IT companies may get a good start in the first half of the FY14

Nomura is optimistic on HCL, TCS, Tech Mahindra

Global outsourcing ACV of $5.7bn was up by 14% on a year-on-year (y-o-y) basis, according to a Nomura report. The IT sector also reported better y-o-y traction in Europe, Middle East and Africa (EMEA) and Asia Pacific (APAC), while traction in the USA declined. Although the ACV of restructuring deals was down by 15%, its momentum was up by 24% y-o-y.

The IT sector report stated that the Information Technology Outsourcing (ITO) sector was doing well. It said “ITO 1Q ACV of USD4.3bn was up 29% y-y on substantial new scope ACV. The number of ITO contracts awarded also increased significantly, registering 21% y-y growth. Within ITO deals, the highest delta has come from Infrastructure services outsourcing where the value of the contracts was nearly double the average for the past 8 quarters, while ADM, Network services and ADM + Infrastructure remained flat.”

According to the report, the five main IT companies in India, Infosys (IFO), Tata Consultancy Services (TCS), Wipro (WPRO), Cognizant (CTSH) and HCL Technologies (HCLT) were among the top ten global providers in both ITO and Business Process Outsourcing (BPO).

The report stated that while ITO was rising, the ACV of BPO was declining. It said “BPO 1Q ACV of USD1.4bn was down 16% y-y. Even on trailing 12 months, the total ACV of USD5.1 is down ~37% from the previous 12 month period. The outlook for BPO continues to remain weak with human resources outsourcing (HRO) and procurement not performing, while finance & accounts (F&A) remains tepid. Cloud and SaaS are having a bigger impact on BPO demand.”

On the geographical split, the report stated that America’s ACV, while the highest in the group, was down by 16% to $1.9bn. In America, while the financial and retail sectors were growing, the manufacturing and telecom/media sectors registered a decline. “In BFSI”, according to Nomura, “deals have changed from standardised solutions to more bespoke deals with highly tailored customized requirements. Discretionary spend is back and transformational work to drive growth is driving the demand.”

The ACV of EMEA, owing to UK, France and Nordic was up by 29% y-o-y at almost USD2.9bn, while APAC, driven by India, South-East Asia and Australia-New Zealand was up by 89% y-o-y.

Nomura stated that “We view these findings to be positive from a demand perspective for India IT as 1) it indicates a strong start to the year with likely 1H ACV growth of 15%+; 2) suggests some pick-up in Americas (highest ACV in last 4 quarters) and APAC (90% y-y growth), which have underperformed Tier 1 IT growth on an LTM basis and 3) continuation of strong growth trends in Europe.”


Maruti to recall over 1 lakh Swift, DZire and Ertiga

Maruti Suzuki is recalling over 1 lakh units of Swift, DZire and Ertiga for replacing a faulty fuel filler neck that may cause fuel smell and leakages

Maruti Suzuki India Ltd (MSIL), the country's largest car maker on Friday said it will replace the ‘fuel filler neck’ of 1.03 lakh units of its popular cars like Swift, DZire and Ertiga. It will replace fuel filler neck in these vehicles free of cost.

In a regulatory filing, MSIL said, 42,481 units of DZire, 47,237 units of Swift and 13,593 units of Ertiga manufactured between 12 November 2013 and 4 February 2014 would be recalled.

There is a possibility of fuel smell in the affected vehicles and in extreme condition, there may be some fuel leakage if fuel is filled up to the Fuel Cap beyond the ‘Auto cut-off level’, it added.

MSIL said dealers would contact owners of all vehicles and would replace the ‘fuel filler neck’ free of cost.

The statement added that this exercise is limited to vehicles within the above specified range and does not pertain to any other vehicle.

Maruti Suzuki closed Friday 1.5% down at Rs1,930.5 on the BSE, while the benchmark Sensex ended the day marginally down at 22,629.


Heartbleed bug affects 17% servers across globe

The Heartbleed bug, a serious, ‘catastrophic’ vulnerability in OpenSSL, allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.

A serious new vulnerability in the popular OpenSSL cryptographic software library, nicknamed the Heartbleed Bug (http://heartbleed.com/), has affected over 5 lakh or 17% of the servers across the world. The vulnerability allows an attacker to scrape the server's memory, which can hold data such as usernames, passwords and credit card numbers. An analysis posted on GitHub of the top 1,000 most visited websites as of 8 April 2014 revealed vulnerabilities in sites including Yahoo.com, Imgur.com, flickr.com, addthis.com, archive.org and whether.gov.

In his blog post, renowned security technologist and author, Bruce Schneier, said, “Basically, an attacker can grab 64K of memory from a server. The attack leaves no trace, and can be done multiple times to grab a different random 64K of memory. This means that anything in memory -- SSL private keys, user keys, anything -- is vulnerable. And you have to assume that it is all compromised. All of it. ‘Catastrophic’ is the right word. On the scale of 1 to 10, this is an 11.”

According to internet research firm Netcraft, this is an extremely serious issue and would affect about 5 lakh servers across the world. At its disclosure on 7 April 2014, some 17% or half a million of the Internet's secure web servers certified by trusted authorities were believed to have been vulnerable to the attack. The most notable software using OpenSSL are open source web servers like Apache and nginx. The combined market share of just those two out of the active sites on the Internet was over 66%, says Netcraft's April 2014 Web Server Survey.

However, contrary to claims by certain media, websites like Google, Facebook, YouTube, Yahoo, Wikipedia, Twitter, Amazon and Paypal are found to be not vulnerable, says GitHub. Sites like Baidu, Live.com, eBay.com, MSN.com and Bing are not affected as they do not use SSL.

Kurt Baumgartner, researcher at Kaspersky Lab, said, "Shortly after news of the Heartbleed Bug first surfaced, we uncovered evidence that a few hacking groups believed to be involved in state-sponsored cyber espionage were running such scans. We identified such scans coming from 'tens' of actors. The numbers were gradually increasing and this was even more evident when security software company Rapid7 released a free tool for conducting such scans. This problem is insidious and devices besides servers could be at risk because they run software programs with vulnerable OpenSSL code built into them."

OpenSSL is an open-source implementation of the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols designed to provide communication security over the Internet.

On 7th April, the Tor Project advised that anyone seeking "strong anonymity or privacy on the Internet" should "stay away from the Internet entirely for the next few days while things settle." The Canada Revenue Agency (CRA) closed down its electronic services website over Heartbleed bug security concerns.  
 
"The problem, disclosed Monday night, is in open-source software called OpenSSL that's widely used to encrypt Web communications. Heartbleed can reveal the contents of a server's memory, where the most sensitive of data is stored.  It also means an attacker can get copies of a server's digital keys then use that to impersonate servers or to decrypt communications from the past or potentially the future, too," said CNET in a report.

The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.


What makes the Heartbleed Bug unique?
Bugs in a single piece of software or a library come and go and are fixed by new versions. However, this bug has left a large amount of private keys and other secrets exposed to the Internet. Considering the long exposure, the ease of exploitation and the fact that attacks leave no trace, this exposure should be taken seriously.

Most of us assume that any secure site with https and a lock icon would be safe. "However," said Eswar Santosh, "the discovery of this bug which was 'open' for the past two years brings that assumption into question. The worst thing about the bug is that there is no way to detect a data theft that has happened already."

Several financial sites including banks, payment gateways and online shopping sites use OpenSSL, and therefore are open to risk. Many of these financial sites may be using Microsoft's IIS server, which is not vulnerable to the Heartbleed bug. But then one cannot be sure about the server used by her bank or online shopping site.

Am I affected by the bug?
According to Heartbleed.com, almost everyone is likely to be affected either directly or indirectly. OpenSSL is the most popular open source cryptographic library and TLS (transport layer security) implementation used to encrypt traffic on the Internet. Your popular social site, your company's site, commerce site, hobby site, the site you install software from or even sites run by your government might be using vulnerable OpenSSL. Many online services use TLS both to identify themselves to you and to protect your privacy and transactions. You might have networked appliances with logins secured by this buggy implementation of TLS. Furthermore, you might have client-side software on your computer that could expose the data from your computer if you connect to compromised services, it says.

To check if a site is still vulnerable, you may use the tool at: http://filippo.io/Heartbleed/

How to stop the leak?
As long as the vulnerable version of OpenSSL is in use, it can be abused. A fixed OpenSSL has been released and now it has to be deployed. Operating system vendors and distributions, appliance vendors and independent software vendors have to adopt the fix and notify their users. Service providers and users have to install the fix as it becomes available for the operating systems, networked appliances and software they use.

What versions of the OpenSSL are affected?
Status of different versions:
• OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
• OpenSSL 1.0.1g is NOT vulnerable
• OpenSSL 1.0.0 branch is NOT vulnerable
• OpenSSL 0.9.8 branch is NOT vulnerable

The bug was introduced to OpenSSL in December 2011 and has been out in the wild since OpenSSL release 1.0.1 on 14 March 2012. OpenSSL 1.0.1g, released on 7 April 2014, fixes the bug.

To resolve the bug, server administrators are advised to either use 1.0.1g or to recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS, thus disabling the vulnerable feature until the server software can be updated.
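The version list and the recompile option above can be turned into a quick triage over a server inventory. The following is an added example, not part of the original article: the host names, banners and flag strings in the sample inventory are constructed, and the `host|banner|flags` layout is an assumption standing in for whatever `openssl version -a` output you collect per host.

```python
import re

# Matches the upstream version in a banner such as "OpenSSL 1.0.1e-fips 11 Feb 2013".
_VERSION = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)", re.IGNORECASE)


def classify(banner, build_flags=""):
    """Classify one banner against the article's status list."""
    m = _VERSION.search(banner)
    if not m:
        return "unknown"
    branch = tuple(int(g) for g in m.group(1, 2, 3))
    letter = m.group(4).lower()
    if branch in ((0, 9, 8), (1, 0, 0)):
        return "not vulnerable"
    if branch != (1, 0, 1):
        return "unknown"  # the article's list does not cover other branches
    # "" is the plain 1.0.1 release; letters a..f are the affected patch releases.
    if letter > "f":
        return "not vulnerable"
    # Rebuilt with the heartbeat feature compiled out, as the article advises.
    if "-DOPENSSL_NO_HEARTBEATS" in build_flags:
        return "heartbeat disabled"
    # Caveat: distribution packages may carry the fix under an unchanged
    # upstream version string, so confirm against the vendor's advisory.
    return "vulnerable"


# Constructed sample inventory: host|version banner|compiler flags
SAMPLE_INVENTORY = """\
web01|OpenSSL 1.0.1e-fips 11 Feb 2013|-fPIC -DOPENSSL_PIC
web02|OpenSSL 1.0.1g 7 Apr 2014|-fPIC
legacy|OpenSSL 0.9.8y 5 Feb 2013|
edge01|OpenSSL 1.0.1c 10 May 2012|-fPIC -DOPENSSL_NO_HEARTBEATS
"""


def triage(inventory):
    """Return {host: status} for every non-empty inventory line."""
    results = {}
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, banner, flags = line.split("|", 2)
        results[host] = classify(banner, flags)
    return results


if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

A "vulnerable" result here is a prompt to patch and then replace keys and credentials that were in the server's memory, since the article notes that past theft cannot be detected.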


COMMENTS

Akash Mahajan

3 years ago

It is now known for sure that it was possible for anyone to steal private keys of the servers for the last 2 years.

This means that if someone (like an ISP) has been storing encrypted traffic, now they can get access to all that encrypted data.

Akash Mahajan


Pravesh Pandya

In Reply to Akash Mahajan 3 years ago

To decrypt encrypted data - you will at least need the keys. To get the keys you will at least require a live connection - on which you can execute the bug.

However it still depends on the underlying encryption software running. For example, if you are using Windows you are most likely attack proof, unless you are running a server which uses OpenSSL. Even Java based servers are fine if they use JSSE for encryption.
