Archive for April, 2018

How good is your password? Can it withstand an attack every 39 seconds?

April 27th, 2018

A Clark School study at the University of Maryland found a near-constant rate of hacker attacks of computers with Internet access—every 39 seconds on average—and non-secure usernames and passwords give attackers more chance of success.

“Brute force” hackers, use simple software-aided techniques to randomly attack large numbers of computers.The vast majority of attacks came from relatively unsophisticated hackers using “dictionary scripts,” a type of software that runs through lists of common usernames and passwords attempting to break into a computer.

Top usernames in the hackers’ scripts were “test,” “guest,” “info,” “adm,” “mysql,” “user,” “administrator” and “oracle’ so avoid use of these. The most common password-guessing ploy is to re-enter or to try variations of the username. Some 43 percent of all password-guessing attempts simply reentered the username. The username followed by “123″ was the second most-tried choice.

A password should never be identical or even related to its associated username.

The hackers’ most common sequence of actions is to check the accessed computer’s software configuration, change the password, check the hardware and/or software configuration again, download a file, install the downloaded program, and then run it.

http://www.eng.umd.edu/html/news/news_story.php?id=1881

Total meltdown – patch now and revisit patches mnay are bugged

April 27th, 2018

A person known as XPN, whose blog lists identifies as a hacker and infosec researcher, posted details of a working exploit that takes advantage of Total Meltdown on Monday. The source code for Total Meltdown, a vulnerability created when Microsoft tried to patch the initial Meltdown flaw, is available on GitHub.

XPN describes Total Meltdown as a “pretty awesome” vulnerability in that it allows “any process to access and modify page table entries.”

XPN also noted that the goal was to create an exploit that could “elevate privileges during an assessment,” but it was only to help other people understand the exploitation technique, not to create a read-to-use attack.

Total Meltdown was originally created from a botched patch Microsoft issued for the original Meltdown flaw–of the Spectre/Meltdown vulnerabilities reported earlier.

Whereas the original Meltdown flaw was read-only, Total Meltdown also provides write access. This only affects 64-bit versions of Win7 and Server 2008 R2.

See the Woody on Windows column in Computerworld, https://www.computerworld.com/article/3269003/microsoft-windows/heads-up-total-meltdown-exploit-code-now-available-on-github.
There have been a series of flawed patches and its not pretty reading so take tiem to check out the article in full.

To tell if you’re protected from Total Meltdown, you’ll have to check your patch history. If you have no patches from 2018, you should be good, according to Woody on Windows. If you do have patches, KB 4100480, 4093108, or 4093118 installed, you should also be protected. Without those, Woody on Windows noted, you’ll need to rollback your machine, manually install KB 4093108, or use “Windows Update to install all of the checked April Windows patches.”

However there is lot more cautionary advice to read.

SQL Server 2016 Service Pack 2

April 25th, 2018

SQL Server 2016 Service Pack 2 is released. This SP2 release includes the hotfixes from all released 2016 cumulative updates: SQL Server 2016 CU1 through SP1 CU8.

SQL Server 2016 Updates
Each update is linked to its Microsoft knowledge base article with the download and the list of hotfixes included. The dates show the end of support date

SP2 2018/04/24 13.0.5026.0 2026/07/14
CU8 2018/03/19 13.0.4474.0 2019/04/24
CU7 2018/01/04 13.0.4466.4 2019/04/24
CU6 2017/11/22 13.0.4457.0 2019/04/24
CU5 2017/09/18 13.0.4451.0 2019/04/24
CU4 (w/MDS bug) 2017/08/08 13.0.4446.0 2019/04/24
CU3 2017/05/15 13.0.4435.0 2019/04/24
CU2 2017/03/20 13.0.4422.0 2019/04/24
CU1 2017/01/18 13.0.4411.0 2019/04/24
SP1 2016/11/16 13.0.4001.0 2019/04/24
CU9 2017/11/22 13.0.2216.0 2018/01/09 – out of support
CU8 2017/09/18 13.0.2213.0 2018/01/09 – out of support
CU7 2017/08/08 13.0.2210.0 2018/01/09 – out of support
CU6 2017/05/15 13.0.2204.0 2018/01/09 – out of support
CU5 2017/03/28 13.0.2197.0 2018/01/09 – out of support
CU4 2017/01/18 13.0.2193.0 2018/01/09 – out of support
CU3 2016/11/17 13.0.2186.6 2018/01/09 – out of support
CU2 (see note 1 and note 2) 2016/09/22 13.0.2164.0 2018/01/09 – out of support
CU1 2016/07/25 13.0.2149.0 2018/01/09 – out of support
None (RTM) 2016/06/01 13.0.1601.5 2018/01/09 – out of support

