Internal Security Audit of TimeControl Online Page: 1 © 2014 Heuristic Management Systems Inc.

For more information contact: HMS Software 189 Hymus, Suite 402 Pointe-Claire, Quebec H9R 1E9 Tel: 514-695-8122 Fax: 514-695-8121 Email: info@hmssoftware.ca Web: www.hmssoftware.ca

Version: 6.7.0.3 Date: May 2, 2014

TimeControl

Online

Internal Security

Audit

Internal Security Audit of TimeControl Online Page: 2 © 2014 Heuristic Management Systems Inc.

Table of Contents

Overview ..................................................................................................................................... 3

TimeControl Components Overview ........................................................................................... 4

Database Server ..................................................................................................................... 4

Administration Transaction Server (ATS) ................................................................................ 5

TimeControl Transaction Server (TTS) ................................................................................... 5

TimeControl Scheduler Service .............................................................................................. 5

Web Server ............................................................................................................................. 6

Timesheet Web Client ............................................................................................................. 6

Administrator Web Client ........................................................................................................ 6

Communications: .Net ............................................................................................................. 7

Communications: HMI ............................................................................................................. 7

Role Based Access .................................................................................................................... 8

Menu Access test .................................................................................................................... 8

Field Level Access test ........................................................................................................... 9

Report Level Access test ...................................................................................................... 10

Manipulating the timesheet data of another user ...................................................................... 12

Accessing a client’s network via TimeControl/EPM .................................................................. 15

Escalating one’s own privileges ................................................................................................ 16

Server Side Authentication and Validation................................................................................ 18

Access Control ......................................................................................................................... 19

Cross-site Scripting(XSS) Exploit ............................................................................................. 20

SQL Injection exploit ................................................................................................................. 23

Control over Administration Ports and Pages ........................................................................... 26

Application and Network Vulnerability Assessment .................................................................. 28

Amazon security certifications ............................................................................................... 28

Physical Security ................................................................................................................... 28

Secure Services .................................................................................................................... 28

Architecture .............................................................................................................................. 29

SSL Certificate ...................................................................................................................... 29

24x7 Monitoring ........................................................................................................................ 32

Amazon Monitoring ............................................................................................................... 32

Independent Monitoring Service ........................................................................................... 32

TimeControl Sample Client List ................................................................................................ 33

About HMS Software ................................................................................................................ 34

Internal Security Audit of TimeControl Online Page: 3 © 2014 Heuristic Management Systems Inc.

Overview

TimeControl is one of the most flexible and extensible timesheet systems on the market. TimeControl was designed from the beginning to be a system that accommodates the needs of the client rather than a system that requires that clients adjust themselves to the product’s features. TimeControlOnline is the hosted in-the-cloud subscription service of TimeControl. HMS uses the Amazon EC2 service which is used by some of the most recognizable publishers of software services to deliver a highly robust and reliable system architecture. Information from Amazon on the security compliance of their architecture as well as their numerous certifications and accreditations can be found at aws.amazon.com/security. This document will describe internal tests and verifications conducted by HMS on the TimeControl architecture used in TimeControlOnline. This is a companion document to the TimeControl Security Architecture White Paper which is available at www.timecontrol.com/resources/whitepapers. For obvious reasons, we do not reveal every security method, tool and practice used in TimeControlOnline as we would not wish to provide those with malicious intent from knowing too much but it is our intent to balance prudence with a desire for our prospective clients to feel confident that the TimeControlOnline system is secure. Testing in this document follows the testing methodology outlined by the Open Web Application Security Project (OWASP). Information on OWASP can be found at https://www.owasp.org. Tools used in these tests included WebScarab and WebGoat from OWASP, Acunitex and www.networking4all.com (for SSL Certificate testing) For information on the TimeControl Security Architecture please contact: HMS Software HMS Web Service Security Officer 189 Hymus, Suite 402 Pointe-Claire, Quebec H9R 1E9 Tel: +1 (514) 695-8122 Fax: +1 (514) 695-8121 Email: info@hmssoftware.ca Web: www.hmssoftware.ca

Internal Security Audit of TimeControl Online Page: 4 © 2014 Heuristic Management Systems Inc.

TimeControl Components Overview

TimeControl has some key components that are critical to system operations. TimeControl is an n-tier application with a design that allows for the system to be infinitely scalable. The key components include a Database Server, the TimeControl Administration Transaction Server middle-ware, the TimeControl Transaction Server Middleware Web Server components and the web-based client. We’ll describe these components in more detail here.

Database Server

TimeControlOnline stores all of its data in a MySQL database. This database is housed on a server which is internal to the TimeControlOnline network. There are numerous database versions supported. To check if a particular version of your database is supported, contact HMS Software’s support services at support@hmssoftware.ca.

Internal Security Audit of TimeControl Online Page: 5 © 2014 Heuristic Management Systems Inc.

Administration Transaction Server (ATS)

TimeControl’s middle-tier layer is a proprietary system called the Administration Transaction Server or ATS. The ATS translates requests from the web based client interface into SQL database commands that the database can understand and sends the data required from the database back to the user’s terminal. The ATS contains an extensive selection of functionality but can only be talked to by the client interface. Aside from the database, the ATS can also communicate directly with some server-based project management software such as Microsoft Project Server or Primavera. This is in addition to the client-based project management links that can be effected from an end-user’s terminal. While the ATS is often exposed to the outside world through the Internet, having a middle-tier layer like this makes for a highly secure system since the database server and database itself are isolated from the outside world. The ATS runs as a Windows Service which starts automatically on the Windows Server. Multiple instances of an ATS can be established on the same server.

TimeControl Transaction Server (TTS)

Starting with version 6, TimeControl includes a 2nd middleware component called the TimeControl Transaction Server or TTS. The TTS is a .Net web service which interfaces with web-based .Net components and interacts with the database. The Microsoft .Net architecture is highly secure. In early versions of TimeControl 6, the TTS will manage the server-side commands for the timesheet, approvals, Debit/Credit adjustments, the dashboard and the User Options/My Account area. In future versions more and more of the ATS will be migrated into the TTS structure. The TTS runs as a Windows Service which starts automatically on a Windows Server. Multiple instances of a TTS can be established on the same server. The TTS is typically installed on the same Windows Server as the ATS.

