More stories

  • Microsoft to add new shared channels, encryption for calls, webinar features to Teams

    It wouldn’t be a Microsoft event without a slew of Teams announcements. And on Day 1 of Microsoft’s virtual Ignite Spring 2021 event, officials didn’t disappoint.
    Microsoft announced a new channel-sharing feature coming to Teams broadly later this calendar year. Called Teams Connect, the feature will enable users to share channels with anyone — internal or external — to one’s organization. The shared channel will appear within a user’s primary Teams tenant, alongside other Teams channels. The new Teams Connect feature will be available in private preview starting today.
    If you’re wondering how Teams Connect compares to Teams Guest Access, it seems that with Guest Access, you can add an external user to your Teams environment, where they become a guest. With Teams Connect shared channels, multiple organizations can share a single channel that all members can then access from their own Teams environments.
    Channel sharing seems more suited for scenarios where multiple organizations are collaborating together on a specific project. Guest Access seems more suited to situations where an external party needs broad access to organizational data and information, above and beyond the channel.
    Microsoft execs also said today that Teams will support end-to-end encryption (E2EE) for one-to-one Teams calls. IT will have discretion over which users can use E2EE. E2EE for Teams 1:1 ad-hoc VoIP calls (as the feature is known officially) will be available in preview to commercial customers later in the first half of this calendar year.
    In addition, Microsoft is officially announcing the expected webinar capability for Teams, which leaked last month under the name “Teams Pro.” Officials said today that Teams users can organize webinars for those inside and outside an organization of up to 1,000 attendees. Webinars can make use of custom registration; rich presentation options; host controls; and post-event reporting. Officials said those who want to broadcast to larger audiences (up to 20,000 people until June 30 and 10,000 after that) can switch to view-only broadcast. The webinar functionality will be included for no additional cost in many existing Microsoft 365/Office 365 business plans.
    Microsoft is adding to Teams a number of features that public speakers and PowerPoint jockeys will appreciate.
    PowerPoint Live in Microsoft Teams is all about enabling presenters to lead meetings with notes, slides, chat and participants in a single view. PowerPoint Live is available in Teams as of today. The new Presenter Mode in Teams lets users customize how their video feed and content appear to the audience. A mode called Standout shows the speaker’s video feed in front of shared content. There are also Reporter and Side-by-Side modes coming. Standout in Presenter Mode is launching this month; Reporter and Side-by-Side are “coming soon.” In addition, there is a Dynamic View which arranges elements of a meeting prioritized for an optimal video experience, officials said. Dynamic View is scheduled for rollout later this month, officials said.
    At Ignite, Microsoft announced a new category of speakers called Teams Intelligent Speakers. Teams Intelligent Speakers can identify and differentiate the voices of up to 10 people talking in a Microsoft Teams Room. The speakers were created in partnership with EPOS and Yealink, officials said, two OEMs which both have devices certified as Intelligent Speakers. (Surface Hub also is considered a supported Teams Intelligent Speaker device, officials said.) Users can turn attribution on or off at any time for privacy and security reasons. And if these devices sound familiar, yes, there is/was a precedent: A conical speaker Microsoft demonstrated publicly in 2018 which could recognize multiple speakers even when their discussions overlapped.


  • ObliqueRAT Trojan now lurks in images on compromised websites

    Cyberattackers behind ObliqueRAT campaigns are now disguising the Trojan in benign image files on hijacked websites. 

    The ObliqueRAT Remote Access Trojan (RAT), discovered in early 2020, has been traced back to attacks against organizations in South Asia.
    When first discovered, the malware was described as a “simple” RAT with the typical, core functionality of a Trojan focused on data theft — such as the ability to exfiltrate files, connect to a command-and-control (C2) server, and the ability to terminate existing processes. The malware is also able to check for any clues indicating its target is sandboxed, a common practice for cybersecurity engineers to implement in reverse-engineering malware samples. 
    Since its initial discovery, ObliqueRAT has been upgraded with new technical capabilities and utilizes a wider set of initial infection vectors. In a blog post on Tuesday, Cisco Talos said a new campaign designed to deploy the RAT in the same region has changed how the malware is served on victim systems. 
    Previously, Microsoft Office documents would be sent via phishing emails to a target that contained malicious macros leading to the direct deployment of ObliqueRAT. Now, however, these maldocs are directing victims to malicious websites instead — likely in a bid to circumvent email security controls. 
    A technique known as steganography is in play. Steganography is used to hide code, files, images, and video content within other content or file formats, and in this case, the researchers have found .BMP files that contain malicious ObliqueRAT payloads. 
    Websites that have been compromised by threat actors host these .BMP files. While the files do contain legitimate image data, executable bytes are also concealed in RGB data — and when viewed, trigger the download of a .ZIP file containing ObliqueRAT. 