Note 1: CU2 has a known issue with Filestream not working when SecureBoot is enabled. If you’re on Windows Server 2016 or Windows 10, and using SecureBoot (which is enabled by default with Hyper-V Gen2 VMs), and your database has Filestream, then either need disable SecureBoot, or skip CU2 for now.

Note 2: columnstore index users should consider the on-demand hotfix update 13.0.2170.0, which includes serious performance and reliability fixes.

Warnin read the bottom note about “Uninstalling SQL Server 2016 SP2 (Not recommended): there some new features which once installed may give issues if you then try to uninstall.

https://www.microsoft.com/en-us/download/details.aspx?id=56836

Dynamics 365 Spring release and v9.2

April 23rd, 2018

We recently posted about Dynamics 365 Spring release and focused on Finance and Operations Enterprise features and enhancements.

Now lets look at the customer engagement apps. We now have the previously mentioned new Unified Interface framework and Customer Service Hub Dynamics 365 for Marketing

D365 for Marketing includes event management, email marketing and lead nurturing capabilities embedded within the Dynamics 365 user interface.

Dynamics 365 for Sales – Professional Licence. In addition to the functionality of the D365 for Sales Enterprise licence, Microsoft will offer a new streamlined licence at a lower price point for sales teams members only need lighter functionality. This new licence type restricts use of custom entities, workflows and forms and excludes some functionality including hierarchies, sales goals, social engagement and mobile offline sync.

Embedded Intelligence. Previously available as a preview feature (formerly called Relationship Insights),
• Relationship assistant helps sales users by letting them know when to: follow up on an email, answer a question, attend a meeting, follow-up with a neglected contact and much more. Alert cards are displayed throughout the application to provide relevant information for the context in which the user is currently working and uses data stored in Dynamics 365 and Exchange inbox and calendar.
• Auto capture with Outlook – analyses emails to find messages relevant to specific accounts and then tracks in Dynamics 365 with just one click
• Email engagement – insights from customer emails so sellers can prioritize the most receptive contacts.

Power BI Insights apps. Microsoft will release a series of embedded Power BI Insight apps tailored to specific business functions beginning with a previous release for Sales Insights. This is expected to include predictive lead scoring and relationship analytics to give a relationship health score calculated from emails and content exchanged, and frequency and level of customer interactions brought together from Dynamics 365, email and social networks.

New App Platform Capabilities

The application platform that sits underneath Dynamics 365 sees a significant change with this release. For Dynamics 365 v9, the legacy XRM framework behind Dynamics is npw merged with an updated version of Microsoft’s Common Data Service (CDS). This uses the same Dynamics code base and with backwards compatibility promised, there will be no obvious change, with existing Dynamics 365 apps continuing to work without any modification.
This means that the same platform that powers Dynamics 365 is also used by PowerApps, Office 365, Power BI and the Common Data Service – now renamed Common Data Service for Apps. CDS for Apps has a boost in functionality through server side logic, improved app building experiences and developer capabilities.

PowerApps. PowerApps together with the platform that powers Dynamics 365 lets you build an app and choose between a Canvas app (using a visual WYSIWYG editor) or a Model-driven app (driven by entities, their relationships & business processes). Both apps can access your data and logic in CDS for Apps.

In addition to server side logic, the latest app building capabilities include:
• Business Process Flows to model process stages and guide users through them
• Sophisticated security model providing row level security and model hierarchies
• Calculated fields that use server side logic to compute values in an entity

These new capabilities enable lightweight mobile apps to be quickly developed for field based staff to collect data and also to create new processes that will natively connect across Dynamics 365 and other Microsoft cloud services. PowerApps P2 now becomes the platform licence for users of stand-alone model driven apps. PowerApps P2 is included with the Dynamics 365 Customer Engagement Plan.