TimeControl Scheduler Service

There are several automated functions which can be run as scheduled events within TimeControl. These include unattended emails sent on a schedule, for example, when timesheets are missing and overdue or the posting of timesheets or linking of TimeControl to server-based project management tools. To manage the schedule of these events, the TimeControl Schedule Service is installed on the same Windows Server as the ATS and TTS.

Internal Security Audit of TimeControl Online Page: 6 © 2014 Heuristic Management Systems Inc.

Web Server

TimeControl 6 users are presented with a browser-based web interface written in an AJAX (Asynchronous JavaScript and XML) structure. To deliver this interface to the browser, TimeControl uses Microsoft’s Internet Information Services (IIS) which is included with every Windows Server.

Timesheet Web Client

The TimeControl web interface requires a web browser. Numerous browsers and hardware platforms are supported. TimeControl 6 works with Internet Explorer, Firefox, Safari and Mozilla.

The multi-browser functions are those which do not require an ActiveX. This includes the timesheet, approvals, Debit/Credit adjustments, the Login and Dashboard and the Options/My Account page.

Administrator Web Client

Additional functionality in TimeControl 6 is available to administrators. These functions may require the installation of ActiveX components. If so, accessing these components for the first time, the user will be asked for permission for TimeControl to install several ActiveX controls. Only those users who require TimeControl’s administrative functionality require the installation of these ActiveX components. Administrators can also install the ActiveX controls using the

Internal Security Audit of TimeControl Online Page: 7 © 2014 Heuristic Management Systems Inc.

supplied MSI installation packages which can be “pushed” using Active Directory or other push technologies.

Communications: .Net

TimeControl’s user web client uses Microsoft’s .Net architecture to communicate between the web page and the TimeControl TTS middleware service. This is a highly secure, encrypted environment which uses a streaming object protocol to package data and transmit it quickly from one end to the other.

Communications: HMI

TimeControl’s administrative functions must communicate also. The ActiveX components communicate with TimeControl’s Administration Transaction Server middleware service using a proprietary communications layer developed by HMS Software. Heuristic Method Invocation (HMI) is a socket-level encrypted object-streaming communications protocol. What this means is that once the end user has logged into TimeControl, every communication between his or her terminal and the TimeControl Server will be encrypted and protected. This makes compromising a TimeControl transaction while enroute virtually impossible.

Internal Security Audit of TimeControl Online Page: 8 © 2014 Heuristic Management Systems Inc.

Role Based Access

User Profiles control the roles that are defined in TimeControl and what can be controlled in them. A full description of User Profiles can be found in the TimeControl Reference Guide. Our tests for Role-Based access reviews 3 of the most-used aspects of TimeControl’s User Profiles: Role-based access to the menus, Role-based access to reports and Role-based access at the data field level.

Menu Access test

TimeControl’s menus are managed in the TimeControl Users Profile module within TimeControl. Each user is assigned to a User Profile. An Administrator can create an unlimited number of User Profiles and within each there are numerous possible settings to control what is visible. A menu can be turned off from its header or tab or for each item for the profile. The following screen shows an example Individual Profile

1 User Profiles lets us define what menu items, reports, field items and even data selections are possible on a role-based profile. Here we can see the menu selection for the “Individual” profile. In the timesheet tab, Gail should be able to only see the Timesheet List, Timesheet Entry and TimeRequest options.

Internal Security Audit of TimeControl Online Page: 9 © 2014 Heuristic Management Systems Inc.

2 Profiles are attached to the user in the Users Table. Here we can see that Gail Robinson has been assigned to the Individual Profile.

3 We have logged in as Gail and in the Timesheet Tab, Gail does indeed only have access to List, Entry and TimeRequest.

Field Level Access test

TimeControl can control data to the field level. Field level security pervades the TimeControl environment including the tables, the reports, exports, views and anywhere fields might be visible.

Internal Security Audit of TimeControl Online Page: 10 © 2014 Heuristic Management Systems Inc.

1 In User Profiles, we can see that a Supervisor Profile has restricted “Rate 2” from the Rates table. This might be because Rate 2 includes private salary values.

2 Tom Logan is a Supervisor and has access to the Rates Table. We can see however, that while Tom can see much of the Rates data, the Rate 2 value is invisible.

Report Level Access test

TimeControl can give a user access to the reports menu but show only certain reports to a user based on their user profile. Even if a user has access to a report format, they may be restricted from what data would be visible on that report by data-level security defined in the

Internal Security Audit of TimeControl Online Page: 11 © 2014 Heuristic Management Systems Inc.

User Profile. In this test we check to see that reports that have been made invisible for a particular User Profile do not appear to users with that profile.

1 The Project Manager Profile shows that the Expense Wizard, the Posted Wizard and the Table Wizard for creating new reports have been hidden along with several CrossTab reports.

2 Sally Thompson is a Project Manager with access to certain reports. We can see however that the Expense Wizard, the Posted Wizard and the Table Wizard along with the CrossTab reports are not displayed

Internal Security Audit of TimeControl Online Page: 12 © 2014 Heuristic Management Systems Inc.

Manipulating the timesheet data of another user

TimeControl includes tracking at the line item level of who entered timesheet data which is an audit requirement for many TimeControl clients. A supervisor who has the rights to enter data for a subordinate for example, can do so, but for each line entered, TimeControl tracks who did that that entry. Let us test the following example in TimeControl 6.5.0.4 to make this point:

1 Gail Robinson enters her timesheet for the week. At the far right of each line, we see that Gail is the author or “source” of that line of data.

2 Gail releases her timesheet to her supervisor, Tom Logan. The current owner of the entire document has become Tom Logan as is noted at the top of the page. The ability to change even her own timesheet has been removed. Tom now has control over this timesheet.

Internal Security Audit of TimeControl Online Page: 13 © 2014 Heuristic Management Systems Inc.

3 We’ve now entered TimeControl as Tom Logan who is viewing Gail’s timesheet. Tom does not have any ability to append, copy or delete data. This is due to a system setting called “Only source may modify timesheet”.

4 If we log into TimeControl as an Administrator (in this case Joseph Gardner) and change this setting in TimeControl’s System Preferences, Tom will be allowed to append data to Gail’s timesheet.

5 We now return to TimeControl as Tom Logan and re-open Gail’s timesheet. Tom still cannot delete an item or edit it. The locked icon on each line lets him know that these items are not available to be changed. However, Tom can now append a line even with negative numbers in order to reverse the values of a line.

Internal Security Audit of TimeControl Online Page: 14 © 2014 Heuristic Management Systems Inc.