    According to the researchers, the malicious macros contained in the maldoc extract the archive file and deploy the Trojan on the target endpoint system. 
    In total, four new versions of the malware have been recently discovered and appear to have been developed between April and November 2020. Improvements include checks for blocklisted endpoints and computer names, as well as the inclusion of the ability to extract files from external storage. A new command prompt, as of yet unassigned, also indicates that additional updates will occur in the future. 
    ObliqueRAT has also been connected to campaigns distributing CrimsonRAT. There are potential links to Transparent Tribe (.PDF), a state-sponsored threat group Proofpoint says has previously attacked Indian embassies in Saudi Arabia and Kazakhstan. Due to C2 infrastructure overlaps, there may also be ties to RevengeRAT campaigns. 

  • Google Cloud, Allianz, Munich Re team up on cyber insurance program

    Google Cloud, Allianz Global Corporate and Specialty (AGCS), and Munich Re are pairing up to make cyber insurance more mainstream and embed it into cloud services.

    The partnership comes as it becomes increasingly clear that cyber insurance is going to play a role in enterprises of all sizes. Specifically, the trio of companies is launching the Risk Protection Program.
    The Risk Protection Program aims to cut cloud security risks and offer cyber insurance designed for Google Cloud customers. What’s notable about the program is that cyber insurance, which is evolving, could become more mainstream should it be resold via technology providers.
    Sunil Potti, general manager and vice president of Google Cloud Security, said that the partnership with Allianz and Munich Re has been “in the works for a few years.” Potti added that cyber insurance is an effort to turn the concept of shared responsibility of security into shared fate. “This is the first down payment on that journey,” said Potti.

    Should the Google Cloud, Allianz, and Munich Re model be emulated, businesses could procure cyber insurance through enterprise software makers, security companies, web hosting firms, and other providers.
    Google Cloud said that the Risk Protection Program aims to address the reality that more sensitive workloads are being housed in the public cloud. That fact also means that risk protection has to be more integrated with services. Customers, who were previously expected to create their own security models, will be able to leverage Google’s Trusted Cloud and layer in cyber insurance protection.

    The parts of Risk Protection Program go like this:
    Risk Manager, a diagnostic tool that enables Google Cloud customers to manage and measure risks on the platform and get reporting. The Risk Manager tool is available to Google Cloud customers by request and will be prioritized for Security Command Center Premium customers in the US.
    Cloud Protection +, a cyber insurance product that’s offered by AGCS and Munich Re, and designed for Google Cloud customers.
    Customers would run Risk Manager and send the results to AGCS and Munich Re to obtain a quote for cyber insurance if eligible for Cloud Protection +. The companies’ theory is that cyber insurance procurement will be easier if integrated with Google Cloud.

    A model to expand cyber insurance
    AGCS said Cloud Protection + will cover cyber incidents within customers’ own corporate environments as well as on Google Cloud.
    For now, the offering is targeted at US Google Cloud users, but “this offering may be offered globally at a later date.”
    Bob Parisi, head of cyber solutions at Munich Re, said that the partnership with Google Cloud will streamline applications and underwriting. Parisi added that Risk Manager will connect data to the underwriting process, but Munich Re and Allianz aren’t monitoring corporate networks in real time. “Risk Manager gives us an inside-out look at a company,” said Parisi. “We’re driving underwriting toward a more data-driven approach.”
    Thomas Kang, the North American head of cyber, tech, and media at Allianz, said the goal was to make a program that was cloud-first given that’s where workloads are going.
    The other moving part is that Risk Manager could gauge security posture of an enterprise over time. As a result, the more frictionless experience may improve underwriting speed as well as discounts over time.
    In addition, Google Cloud also gets a bump from cyber insurance via the Allianz and Munich Re partnership. By leveraging cyber insurance partnerships, it can target more regulated industries such as financial services and healthcare. Allianz and Munich Re will share the coverage 50/50.  
    Bottom line: The Google Cloud alliance with Allianz and Munich Re may provide a blueprint for other cloud and tech services providers to emulate. You can expect similar bundles going forward aimed at enterprises of all sizes.

