PleaseTech blog

We aim to provide useful, pertinent and sometimes fun insights into the world of document collaboration and the workings of a technology company

Trials and tribulations of online security

Posted by Tim Robinson on 8. May 2014 14:45

CTO at PleaseTech


For most people working in IT, security is never far from the top of the priority list, and PleaseTech seems to get hit from every direction: we’re an ISV but also a SaaS provider, our software often integrates with other applications (whether in the enterprise or the cloud), and we’re a distributed company that relies on many cloud and internet systems to get our job done.

We got off lightly with the Heartbleed bug because it does not affect Microsoft IIS, and by definition PleaseReview only works on IIS.

Heartbleed was a very interesting bug because it was such a simple coding mistake that could be understood, if not by everyone, then at least by non-programmers, whereas most attack vectors we see in software vulnerabilities are extremely sophisticated. Essentially what happens in a Heartbleed attack is that the client asks the server to “echo” back some data to show it’s still connected but, by lying about how much data it has sent, it can force the server to copy more data into the response than it should, and that extra data (which is just whatever happened to be stored in server memory at the time) could theoretically contain useful secrets.

Like many security glitches, this one comes down to the fact that C, the language OpenSSL (the affected SSL library) is written in, allows a program to access blocks of “raw” memory without checking the start and end point of each variable being used. Because the attacker can’t choose which piece of memory to retrieve, they would have to rely on persistence and a large amount of luck to get anything useful, but the mass panic came because there was a theoretical chance of retrieving extremely sensitive information and nobody knew (or indeed still knows) to what extent it might have been exploited in the real world.

You can see that in this case, if you are a customer of, say, Dropbox, and a hacker uses the Heartbleed attack and happens to retrieve your password or credit card details, there is absolutely nothing you could have done to stop them.
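The length mistake described above, as an added C illustration that is not OpenSSL's code: a toy heartbeat handler runs over a constructed block of “server memory” in which a heartbeat record claims a 48-byte payload but actually carries 4 bytes, with a made-up secret lying right after it. The unchecked handler copies what the record claims and drags the secret into the reply; the checked handler compares the claim against the number of bytes that actually arrived (the same shape as the check OpenSSL added) and rejects the record. The record layout constants, the secret and every function name are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added illustration, not OpenSSL's code. A heartbeat record is laid out as
 *   [1 byte type][2 byte big-endian payload_len][payload][padding]
 * and the server is meant to echo payload_len bytes of payload back. */

#define HB_HEADER  3    /* type byte plus the two length bytes */
#define HB_PADDING 16   /* minimum padding a heartbeat record must carry */

/* "Server memory", constructed for the example: a record that claims a 48-byte
 * payload but actually carries 4 bytes, followed by whatever happened to sit
 * next to it (here a made-up secret). The array is sized so the toy stays inside
 * its own buffer; the real bug read arbitrary heap beyond the record. */
static const uint8_t LYING_MEMORY[] =
    "\x01"              /* type: heartbeat request               */
    "\x00\x30"          /* claimed payload length: 0x0030 = 48   */
    "ping"              /* the payload actually sent: 4 bytes    */
    "PPPPPPPPPPPPPPPP"  /* 16 bytes of padding                   */
    "password=hunter2;card=4111111111111111";  /* adjacent secret, constructed */

/* Bytes the client genuinely sent: header + 4-byte payload + padding = 23. */
#define LYING_RECORD_LEN (HB_HEADER + 4 + HB_PADDING)

/* An honest record for comparison: claims 4 bytes and sends 4 bytes. */
static const uint8_t HONEST_MEMORY[] =
    "\x01" "\x00\x04" "ping" "PPPPPPPPPPPPPPPP";
#define HONEST_RECORD_LEN (HB_HEADER + 4 + HB_PADDING)

/* Read the big-endian length field of a record. */
static uint16_t claimed_len(const uint8_t *mem) {
    return (uint16_t)((mem[1] << 8) | mem[2]);
}

/* Vulnerable handler: trusts the length field and copies that many bytes after
 * the header, so it runs past the 4-byte payload into the adjacent secret.
 * Returns the number of bytes placed in resp. */
size_t heartbeat_unchecked(const uint8_t *mem, uint8_t *resp, size_t resp_cap) {
    uint16_t n = claimed_len(mem);
    if (n > resp_cap) return 0;          /* response buffer too small (not the bug at issue) */
    memcpy(resp, mem + HB_HEADER, n);
    return n;
}

/* Fixed handler: also knows how many bytes actually arrived (record_len) and
 * refuses any record whose claimed payload does not fit inside it.
 * Returns 0 and copies nothing when the record is rejected. */
size_t heartbeat_checked(const uint8_t *mem, size_t record_len,
                         uint8_t *resp, size_t resp_cap) {
    if (record_len < HB_HEADER + HB_PADDING) return 0;            /* too short to be valid */
    uint16_t n = claimed_len(mem);
    if ((size_t)HB_HEADER + n + HB_PADDING > record_len) return 0; /* the missing bounds check */
    if (n > resp_cap) return 0;
    memcpy(resp, mem + HB_HEADER, n);
    return n;
}

/* Does the response contain the given byte string? */
int response_contains(const uint8_t *resp, size_t n, const char *needle) {
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(resp + i, needle, m) == 0) return 1;
    return 0;
}

/* Run each handler over the constructed memory (used by main and by tests). */
int unchecked_leaks_secret(void) {
    uint8_t resp[256];
    size_t n = heartbeat_unchecked(LYING_MEMORY, resp, sizeof resp);
    return response_contains(resp, n, "hunter2");
}
size_t checked_lying_echo(void) {
    uint8_t resp[256];
    return heartbeat_checked(LYING_MEMORY, LYING_RECORD_LEN, resp, sizeof resp);
}
size_t checked_honest_echo(void) {
    uint8_t resp[256];
    return heartbeat_checked(HONEST_MEMORY, HONEST_RECORD_LEN, resp, sizeof resp);
}

int main(void) {
    printf("unchecked handler leaks the secret: %s\n", unchecked_leaks_secret() ? "yes" : "no");
    printf("checked handler, lying record: echoed %zu bytes (0 = rejected)\n", checked_lying_echo());
    printf("checked handler, honest record: echoed %zu bytes\n", checked_honest_echo());
    return 0;
}
```

The only difference between the two handlers is the single comparison of the claimed length against the bytes that really arrived; everything else, including the copy itself, is identical, which is why the mistake was so easy to make and so easy to understand once found.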

Outside of direct PleaseTech business, I was affected by another internet security problem which is also quite simple and (hopefully) interesting to understand, and it is related to Hotmail hijacks.

If you’ve got friends or family that use Hotmail (which has recently been renamed Outlook, but let’s not confuse matters) you’ve probably received emails which appear to originate from them but are actually spam. Whenever this has happened to me in the past I have replied to the person in question saying that their Hotmail account may have been hacked and recommending them to change their password, but I’ve never really understood why this seems to happen with Hotmail (and less frequently Yahoo) but rarely or never to other providers. However, recently I was fortunate/unfortunate enough to witness a Hotmail hijack first-hand. Here’s how it works:

DISCLAIMER: I have described the nature of the attack to the best of my knowledge. I consider myself to be a pretty clever computer guy but there’s a chance I’ve gotten completely the wrong end of the stick about this whole thing. If you know better, let me know and I will happily withdraw this.

My girlfriend (who is emphatically not a computer geek) received an email apparently from a friend’s Hotmail account with a short piece of text and a hyperlink. Due to the format, I suspected it was spam but the text was something like “video of my recent holiday” so she had clicked on it before I could dissuade her. Up popped a video about a weight loss pill or something, so she realised it was spam and closed the window. Soon afterwards she noticed a lot of undeliverable and out-of-office replies coming into the inbox, so we checked the sent items and there were hundreds of them, all containing a short paragraph of text plus a hyperlink, and all sent during the few seconds she had the weight loss video on the screen.

This is called a “cross-site request forgery” (CSRF or XSRF). Because you are already logged in to Hotmail in one window, a page in another window can also send requests to Hotmail, and the browser attaches your Hotmail session to them, so they are executed as if you had made them yourself. This was interesting to me because we have done work in PleaseReview to guard against exactly this type of attack.

There are well documented ways to guard against this kind of attack and recent versions of Microsoft’s own ASP.NET web development framework even have them built in. Why Hotmail doesn't use any of them is a mystery to me but it certainly explains why naïve users can have their Hotmail account hacked even when they have a secure password, whereas Gmail users don't suffer from the problem at all.

Hotmail detected the large amount of sent items, deduced there had been an attack and then made my girlfriend change her password and reset her security details. This might make the user feel like they have done something to counteract the spammers but as you can see, it doesn't make the slightest bit of difference to security because the attack doesn't depend on the spammer knowing your Hotmail password or any personal details, just on you clicking the link.
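The defence alluded to above, an anti-forgery token (ASP.NET exposes this through its AntiForgery helpers), modelled as an added C example that is not Hotmail's, ASP.NET's or PleaseReview's code. The session ids, tokens, session table and function names are constructed for the example. It shows why the attack does not need the victim's password: the browser sends the session cookie with every request to the mail server, including one triggered from a page in another window, so a server that acts on the cookie alone is forgeable, whereas one that also demands a token only its own page embeds refuses the cross-site request.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Added illustration of the synchronizer-token ("anti-forgery token") defence.
 * A request to the mail server, as the server sees it. */
typedef struct {
    const char *session_cookie; /* attached automatically by the browser, NULL if none */
    const char *form_token;     /* hidden field the real compose page embeds, NULL if absent */
} request_t;

/* Server-side session store, constructed for the example: each session id maps
 * to an unguessable token issued when the compose page was rendered. */
typedef struct { const char *session_id; const char *token; } session_t;
static const session_t SESSIONS[] = {
    { "sid-4f1c9a", "csrf-8e2d7b" },
    { "sid-0b77e3", "csrf-a91c02" },
};

/* Sample requests, constructed: the victim's own send, a cross-site page firing
 * the same request (cookie rides along, token does not), a page guessing a
 * token that belongs to a different session, and a request with no session. */
static const request_t LEGIT_REQUEST       = { "sid-4f1c9a", "csrf-8e2d7b" };
static const request_t FORGED_REQUEST      = { "sid-4f1c9a", NULL };
static const request_t WRONG_TOKEN_REQUEST = { "sid-4f1c9a", "csrf-a91c02" };
static const request_t NO_SESSION_REQUEST  = { NULL, "csrf-8e2d7b" };

/* Compare the whole of both strings rather than stopping at the first mismatch,
 * so validation time does not reveal how many leading characters agreed. */
static bool constant_time_equal(const char *a, const char *b) {
    size_t la = strlen(a), lb = strlen(b);
    unsigned diff = (unsigned)(la ^ lb);
    for (size_t i = 0; i < la; i++)
        diff |= (unsigned)(a[i] ^ (i < lb ? b[i] : 0));
    return diff == 0;
}

static const session_t *lookup_session(const char *cookie) {
    if (cookie == NULL) return NULL;
    for (size_t i = 0; i < sizeof SESSIONS / sizeof SESSIONS[0]; i++)
        if (strcmp(SESSIONS[i].session_id, cookie) == 0) return &SESSIONS[i];
    return NULL;
}

/* Forgeable server: any request carrying a valid session cookie is acted on,
 * so a page in another window can send mail as the logged-in user. */
bool send_allowed_cookie_only(const request_t *req) {
    return lookup_session(req->session_cookie) != NULL;
}

/* Hardened server: the request must also carry the token bound to that session,
 * which a page on another site cannot read and therefore cannot supply. */
bool send_allowed_with_token(const request_t *req) {
    const session_t *s = lookup_session(req->session_cookie);
    if (s == NULL || req->form_token == NULL) return false;
    return constant_time_equal(s->token, req->form_token);
}
```

Changing the password after the fact does nothing here because the token, not the password, is what the forged request lacks; the fix has to be on the server, which is why the post's advice to users is limited to not clicking in the first place.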

So how can you guard yourself against this kind of attack? This bug has been around for at least five years so don’t hold your breath waiting for Microsoft to fix it! Treat email hyperlinks that look like spam (i.e. where the text in the message doesn’t seem like the kind of thing your friend would normally write) with extreme suspicion and if you decide you want to click anyway just to find out, copy the URL and open it in another browser or in “private” browsing mode.

Following on from this, just last week there was an Internet Explorer vulnerability which could allow a hacker to access a user’s PC and run his own code. This was considered so serious by Microsoft that they even broke their rule of “XP support ends on April 8th” to release an immediate fix for XP. This isn’t quite so straightforward to explain, but it basically comes down again to the fact that the software was written in C and so has no automatic memory-safety checks.

Similar to the Hotmail attack, this one means the attacker has to lure the user to a malicious web page but as we’ve seen, for many users that’s not difficult to do.

For all of us, both as suppliers and users of IT, it’s clear that online security is going to be an ever increasing part of our world. Even though bugs like these can be resolved, it would be extremely naïve to think we’ll ever solve them all when software is being produced at an ever increasing rate.

Plus of course, there are plenty of attacks that don’t rely on faulty software at all. In my own case I had to cancel my cell-phone account with EE because someone else was repeatedly calling up their support line claiming to be me but to have forgotten their password; they would then change the home address and order a new phone to be charged to my account. Even though this happened around 10 times in the course of a single month, EE seemed unable to put in place even the most basic measures to stop it (like calling me on my mobile phone, which would have quickly enabled them to ascertain that the “me” trying to change the account details didn’t even have access to the phone connected to the account).

So the only lessons here, for suppliers as well as customers, are to be continually vigilant, understand what security threats exist and do your best to mitigate them, but don’t rely on any “silver bullet” to resolve your security issues.


PleaseTech and Oracle® introduce WebCenter Content’s new collaborative document review capabilities

Posted by Sarah Holden on 24. January 2014 10:10

Half of the PleaseTech marketing team.


It’s been a couple of weeks since we announced our PleaseTech integration with Oracle’s WebCenter Content ECM platform. We are now following that up by hosting a brief webinar to demonstrate both what this partnership brings and how it works.

Oracle’s WebCenter Content allows businesses not only to consolidate and manage their documents and content from a central platform, but now also to address a very specific, yet prolific business issue: how to collaboratively edit, review and co-author a document at the same time as others, whilst maintaining control over the document, management over the process and adherence to corporate compliance requirements. Oh, and making it easy to do, too!

The webinar will be presented by PleaseTech CEO, Dave Cornwell and Senior Principal, Product Management, Oracle.

So simply sign up! LINK to webinar page.

Webinar: Collaborative document review within Oracle WebCenter Content

Thursday January 30th, 2014: 12 noon, EST / 9am PST / 5pm GMT

Duration: 30 minutes


We look forward to you joining us next week.

Integrating PleaseReview with Oracle WebCenter Content

Posted by John Tanner on 22. January 2014 11:06

Our PleaseTech integration expert


When setting out on developing the integration of WebCenter Content with PleaseReview, our primary aims were the same as with other PleaseReview document management integrations. We wanted to develop a seamless solution which would allow all of the controlled collaboration benefits of PleaseReview to be available from within WebCenter Content without the user having to log into a separate system.  In addition, we wanted to make it possible for existing PleaseReview users already familiar with the User Interface, to be able to log into it using their WebCenter Content Credentials and carry out reviews using WebCenter documents and WebCenter Users as Participants.

In order to achieve these aims it was necessary to develop three separate components, which together work hand-in-hand to join WebCenter Content and PleaseReview.

Firstly a custom WebCenter Content Component was created in order to update the WebCenter Content user interface to include new PleaseReview menu items and custom inbox pages in the style of the WebCenter Content instance, for users with the appropriate permissions.  The result was a custom component that can easily be deployed and configured to work with PleaseReview by a WebCenter Content administrator.

Next, a custom PleaseReview extension (or System Connector) specific to WebCenter Content was built to enable users to log into the PleaseReview UI using their WebCenter Credentials and to enable PleaseReview to be able to interact with WebCenter Content via its APIs, for purposes such as accessing documents, selecting users etc. This was built using the standard PleaseReview system connector structure, so as to simplify the deployment process.

Finally, in order to enable PleaseReview to obtain details of the PleaseReview specific users and groups administered from within WebLogic Admin Console, a WebLogic PleaseReview Connector was developed, which can simply be deployed as a Web Application on the WebLogic server on which WebCenter Content resides using the WebLogic AdminClient.

Putting these three components together we now have a solution which offers everything we initially set out to do, making a seamless collaborative review process possible from within WebCenter Content.  

For anyone interested in finding out more about this integration and the collaborative document review capabilities within WebCenter Content, please join us for our complimentary webinar on January 30th. Just sign up here.


PleaseReview continues to be a product that stands alone in its functionality and power...

Posted by Sarah Holden on 26. November 2013 13:56

Half of the PleaseTech marketing team.


An article featuring a recent independent evaluation of PleaseReview has just been published by DM Magazine, a UK publication specializing in document and enterprise content management technologies. The article covers the product's newest enhancements following its major v5.0 release and also the strategy behind its development. In my opinion it makes for good reading, and so I have included it verbatim here!

Written by Dave Tyler, Editor, Document Manager Magazine

We first looked at PleaseReview a couple of years ago, at which time it was already on its way to becoming established as a unique and powerful tool: whether reviewing or co-authoring documents within a department, across the enterprise (inside or outside the firewall) or with customers, partners and suppliers, PleaseReview expedites the process within its secure, structured and controlled environment.

The product is now effectively the de facto standard 'tool for the job' in the Life Sciences marketplace. The company claims that what it describes as 'document-centric collaboration' is set to grow steadily over the next few years, driven by a combination of tightened economic strictures and an increased need for better collaboration.

The newest version of PleaseReview, v5.0 boasts a significantly enhanced interface, with a far cleaner look and feel that fits neatly into the current Windows environment - including tight integration with SharePoint 2007/2010/2013. Support for mobile users has been present since 2011, but the new version also includes a useful offline mode, which enables users to review documents while on a plane, for instance, using a zero-footprint client that works as well on tablets as on laptops.

PleaseTech has a clear strategy for the development of this product which they describe as 'Beyond Review', a key element of which is to better support enterprise rollout. The enhanced mobile/flight mode is part of this, as is the excellent SharePoint integration and improved user interface. Users are now presented with a window that looks much more like a Word document (which is of course the office tool that most will be using on a regular basis). Other minor but thoughtful enhancements include a countdown timer to remind users of when a document needs to be reviewed by, and nicely modernised toolbars that suit the current Windows user experience.

Another important innovation is the introduction of Feedback management, allowing the capture of high level feedback on a document (or document sets): this gives a whole new level of functionality to those who utilise PleaseReview on bids, proposals and similar documents. The reporting capabilities of the software have often been a key selling point according to PleaseTech, and the Feedback improvements can only help their cause, as well as helping them address their desire to move across the enterprise.

Another enterprise-class enhancement is in the configurability of the product itself. Intuitive administrator menus allow for the setup of different views and capabilities for different levels of user. For example, casual users can have a more simplified interface than regular users. There have also been improvements to ReviewZones which control who can comment where in Word documents. Less senior staff might only be able to view and comment on specific paragraphs that are relevant to their business unit, for instance, while project managers are given far more control and wider access.

Version 5 is a major step forward from the software we looked at just a couple of years ago in terms of configurability, user interface and reporting and management. V5.1, promised for early 2014, is intended to take PleaseTech's stated aim of 'Beyond Review' even further, with more specialist review tools and unique functionality. 
More info: www.pleasetech.com 


VERDICT
PleaseReview continues to be a product that stands alone in its functionality and power, while broadening its appeal to additional market sectors and presenting itself as an enterprise-ready tool - mobile enhancements are a particularly nice touch.


PleaseTech announces PleaseReview integration with Oracle WebCenter Content

Posted by Sarah Holden on 14. November 2013 16:09

Half of the PleaseTech marketing team.


We are very pleased to announce that after lots of hard work we can safely say that PleaseReview™ now brings its specialist collaborative review and co-authoring capabilities within reach of Oracle® WebCenter Content customers.

Following on from our earlier announcement that we had achieved Oracle PartnerNetwork gold level partner status, we have successfully completed PleaseReview's integration with Oracle's WebCenter Content ECM platform. This extends our current partner portfolio with other leading document and content management systems, and more integrations are underway.

PleaseReview is a natural fit with Oracle WebCenter Content as it brings its specialist collaborative review and co-authoring capabilities to those organizations who chose Oracle's ECM platform to help lower costs, reduce risks and improve business productivity. Indeed, as PleaseReview is proven to deliver significant cost and time savings and is easy to use, the ROI becomes quickly obvious. 

Additionally, as PleaseReview seamlessly accesses Oracle WebCenter Content's document repository, users can easily locate and participate in reviews from their WebCenter Content interface. Simultaneous access to the review, control over who can do what to where, comment and change reconciliation, automated consolidation of proposed changes and comments, owner management and control and comprehensive reporting are some of the features they will benefit from.

For more information, please visit our website, read the news release or contact us.
