Monday, October 27, 2014

Citrix Mobility London 2014

Citrix Mobility 2014
At the start of the event there was a look back over the last 25 years of Citrix systems.  Lots of nostalgic images of previous versions of software including Client Access Suite.  It was an interesting introduction which reminded us all how far Citrix has come over the years.
Jason Tooley, Country Manager for Citrix in the UK, was the host for the event.  He didn’t cover too much himself, but acted as the glue between the other presenters.
Philip Redman, VP of Mobile Solutions & Strategy at Citrix, was the first main speaker on stage, covering “enabling the mobile enterprise”.  His initial point was that some things never change (including a quick dig at England’s poor performance at the World Cup in the summer), but he then went on to say that the Enterprise Mobility spectrum is always changing.
 
 
Initially I wasn’t too impressed with the slide deck.  It seemed a bit slapdash with old icons for Twitter and the images had been crudely cut and pasted onto some generic template.  Not something I usually associate with the smooth presentation skills of Citrix’s top brass.
He mentioned how IT teams need to have quicker reaction times to businesses’ ever-changing needs and provide the tools to empower staff.
He mentioned the old phrase which Citrix has done to death “Work is not a place” and mentioned that IT teams need to provide a “delightful experience” to their internal customers.  I understand his point, but really?  A delightful experience?
Simpleness and anyness (a term Citrix is using to describe the fact that anything can be accessed on any device, anywhere) are really important for a successful mobility strategy.
Citrix has made some interesting acquisitions, including Virtual and Framehawk.  The former has the ability to virtualise iOS and Android environments for app development and the latter has the ability to improve performance over poor, high-latency network connections.
One thing which demonstrates the shift in technologies that Citrix are pushing is their revenue stream.  Their core app and desktop virtualisation products revenue has moved from 75% to 52% of total revenue.  Networking has increased to 22% and SaaS (GoToMeeting, Podio etc.) has increased to 21%.  This leaves 5% for consultancy.
Citrix are the leader in 3 Gartner Magic Quadrants including EMM, Enterprise File Sharing and ADC. This proves that Citrix is a true platform.
Their view is that IT teams need to focus on Self Service and automation to help manage the increase of change.  They need to switch from builder to service provider, gatekeeper to secure productivity motivator.  He then mentioned that we should be providing an irresistible user experience.  Wow!
Philip then introduced John Spencer (Director of Systems Engineering) to the stage to provide a demo.  Philip surprised John with a brand spanking new HP Chromebook to configure.  This took John by surprise, but he configured it pretty quickly with Receiver downloaded from the Google Chrome store and connected to his GPU-enabled Windows 7 machine in the datacentre.  He quickly switched over to his Mac (mainly because he couldn’t properly see his mouse whilst the Chromebook was in projection mode).
He then showed the Session Linger feature which has been reintroduced in XenApp 7.6 after being removed in 7.0.  This predicts when a user is going to open an application and “pre-launches” it.  This means the user clicks a published application shortcut in Receiver and it launches immediately.
John switched client device again, this time to the iPad.  What the demonstration did show is that Storefront, Netscaler and XenDesktop/XenApp 7.6 should remove the age old problem of reconnection to an active desktop which has plagued many businesses for a long time.
John then showed some intense graphics and Flash animations on his Windows 8 machine through his iPad.  It looked very good overall.
Philip continued with his presentation and provided 3 steps to successfully introducing mobility into your enterprise.
Step 1: Introduce BYO
Step 2: Secure killer productivity apps such as email, contacts and calendar
Step 3: Provide a mobile app platform (office editing, access to LoB applications)
Philip then suggested that XenMobile can do this for you.  The latest version (9.0) uses 20% less battery for WorxMail than a native mail client.  Version 9 also introduces WorxNotes, which is like OneNote, WorxEdit, which is a dedicated office editing application, and WorxDesktop, which is like GoToMyPC.  WorxDesktop is a really confusing product/feature release which seems to conflict with other areas which Citrix cover, without explaining where it should sit.
John came back up on stage to introduce the workflow features in XenMobile.  He demonstrated that you can organise meetings through GoToMeeting in WorxMail without leaving the app.  You could also do the same for attaching files (through ShareFile) without leaving the WorxMail app.  This looked good, but it does require you to be completely in bed with Citrix.

What was interesting is the requirement for Netscaler for the majority of these features.  If you choose to implement XenMobile, Netscaler is a must, especially for micro-VPN.
The next presentation was from Nathan Hill, a research director at Gartner.
He described how the modern workspace is fluid not rigid.  The work streams of communicating, consuming and creating content are best achieved on different devices (but not exclusively).
He presented a graph which showed that the proportion of enterprise apps that are Windows apps has fallen below 50% for the first time.  The increase of browser-based apps and OS-agnostic apps has pushed the Windows figure down consistently over the years.  He believed that enterprise Windows apps will remain hugely important through 2020, but IT teams need to understand that Windows is now becoming less important to enterprises.
A slide showed that SBC (server based computing, aka XenApp) has a far lower TCO than traditional VDI (XenDesktop).  DaaS (Desktop as a Service) providers are increasing, but their scope is narrow.  BYO is much more prevalent in North America than it is in EMEA.
IT teams should now focus on having different Support teams who focus on End user services instead of separate teams for network, desktop and mobile support.
The main interesting point he made was that device diversity can only be truly achieved when we accept that devices are untrusted.  This creates a shift in philosophy from attempting to secure the device to securing the data.
IT teams should be non-linear, focus on people, things and data, seek to enable rather than prescribe, and plan for constant change.
After the morning coffee break, John Spencer returned to the stage.  He covered some details around the MDX features for XenMobile.  He reiterated the importance of having Netscaler for the XenMobile product.
He covered the TriScale marketing for Netscaler, which allows customers to scale in three different ways (surprisingly): Scale Up, pay as you grow by purchasing licences to increase capacity; Scale Out, by introducing another appliance to a cluster; and Scale In, by using virtual instances on the SDX platform.
He also mentioned how the Citrix mobile application SDK provides the ability for developers to reskin Windows XenApp applications to behave like native applications on smart devices.  He showed a demo of a reskinned version of Outlook which looked like native mail on an iOS device.
Next a couple of representatives from Cancer Research UK came up on stage to discuss their journey into the mobility world with Citrix.  It was pretty interesting and they seem happy with what they have.
We then had lunch which was very nice!
After lunch Thomas Zell, Director Field Readiness EMEA at Citrix covered the different methods of delivering apps to the mobile devices.  This included publishing (using XenApp), refactor (using XenApp SDK to deliver better UI for published apps), reform (using XenMobile to deliver secure wrapped apps) and replace (using native app developers to create something from scratch).
Interestingly he said there is no correct approach, as they all have their pros and cons.  Simply publishing an application is quick and requires little work on the backend, but the user experience may be poor, whereas wrapped apps in XenMobile will work online or offline and use all capabilities of the device if required.  This, however, costs a lot of money and will take a lot of time to create.  The sweet spot is using the SDK to make Windows apps delivered by XenApp look native.  He described that there are many Windows developers out there but far fewer iOS and Android developers, hence the cost of reskinning a Windows app would be cheaper.
There were 2 customer videos which were shown, one for the Swiss railway and the other was a Chilean Vineyard.
Next came a presentation from HP on a technology stack called “Moonshot”.
Olivier Frank & Brian Duffy from HP described a common problem for enterprise IT teams where they build a system which doesn’t work for the users or is scoped incorrectly.  Moonshot is designed as a simple cartridge based system where IT teams can buy a specific cartridge for a task and simply insert into a chassis and have pre-defined hardware for a task.  No Hypervisor required!
The energy saving available is good because the hardware is scoped according to the software or task.  They showed ConvergedSystem 100, which is a cartridge that holds 4 machines, each with a dedicated GPU.  These are designed for users who require 3D rendering applications.  Each chassis can hold 45 cartridges, so 4U of rack space can provide 180 workstations with the ability to serve rich 3D applications like Photoshop or AutoCAD.
They also presented a different cartridge which is designed for XenApp workloads with some GPU capability.  This is really interesting from user density perspective.  Each chassis could potentially provide 2,500 user sessions with GPU capability for playing server rendered videos.


http://blogs.citrix.com/2014/10/23/the-eagle-has-landed-citrix-xenapp-is-now-available-on-hp-moonshot-with-intel-graphics/
http://www8.hp.com/us/en/products/proliant-servers/product-detail.html?oid=7398911#!tab=features
After the afternoon break Craig Hinchliffe, Technology Evangelist, showed us what is coming up in the year to come.  He pushed the Flexcast terminology of being able to serve up Apps or Desktops in the same architecture.
He then showed a demo of connecting to an Ubuntu VDA rather than Windows 7.  This is a really interesting development because it relaxes the requirement for Windows VMs to serve XenDesktop.  From a licensing perspective this will be attractive for many organisations.  The demo was very smooth.  This is currently in a closed Tech Preview.
He then showed us a video of Framehawk, which is software designed to counter poor network connections.  This is being baked into the Receiver platform to improve connectivity to the desktops and apps in the datacentre.  The video showed a connection with 250ms of latency and 5% packet loss compared against VMware Horizon.  The results were pretty impressive.
It then showed watching a Flash video through a XenDesktop session with Framehawk enabled vs a laptop with the same Flash video in a local browser.  These both had latency of 250ms and packet loss of 5%.  Incredibly the XenDesktop session was smoother!
Lastly he showed us X1.  This is the working title for the new Receiver.  The idea is that it can be rebranded with a company’s name.  It can contain app bundles (for Office etc.) and MDX apps too.  It also provides the ability for users to rate apps.  The video was pretty short, but it looked very smooth.
Finally Citrix finished with a Q and A panel which included the expert presenters from the day.  They answered questions that had been tweeted in during the day.  Personally I found this a waste of time as the questions presented on Twitter were pretty poor.
Overall the day was very useful and worthwhile attending.

Thursday, August 14, 2014

Password Security

Over the last couple of years there have been quite a few instances of sophisticated hacking attempts on major companies.
These include (but are not limited to):
When these events occur, it can raise many questions, such as:
How does this kind of thing happen? 
What can people do with this information? 
What can you do to protect yourself?
Let’s try and answer these questions!
How does this kind of thing happen?
There are lots of different ways hackers use to access information they are not supposed to have.  The majority of these hacks are the result of malware or a virus being installed on a PC in the company’s network.  This can be used to get access to company resources from the inside rather than directly from the Internet.  If the malware can send information back to its author, then this can be very successful for a hacker.  To get malware onto a company PC it is usually attached to an email, hosted on web links people might click or, in extreme circumstances, left on USB sticks in the company’s car park.  The latter is extreme and usually a sign of a targeted attack, but it has happened.
The other way hackers can get access to this information is by using a method called SQL Injection.  SQL is the query language used by the databases that store website data, and this technique attempts to inject database commands which generate a response.  This technique uses text entry boxes on a web page (for search etc.): the attacker enters SQL commands which can return far more information than the page should allow.  Security-minded website providers use input validation techniques to foil this attack.  This stops would-be hackers from entering characters like | * + = and effectively ensures the commands fail; the more robust defence is to use parameterised queries, which keep user input out of the SQL text entirely.
What can people do with this information? 
Well, it depends what information a company holds on you; typically this will be Name and Email Address but could include Address, personal information or any other data which has been collected.
This information could be used in a number of different ways.  It could be used for Identity Theft, Spam lists or to attempt to login to other online services (internet banking etc.).
The Techie Bit
The majority of information is held in plain text on the server database.  This means if the database was stolen the data can be easily read.  Passwords are usually stored differently; they can be stored as plain text, be hashed or be hashed and salted.
Hashing is a mathematical calculation which changes your password to a fixed length value e.g. the MD5 Hash of 123456 is e10adc3949ba59abbe56e057f20f883e.  It is a one way function, so you cannot reverse the hash to show the initial password.  This is a good starting point; this ensures that if the database is stolen a hacker cannot read the password easily.
When you login to a website setup with Hashing, your password is converted to a Hash (either on client side or server side) and compared against the database.  If it matches, the website will provide you with the relevant access.
The downside of Hashing is that modern computing power allows hackers to generate Hashes for likely passwords and cross-reference these Hashes against the stolen database, e.g. a hacker has generated Hashes for 123456, 1234567 and 12345678.

Password    Hash Value
123456      e10adc3949ba59abbe56e057f20f883e
1234567     fcea920f7412b5da7be0cf42b8c93759
12345678    25d55ad283aa400af464c76d713c07ad

The hacker can cross-reference this against the stolen database and work out that the user Bob has the password 1234567.

User    Hash value of password
Sam     ec121ff80513ae58ed478d5c5787075b
Bob     fcea920f7412b5da7be0cf42b8c93759
Fred    daeccf0ad3c1fc8c8015205c332f5b42

Modern computing power is great, but this method struggles with longer or more complex passwords, because it needs power not only to generate the Hashes but also to compare them against the stolen database.
There are tools called Rainbow Tables which take this a step further.  These databases have the most commonly used passwords and their relevant Hash value.  This can save a hacker a lot of time because they do not have to generate a Hash for every character and length combination to cross reference against a password.
The last tool a hacker can use is a Dictionary File.  This will contain a dictionary and common substitutions, e.g. @ instead of a, ! instead of I.  If the Hash is not something which is in the Rainbow Table, the hacker will need to generate Hashes to compare the data with.  Using a Dictionary file allows hackers to generate Hashes from words which might be used in a password, to expedite the process.
A Salt is an extra piece of data which is used in combination with the password to create a more unique Hash value.  This extra piece of data is automatically added to the password before the Hash is created, e.g. a user’s password of 123456 could be amended by adding the word “Salt” to the end.  When a user logs in, the word “Salt” will be added to 123456 and a Hash generated.  This will be compared to the server database and, if correct, it would allow access to the website.

Password     Hash value of password
123456       e10adc3949ba59abbe56e057f20f883e
123456Salt   7c7dd7e00f2bd6ba637009f35e05b3e8

A Salt changes the Hash value significantly and will greatly slow down the use of Rainbow Tables to crack passwords.
Even if the value of the Salt is public knowledge, a separate Rainbow Table would need to be generated to compare against the stolen database; if every user is given a different Salt, a separate table would be needed for every user.
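The cross-referencing and salting described above, as an added example that is not part of the original post.  It reproduces the article’s MD5 table, shows the lookup finding Bob’s password, shows that the article’s “123456Salt” scheme misses the table, and then goes one step beyond the post with a random per-user salt and a deliberately slow hash (PBKDF2).  The user table is constructed from the article’s values and the round count is an assumption.

```python
import hashlib
import hmac
import os

# Constructed data, not from the original post: the three candidate passwords
# the article hashes, and the stolen user table it shows (hash values copied from it).
CANDIDATES = ["123456", "1234567", "12345678"]
STOLEN_DB = {
    "Sam": "ec121ff80513ae58ed478d5c5787075b",
    "Bob": "fcea920f7412b5da7be0cf42b8c93759",
    "Fred": "daeccf0ad3c1fc8c8015205c332f5b42",
}
PBKDF2_ROUNDS = 200_000  # assumed work factor; tune to your own hardware


def md5_hex(text):
    """Unsalted MD5 as used in the article's tables (reproduced only to
    match the numbers; MD5 is not suitable for storing passwords)."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def build_lookup(candidates):
    """Precompute hash -> password once; for a handful of guesses this is
    what a rainbow/lookup table amounts to."""
    return {md5_hex(p): p for p in candidates}


def cross_reference(stolen_db, lookup):
    """Users whose stored hash appears in the precomputed table."""
    return {user: lookup[h] for user, h in stolen_db.items() if h in lookup}


def md5_salted(password, salt):
    """The article's scheme: append the salt to the password, then hash."""
    return md5_hex(password + salt)


def new_user_record(password):
    """Better practice: a random per-user salt and a slow hash
    (PBKDF2-HMAC-SHA256). Each user gets a different salt, so a table
    precomputed for one user is useless against any other."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return {"salt": salt.hex(), "hash": digest.hex()}


def verify(record, attempt):
    """Login check: recompute with the stored salt, compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(digest.hex(), record["hash"])


if __name__ == "__main__":
    lookup = build_lookup(CANDIDATES)
    print("Unsalted matches:", cross_reference(STOLEN_DB, lookup))       # {'Bob': '1234567'}
    print("123456Salt in table?", md5_salted("123456", "Salt") in lookup)  # False
    rec = new_user_record("123456")
    print("PBKDF2 hash in table?", rec["hash"] in lookup, "login ok?", verify(rec, "123456"))
```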
What about Credit/Debit Card information?
This information is usually held in a separate database which has extra security controls applied.  This is required to comply with PCI rules regarding storing financial information.  In the vast majority of security breaches hackers do not get access to this data because it is harder to access, but there are rare circumstances where this data has been stolen.
What can you do to protect yourself?
Ok, it is difficult to protect your data when it is being stored by someone else, but here are a few things that can help you.

1.  When you sign up for a new web based service or login, ensure that the service uses HTTPS.  
2.  HTTPS shows that data transmitted between you and the website is encrypted.  This will not by itself protect your data which is stored on the server, but it is a good indicator that the website is security conscious.

3.  If you need to reset your password to access an online service, ensure that they do not send your forgotten password in an email in plain text.  If the password can be sent to you in an email, it is being stored as plain text in the server database.

4.  Use different passwords for different services.  Ok this one is difficult because you will have lots and lots of passwords.  A compromise is to have tiers of passwords, so something simple for services which do not hold much information on you, but use something completely different for services which hold financial information on you.

5.  Protect your email password!!!! Ensure the password used to access your email is the most secure and is different to anything else.  If a hacker gets access to your email password, it is likely they can get access to any of your other online services by using automated password reset routines.

6.  Do not use passwords which are mentioned here!

7.  Use long passwords.  One technique is to use words connected together which are unrelated.

8.  If a service provides some kind of 2 factor authentication, try it out.  Gmail can send you an SMS code if you logon from a computer you haven’t logged onto before.  This means that if a hacker gets your password, they cannot login without physically having your phone.
If you would like to read more on the topic I recommend the following article.  This covers an analysis of data which was stolen from Sony and Gawker.
http://www.troyhunt.com/2011/06/brief-sony-password-analysis.html

****UPDATE****

9.  This is an extension of point 4, which is to get yourself a password manager.  This could be 1Password, LastPass or KeePass.  These tools will help you maintain a separate password for each service and will allow you to limit the impact of a data breach without having to manually remember a different password for every service.

Monday, June 30, 2014

My first Uber

There has been a lot in the news recently about the new taxi offering in London called Uber.  The concept is that Uber have a community of vetted drivers who are hailed using a smartphone app.  The app is used as a meter to calculate the charge for the journey.
This unique offering sits in a slight loophole between 1. having a physical office taking bookings (aka minicabs) and 2. having a physical meter in the car rather than a pre-booked fare (aka black cabs).

Personally I loved the sound of the idea and was keen to try it out.

So how did it go?

I was in Shoreditch on Saturday night and instead of struggling for the last train back we decided to use Uber for the 9 mile journey.

The Good
Booking was extremely simple!  Click and done.  The driver arrived in about 3 minutes.  His car was immaculate and very comfortable.  The journey was super smooth, and not having to have money on my person was much better than struggling under the interior car light looking for those pound coins buried in your pockets.

The Bad
Surge Pricing.  Uber has a concept where costs go up when demand increases.  It makes sense, but it isn't clear until you try to book a taxi.  This meant the journey was 1.75x as expensive.  There are two options here:

1.  Go to a less congested area
2.  Travel at a different time

For the most clear information about Surge Pricing, check out this blog post on the Uber website.

http://blog.uber.com/uber-nye-2014

Conclusion

I would definitely ride with Uber again.  It was simple and now knowing that Surge Pricing is a "thing" I would work around it by leaving earlier or later.

If you want £10 free credit to test Uber, use the promotional code below when you sign up!!

dpdba

Wednesday, May 21, 2014

Pre-Approve ActiveSync devices

Hi

Recently we have enabled ActiveSync quarantine rules in our organisation.  This was to stop members of staff using their own devices to access corporate data.

We have only enabled AS for users with corporate devices, but some people have worked out that this allows you to use AS on your own device.  This is far from ideal, especially considering that our IT department now has full wipe access to their personal device!  Enabling this quarantine rule will stop people from taking advantage of this setting, unless someone from IT approves their device.

On the whole this works pretty well.  The difficulty is that it slows down the process of provisioning multiple devices, especially when you are attempting to complete workshops with users during a handover period.

I found a way to pre-approve devices using PowerShell.  First of all you need to find the deviceID.  On an Apple device you go to Settings > About > Serial Number.  The deviceID is "Appl" followed by the serial number, i.e. ApplSerialNumber.

The difficulty is that using the following PowerShell command will replace the whole multivalued property "ActiveSyncAllowedDeviceIDs" rather than add to it:

set-casmailbox username -ActiveSyncAllowedDeviceIDs "deviceID"

How do you append?

I looked around the internet and found this page.

http://www.windowsinfo.eu/?p=105

So changing the command to the following would append the value:

$update=Get-Casmailbox username
$update.ActiveSyncAllowedDeviceIDs += "deviceID"
$update | Set-casmailbox -ActiveSyncAllowedDeviceIDs $update.ActiveSyncAllowedDeviceIDs

This is great, but it is not very scalable.  How do you use this to enter 50-100 deviceIDs?

Create a CSV file as follows and save it as devices.csv:

name,deviceID
user1,111111111111
user2,222222222222
user3,333333333333

Then run the following script (from the Exchange Management Shell):

# Reads devices.csv (columns: name,deviceID) and appends each deviceID to that
# user's allowed list without overwriting the IDs already present.
$users = Import-Csv C:\devices.csv
foreach ($item in $users)
{
    $update = Get-CASMailbox $item.name
    # += appends to the existing multivalued property rather than replacing it
    $update.ActiveSyncAllowedDeviceIDs += $item.deviceID
    $update | Set-CASMailbox -ActiveSyncAllowedDeviceIDs $update.ActiveSyncAllowedDeviceIDs
    Write-Host "$($item.name) has been updated."
}
That's it. 

Good Luck

Friday, May 02, 2014

InfoSecurity Europe 2014

InfoSecurity Europe 2014 was held this week in London.  This 3 day event was designed for security professionals to network and for companies to display their security wares.

Unfortunately the first 2 days were marred by a tube strike in London.  I believe this put many people off visiting Earl's Court for the event until the last day, it certainly did for me!

So what did I see?

Eric Cole

I watched a keynote seminar inducting Dr Eric Cole into the InfoSecurity Europe hall of fame.  He had some wonderful insight into the security issues of the day and what areas security professionals should focus on.  He discussed the switch of security focus from inbound threats to outbound threats.  Many attacks require an outbound connection to allow data to be sent externally, and this is an area to focus monitoring on.  Among the many things he shared with the audience, he issued the Eric Cole challenge.

Get a usage report of outbound internet connectivity by host IP.

Check the top 10 largest bandwidth used by each host
Check the top 10 longest established outbound connection by each host
Check the top 10 hosts with most blocked outbound connections

If a host is on all three lists... it has probably been compromised.
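The Eric Cole challenge above as detection logic, added here as an example and not part of the original post or of anything Dr Cole published: it aggregates a constructed outbound-connection export (columns and values are assumptions), builds the three top-N lists and reports the hosts that appear on all of them.

```python
import csv
import io
from collections import defaultdict

# Constructed outbound-connection log (not real data): one row per connection
# seen leaving the network, in the shape a firewall or proxy export might take.
SAMPLE_LOG = """src,dst,bytes_out,duration_s,action
10.0.0.5,203.0.113.10,600000000,86400,allow
10.0.0.5,203.0.113.11,400000000,120,allow
10.0.0.5,198.51.100.9,0,0,block
10.0.0.5,198.51.100.9,0,0,block
10.0.0.5,198.51.100.9,0,0,block
10.0.0.5,198.51.100.9,0,0,block
10.0.0.6,203.0.113.20,800000000,600,allow
10.0.0.7,203.0.113.30,500000000,3600,allow
10.0.0.7,198.51.100.9,0,0,block
10.0.0.8,203.0.113.40,10000000,50000,allow
10.0.0.8,198.51.100.9,0,0,block
10.0.0.8,198.51.100.9,0,0,block
10.0.0.8,198.51.100.9,0,0,block
10.0.0.9,203.0.113.50,1000000,40000,allow
10.0.0.9,198.51.100.9,0,0,block
10.0.0.9,198.51.100.9,0,0,block
10.0.0.10,203.0.113.60,200000000,100,allow
"""


def summarise_by_host(log_text):
    """Per source host: total bytes sent out, longest single established
    connection, and number of blocked outbound attempts."""
    stats = defaultdict(lambda: {"bytes": 0, "longest": 0, "blocked": 0})
    for row in csv.DictReader(io.StringIO(log_text)):
        host = stats[row["src"]]
        if row["action"] == "block":
            host["blocked"] += 1
        else:
            host["bytes"] += int(row["bytes_out"])
            host["longest"] = max(host["longest"], int(row["duration_s"]))
    return stats


def top_hosts(stats, key, n):
    """The n hosts with the largest value of the given statistic."""
    ranked = sorted(stats, key=lambda h: stats[h][key], reverse=True)
    return ranked[:n]


def eric_cole_suspects(log_text, n=10):
    """Hosts present on all three top-n lists. The challenge uses n=10; the
    constructed sample only has six hosts, so the demo below uses n=3."""
    stats = summarise_by_host(log_text)
    lists = [set(top_hosts(stats, key, n)) for key in ("bytes", "longest", "blocked")]
    return sorted(set.intersection(*lists))


if __name__ == "__main__":
    print("Probably compromised:", eric_cole_suspects(SAMPLE_LOG, n=3))  # ['10.0.0.5']
```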

He also made the analogy that our networks are like our bodies.  We do not expect to never get sick, it is about how we can reduce the likelihood of it occurring and how quickly we can recover.  Our networks are the same these days, it is not a question of IF you will be compromised, but WHEN and HOW you get over it.

It was a fascinating session which did really make me think.  You can even see me thinking intently during the highlights video of the day.



(skip to 1:10 to see me!)

Egress

I met up with the Egress team at their colourful stand.  They have a product which allows companies to securely share data with customers.  Their product even stops people from taking screenshots using Snipping Tool and watermarks the screen to make it easy to determine if someone has leaked information using a physical camera.  Their technology stack looks really interesting and seems to have overcome the barrier of providing secure email without requiring the end customer to install funky software or exchange certificates.

They also had a buzzwire game which someone miraculously completed in under 12 seconds!  I was rubbish and couldn't even complete it!!!

www.egress.com

Good

My company uses the Good Technology stack for BYOD.  Our staff have found it really useful, but the user experience isn't the greatest, especially when using Dynamics apps.  I spoke to a couple of the Good team and they explained that this is a big focus for them in the next 12 months.  They have an event (Good Exchange) which I am going to; hopefully I will see the fruit of their labour.

Good Exchange

F5

I spoke to F5 about their product stack, it was great to see a stand with whiteboards and markers.  There is nothing I like more than drawing a scenario on a whiteboard and being able to visualise someone else's ideas.

https://f5.com/

Pen Test Partners

These guys had a great demo presentation where they described how hackers can use the JTAG interface on mobile phones to hack information.  Their stand was mocked up to look like a kitchen and the presenters were dressed as chefs.  It was a bit gimmicky, but the information and presentation material were second to none.

www.pentestpartners.com/

Overall it was a cracking day and I will definitely try to attend again.