  • Best cyber insurance in 2021

    Cyber insurance is quickly becoming a must-have amid cybercrime, ransomware, and daily threats. The problem is that wading through insurers is a bit daunting. With that in mind, I went shopping. 
    For large enterprises, cyber policies are increasing the cost of doing business. Large firms such as Equifax, Marriott, and SolarWinds all had coverage to cushion the hit from high-profile data breaches. Smaller enterprises may not have the coverage.
    I have a few working theories about the cyber insurance market.
    This year — 2021 — will be the year that cyber insurance evolves significantly. It’s possible that cyber insurance will be required for businesses much like home and auto.
    The market is dominated by massive insurers targeting large enterprises, but there will be segments of the market targeting mid-sized and smaller businesses.
    Cyber insurance could be part of a cloud services stack. For instance, Google Cloud’s partnership with Munich Re and Allianz is a start, but cyber insurance could be resold by cloud providers, web hosting, and other parts of the business technology stack.
    While cyber insurance may become part of a tech bundle or at least easier to acquire, there will be multiple players gunning for policies in a fragmented market. Reportlinker projects that cyber insurance will be a $70.6 billion global market in 2030, up from $5.6 billion in 2019.
    In any case, cyber insurance scouting needs to commence for businesses. According to the National Association of Insurance Commissioners (NAIC), the top 20 cyber insurance providers accounted for 92% of the market in the US.

    Features risk mitigation tools

    According to NAIC, AXA is the cyber insurance market share leader based on standalone policies. AXA’s cyber insurance covers North America and writes policies for data breach response and crisis management, privacy and security liability, business interruption, data recovery, cyber extortion and ransomware, and PCI among others.
    AXA also provides risk mitigation resources via partners and an online service called CyberRiskConnect.

    Three flavors of cyber insurance

    AIG’s cyber insurance can be standalone or added to an existing policy as an endorsement. AIG also offers three cyber insurance products.
    CyberEdge, which covers the financial costs due to a breach as well as first-party costs.
    CyberEdge Plus to cover physical world losses caused by a cyber event including business interruption and property damages.
    CyberEdge PC, which can be added to traditional property and casualty policies.
    AIG also offers threat scoring and analytics as well as tools to prevent attacks. AIG has a network of vendors to restore and recover, too.

    Options for SMBs too

    Travelers takes a broader approach to cyber insurance, with plans designed to mitigate risks for companies of all sizes. The insurer has cyber insurance plans for technology companies, public entities, and SMBs.
    The company bundles pre- and post-breach services provided by Symantec and a hub to evaluate risks. 
    Travelers policies fall into these categories:


    Big in cyber insurance

    Compared to the big insurers, Beazley isn’t a household name, but NAIC rates the firm No. 4 with 11.2% market share just behind Travelers.
    Beazley’s headliner is Beazley Breach Response, which is a customized policy based on a company’s situation. Beazley claims to be the “world’s best designed cyber insurance solution.” Beazley also covers breach response services for up to five million people. 
    For companies in specific industries, Beazley looks like an option. Beazley counts healthcare, higher education, hospitality, financial services, and retail as target industries. 

    Partnership with Google Cloud

    Allianz provides cyber insurance on a standalone basis but is now partnered with Google Cloud along with Munich Re under a program called Cloud Protection +. The pairing is likely to move Allianz as well as partner Munich Re up the cyber insurance rankings. 

    Targeting the mid-market companies

    While the big-name insurers are going after the large enterprises, midmarket companies may gravitate toward a specialist. Midmarket companies often have their own tech providers since they are often ignored by large enterprise vendors.
    Cyber insurance companies may also shortchange the midmarket. Resilience offers cyber insurance with a few interesting perks. First, it combines insurance and expertise like the large players. And, second, Resilience includes a program where customers can earn credit to put toward security services and products.

    Specializes in small businesses

    Hiscox specializes in cyber insurance for small businesses. The firm is also spending heavily on marketing but is worth a look. The company offers a training academy to shore up small business defenses, or what it calls the “human firewall.”
    According to Hiscox, its cyber insurance covers lost business revenue and data recovery costs, money lost to phishing, defense against fines and privacy lawsuits, and breach response. The Hiscox policies also include digital media upgrades. It doesn’t cover criminal action, fund transfer, infrastructure interruption, and prior acts of knowledge.
    More notable providers
    There is a bevy of other providers — and many insurers offer cyber insurance as part of a broader package of business offerings. Among those that looked interesting:


  • Oxfam Australia supporters embroiled in new data breach

    Oxfam Australia has confirmed a data breach after a database belonging to the organization was leaked on an underground forum. 

