Monday, January 27, 2014

Brazil Nota Fiscal – On Premise versus Cloud

Steve Sprague, Finextra

Brazil Nota Fiscal version 3.1 – On-premise solutions force you to monitor, design and implement every Nota Fiscal change yourself. Managed services offer economies of scale that can reduce annual support costs by 80 percent.

Top 5 Reasons Why Companies are Using Brazil Version 3.1 to Transition from Current On-premise Solutions to Managed Service Solutions

In this part of the series on using the Brazil Nota Fiscal version 3.1 changes to evaluate the strengths of cloud and managed services over on-premise solutions, I want to discuss the issues concerning ERP customization and maintenance. This is mission critical, especially if your organization has a strategy of deploying a single instance of an ERP around the globe.

With so many complicated ERP issues, why do companies want to keep up with the legislation and constantly implement the changes themselves, especially when the requirements are predominantly the same for all companies? These are government mandates and standards, after all.
Managed service providers offer two huge benefits over on-premise solutions:
  • First, managed services, and more specifically hybrid cloud deployments, can offer economies of scale gained across their install base, which turn into hard cost savings in annual support and maintenance costs.
  • Second, managed services, and more specifically hybrid cloud deployments, can buffer the global ERP Center of Excellence from changes. Some issues, such as extended attributes and customer customizations, are absorbed by the service provider. Additionally, some upgrades can be done without affecting the core ERP platform. I found this quote from Gustavo Lara, LA Regional CIO for Kellogg’s, to be intriguing: “With [managed service provider] solution, our internal teams can focus on running our business rather than focusing on researching, implementing and reconfiguring our ERP system to meet the changes for Brazil Nota Fiscal and Mexico CFDI.”
By transitioning to a managed service, your internal teams can:
  • Avoid the burden of research, design and implementation – with an on-premise solution the IT organization must figure out how the Brazil changes will affect its ERP deployment. In our next article, we will cover the “real” cost of this change management.

  • Eliminate fire drills – most global ERP teams roll out an ERP in waves across processes and countries. They also tend to have a very rigid procedure for updating the ERP system. Lead times to get on the COE calendar are often 6 to 8 weeks, and in many cases the COE only wants to do major upgrades once or twice a year. The pace of legislative change in Brazil is constant and is never timed to the ERP upgrade strategy. A managed service provider that guarantees your systems are maintained eliminates unforeseen fire drills, because it knows when the legislative changes occur and coordinates the updates.

  • Reduce upgrade timing issues, as many companies run an N-1 maintenance strategy. It is common for ERP maintenance teams to run at least one support pack behind the latest release. I work with customers that are still on 4.7c and many who are in the process of upgrading to ECC 6.0 during 2014. The issues arise when the ERP vendor releases new country requirements – logically, they are released in the latest support packs. Maintenance teams then have to decipher what is needed and how it will affect the ERP system they are running. Part of the managed service provider's responsibility is to understand your company's “delta” to the legislation and assist with the changes. Why spend weeks figuring out the issue when it can be done in a 30-minute call?

  • Simplify problems with ERP customizations and extended attributes – these are the processes that are unique to your business and your customers. It is not always easy to get the data from your ERP configurations into the Nota Fiscal format. Some of our customers sell “kits”, and this unique packaging takes some unique manipulation to transform into the Nota Fiscal requirements. In some cases the data doesn’t come from the ERP at all, yet the transaction is still required. For example, when you bring goods into the country, by law you must declare the fiscal value of the goods, sometimes referred to as a Nota Fiscal Entrada. This information often comes from an extract from the freight forwarder you are using to import the goods. It still needs to be transformed, validated and tracked.

  • Reduce the cost of maintaining compliance – in a recent article (in Portuguese), Alexandre Quinze, Latin America CIO at Philip, discusses the cost and productivity benefits achieved by transitioning off on-premise software for Brazil Nota Fiscal compliance:
    • Reduction of annual maintenance costs by upwards of 80%
    • Increase in productivity of local Brazil business users by 25%



Tuesday, January 21, 2014

Fuzzing Test – Your Cyber Security Companion


Fuzzing test stands for…
How do you test against security threats you don't even know exist? For unknown threats, an alternative such as fuzz testing needs to be employed. Fuzz testing passes random data through network protocols, API calls, and file streams – virtually anywhere applications and devices receive input. One goal is to determine whether any of this random input can crash or hang an application, bring down a website or put a device in a compromised state. Another goal of fuzz testing is to prevent zero-day attacks. These attacks derive their name from the fact that they take place before the related vulnerability is known – on “day zero” of awareness.

Fuzz testing, or fuzzing, is a software testing technique used to discover coding errors and security loopholes in software, operating systems or networks by feeding massive amounts of random data, called fuzz, to the system in an attempt to make it crash. Fuzzing is the process of sending deliberately malformed data to a program in order to generate failures or errors in the application. Fuzzing usually focuses on the discovery of bugs that can be exploited to allow an attacker to run their own code, and along with binary and source code analysis, fuzzing is one of the primary ways in which exploitable software bugs are discovered. Fuzzers work best for problems that can cause a program to crash, such as buffer overflows, cross-site scripting, denial of service, format string bugs and SQL injection. These schemes are often used by malicious hackers intent on wreaking the greatest possible amount of havoc in the least possible time.

What are we facing?
It is relatively easy to find possible weaknesses in an application if the source code is available, and the better it is annotated, the easier it is to analyse. Access to binary code is the next best thing, but it is arguably too time consuming to analyse by disassembly. Often the code is housed on a protected, remote server: a seemingly impregnable housing that even keeps the binary shielded from prying eyes.
A burglar faced with a house that is locked uses guile to force an entry. Locksmiths produce tumbler locks that can only be opened with the correct key. The burglar often ignores the complexities of lock-picking and will try to slide a flexible plastic sheet through the gap between the door and the door jamb to push the catch back and the door sometimes opens with ease. In other words, they attack the door in a way that was not foreseen. If this does not work they may look elsewhere and smash a window to gain entry.

Similarly, server attackers work on accepted entry points by treating them in ways that they were not intended to be used to force an entry. The more complex the program, the more likely there is a flaw or a bug that can be worked on.

When looking for likely areas to work on, access to annotated source code can point to candidate spots, but applications tend to have thousands of lines of code that need to be sifted through. This becomes even worse if all you have is the compiled binary, which has to be disassembled first. Then the hacker has to sift through the instructions without any annotations to guide them through the logic.

These two methods are the equivalent of picking locks. In the first case using source code is akin to accessing the locksmith’s original designs or an impression of the actual key and in the second using picks and experience to prise the lock open. With so much code to sift through, both methods are time consuming and require specialist knowledge and patience. It is the preserve of the dedicated professional.

Often the code is unavailable in any format, and the average hacker has to stand back and look at the bigger picture. Applications process data, and that information is supplied externally, using keyboard input or strings provided by ancillary applications. These use specific formats, called protocols. A protocol may dictate that the information is a field of characters or digits of a specific maximum length, such as a name or a telephone number. The protocol may be more complex and recognise only Adobe Acrobat PDF files or JPEG image files. If the input comes from another application, it might have a proprietary protocol.

Monday, January 20, 2014

December Newsletter – Fuzzing

The Vega newsletter is published monthly by Vega BI and distributed to our partners to facilitate the pursuit of a common interest in top-notch technologies.
"Attackers have long exploited the fact that even subtle variations in protocols can cause compromise or failure of networked devices," says David Newman, president of Benchmarking Consultancy Network Test. "Fuzzing technology helps level the playing field, giving implementers a chance to subject their systems to millions of variations in traffic patterns before the bad guys get a chance to." Seeing the importance of early detection of security holes, we have chosen fuzzing as our topic of the month.

Fuzzing Test – Your Cyber Security Companion


How do you test against security threats you don't know exist?

For unknown threats, an alternative such as fuzz testing needs to be employed. Fuzz testing passes random data through network protocols, API calls, and file streams – virtually anywhere applications and devices receive input.

One goal is to determine whether any of this random input can crash or hang an application, bring down a website or put a device in a compromised state. Another goal of fuzz testing is to prevent zero-day attacks. These attacks derive their name from the fact that they take place before the related vulnerability is known – on “day zero” of awareness. Malicious hackers could exploit a new vulnerability they find before your normal testing does.

Think Like a Hacker

Hackers are good at finding vulnerabilities. Why? Because they expend the effort needed to expose them. They know that traditional functional testing of your software has likely been completed. However, they also know that millions of permutations of invalid random input may not have been tested. All it takes is one random string of input to cause a crash or hang. Moreover, it is easy for them to throw garbage input at your network. Nevertheless, since you are now thinking like a hacker, you can do the same – in controlled conditions – with fuzz testing.
Hackers target and exploit many different attack vectors, such as:
  • Web browsers (HTTP)
  • Email attachments (popular applications, movie files, graphic files, executables)
  • Network protocols (vulnerabilities in FTP, DHCP, RSYNC, NTP)
  • VoIP and IPTV protocols

How does it work?

In its simplest form, fuzz testing sends a random sequence, either as command line options or via protocol packets that have been randomly malformed, to the target being tested. As such, fuzz testing can start out manually, but automation is required in order to get sufficient test coverage. Fuzz testing tools can generate millions of variations, or mutations, in traffic patterns on the attack vector being tested. These tools apply "fuzzing" to the chosen test pattern and can literally test millions of permutations, making your network much more secure while keeping your test team efficient.
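The mutation loop described above, and the length-prefixed name/phone protocol fields mentioned in the earlier post, in a small worked example added here (not code from the newsletter or from any fuzzing product): a constructed toy record parser that indexes the buffer without bounds checks, and a harness that mutates a valid seed, feeds it to the parser, and separates deliberate rejections from unhandled failures, which is what a fuzzer reports. Record format, parser, and mutation operators are all assumptions made for the example.

```python
import random


class ParseError(ValueError):
    """Raised for malformed input the parser rejects on purpose (expected)."""


def parse_record(buf: bytes) -> dict:
    """Parse a constructed toy record: <name_len><name><phone_len><phone>.
    Assumption: both length fields are one byte and phone is ASCII digits.
    The missing bounds checks are the (intentional) bug the fuzzer should find."""
    n = buf[0]
    name = buf[1:1 + n]
    m = buf[1 + n]                    # IndexError when name_len runs past the buffer
    phone = buf[2 + n:2 + n + m]
    if not phone.isdigit():
        raise ParseError("phone must be digits")   # graceful rejection
    return {"name": name.decode("latin-1"), "phone": phone.decode("ascii")}


def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Apply one random mutation to the seed: bit flip, boundary byte, delete, insert."""
    data = bytearray(seed)
    op = rng.randrange(4)
    if op == 0:                       # flip one bit (corrupts length fields and payload)
        data[rng.randrange(len(data))] ^= 1 << rng.randrange(8)
    elif op == 1:                     # overwrite with a boundary value
        data[rng.randrange(len(data))] = rng.choice([0x00, 0x7F, 0x80, 0xFF])
    elif op == 2:                     # delete a byte (simulates truncated packets)
        del data[rng.randrange(len(data))]
    else:                             # insert a random byte
        data.insert(rng.randrange(len(data) + 1), rng.randrange(256))
    return bytes(data)


def fuzz(parser, seed: bytes, iterations: int, rng_seed: int = 0) -> dict:
    """Run mutation fuzzing; return one crashing input per exception type found."""
    rng = random.Random(rng_seed)     # fixed seed so findings are reproducible
    crashes = {}
    for _ in range(iterations):
        case = mutate(seed, rng)
        try:
            parser(case)
        except ParseError:
            continue                  # the parser rejected bad input: desired behaviour
        except Exception as exc:      # anything else is an unhandled failure: a finding
            crashes.setdefault(type(exc).__name__, case)
    return crashes


SEED = bytes([5]) + b"Alice" + bytes([7]) + b"5551234"   # constructed valid record

if __name__ == "__main__":
    for kind, case in fuzz(parse_record, SEED, 5000).items():
        print(f"{kind} triggered by {case!r}")
```

The fix the finding calls for is a length check before each index (raise ParseError when 1 + n or 2 + n + m exceeds len(buf)); re-running the harness against the checked parser should return an empty dict.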


Stay Ahead with Fuzzing Testing

Fuzz testing does not replace traditional white box or black box quality processes, but rather complements them. Add fuzz testing to your test arsenal to stay a day ahead of the hackers and their zero-day attacks.


Thursday, January 9, 2014

Breakthrough Israeli ‘Wrapping Paper’ Will Make Bones Heal Faster And Better

By Johanna Weiss, NoCamels

“Break a leg” may be what people say when they want to wish someone luck, but breaking a leg is more than bad luck. That is especially true for elderly people, whose weaker bones often lead to severe fractures and complications.
Thanks to the Israeli company Regenecure, that may no longer be the case. Regenecure is developing what can be understood as an intelligent wrapping paper that enables broken bones to heal faster and more smoothly, and even compensates for bone loss.
In medical terminology, this wrapping paper is called a membrane implant. “Membranes in general are semi-selective materials. They allow certain materials to get through, while others cannot,” CEO Moshe Tzabari tells NoCamels.
When the Regenecure membrane is wrapped around the broken bone, it allows fluids to get through, but prevents cells, vigor or soft tissue from getting to the bone. This feature is crucial for the healing process.
“After a fracture there is a competition going on in the human body between soft tissue and bone,” Tzabari explains. “If there is no barrier, soft tissue will infiltrate the wound and stop the bone from growing or make it grow in unintended ways.”
The membrane implant is a transparent, thin-yet-strong material that looks like plastic wrap. However, the membrane is regenerative and can be sutured, drilled and shaped into any geometrical form. Moreover, it attracts stem cells to grow and populate along the membrane surface.
The material, which comes from Germany, has been used in the past as a drug delivery system – to cover tablets that are not meant to dissolve in the stomach but only to take effect later. Michael Friedman, Professor at the Hebrew University in Jerusalem, discovered that the same material can be used to enable guided bone growth after fractures. The membrane implant can assist, and sometimes replace, traditional healing methods, he explains.

Wednesday, January 8, 2014

Brazilian government to ditch Microsoft in favour of bespoke email system


Summary: President Dilma Rousseff has requested the deployment of the in-house communications platform across all federal government bodies.
By Angelica Mari, Brazil Tech

Brazilian president Dilma Rousseff announced yesterday (13) her request to deploy a secure electronic communications system aimed at strengthening privacy and avoiding spying of communications across federal government bodies.

"I have mandated the deployment of a secure email system throughout the federal government," the president tweeted. She added that this is "the first step to expand privacy and inviolability of official messages."
The Brazilian data processing body Serpro is responsible for decommissioning the current platform Microsoft Outlook and leading the development of the new platform, which has been procured following the news that communications between Rousseff and her key aides have been monitored by the US National Security Agency (NSA).
"A more secure messaging system is needed to prevent possible spying," Rousseff posted on Twitter.
Expresso, an encrypted communications suite, is already used by about 700,000 employees at a few government bodies. The bespoke system runs on the cloud platform maintained by Serpro, and the intention is to make it more robust and then roll it out across all federal administration departments.
The Expresso platform will also be used as the base of the Hotmail-like system that the government is also planning to offer to citizens.
According to the Communications minister, Paulo Bernardo, all government bodies are expected to swap the current email system for the new set-up by the second half of 2014.
Bernardo told newspaper Folha de São Paulo that the government has already told Microsoft that it will not renew its licensing agreement and that it will reinvest the savings in improving the in-house system.
As well as the changes in the email set-up, the Brazilian government is also planning to work with public telecommunications company Telebras on a future project that would allow the government to only use its own infrastructure for its communications.