019: the hackers inject the test code and perform a trial run. The attackers used a sophisticated injection source to insert the SUNBURST malicious code into the company’s Orion Platform software. The attacker used multiple servers based in the US and mimicked legitimate network traffic to circumvent the threat detection used by SolarWinds, its partners, and clients. February 20, 2020: Hackers compile and deploy the SUNBURST attack. This was an updated variant of the malicious code inserted into the Orion Platform released from February 20, 2020, and beyond. June 4, 2020: the perpetrators removed the SUNBURST malicious code from SolarWinds systems. FireEye Discovers SolarWinds Attacks December 8, 2020: FireEye, a cybersecurity threat and intelligence provider, reports that state-sponsored hackers broke into its network and made away with its Red Team penetration testing and assessment tools. The company was concerned that the hackers would use the stolen tools to target other companies. December 11, 2020: while conducting breach investigations, FireEye discovered that SolarWinds had been attacked. They realized that this was a supply chain hack where the attackers had corrupted and weaponized SolarWinds’ Orion Platform updates. The malicious SUNBURST code had corrupted all the Orion releases made between March and June 2020. December 12, 2020: FireEye informs SolarWinds that the Orion Platform had been compromised through a cyberattack. The news prompted the National Security Council (NSC) to convene a White House meeting to discuss the security breach of several government agencies and enterprises. The News Becomes Public December 13, 2020: The Cybersecurity and Infrastructure Security Agency (CISA) issues an emergency directive requiring federal agencies to disable SolarWinds Orion connections because they posed a substantial security threat. SolarWinds issues a security advisory explaining the Orion Platform hack and the defensive measures clients could use to protect their systems. FireEye disclosed that a hacker had used SolarWinds’ supply chain to compromise the networks of several global clients. Microsoft issued guidance explaining how the attack could affect its customers. The attack got media coverage for the first time. Reuters reported that the hack on SolarWinds Orion may have originated in Russia and could have compromised the systems of several federal agencies. Public Response Begins December 15, 2020: SolarWinds released a software fix. The media identified victims to include the Department of Homeland Security (DHS), the State Department, and the National […]

Read More

TMS VCL UI Pack v10.5 released

The New Year 2021 is still fresh and there is already a major update for TMS VCL UI Pack. As always, our updates focus on bringing the latest improvements and adding features to make your VCL Windows desktop applications built with Delphi & C++Builder shine. In this new version v10.5 we bring several new UI features: Emoji support in HTML engine For some time now, support for the use of emoticons is built-in standard in the Windows operating system. In the Windows operating system this is handled via a multi-color Truetype font Segoe UI Emoji. Regular Windows GDI API based controls (which most standard VCL controls are) cannot use multi-color Truetype fonts. To take advantage of this, for native applications, at minimum the Direct2D API needs to be used. We did the work for you, our HTML engine was updated with the capability to render multi-color Truetype fonts and with this the ability to render emoticons specified via HTML. The HTML standard prescribes a whole range of values for the various emoticons that exist. You can check the list here. In a nutshell, if you write in HTML 😜 I will display 😜 it will render as: 😜 I will display 😜 So, now you can add Emoji decimal values in your HTML used for our VCL components that can render it. This includes labels, listbox, combobox, grid, navigation controls, panels and so much more. New TAdvEmoticonPickerDropDown Offering an easy to use UI with which you can select such emoticon. The TAdvEmoticonPickerDropDown can directly return the HTML code for the selected emoticon via AdvEmoticonPickerDropDown.EmoticonHTML: string property. This new TAdvEmoticonPickerDropDown is used in the design-time HTML string property editor for controls that are enabled with HTML rendering. New web-style form input control validation In web forms, we are used to validation with clear indication on input controls where a value was not entered or was entered incorrect. In VCL Windows desktop applications, this is less common but it can add value to the user experience. While it is possible to do this all manually with showing extra labels with info on why an input entry is incorrect, we have created an easy to use concept for displaying validation feedback to users. This consists on one side of a centralized component (or multiple components) that hold the settings for the validation tooltip and in the TMS input controls like TAdvEdit, TAdvComboBox, TAdvSpinEdit, TAdvDateTimePicker, … and all their descendent classes there is the method control.ShowValidation() / control.HideValidation() added to easily show and hide a certain validation text. For standard VCL controls or other 3rd party controls, the generic method ShowValidator(Control, Text, ValidatorSettings) or HideValidator(Control) are provided. Combining this, you can easily create validation screens like in this example: Input control balloon hints Another helper for guiding users to make correct form entries, is via a balloon hint. We have also extended our input controls like TAdvEdit, TAdvComboBox, TAdvSpinEdit, TAdvEditBtn, … and their descendent classes with ShowBalloon() / HideBalloon() methods. With these methods you can give clues to users when he is not entering correct values as the user leaves the control or while typing. It offers 4 types : neutral, information, error or warning types. Get started TMS VCL UI Pack v10.5 is a free update for all active TMS VCL UI Pack, […]