6 When Tom enters a line, we can see that Tom becomes the author or source of that line of information. He has not and cannot change Gail’s entries which are distinct from his own.

Internal Security Audit of TimeControl Online Page: 15 © 2014 Heuristic Management Systems Inc.

Accessing a client’s network via TimeControl/EPM

When TimeControlOnline links to an external system such as Project Server, there are several methods of communicating: Link via Project Professional TimeControl includes functionality to allow clients to link between TimeControl and Project Server via Project Professional. In this case, the TimeControl Links ActiveX which works within Internet Explorer on the user’s terminal is communicating securely with TimeControlOnline via our unique HMI™ encrypted, streaming object protocol and makes a local connection to a copy of Project Professional which is installed on the user’s terminal. Project Professional then makes a secure link from inside the client firewall to Project Server. This type of transfer can only be done on demand. Link via the Project Server Interface (PSI) Microsoft Project Server includes an API called the Project Server Interface. It is a SOAP Web Service. If the client has elected to link directly from TimeControl using the Project Server PSI then TimeControl will make a SOAP call to the PSI WebService. The PSI contains requirements for authentication and numerous methods for both pulling and pushing data. TimeControl both pulls data from Project Server to update task and resource information and pushes actual results back to Project Server. When using the PSI, transfers from Project can be made on demand, on a schedule or on a triggered event (OnPublish) and transfers to Project Server can be made on demand or on a schedule. The security of Project Server or the PSI is not under the control of HMS or able to be changed by TimeControl but obviously opening a web service to the Internet carries potential risks. The Project Server PSI supports commands which could delete project data. At a minimum, clients are recommended to restrict PSI traffic to only IPs which are known to them. HMS is unaware of any exploits of the Microsoft Project Server PSI which would result in access to a client’s network.

Internal Security Audit of TimeControl Online Page: 16 © 2014 Heuristic Management Systems Inc.

Escalating one’s own privileges

TimeControl’s User Profiles define what menu items, report items, data access and even field items can be access by a user. However, what if a user, in the same Web session, were to be able to access a PC that an administrator had logged in as then logged out from, and then, before the browser is closed and the session is still active, try to log in as themselves with a URL that they wouldn’t otherwise see in order to access a module they don’t have rights for. This test was passed on TimeControl 6.5.0.4

1 We’ll start this test by logging into TimeControl as Joseph Gardner, a user with Administrator privileges. Joseph can access the System Preferences as an Administrator, a function which is never made available to regular users.

2 We’ll copy the URL to this module which, for this instance of TimeControl is:

http://docs.timecontrol.org/Application/Administrator/SystemPreferences.aspx?st=43&mnu=44

3 Now Joseph will log out and without closing Internet Explorer, we’ll log in as Gail Robinson; an individual user with very few privileges who would normally just access TimeControl to do her timesheet. We can see she has much fewer menu items available.

Internal Security Audit of TimeControl Online Page: 17 © 2014 Heuristic Management Systems Inc.

4 Gail will paste the URL from Joseph’s session into the Internet Explorer URL bar:

5 TimeControl knows this is not Joseph Gardner because Joseph’s Session ID was abandoned the moment he logged out and Gail started another Session ID the moment she logged in. TimeControl returns Gail to her home dashboard view despite the URL she has tried to paste and denies her access to the System Preferences.

Internal Security Audit of TimeControl Online Page: 18 © 2014 Heuristic Management Systems Inc.

Server Side Authentication and Validation

TimeControl’s maintains login information in the database along with encrypted storage of passwords if TimeControl passwords are used (other authentication options include LDAP and Active Directory support). But what if the complete call to the TimeControl server including the Session ID was copied and sent. Could someone identify a pattern of Session IDs and thus try over and over to get into the system with them until they luckily got into the system as an administrator? This would be extremely difficult. Session IDs are randomized in the TimeControl environment. Using WebScarab, we can see an analysis of numerous logins and calls to the TimeControl server. Session IDs that were, for example, sequential would show as a visible pattern.

It is obvious that there is no discernible pattern to these session IDs here.

Internal Security Audit of TimeControl Online Page: 19 © 2014 Heuristic Management Systems Inc.

Access Control

During login, TimeControl uses server-side authentication of a user name and password combination to determine if a) the user has an authenticatable login and, b) what rights the user has. Then the TimeControl server establishes a session ID and returns that session ID to the client station. The ID allows session variables to be maintained and for authentication to be remembered. No authentication status of the user is ever stored and submitted from the client side for any module so exploiting an “authenticated” parameter is impossible. TimeControl’s middleware server checks for each and every access to a module based on who the user is to ensure that the user has the appropriate access at that time. If a user’s right to a module were to be revoked by a TimeControl Administrator, the next time the user would attempt to access that module, even a few moments later, they would be denied. Using WebScarab, we can see a complete capture of a call to the server, in this case to display the Timesheet List: /Application/Timesheet/TimesheetList.aspx?st=0x770061006900740066006F0072002000640065006C00610079002000270030003A0030003A&mnu=0x770061006900740066006F0072002000640065006C00610079002000270030003A0030003A There are two session variables in this call: “st” which is the “section tab” and “mnu” which is the Menu item. There is no session authentication token with login information and no sensitive information which could be used by anyone to gain access to something they didn’t have rights to. It is important to remember also that someone would need to get this string even to be able to start manipulating it. If someone were able to defeat the SSL encryption and capture this string, all they would have is the menu call for a module of TimeControl. Without also having a) a valid login to TimeControl and b) having that login have the rights to this menu item, they would have no access to TimeControl at all. Even to capture this information, the intruder would need to either get physical access to the client station as its being used or try to intercept the data as it is transmitted to the server and that data is encrypted both by Windows .Net and by the Secure Socket Layer (SSL) encryption.

Internal Security Audit of TimeControl Online Page: 20 © 2014 Heuristic Management Systems Inc.