Common Data Service for Analytics. Another CDS for Analytics reduces the complexity of analysing data and extracting insights across standalone business apps and other sources. A new capability in Power BI, Common Data Service for Analytics enables organisations to integrate data from multiple sources and will provide teams with increased access to analytics across all the relevant tdata.

GDPR Microsoft states its Spring 18 release features a series of updates across Dynamics 365 products to address the requirements of the General Data Protection Regulation (GDPR). Visit the Microsoft Trust Center to find tools and auditing reports for managing cloud-data security and compliance within your organisation and to read more about what Microsoft is doing to help its customers comply with this regulation.
Use Microsoft Compliance Manager to get insights into your responsibilities for meeting compliance standards.

GDPR stands for General Data Protection Regulation effective from 18th May 2018 in Europe.
The primary objectives of the GDPR are to give citizens and residents back control of their personal data and to “simplify” the regulatory environment for international business by unifying the regulation within the EU.
As per the ICO, the UK’s independent body set up to uphold information rights, the GDPR applies to “controllers” and “processors”. The definitions of controllers and processes are broadly the same as those under the Data Protection Act. In short, the controller says how and why personal data is processed and the processor acts on the controller’s behalf.

If you are a processor, then the GDPR places specific legal obligations on you. For example, when you/ your organisation / your solution / your product maintains or stores records of personal data and includes processing activities, you will have significantly more legal liability if you are responsible for a breach. These obligations for processors are a new requirement under the GDPR and were not as such in the Data Protection Act (DPA).

For Microsoft Dynamics 365 CRM projects, this is a significant legal obligation. The majority, of Dynamics CRM projects include the storage, maintenance and processing of personal data and will most probably fall under GDPR rules if you have European operations, customers and vendors..

LinkedIn Sales Navigator Integration. Improvements to the integration between Dynamics 365 for Sales and LinkedIn Sales Navigator provides more detail about companies and LinkedIn members synchronised to Dynamics record forms and dashboard including profile pictures.

Web Portal . With the Spring Upgrade, portal search is now extended to knowledge article attachments increasing the likelihood of relevant search results.

Dynamics 365 – 9.0.2 Update. This month icrosoft will begin applying Update 9.0.2 to Dynamics 365 (Online), version 9.0 and higher. This update is focused on reliability and performance improvements as well as some new features. Any updates from version 8.x to version 9.0 are scheduled on or after April 2 will automatically get this update – no change of schedule is needed. For customers already running Dynamics 365 (Online) version 9.0.1 or higher, Microsoft begin deploying this update from April 7 through its normal deployment process. No customer action is needed to deploy this update.

Dynamics 365 Spring 2018 (v9.0.2) licensing guide:

https://mbs.microsoft.com/Files/public/365/Dynamics365LicensingGuide.pdf

April 9th, 2018

The newest update to Microsoft Dynamics 365 for Finance and Operation, now version 8.0 (specifically build number 8.0.30.8020).comes with release notes fthat run to 222 pages,

https://docs.microsoft.com/en-us/dynamics365/unified-operations/fin-and-ops/get-started/whats-new-changed-8-0-april-2018

The Dynamics technology platform now has easier integration from Dynamics 365 Enterprise to other Dynamics products such as : Dynamics Talent, Field Service and Project Service Automation.
In addirion to the Common Data Service (CDS) for Apps which includes templates that are easily configured rgere is also a new Data Integrator tool for Dynamics 365 Enterprise provides thtat makes it easier way to work with the Common Data Service .

Microsoft is leveragign the scalaeability and data mining powers of the clud to use Telemetry acorss ts products. We will now get knowledge-base (KB) recommendations that help Microsoft support to understand how well hotfixes have solved an issue and rhen to proactively push out hotfixes to customers. This proactuve approach will allow customers to spend less timesearching for hotfixes for solutions to problems that already have a published hotfix. after all isn’t that the job of the software author – to provide code that works and for support to fix it when it doesn’t? Aggod example of how Aiis alreaqdy changign things.