Read More

TMS WEB Core v1.6 tips & tricks

We are pleased to share two more tips for using TMS WEB Core v1.6 Pesaro. The first tip is for how you could implement on the fly filtering on a TWebResponsiveGrid. The second tips concerns the dynamic creation and use of a TFrame. Let’s dive into the first tip right-away with showing filtering for the TWebResponsiveGrid. Filtering in a responsive grid TWebResponsiveGrid is a grid UI control that is responsive. This means that the number of columns will depend on the available window width in the browser. In this sample, we configured the TWebResponsiveGrid that about 200 pixels width is needed for a grid item and that the number of columns as such, will depend on how many items of width 200px fit in the browser window width. Each item of the TWebResponsiveGrid consists of a small snippet of HTML filled with data from a JSON HTTP GET request response. This JSON contains an array of JSON objects with information about cars. One such item is for example: { “Brand”: “BMW”, “Model”: “Z8”, “Hp”: 400, “Max speed”: 250, “City”: “Munchen”, “Country”: “Germany”, “Type”: “cabrio”, “Picture”: “bmw1.jpg”, “Year”: 2000, “Price”: 95000, “Cylinders”: 8 } The HTML template for the item is set to: ‘(%Brand%) (%Model%)(%Country%) Year:(%Year%)Price:(%Price%)€’; As you can see, it will fetch Brand, Model, Country, Year, Picture and Price from the JSON. When the JSON is loaded, all car items become visible in the responsive grid. Now comes the code to filter which car items will be visible. We will let the filter apply in this case on the car brand and car model. That means that when a value typed in the filter matches either brand or model, the item will be displayed. The code to perform this filtering becomes: var i: integer; f,s,a: string; begin if edFilter.Text = ” then begin for I := 0 to carlist.Items.Count – 1 do carlist.Items[i].Visible := true; end else begin f := Uppercase(edFilter.Text); for i := 0 to carlist.Items.Count – 1 do begin s := carlist.Items[i].JSONElementValue[‘Brand’]; a := carlist.Items[i].JSONElementValue[‘Model’]; s := Uppercase(s); a := Uppercase(a); carlist.Items[i].Visible := (pos(f, s) > 0) or (pos(f, a) > 0); end; end; end; As you can see, we extract the car brand and model via the JSON object attached to the item and when there is a match, the item is visible otherwise not. When the filter changes, we first set all items as visible again, ensuring that any previous filtering operation is undone. That’s it. There is nothing more to it. The display work is all handled automatically by the TWebResponsiveGrid. Dynamically creating, using and destroying a frame In TMS WEB Core, you can use a TFrame just like you can in a Delphi VCL Windows application. You add your UI controls + UI control logic to the frame and you can use this frame on other forms in the VCL application. In TMS WEB Core, the concept is exactly the same. Here we created a frame with a common UI pattern: two listbox where items can be moved from left listbox to right listbox and vice versa. This UI and its code is added to a frame. Now, to use this frame, we just need to add the unit of the frame to the uses list and the following code will from a single […]

