Security Update: Meltdown & Spectre are hardware level security vulnerabilities which affect computing systems worldwide and were first disclosed on Jan 2nd 2018. Here we explain how WebCollect is protected against Meltdown and Spectre.
Please refer to the main Meltdown & Spectre website for more details on the vulnerabilities.
Impact on WebCollect service
- WebCollect hosting is exclusively on servers with AMD CPUs (ie not Intel). This means they are largely inherently resistant to Meltdown, although theoretically vulnerable to Spectre in a limited way.
- WebCollect hosts its services on dedicated server hardware which we own and control. Specifically, we do not use shared hosting, or cloud hosting with "virtual servers" where the same physical piece of equipment is actually shared among multiple companies or users.
- WebCollect is the only company who has access to install software on these dedicated servers. We have a tightly controlled process for installing new software on these servers, and the software installed is kept to the minimum necessary.
- Only WebCollect system administrators can log into the WebCollect servers. No other users can log in or run programs/software on those servers.
- Successful attacks based on Spectre or Meltdown require a malicious attacker to install and run carefully crafted programs on the same machine where sensitive data is stored in order to leak any data.
- Our 100% ownership of the hardware involved and our processes for access to those servers, prevent exploits using Meltdown or Spectre.
Vulnerabilities from Desktop machines tablets and mobiles
- As above our servers are safe from Meltdown or Spectre
- However, vigilence is still required, because anyone accessing the WebCollect service (organisation administrators, and members) , should ensure they patch their operating systems and browsers as soon as patches are available. This is important because if these devices or their browsers are compromised then login access to WebCollect could be compromised resulting in possible unauthorised data access.