Previous posts have hgihglighted of Business Productivity Improvements. Let’s recap:

Alerts – As with Ax 2012 client-based alert functionalityis now availbale for a user to define alert rules on business events, such as when master data is changed or an invoice is paid or a customer changes an address.
Optimization advisor – Uses telemetry to analyze customers’ business processes, finds optimization opportunities,and uses application data to quantify the opportunities, and then recommends solutions.
Project timesheet mobile – Employeescreate and submit project timesheets. Out-of-box mobile app for submitting timesheet. Nnow we have saved favorites. We can also copy from a previous timesheet ffir mire raOid entry rapid, accurate time entry.
Project resource managers can edit the default hours as part of the project booking fulfillment process. Thhey can also now eserve project resources past the task end date
A Person search report – to find a person and their personal data in Finance and Operations.
Data sharing for customer and vendor tables – Data can be shared across customer and vendor tables and many related tables across multiple legal entities.
One voucher deprecation – One voucher is turned off by default, through a General ledger parameter.

Supply Chain Management Updates

Vendor collaboration – RFQ process – Enhancements to tell who entered a bid (a vendor or a procurement department).
Partial shipment of a load (split load) – Allows single loads or multiple loads to be fully or partially loaded.Immediate replenishment of locations – Used during wave execution wjen allocation fails for a location directive line that has a replenishment template.
Add Reason codes to warehouse counting and adjustment – Users can add a reason code when performing counts and when making an adjustment for better control and audit
Batch balancing is enabled for advanced warehouse module processes.
New Cost administration and Cost analysis Power BI workspaces/

Power apps
Ability to embed PowerBI and PowerApps directly in forms without writing code using a host control. User select in form from the menu bar.an option to add PowerApps

There are also improvements regarding Lifecycle Services and environment management. There is also a new channel to report production outage to escalate a support issue with Microsoft should your Production environment not be available. Financial reporting enhancemtns for (Management Reporter) is alo included.

Another important change is upgrade automation- to upgrade non-production environments.

Dynamics 365 Business Applications Spring 2018

April 3rd, 2018


Take a look into new PowerApps capabilities added during Business Applications Spring 2018 Launch

Office 2019 and Office 365

April 2nd, 2018

After Office 2019 is released in the 2nd half of this year – that will be the last version of Office sold without an office365 subscription.

Microsoft will shorten the lifecycle for all the existing versions of office so everyone who wants to use office tools will need to buy an Office365 subscription at some point.

In 2017, Microsoft slashed the rights of users running non-subscription Office when it announced that perpetual-licensed versions of Office 2016 will be barred from connecting to Microsoft’s cloud-based services, including hosted email (Exchange) and online storage (OneDrive for Business) after Oct. 13, 2020. Under the new rules, owners of a perpetual license for Office 2016 can use those services only during the first half of their 10-year support lifecycle, the portion Microsoft dubs “mainstream.” Office 2016′s mainstream support ends Oct. 13, 2020.

By releasing Office 2019 this year, Microsoft will give enterprises a year or so to migrate from Office 2016 (or an earlier edition) before the cloud service cutoff. Rather than the usual decade of support – the first five in what Microsoft dubs “Mainstream,” the second five as “Extended,” which provides security-only updates – Office 2019 will get only seven years. “Office 2019 will provide 5 years of mainstream support and approximately 2 years of extended support,” said Spataro in the Feb. 1 announcement. “This is … to align with the support period for Office 2016. Extended support will end 10/14/2025.”

That’s the same day Office 2016′s support expires.

The simultaneous retirement of the two perpetually-licensed suites is the strongest signal yet that Microsoft plans to shut down the one-time purchase option after Office 2019. By shortening 2019′s support lifespan – something Microsoft has never done to Office for Windows – it will be able to wash its hands of both suites at the same time, ending the decades-old purchasing option and making the subscription-based Office 365 the only way to license the applications.

Office 2019 will be supported only on Windows 10.

Drupal CMS critical bug

April 2nd, 2018

The team behind the popular open-source CMS Drupal is urging admins to update their sites to ward off a nasty bug that could leave their sites “highly compromised” to attackers, according to the organization.

The effected versions (Drupal i 6, 7 and 8) of the CMS power over one million websites on the internet.

Drupal has marked the security risk as “highly critical” and warns that any visitor to the site could theoretically hack it through remote code execution due to a missing input validation.

“This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being completely compromised,”