Archive | April 2014

An update from our 2014 associates

Welcome to the second blog written by Computacenter’s 2014 intake of associates. The baton appears to have been passed to me after Charlotte kick-started the reinvigorated Associate Programme Blog last month.

“The weekend was a mixture of informative workshops and significant networking opportunities.”

I’m going to start by covering off the UK Kick Off at the Celtic Manor which was an early highlight for the new associates. What an experience and what an introduction to the sort of company that we have been lucky enough to join. The weekend was a mixture of informative workshops and significant drinking networking opportunities. It was great to see how Computacenter celebrates success and I know I speak for the entire 2014 intake of associates when I say that we are all itching to be on stage collecting a jacket as soon as possible. Some ambitious claims have been made so we will see if people can put their money where their mouth is over the next couple of years, watch this space! The end result was that we left the Celtic Manor feeling motivated and enthusiastic to get stuck into our rotations.

“We need to ensure that we retain our existing customers, while always looking to expand the scope and quality of the services that we provide to them.”

As Charlotte covered her rotation with Partner Management last month, I will focus on my first rotation which was into my Line of Business – Contractual Services. The key performance indicator for Contractual Services is the growth to our contract base. This year’s target represents significant growth on last year’s number. We clearly need some big wins to hit that target and there are numerous bids on the go to help us in that regard. On the traditionally less glamorous, flip-side of that coin, we also need to retain as much of our existing business as possible. My first month in Contractual Services was primarily spent sitting in on meetings with existing customers, where we were proactively looking to renew their contracts, even though there was often a year or two left to run on them. The key messages I took from these meetings were the importance of forward-thinking and proactive planning on the part of the account teams; working in conjunction with Sales Specialists, Service Delivery and Solution Design personnel. We need to ensure that we retain our existing customers, while always looking to expand the scope and quality of the services that we provide to them – Take care and take share.

That concludes this month’s instalment of the Associate Programme Blog. Next month we will be in the capable hands of Jack Parfitt, who is one of our Sales Associates aligned to the Public Sector.

Ben
Line of Business Associate

Security Matters – It’s currently all about “Heartbleed” but what else lies beneath?

At the start of the year I said to anyone who would listen (and that was a fair amount of people) that 2014 would be a milestone year for security and unified communications (UC). We will come back to UC another day, but security is really living up to the prophecy. 2014 is common to previous years with visible attacks, invisible attacks, well published breaches, hidden breaches and all of the above now carefully positioned under the Cyber Threat banner (the advanced persistent threat moniker of yesteryear now seems out of fashion).Security image 2

And already as we cross into quarter two of the year we face the first “cause for concern” security breach that isn’t just affecting the IT rich major corporates, but has the potential to affect anyone who uses the internet in earnest.  Heartbleed is that security breach and exposes vulnerabilities in OPENSSL, the security used to maintain secure encrypted conversations (passwords, usernames, etc.) by some web servers. OPENSSL gives informed users and laymen alike confidence to access the World Wide Web assured that a secure interaction is happening so a problem like Heartbleed potentially has major ramifications. We have always aligned with the view that the use of SSL, https, closed padlock signs on browsers, etc. should have signalled a “secure transaction” but sadly now that perspective is under scrutiny based on a vulnerability in OPENSSL that may have been evident for two years. That is two years when attackers “could” have been accessing hidden digital keys in those seemingly secure browsing or web interactions and “could” have been using those keys to hack the user/sites in question. A quick search across the web for a list of potentially vulnerable sites presents a “who’s who” of many of the biggest and best know destinations on the web.

Good news, the vulnerability was announced and highlighted last week (and most of the key sites have all but eliminated the vulnerability) – bad news, few know or are saying what or if the vulnerability has been used to attack to date.

So where does that leave us – thankfully informed and with that equipped with a “call to action” to ensure we are protected against the Heartbleed threat. But it shouldn’t stop there, if a threat of such magnitude has been hidden / secret for two years what else lies beneath your network, systems, and data – could that next “security threat alarm bell” ring for you. Do you know with confidence if your IT systems, company data, personal data are really secure? I rarely plug IT services and solutions on this blog but it may be time you gave us a call.

Until next time.

Colin W

Twitter: @colinwccuk

Heartbleed CVE-2014-0160

My original intention was to post on the much anticipated death of Microsoft Windows XP.  Though the arrival of the heartbleed vulnerability in OpenSSL seems to have rather trumped that.  Though this blog was never intended to be a news service, and many excellent such blogs already exist – this is a situation well worthy of comment.
CVE-2014-0160 was posted on the seventh of April 2014 and concerns the leakage of information from systems using some versions of the OpenSSL security and encryption library.  The problem started to appear at the beginning of 2012 and patches have only just become available.
What it does
This post is not designed to give full technical details; those are available at the links listed at the end of this article but rather to alert our customers and employees to the potential seriousness of this problem.  The basic problem is pretty simple, when a malformed read request is sent to a vulnerable system it responds with the contents of a 64k chunk of the victim machines’ memory.  That memory could contain all sorts of sensitive data and tests have confirmed that this could include the websites private encryption keys.  Thus, compromising the site completely.

The most important considerations that I can think of are:

  • It is an over simplification to say that Linux systems are vulnerable and Microsoft systems are not, but prioritising Linux and open source systems is reasonable
  • Many older builds of OpenSSL are not vulnerable, in particular those based on version 0.9.8
  • The attack appears to be silent, there will be nothing in the server logs and network IDS vendors are only now starting to provide signitures
  • Just patching does not cure the problem, as you cannot tell if a site has been previously compromised, the vulnerable keys (certificates etc) may need to be replaced
  • Once lost, such information can be used to imitate a site and trick users into accessing a rogue site
  • Proof of concept attack code has already been published
  • The Rapid7 Metasploit framework now has an openssl_heartbleed module
  • Responsible sites have already starting patching and renewing HTTPS certificates, and revoking the old ones
  • Checks for revoked certificates are not often ideal, leaving us with website spoofing problems
  • The attack is reported as by-directional, clients are at risk as well as servers
  • Don’t rely on the default package included in a distribution, check what is actually running on your systems.  An application (for example) may have replaced the default library with a vulnerable one.
  • Getting the precise version number of the OpenSSL library is not always obvious, please check carefully with the vendor
  • Vendors, testing services, applications, repositories etc are all racing to catch up, do not assume that no news is good news

The following are all external links, please treat them with the usual care.  This is still an emerging problem, it may be necessary to check back later as more information becomes available.

Getting more information:
CVE details:    http://www.cvedetails.com/cve/CVE-2014-0160 
Specialist site:     http://heartbleed.com a good place to start

Coverage report from netcraft:
http://news.netcraft.com/archives/2014/04/08/half-a-million-widely-trusted-websites-vulnerable-to-heartbleed-bug.html

Why revocation might not be enough:
http://news.netcraft.com/archives/2013/05/13/how-certificate-revocation-doesnt-work-in-practice.html

The effect on TOR (those really needing Web anonymity are best advised to wait for things to calm down)
https://blog.torproject.org/blog/openssl-bug-cve-2014-0160

Test a public facing site (SSL from Qualys, expect this site to be rather busy just at the moment)
https://www.ssllabs.com

As for XP, perhaps we need to wait a few weeks to see what happens, I’m not alone in believing that the attacks against XP will come slowly but the attacks against this will come quickly