Cross-site Scripting(XSS) Exploit

Numerous tests for cross site scripting have shown that the TimeControl controls are resistant to such exploits. Testing of version 6.5.0.4 using WebScarab produced the following pass results. Full test results are visible in the Excel file: Cross_Scripting__SQL_Injection_Batch_Status_Results.XLS. 1: URL: http://s8:81/Application/Default.aspx Parameters: mnu HTTP Request-Response files: 11-74. HTTP Response file sampling (unencrypted): 11, 22, 33, 44 & 55. Batch results status reference: Cross_Scripting__SQL_Injection_Batch_Status_Results.XLS : XSS Tests

2: URL: http://s8:81/Application/Timesheet/TimesheetEntry.aspx Parameters: mnu HTTP Request-Response files: 217-281. HTTP Response file sampling (unencrypted): 217 & 317. Batch results status reference: Cross_Scripting__SQL_Injection_Batch_Status_Results.XLS : XSS Tests

3: URL: http://s8:81/Application/Timesheet/TimesheetList.aspx Parameters: st, mnu HTTP Request-Response files: 375-442. HTTP Response file sampling (unencrypted): 375 & 385. Batch results status reference: Cross_Scripting__SQL_Injection_Batch_Status_Results.XLS : XSS Tests

4: URL: http://s8:81/Application/Timesheet/TimesheetList.aspx Parameters: st,mnu,ts,ACTIVE,tk HTTP Request-Response files: 486-549. HTTP Response file sampling (unencrypted): 486 & 496. Batch results status reference: Cross_Scripting__SQL_Injection_Batch_Status_Results.XLS : XSS Tests

5: URL: http://s8:81/Application/Timesheet/TimeRequests.aspx Parameters: st, mnu HTTP Request-Response files: 576-643. HTTP Response file sampling (unencrypted): 576 & 586. Batch results status reference: Cross_Scripting__SQL_Injection_Batch_Status_Results.XLS : XSS Tests

6: URL: http://s8:81/Application/Dashboard/vsp.aspx Parameters: tpbKey HTTP Request-Response files: 683-746. HTTP Response file sampling (unencrypted): 683 & 693.

Internal Security Audit of TimeControl Online Page: 21 © 2014 Heuristic Management Systems Inc.

Batch results status reference: Cross_Scripting__SQL_Injection_Batch_Status_Results.XLS : XSS Tests

7: URL: http://s8:81/Application/Reports/Designer/TimeControlReportDesigner.application Parameters: sn,sp,si,uk,rk HTTP Request-Response files: 872-936. HTTP Response file sampling (unencrypted): 872 & 882. Batch results status reference: Cross_Scripting__SQL_Injection_Batch_Status_Results.XLS : XSS Tests

8: URL: http://s8:81/Application/ActiveX/ActiveXControl.aspx Parameters: st, mnu HTTP Request-Response files: 1001-1021. HTTP Response file sampling (unencrypted): 1001 & 1011. Batch results status reference: Cross_Scripting__SQL_Injection_Batch_Status_Results.XLS : XSS Tests

9: URL: http://s8:81//Application/Timesheet/ProjectValidation.aspx Parameters: st, mnu HTTP Request-Response files: 1054-1074. HTTP Response file sampling (unencrypted): 1054 & 1064. Batch results status reference: Cross_Scripting__SQL_Injection_Batch_Status_Results.XLS : XSS Tests

10: URL: http://s8:81/Application/Tables/ResourceTable.aspx Parameters: st, mnu HTTP Request-Response files: 1121-1183. HTTP Response file sampling (unencrypted): 1121 & 1122. Batch results status reference: Cross_Scripting__SQL_Injection_Batch_Status_Results.XLS : XSS Tests

11: URL: http://s8:81/Application/Tables/EmployeeTable.aspx Parameters: st, mnu HTTP Request-Response files: 1121-1183. HTTP Response file sampling (unencrypted): 1121 & 1131. Batch results status reference: Cross_Scripting__SQL_Injection_Batch_Status_Results.XLS : XSS Tests

12: URL: http://s8:81/Application/Tables/MyAccount.aspx Parameters: st, mnu HTTP Request-Response files: 1322-1388. HTTP Response file sampling (unencrypted): 1322 & 1332. Batch results status reference: Cross_Scripting__SQL_Injection_Batch_Status_Results.XLS : XSS Tests

13: URL: http://s8:81/Application/Tools/UpdateLicenseKey.aspx Parameters: st, mnu HTTP Request-Response files: 1413-1414.

Internal Security Audit of TimeControl Online Page: 22 © 2014 Heuristic Management Systems Inc.

HTTP Response file sampling (unencrypted): 1413 & 1414. Batch results status reference: Cross_Scripting__SQL_Injection_Batch_Status_Results.XLS : XSS Tests

14: URL: http://s8:81/Application/Administrator/ValidationRules.aspx Parameters: st, mnu HTTP Request-Response files: 1443-1606. HTTP Response file sampling (unencrypted): 1443& 1453. Batch results status reference: Cross_Scripting__SQL_Injection_Batch_Status_Results.XLS : XSS Tests 15: URL: http://s8:81/Application/Reports/ReportList.aspx Parameters: st, mnu HTTP Request-Response files: 787-850. HTTP Response file sampling (unencrypted): 787& 797. Batch results status reference: Cross_Scripting__SQL_Injection_Batch_Status_Results.XLS : XSS Tests

Internal Security Audit of TimeControl Online Page: 23 © 2014 Heuristic Management Systems Inc.

SQL Injection exploit

SQL Injection is a common method of attack on web-based services. Testing of version 6.5.0.4 using WebScarab produced the following pass results. Full test results are visible in the Excel file: Cross_Scripting__SQL_Injection_Batch_Status_Results.XLS. 1: URL: http://s8:81/Application/Default.aspx Parameters: mnu HTTP Request-Response files: 75-99. HTTP Response file sampling (unencrypted): 75 & 85. Results status reference: Cross_Scripting__SQL_Injection_Batch_Status_Results.XLS : SQL Injection Tests

2: URL: http://s8:81/Application/Timesheet/TimesheetEntry.aspx Parameters: mnu HTTP Request-Response files: 459-481. HTTP Response file sampling (unencrypted): 459 & 469. Results status reference: Cross_Scripting__SQL_Injection_Batch_Status_Results.XLS : SQL Injection Tests

3: URL: http://s8:81/Application/Timesheet/TimesheetList.aspx Parameters: st, mnu HTTP Request-Response files: 459-481. HTTP Response file sampling (unencrypted): 459 & 469. Results status reference: Cross_Scripting__SQL_Injection_Batch_Status_Results.XLS : SQL Injection Tests

6: URL: http://s8:81/Application/Timesheet/TimeRequests.aspx Parameters: st, mnu HTTP Request-Response files: 644-664. HTTP Response file sampling (unencrypted): 644 & 654. Results status reference: Cross_Scripting__SQL_Injection_Batch_Status_Results.XLS : SQL Injection Tests

7: URL: http://s8:81/Application/Dashboard/vsp.aspx Parameters: tpbKey HTTP Request-Response files: 747-767. HTTP Response file sampling (unencrypted): 747 & 757. Results status reference: Cross_Scripting__SQL_Injection_Batch_Status_Results.XLS : SQL Injection Tests

8: URL: http://s8:81/Application/Reports/Designer/TimeControlReportDesigner.application Parameters: sn,sp,si,uk,rk HTTP Request-Response files: 1501-1521. HTTP Response file sampling (unencrypted): 1501 & 1511. Results status reference: Cross_Scripting__SQL_Injection_Batch_Status_Results.XLS : SQL Injection Tests

Internal Security Audit of TimeControl Online Page: 24 © 2014 Heuristic Management Systems Inc.