    After being made aware of a suspected security incident by Bleeping Computer, the charity’s Australian arm has now confirmed that supporters of the charity have been impacted. 
    A threat actor was attempting to sell a database containing Oxfam Australia records on an underground forum and this information appears to have subsequently been leaked in February. 
    The records have been added to Have I Been Pwned, a search engine for users to see if their information has been leaked in data breaches. According to HIBP, 1.8 million unique email addresses, names, phone numbers, physical addresses, genders, and dates of birth were included — alongside partial credit card data in a small number of cases. 
    Donation histories may have also been exposed. 
    In a statement concerning the data breach, Oxfam Australia said a database was compromised on January 20, 2021, and the organization was made aware of the issue on January 27. 
    “The database includes information about supporters who may have signed a petition, taken part in a campaign, or made donations or purchases through our former shops,” the charity said. 

    The group, however, will not say exactly how many individuals have been affected. 
    Oxfam Australia has notified the Office of the Australian Information Commissioner (OAIC) and Australian Cyber Security Centre (ACSC). Impacted supporters will also be contacted. 
    No account passwords are thought to have been compromised and so the charity says it will “not be asking supporters to change their password.” 
    However, as is the case with any data breach, it is recommended that users do so anyway in the interest of their personal security. If the same password is in use elsewhere, these account credentials should also be changed. 

  • Google addresses customer data protection, security in Workspace

    Google has outlined how the company handles customer data in response to a Dutch data protection assessment. 

    Launched in October, Google Workspace is an enterprise suite for applications including Gmail, Meet, Drive, and Sheets, software that can be useful for businesses currently adopting work from home or hybrid workplace models. 
    A Data Protection Impact Assessment (DPIA) was recently published by Dutch data protection authorities outlining comparisons between data handling in Google Workspace. 
    The DPIA included ten original ‘risk’ factors to government agencies adopting Google Workspace, citing issues including a lack of transparency concerning the purposes behind processing both customer and diagnostic data; potential legal gray areas surrounding both the tech giant and government bodies acting as data controllers or processors, “privacy-unfriendly” default settings, and potential spill-overs between ‘one-account’ users in personal and enterprise settings. 
    On Monday, Google Cloud VP of EMEA South, Samuel Bonamigo, said that in response to the DPIA and a separate assessment of and Google Workspace for Education delivered to the Dutch government, Google “welcomes the opportunity to demonstrate our commitment to privacy and security.”
    Google is in discussion with the Dutch government over the concerns highlighted, but wants to emphasize that Workspace solutions have been designed “to secure and protect the privacy of our customers’ data.”
    “Our cloud is designed to empower European organizations’ strict security and privacy requirements and expectations,” Google says. “We adhere to regulatory and compliance requirements to protect our customers’ data. And we believe that it is deeply important for us to be transparent about our products and our practices.”

    Google says that user or service data is not used for targeted ads or creating ad profiles, and ads are not shown in Workspace and Workspace for Education Core Services, which are the premium versions of existing tools. Cloud customer data is also only processed based on customer agreements and is kept in the control of the user, the company says. 
    Google has also created the Google Cloud Privacy Notice to outline how service data is processed, alongside a new Google Workspace for Education data protection implementation guide (.PDF). 
    “Our goal in addressing the DPIA is complete transparency for our customers, regulators, and policymakers on the open issues,” Google said. “We will continue to discuss the findings with the Dutch government in the next few months, with the goal of reaching an agreement that will lead to more choice for public sector organizations in the Netherlands and beyond.”
    In related news, Google has also updated Google Workspace with new features including new security access controls, the “Workspace Frontline” function for key workers that need to use their own devices to access corporate resources, improved endpoint management, and support for Google Assistant in Workspace. 
    On Monday, Google warned of an increase in bots targeting businesses, not only to perform Distributed Denial-of-Service (DDoS) assaults, but also the use of bots for content scraping and other forms of attack.

  • What hacking attacks can teach us about defending networks

    A water treatment plant fell victim to a hacker to the extent that the intruder was able to tamper with chemical levels and attempt to poison the drinking water supply.
    Nobody was harmed when the intruder interfered with the system at the water treatment facility in Oldsmar, Florida because the changes were spotted and the chemical levels reverted to normal, but the incident is a reminder to all organisations that networks must be secured against cyberattacks, especially if systems that manage physical capabilities can be remotely accessed and manipulated.

