How to keep your start-up safe?

When building a start-up company, it might be tempting to overlook some important security aspects. For example, do you commonly use public WiFi networks when you’re on the go? Do you enter your PIN securely? These are just some of the questions. This post aims to give you some basic ideas to think about and potentially to implement in your company. But remember: no matter how strong cryptography you are using – even if it unbreakable – the weakest link is the end user. So, it’s worthwhile to continuously educate the end users (eg. employees) about potential threats, as well as promote an open atmosphere that encourages communication between IT and the end users.

SKM does everything to keep your app as safe as possible, but it’s equally important to keep in mind things you can do to increase security. Remember – in case of uncertainty – always ask!

Office Guidelines

Depending on your office place, you may be exposed to various threats. For example, unauthorized people (eg. visitors, cleaning service, people from other departments) may pass by your desk, and if you happen to have confidential information on the desk, it may no longer be a secret. Or, what if you forgot to lock your PC…?

  • Lock Office & Computer: Always lock your PC when you leave your place. If it is possible, lock the office too.
  • Clean Desk Policy: Don’t leave stuff on your desk, for example, during a lunch break.
  • Personal Devices: Don’t set up your own WiFi or use personally owned devices.
  • Wear Security Badge: Always wear your security badge. When you spot people without one, walk them to security.
  • Never Let Unknown in: Never hold the door for people you don’t know. Be careful with tailgaters, i.e. people that get in right after someone else with access.
  • Printing Confidential Information: Do not print confidential information. Keep in mind that some printers store everything you print.

Password Guidelines

A common mistake is to use the same password on multiple websites. If one website gets compromised, all your other accounts will be endangered.

  • Unique for Critical Services: Although it’s a good practise to keep a unique password for all your accounts, not all websites might be critical to protect. You should, at the very least, have a unique password for your email, banking, and other accounts that contain sensitive information about you or your organization.
  • Two Factor Auth: For those websites that support two factor authentication (2FA), consider using it. Should your password be compromised, there is another level of authentication, one that is not as easily compromised as the password itself (unless you lose your phone, etc).
  • Password Design: The password should contain upper/lower case letters, numbers and symbols. It should not contain words from the dictionary (or their derivative). Eg. Pa$$w0rd is a bad password.

Smartphone Guidelines

A smartphone contains more sensitive information than we think: our email messages, passwords, documents downloaded from the cloud, pictures, personally identifiable information, and more. Therefore, it’s important take great care of it.

  • PIN: Lock the phone with a PIN or a password
  • Encryption: Encrypt the phone and any additional SD storage, if applicable.
  • Remote Wipe: Set up remote wipe and device tracking (eg. Android Device Manager, Exchange).
  • Shoulder Surfing: Prevent shoulder surfing. When entering the PIN, take some distance from others. Think of it as the PIN to your credit/debit card. Would you want people behind you to see it?

On the Go – Traveling Securely

By travelling, you are exposed to many more risks than in the office. Using public WiFi and shoulder surfing are just some of the examples that pose a threat.

  • Public WiFi: Public hotspots are usually not encrypted, which means everyone can see your activity. It’s better to use cellular connection, if applicable, or a secure network. But, always assume everything you do is being tracked.
  • VPN: Use VPN to encrypt all web traffic (eg. when you use a browser).
  • You are being Watched: Any time you are online, assume that you are being watched all the time: all the websites, the passwords, etc are scrutinized by a hacker. When visiting websites, ensure that you only use secure connections, i.e. those starting with https://.
  • Confidential Documents in Hotels: Always keep important documents close to you and don’t leave them openly on the desk. Think ‘clean desk policy’.
  • Your Neighbours: Keep in mind that people around you may intercept your conversations.
  • Unattended Device: Best rule of thumb, ‘don’t leave your device unattended’. This reduces the risk of theft. If you need to leave it, hide it (eg. in a car).
  • Shoulder Surfers: Be careful and take distance from people when entering you PIN, especially if it is used to encrypt the device.

Email Guidelines

A common misconception is to assume that emails are private. That’s far from reality. Emails you send across the internet are in plain text, readable by anyone. Note, internal email communication may or may not go through the internet (i.e. it might stay within the company), however, check this with IT dept.

  • Emails are Insecure: Assume everything you send by email can be read by everyone. Sensitive information should be sent in an encrypted form, for instance using PGP.
  • Security may be Dissolved: Even if you assume that emails don’t leave your company’s server, keep in mind that your colleagues may have their emails on their phones, tablets, etc. It’s enough for the hacker to compromise one of the devices to be able to intercept the communication. Therefore, always encrypt emails.
  • PGP Pitfalls: If you’ve come this far, ensure that you check the fingerprint of the certificate.

New License Key Panel

Today we’ve released a new license key overview panel, which you can access by clicking on a license key on the “product page”. It is a replacement of the page were you would normally be redirected when selecting a key and the “Advanced Key Details” page.

The current page uses our new Web API 3, which means that everything you can do on this page can be achieved in your code. Please keep in mind that it requires a ‘standard’ subscription (‘premium’ won’t work unfortunately).

A unique feature of this new license key panel is that is supports labels that can help you to distinguish between various properties of a license key. For example, you might already use ‘feature 1’ as a way to mark a license key as a trial key. You can specify this here. Our intention is to build on top of this idea and bring support for labels to the product page, etc. More labels are coming later this month.

This panel is still a work in progress, so if you would have any suggestions or questions, please let us know! Here’s our feedback form.