9: URL: http://s8:81/Application/ActiveX/ActiveXControl.aspx Parameters: st, mnu HTTP Request-Response files: 1024-1042. HTTP Response file sampling (unencrypted): 1024 & 1034. Results status reference: Cross_Scripting__SQL_Injection_Batch_Status_Results.XLS : SQL Injection Tests

10: URL: http://s8:81//Application/Timesheet/ProjectValidation.aspx Parameters: st, mnu HTTP Request-Response files: 1075-1105. HTTP Response file sampling (unencrypted): 1075 & 1085. Results status reference: Cross_Scripting__SQL_Injection_Batch_Status_Results.XLS : SQL Injection Tests

11: URL: http://s8:81/Application/Tables/ResourceTable.aspx Parameters: st, mnu HTTP Request-Response files: 1184-1205. HTTP Response file sampling (unencrypted): 1184 & 1194. Results status reference: Cross_Scripting__SQL_Injection_Batch_Status_Results.XLS : SQL Injection Tests

12: URL: http://s8:81/Application/Tables/EmployeeTable.aspx Parameters: st, mnu HTTP Request-Response files: 1277-1297. HTTP Response file sampling (unencrypted): 1277 & 1287. Results status reference: Cross_Scripting__SQL_Injection_Batch_Status_Results.XLS : SQL Injection Tests

13: URL: http://s8:81/Application/Tables/MyAccount.aspx Parameters: st, mnu HTTP Request-Response files: 1389-1409. HTTP Response file sampling (unencrypted): 1389 & 1399. Results status reference: Cross_Scripting__SQL_Injection_Batch_Status_Results.XLS : SQL Injection Tests

14: URL: http://s8:81/Application/Tools/UpdateLicenseKey.aspx Parameters: st, mnu HTTP Request-Response files: 1522-1539. HTTP Response file sampling (unencrypted): 1522 & 1532. Results status reference: Cross_Scripting__SQL_Injection_Batch_Status_Results.XLS : SQL Injection Tests

15: URL: http://s8:81/Application/Administrator/ValidationRules.aspx Parameters: st, mnu HTTP Request-Response files: 1607-1625. HTTP Response file sampling (unencrypted): 1607 & 1617.

Internal Security Audit of TimeControl Online Page: 25 © 2014 Heuristic Management Systems Inc.

Results status reference: Cross_Scripting__SQL_Injection_Batch_Status_Results.XLS : SQL Injection Tests

Internal Security Audit of TimeControl Online Page: 26 © 2014 Heuristic Management Systems Inc.

Control over Administration Ports and Pages

Port control at Amazon is managed in the Amazon EC2 security profile dashboard. The following ports were open or open under restrictions as of May 2, 2014:

Port Restriction Purpose

80 HTTP Was used for non SSL web access. Further testing must be done to determine if this port is still required to be open as all TimeControlOnline web traffic is via HTTPS

443 HTTPS All SSL secured web traffic to TimeControl’s .Net interface

8000-8300 ATS Traffic This port range is used for traffic from the TimeControl ActiveX controls to the TimeControl Administration Transaction Server (ATS) via HMS Software’s HMS™ encrypted streaming object protocol.

32843-32844 These ports are being used for SharePoint and Project Server transfer testing.

445 Restricted to a single IP and port at HMS Headquarters. This port is not visible from outside of the HMS Office.

Used for authentication from the HMS offices only

3389 Restricted to a single IP and port at HMS Headquarters. This port is not visible from outside of the HMS Office.

Used for Administrative control of the TimeControlOnline environment. This port can only be accessed from a particular location by specific named personnel using a specific security protocol.

Internal Security Audit of TimeControl Online Page: 27 © 2014 Heuristic Management Systems Inc.

137 Restricted to a single IP and port at HMS Headquarters. This port is not visible from outside of the HMS Office.

Used for transfer of encrypted backup files to our offsite location.

Internal Security Audit of TimeControl Online Page: 28 © 2014 Heuristic Management Systems Inc.

Application and Network Vulnerability Assessment

TimeControlOnline runs on the Amazon EC2 environment. Information on the network architecture and the layers of security which exist prior to any potential threat even reaching the TimeControlOnline hosted servers can be found at aws.amazon.com/security.

Amazon security certifications

According to Amazon, they have past successfully completed multiple SAS70 Type II audits, and now publishes a Service Organization Controls 1 (SOC 1), Type 2 report, published under both the SSAE 16 and the ISAE 3402 professional standards as well as a Service Organization Controls 2 (SOC 2) report. In addition, AWS has achieved ISO 27001 certification, and has been successfully validated as a Level 1 service provider under the Payment Card Industry (PCI) Data Security Standard (DSS). In the realm of public sector certifications, AWS has received authorization from the U.S. General Services Administration to operate at the FISMA Moderate level, and is also the platform for applications with Authorities to Operate (ATOs) under the Defense Information Assurance Certification and Accreditation Program (DIACAP). We will continue to obtain the appropriate security certifications and conduct audits to demonstrate the security of our infrastructure and services.

Physical Security

The Amazon infrastructure is housed in Amazon-controlled data centers throughout the world. Only those within Amazon who have a legitimate business need to have such information know the actual location of these data centers, and the data centers themselves are secured with a variety of physical controls to prevent unauthorized access.

Secure Services

Each of the services within the Amazon EC2 environment contains a number of capabilities that restrict unauthorized access or usage. For more information on the physical security, secure services that are automatically part of the EC2 environment and how Amazon monitors and defends against external threats, visit aws.amazon.com/security.

Internal Security Audit of TimeControl Online Page: 29 © 2014 Heuristic Management Systems Inc.

