Archive for the ‘Sunsystems and Vision’ category

Bad Rabbit – a virulent wave of data-encrypting malware is sweeping through Eastern Europe

October 28th, 2017

A new, potentially virulent wave of data-encrypting malware is sweeping through Eastern Europe and has left a wake of outages at news agencies, train stations, and airports, according to multiple security companies.

A new ransomware outbreak similar to WCry is shutting down computers worldwide. Ransom:Win32/Tibbar.A, or Bad Rabbit, as the outbreak is dubbed, is primarily attacking targets in Russia, but it’s also infecting computers in Ukraine, Turkey and Germany, researchers from Moscow-based Kaspersky Lab said. In a blog post, the antivirus provider reported that the malware is using hacked Russian media websites to display fake Adobe Flash installers, which when clicked infect the computer visiting the hacked site. Researchers elsewhere said the malware may use other means to infect targets.

Bad Rabbit appears to specifically target corporate networks by using methods similar to those used in a June data-wiping attack dubbed “NotPetya” that shut down computers around the world.
Bad Rabbit infects Windows computers and relies solely on targets manually clicking on the installer, Kaspersky Lab said. So far, there’s no evidence the attack uses any exploits.

The Ukrainian computer emergency agency CERT-UA posted an advisory on Tuesday morning reporting a series of cyberattacks.

Kevin Beaumont said on Twitter that Bad Rabbit uses a legitimate, digitally signed program called DiskCryptor to lock targets’ hard drives. Kaspersky Labs’ blog post said the executable file dispci.exe appears to be derived from DiskCryptor and is being used by Bad Rabbit as the disk encryption module.

Bad Rabbit relies on hard-coded credentials that are commonly used in enterprise networks for file sharing and takes aim at a particularly vulnerable portion of infected computers’ hard drives known as the master boot record. A malicious file called infpub.dat appears to be able to use the credentials to allow Bad Rabbit to spread to other Windows computers on the same local network. The malware also uses the Mimikatz network administrative tool to harvest credentials from the affected systems.

Once Bad Rabbit infects a computer, it displays a message in orange letters on a black background. It directs users to a Dark Web site that demands about $283 in Bitcoin to decrypt data stored on the encrypted hard drive. The Dark Web site also displays a ticking clock that gives victims 40 hours to pay before the price increases. It’s not yet known what happens when targets pay the ransom in an attempt to restore their data. The NotPetya malware was written in a way that made recovery just about impossible, a trait that has stoked theories that the true objective of the attackers was to wipe data in an act of sabotage, as opposed to generating revenue from ransomware. It also remains unclear who is behind the attack.

The outbreak is the latest reminder that you should back up all your data on drives that are secured with a password or other measure to protect them from ransomware.

Windows Defender Antivirus detects and removes this threat with protection update 1.255.29.0 and higher.

This threat appears as a fake Adobe Flash Player update.

Microsoft advice:
Microsoft doesn’t recommend you pay the ransom. There is no guarantee that paying the ransom will give you access to your files. If you’ve already paid, then see our ransomware page (https://www.microsoft.com/en-us/mmpc/shared/ransomware.aspx) for help on what to do.

Review logs and shut down or run Windows Defender Offline.

This ransomware attempts to reboot your PC so it can encrypt your files. You might be able to stop your PC from rebooting and instead shut it down or run a Windows Defender Offline scan:
Check event logs for the following IDs: 1102 and 106
• Event 1102 indicates that the audit log has been cleared, so previous activities can’t be seen.
• Event 106 indicates that scheduled tasks “drogon” and “Rhaegel” have been registered (these are ransomware wipers).
• If events 1102 and 106 are present, then issue a shutdown with the parameter -a to prevent a reboot.

You can also immediately initiate a Windows Defender Offline scan by using PowerShell or the Windows Defender Security Center app.

Run antivirus or antimalware software

Use the following free Microsoft software to detect and remove this threat:
• Windows Defender Antivirus for Windows 8.1 and Windows 10, or Microsoft Security Essentials for Windows 7 and Windows Vista
• Microsoft Safety Scanner – Run a full scan to look for any hidden malware.

Advanced troubleshooting – To restore your PC, download and run Windows Defender Offline.

Ask us about how to use cloud protection to guard against the latest malware threats. It’s turned on by default for Microsoft Security Essentials and Windows Defender for Windows 10. Go to All settings > Update & security > Windows Defender and make sure that your Cloud-based Protection setting is turned On.

Indicators of compromise
Presence of the following files in %SystemRoot%:
• infpub.dat
• cscc.dat
• dispci.exe

Other signs of infection:
• You can’t access your files or your PC
• A ransom message in red on a black background
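
The event-log check and the file indicators above can be combined into one triage script. This is an added example, not code from Microsoft or from the original post; the parameter names, the helper function name and the seven-day look-back window are assumptions.

```powershell
# Added example: triage for the Bad Rabbit indicators listed in this post.
# Run from an elevated prompt; reading the Security log needs administrator rights.
param(
    [int]$LookbackDays = 7,   # assumption: how far back to search the logs
    [switch]$OfflineScan      # also start a Windows Defender Offline scan (restarts the PC)
)

$taskNames = 'drogon', 'Rhaegel'                      # task names given in the advisory
$iocFiles  = 'infpub.dat', 'cscc.dat', 'dispci.exe'   # files looked for in %SystemRoot%
$since     = (Get-Date).AddDays(-$LookbackDays)

function Get-EventsOrEmpty {
    # Hypothetical helper: Get-WinEvent throws when nothing matches or when the
    # log cannot be read, so both cases are treated as "no events found".
    param([hashtable]$Filter)
    try   { Get-WinEvent -FilterHashtable $Filter -ErrorAction Stop }
    catch { Write-Verbose $_.Exception.Message }
}

# Event 1102: the Security audit log was cleared.
$cleared = @(Get-EventsOrEmpty @{ LogName = 'Security'; Id = 1102; StartTime = $since })

# Event 106: a scheduled task was registered. Keep only the advisory's task names.
# If the Task Scheduler operational log is disabled, no 106 events exist to find.
$pattern    = ($taskNames | ForEach-Object { [regex]::Escape($_) }) -join '|'
$registered = @(Get-EventsOrEmpty @{
        LogName   = 'Microsoft-Windows-TaskScheduler/Operational'
        Id        = 106
        StartTime = $since
    } | Where-Object { $_.Message -match $pattern })

# Indicator files directly under %SystemRoot%.
$files = @($iocFiles |
        ForEach-Object { Join-Path $env:SystemRoot $_ } |
        Where-Object   { Test-Path -LiteralPath $_ -PathType Leaf })

# One summary object so the result can be read on screen or exported.
$report = [pscustomobject]@{
    Computer         = $env:COMPUTERNAME
    Event1102Count   = $cleared.Count
    Event106Count    = $registered.Count
    Event106Details  = $registered | ForEach-Object { '{0:u} {1}' -f $_.TimeCreated, $_.Message }
    IocFilesPresent  = $files
}
$report | Format-List

# The advisory's rule: when both 1102 and 106 are present, cancel the pending reboot.
if ($cleared.Count -gt 0 -and $registered.Count -gt 0) {
    Write-Warning 'Events 1102 and 106 are both present: aborting any pending reboot.'
    shutdown.exe -a   # reports an error if no shutdown was actually scheduled
}

if ($OfflineScan) {
    Start-MpWDOScan   # Windows Defender cmdlet; restarts into Windows Defender Offline
}
```

Indicator files without the two events still warrant isolating the machine, since event 1102 means earlier log entries may already be gone.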

VAT registration U.A.E. – act now deadlines are imminent

October 17th, 2017

The UAE Federal Tax Authority (FTA) online portal is open 24/7 to allow for taxpayers to register for VAT purposes. The FTA has also determined the deadlines for the application for VAT registration based on business turnover.
For larger companies VAT registration is required by 31 October 2017, and such businesses should immediately consider the timeline requirement given their turnover profile and the other registration requirements.
Businesses that are required to register for VAT will need to set up an online account on the FTA website and complete the VAT registration form.

The FTA has announced that a phased registration approach has been introduced. In particular, those businesses that meet these criteria must comply with the relevant application dates for registration:
● Businesses with an annual turnover exceeding AED 150 million must apply for registration by 31 October 2017
● Businesses with an annual turnover exceeding AED 10 million must apply for registration by 30 November 2017
● Remaining businesses with an annual turnover exceeding the mandatory registration threshold (expected to be AED 375,000) must apply for registration by 4 December 2017

Before completing the VAT registration form, businesses should consult the “Getting Started Guide” provided by the FTA, which shares essential information that businesses should be aware of. This includes information on the registration criteria, registration of a VAT group, and the necessity to register if only zero-rated supplies are made.

Additional details clarifying the VAT registration mechanism are found in the VAT registration guide, a document posted on the FTA online portal under the “Advice” tab. This document covers the calculation of turnover for VAT purposes, a walk-through of VAT registration through the FTA registration portal, registration of a VAT group, and the types of books and records a taxpayer must hold to ensure accurate tax compliance.

We strongly advise businesses to visit the FTA website to initiate their VAT registration application by their applicable deadline, after having considered the guidance provided by the FTA and other advice as required (for instance on VAT grouping).
Businesses should allow time to compile the required information for the VAT registration.

VAT in the U.A.E. – time to act.

October 16th, 2017


VAT, as a general consumption tax, will apply to the majority of transactions in goods and services. A limited number of reliefs may be granted.

As a result, the cost of living is likely to increase slightly, but this will vary depending on an individual’s lifestyle and spending behaviour. If an individual spends mainly on those things which are relieved from VAT, he is unlikely to see any significant increase.

The government will include rules that require businesses to be clear about how much VAT an individual is required to pay for each transaction. Based on this information, individuals can decide whether to buy something.

Implication of VAT on businesses

Businesses will be responsible for carefully documenting their business income, costs and associated VAT charges. Businesses that meet the minimum annual turnover requirement (as evidenced by their financial records) will be required to register for VAT. Businesses that do not think that they should be VAT registered should maintain their financial records in any event, in case the ministry needs to establish whether they should be registered. The FTA does have the power to conduct audits on taxable persons and subsequently impose penal measures on those that are not compliant with the law.

A business must register if the total value of their taxable supplies made within the UAE exceeds the mandatory registration threshold over the previous 12 month period, or they anticipate making taxable supplies with a value exceeding the mandatory registration threshold in the next 30 days.

The mandatory registration threshold is AED 375,000.

A business may also apply to register if they do not meet the mandatory registration criteria and the total value of their taxable supplies or taxable expenditure in the previous 12 months exceeds the voluntary registration threshold, or they anticipate that the total value of their taxable supplies or taxable expenditure will exceed the voluntary registration threshold in the next 30 days.

The voluntary registration threshold is AED 187,500.

For the purposes of understanding whether a registration obligation exists, a taxable supply refers to a supply of goods or services, made by a business in the U.A.E., that may be taxed at a rate of either 5%, or 0%. Imports are also taken into consideration for this purpose, when a supply of such goods or services would be taxable when made within the U.A.E.

VAT registration requires some official documents, and some important documents must be completed before an application is submitted. On the basis of these documents, businesses will receive their VAT registration in the form of a VAT certificate. Every VAT certificate will have a specific identification number, which will be essential for all VAT-related tasks in the UAE.

The process for VAT registration and fee submission will be done online. The following documents are required for VAT registration in the UAE:
1. Copy of Trade License
2. Passport copy of the owner/partners who own the license
3. Copy of Emirates ID of the owner/partners who own the license
4. Memorandum of Association (MOA)
5. Contact Details of company (complete address & P.O Box)
6. Concerned person contact details
7. Email of the concerned person
8. Copy of all bank accounts and statements including IBAN
9. Owner has any other entities?
10. Income statement for the last 12 months
11. Expected revenue and expense for the next 30 days after VAT implementation
12. Are they exporting, or importing?
13. Are they dealing with any custom department? If yes. What is the custom code?
14. Are they doing business with any other G.C.C. country? (Country name)
15. If they represent more than one entity, whether they want one tax group number for all of the entities, or separate tax numbers for each entity.
16. Experience of business (owners or directors involved in any previous businesses in the last 5 years?)

The submission of the documents will be done when you have registered online.
After online VAT registration and fees payments, you will be allowed to submit the documents. After the verification of the documents and completion of the process, a VAT certificate will be provided.

VAT will be charged at 0% in respect of the following main categories of supplies:

• Exports of goods and services to outside the GCC States that implement VAT
• International transportation, and related supplies
• Supplies of certain sea, air and land means of transportation (such as aircrafts and ships)
• Certain investment grade precious metals (e.g. gold, silver, of 99% purity)
• Newly constructed residential properties, that are supplied for the first time within 3 years of their construction
• Supply of certain education services, and supply of relevant goods and services
• Supply of certain Healthcare services, and supply of relevant goods and services

The following categories of supplies will be exempt from VAT:

• The supply of some financial services
• Residential properties
• Bare land
• Local passenger transport

Registered businesses and traders will charge VAT to all of their customers at the prevailing rate and incur VAT on goods/services that they buy from suppliers. The difference between these sums is reclaimed or paid to the government.

VAT-registered businesses generally:
• must charge VAT on taxable goods or services they supply
• may reclaim any VAT they have paid on business-related goods or services
• keep a range of business records which will allow the government to check that they have got things right.

VAT-registered businesses must report the amount of VAT they have charged and the amount of VAT they have paid to the government on a regular basis. It will be a formal submission and it is likely that the reporting will be done online.

If they have charged more VAT than they have paid, they have to pay the difference to the government. If they have paid more VAT than they have charged, they can reclaim the difference.

Please note there will be a year-end rush on consulting services. We have already received over 100 inquiries for software consulting support, so don’t leave it too late.

SQL Server 2012 Service Pack 4 (SP4) is available

October 16th, 2017

SQL Server 2012 Service Pack 4 (SP4) has been released. This release has 20+ improvements centered around performance, scalability and diagnostics to enable SQL Server 2012 to perform faster and scale out of the box on modern hardware design.

SQL Server 2012 SP4 includes all the fixes up to and including SQL Server 2012 SP3 CU10.

Security security security

September 26th, 2017

You never know when some item that queries or alters data in SQL Server will cause issues.

Bruce Schneier recently commented on FaceID and Bluetooth security, the latter of which has a vulnerability issue. I was amazed to see his piece on infrared camera hacking. A POC on using light to jump air gaps is truly frightening. It seems that truly anywhere that we are processing data, we need to be thinking (see https://arstechnica.com/information-technology/2017/09/attackers-can-use-surveillance-cameras-to-grab-data-from-air-gapped-networks/)

Airborne attacks, unfortunately, provide a number of opportunities for the attacker. First, spreading through the air renders the attack much more contagious, and allows it to spread with minimum effort. Second, it allows the attack to bypass current security measures and remain undetected, as traditional methods do not protect from airborne threats. Airborne attacks can also allow hackers to penetrate secure internal networks which are “air gapped,” meaning they are disconnected from any other network for protection. This can endanger industrial systems, government agencies, and critical infrastructure. With BlueBorne, attackers can gain full control right from the start. Moreover, Bluetooth offers a wider attack surface than WiFi, almost entirely unexplored by the research community, and hence contains far more vulnerabilities.

Finally, unlike traditional malware or attacks, the user does not have to click on a link or download a questionable file. No action by the user is necessary to enable the attack.

Fully patched Windows and iOS systems are protected

The Equifax breach, for example, must worry everyone who has ever had credit in the USA. (Hackers broke into Equifax’s computer systems in March, which is two months earlier than the company had previously disclosed, according to a Wall Street Journal report.)

The Securities and Exchange Commission said Wednesday that a cyber breach of a filing system it uses may have provided the basis for some illegal trading in 2016. In a statement posted on the SEC’s website, Chairman Jay Clayton said a review of the agency’s cybersecurity risk profile determined that the previously detected “incident” was caused by “a software vulnerability” in its EDGAR filing system (which processes over 1.7 million electronic filings in any given year.) The agency also discovered instances in which its personnel used private, unsecured email accounts to transmit confidential information.

So let me suggest you take a good look at your systems and be honest – do you feel safe?

Microsoft has released Microsoft 365, a complete, intelligent solution, including Office 365, Windows 10, and Enterprise Mobility + Security, that empowers everyone to be creative and work together, securely.

What about your websites?
Although acts of vandalism such as defacing corporate websites are still commonplace, hackers prefer to gain access to the sensitive data residing on the database server and then to sell the data.

The costs of not giving due attention to your web security are extensive. Apart from the direct financial burden and inconvenience, you also risk:
• Loss of customer confidence, trust and reputation with the consequent harm to brand equity
• Negative impact on revenues and profits arising e.g. from falsified transactions, or from employee downtime
• Website downtime – in effect the closure of one of the most important sales and marketing channels, especially for an e-business
• Legal battles and related implications from Web application attacks and poor security measures, including fines and damages to be paid to victims.

Web Security Weaknesses
Hackers will attempt to gain access to your database server through any way they can, e.g. out of date protocols on a router. Two main targets are:
• Web and database servers.
• Web applications.

Information about such exploits is readily available on the Internet, and many have been reported on this blog previously.

Web Security Scanning
It is no surprise, then, that web security should contain two important components: web and database server security, and web application security.

Addressing web application security is as critical as addressing server security.

Firewalls and similar intrusion detection mechanisms provide little defense against full-scale web attacks. Since your website needs to be public, security mechanisms allow public web traffic to communicate with your web and database servers (i.e. over port 80).

It is of paramount importance to scan the security of these web assets on the network for possible vulnerabilities. For example, modern database systems (e.g. Microsoft SQL Server, Oracle and MySQL) may be accessed through specific ports and so anyone can attempt direct connections to the databases to try and bypass the security mechanisms used by the operating system. These ports remain open to allow communication with legitimate traffic and therefore constitute a major vulnerability.

Other weaknesses relate to the database application itself and the use of weak or default passwords by administrators. Vendors patch their products regularly, and equally regularly new ways of attack are found.

75% of cyber attacks target weaknesses within web applications rather than directly at the servers. Hackers launch web application attacks on port 80. Web applications are more open to uncovered vulnerabilities since these are generally custom-built and therefore pass through a lesser degree of testing than off-the-shelf software.

Some hackers, for example, maliciously inject code within vulnerable web applications to trick users and redirect them towards phishing sites. This technique is called Cross-Site Scripting (XSS) and may be used even though the web and database servers contain no vulnerability themselves.

Hence, any web security audit must answer the questions “which elements of our network infrastructure are open to hack attacks?”, “which parts of a website are open to hack attacks?”, and “what data can we throw at an application to cause it to perform something it shouldn’t do?”

Ask us about Acunetix and Web Security
Acunetix ensures web site security by automatically checking for SQL Injection, Cross Site Scripting, and other vulnerabilities. It checks password strength on authentication pages and automatically audits shopping carts, forms, dynamic content and other web applications. As the scan is being completed, the software produces detailed reports that pinpoint where vulnerabilities exist.

VAT for the U.A.E. some updates – July 2017

July 15th, 2017

Any taxable person must retain VAT invoices issued and received for a minimum of 5 years.

Imports
The place of supply will determine whether a supply is made within the UAE (in which case the UAE VAT law will apply), or outside the UAE for VAT purposes. For a supply of goods, the place of supply should be the location of goods when the supply takes place – with special rules for certain categories of supplies (e.g. water and energy, cross border supplies).

For the supply of services, the place of supply should be where the supplier is established – (with special rules for certain categories of supplies e.g. cross border supplies between businesses).

VAT shall be payable in addition to the customs duties paid by the importer of the goods and cannot be deducted against. VAT shall be computed on the value that includes the customs duties.

Some goods that are imported may be exempt from customs duties but be subject to VAT.

VAT is due on the goods and services purchased from abroad. In case the recipient in the State is a registered person with the Federal Tax Authority for VAT purposes, the VAT would be due on that import using a reverse charge mechanism. In case the recipient in the State is a non-registered person for VAT purposes, VAT would be paid on import of goods from a place outside the GCC. Such VAT will typically be required to be paid before the goods are released to the person.

Exempt and zero rate
- The VAT treatment of real estate will depend on whether it is a commercial or residential property. Supplies (including sales or leases) of commercial properties will be taxable at the standard VAT rate (i.e. 5%).
- Supplies of residential properties will generally be exempt from VAT to ensure that VAT does not constitute an irrecoverable cost to persons who buy their own properties. To ensure that real estate developers can recover VAT on construction of residential properties, the first supply of residential properties within 3 years from their completion will be zero-rated.

There is a difference between exempt goods and zero-rated goods (for example, the zero rate might be raised in future).
VAT will be charged at 0% in respect of the following main categories of supplies:
• Exports of goods and services to outside the GCC;
• International transportation, and related supplies;
• Supplies of certain sea, air and land means of transportation (such as aircrafts and ships);
• Certain investment grade precious metals (e.g. gold, silver, of 99% purity);
• Newly constructed residential properties, that are supplied for the first time within 3 years of their construction;
• Supply of certain education services, and supply of relevant goods and services;
• Supply of certain Healthcare services, and supply of relevant goods and services.

The following categories of supplies will be exempt from VAT:
• The supply of some financial services (clarified in VAT legislation);
• Residential properties;
• Bare land;
• Local passenger transport

Financial Services
It is expected that fee based financial services will be taxed but margin based products are likely to be exempt.
Generally, insurance (vehicle, medical, etc) will be taxable.
Life insurance, we understand, will be treated as an exempt financial service.

The VAT treatment of Islamic finance products will be aligned with the treatment of similar standard financial services.

Businesses that meet the requirements of the legislation (such as being resident in the UAE and being related/associated parties) will be able to register as a VAT group. For some businesses, VAT grouping will be a useful tool to simplify accounting for VAT.

Offsetting VAT.
VAT registered businesses will be able to reduce their output tax liability by the amount of VAT that relates to bad debt which has been written off by the VAT registered business. The legislation will include the conditions and limitations concerning the use of this relief.

A scheme will be introduced to allow a UAE national who is not registered for VAT to reclaim VAT paid on goods and services relating to constructing a new residence which will be privately used by the person and his family. This will allow the recovery of VAT on such expenses as contractor’s services and building materials.

To avoid double taxation (where second hand goods are acquired by a registered person from an unregistered person for the purpose of resale), the VAT-registered person will be able to account for VAT on sales of second hand goods with reference to: the difference between the purchase price of the goods, and the selling price of the goods (that is, the profit margin).

The VAT which must be accounted for by the registered person, will be included in the profit margin. The legislation will include the details of the conditions to be met in order to apply this mechanism.

VAT on expenses
A VAT registered person incurs input tax on its business expenses, and this input tax can be recovered in full when it relates to a taxable supply that was made, or intended to be made, by the registered person. In contrast, where the expense relates to a non-taxable supply (e.g. exempt supplies), then the registered person may not recover the input tax paid.

VAT will not be deductible in respect of expenses incurred for making non-taxable supplies. Furthermore, input tax cannot be deducted when it is incurred in respect of specific expenses such as entertainment expenses e.g. for employee entertainment.

VAT on expenses that were incurred by a business can be deducted in the following circumstances:
• The business must be a taxable person (the end consumer cannot claim any input tax refund).
• VAT should have been charged correctly (i.e. unduly charged VAT is not recoverable).
• The business must hold documentation showing the VAT paid (e.g. valid tax invoice).
• The goods or services acquired are used or intended to be used for making taxable supplies.
• VAT input tax refund can be claimed only on the amount paid or intended to be paid before the expiration of 6 months after the agreed date for the payment of the supply.

In certain situations, an expense may relate to both taxable and non-taxable supplies made by the registered person (such as activities of the banking sector). In these circumstances, the registered person would need to apportion input tax between the taxable and non-taxable (exempt) supplies.

Businesses will be expected to use input tax (ratio of recoverable to total) as a basis for apportionment in the first instance – (there will be the facility to use other methods where those are fair and agreed with the Federal Tax Authority).

Compliance and returns
Penalties will be imposed for non-compliance. Examples of actions and omissions that may give rise to penalties include:
• A person failing to register when required to do so;
• A person failing to submit a tax return or make a payment within the required period;
• A person failing to keep the records required under the issued tax legislation;
• Tax evasion offences where a person performs a deliberate act or omission with the intention of violating the provisions of the issued tax legislation.

No special rules are planned for small or medium sized enterprises. The FTA will make materials and resources available to these entities to assist them in their enquiries.

A supplier registered or required to be registered for VAT must issue a valid VAT invoice for the supply. To be considered as a valid VAT invoice, the document must follow a specific format as mentioned in the legislation. In certain situations the supplier may be able to issue a simplified VAT invoice.

Government entities
Supplies made by government entities will typically be subject to VAT. This will ensure that government entities are not unfairly advantaged as compared to private businesses. Certain supplies made by government entities will, however, be excluded from the scope of VAT if they are not in competition with the private sector or where the entity is the sole provider of such supplies. It is likely certain government entities will be entitled to VAT refunds – this is designed to avoid budgeting issues and provide a level playing field between outsourced and insourced activities. For the supplies provided for government entities, the treatment of such supplies shall depend on the same supply and not on the recipient of the supply. Therefore, if the supply is subject to the standard tax rate, the treatment would remain the same even if it is provided to a government entity.

Transitional rules
Special rules will be provided to deal with various situations that may arise in respect of supplies that span the introduction of VAT. For example:
• Where a payment is received in respect of a supply of goods before the introduction of VAT, but the goods are actually delivered after the introduction of VAT. This means that VAT will have to be charged on such supplies. Likewise, special rules will apply with regards to supplies of services spanning the introduction of VAT.
• Where a contract is concluded prior to the introduction of VAT in respect of a supply, which is wholly or partly made after the introduction of VAT, and the contract does not contain clauses relating to the VAT treatment of the supply, then consideration for the supply will be treated as inclusive of VAT.

There will, however, be special provisions to allow suppliers to charge VAT in situations where their recipient is able to recover their VAT but where there is no VAT clause.

Payments and claims
Note that VAT will be payable in full, not after netting off input tax, which will then have to be claimed. This is more of a challenge for cash flow and business risk, especially given the penalties for late payments.
Refunds will be made after the receipt of the application and will be subject to verification checks, with a particular focus to avoid fraud.

The FTA may provide its views on various matters in the law. Taxpayers may choose to challenge these views. However, penalties may be imposed on taxpayers who are found to violate any tax laws and regulations.

Other Emirates
It is expected that businesses will need to complete additional information on their VAT returns to report revenues earned in each Emirate. Guidance will be provided to businesses with regards to this. It is expected that the rules will be relatively straightforward for most businesses and will be based, for example, for B2C transactions, on the location of the transaction (e.g. in a retail environment, the location of the shop).

European Union General Data Protection Regulation (GDPR) – 2018 what should GCC countries consider?

May 30th, 2017

The UAE Ministry of Economy is raising awareness among private sector companies of the need to be ready for new European data protection rules, which come into force one year from now.

The European Union General Data Protection Regulation (GDPR) is set to become law by May 2018. The new rules govern all companies in Europe, as well as all companies trading with European companies and individuals.

The GDPR was drafted to “harmonise the protection of fundamental rights and freedoms of natural persons in respect of processing activities and to ensure the free flow of personal data between Member States”.

The law includes strong penalties for either misuse of data, or failure to protect the personal data of customers, with fines of up to 4% of annual turnover, or 20m euros ($22m).

HE Juma Mohammed Al Kait, Assistant Undersecretary for Foreign Trade at the Ministry of Economy, noted that the regulation issued by the EU aims to protect the data of every individual in the EU.

This not only impacts companies operating in European countries, but includes all institutions and companies that conduct business, trade and investment activities within EU countries, including the UAE business sector linked with European trade relations.

Due to this, the Ministry is working on deepening its knowledge about the new legislation, its provisions and requirements, and aims to reconcile its operational procedures with European authorities, in adherence with the framework of the GDPR, before May 2018.

Al Kait emphasized the EU is one of the UAE’s most important trade partners. Trade between the two sides generated $65.8 billion in 2016 alone. The UAE has become one of the top 10 destinations for EU exports, and is home to over 41,000 European companies, in addition to over 121,000 EU citizens.

Penalties will also apply to information controllers and processors, including cloud software companies.

The new legislation also outlines terms of approval for the use of data, to prevent companies from using legally illegitimate terms, and gives both parties the ability to easily withdraw if desired.

The compliance world will change dramatically for a number of GCC organizations on 25 May 2018. In just over one year’s time, GCC organizations that:
1. have a branch, subsidiary or single representative in the European Union (“EU”);
2. do not have a physical presence in the EU, but offer goods or services to data subjects in the EU; or
3. neither have a physical presence in the EU nor offer goods or services to people in the EU, but monitor the online behavior of data subjects in the EU,
will have to ensure that they are complying with the European Union General Data Protection Regulation (“GDPR”).

Who is likely to be affected?

Based on the test set out in the GDPR, the new regulations will likely apply to a significant number of entities in this region.
Obvious examples include:
- major airlines that fly to and from the EU,
- hotel and tourism operators who promote travel to the region to EU data subjects,
- regional banks and other financial service companies that have branches in the financial centres in the EU and online.

Less obvious examples include:
- e-commerce companies that are able to accept payments in euros and deliver to the EU
- mobile apps that can be downloaded by users in the EU and which have access to a user’s contacts, photos or location data.

All of these businesses may need to comply with the GDPR and to mitigate the risk and cost of failure to do so.
If your organization is affected it has three main options:
1. wait and see, i.e. do nothing (not advisable);
2. consider what it needs to do to ensure that it does not fall within the scope of the GDPR;
3. take immediate steps to prepare to comply with the GDPR.

For option (2), if your organization does not have an establishment in the EU and does not need to target or monitor EU data subjects, then you might consider making it very clear that your website or app is not for use by EU users (e.g. including geo-blocking EU data subjects).

For option (3), if you have not started the process of ensuring compliance by now, then there is a lot to do.

1. monitor business to consumer business practices, including:
- conducting a data protection audit,
- examining the legal basis on which it processes personal data and updating its privacy policies;
2. monitor internal business practices, including:
- reviewing and updating agreements with data processors,
- implementing processes for adoption of pseudonymization and privacy by design,
- considering the legal basis on which it transfers personal data between jurisdictions;
3. establish compliant accountability processes, including:
- processes for record keeping,
- appointment of a data protection officer or EU representative and dealing with data subjects;
4. invest in infrastructure, including:
- how to determine the severity, and impact on data subjects, of a data breach,
- establishing robust security processes and procedures for notifying regulatory authorities and data subjects.

The need for compliance, especially for longer-term projects such as records of processing and compliant contracting, must be addressed as soon as is practicable.

Businesses that either operate, target customers or monitor individuals in the EU should:
• Audit: to identify key remediation areas.
• Record of Processing: This mandatory record will require significant internal resources, but will also help to plan and implement GDPR processes.
• Consider Contract Renegotiations: The GDPR requires that contracts with data controllers include additional obligations. As companies come to renegotiate contracts, ensure that adequate data protection clauses are added.
• Review and update, where necessary, employee notices to be GDPR compliant. If you currently conduct criminal records checks, then review national laws where you operate to ensure you can continue to do so. There is an emphasis on transparency in the GDPR. Notices must be clear, concise and informative. Employees must be adequately informed of all data processing activities and data transfers, and the information set out in Articles 13 to 14 must be provided. Criminal records can no longer be processed unless authorized by member state law.

Consider whether your organization is processing any sensitive personal data and ensure the requirements for processing such data are satisfied. While the grounds for processing are broadly the same as those set out in the current Data Privacy Directive, the GDPR imposes new requirements to gain valid consent. Consent can be withdrawn at any time and systems must be able to handle withdrawal requests.

• Review and update, where necessary, customer notices to be GDPR compliant.
• Consider whether your notices have to accommodate “child-friendly requirements”. The GDPR requires parental consent for the processing of data related to information society services offered to a “child” (ranging from 13 to 16 years old depending on the member state).
• Data privacy rights. The current rights to request access to data or require it to be rectified or deleted have been expanded to include a much broader right to require deletion (“the right to be forgotten”), and a right not just to access your data but to have it provided to you in a machine readable format (“data portability”). Versions of the existing right to object to any processing undertaken on the basis of legitimate interests or for direct marketing, and the right not to be subject to a decision based on automated processing, are also included and expressly refer to a right to object to profiling.
These must be clearly communicated in the notices given to data subjects, e.g. the privacy policy.
• Privacy by design. Ensure processes are in place to embed privacy by design into projects (e.g. technical and organizational measures are in place to ensure data minimization, purpose limitation and security).

Consider what data you hold in emails, in CRM systems and on social media.
What should be your data access, use and retention policies?

Personally I think it will be great if this is a way to prosecute the perpetrators of all the spam and phishing emails I get, or at least to remove data from their lists!

3 new Microsoft tools to help you to move to the cloud.

April 18th, 2017

Here’s a breakdown of the three new Microsoft tools to help you move to the cloud faster and what they can offer businesses.

1. Free cloud migration assessment

This assessment will help customers to more easily find and to better understand their current server setups, to help them to determine the cost and the value of moving to the cloud. Once the servers are discovered, the tool can analyze their configurations, and give the user a report of the potential cost drop of moving to Azure.

Data center administrators can export the results of the assessment into a customized report. The report could provide some valuable data and statistics for a CIO conversation with the CFO.

2. Azure Hybrid Use Benefit

This tool should save users money on their cloud deployments. Customers can activate the Azure Hybrid Use Benefit in the Azure Management Portal. It is available on Windows Server virtual machines in Azure, to all customers. “Use your on-premises Windows Server licenses that include Software Assurance to save big on Windows Server VMs in Azure. By using your existing licenses, you pay the base compute rate and save up to 40 percent,” the tool’s web page said.

3. Azure Site Recovery

Azure Site Recovery is meant to ease the process of migrating virtual machines to Azure. Applications running on AWS, VMware, Hyper-V, or physical servers can be moved. Additionally, a new feature in Azure Site Recovery will “allow you to tag virtual machines within the Azure portal itself. This capability will make it easier than ever to migrate your Windows Server virtual machines.”

Other features include automated protection and replication of virtual machines, remote monitoring, custom recovery plans, recovery plan testing, and more.

ASC 606 is coming in 2018

April 17th, 2017

ASC 606 is an updated accounting standard issued by FASB and IASB that is designed to ensure revenue recognition is consistent across industries, geographies, and capital markets. It is intended to increase financial statement comparability across companies and reduce the complexity in revenue recognition.

It applies to virtually all sectors where there are “contracts with customers” (exceptions include leases, insurance, and financial instruments).

The transition period for ASC 606 is underway. If it affects your business then save yourself the hassle and start planning and re-evaluating your contracts now. Don’t underestimate the time or effort required to bring your systems and processes into compliance especially if you are also having to update your systems to accommodate the introduction of VAT.

While it may appear that the changes primarily take place in 2018, there is a 2-year accounting retrospective. Take advantage of this time to prepare for conducting business under this new guidance.

Project failure? – why wait to find out, try a pre-mortem.

January 23rd, 2017

A recent survey by PwC showed that over 85% of Dynamics AX projects failed to achieve their core objectives.

Implementing Dynamics AX has been compared to performing open heart surgery on an organisation, where the stakes couldn’t be higher, and so the ‘physicians’ that are entrusted to give the ‘patient’ its new lease of life need to be masters in their craft and highly experienced.

The same is true of most ERP systems, and indeed of most projects. There is always over-optimism, overconfidence, and an assumption of perfection, despite the copious evidence that other good companies made the same errors of judgement.

So before you start a project, rather than wait to see how it pans out and then do a post-mortem, try holding a pre-mortem. Assume it did not go so well. Ask your project team/stakeholders to write down why.

In the pre-project phase, once a senior executive gives a green light to go ahead, dissenting voices tend to go quiet. Costs are negotiated down rather than risk management, contingency and quality being built in.

A pre-mortem can help you find what people really think and inject a touch of realism, about challenges, realistic scope, time and resources needed. With concerns identified they can be addressed and the team who has to deliver will be much more committed with their concerns out in the open and a less rosy tinted outlook.

Financials for Office 365 – ask Synergy Software Systems, Dubai

October 31st, 2016

Last week, Microsoft announced AppSource – an application store for business, and the Financials for Office 365 app is one of the first to be featured. Users can log on and evaluate a whole range of apps designed for Microsoft Dynamics, Office 365, Cortana Intelligence and the Azure platform, as well as add-ons, extensions and content packages for existing apps. You can search by product type, industry, or category. The apps cover a diverse range of uses, from Finance and Accounting (Financials), to Sales (Linkedin Sales Navigator) and Payments (Paypal).

Financials is designed to seamlessly work with applications you use everyday, from Office 365, Dynamics CRM, Skype for Business, Power BI and more. Track exactly how your business is performing and where your funds are going with powerful real-time reporting.

Inventory Management: Know your real-time stock availabilities and movements. From single items to multiple warehouses, it has your supply chain covered.
Sales: A complete solution for sales that is flexible in a world of negotiations, discounts and credits.
Purchasing: Stay ahead with purchasing strategies that help keep your business lean and agile to meet the demands of the market.
Manufacturing: Keep your processes lean while managing the fine details by accounting for multiple levels of Bill of Materials and the use of items and resources.
Fixed Assets: Know the value of your company’s fixed assets. From purchasing and selling the fixed asset, to having multiple depreciation books as well as disposal, you are able to see the changes in value of what you own.

Subscriptions are available from tomorrow for ‘lite’, ‘standard’ and ‘performance’ editions. For pricing plans and feature details see http://www.o365financials.com/for-business/pricing

SQL Cumulative updates for September 2016

September 24th, 2016

Cumulative update 14 release for SQL Server 2012 SP2 is now available for download at the Microsoft Downloads site. Please note that registration is no longer required to download Cumulative updates.
CU#14 KB Article: https://support.microsoft.com/en-us/kb/3180914
Microsoft® SQL Server® 2012 SP2 Latest Cumulative Update: https://www.microsoft.com/en-us/download/details.aspx?id=50731
Cumulative update 5 release for SQL Server 2012 SP3 is now available for download at the Microsoft Downloads site. Please note that registration is no longer required to download Cumulative updates.
To learn more about the release or servicing model, please visit:
• CU#5 KB Article: https://support.microsoft.com/en-us/kb/3180915
• Microsoft® SQL Server® 2012 SP3 Latest Cumulative Update: https://www.microsoft.com/en-us/download/details.aspx?id=50733
• Update Center for Microsoft SQL Server: http://technet.microsoft.com/en-US/sqlserver/ff803383.aspx
Microsoft also just announced that Cumulative Update 2 for SQL Server 2016 is now available for download here. There are a number of fixes, including one regarding the Query Store. See here – you should seriously consider it if you are running SQL Server 2016.

Stephen Jones
Director
Synergy Software Systems
009714 3365589
Visit our active blog site for news and the latest product information
www.synergy-software.com/blog
Microsoft Award – Highest Customer Satisfaction 2014
Microsoft President’s Club 2015

Gartner shows Microsoft Azure as a cloud leader for the third successive year

September 23rd, 2016

Gartner has recently identified Microsoft Azure as a leader in the analyst firm’s Magic Quadrant for Cloud Infrastructure as a Service (IaaS), for the third year in a row, based on both completeness of vision and the ability to execute.

Microsoft’s Azure cloud platform enables the creation of virtual networks, servers and machines, and supports multitenant storage, object storage and a robust content delivery network for both Microsoft and other vendor solutions. Azure also provides advanced services such as machine learning and Internet of things.

The Azure infrastructure has security integrated from the ground up, and all data, whether at rest or in transit, is strongly encrypted. All offerings are supported by a leading-edge Cyber Defense Operations Centre that monitors customer infrastructure around the clock.

Gartner’s announcement comes at a time when the Gulf region is taking strident steps towards cloud infrastructure adoption. Saudi Arabia plans to invest $2 trillion in IT projects in the coming years, with a significant portion to be invested in cloud. Meanwhile, the United Arab Emirates will see a gradual growth in IT spend from now until 2020, according to a report from BMI Research. A compound annual growth rate (CAGR) of 3.4 per cent is expected.

An accompanying decline in hardware sales, together with BMI’s prediction that SaaS will take an increasing share of software sales, strongly indicates a decisive shift to cloud for the GCC.

When Microsoft announced the G series of virtual machines, back in Q1 of 2015, it represented the most memory, highest processing power and the largest local SSD capacity of any VMs then available in the public cloud. The G series allowed Azure to lead the market with continued innovation, also supporting SAP HANA workloads up to 32 TB. Azure also has industry-wide recognition for its support of Linux and other open-source technologies, with nearly one third of all Azure VMs on Linux boxes.

Gartner’s report singled out Microsoft’s “rapid rollout” of these new features and many others, signaling that the company’s brand and history, both with its customers and with its delivery of enterprise-class solutions and services, combine to allow the company to ‘rapidly attain the status of strategic cloud IaaS provider’.
“Microsoft Azure encompasses integrated IaaS and PaaS components that operate and feel like a unified whole,” Gartner analysts wrote.

“Microsoft has been rapidly rolling out new features and services, including differentiated capabilities. It has a vision of infrastructure and platform services that are not only leading standalone offerings, but also seamlessly extend and interoperate with on-premises Microsoft infrastructure (rooted in Hyper-V, Windows Server, Active Directory and System Center), development tools (including Visual Studio and Team Foundation Server [TFS]), middleware and applications, as well as Microsoft’s SaaS offerings.”

Gartner’s analysts also cited Microsoft’s “deep investments” in engineering and “innovative roadmap” as crucial factors in the company’s current IaaS market standing. The report further recommends Microsoft Azure for general business applications and development environments that use Microsoft technologies; migration of virtualized workloads for Microsoft-centric organizations; cloud-native applications (including Internet of Things applications); and batch computing.

Microsoft is the leading platform and productivity company for the mobile-first, cloud-first world, and its mission is to empower every person and every organisation on the planet to achieve more.

Microsoft Gulf opened its Dubai-based headquarters in 1991, the same year as Synergy Software Systems.

For cloud hosting, or to back up to the cloud, or for applications like Dynamics 365 or Ax RTW (7) or Synergy MMS, or our xRM HIS, or Imaging storage, and Document management, or for cloud based monitoring of your clouds and on premise networks, find out how we can help with your move to the cloud.

Windows Server 2016 – Synergy Software Systems, preview.

September 19th, 2016

Microsoft will launch Windows Server 2016 at the upcoming Ignite event on September 26-30. (The event is sold out, but sessions will be available online).
Security is the main focus area for this release. Windows Server 2016 includes layers of security that help prevent attacks and detect suspicious activity, with new features to control privileged access, protect virtual machines and harden the platform against emerging threats.

- Better detect threats using Microsoft Operations Management Suite and new Windows Server 2016 security events
- Use Microsoft Operations Management Suite with the new Windows Server 2016 security events
- Protect credentials from ‘Pass the Hash’ attacks using Credential Guard and Remote Credential Guard
- Deploy Shielded Virtual Machines
- Device Guard helps to control what runs on your server so that you can lock down highly sensitive servers and make sure your environment is running authorized code
- Manage privileged identity using ‘Just Enough’ administration

Why the ‘cloud’? What is a hybrid cloud? Ask Synergy Software Systems, Dubai

September 19th, 2016

Buy or rent? On premise or SaaS? The answer to these questions, for enterprise computing, goes in cycles. When mainframe computing was at its peak, many organizations did not own such expensive machines outright and many companies rented processing time on these machines when needed, an arrangement known as time-sharing.
Moore’s law changed that. The era of mini — and then micro — computing made processing power so cheap that many organizations chose to own. As enterprise computing infrastructures became more complex, and the cost and difficulty of finding expert IT staff increased, renting, or subscription as it is now called, has come back into vogue once more, in the form of Software-as-a-Service (SaaS) and cloud computing.

The terms “cloud” and “data center” may sound like interchangeable technical jargon or trendy buzz words. A data centre is ideal for those companies that need a customized, dedicated system that gives them full control over their data and equipment. Typically those with many integrations, and uncertain internet connections, and an internal IT team will consider this route. Since only the one company will be using the infrastructure’s power, a data centre is suitable for organizations that run many different types of applications and complex workloads.

A data centre, however, has limited capacity — once you build a data centre, you will not be able to instantly change the amount of storage or processing power to accommodate, for example, significant changes in workload and data processing. On the other hand, a cloud system is scalable to your business needs. It has potentially unlimited capacity, based on your vendor’s offerings and service plans. When you are looking at big data processing for predictive analytics, or have high day-end or seasonal workloads, then the ability to ramp up and down is important to avoid oversizing. For project-based companies, both the number of user licences required and the processing power may vary from year to year. For a rapidly expanding company, hardware and server room expansion and management is a challenge on premise.

In a recent IDC (International Data Corporation) multi-client study (CloudView 2016), respondents to the survey said that they expect to increase their cloud spending by approximately 44% over the next two years, and 70% of heavy cloud users are thinking in terms of a “hybrid” cloud strategy.

The idea of a hybrid cloud is to get the best of on-premise deployment by leveraging cloud services. Some work is done on premise, some on the cloud, e.g. BI or payment gateway. A combination of both public and private platforms, a hybrid cloud is meant to provide organizations with greater IT and infrastructure flexibility, as well as visibility and control over their cloud usage. The result should be that a hybrid cloud enables business agility, including streamlined operations and improved cost management.

Sounds good, but what does it all mean and what are the challenges? First let’s review some of the basic concepts.

Public Cloud
A public cloud is one in which the services and infrastructure are provided off-site, over the Internet. Data centre hardware is not owned by clients and so you face no capital expenses. Instead, providers sell hosting as a ‘utility’ or rental service. Providers offer maintenance, disaster recovery and backup, however basic this may be. This is typically a multi-tenant software solution. Individual company data sits in separate blocks in a common clustered hardware. Data for individual organisations is kept separate and protected with robust security. Breaches of data with a reliable provider are rare. However, some security standards are not suitable for very sensitive data, rigorous audit trails or industry-specific compliance.

A public cloud is used to host web servers or develop applications. It is attractive to small and mid-sized enterprises (SMEs) when they are happy to use out-of-the-box menu specifications. Virtual machines are configured quickly – often within hours. Some SaaS (Software as a Service) services are placed within a public cloud when they have high levels of built-in security.

Private Cloud
A private cloud is one in which the services and infrastructure are maintained on a private network. It operates on an isolated network and is extremely secure. It keeps data behind a firewall and is built either on-premise or in a ring-fenced section of a data centre. A Private cloud is a single tenant solution, with the hardware accessed by one, or multiple businesses. It’s an ideal solution for enterprise organisations or specialist firms with high levels of security and compliance. Clients generally maintain their own cloud system and own their hardware.

Security and compliance on private cloud is configured to meet compliance standards. Private cloud systems cost much more than public cloud and re-configuring is more complex and lengthy.

Hybrid Cloud
Hybrid cloud uses public and private cloud for different elements of computing. Only some elements will require high security and customisation but others will not. Hybrid cloud offers private cloud for sensitive data but keeps non-sensitive, generic data (e.g. customer literature) in a cheaper public cloud environment. Hybrid cloud is usually hosted by different cloud providers – one for public and one for private. Hybrid cloud benefits companies who experience seasonal spikes so extra computing power is deployed quickly and cheaply in public cloud while keeping sensitive information in its private cloud.

A Hybrid cloud is the biggest growth area in cloud computing for enterprise businesses. As servers become ‘smarter’, hybrid cloud is estimated to represent 75% of future enterprise cloud computing.

A hybrid cloud does not mean failover to onsite, for which a failover solution or a clustered install is needed, and the failover can be to any other site whether local, remote or on cloud. Nor does hybrid mean an offline, on-premise working option.

IBM’s Institute for Business Value (IBV) polled more than 1,000 C-level executives to reveal that 78% of respondents deploy a cloud initiative that is fully integrated or coordinated — an increase from 34% in 2012. Enterprises may be embracing the cloud, but they are not yet fully invested in a cloud-only strategy. Across 18 industries, 45% of workloads are expected to remain on-premise in the near future.

A hybrid cloud deployment is a collaboration of public cloud, private cloud and traditional IT platforms that allow enterprises to customize a cloud solution that meets the particular needs of their company. The top motivating factors for adopting hybrid cloud solutions, according to the IBM study, include lowering the total cost of ownership, facilitating innovation, improving efficiency and meeting customer expectations.

Among the companies that embrace cloud computing, 76% responded that they were able to expand into new industries, 71% created new revenue sources and 69% supported new business models.

Security remains a concern, however, and has become a hurdle for companies and a deterrent from fully investing in the cloud. Nearly half of respondents expressed that security and compliance risks are a challenge in IBM’s study, while 41% of respondents expressed that the cost of the cloud was a deterrent and 38% feared a disruption to company operations by introducing a new cloud solution.

When survey respondents are segmented by performance, IBM concludes that twice as many high performers have fully integrated their cloud initiatives compared to low performers.

Nati Shalom recently discussed, in his post Achieving Hybrid Cloud Without Compromising On The Least Common Denominator, a survey that demonstrates that enterprises these days are often leveraging as many as six clouds simultaneously, and the list just keeps on growing with new technologies sprouting up by the minute. “IT markets are not just moving to the cloud — they are moving to ‘clouds’,” said Ed Anderson, research vice president, and Sid Nag, research director at Gartner, in their report “Market Trends: Cloud Adoption Trends Favor Public Cloud With a Hybrid Twist,” published August 4, 2016. “Evidence is mounting that as organizations mature in their usage of cloud services they are opting to use multiple cloud services, bound together through hybrid implementations.”

That’s why solutions like the Azure Stack, which are also geared towards multi-cloud scenarios in the context of app migration to the cloud from traditional data centers, especially while taking all of the enterprise-grade considerations involved in such a transition into account, are critical.

Many solutions don’t provide the extensibility and interoperability that enterprises need for future-proofing and application deployment portability, among other popular use cases across clouds. Hybrid cloud itself has also proven that it isn’t immune to future proofing, with disruptive technologies arising every day.

Azure users now have a set of building blocks for managing the entire application stack and its lifecycle, across clouds, stacks and technologies. And with Microsoft now having the most open source developers on GitHub, yup – ahead of Facebook, Angular, and even Docker – Azure is uniquely positioned to achieve this level of openness and interoperability.
This will also ultimately provide a higher degree of flexibility that allows users to define their own level of abstraction per use case or application. In this manner, cloud portability is achievable without the need to change the underlying code, enabling true hybrid cloud.

Fifty-five percent of CIOs surveyed by Gartner indicated that by 2020 they will structure more than half of their applications as SaaS or manage them in a public cloud infrastructure. To manage and govern public, private and hybrid cloud services requires a focus on cloud management. This, in turn, requires new roles, processes and technologies.

Key employee roles for the hybrid cloud
Database professionals: to filter out business critical data from the data overload we have today. A Big Data Foundation professional will be familiar with Hadoop and MongoDB.
Software developers: no longer just push code; they are pivotal to the user experience and thus the user adoption of cloud solutions.
Information security managers: must appreciate the risks involved with business data and discuss this across the organization (at all levels) to align key stakeholders in positions to invest in and implement security measures.
Enterprise architects: today solution architects need the skills to adapt to cloud computing and hybrid cloud environments. Companies want to avoid working with ad hoc systems implementations, and architects who understand cloud computing and all its service models are in high demand to design a scalable and sustainable cloud infrastructure which optimizes the use of private and public cloud.
Business managers: working in the cloud, they need to understand how the technical infrastructure supports the business strategy to get the benefits of cloud computing to drive their objectives.

Microsoft’s Hybrid cloud blog: https://blogs.technet.microsoft.com/hybridcloudbp/2016/09/

If you are considering how the cloud can benefit your business then contact us to explore the many options.

Find out about the new integrated Dynamics 365 offerings. e.g.
Ask about specific vertical solutions like Synergy MMS for hotel facility management, or 7 Medical HIS and imaging solutions
Host your applications in a secure managed cloud – with both fixed price or based on use billing.
Monitor your on site global networks with cloud based monitoring systems.
Use Cortana Analytics and Power BI to turn data into information.
Back up to the cloud.
Skype Business
and much, much more.