    “What we can learn from this from a defender and an operator perspective as the utility is making sure that we’re securing credentials and, wherever possible, limiting the exposure of authentication portals to external entities and implementing multi-factor authentication wherever possible to really minimize the impact of credential guessing,” Joe Slowik, senior security researcher at DomainTools, told ZDNet Security Update.
    Additional security capabilities, such as multi-factor authentication, can also provide an additional barrier to an attacker gaining access.
    In this instance, the attack was spotted after the intruder had attempted to manipulate industrial control systems, and in order to ensure the full security of an industrial network, there should be protections in place to detect any suspicious activity before attackers can attempt anything at all.
    That starts with knowing what’s on your network and being able to identify unexpected or unusual activity.

    “First and foremost, it’s just understanding your own attack surface; what do we have exposed? What are the possibilities for third parties or unwanted entities for accessing our environments? Knowing what those avenues are and, after they’ve been identified, securing them,” said Slowik.
    “So that combination of understanding our own networks, hardening our networks, where possible, and then looking for attempts to subvert or break into these environments. It sounds fairly basic but that’s, at least where we need to get started for defending these environments,” he added.

  • Singapore issues FSI guidelines on managing remote work risks

    Singapore has released guidelines on heightened risks businesses in the financial services industry (FSI) now face as remote work practices take hold and how they can mitigate such risks. These include implementing safeguards in their outsourcing arrangements as well as security controls to combat data leaks and fraud. 
    The document aimed to outline key risks associated with a remote workforce for FSI companies and drive the adoption of good practices to manage these risks, said the Monetary Authority of Singapore (MAS) and Association of Banks in Singapore (ABS) in a joint statement Tuesday. 
    A non-profit group representing interests of the FSI, ABS currently has a membership base of 154 local and overseas banks and financial institutions with local operations. Members of its Return to Onsite Operations Taskforce (ROOTS) — specifically, its Workstream 8 team that focused on remote work — had participated in the establishment of the document, including DBS Bank, Standard Chartered Bank, Barclays Bank, Bank of China, and Bank of America. 

    “Remote working requires changes to policies and operational processes, some of which could lead to new risks and risk management challenges,” they said. With organisations expected to extend remote work arrangements and adopt hybrid work models in future, financial institutions would have to remain vigilant and take preemptive steps to manage the risks arising from this work environment.
    In particular, the document highlighted 10 key areas financial institutions should review, such as assessing changes to outsourcing and third-party vendors’ risk profiles amidst the new work environment including their remote working controls and operational resiliency. 
    “Vendors’ infrastructure and controls, including business continuity plans, may not be as robust as the financial institutions’ to allow them to fully manage remote working risks [and] this translates to heightened risks for financial institutions, especially if vendors have access to sensitive information, client data, or connectivity to the financial institutions’ systems, or provide critical services to financial institutions,” the report noted. 
    In addition, vendor services previously provided on-site at the financial institutions’ premises, such as IT development and support, would no longer be under close supervision with remote working. This could lead to higher error rates or delays in service delivery. In its place, financial institutions might conduct alternative procedures such as desktop or virtual reviews, which generally relied more on vendors’ attestations. These were less effective in detecting risk issues, including weaknesses in vendors’ infrastructure, controls, and operational resiliency. 

    Financial institutions should assess such changes and roll out safeguards and contingency plans to ensure service continuity, the document recommended. 
    Organisations also should review the risks and implications of data loss when identifying activities that could be carried out remotely, and put in preventive and detection controls to address these risks. In addition, cybersecurity controls should be in place to ensure employees’ remote working infrastructure, including personal devices, were secured. 
    “To facilitate remote working, financial institutions may have amended information governance policies to allow staff to access customer and other sensitive information when they are working remotely, [where] staff could previously only access such information within the office premises,” the report stated.
    Enabling employees to access customer and other sensitive data remotely heightened inherent risks of data leaks, for instance, through eavesdropping amongst family members, employees browsing online on corporate devices while bypassing corporate proxy or gateway, and staff forwarding sensitive data to personal devices. 
    They should continue to have robust technology risk management practices to manage hardware and software deployed to support large-scale remote working, MAS said. 
    Furthermore, financial institutions would need to keep updated on fraud typologies from remote work environments and roll out the necessary countermeasures, as well as implement guidelines to identify situations where in-person meetings, site visits, and verification against original documents were needed. 
    MAS’ deputy managing director of financial supervision Ong Chong Tee said: “Financial institutions in Singapore have swiftly adapted to remote working and split-team arrangements in response to COVID-19. The operational resilience of our financial institutions during this period reflects the soundness of their business continuity management plans. It also underscores the importance of regular tests through internal drills and industry-wide exercises jointly organised by the MAS and the financial industry.”