Architecture

SSL Certificate

Testing of the TimeControl.net SSL Certificate was done at: http://www.networking4all.com/en/support/tools/site+check/report/?fqdn=http%3A%2F%2Fmaster.timecontrol.net&protocol=https Testing Results:

SSL Certificate is not expired Site is listed in the certificate Organisation details are listed Encryption strength is at least 1024-bit Signature Algorithm is strong Accepting only high encryption cipher suites No connection upgrade to 128-bit for old browsers No Extended Validation on company details No Debian weak key present No known security issues for this Certificate Authority

Subject Alternative Name (SAN) This SSL Certificate has 2 subject alternative name(s). This means that this SSL Certificate is not only valid for *.timecontrol.net but in this case also for the alternative names *.timecontrol.net, timecontrol.net Organization details The identity of the owner of this domain/certificate has been validated. The details can be retrieved from the certificate. Encryption strength The SSL Certificate has a 2048-bit length private key. Longer RSA keys are required to provide security as computing capabilities increase. The recommended RSA key-length is 2048 bits. Although a 2048-bit RSA key length is more secure than the common 1024-bit length, it is also slower and might affect server performance. Most web servers continue to use 1024-bit RSA keys without negatively influencing security for normal operations Signature Algorithm The SSL Certificate is signed with a sha1WithRSAEncryption method which is an accepted secure standard algorithm for signing certificates. The less secure MD5 algorithms can be potentially manipulated during the signing process and should no longer by used Cipher Suite This site only accepts connections with a strong cipher suite and will not allow weak encryption for SSL sessions. Server Gated Cryptography (SGC)

Internal Security Audit of TimeControl Online Page: 30 © 2014 Heuristic Management Systems Inc.

This certificate is not able to create a 128-bit secure connection for older browsers. The certificate has no SGC, Server Gated Cryptography support which will upgrade a 40-bit connection to a secure 128-bit connection. Extended Validation (EV) This SSL Certificate will not display a green address bar in the visitor’s browser, nor the identity of the website owner or the Certificate Authority. EV SSL Certificates have the highest level of trust and security. Certificate Authority Security Issues There are no known issues with the Certificate Authority who issued this SSL Certificate. Debian Weak Key This SSL Certificate is not affected by the Debian weak key problem. Between September 2006 and May 2008, Debian-based servers have generated weak keys. Once a hacker finds a server using a weak key, he can use the public key to find the private key.

-----BEGIN CERTIFICATE----- MIIFCjCCA/KgAwIBAgIQP2ELPJtVS163GLDultYkmjANBgkqhkiG9w0BAQUFADBz MQswCQYDVQQGEwJHQjEbMBkGA1UECBMSR3JlYXRlciBNYW5jaGVzdGVyMRAwDgYD VQQHEwdTYWxmb3JkMRowGAYDVQQKExFDT01PRE8gQ0EgTGltaXRlZDEZMBcGA1UE AxMQUG9zaXRpdmVTU0wgQ0EgMjAeFw0xMjEyMDYwMDAwMDBaFw0xMzEyMTMyMzU5 NTlaMF4xITAfBgNVBAsTGERvbWFpbiBDb250cm9sIFZhbGlkYXRlZDEdMBsGA1UE CxMUUG9zaXRpdmVTU0wgV2lsZGNhcmQxGjAYBgNVBAMUESoudGltZWNvbnRyb2wu bmV0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1/T2T9EM55H1YQf7 HozzHeoePGepbTaE0lY554lEKnNf71lXOFepqxhLWNt+zThi1xxqQ//yf9iGxUYM 9/13A00tqWjMso7nhU9oQkCASfLeI9nmQZaQ9ZoMzVZp3wLenlnNs0r6ZljLCzRt eQICKnfgap+XF3rEtU4zBmoYY63Gj7SSmMeMI89e/kd+kH1SwGq7htqu/wv+bJVL JvUZeKsZVvHpNZ248BC3X5nJ8vXBFivRSHSudvqVFwf8Zw9nrZD3Vl/qTXl9bpqj MDmLbrPFAQ4TZ149ILUe2dixvRG4Rv5NlyC/PmIA1Y53s4QQAy8ESBO49N1HQrGF NzkMHwIDAQABo4IBrTCCAakwHwYDVR0jBBgwFoAUmeRAX2sUXj4F2d3TY1T8Yrj3 AKwwHQYDVR0OBBYEFGYEYLxkS+b696QbprP1emMRxoY1MA4GA1UdDwEB/wQEAwIF oDAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBQ BgNVHSAESTBHMDsGCysGAQQBsjEBAgIHMCwwKgYIKwYBBQUHAgEWHmh0dHA6Ly93 d3cucG9zaXRpdmVzc2wuY29tL0NQUzAIBgZngQwBAgEwOwYDVR0fBDQwMjAwoC6g LIYqaHR0cDovL2NybC5jb21vZG9jYS5jb20vUG9zaXRpdmVTU0xDQTIuY3JsMGwG CCsGAQUFBwEBBGAwXjA2BggrBgEFBQcwAoYqaHR0cDovL2NydC5jb21vZG9jYS5j b20vUG9zaXRpdmVTU0xDQTIuY3J0MCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5j b21vZG9jYS5jb20wLQYDVR0RBCYwJIIRKi50aW1lY29udHJvbC5uZXSCD3RpbWVj b250cm9sLm5ldDANBgkqhkiG9w0BAQUFAAOCAQEAT+c1f3JmZmP8qkPb33ftd9QJ HmL2U8pWhF6ToMt9ml4bvSxPwEinjf0SyXRyxS7f2QTDlQ8+F4/srpht4bN9okMn wdcdXHBh1Z7FjMlQdyF1k8S/9/bF8p3/b5zFa81wtSO8/pf2/7HeOnB+tlqV3Ruv 6qLtNHiQs87X+s0MiwTqUA7epVnXhalXcWz39bvC3+wYKmCguratsYkP7u5ZOL0+ MwWGT029qP3U7aOJ0pn/Vn8msP1b+N7jjZ0t2JQgZ1975Av4ZTSG0ccJTG9B+8S6 ikcP3QzV1CJqKtdZqSWqDJAGjHowslwlO3PI9f5JevZXH35AUNUpOuY/uGrHTg== -----END CERTIFICATE-----

