More stories

  • DTA goes to market to refresh hardware and software panels

    The Digital Transformation Agency (DTA) has approached the market in search of new suppliers to help refresh four categories of its hardware marketplace.
    The four categories include end-user computing, enterprise computing, video collaboration system devices and services, and mobile phone and smart devices.
    The request for tender (RFT) outlined that the subcategories within end-user computing include desktop computers, notebooks, laptops, monitors, thin clients, and zero clients.
    For enterprise computing, the subcategories comprise servers and enterprise computing, server racks and enclosures, and server rack and enclosure accessories.
    Meanwhile, flat-panel digital displays, electronic whiteboards, video collaboration infrastructure, video conference equipment, and audio-visual integrated systems and soft codec devices are the subcategories contained in video collaboration system devices and services.

    The mobile phones and smart devices category also includes satellite phones and tablet computers as subcategories.
    The DTA said submissions for each of the categories are being accepted by suppliers who are not already listed on the hardware marketplace.
    At the same time, existing panellists that are already admitted into the end-user computing and enterprise computing categories will not have to reapply, but if they wish to also be listed in the other two categories, they will need to apply, the DTA said.
    “The hardware marketplace is intended to be a constantly evolving panel,” the DTA stated in the RFT.
    “Over time, DTA may add, remove or change the categories (or sub-categories) and the requirements for those categories, allow new suppliers to participate in the hardware marketplace.”
    According to the request for tender, key requirements for sellers looking to apply include the ability to provide at least 12 months of vendor support to buyers, an option for buyers to procure additional years of vendor support for all end-user devices and server configurations, and a 10-year parts and labour warranty on server racks and enclosures.
    Closing date for submissions is August 25.
    In June, the DTA had published a request for information seeking feedback on draft plans to add audiovisual and smart devices to the hardware marketplace panel category list. Feedback for the RFI closed July 17.
    The hardware marketplace, when it launched in September 2018, replaced several expired IT procurement panels.
    The DTA called for vendors to join its hardware marketplace in October.
    According to the DTA, annual Commonwealth capital expenditure on the items covered by the hardware marketplace, excluding software and services, is approximately AU$150 million to AU$200 million.
    The DTA added the mobile phones and smart devices category would complement the mobility and satellite services that will be available as part of its “soon to be” established telecommunications marketplace.
    The whole-of-government telecommunications panel, which was scheduled to launch by Q2 2020, will replace the services currently made available to government through the Mobile and Telecommunications Services panels.
    On Wednesday, the DTA also announced plans to refresh its software licensing and services panel within its software marketplace.
    In issuing a request for tender, the DTA has invited new sellers to join Category 2 of the commercial off the shelf (COTS) software panel.
    Existing approved software marketplace sellers of Category 2 do not need to reapply, the DTA said.
    “The purpose of this RFT is to identify one or more sellers to be appointed to the Software Marketplace for the provision of COTS Software and associated services to buyers on an as-required and non-exclusive basis,” the DTA stated.
    According to the RFT, potential suppliers can provide offerings within various software “classes” such as governance, financial, and accounting; medical, scientific, and research; e-commerce and self-service; data management; and cyber and physical security.
    On Monday, tender documents revealed the DTA handed Boston Consulting Group (BCG) a contract to provide support for its controversial COVID-19 contact tracing app. The contract was initially valued at AU$484,000 but following two amendments, it came to a total value of AU$809,380. The start date for the contract was initially scheduled for April 16, but this has now been adjusted to August 1. 
    The DTA also contracted Delv in March to deliver the COVID-19 information app, valued at AU$2.38 million, following an amended value of AU$528,000.
    On April 7, Delv was handed another AU$1.44 million by the Department of Health to develop the COVIDSafe app. 
    In the past few months, the DTA has also awarded Maddocks a AU$12,000 contract to provide legal advice relating to the COVIDSafe app; Vision Australia a AU$14,800 contract to conduct an accessibility audit on the app; and a cybersecurity services contract to Ionize, valued at AU$44,000. 
    Last month, it was revealed that the DTA knew that the app had severe flaws, despite sending it out for public use on 26 April 2020.
    Documents published by the agency showed that Bluetooth encounter logging tests conducted on the day the app went live rated data transmission between locked iPhones (specifically an iPhone X to an iPhone 6) as “poor”, meaning 25% of encounters or fewer were logged.
    It followed software engineer Richard Nelson publishing research that showed locked iPhones were practically useless when it came to logging encounters through COVIDSafe.
    He said a locked iPhone whose ID had expired could not generate a new ID, and that without an ID the device would still record other devices around it but could not itself be recorded by them.
    The DTA said in May that functional and performance testing was conducted for the Apple iOS and Google Android versions of the COVIDSafe App prior to release.
    It said 179 functional tests were conducted, including Bluetooth encounters between various device types, in various states, including the phone being locked and unlocked, and the application being open and not open.
    “All tests satisfied the baseline design requirements,” the DTA said.
    “Performance tests were also conducted against the technical requirements.”
    The DTA previously told ZDNet it continues to welcome feedback on COVIDSafe from the developer community, with previous feedback helping the DTA to improve the app.
    “The DTA will continue to release updates to the COVIDSafe app to deliver a range of performance, security, and accessibility improvements as required,” it said.
    “The Australian community can have confidence the app is working securely and effectively, despite the lack of community transmission of COVID-19.”

  • Naver transfers Hong Kong backup data to Singapore

    South Korea’s Naver said on its official blog page that it has moved user backup data that was stored in Hong Kong to Singapore.
    The data in Hong Kong was destroyed between July 6 and 10 and the server that had been used to store it has been reset, the company said.
    The company’s move comes shortly after China introduced stringent, new national security laws that are aimed at tightening Beijing’s control over the territory.
    The decision to transfer backup data to Singapore was also in response to allegations made by local media that Naver’s sensitive user data stored in Hong Kong was at risk of being leaked and that the Chinese government could access the data at any time.
    Naver said it has never received a request from the Chinese government to hand over data.

    The company also said that it manages data in South Korea and abroad only through its subsidiary Naver Business Platform and does not rely on external third parties. Data is transferred abroad only over a VPN, Naver said.
    “Naver only collects the minimum amount of data such as user name, password, date of birth, gender and phone number, among others, when users subscribe to our services,” the company said.  
    On whether storing its backup data in Hong Kong had been justified, the company said it was common practice for global IT companies to store original data and backup data in different locations to limit the impact of a leak. The company added that Naver users had been notified in September 2016 that their backup data resided in Hong Kong.
    Naver is South Korea’s most used search engine and the company also owns the chat app Line.

  • US adds 11 more Chinese companies to entity list for Uyghur human rights violations

    The United States has added 11 more Chinese companies into its entity list for their alleged involvement in repressing Uyghur Muslims and other Muslim ethnic minorities within China, effectively banning them from purchasing US technology without a licence.
    Nine of those companies were added to the entity list for allegedly putting Uyghur Muslims into forced labour. These companies are OFilm Group, Changji Esquel Textile, Hefei Bitland Information Technology, Hefei Meiling, Hetian Haolin Hair Accessories, Hetian Taida Apparel, KTK Group, Nanjing Synergy Textiles, and Tanyuan Technology, according to the announcement.
    The remaining two companies, Xinjiang Silk Road BGI and Beijing Liuhe BGI, were sanctioned for conducting genetic analyses used to further the repression of Uyghurs and other Muslim minorities, the US Department of Commerce said.
    “Beijing actively promotes the reprehensible practice of forced labor and abusive DNA collection and analysis schemes to repress its citizens,” said US Secretary of Commerce Wilbur Ross. 
    “This action will ensure that our goods and technologies are not used in the Chinese Communist Party’s despicable offensive against defenseless Muslim minority populations.”

    OFilm is allegedly a strategic partner and supplier of various tech companies such as Acer, ASUS, Amazon, Dell, HP, HTC, Huawei, Lenovo, LG, Meizu, Microsoft, Oppo, Samsung, Sony, Vivo, Xiaomi, and ZTE, according to a report published in March by the Australian Strategic Policy Institute (ASPI), a think tank established by the Australian government.  
    The ASPI report added that OFilm manufactured key components of iPhone 8 and iPhone X camera technologies for Apple in 2017. The now-sanctioned company also appears on Apple’s 2019 supplier list.
    Soon after the report was released, LG distanced itself from OFilm and denied having any connections with one of the factories named in the report.
    “LG Electronics expects all of its suppliers to abide by our supplier code of conduct which is very clear on our stance regarding forced labour. LG Electronics has no direct relationship with any company named OFilm,” the Korean chaebol said to ZDNet.
    Meanwhile, Hefei Bitland, another company added to the entity list, says on its website that it is partnered with Google, Haier, Hisense, HTC, HP, and Lenovo.
    China has faced growing condemnation for its treatment of Uyghur Muslims and other Muslim minorities, with numerous reports stating that Chinese authorities have been tracking the movements of these people. There have also been reports of other human rights abuses, such as the installation of spyware on the phones of Uyghur Muslims and the placement of Uyghur Muslims in “re-education” camps.
    Prior to these latest sanctions, since October, 37 Chinese companies had already been added to the entity list for violations related to Xinjiang. The US government has also placed other Chinese technology companies, including Huawei and ZTE, on its entity list and labelled them as national security threats.

  • Global authorities ask video conferencing platforms to revisit privacy obligations

    Six of the world’s privacy commissioners have signed an open letter asking video teleconferencing companies to be mindful of their obligations to comply with the law and handle people’s information responsibly.
    The open letter is signed by six authorities brought together through the Global Privacy Assembly’s International Enforcement Cooperation Working Group: The Office of the Australian Information Commissioner (OAIC), the Office of the Privacy Commissioner of Canada, the Gibraltar Regulatory Authority, the Hong Kong Privacy Commissioner for Personal Data, the Switzerland Federal Data Protection and Information Commissioner, and the UK Information Commissioner’s Office.
    In the wake of the COVID-19 pandemic, there’s been a sharp increase in the use of video conferencing platforms not just to stay connected to friends and family, but for business purposes and telehealth.

    The group said that media reports, as well as concerns raised directly with each member in their respective jurisdictions, indicate that the privacy and security risks accompanying that growth have materialised in some cases.
    “This has given us cause for concern as to whether the safeguards and measures put in place by VTC companies are keeping pace with the rapidly increasing risk profile of the personal information they process,” they wrote.

    The document provides video teleconferencing companies (VTCs) with five principles to consider across security, privacy by design, knowledge of their audience, transparency and fairness, and end-user control.
    “Your organisation should remain constantly aware of new security risks and threats to the VTC platform and be agile in your response to them. We would anticipate that you routinely require users of your platform to upgrade the version of the app they have installed, to ensure that they are up-to-date with the latest patches and security upgrades,” the letter says, under the header of security.
    “Particular attention should also be paid to ensuring that information is adequately protected when processed by third-parties, including in other countries.”
    The letter also calls for VTC companies to ensure they take a privacy-by-design approach to their service, which includes implementing features that allow business users to comply with their own privacy obligations, as well as to minimise the personal information or data captured, used, and disclosed by the product to only that necessary to provide the service.
    With the group noting that COVID-19 has meant platforms and services are being used differently from how they were intended, the letter asks that companies review and identify the new and different environments and users of their platforms.
    “This is particularly important when it comes to children, vulnerable groups, and contexts where discussions on calls are likely to be especially sensitive (in education and healthcare for example), or when operating in jurisdictions where human rights and civil liberty issues might create additional risk to individuals engaging with the platform,” the letter continues.
    Under transparency and fairness, the letter reminds VTCs that failing to tell users how their information is used, and not considering whether what a company is doing is expected and fair, may lead to a violation of the law and of the trust of users.
    “You should be up-front about what information you collect, how you use it, who you share it with (including processors in other countries), and why — even if you do not consider the collection, use or sharing of that information to be particularly significant yourself, it is still important that its use is honestly communicated to the customer at all times,” they wrote.
    The group also asks that VTCs give as much end-user control over privacy and information collection as possible.
    While the letter is addressed to all video conferencing companies, it has also been sent directly to Microsoft, Cisco, Zoom, Houseparty, and Google. The group is seeking responses to its letter from VTC companies by 30 September 2020.

  • Dashlane deal: Secure all your passwords at once with 50% off this password manager

    If you’re one of the millions of people who are now working from home, it’s time to take your security more seriously. The last thing you want is for your work account to be compromised while you’re away from the office. Using a strong, unique password for each account is one of the easiest ways to keep yourself safe, but remembering all of those passwords is a task on its own. That’s why it’s time to get a password manager.
    Password managers make life simple. Instead of needing to remember multiple long, complicated strings of letters, numbers and symbols, all you have to remember is a single master password. Your password manager takes care of the rest, generating a long, random password that is unique to each of your accounts, whether they’re for work or personal use. If you’re ready to lock down your accounts, check out Dashlane, a highly rated password manager that is on sale right now for $29.99.

    Dashlane is one of the most feature-rich and functional password managers around. Whether you’re on desktop or mobile, Mac or Windows, iOS or Android, Dashlane operates at full speed. All you have to do is download the app, log in with your master password, and you’ll have access to every password for every account that you need to secure.
    Dashlane generates strong, unique passwords that you can customize in a click to fit any site’s password requirements. When you visit a site you have an account for, Dashlane automatically fills in your credentials so you don’t have to track down the password every time. You can also trust Dashlane with other sensitive information, including payment cards, which it stores in its encrypted vault. It’s a useful tool for anyone working from home, or anyone who simply wants to make their accounts a little more secure.
    When it comes to password managers, you can’t do much better than Dashlane. It has a 4.6 star rating in the Google Play Store and 4.7 star rating in the Apple App Store with thousands of satisfied users. You can join them by getting a one-year subscription to Dashlane Premium on sale. Valued at $59, you can get it for just $29.99 for a limited time.


  • DOJ indicts two Chinese hackers for attempted IP theft of COVID-19 research

    US prosecutors have announced charges against two Chinese hackers accused of stealing trade secrets from technology and biotech companies, including firms working on COVID-19-related treatment, testing and vaccines. 

    Assistant Attorney General for National Security John Demers said in a Department of Justice press conference Tuesday that the cyber intrusions are examples of China’s “brazen willingness to engage in theft” of intellectual property to advance their competitive edge in key technology sectors.
    As part of a multi-year cyber attack resulting in terabytes of stolen data, Demers said hackers targeted firms in eight of 10 technology sectors, including robotics, aircraft, maritime equipment, clean energy, biotech and advanced rail. More recently, the hackers began targeting the networks of biotech and other firms known to be developing COVID-19 treatments. 
    The DOJ alleges in the 11-count indictment that the hackers were working both for themselves and for the benefit of the Chinese government’s Ministry of State Security.
    “China has now taken its place, alongside Russia, Iran and North Korea, in that shameful club of nations that provide a safe haven for cyber criminals in exchange for those criminals being ‘on call’ to work for the benefit of the state, here to feed the Chinese Communist party’s insatiable hunger for American and other non-Chinese companies’ hard-earned intellectual property, including COVID-19 research,” Demers said in a statement.

    According to the indictment, the hackers were able to gain access to corporate networks by exploiting publicly known software vulnerabilities that in some cases had not yet been patched, and then used that access to install malicious shell programs and credential-stealing software. From there they were able to remotely execute commands on employee computers.
    The hackers, identified as Li Xiaoyu and Dong Jiazhi, were each charged with one count of conspiracy to commit computer fraud, one count of conspiracy to commit theft of trade secrets, one count of conspiracy to commit wire fraud, one count of unauthorized access of a computer, and seven counts of aggravated identity theft. 
    The indictment comes just a week after it was disclosed that state-backed Russian hackers were targeting pharmaceutical companies, healthcare providers, academic research centres and other organisations involved in coronavirus vaccine development. The warning came via an advisory from the UK’s National Cyber Security Centre, with support from the US National Security Agency and Canadian security services.
    Security agencies have previously warned that other nations are also likely to be attempting to steal coronavirus-related research.

  • Microsoft Double Key Encryption enters public preview

    Microsoft announced today the first public preview of a new Microsoft 365 security feature named Double Key Encryption.
    “Double Key Encryption enables you to protect your highly sensitive data while keeping full control of your encryption key,” Microsoft said today.
    “It uses two keys to protect your data – one key in your control, and a second key is stored securely in Microsoft Azure.
    “Viewing data protected with Double Key Encryption requires access to both keys. Since Microsoft can access only one of these keys, your protected data remains inaccessible to Microsoft, ensuring that you have full control over its privacy and security,” it added.
    Microsoft says the new feature was specifically designed for highly regulated industries, such as financial services or healthcare, or for companies that need to safely store sensitive data in the cloud, such as trade secrets, patents, financial algorithms, or user data, and need the highest level of protection to satisfy both regulatory requirements and internal protocols.

    Two example scenarios where Double Key Encryption can help include:
    Scenario 1: Sensitive Intellectual Property: Big Pharma company Contoso would like to move its sensitive information to the cloud, but some formulations of its market-leading drugs need to be kept secure even during migration to the cloud. Using the cloud provider’s key to encrypt the data is not enough security assurance for Contoso, as there is a concern that the cloud provider may grant some third party access to the data or have an operator who may inadvertently decrypt sensitive information (for example, during a technical support call). In such a case, Contoso would like to encrypt the sensitive content with its own key, and then proceed to re-encrypt it with the cloud provider’s key.
    Scenario 2: Regulated Environments: A government agency is about to share confidential information via a cloud platform with some of its contractors. The agency needs to ensure that the information remains opaque to third parties in line with its regulated government data policies. The agency encrypts its content with Double Key Encryption and shares that content via a cloud platform with its contractors, thereby guaranteeing that the cloud provider does not have access to the content and only the intended recipients do.
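The two-key property the scenarios above rely on, as an added worked example (this is not Microsoft’s DKE code and does not reproduce its key-wrapping format): content is encrypted under a key only the customer holds, then that result is encrypted again under a key the cloud provider holds, so the plaintext is only reachable with both keys. The cipher is a stand-in assembled from the Python standard library (HMAC-SHA256 in counter mode for the keystream, with an encrypt-then-MAC tag) so the script runs offline; a production system would use AES-GCM or similar. Key lengths, the nonce layout, the function names and the sample document are assumptions for illustration.

```python
"""Added example (not Microsoft's code): nested two-key encryption.

Models the property the article describes: an inner layer under the
customer's key, an outer layer under the cloud provider's key. Either
party alone recovers only ciphertext. The cipher below is a stand-in
built from the standard library; use AES-GCM or similar in production.
"""
import hashlib
import hmac
import secrets

NONCE_LEN = 16  # assumption: 128-bit random nonce per message
TAG_LEN = 32    # HMAC-SHA256 output length


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: keystream is a function of (key, nonce, counter)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag; the tag binds nonce and ciphertext to `key`."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"tag|" + nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; raise ValueError on a wrong key or a modified blob."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, b"tag|" + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or modified data")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))


def verifies(key: bytes, blob: bytes) -> bool:
    """True if `key` authenticates the outermost layer of `blob`."""
    try:
        decrypt(key, blob)
        return True
    except ValueError:
        return False


def double_encrypt(customer_key: bytes, provider_key: bytes, plaintext: bytes) -> bytes:
    """Inner layer under the customer's key, outer layer under the provider's key."""
    inner = encrypt(customer_key, plaintext)
    return encrypt(provider_key, inner)


def double_decrypt(customer_key: bytes, provider_key: bytes, blob: bytes) -> bytes:
    """Peel the provider layer, then the customer layer: both keys are required."""
    inner = decrypt(provider_key, blob)
    return decrypt(customer_key, inner)


def what_each_party_can_see(customer_key: bytes, provider_key: bytes, blob: bytes) -> dict:
    """What a single key holder recovers from a double-encrypted blob.

    'provider_alone' is what the provider gets after removing its own layer
    (still ciphertext under the customer key); 'customer_alone' is None because
    the customer key does not even authenticate the outer layer.
    """
    provider_view = decrypt(provider_key, blob)
    customer_view = decrypt(customer_key, blob) if verifies(customer_key, blob) else None
    return {"provider_alone": provider_view, "customer_alone": customer_view}


if __name__ == "__main__":
    customer_key = secrets.token_bytes(32)  # held in the customer's own key service
    provider_key = secrets.token_bytes(32)  # held by the cloud provider
    document = b"Formulation 7: 12 mg compound X per 100 mL carrier"  # constructed sample
    blob = double_encrypt(customer_key, provider_key, document)
    print("both keys recover plaintext:", double_decrypt(customer_key, provider_key, blob) == document)
    views = what_each_party_can_see(customer_key, provider_key, blob)
    print("provider alone recovers plaintext:", views["provider_alone"] == document)
    print("customer alone recovers plaintext:", views["customer_alone"] == document)
```

The order of the layers matters for the threat model in Scenario 1: the provider’s key is the outer one, so a provider operator who decrypts “by accident” is left holding the customer-encrypted inner blob rather than the formulation itself, and the tag on the outer layer means a tampered blob is rejected before either party attempts to read it.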
    Double Key Encryption is also integrated with the Azure Information Protection unified labeling capabilities, allowing tenants to create multiple DKE labels, and protect data with different encryption keys, while also applying different group policies and access restrictions based on the users who need to access the data.
    Once a label is deployed, users will be able to apply it to any document and have the file automatically encrypted and protected while it is managed inside a company’s Microsoft 365 account.

    Double Key Encryption will be available starting today as a public preview for Microsoft 365 E5 and Office 365 E5 customers.
    Additional information, such as official documentation and GitHub repositories, will be available later today.

  • Microsoft releases preview of its Dynamics 365 Connected Store and Fraud Protection services


    Microsoft is making a public preview of its Dynamics 365 Connected Store service available as of today, July 21. It’s also rolling out the previously announced Dynamics 365 Fraud Protection with loss prevention and account protection functionality.
    Microsoft provided updates on these two retail-focused apps on Day 1 of its Microsoft Inspire worldwide partner conference, which is a virtual event this year.
    Dynamics 365 Connected Store, which Microsoft initially announced in 2019, uses information collected from edge devices like video cameras and IoT sensors to deliver alerts and recommendations to make retail spaces more efficient. The initial focus of the app is three core scenarios: Shopper Analytics, Queue Management, and Display Effectiveness. Microsoft also is adding “soon” a new Store Traffic and Curbside Queue capability designed to improve shopper safety.
    Microsoft recently announced its intention to buy Orions Systems, which sells AI-powered vision-systems technology that Microsoft plans to integrate with its Connected Store offering.
    As part of the Dynamics 365 Fraud Protection service, Account Protection is meant to help retailers recognize patterns related to e-commerce activity during account creation or attempted account hijacking. Loss Prevention is meant to provide insights around returns and discount fraud. Microsoft officials said these features were available starting July 1.
    Microsoft officials also announced at Inspire that the company has created a Power Platform-based pre-built “return to the workplace” template that officials say will help businesses reopen quickly and safely. The template includes modules for location readiness assessments; a remote check-in and self-screening app; and tools for managing COVID-19 cases and identifying hot spots for safety improvement. Microsoft also is planning to add location management tools for monitoring occupancy, health supplies, safety procedures, and other “facility-related best practices.”