Activation Format Updated

The newest release of the SKM Platform (since 2016.06.27) is now supporting the new LicenseKey format, which is the default format of the Web API 3. This change has two implications: on Activation Forms and on the activation files on the product page.

  • Activation Forms – only new activation forms will be affected
  • Activation Files – the default is the new format.

To make this work in your application, please upgrade to SKM Client API (v.4.01). A good migration guide can be found here.

You are always welcome to ask us questions by contacting us!

A sample format of the new activation files is shown below:

{
  "productId": 3349,
  "id": 2,
  "key": "MTMPW-VZERP-JZVNZ-SCPZM",
  "created": "2015-08-27T00:00:00",
  "expires": "2016-07-27T00:00:00",
  "period": 30,
  "f1": true,
  "f2": false,
  "f3": false,
  "f4": true,
  "f5": false,
  "f6": false,
  "f7": false,
  "f8": false,
  "notes": "awdawd123",
  "block": false,
  "globalId": 24964,
  "customer": null,
  "activatedMachines": [
    {
      "mid": "foo",
      "ip": "10.1.1.2",
      "time": "2016-06-27T11:43:10.167"
    }
  ],
  "trialActivation": true,
  "maxNoOfMachines": 4,
  "allowedMachines": "",
  "dataObjects": [
    {
      "id": 61,
      "name": "artem",
      "stringValue": "",
      "intValue": 1337
    }
  ],
  "signDate": "2016-06-27T11:43:13",
  "signature": "RpFDLKvfv8fJHjpZ7xnFDtUPY8xbxVNzha8jDiYeZaz57d9V9URC8IBynFUky5w4Y2HmhjDQ6uxKh8nMJnivMkNQXmsGl8GFEN2tG4tMKie9KRFmOULh+rE4lCV2Ot1Aj9DT+m/+K0kqAzMfHIY+cMdulCxOdYmMafuP1tyxgUsSAVP04ax/pbHI9ps7YwPYMqAvCmrWKL+J4ITyA7CdnQkwDnEcTX6gTK0atJA2pk2fZMPW9RpCLYIVgrMa8nfc7x2mxIYDX7nN9GWZi+jdipbHFgc91KcmgSi7WzEl4gWRVk9aKsBDe+taolNst0uruCBKZiL+BNV84gG2mDBWzg=="
}

 

Activation files, de-activations and coming features

Activation Box

This week we’ve finished the “activation file box” that can be found on the product page. Here’s an overview:

The advantage of using it that you can easily add and remove new devices, as well as get an activation file that can be sent to users with no Internet access. The activation box consists of several ideas suggested by our users, so it feels great to add support for it!

Where we are moving

Many of us have experienced that since the last year, the core interface has remained unchanged. However, under the hood, many new functionalities have been added. Our primary focus has always been on the new Web API 3, which, in contrast to Web API 2, gives you more power and customization. Now that we have the foundation up and running, the new changes to the interface are going to occur much faster. Here, our aim is to move to a single-page design that allows you to stay on the same page without having to refresh the page. The goal is to increase productivity by reducing page loading time.

Another point worth mentioning is that we are going to expand the capabilities of the SKM.dll (aka SKGL Extension). Many of us use KeyInformation objects to store license information. However, many things have changed since it was first introduced, and keeping adding new things to it won’t be good from both a design perspective and a usability perspective.Therefore, we plan to add an entirely new class of representing license key information, with fields for customer information, data objects (aka additional variables), etc. Unfortunately, this will require some migration for those of us would like to adapt the new way. But, we will do our best to make it as simple as possible.

This is really exciting and I hope to be able to share some updates with you in the coming weeks! 🙂 You are always able to see the progress here.

Improvements to Payment Forms

Automation of software licensing and distribution greatly reduces the time needed to process orders, and thus allows you to focus on building great products. SKM Payment Forms allow you to easily achieve that automation.

Here are some of the improvements we’ve made in the last couple of weeks:

  • TutorialDesigned a new, comprehensive tutorial about Payment Forms.
  • Receipts: Enabled support for sending receipts on a successful transaction.
  • EmailAdd a requirement to enter an email during for each transaction.This was done to make it easier for you to identify the customers for each transaction, which is good in case something went wrong.
  • PayPal: Allow the IPN to be used with multiple payment forms. Now, you only need to specify one IPN address, i.e. https://serialkeymanager.com/Form/IPN/.

Easy Way to Update Licenses

One of the requested features is the ability to update licenses (see previous post about extending licenses). Today, we’ve released two new methods that make it easier to update the state of any given feature. The methods are:

In addition to that, there is now an option to create Access Tokens that have a feature lock. That is, not only is it possible to restrict the scope of the access token to a product or a key, but also to features.

Both of these are now a part of the new version of the client API (SKGL Extension).

Offline Activation

As many of you might know, when SKGL Extension does not have access to the Internet, the TimeLeft field will not be updated.Therefore, please always use DaysLeft method in those cases.

Feedback

Web API 3 is constantly being improved. Please let us know how we can make it even better!

SKGL Extension 2.0.9 available

A new version of the client API for Serial Key Manager is now available. You can get it from GitHub or NuGet (in Visual Studio):

Here are some of the new capabilities:

* Allow the username (current logged in user) to be included in the getMachineCode method.
* Ability to save and load key information data in JSON format.
* Add ExtendLicense method.
* Add general interface to communicate with Web API 3.