Read More

Virtual CISO: Leveraging External Security Expertise

Published January 14, 2021 WRITTEN BY MICHAEL SOLOMON Michael G. Solomon, PhD, CISSP, PMP, CISM, PenTest+, is a security, privacy, blockchain, and data science author, consultant, educator and speaker who specializes in leading organizations toward achieving and maintaining compliant and secure IT environments. Today’s organizations, both big and small, are finding that security activities consume more resources than ever before. Cyber criminals are getting better all the time, and staying just one step ahead of them is getting harder. But it’s not just more sophisticated criminals; organizational growth, increased infrastructure complexity and expanding compliance requirements also require more time, people and technology to avoid becoming a victim of a cybersecurity breach. Security used to be focused on physical access to facilities and resources, or adding layers of logical controls to protect software and data. However, security concerns of the 21st century don’t fit into nice buckets anymore. Security concerns affect every aspect of an organization’s operations and should be an integral driver of strategic planning. Information security used to be a good idea to include “if there is time.” Then it became more important as cyberattackers became more sophisticated at leveraging vulnerabilities. Now, information security is an integral component organizational strategic viability. It is just as important as fiscal integrity and product quality. Executives have become acutely aware of the impact of poor information security on their organization’s profitability and longevity. A lack of security focus at the executive level could easily result in hefty fines for non-compliance, punitive rulings after finding liability or negligence, or a loss of customers and partners after a confidence-shattering breach. The risk of undervaluing information security is too great to ignore. To address the growing awareness of information security’s importance to strategic planning, many larger organizations now include a Chief Information Security Officer (CISO) in the executive suite. A CISO provides executive leadership guidance on keeping organizations secure and compliant. But with the average median salary for a CISO being over $200,000, many companies cannot afford their own CISO. The need is still there, but the budget doesn’t allow for a full-time person in that position. However, there is an attractive alternative. Organizations that lack the budget for a CISO are increasingly turning to an outsourced solution: the virtual CISO, or vCISO. Let’s look at what a vCISO does and how one can benefit small and medium-sized businesses. Benefits of a vCISO A vCISO is generally a cybersecurity professional who works part-time offering security services to multiple organizations, working for several throughout any year. This job-sharing approach gives organizations access to a CISO without having to hire one full time. The vCISO fills several needs through different types of services, including: Cybersecurity guidance to executives Security readiness assessment Compliance alignment recommendations (for HIPAA, GDPR, PCI-DSS, CCPA and dozens more) Remediation prioritization Security architecture guidance Incident response Governance Business continuity A vCISO helps organizations transition from viewing security as a tactical requirement to a strategic one. This transition isn’t an easy one without support from the top. That’s the most important role of a vCISO: to solicit and ensure ongoing support of security from the very top of the organization’s leadership. The strategic nature of a vCISO’s approach to security isn’t in contrast to existing security activities or other organizational goals. The vCISO should help ensure […]

