Archive for January, 2018

Omanisation temporary ban on visa for 10 sectors

January 29th, 2018

The Sultanate of Oman wants companies to employ Omani professionals.

Oman has issued a six-month ban on issuing work visas for expatriates in ten sectors, including information systems, engineering, aviation and certain technical professions.

Sheikh Abdullah bin Nasser Al Bakri, the sultanate’s Minister of Manpower, issued the new regulation, which will begin with immediate effect.

Over the last decade, the expat workforce in Oman has almost tripled, according to Oman’s National Centre for Statistics and Information. It has risen from 660,950 in 2007 to 1,825,603 people in 2016.

The decree does not include companies owned by employers wholly devoted to management of their establishments which are registered with the Public Authority for Small and Medium Enterprises Development and insured with the Public Authority for Social Insurance (PASI).

The Knowledge and Innovation Dirham Fee

January 29th, 2018

A new law aims to engage the community in supporting educational and cultural projects in Dubai.

The Knowledge Dirham Fee, set at AED10, will be levied on all transactions for government services in Dubai including federal government services whose revenues are allocated to the Public Treasury of the Government of Dubai.

The Innovation Dirham Fee aims to support innovation-related projects and involve the public in supporting innovation.

As per the law, Dubai government entities will charge an Innovation Dirham Fee of AED10 for all transactions.

The revenues generated from the Fee will be allocated to the Dubai Future Foundation (DFF). An Innovation Dirham Investment Committee will be established to explore opportunities for investing revenues from the Innovation Dirham, WAM added.

The Knowledge Dirham and Innovation Dirham will not be refunded when transactions are cancelled. The fees only apply to transactions of more than AED50.

Healthcare services provided by government entities are exempted from the Knowledge Dirham and Innovation Dirham, in addition to traffic fines for violations committed in Dubai which are collected in other emirates or other GCC countries, as well as fines for violations committed in other emirates or GCC countries collected by authorities in Dubai.

Cyber attacks doubled in 2017 – expect 2018 to be worse.

January 27th, 2018

Cyber attacks on businesses nearly doubled in the past year. A new report, the Cyber Incident & Breach Trends Report, released by the Online Trust Alliance (OTA), found 156,700 cyber incidents last year, compared to 82,000 in 2016. The OTA is an Internet Society initiative designed to improve online trust.

The organization believes that since a majority of cybersecurity attacks are never reported, the number of cyber incidents last year could actually be closer to 350,000. “Surprising no one, 2017 marked another ‘worst year ever’ in data breaches and cyber incidents around the world,” said Jeff Wilbur, director of the OTA initiative at the Internet Society. “This year’s big increase in cyberattacks can be attributed to the skyrocketing instances of ransomware and the bold new methods of criminals using this attack.”

The OTA claimed that most of the incidents could have been prevented easily – 93 percent of breaches could have been avoided by regularly updating software, blocking fake emails, and training people to recognize phishing attacks.

52% of security incidents were the result of an actual attack.
15% resulted from a lack of security software.
11% were caused by credit card skimming.
11% resulted from companies not having controls to prevent employees’ negligent or malicious actions.
8% were the result of phishing scams.

Electron is a node.js, V8, and Chromium framework created for the development of cross-platform desktop apps with JavaScript, HTML, and CSS. The Electron framework is popular and widely used by a range of desktop app services; Skype, Signal, Slack, Shopify, and Surf are among the users. A critical vulnerability affecting Electron desktop apps has recently been disclosed.

Regular patching has always been a best practice and neglecting it is a known cause of many breaches.

In 2017 the Equifax breach brought home that message.

In 2018 a patching strategy needs to be integral to your processes because of the Spectre and Meltdown vulnerabilities (see our earlier posts), which highlighted that nearly every computer chip manufactured in the last 20 years contains fundamental security flaws.

Dynamics 365 v 9 Ask Dubai Dynamics partner Synergy Software Systems

January 22nd, 2018

Announced in July 2017 Dynamics 365 v9 was released for some new customers in November while existing D365 users will be able to upgrade from early 2018. This update is available for Dynamics 2016 (8.0), Dynamics 2016 UPD1 (8.1) and Dynamics 365 (8.2).

Version 9 is a mandatory update for customers using v8.0 or v8.1. This is in line with Microsoft’s update policy, which requires customers to be on the current version, or the immediate version prior to this release. With v9 being the current release, v8.2 is the previous update so system admins can choose not to take version 9.0 but remaining v8.0 and v8.1 users will be required to update.

v9 sees a fundamental change with a separation of code between the platform and apps. As well as delivering on Microsoft’s promise of an app-centric structure, this introduces a new unified user interface to provide a consistent D365 user experience across different browsers, devices and screen sizes. Dynamics 365 – Version 9.0 features a refreshed web interface, multi-select option sets, new virtual entity capability and introduces a new unified client interface.

This will be increasingly evident with the v9 release which sees Dynamics 365 break into modular apps that shift away from one platform with multiple modules hardwired in such as sales, marketing and service. With apps frequently changing and able to upgrade independently of each other, several insiders have predicted that Dynamics 365 users will see a continuous flow of improvements in a similar way that apps on a tablet or mobile device are updated.

By redefining the platform layer and breaking modules into role-based solutions for sales, finance & operations, customer service, talent, field service, to name just a few, this change will remove the need to test all at once and to upgrade everything in one big bang project. This will quicken release cycles and enable more rapid changes by allowing these apps to work independently of each other, and crucially these are all connected with a common data service.

Several legacy Dynamics CRM features will be deprecated with this release. In addition to the Outlook client, further deprecations include dialogs, contracts, mail merge and standard SLAs. Some of those, like dialogs, will impact many clients.

The deprecation of the Outlook client will also impact Excel dynamics worksheets.
https://docs.microsoft.com/en-us/dynamics365/get-started/whats-new/customer-engagement/important-changes-coming

Unlike the other mobile apps, the App for Outlook isn’t something that a normal end user can (typically) download and configure for themselves. A system administrator must take care of the deployment steps, such as switching over to server-side synchronization, approving user mailboxes (with O365 Global Admin rights) and pushing the app to either selected or all eligible users under the menu Settings – Dynamics 365 App for Outlook.

The Dynamics 365 App for Outlook in V9 is still in Preview mode, so a sysadmin needs to enable it from the System Settings – Previews tab. This is because the earlier app has been replaced with a completely new app in this release, built on UCI (Unified Client Infrastructure), which is used in the new Unified Interface. This will actually turn the previously feature-limited Outlook sidebar app into a full Dynamics 365 Customer Engagement app that has similar capabilities to the mobile app mentioned above.

Microsoft has confirmed it has begun the scheduling process for upgrading instances of Microsoft Dynamics 365 to Version 9.0. v9 was rolled out in the closing months of 2017 for new instances of Dynamics 365, and Microsoft will invite system administrators to run their Version 9 upgrade from February 2018.

Administrators should see a notification in the Office 365 Message Centre advising that their D365 update scheduling window is now open. Starting January 15, existing Dynamics 365 customers will be able to schedule updates to occur from February 20th through August 20th. https://blogs.msdn.microsoft.com/crm/2018/01/12/scheduling-your-dynamics-365-organization-for-microsoft-dynamics-365-online-version-9-0-update/

Microsoft intends to complete scheduled Version 9.0 upgrades by August 2018. v9.0 updates can be scheduled for any day, including weekends, but each date has a limited number of bookings, so admins are strongly recommended to schedule their update as soon as possible. Microsoft will allocate update slots on a first-come, first-served basis.

Administrators will be able to schedule updates to sandbox instances before their production instance. View Sandbox and Production update schedules in a single view within the Dynamics 365 Admin Center.

If you have any questions about scheduling or preparing for this update then please get in touch with us.
At this stage, we do not have any timescale for when Microsoft will release v9.0 for its on-premise edition of Dynamics 365.

Dubai Dynamics Partner Synergy Software System receives appreciation award for another successful project

January 15th, 2018

A turnaround re-implementation project in Nigeria started in Oct 2017 went live on New Year’s Day thanks to an experienced team working flat out.

The customer appreciation for the consultants was confirmed by these individual awards.

The project also earned praise from Microsoft and Ax Pact.

Congratulations Synergy - Management and consultants and thank you for all your hard work and commitment to the project and the customer. Am so proud and thrilled of the below news.

AMAZING!
Thank you Synergy team for bringing this implementation on the right track
Thank you for your partnership, expertise and professional work implementing our technology the “right” way
Looking forward to more projects together.

If you are looking to implement Dynamics 365/Dynamics AX, then why not try the Synergy way: a Dynamics partner in Dubai since 2003 and a Microsoft partner since 1993.

Infor Ming.le and the Xi platform from Infor partner Synergy Software Systems, Dubai

January 8th, 2018

Infor Ming.le™—the beautiful centralized platform for collaboration, business process improvement, and contextual analytics. To use it with Sunsystems, ask Synergy Software Systems, an implementation partner of Sunsystems for 20 years.

See the new features of Infor Ming.le™ 12 to improve business processes using the new Xi platform.

VAT key steps – Synergy Software Systems, Dubai.

January 8th, 2018

1- Maintain regular accounting books and records

Account maintenance is now mandatory under UAE VAT Law and it facilitates the correct receipt and payment of cash and other transactions entered by a company. Audited accounts will be needed so don’t wait till year end to find an auditor that suits your business.

2- Make changes to the core processes and accounting departments

It is important to change your core processes and adapt your accounting departments to achieve tax compliance. For SMEs, with limited transactions, the task is easier as the transition is less likely to require significant systematic change or they might use an external bookkeeper or tax agent.

3- Train staff, especially financial management

Employees need proper insight around GCC-wide initiatives to implement VAT across the region and how companies should prepare. Help them de-mystify VAT by providing on the job training and a framework to raise and clarify queries. Avoid disputes with trading partners and ensure staff have the relevant information and training to resolve issues that arise.

4- Review your contracts and the contracts and conditions agreed with dealers

Many businesses negotiated contracts at a time VAT was not payable but running across the implementation dates. It is time to now bring contracts into step with the UAE’s economic context.

5- Consider accounting software for bookkeeping

Electronic reporting systems are increasingly being used by tax authorities. The ability to produce the required audit file details on demand will be difficult without a system. Companies that use electronic invoicing are likely to improve the timing of VAT recovery on costs.

6- Adhere to VAT deadlines

Register your company to avoid a fine as severe as AED 20,000. The Federal Tax Authority (FTA) has already extended the deadline to the 1st January, and if you don’t complete VAT registration you will also have to stop sales until you get your tax registration certificate (TRC).

Note initial returns are due 28 January 2018 so time is running out.

7- Study UAE tax legislation

The implementation of taxes in the UAE came with a whole new set of procedures. We recommend that you study and become familiar with the different laws in place, including the UAE VAT Law, and discuss them with your auditor, tax agent and software provider.

8- Keep an eye out for new information

There have been a slew of clarifications in the last month and some details are still not finalised e.g. with regard to free zones, or which companies will report monthly and which quarterly.

Meltdown and Spectre – why do these matter?

January 6th, 2018

One of the most basic premises of computer security is isolation: when you run somebody else’s code as an untrusted process on your machine, you restrict it to its own tightly sealed test environment. Otherwise, it might peer into other processes, or snoop around the computer as a whole. When a security flaw in computers’ most deep-seated hardware puts a crack in those walls, as one newly discovered vulnerability in millions of processors has done, it breaks some of the most fundamental protections computers promise—and sends practically the entire industry scrambling.

A bug in Intel chips allows low-privilege processes to access memory in the computer’s kernel, the machine’s most privileged inner sanctum. Theoretical attacks that exploit that bug, based on quirks in features Intel has implemented for faster processing, could allow malicious software to spy deeply into other processes and data on the target computer or smartphone. On multi-user machines, like the servers run by Google Cloud Services or Amazon Web Services, they could allow hackers to break out of one user’s process, and instead snoop on other processes running on the same shared server.

Meltdown affects Intel processors, and works by breaking through the barrier that prevents applications from accessing arbitrary locations in kernel memory. Segregating and protecting memory spaces prevents applications from accidentally interfering with one another’s data, or malicious software from being able to see and modify it at will. Meltdown makes this fundamental process fundamentally unreliable.

Spectre affects Intel, AMD, and ARM processors, broadening its reach to include mobile phones, embedded devices, and pretty much anything with a chip in it. Which, of course, is everything from thermostats to baby monitors now.

It works differently from Meltdown; Spectre essentially tricks applications into accidentally disclosing information that would normally be inaccessible, safe inside their protected memory area. This is a trickier one to pull off, but because it’s based on an established practice in multiple chip architectures, it’s going to be even trickier to fix.

It’s not a physical problem with the CPUs themselves, or a plain software bug you might find in an application like Word or Chrome. It’s in between, at the level of the processors’ “architectures,” the way all the millions of transistors and logic units work together to carry out instructions.

In modern architectures, there are inviolable spaces where data passes through in raw, unencrypted form, such as inside the kernel, the most central software unit in the architecture, or in system memory carefully set aside from other applications. This data has powerful protections to prevent it from being interfered with or even observed by other processes and applications.

Because Meltdown and Spectre are flaws at the architecture level, it doesn’t matter whether a computer or device is running Windows, OS X, Android, or something else — all software platforms are equally vulnerable. A huge variety of devices, from laptops to smartphones to servers, are therefore theoretically affected. The assumption going forward should be that any untested device should be considered vulnerable.

Not only that, but Meltdown in particular could conceivably be applied to and across cloud platforms, where huge numbers of networked computers routinely share and transfer data among thousands or millions of users and instances.

The one crumb of comfort is that the attack is easiest to perform by code being run by the machine itself — it’s not easy to pull this off remotely. So there’s that, at least.

On Wednesday evening, a large team of researchers at Google’s Project Zero, universities including the Graz University of Technology, the University of Pennsylvania, the University of Adelaide in Australia, and security companies including Cyberus and Rambus together released the full details of two attacks based on that flaw, which they call Meltdown and Spectre.

“These hardware bugs allow programs to steal data which [is] currently processed on the computer,” reads a description of the attacks on a website the researchers created. “While programs are typically not permitted to read data from other programs, a malicious program can exploit Meltdown and Spectre to get hold of secrets stored in the memory of other running programs.”

Although both attacks are based on the same general principle, Meltdown allows malicious programs to gain access to higher-privileged parts of a computer’s memory, while Spectre steals data from the memory of other applications running on a machine. And while the researchers say that Meltdown is limited to Intel chips, they say that they’ve verified Spectre attacks on AMD and ARM processors, as well. With these glitches, if there’s any way an attacker can execute code on a machine, then it can’t be contained.

Meltdown and Spectre

When processors perform speculative execution, they don’t fully segregate processes that are meant to be low-privilege and untrusted from the highest-privilege memory in the computer’s kernel. That means a hacker can trick the processor into allowing unprivileged code to peek into the kernel’s memory with speculative execution.

The processor basically runs too far ahead, executing instructions that it should not execute.

Retrieving any data from that privileged peeking isn’t simple, since once the processor stops its speculative execution and jumps back to the fork in its instructions, it throws out the results. But before it does, it stores those in its cache, a collection of temporary memory allotted to the processor to give it quick access to recent data. By carefully crafting requests to the processor and seeing how fast it responds, a hacker’s code could figure out whether the requested data is in the cache or not. And with a series of speculative execution and cache probes, he or she can start to assemble parts of the computer’s high privilege memory, including even sensitive personal information or passwords.

Many security researchers who spotted signs of developers working to fix that bug had speculated that the Intel flaw merely allowed hackers to defeat a security protection known as Kernel Address Space Layout Randomization, which makes it far more difficult for hackers to find the location of the kernel in memory before they use other tricks to attack it, but the bug is more serious: It allows malicious code to not only locate the kernel in memory, but steal that memory’s contents, too.

Tough Fix

In a statement responding to the Meltdown and Spectre research, Intel noted that “these exploits do not have the potential to corrupt, modify, or delete data,” though they do have the ability to spy on privileged data. The statement also argued that “many types of computing devices—with many different vendors’ processors and operating systems—are susceptible to these exploits,” mentioning ARM and AMD processors as well.

Microsoft, which relies heavily on Intel processors in its computers, says that it has updates forthcoming to address the problem. “We’re aware of this industry-wide issue and have been working closely with chip manufacturers to develop and test mitigations to protect our customers,” the company said in a statement. “We are in the process of deploying mitigations to cloud services and are releasing security updates today to protect Windows customers against vulnerabilities affecting supported hardware chips from AMD, ARM, and Intel. We have not received any information to indicate that these vulnerabilities had been used to attack our customers.”

Linux developers have already released a fix, apparently based on a paper recommending deep changes to operating systems known as KAISER, released earlier this year by researchers at the Graz University of Technology.

Apple released a statement Thursday confirming that “all Mac systems and iOS devices are affected,” though the Apple Watch is not. “Apple has already released mitigations in iOS 11.2, macOS 10.13.2, and tvOS 11.2 to help defend against Meltdown,” the company said. “In the coming days we plan to release mitigations in Safari to help defend against Spectre. We continue to develop and test further mitigations for these issues and will release them in upcoming updates of iOS, macOS, tvOS, and watchOS.”

Amazon, which offers cloud services on shared server setups, says that it will take steps to resolve the issue soon as well. “This is a vulnerability that has existed for more than 20 years in modern processor architectures like Intel, AMD, and ARM across servers, desktops, and mobile devices,” the company said in a statement. “All but a small single-digit percentage of instances across the Amazon EC2 fleet are already protected. The remaining ones will be completed in the next several hours.”

Google, which offers similar cloud services, pointed WIRED to a chart of Meltdown and Spectre’s effects on its services, which states that the security issue has been resolved in all of the company’s infrastructure.

Those operating system patches that fix the Intel flaw may come at a performance cost: better isolating the kernel memory from unprivileged memory could create significant slowdowns for certain processes.

According to an analysis by the Register, which was also the first to report on the Intel flaw, those delays could be as much as 30 percent in some cases, although some processes and newer processors are likely to experience less significant slowdowns. Intel, for its part, wrote in its statement that “performance impacts are workload-dependent, and, for the average computer user, should not be significant and will be mitigated over time.”

Until the patches for Meltdown and Spectre roll out more widely, it’s not clear just what the speed cost of neutering those attacks may turn out to be. But even if the updates result in a performance hit, it is a worthwhile safeguard: Better to put the brakes on your processor, perhaps, than allow it to spill your computer’s most sensitive secrets.

Spectre is not likely to be fully fixed any time soon. The fact is that the practice that leads to this attack being possible is so hard-wired into processors that the researchers couldn’t find any way to totally avoid it. They list a few suggestions, but conclude:

“While the stop-gap countermeasures may help limit practical exploits in the short term, there is currently no way to know whether a particular code construction is, or is not, safe across today’s processors – much less future designs.”

Critical Server Patches for Meltdown and Spectre – processor bugs

January 5th, 2018

There is a set of critical bugs in our processors. There are two issues, known as Meltdown and Spectre.

If you haven’t been paying attention, a serious security flaw in nearly every processor made in the last ten years was recently discovered. Initially it was thought to be just Intel, but it appears it’s everyone. The severe design flaw in microprocessors that allows sensitive data, such as passwords and crypto-keys, to be stolen from memory is real – and its details have been revealed.
On a shared system, such as a public cloud server, it is possible, depending on the configuration, for software in a guest virtual machine to drill down into the host machine’s physical memory and steal data from other customers’ virtual machines.

This is so serious CERT recommends throwing away your CPU and buying a non-vulnerable one to truly fix the issue.
https://www.kb.cert.org/vuls/id/584653

There are two bugs which are known as Meltdown and Spectre. The Register has a great summarized writeup here – no need for me to regurgitate. This is a hardware issue – nothing short of new chips will eradicate it. That said, pretty much everyone who has written an OS, hypervisor, or software has (or will have) patches to hopefully eliminate this flaw. This blog post covers physical, virtualized, and cloud-based deployments of Windows, Linux, and SQL Server.

The fact every vendor is dealing with this swiftly is a good thing. The problem? Performance will most likely be impacted. No one knows the extent, especially with SQL Server workloads. You’re going to have to test and reset any expectations/performance SLAs. You’ll need new baselines and benchmarks. There is some irony here that it seems virtualized workloads will most likely take the biggest hit versus ones on physical deployments. Time will tell – no one knows yet.

What do you need to do? Don’t dawdle or bury your head in the sand thinking you don’t need to do anything and you are safe. If you have deployed anything in the past 10 – 15 years, it probably needs to be patched. Period. PATCH ALL THE THINGS! However, keep in mind that besides this massive scope, there’s pretty much a guarantee – even on Linux – you will have downtime associated with patching.
Below is information that you might want to review to decide how to patch your systems.

SQL Server Versions Affected

This is a hardware issue, so every system is affected. That includes SQL Server running on x86 and x64 for these versions:

SQL Server 2008
SQL Server 2008R2
SQL Server 2012
SQL Server 2014
SQL Server 2016
SQL Server 2017
Azure SQL Database

It is likely that SQL Server 2005, SQL Server 2000, SQL Server 7 and SQL Server 6.5 are all affected. No SQL Server patches are coming for those versions.

Note: according to Microsoft, IA64 systems are not believed to be affected.

SQL Server Patches

There is a KB that discusses the attacks. Here are the patches as of this time:

SQL Server 2017 CU3
SQL Server 2017 GDR
SQL Server 2016 SP1 CU7
SQL Server 2016 SP1 GDR

OS Patches

The Windows KB for guidance is 4072698. Here are the OS patches that I’ve been able to find.

Windows Server (Server Core) v 1709 – KB4056892
Windows Server 2016 – KB4056890
Windows Server 2012 R2 – KB4056898
Windows Server 2012 – N/A
Windows Server 2008 R2 – KB4056897
Windows Server 2008 – N/A
Red Hat v.7.3 – Kernel Side-Channel Attacks CVE-2017-5754, 5753, 5715
SUSE Linux – 7022512
Ubuntu – N/A

VMware has a security advisory (VMSA-2018-0002) and patches. They have released:

ESXi 6.5
ESXi 6.0
ESXi 5.5 (partial patch)
Workstation 12.x – Upgrade to 12.5.8
Fusion 8.x – Update to 8.5.9

When to PATCH – Immediately

If you have SQL Server 2017 or SQL Server 2016 running, then patches are available.

SQL Server (Windows) VM in your data center – Patch host OS or isolate SQL Server back on physical hardware. Check Windows OS for microcode changes.

SQL Server (Windows) on bare metal or VM, not isolated from application code on the same machine, or using untrusted code – Apply OS patches, SQL Server patches, enable microcode changes.

SQL Server Linux – Apply Linux OS patches, Linux SQL Server patches, check with Linux vendor

Note that when untrusted SQL Server extensibility mechanisms are mentioned, they mean:

SQL CLR
R and Python packages running through sp_external_script, or standalone R/ML Learning Studio on a machine
SQL Agent running ActiveX scripts
Non-MS OLEDB providers in linked servers
Non-MS XPs

There are mitigations in the SQL Server KB.
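
To confirm that the Linux OS patches mentioned above took effect on a host, the kernel's own status files can be read. This is an added example, not code from the original post; it assumes a kernel that exposes `/sys/devices/system/cpu/vulnerabilities`, and the status strings written by `make_sample` are constructed sample data.

```shell
#!/bin/sh
# Added example (not from the original post). Reads the per-issue status files
# that patched Linux kernels publish and flags anything not mitigated.

# Real sysfs location on kernels that carry the reporting interface.
VULN_DIR_DEFAULT=/sys/devices/system/cpu/vulnerabilities

# sysfs file name -> CVE, matching the three CVEs in the Red Hat entry above.
cve_for() {
    case "$1" in
        meltdown)   echo CVE-2017-5754 ;;
        spectre_v1) echo CVE-2017-5753 ;;
        spectre_v2) echo CVE-2017-5715 ;;
        *)          echo unknown ;;
    esac
}

# classify_status "<first line of a status file>" -> ok | vulnerable | unknown
classify_status() {
    case "$1" in
        "Not affected"*|"Mitigation:"*) echo ok ;;
        "Vulnerable"*)                  echo vulnerable ;;
        *)                              echo unknown ;;
    esac
}

# check_dir [DIR]: one report line per issue; exit status 1 if any is not ok.
check_dir() {
    dir=${1:-$VULN_DIR_DEFAULT}
    rc=0
    for name in meltdown spectre_v1 spectre_v2; do
        if [ -r "$dir/$name" ]; then
            IFS= read -r status < "$dir/$name" || true
            verdict=$(classify_status "$status")
        else
            # Missing file: kernel too old to report, so treat as unpatched.
            status="no status file"
            verdict=unknown
        fi
        [ "$verdict" = ok ] || rc=1
        printf '%s %s %s (%s)\n' "$(cve_for "$name")" "$name" "$verdict" "$status"
    done
    return "$rc"
}

# make_sample DIR: constructed sample of a half-patched host (not real output
# from any machine): Meltdown mitigated, Spectre v2 not, Spectre v1 file absent.
make_sample() {
    mkdir -p "$1"
    echo "Mitigation: PTI" > "$1/meltdown"
    echo "Vulnerable: Minimal generic ASM retpoline" > "$1/spectre_v2"
}

# Demo on the constructed sample; call check_dir with no argument on a real host.
sample=$(mktemp -d)
make_sample "$sample"
check_dir "$sample" || echo "=> patching or microcode update still required"
rm -rf "$sample"
```

A non-zero exit status from `check_dir` makes it usable as a gate in a patch-compliance job; a missing status file is reported as `unknown` rather than assumed safe.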

When You Can Patch Later

If you have SQL Server 2008, 2008 R2, 2012, 2014 you’ll have to wait on SQL Server patches. They aren’t out yet. However, there are other situations that remove an immediate need for patching.

When You Don’t Need to Patch
If you are on AWS, they’ve patched their systems, except for EC2 VMs. Those need patches from you. AWS Statement

Azure is patched according to KB4073235. Guidance in ADV180002 says .This does not include VMs that don’t get automatic updates. You need to patch those manually.

Apple – If you’re running High Sierra, Sierra, or El Capitan, it looks like Apple took care of this back in December of 2017.

Browsers

Chrome – It looks like Google is going to release a patch for Chrome later in January. See this link for more information.
Firefox – Version 57 or later has the proper fixes. See this blog for more information, so patch away!
Edge and Internet Explorer – Microsoft has a blog post. It looks like the January security update (KB4056890) takes care of that. So if you’re using either of these browsers, please update your OSes as soon as possible.

Details On the Exploits

Descriptions of the exploit, if you want to dig down and understand.

https://meltdownattack.com/
The Register
Ars Technica
cyber.wtf researcher blog

December 2017 release Dynamics Ax 2012 R3 – ask Synergy Software Systems

January 4th, 2018

The December 2017 release for the Dynamics AX 2012 R3 version is now available in LCS on the updates tile inside your R3 project.

This update has a number of smaller functional improvements and technical fixes.

Some important bugs are fixed in almost all areas of the software. This release is a cumulative package including all other fixes released in the prior CU13 update. This release is intended to give visibility into fixes recently shipped for R3, including some features and design changes that are newly released in this month.

• Primary Build: 6.3.6000.3475
• Number of Application hotfixes: 84
• Number of Binary hotfixes: 12

Ask Synergy Software Systems the oldest Dynamics partner in the UAE.