Certificate information: PositiveSSL Wildcard Valid from: Thursday 6 December 2012 Valid till: Saturday 14 December 2014 keyLength: 2048 Signature Algorithm: sha1WithRSAEncryption

PositiveSSL CA 2 -----BEGIN CERTIFICATE----- MIIE5TCCA82gAwIBAgIQB28SRoFFnCjVSNaXxA4AGzANBgkqhkiG9w0BAQUFADBv MQswCQYDVQQGEwJTRTEUMBIGA1UEChMLQWRkVHJ1c3QgQUIxJjAkBgNVBAsTHUFk ZFRydXN0IEV4dGVybmFsIFRUUCBOZXR3b3JrMSIwIAYDVQQDExlBZGRUcnVzdCBF eHRlcm5hbCBDQSBSb290MB4XDTEyMDIxNjAwMDAwMFoXDTIwMDUzMDEwNDgzOFow czELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G A1UEBxMHU2FsZm9yZDEaMBgGA1UEChMRQ09NT0RPIENBIExpbWl0ZWQxGTAXBgNV BAMTEFBvc2l0aXZlU1NMIENBIDIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK AoIBAQDo6jnjIqaqucQA0OeqZztDB71Pkuu8vgGjQK3g70QotdA6voBUF4V6a4Rs NjbloyTi/igBkLzX3Q+5K05IdwVpr95XMLHo+xoD9jxbUx6hAUlocnPWMytDqTcy Ug+uJ1YxMGCtyb1zLDnukNh1sCUhYHsqfwL9goUfdE+SNHNcHQCgsMDqmOK+ARRY FygiinddUCXNmmym5QzlqyjDsiCJ8AckHpXCLsDl6ez2PRIHSD3SwyNWQezT3zVL yOf2hgVSEEOajBd8i6q8eODwRTusgFX+KJPhChFo9FJXb/5IC1tdGmpnc5mCtJ5D YD7HWyoSbhruyzmuwzWdqLxdsC/DAgMBAAGjggF3MIIBczAfBgNVHSMEGDAWgBSt vZh6NLQm9/rEJlTvA73gJMtUGjAdBgNVHQ4EFgQUmeRAX2sUXj4F2d3TY1T8Yrj3 AKwwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQAwEQYDVR0gBAow

Certificate information: COMODO CA Limited Salford, Greater Manchester GB Valid from: Thursday 16 February 2015 Valid till: Saturday 30 May 2020 keyLength: 2048

Internal Security Audit of TimeControl Online Page: 31 © 2014 Heuristic Management Systems Inc.

CDAGBgRVHSAAMEQGA1UdHwQ9MDswOaA3oDWGM2h0dHA6Ly9jcmwudXNlcnRydXN0 LmNvbS9BZGRUcnVzdEV4dGVybmFsQ0FSb290LmNybDCBswYIKwYBBQUHAQEEgaYw gaMwPwYIKwYBBQUHMAKGM2h0dHA6Ly9jcnQudXNlcnRydXN0LmNvbS9BZGRUcnVz dEV4dGVybmFsQ0FSb290LnA3YzA5BggrBgEFBQcwAoYtaHR0cDovL2NydC51c2Vy dHJ1c3QuY29tL0FkZFRydXN0VVROU0dDQ0EuY3J0MCUGCCsGAQUFBzABhhlodHRw Oi8vb2NzcC51c2VydHJ1c3QuY29tMA0GCSqGSIb3DQEBBQUAA4IBAQCcNuNOrvGK u2yXjI9LZ9Cf2ISqnyFfNaFbxCtjDei8d12nxDf9Sy2e6B1pocCEzNFti/OBy59L dLBJKjHoN0DrH9mXoxoR1Sanbg+61b4s/bSRZNy+OxlQDXqV8wQTqbtHD4tc0azC e3chUN1bq+70ptjUSlNrTa24yOfmUlhNQ0zCoiNPDsAgOa/fT0JbHtMJ9BgJWSrZ 6EoYvzL7+i1ki4fKWyvouAt+vhcSxwOCKa9Yr4WEXT0K3yNRw82vEL+AaXeRCk/l uuGtm87fM04wO+mPZn+C+mv626PAcwDj1hKvTfIPWhRRH224hoFiB85ccsJP81cq cdnUl4XmGFO3 -----END CERTIFICATE-----

Signature Algorithm: sha1WithRSAEncryption

AddTrust External CA Root -----BEGIN CERTIFICATE----- MIIENjCCAx6gAwIBAgIBATANBgkqhkiG9w0BAQUFADBvMQswCQYDVQQGEwJTRTEUMBIGA1UEChML QWRkVHJ1c3QgQUIxJjAkBgNVBAsTHUFkZFRydXN0IEV4dGVybmFsIFRUUCBOZXR3b3JrMSIwIAYD VQQDExlBZGRUcnVzdCBFeHRlcm5hbCBDQSBSb290MB4XDTAwMDUzMDEwNDgzOFoXDTIwMDUzMDEw NDgzOFowbzELMAkGA1UEBhMCU0UxFDASBgNVBAoTC0FkZFRydXN0IEFCMSYwJAYDVQQLEx1BZGRU cnVzdCBFeHRlcm5hbCBUVFAgTmV0d29yazEiMCAGA1UEAxMZQWRkVHJ1c3QgRXh0ZXJuYWwgQ0Eg Um9vdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALf3GjPm8gAELTngTlvtH7xsD821 +iO2zt6bETOXpClMfZOfvUq8k+0DGuOPz+VtUFrWlymUWoCwSXrbLpX9uMq/NzgtHj6RQa1wVsfw Tz/oMp50ysiQVOnGXw94nZpAPA6sYapeFI+eh6FqUNzXmk6vBbOmcZSccbNQYArHE504B4YCqOmo aSYYkKtMsE8jqzpPhNjfzp/haW+710LXa0Tkx63ubUFfclpxCDezeWWkWaCUN/cALw3CknLa0Dhy 2xSoRcRdKn23tNbE7qzNE0S3ySvdQwAl+mG5aWpYIxG3pzOPVnVZ9c0p10a3CitlttNCbxWyuHv7 7+ldU9U0WicCAwEAAaOB3DCB2TAdBgNVHQ4EFgQUrb2YejS0Jvf6xCZU7wO94CTLVBowCwYDVR0P BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wgZkGA1UdIwSBkTCBjoAUrb2YejS0Jvf6xCZU7wO94CTL VBqhc6RxMG8xCzAJBgNVBAYTAlNFMRQwEgYDVQQKEwtBZGRUcnVzdCBBQjEmMCQGA1UECxMdQWRk VHJ1c3QgRXh0ZXJuYWwgVFRQIE5ldHdvcmsxIjAgBgNVBAMTGUFkZFRydXN0IEV4dGVybmFsIENB IFJvb3SCAQEwDQYJKoZIhvcNAQEFBQADggEBALCb4IUlwtYj4g+WBpKdQZic2YR5gdkeWxQHIzZl j7DYd7usQWxHYINRsPkyPef89iYTx4AWpb9a/IfPeHmJIZriTAcKhjW88t5RxNKWt9x+Tu5w/Rw5 6wwCURQtjr0W4MHfRnXnJK3s9EK0hZNwEGe6nQY1ShjTK3rMUUKhemPR5ruhxSvCNr4TDea9Y355 e6cJDUCrat2PisP29owaQgVR1EX1n6diIWgVIEM8med8vSTYqZEXc4g/VhsxOBi0cQ+azcgOno4u G+GMmIPLHzHxREzGBHNJdmAPx/i9F4BrLunMTA5amnkPIAou1Z5jJh5VkpTYghdae9C8x49OhgQ= -----END CERTIFICATE-----