Read More

TMS WEB Core v1.6 released

We’re thrilled to bring the quantum leap the pas2js v2.0 compiler brings to TMS WEB Core with the release of TMS WEB Core v1.6 Pesaro today. The new compiler has been in development for quite some time and brings the experience for Object Pascal developers to create web client applications from the Delphi or Lazarus IDE to a new level. Among the major new capabilities of the pas2js compiler are: Generics Attributes Class constructors Resource strings Async procedure decorator Await support JavaScript promises support Resource file support In a nutshell, this ensures you can bring your modern Object Pascal code to the web as well as take advantage directly from Object Pascal code from modern typical web paradigms such as await & promises for handling asynchronous code. All active registered users for TMS WEB Core can obtain the update after login on our website under “My Products”. Just as our team internally can now start taking advantage of the new compiler features to write new & enhanced framework code, you can apply this to your application level code. The new compiler features will also enable more of other TMS products that were already using generics and attributes for example to become a possible target for porting this to TMS WEB Core. TMS FNC Products ready for the new TMS WEB Core Note also that our entire TMS FNC components portfolio has already been prepared for compatibility with TMS WEB Core v1.6. The amazing array of cross-framework, cross-platform components from TMS FNC UI Pack, TMS FNC Chart, TMS FNC Cloud Pack, TMS FNC Maps, TMS FNC Blox, TMS FNC Dashboard Pack is ready for use in your web client applications now. Coming soon to Visual Studio Code As the same compiler and exactly the same framework code is used in TMS WEB Core for Visual Studio Code, you can expect shortly the release of TMS WEB Core for Visual Studio Code v1.2 that will bring all these enhancements to the Visual Studio Code IDE running directly on Windows, macOS or Linux. It doesn’t end here, it just continues With the new TMS WEB Core release, the path is now also open to start introducing new functionality and features at framework level. Our team has been very busy in parallel to develop new extensions to the framework, so, be assured that TMS WEB Core v1.7 is already in the pipeline. More about what is cooking in the labs for v1.7 will be detailed in the coming weeks. Get started now If you didn’t get your feet wet already with RAD component based Object Pascal based web client development, now is the time to enter this fast moving & fascinating world. The sheer amount of new possibilities and territories is staggering. You cannot only develop no-deployment cross platform rich web client applications, but also offline usable and installable PWA’s for use on mobile devices bypassing Apple or Google stores. Or you can use the Electron framework to create cross-platform desktop applications for Windows, macOS and Linux with a modern and fresh looking HTML/Web based GUI. And know that we have even more and exciting alternative targets for TMS WEB Core web client applications in the making! Learn here about the new generics support: Get the TMS WEB Core v1.6 trial or use TMS […]

Read More

WYSIWYG rich text editing in FMX

Intro The multi-device, true native app platform The FireMonkey® framework is the app development and runtime platform behind RAD Studio, Delphi and C++Builder. FireMonkey is designed for teams building multi-device, true native apps for Windows, OS X, Android and iOS, and getting them to app stores and enterprises fast. source: https://www.embarcadero.com/products/rad-studio/fm-application-platform FMX (FireMonkey) released in 2011 and shortly after we delivered a first set of components. Today, we want to show you the TTMSFNCRichEditor component, a light-weight WYSIWYG editor for formatted text. Features Below is a list of the most important features the TTMSFNCRichEditor has to offer. The features are not limited to this list, but this will give you a quick insight on what we offer to be able to edit and format rich text content in FireMonkey. Formatted text with bullets, hyperlinks, images, indenting and aligned paragraphs Functions for merging, highlighting text, undo/redo and clipboard operations Horizontal ruler support Stores its text natively in the .RTE file format Possibilities to load from .TXT, .RTF, .HTML and .RTE Export to .PDF, .TXT, .RTF, .HTML and .RTE Separate rich editing/formatting toolbars Emoticons support Support for BitmapContainer images Autocorrect: custom auto-correct actions Interface to TMS Spell Check engine Learn More! Want to learn more about what the TTMSFNCRichEditor can do? Here is a video that highlights some of the above features through a demo application. Download & Explore! The TTMSFNCRichEditor component is part of the TMS FNC UI Pack, which, on top of FMX, also offers the ability to write your code once and target other frameworks (VCL, LCL and WEB). You can download a full featured trial version of the TMS FNC UI Pack and start exploring the capabilities of the TTMSFNCRichEditor component. Coming up The TTMSFNCRichEditor is the first of a series of components that is covered to empower your FMX (FireMonkey) developments. We started the series with a general overview of the most important components that we have to offer. Next up will be the TTMSFNCPlanner component, a highly configurable planner / scheduler component for FMX (FireMonkey), so stay tuned for more!.

