Friday, January 2, 2009

Epicor 9 Wins Product of the Year

Epicor announced Tuesday that Epicor 9, a next-generation enterprise resource planning (ERP) solution, has won the 2008 Product of the Year Award from Customer Interaction Solutions magazine.

Epicor 9 combines Web 2.0 concepts with Epicor True SOA, a collaborative business architecture that manages the flow of processes across an enterprise.

Epicor was chosen to receive the award by the editors of Customer Interaction Solutions, who considered the nominees' vision and leadership in the industry.

"I am pleased to honor Epicor for their hard work and accomplishments. Their commitment to quality and excellence benefits the contact center experience as well as ROI for the companies that use them," said Nadji Tehrani, Executive Group Publisher and Editor-in-Chief of Customer Interaction Solutions.

Epicor will be featured in a winners' profile in the January 2009 issue of Customer Interaction Solutions magazine.

Insight Named First U.S.-Based Reseller Partner to Serve VMware Cloud Initiative

Insight Enterprises has announced that it has been named the first U.S.-based reseller partner to offer subscription licenses to serve the expanded VMware Service Provider Program (VSPP).

VSPP partners are part of the VMware vCloud Initiative, which delivers an enterprise-class cloud computing platform. The VMware vCloud Initiative offers broad support for existing and new applications, and it enables federation between on- and off-premise clouds. The core technology underpinning the VMware vCloud Initiative is a set of VMware vServices that provide the APIs and technologies to enable this federation and facilitate business needs such as flex capacity, disaster recovery, or test and development for enterprises. VMware vServices also enable cloud providers to simplify how SMBs acquire compute capacity.

Securing DNS should trump budget-cutting, experts say

The discovery of a major DNS flaw in mid-2008 landed the technology in many headlines, but with economic concerns weighing on many in IT, industry watchers worry that revamping systems and security around domain name servers could be put on hold in 2009.

The vulnerability discovered by Dan Kaminsky, director of penetration testing at IOActive, motivated numerous vendors to upgrade their products to protect enterprise networks against cache poisoning and other DNS attacks, such as distributed denial-of-service (DDoS). IT directors were encouraged to upgrade their DNS systems to guard against potential threats, but a survey by The Measurement Group revealed that about 25% of servers had yet to be upgraded by mid-November. Now, with the year coming to a close, DNS experts worry the projects will take a back seat to cost-cutting measures.

"These name servers are trivially vulnerable to the Kaminsky attack. With an effective exploit script, a hacker can insert arbitrary data into the cache of one of these name servers in about 10 seconds," says Cricket Liu, vice president of architecture at Infoblox.

A separate survey of 466 enterprise online customers conducted by DNSstuff in September revealed that 9.6% hadn't patched their DNS servers and 21.9% didn't know if they were patched. The findings show that despite the DNS community's and several vendors' efforts, a significant number of server administrators have yet to take action. As for the reasons behind the lack of patches, more than 45% cited a lack of internal resources, 30% said they were unaware of the vulnerability and 24% reported they didn't have enough knowledge of DNS to take the appropriate steps. DNSstuff's customer research also found that the most common DNS issues among respondents include e-mail downtime for 69%, DDoS attacks and cache-poisoning attacks for nearly half and spoofing for 18.5%.

That's why the IP address management vendor is looking to dispel what it calls a handful of myths around DNS and get people paying attention to the technology in 2009, despite economic worries.

For one, Infoblox says there is a misconception that DNS is a trivial part of the network. It performs a critical function by mapping domain names to IP addresses and directing Internet inquiries to the appropriate location. "Should an enterprise's DNS systems fail ... all Internet functions, including e-mail, Web access, e-commerce and extranets become unavailable," according to Infoblox.

Secondly, the belief that any version of BIND will protect name serving machines on the Internet is false, according to Infoblox. BIND version 9 is a major rewrite of the Berkeley Internet Name Domain and includes DNS security and protocol enhancements, as well as support for IPv6.

Another misconception regarding BIND is that organizations using version 9 are safe from attacks due to the Kaminsky vulnerability. Infoblox's Liu says that is untrue. "Even running the most recent version of BIND, many organizations have not taken the necessary precautions to limit access to recursion or secure zone transfers," he says.

Lastly, the belief that upgrading DNS needs to be put off until IT can gain budget approval is false. It is possible to test the system to learn of any vulnerability and upgrade the DNS server with tools available for free download.

Recursive name servers can be tested for the Kaminsky vulnerability at doxpara.com, www.dnsadvisor.com or using DNS-OARC's port testing tool. If the servers are found to be vulnerable, Infoblox suggests moving the name server to one that uses query port randomization, or moving to another name server that does support it.

"Even if an enterprise has gone to the trouble of patching against the Kaminsky vulnerability, there are many other aspects of configuration, like recursion and open zone transfers, that should also be secured," Liu says. "Organizations clearly need to pay more attention to configurations and deployment architectures that are leaving their DNS infrastructures vulnerable to attacks and outages."
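
As an added illustration of the configuration points Liu raises (limiting recursion, securing zone transfers) and of the query port randomization fix mentioned above, the following Python script audits a BIND 9 named.conf for all three. It is not from the article or from Infoblox; the sample configurations, addresses and finding names are constructed, and the audit requires each ACL to be stated explicitly because defaults differ between BIND versions.

```python
import re

# Constructed sample named.conf showing the weaknesses the article names.
WEAK_CONF = """
options {
    recursion yes;                   // no allow-recursion ACL
    query-source address * port 53;  // fixed source port, no randomization
};
zone "example.com" {
    type master;
    file "example.com.zone";         // no allow-transfer ACL
};
"""

# Constructed sample: the same server with explicit restrictions.
HARDENED_CONF = """
acl trusted { 192.0.2.0/24; localhost; };
options {
    allow-recursion { trusted; };
    allow-transfer { none; };
};
zone "example.com" {
    type master;
    file "example.com.zone";
    allow-transfer { 192.0.2.53; };
};
"""

def blocks(text, header_re):
    """Yield (header match, body) for each brace-delimited statement."""
    for m in re.finditer(header_re + r"\s*\{", text):
        depth, i = 1, m.end()
        while i < len(text) and depth:
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        yield m, text[m.end():i - 1]

def audit(conf):
    """Return a list of findings for open recursion, fixed port, open AXFR."""
    # Strip /* */, // and # comments so commented-out options are ignored.
    conf = re.sub(r"/\*.*?\*/|(//|#)[^\n]*", "", conf, flags=re.S)
    acl_re = r"\b%s\s*\{([^}]*)\}"
    is_open = lambda m: m is None or re.search(r"\bany\b", m.group(1))
    findings = []
    opts = "".join(body for _, body in blocks(conf, r"\boptions"))
    if not re.search(r"\brecursion\s+no\s*;", opts) and is_open(
            re.search(acl_re % "allow-recursion", opts)):
        findings.append("open-recursion")
    if re.search(r"\bquery-source(-v6)?\b[^;]*\bport\s+\d+", opts):
        findings.append("fixed-query-port")
    global_xfer = re.search(acl_re % "allow-transfer", opts)
    for m, body in blocks(conf, r'\bzone\s+"([^"]+)"(?:\s+\w+)?'):
        xfer = re.search(acl_re % "allow-transfer", body) or global_xfer
        if re.search(r"\btype\s+(master|primary|slave|secondary)\s*;", body) and is_open(xfer):
            findings.append("open-transfer:" + m.group(1))
    return findings
```

Calling audit(WEAK_CONF) reports all three weaknesses, while audit(HARDENED_CONF) returns an empty list.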

200 Sony PS3s Harnessed To Crack Secure Site Certification

Using 200 Sony PlayStation 3s for crypto cracking, a group of security researchers has found a way to forge certain digital certificates used to identify secure Web sites, a technique that could be used to create fake versions of popular e-commerce and banking sites.

The researchers -- Jake Appelbaum, Arjen Lenstra, David Molnar, Dag Arne Osvik, Alex Sotirov, Marc Stevens, and Benne de Weger -- presented their work Tuesday at the Chaos Computing Congress, a four-day computer hacking conference held annually in Berlin.

The group identified a weakness in the public key infrastructure used on the Internet to issue digital certificates for Web sites that employ the secure HTTPS protocol.

"Our attack takes advantage of a weakness in the MD5 cryptographic hash function that allows the construction of different messages with the same MD5 hash," the researchers said on their Web site. "This is known as an MD5 'collision.' Previous work on MD5 collisions between 2004 and 2007 showed that the use of this hash function in digital signatures can lead to theoretical attack scenarios. Our current work proves that at least one attack scenario can be exploited in practice, thus exposing the security infrastructure of the Web to realistic threats."

Discussing the research, Princeton computer science professor Edward Felten explained on his blog that the hash is a 128-bit code that's supposed to represent a unique digest of the digital certificate in question. "To be secure, the hash method has to have several properties, one of which is that it should be infeasible to find a collision, that is, to find two values A and B which have the same hash," he wrote.

But as the researchers have shown, it's not infeasible. In theory, at least, that means someone could create a fake HTTPS banking site, for example, using a forged certificate to hijack a trusted brand name.

The group identified six certification authorities that issued certificates signed with MD5 in 2008: RapidSSL, FreeSSL, TC TrustCenter AG, RSA Data Security, Thawte, and verisign.co.jp.

Shortly after the research was presented, Tim Callan, a product manager for VeriSign's SSL business, said in a blog post that his company had taken steps to eliminate the vulnerability. He said that VeriSign has "been in the process of phasing out the MD5 hashing algorithm for a long time now."

Microsoft also responded, issuing a security advisory Tuesday. "This new disclosure does not increase risk to customers significantly, as the researchers have not published the cryptographic background to the attack, and the attack is not repeatable without this information," Microsoft's advisory says. "Microsoft is not aware of any active attacks using this issue and is actively working with certificate authorities to ensure they are aware of this new research and is encouraging them to migrate to the newer SHA-1 signing algorithm."

The research group goes further, advising that certification authorities stop using MD5 and move to more secure hash functions, such as SHA-2. While collision attacks have not yet been shown to be practical against SHA-1 hashes, work along these lines is progressing.

Dell Unveils Massive Reorganization

Dell, which has seen PC sales slow in the economic downturn, announced on Wednesday a massive reorganization that establishes three separate global units for selling to businesses and government agencies. In addition, the world's second-largest computer maker said Mike Cannon, president of global operations, would retire effective Jan. 31; and Mark Jarvis, chief marketing officer, would leave during the current fiscal quarter. However, Cannon and Jarvis would continue to be involved with the company as consultants.

The reorganization, announced about a month after Dell reported a drop in revenue and profits as a result of slowing sales for servers and PCs, changes the company's approach in selling to businesses and government from a regional to a global strategy. Dell this year adopted a global approach in its consumer business, led by Ron Garriques.

The latest move establishes three worldwide business units, one targeting large companies; another focused on the public sector, which includes government and education; and the third on small and medium-sized businesses.

"We have laid the foundation for the transition from a global business that's run regionally to businesses that are really globally organized," Michael Dell, chairman, chief executive, and founder of the company, said in a statement.

Steve Schuckenbrock, currently president of global services and CIO, will lead the sales effort to large corporations, and Paul Bell, currently president of Dell Americas, will head the public-sector business unit. Leading the SMB sales operation will be Steve Felice, currently president of Dell Asia-Pacific and Japan.

The company plans to align its financial reporting with the new structure during the first half of fiscal year 2010, which begins in February.

Meanwhile, the company said Cannon will be succeeded by Jeff Clarke, who will become vice chairman of global operations while continuing to head Dell's business client product group. Jarvis will be succeeded by Erin Nelson, who was VP of marketing for Dell in Europe, the Middle East, and Africa.

Dell in November reported that profits in the fiscal third quarter fell to $727 million from $766 million the same period a year ago, as revenue fell more than 3% to $15.2 billion. Dell blamed the drops on lower sales across the globe.

Dell's dependency on the PC market makes the company particularly vulnerable to weakening demand in the current economic recession. Dell released its latest earnings the same day iSuppli slashed its 2009 forecast for PC shipments by nearly two-thirds because of rapidly deteriorating conditions in the global economy.

At the same time, Dell is struggling to regain market share from its rival Hewlett-Packard, the world's largest computer maker. HP in November reported fiscal fourth-quarter earnings that exceeded Wall Street forecasts.

LG Teams with YouTube, CinemaNow

Cancel your cable bill: LG will unveil a new line-up of Blu-ray players at the Consumer Electronics Show in Las Vegas capable of streaming YouTube and CinemaNow videos. Add these upcoming features to LG's new standard for streaming Netflix movies and you have three fewer reasons to subscribe to expensive cable packages.

Some 12,000 movies are available for instant viewing on Netflix, millions on YouTube, and now an additional 14,000 movies via CinemaNow. Those looking for a wide variety of inexpensive or free content, and also prepared to make the switch to Blu-ray, couldn't find a better deal.

LG's integration of network-capable players and high-quality movie services will become the industry standard in 2009. A wide variety of devices -- from DVD players to game consoles -- already support Netflix streaming. The original stand-alone player -- the Roku box -- has announced plans to broaden its scope and add streaming Internet video channels such as Hulu to the mix in early 2009.

By this time next year, cable providers will be forced to seriously consider major price cuts in order to maintain a competitive edge, as users will be netting all their content online, in HD, and on the big screen.

Microsoft Says Leap Year Bug Caused Zune Failures

Picture this: You're gearing up to create a killer playlist on your 30GB Zune for your annual New Year's bash. All of a sudden, your Zune locks up, reboots itself, and freezes. What the heck is going on?

In September, Microsoft released the Zune 3.0 software and firmware update along with its newest hardware, the Zune 120GB and 16GB models. At the time, Microsoft mentioned that it would be phasing out the older models slowly--but the company didn't say the change would be this dramatic.

As early as yesterday evening, reports of 30GB Zunes crashing began to surface on Microsoft support forums and gadget blogs. Microsoft updated the Zune support Web site with the following acknowledgement: "Customers with 30GB Zune devices may experience issues when booting their Zune hardware. We're aware of the problem and are working to correct it. Sorry for the inconvenience, and thanks for your patience!"

We contacted a Microsoft spokesperson, who confirmed the issue with this official statement:

"Early this morning we were alerted by our customers that there was a widespread issue affecting our 2006 model Zune 30GB devices (a large number of which are still actively being used). The technical team jumped on the problem immediately and isolated the issue: a bug in the internal clock driver related to the way the device handles a leap year.

"That being the case, the issue should be resolved over the next 24 hours as the time change moves to January 1, 2009. We expect the internal clock on the Zune 30GB devices will automatically reset tomorrow (noon, GMT). By tomorrow you should allow the battery to fully run out of power before the unit can restart successfully then simply ensure that your device is recharged, then turn it back on.

"If you're a Zune Pass subscriber, you may need to sync your device with your PC to refresh the rights to the subscription content you have downloaded to your device.

"Customers can continue to stay informed via the support page on zune.net (zune.net/support).
"We know this has been a big inconvenience to our customers and we are sorry for that, and want to thank them for their patience."

Microsoft's Official Fix for Failing Zunes

Zune owners now have a fix for their failing devices thanks to Microsoft, which has posted instructions on how to start the new year off with a working digital music player. Yesterday 30-gigabyte Zunes suffered a crippling glitch causing the digital music players to lock up, reboot themselves, and freeze. Zune users are calling Microsoft's screw-up "Zune 2K9," a reference to the Y2K bug. The problem was caused by the Zune's internal clock and its inability to handle leap years, according to Microsoft.

Microsoft posted instructions on its support site Zune.net/support on how to thaw your Zune from its deep freeze and get it working again. However, if you're a Zune Pass subscriber with music managed by DRM copyright protection, Microsoft says you might have to take extra steps to play those music tracks.

The Zune fix (outlined below) will work at 7am ET January 1, 2009. Microsoft says it will also issue a fix for the device so that this problem won't re-occur the next leap year, in 2012.

To Fix Your Zune Follow These Steps:

1. Disconnect your Zune from USB and AC power sources.

2. Because the player is frozen, its battery will drain--this is good. Wait until the battery is empty and the screen goes black. If the battery was fully charged, this might take a couple of hours.

3. Wait until after noon GMT on January 1, 2009 (that's 7 a.m. Eastern or 4 a.m. Pacific time).

4. Connect your Zune to either a USB port on the back of your computer or to AC power using the Zune AC Adapter and let it charge.

Once the battery has sufficient power, the player should start normally. No other action is required--you can go back to using your Zune!

What if I have rights-managed (DRM) content on my Zune?

Most likely, rights-managed content will not be affected by this issue. However, it's a good idea to sync your Zune with your computer once the freeze has been resolved, just to make sure your usage rights are up to date.

What if I took advice from the forums and reset my Zune by disconnecting the battery?

This is a bad idea and we do not recommend opening your Zune by yourself (for one thing, doing so will void your warranty). However, if you've already opened it, do one of the following:

* Wait 24 hours from the time that you reset the Zune and then sync with your computer to refresh the usage rights; or

* Delete the player's content using the Zune software (go to Settings, Device, Sync Options, Erase All Content), then re-sync it from your collection.