Certificate information: AddTrust AB SE Valid from: Tuesday 30 May 2000 Valid till: Saturday 30 May 2020 keyLength: 2048

Internal Security Audit of TimeControl Online Page: 32 © 2014 Heuristic Management Systems Inc.

24x7 Monitoring

As an online service, TimeControl can be accessed by users from anywhere in the world in any time zone possible. We use multiple monitoring services to check on TimeControlOnline 24 hours a day, 7 days a week and, in the case of an emergency, automatically update key HMS staff regardless of the time.

Amazon Monitoring

Amazon’s EC2 provides a service called CloudWatch which HMS uses to monitor the health of the TimeControlOnline environment. The service currently makes available 26 different metrics. HMS uses the Cloud Watch service to monitor the TimeControlOnline service in real-time for events such as the stoppage of service as well as the server experiencing overload from, for example, denial of service attacks which Amazon might not have intercepted. Alarms from CloudWatch generate emails which are sent to the 3 HMS Staff with the authority to access the server and determine the nature of the difficulty.

Independent Monitoring Service

In the event that whatever problem with Amazon that would have TimeControlOnline not be available has also affected the Amazon CloudWatch service, HMS uses an independent monitoring tool to check on the availability of TimeControlOnline 24 hours a day. This service is capable of determining if a key page has been manipulated and if that page is being served at a reasonable speed. Any variant from this results in emergency emails to key HMS personnel who can intervene regardless of the time.

Internal Security Audit of TimeControl Online Page: 33 © 2014 Heuristic Management Systems Inc.

TimeControl Sample Client List

Engineering/Construction Lockerbie & Hole AeroInfo Koch Business Solutions Kongsberg Devotek Thompson Beta Gas / Utilities Gulf South Pipeline Iogen Acergy Petrocon VenCorp Manufacturing Alcan Parker Hannifin Dofasco Georgia Pacific John Deere Magneti Marelli Mercury Marine Tennant Wagner Spray Tech Vision Systems Defense / Aerospace Bombardier Inc. CAE Electronics General Motors Diesel Lockheed Martin Rolls Royce SAAB Government Amsterdam Port Authorities Atlanta Airport City of Montreal Dutch Railways Government of Saskatchewan Railway Procurement Agency (UK)

Technology Arivia CSI Piemonte DRS Power Control Tech EDS Face Technology Fuel Plus Software GE Access Lockheed Martin Microsoft Positron Psion Techlogix DRUCK Ltd Telecommunications Cable & Wireless Bartel Ericsson EXFO Motorola Philips Semiconductors SARA Amsterdam Stratos Global Financial Standard Life Development Bank of Canada Alliance One Health/Pharmaceutical Boehringer Ingelheim Azko Nobel (Organon) RTS Thurnall Canadian Institute for Health Info Registrat

Internal Security Audit of TimeControl Online Page: 34 © 2014 Heuristic Management Systems Inc.

About HMS Software

HMS Software, a division of Montreal, Canada-based Heuristic Management Systems Inc., is a leading provider of enterprise timesheet and project management systems. Founded in 1984, HMS Software's expertise in implementing enterprise project-management and enterprise timesheet systems is recognized worldwide by some of the world's best known organizations. HMS's signature product, TimeControl, an enterprise timekeeping system designed to serve the needs of both Finance and Project Management, is distributed worldwide through an extensive list of distributors and dealers located on every continent with representatives in the US, the UK, Australia, Mexico, Europe, Asia, South Africa and the Middle East. HMS Software's client list includes some of the world's leading corporations in the telecommunications, IT, finance, engineering, defense/aerospace and government sectors including such organizations as Acergy, Aecon Construction, Alcan, the Atlanta Airport, Akzo Nobel, The Canadian Business Development Bank, The City of Montreal, EDS, Ericsson, General Motors, the Government of Saskatchewan, John Deere, Kelly Services, The UK’s National Health Service, Standard Life, UPS, Volvo Novabus and hundreds of others. HMS maintains offices in Montreal, Quebec and Toronto, Ontario. For more information about HMS, please visit www.hmssoftware.ca.

TimeControl First published by HMS in 1994, TimeControl has been adopted hundreds of clients and over 250,000 users around the world. TimeControl is designed to serve the needs of both project and finance simultaneously. It allows an organization to use a single timesheet for project tracking, time and attendance, time and billing, HR tracking, R&D Tax Credits, DCAA and project costing instead of having to deploy many timesheets to serve these needs. TimeControl is available for purchase for an on-premises implementation or as a subscription as service. TimeControl’s architecture is flexible and extensive supporting numerous databases such as Oracle, Microsoft SQL Server and MySQL, multiple browsers such as Internet Explorer, Firefox, Safari and Chrome and even includes a mobile interface for Smartphones For more information about TimeControl please visit: www.timecontrol.com.

Strategic Services In addition to being a publisher of one of the world’s best known timesheet systems, HMS provides a full range of support services including technical support, training and consulting tailored to meet clients' specific needs. HMS Software consultants are skilled in activity-based-costing, timekeeping methodology, project management techniques, cost and earned-value management as well, of course, in the HMS-supplied products. For more information about HMS Software services, please visit www.hms.ca.