Read More

Thanking the Community for their Contributions—StackOverflow Winner Announcement!

Happy 2021! As we press on into the new year, we’re doubling down on our efforts to provide our amazing developer community with the product best practices, do’s and don’ts, and tips and tricks that they need to be successful with our framework. While our commitment to providing valuable content to Ext JS devs is unwavering, we realize that sometimes the best advice comes directly from you, the users who have been developing groundbreaking applications with our framework.  With this in mind, we want to reward our top contributor on StackOverflow for leading the charge in supporting Sencha users in our various StackOverflow communities (Ext JS, ExtReact, ExtWebComponents). For their dedication to bettering the Ext JS developer community, we’re awarding the user sra with a $100 Amazon gift card—congratulations! Going into 2021, we’re going to be handing out awards to our top monthly contributors at multiple random points throughout the year—keep up the good work and thanks again for your contributions.  We look forward to another awesome year with our developers! Start Contributing Get started with a free Ext JS trial.

Read More

Secure Remote Access: Keeping Employees and the Organization Safe

Published May 19, 2020 WRITTEN BY ED TITTEL. Ed Tittel is a long-time IT industry writer and consultant who specializes in matters of networking, security, and Web technologies. For a copy of his resume, a list of publications, his personal blog, and more, please visit www.edtittel.com or follow @EdTittel In this age of lockdowns, social distancing and working from home, organizations must think carefully about how to extend their networks and services across the internet and into employees’ and contractors’ homes. This makes remote access security management both a timely and an imperative topic, because it has become the norm for many companies and organizations this year. If we are to believe even the most optimistic of vaccine deployment scenarios, our pandemic situation is likely to persist for at least another six to nine months. That said, many experts think that working from home is the new normal, so even once it’s safe for us all to be together in an office again, there may be no office to go back to. The old ways of working mostly within a secure organizational perimeter are on the way out, so we need to update our security operations for the new reality. How does remote access work? In the simplest of terms, remote access requires that users employ a remote device of some kind to establish a connection to an organizational service. The connection is a communication link that spans the internet from the client or user side to a server or service inside the firewall. For example, Microsoft includes both an old-line application, Remote Desktop Connection, and a new-style Universal Windows Platform (UWP) app, Remote Desktop, in Windows 10. Both use Microsoft’s Remote Desktop Protocol (RDP) to establish a remote connection between a client PC (user device) on one side and a host PC or server (server device) on the other side. Thus, the elements of remote access include the following: A remote access client or application that lets the end-user request access to a remote resource of some kind A remote connection that connects the end-user to the resource, and vice versa A remote host or service to which an end-user can connect, and from which they can request information, services, resources and so forth Securing remote access means securing all elements For a company or organization to meet best security practice requirements for remote access, all elements involved in remote access must be secure. Here’s a checklist of items and capabilities that fall under this large and far-ranging umbrella: Before users obtain remote access, they must be identified and authenticated. The best form of security for identity and authentication nowadays relies on two-factor authentication (2FA) or better, where a user’s cellphone serves admirably to provide a separate channel for ID and authentication traffic, as well as providing a tangible token of identity in and of itself. The client software that users employ for remote access should themselves be secure and free from known technical vulnerabilities or susceptibilities to attack through social engineering. Users working remotely need basic security awareness training to keep them from inadvertently disclosing what the organization wants kept confidential – namely, their account and password information, among other sensitive data. The client software must also be scanned for vulnerabilities (preferably at high frequency, if not continuously) […]

Read More

Show a PDF from a TMS WEB Core app

This is a frequently asked question from TMS WEB Core users how a PDF file, typically a generated report, can be shown from a TMS WEB Core app. The good news is that it is simple as browser technology has us covered. There are basically two options: Show the PDF file in a new browser window (tab) Show the PDF embedded in the application window So, let’s just do this and provide a project that shows this. To show the PDF file in a new browser window, all we need to do is call Application.Navigate(URL, ntBlank), where URL is the link to the PDF file. To show the PDF file embedded in the application window, we can drop a TWebBrowserControl on the form and set its URL to the link to the PDF file. So, in a nutshell, the code behind becomes as simple as: procedure TForm2.WebButton1Click(Sender: TObject); const URL = ‘https://download.tmssoftware.com/download/manuals/TMS%20Async.pdf’; begin if WebRadioButton1.Checked then WebBrowserControl1.URL := URL else Application.Navigate(URL, TNavigationTarget.ntBlank); end; For your convenience, you can download the test project here Needless to say that this exact code works in TMS WEB Core for Delphi, TMS WEB Core for Lazarus and TMS WEB Core for Visual Studio Code. It can be applied in a classic web client application, a PWA and also an Electron based cross-platform desktop application. Not using TMS WEB Core yet? Get your free & fully functional trial version download from our website and benefit from the Holiday Season holidays to explore and get excited.

Read More

This was 2020 at TMS

There is a lot to say about this year 2020 and for sure, we at TMS had our challenges as well. But to end the year and look back at it, we prefer to stick to the positive things that happened this year. New products Looking back, it is actually amazing how many product releases we did and what significant new products were introduced. I think like most software developers, you can relate to the feeling how sometimes painfully slow and difficult software development can be. But in hindsight, we can look back at fantastic achievements. It is with this feeling I’m looking back at our year 2020 especially about two new products that were released: TMS FNC Maps We took our FNC concept on steroids with this new product. TMS FNC Maps is not only supporting 4 different development frameworks, 5 operating systems, all major browsers but also 8 different mapping services. Take the best mapping features at the best prices and combine these to integrate powerful mapping functionality in your VCL, FMX, LCL and TMS WEB Core web applications. TMS WEB Core for Visual Studio Code Another tour de force was bringing our TMS WEB Core framework to Visual Studio Code. Visual Studio Code is like a natural fit for TMS WEB Core. It is the beloved IDE for web developers, it runs on Windows, macOS and Linux, it is built with web technology, it has a large ecosystem and it is free. It foremostly enables to render your pages and its controls live in the designer, even taking responsive design in account. We even released already a major update in 2020 with support for PWA and Electron cross-platform desktop application development support. Upcoming is the release of v1.2 with support for pas2js v2.0 compiler that introduces generics, attributes, await, promises and many more new capabilities. Product updates Many products got constant updates mainly driven by your feedback, needs, requests. There are too many updates in 2020 to cover all in detail but I’d like to highlight a few ones that personally excited me. TMS Flexcel TMS Flexcel for VCL/FMX and TMS Flexcel for .NET got frequent updates this year. The major new features that were added are support for .NET Core v5.0 and an API for adding charts to .XLSX files. TMS VCL UI Pack Formerly known as TMS Component Pack, TMS VCL UI Pack has an almost bi-weekly update scheme. Countless new features and enhancements were added all the time. But for me, the major one is the introduction of the new TAdvWebBrowser component that is a wrapper for the new Windows Edge Chromium browser. TAdvWebBrowser permits modern and secure integration of web functionality in your VCL applications. Further, we focused a lot on polishing VCL styles support, TMS styles support and multi-monitor high-DPI support. TMS FNC UI Pack Be it for cross-platform FireMonkey applications, VCL Windows applications, TMS WEB Core web applications or free Lazarus IDE based cross-platform applications, TMS FNC UI Pack is a bundle of UI controls including grid, planner, rich editor, treeview, object inspector, … and much more. Several new components were added to this pack this year: TTMSFNCWaitingIndicator, TTMSFNCSplitter, TTMSFNCRating, TTMSFNCRichEditorHorizontalRuler, TTMSFNCProgressBar and also here our cross-framework, cross-platform browser component was updated to Edge Chromium on the Windows platform. We also […]

Read More