The recent leak of an internal memo to the former Chair of the Federal Energy Regulatory Commission, which was widely reported by national news media, has created a national security setback for the United States. Many are concerned that the disclosure may provide terrorists and other bad actors a roadmap for causing a prolonged nationwide blackout. Perhaps more importantly, the leak undermines the relationship of trust between industry and government agencies that the parties have been working for years to establish; a relationship that is vital to developing a stronger security posture for the electrical grid and in other critical infrastructure sectors. In an article published in Intelligent Utility Update, Hunton & Williams partner Paul M. Tiao discusses the effects of the leak on national security and on the relationship between the energy industry and the government.
Michael Behan writes in:
Perhaps you guys can make this one better. Haven’t put a ton of thought into it:
C:\> (echo HTTP/1.0 200 OK & wmic process list full /format:htable) | nc -l -p 3000
Then visit http://127.0.0.1:3000
This could of course be used to generate a lot more HTML reports via wmic that are quick to save from the browser. The downside is that in its current state the page can only be visited once. Adding something like /every:5 just pollutes the web page with mostly duplicate output.
Assuming you already have netcat (nc.exe) on the system, the command above will work fine, but it will only work once. After the browser receives the data the connection has been used and the command is done. To do this multiple times you must wrap it in an infinite For loop.
C:\> for /L %i in (1, 0, 2) do (echo HTTP/1.0 200 OK & wmic process list full /format:htable) | nc -l -p 3000
This will count from 1 to 2 and count by 0, which will never happen (except for very large values of 0). Alternatively, we could use the wmic command to request this information from the remote machine directly and view it in our browser. This method authenticates to the remote machine instead of exposing the information to anyone who can reach the listening port.
C:\> wmic /node:joelaptop process list full /format:htable > joelaptopprocesses.html && start joelaptopprocesses.html
This will use your current credentials to authenticate to the remote machine, request the remote process in html format, save it to a file, and finally open the file in your default viewer (likely your browser). If you need to use separate credentials you can specify /user:myusername and /password:myP@assw0rd.
Hal, your turn, and I want to see this in nice HTML format. :)
Hal throws up some jazz hands:
Wow. Tim seems a little grumpy. Maybe it's because he can make a simple web server on the command line but has no way to actually request data from it via the command line. Don't worry Little Tim, maybe someday...
Heck, maybe Tim's grumpy because of the dumb way he has to code infinite loops in CMD.EXE. This is a lot easier:
$ while :; do ps -ef | nc -l 3000; done
Frankly, most browsers will interpret this as "text/plain" by default and display the output correctly.
But the above loop got me thinking that we could actually stack multiple commands in sequence:
while :; do
    ps -ef | nc -l 3000
    netstat -anp | nc -l 3000
    df -h | nc -l 3000
done
Each connection will return the output of a different command until you eventually exhaust the list and start all over again with the first command.
OK, now let's deal with grumpy Tim's request for "nice HTML format". Nothing could be easier, my friends:
$ while :; do (echo '<pre>'; ps -ef; echo '</pre>') | nc -l 3000; done
Hey, it's accepted by every major browser I tested it with! And that's the way we do it downtown... (Hal drops the mic)
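As an added example (this is not code from the Command Line Kung Fu post or its authors), here is a bash version of Hal's loop that finishes the job the bare `<pre>` trick leaves undone: it emits a real status line, a Content-Type header and a Content-Length, and it HTML-escapes the command output, so that `<`, `>` or `&` appearing in a process's command line cannot be rendered as markup by the viewing browser. It also binds the listener to 127.0.0.1, since an unauthenticated `nc -l` serves the report to anyone who can reach the port (the point Tim's `wmic /node` variant makes). It assumes an nc that accepts the `nc -l <address> <port>` form (OpenBSD netcat or ncat); netcat-traditional needs `-p`/`-s` instead. The function names are my own.

```shell
#!/bin/bash
# Added example, not code from the Command Line Kung Fu post.
# Wraps a command's output in a complete HTTP/1.0 response with escaped HTML,
# then serves one report per connection on the loopback address.
# Assumes an nc that accepts "nc -l <addr> <port>" (OpenBSD netcat, ncat).

# Escape &, < and > so command output cannot be interpreted as markup.
# & is replaced first; otherwise the entities just created would be re-escaped.
html_escape() {
    sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g'
}

# Wrap stdin in a minimal HTML document; the title is escaped as well.
html_page() {
    local title
    title="$(printf '%s' "$1" | html_escape)"
    printf '<!DOCTYPE html>\n<html><head><meta charset="utf-8"><title>%s</title></head>\n' "$title"
    printf '<body><h1>%s</h1><pre>\n' "$title"
    html_escape
    printf '</pre></body></html>\n'
}

# Full HTTP/1.0 response: status line, headers, blank line, body. With an
# explicit Content-Type the browser no longer has to guess, as it does for
# the bare "ps -ef | nc -l 3000" version.
http_response() {
    local body
    body="$(cat; printf x)"   # sentinel keeps trailing newlines through $(...)
    body="${body%x}"
    printf 'HTTP/1.0 200 OK\r\n'
    printf 'Content-Type: text/html; charset=utf-8\r\n'
    printf 'Content-Length: %d\r\n' "$(printf '%s' "$body" | wc -c | tr -d ' ')"
    printf 'Connection: close\r\n'
    printf '\r\n'
    printf '%s' "$body"
}

# Serve a fresh run of the given command on every connection, forever.
# Bound to 127.0.0.1 so the report is not offered to the whole network.
serve_report() {
    local port="$1"; shift
    while :; do
        "$@" 2>&1 | html_page "$*" | http_response | nc -l 127.0.0.1 "$port"
    done
}

# Usage (run by hand; nothing is started when the file is merely sourced):
#   serve_report 3000 ps -ef
#   then visit http://127.0.0.1:3000/
```

The sentinel trick in `http_response` matters only because `$(...)` strips trailing newlines, which would make the Content-Length disagree with the bytes actually sent; a browser that honours the header would then truncate the page.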
On March 25, 2014, the Article 29 Working Party adopted Opinion 03/2014 (the “Opinion”) providing guidance on whether individuals should be notified in case of a data breach.
The Opinion goes beyond considering the notification obligations contained in the e-Privacy Directive 2002/58/EC, which requires telecommunications service providers to notify the competent national authority of all data breaches. The Directive also requires notification (without undue delay) to the affected individuals when the data breach is likely to adversely affect the personal data or privacy of individuals, unless the service provider has satisfactorily demonstrated that it has implemented appropriate technological safeguards that render the relevant data unintelligible to unauthorized parties and that these measures were applied to the data concerned by the security breach.
Adding to the general notification obligation under the proposed EU General Data Protection Regulation (the “Proposed Regulation”), the Opinion provides a non-exhaustive list of examples of data breaches from multiple sectors, where individuals should be notified. In each case, the Opinion also gives examples of technical measures that could have prevented a notification obligation had they been in place prior to the data breach.
The Opinion lists examples of cases where notification to the affected individuals would not be required, such as a confidentiality data breach that only concerns either encrypted data with a state of the art algorithm or salted/keyed, hashed data with a state of the art hash function (assuming all the relevant keys and salts are not compromised). The Opinion also discusses various considerations companies face when assessing whether or not to notify affected individuals, emphasizing the need to factor in likely secondary adverse effects on the individuals and indicating that companies should notify even if only one individual is affected.
According to the Opinion, providing notification in the example cases constitutes a good practice pending the adoption of the Proposed Regulation. The European Parliament recently formally adopted the compromise text of the Proposed Regulation. The next steps for the Proposed Regulation are for the EU Council of Ministers to formulate a position and for trilateral negotiations between the European Commission, Parliament and Council to begin.
On March 28, 2014, the Federal Trade Commission announced proposed settlements with Fandango and Credit Karma stemming from allegations that the companies misrepresented the security of their mobile apps and failed to secure consumers’ sensitive personal information transmitted using their mobile apps.
The FTC alleged that Fandango and Credit Karma did not take reasonable steps to secure their mobile apps, including by overriding the industry standard Secure Sockets Layer (“SSL”) certificate validation process. According to the FTC, by disabling the SSL process, the companies undermined the security of the apps’ communications; any information the apps sent or received could be intercepted by hackers. This type of vulnerability is especially problematic with respect to sensitive transactions on public Wi-Fi networks.
The settlements require Fandango and Credit Karma to establish comprehensive security programs and undergo independent biennial security assessments for 20 years. The companies also are barred from misrepresenting the privacy or security of their products and services.
Read the FTC’s Business Center Blog post regarding the settlements.
On March 20, 2014, Australia’s Privacy Amendment (Privacy Alerts) Bill 2014 was re-introduced in the Senate for a first read. The bill, which was subject to a second reading debate on March 27, 2014, originally was introduced on May 29, 2013, but it lapsed on November 12, 2013 at the end of the session.
As we previously reported, if passed, the bill would amend the Privacy Act 1988 by introducing a mandatory breach notification requirement for “serious data breaches.” The proposed definition of “serious data breach” includes a harm threshold: pursuant to the bill, the breach notification obligation would be triggered if unauthorized access to, or disclosure of, personal information would result in a “real risk of serious harm” to the individual to whom the information relates. In the event an organization “believes on reasonable grounds” that there has been a “serious data breach,” the organization would be required, as soon as practicable, to notify affected individuals and submit a copy of the notification to the Australian Privacy Commissioner. The bill also contemplates notification methods, and would allow the Privacy Commissioner to exempt organizations from the notification requirement under certain circumstances.
UPDATE: Based on further analysis along with discussions with journalists, it appears that this credit card dump contains valid, but older card data that had been previously disclosed. To date, there is no solid evidence this represents a new breach.
The last couple of weeks have seen tensions rising between Russia and Ukraine, and along with it an increase in computer crime.
Sometime earlier this morning, a post allegedly by Anonymous Ukraine has claimed to have published “more than 800 million credit cards” by releasing four archives: Visa, Mastercard, American Express, and Discover cards. Based on the initial analysis by Risk Based Security, the number appears to come to a total of 955,579 cards.
While such an attack does not appear to be directly related to the political strife between Ukraine and Russia, it does raise significant issues for card processors and consumers if the leak is legitimate.
Anonymous Ukraine has posted a short message to Pastebin that includes the following:
Today we publish the first part of our exposure of the international financial system Visa, MC, Discover & Amex, enslaved people around the world. More than 800 million credit cards. Over a trillion dollars.
Each of the four archives appears to have valid card numbers, bank routing numbers, and full names. The dump of information does not contain the credit card CCV (Card Verification Value) or card expiry information. Without this information, committing fraud with the leaked information may be more difficult.
At this time, there is no indication where the data comes from or if it is from a single source or multiple. Risk Based Security and the DatalossDB project will continue to examine the data and investigate in hopes of determining more information about the breach.
Update 7:40P EST – In addition to the 1 million cards disclosed earlier, Anonymous Ukraine has followed up with an additional leak of over 6 million more cards announced in a Tweet. Initial analysis of the new dump by RBS shows 6,064,823 new cards. That breaks down to 668,279 American Express, 3,255,663 Visa, 1,778,749 Mastercard, and 362,132 Discover. Counting the disclosure earlier today and the subsequent dump, the grand total now sits at 7,020,402. Upon cursory examination, a majority of cards seem to come from United States banks. Among the information released, approximately 4,000 come with full user data including social security number, credit card, card expiry, name, pins, floats, dates of birth, states, and zip codes. The new Pastebin dump from the group also suggests the data may come from ATMs or POS systems.
Justin Searle is a Managing Partner of UtiliSec, specializing in Smart Grid security architecture design and penetration testing. Justin led the Smart Grid Security Architecture group in the creation of NIST Interagency.
Michael Assante is an internationally recognized thought leader in cyber security of industrial control systems. Assante held the position of Vice President and Chief Security Officer at the North American Electric Reliability Corporation and oversaw the implementation of cyber security standards across the North American electric power industry.
Matthew E. Luallen is a well-respected information professional, researcher, instructor, and author. Mr. Luallen serves as the president and co-founder of CYBATI, a strategic and practical educational and consulting company. CYBATI provides critical infrastructure and control system cybersecurity consulting, education, and awareness.
Jonathan Pollet, Founder and Principal Consultant for Red Tiger Security, USA has over 12 years of experience in both Industrial Process Control Systems and Network Security.
President Obama’s Executive Order 13636 on Improving Critical Infrastructure Cybersecurity identified “insurance liability considerations” as an incentive that might improve security. Over the course of the year since the Executive Order was issued, there has been an increase in the marketing of cyber insurance products. In an article published in Law360, Hunton & Williams Insurance Litigation & Counseling partner Lon Berk discusses how most cyber insurance policies currently available do not protect against major risks to critical infrastructure. Since the Executive Order, insurers have taken steps to restrict coverage, resulting in a reduction in the protection of critical infrastructure against cyber attacks.
Join us in New York City on May 19-20, 2014, for the Privacy, Policy & Technology Summit – A High Level Briefing for Today’s Top Privacy Executives. Lisa Sotto, partner and head of the Global Privacy and Cybersecurity practice at Hunton & Williams LLP will be a featured speaker at the session on “Cybersecurity: Insider Tips for Proactively Protecting Your Company and Its Data While Reducing Downstream Regulatory and Litigation Exposure.”
Other sessions will cover timely topics such as social media, Big Data, managing vendors and third party relationships, risk management and protecting data during transactions.
On March 18, 2014, Hunton & Williams’ Global Privacy and Cybersecurity practice group hosted the latest webcast in its Hunton Global Privacy Update series. The program focused on some of the recent developments in privacy, including observations from the International Association of Privacy Professionals’ Global Privacy Summit in Washington, D.C., earlier this month, the National Institute of Standards and Technology final Cybersecurity Framework and the Article 29 Working Party’s recent Opinion on Binding Corporate Rules and Cross-Border Privacy Rules.
Listen to a recording of the March 2014 Hunton Global Privacy Update.
Previous recordings of the Hunton Global Privacy Updates may be accessed under the Multimedia Resources section of our privacy blog.
Hunton Global Privacy Update sessions are 30 minutes in length and are scheduled to take place every two months. The next Privacy Update is slated for May 14, 2014.
The Department of Health and Human Services’ Office for Civil Rights (“OCR”) recently announced that it intends to survey up to 1,200 covered entities and business associates to determine their suitability for a more fulsome HIPAA compliance audit. In a notice published in the Federal Register, OCR stated that the survey will collect information such as “number of patient visits or insured lives, use of electronic information, revenue, and business locations” to assess the organizations’ “size, complexity and fitness” for an audit.
The Health Information Technology for Economic and Clinical Health (“HITECH”) Act requires OCR to “provide for periodic audits to ensure that covered entities and business associates” are complying with the HITECH Act and its implementing regulations. HHS conducted an audit of 115 covered entities in 2012. That audit found that compliance with the HIPAA Security Rule was lacking – notably, roughly 2 out of 3 of audited entities did not have a complete and accurate risk assessment. It also found that many entities were unaware of specific HIPAA Privacy Rule requirements, such as the obligation to provide a notice of privacy practices to individuals.
Although the total number of audits in 2014 is uncertain, expanding the audit program will provide a clearer picture of the extent of HIPAA compliance by business associates.
Read about our prior coverage of the HIPAA audit protocol.
On March 18, 2014, Brazilian lawmakers announced the withdrawal of a provision in pending legislation that would have required Internet companies to store Brazilian users’ data within the country.
The Marco Civil da Internet (“Marco Civil”), a draft bill introduced in the Brazilian Congress in 2011, proposes Brazil’s first set of Internet regulations, including requirements regarding personal data protection and net neutrality. As we previously reported, the Marco Civil received renewed attention last year in the wake of revelations that the U.S. National Security Agency’s PRISM surveillance program may have monitored digital communications in Brazil. In response, the Marco Civil was amended to add a local data storage requirement for Brazilian data. The provision generated controversy and opposition from Internet companies that claimed complying with the requirement would be expensive and burdensome.
According to reports, the legislation now states that global Internet companies “are subject to Brazilian laws in cases involving information on Brazilians even if the data is stored abroad.”
On March 18, 2014, a new French consumer law (Law No. 2014-344) was published in the Journal Officiel de la République Franҫaise. The new law strengthens the investigative powers of the French Data Protection Authority (the “CNIL”) by giving the CNIL the ability to conduct online inspections.
Currently, the CNIL may conduct three types of investigations:
- On-site inspections – the CNIL may visit a company’s facilities and access anything that stores personal data (e.g., servers, computers, applications). On-site inspections currently represent the vast majority of the inspections conducted by the CNIL.
- Document reviews – these inspections allow the CNIL to require an entity to disclose documents or files (upon written request).
- Hearings – the CNIL may summon representatives of organizations to appear for questioning and to provide other necessary information.
Further to its new online inspection authority, now the CNIL also may identify violations of the French Data Protection Act through remote investigations. For example, this new investigative power will enable the CNIL to check whether online privacy notices comply with French data protection law, and to verify whether entities obtain users’ prior consent before sending electronic marketing communications.
The CNIL emphasized that the new online investigations will concern only publicly available data, and that the law does not give the CNIL the right to circumvent security measures to gain access to information systems.
In 2013, the CNIL conducted 414 inspections. In light of this new online investigation tool, even more inspections are likely in 2014.
On the 25th anniversary of his first proposal for what would become the World Wide Web (the “Web”), Sir Timothy John “Tim” Berners-Lee expressed concern at what he sees as the increasing threat that governments and commercial interests pose to the openness and accessibility of the Web. In a wide-ranging interview with the UK’s The Guardian newspaper, Berners-Lee criticized the approach that some lawmakers have taken on issues such as net neutrality and copyright legislation, as well as the decision by some countries to limit access to the wider Internet. He also called for an end to the control that the U.S. Department of Commerce exerts over the Internet Domain Name System.
To address these concerns, Berners-Lee has proposed the creation of a “global constitution,” a digital equivalent of the Universal Declaration of Human Rights, to guarantee the free flow of information and to foster collaboration and creativity over the open Web. This proposal is being presented by the Web We Want campaign, which is overseen by the World Wide Web Foundation. The campaign will provide small grants to organizations that promote the principles of open access to the Web, and aim to raise public awareness of these issues. Whether the campaign will lead to tangible change remains to be seen, but it is clear that the debate over the question of online rights is far from over.
The Federal Trade Commission recently acted on three industry proposals in accordance with the new Children’s Online Privacy Protection Rule (the “COPPA Rule”) that came into effect July 1, 2013. Specifically, the FTC determined that it was unnecessary to rule on a proposed parental consent mechanism, approved a proposed “safe harbor” program and is seeking public comment on a separate proposed “safe harbor” program.
The COPPA Rule requires operators of certain websites and online services to obtain a parent’s consent before collecting personal information online from a child under the age of 13. In addition to the acceptable methods for obtaining the required parental consent listed in the COPPA Rule, the FTC’s revisions also allow entities to propose their own parental consent mechanisms for approval by the Commission. On February 25, 2014, the FTC determined that it was unnecessary to rule on a proposed parental consent mechanism submitted by iVeriFly, Inc. (“iVeriFly”) because iVeriFly’s proposal was merely a variation on existing parental consent mechanisms already recognized by the COPPA Rule or approved by the FTC.
In addition, the COPPA Rule permits industry to propose self-regulatory guidelines that implement the COPPA Rule’s protections. If the FTC approves a set of self-regulatory guidelines, companies that comply with those guidelines are protected (i.e., receive “safe harbor”) from FTC enforcement under the COPPA Rule. On February 12, 2014, the FTC announced that it approved a safe harbor program submitted by the kidSAFE Seal Program (“kidSAFE”). In the announcement, the FTC stated that kidSAFE’s self-regulatory guidelines provided the “same or greater protections” for children under the age of 13 as those contained in the COPPA Rule.
On March 14, 2014, the FTC announced that it was seeking public comment on a separate proposed safe harbor program submitted by the Internet Keep Safe Coalition (“iKeepSafe”). The public comment period is open until April 21, 2014.
On March 13, 2014, the European Parliament voted to adopt the draft directive on measures to ensure a uniform level of network and information security (“NIS Directive”). The NIS Directive was proposed by the European Commission on February 7, 2013 as part of its cybersecurity strategy for the European Union. The NIS Directive aims to ensure a uniform level of cybersecurity across the EU. The European Parliament will next negotiate with the Council of the European Union to reach an agreement on the final text of the NIS Directive.
On March 12, 2014, the European Parliament formally adopted the compromise text of the proposed EU General Data Protection Regulation (the “Regulation”). The text now adopted by the Parliament is unchanged and had already been approved by the Parliament’s Committee on Civil Liberties, Justice and Home Affairs in October of last year. The Parliament voted with 621 votes in favor, 10 against and 22 abstentions for the Regulation.
In addition to adopting the compromise text of the Regulation, the Parliament adopted the compromise text of the Police and Criminal Justice Directive (the “Directive”).
The next steps for both the Regulation and the Directive are for the EU Council of Ministers to formulate a position and for trilateral negotiations between the European Commission, Parliament and Council to begin.
Safe Harbor Suspension
The Parliament also passed a resolution setting forth its findings and recommendations regarding the National Security Agency (“NSA”) surveillance program. Among other things, the resolution calls for:
- withholding the Parliament’s consent to the Transatlantic Trade and Investment Partnership if European data protection principles are not fully respected;
- suspending the Terrorist Finance Tracking Program until alleged breaches of the underlying data disclosure agreements have been fully clarified; and
- suspending the Safe Harbor Framework immediately, alleging it does not adequately protect European citizens.
The Parliament’s resolution does not have immediate consequences for the validity of the Safe Harbor Framework. The underlying agreements relating to the Safe Harbor Framework were entered into by the European Commission, and in Europe, the Commission alone is in a position to formally renegotiate the agreements.
On March 7, 2014, the Department of Health and Human Services (“HHS”) announced a resolution agreement and $215,000 settlement with Skagit County, Washington, following a security breach that affected approximately 1,600 individuals.
The HHS Office for Civil Rights (“OCR”) investigated Skagit County after learning that unauthorized individuals had accessed receipts containing the protected health information (“PHI”) of patients of Skagit County’s Public Health Department. The receipts had been mistakenly stored on a publicly accessible server. During the investigation, OCR discovered that more PHI had been exposed in the incident, including information regarding the testing and treatment of infectious diseases. In the resolution agreement, OCR alleged that Skagit County had violated (1) the Privacy Rule by improperly disclosing PHI, (2) the Breach Notification Rule by not notifying all affected individuals, and (3) the Security Rule by failing to implement policies and procedures to prevent security violations and ensure compliance with the Security Rule and by not training its workforce.
Pursuant to the resolution agreement, Skagit County has agreed to pay a $215,000 settlement to HHS. In addition, the Corrective Action Plan attached to the resolution agreement requires Skagit County to:
- provide substitute breach notification in print or broadcast media to all of the individuals affected by the incident;
- submit its accounting of disclosures procedure, hybrid entity documentation and sample business associate agreement to HHS for review;
- conduct a risk analysis as required by the Security Rule;
- create or revise its HIPAA policies and procedures; and
- provide HIPAA training to its workforce.
In announcing the resolution agreement, Susan McAndrew, Deputy Director of Health Information Privacy at OCR, stated that the case “sends a strong message” to local and county governments that they must “adopt a meaningful compliance program to ensure the privacy and security of patients’ information.”
On March 10, 2014, the German Federal Commissioner for Data Protection and Freedom of Information and all 16 German state data protection authorities responsible for the private sector issued guidelines on the use of closed-circuit television (“CCTV”) by private companies. The guidelines provide information regarding the conditions under which CCTV may be used and outline the requirements for legal compliance. The guidelines feature:
- general explanations of the legal framework, including the definitions of CCTV and public space, the legal requirements for assessments, required security measures, notice obligations and retention periods for images;
- examples of how CCTV may be used by private companies in the public space (e.g., retail stores, restaurants), and a discussion of employee monitoring and other CCTV monitoring in non-public spaces; and
- a list of questions that may be used as a checklist for data controllers and corporate data protection officers.
The Centre for Information Policy Leadership at Hunton & Williams LLP (the “Centre”) announces Markus B. Heyder, International Consumer Protection Counsel at the U.S. Federal Trade Commission, will be joining as Vice President and Senior Policy Counselor, effective March 17, 2014. In this role, Heyder will work on policy development, research and publishing activities at the Centre, and will develop and maintain relationships with policy and regulatory authorities in North America, Asia and Latin America, among other tasks. He will be resident in the firm’s Washington, D.C. office.
“Markus has a distinguished reputation as a privacy lawyer and brings an impressive background in global data privacy, information security and consumer protection law and policy, including with the FTC, the primary U.S. privacy authority. His 20 years of experience will be an asset to Centre member companies as we work together with regulators to explore more effective solutions to the privacy challenges we face in the information age,” said Bojana Bellamy, president of the Centre. “We are privileged to have Markus on board. His leadership will enhance the effectiveness and visibility of the Centre in the United States, Latin America and Asia-Pacific.”
“I am excited about both the challenges and opportunities this role brings and look forward to working with Centre members on our common mission,” said Heyder, who served in the FTC’s Office of International Affairs in Washington, D.C. for over 10 years. At the FTC, he specialized in the areas of privacy, information security, consumer protection, international policy development, cross-border enforcement, and cooperation and information sharing. Immediately prior to his government work, Heyder was associated with Lovells (now Hogan Lovells) in Chicago, where he focused on privacy law, consumer financial services law, financial privacy law and e-commerce.
In this tech segment we're going to talk about regular expressions in Python. We're going to be using Perl-style regular expressions, usually referred to as "PCRE". PCRE is used in many places outside of Python, such as Snort and other IDS signatures; in most places you see regular expressions, they will be PCRE. Regex is a language, but it's far more restricted than a normal programming language.
If you need to perform any complex string search and replace, you're probably going to use regular expressions. As the famous saying goes, Some people, when confronted with a problem, think “I know, I'll use regular expressions.” Now they have two problems.
So I'm going to teach you how to create some problems for yourself.
I'm going to put the testing strings in the show notes. If you want to play along, you don't need to install Python; we're going to use pythex, an online regular expressions tester. I think this is the best way to demonstrate regular expressions without getting too bogged down in the context of code.
On March 6, 2014, the U.S. Federal Trade Commission (“FTC”) and UK Information Commissioner’s Office (“ICO”) signed a memorandum of understanding (“MOU”) to promote increased cooperation and information sharing between the two enforcement agencies.
The purpose of the MOU is to facilitate mutual assistance and the exchange of information in investigating and enforcing privacy violations. The MOU follows a number of international efforts to increase cross-border cooperation in privacy enforcement, including the OECD Recommendation on Cross-border Co-operation in the Enforcement of Laws Protecting Privacy, the GPEN Action Plan, the International Conference of Data Protection and Privacy Commissioners Resolution on International Enforcement Coordination, and the APEC Cooperation Arrangement for Cross-border Privacy Enforcement. In the increasingly interconnected and globalized world of today’s information age, regulators are recognizing the need to join forces to effectively investigate alleged privacy breaches and bring multilateral enforcement actions against companies operating in multiple jurisdictions.
In order to further common interests of cooperation, research and education, knowledge-sharing, and better understanding, the MOU sets out the FTC’s and ICO’s intentions, including to:
- share information (including complaints);
- provide investigative assistance in appropriate cases, such as obtaining evidence in the local jurisdiction on behalf of the other agency;
- consider joint training programs and staff exchange; and
- coordinate enforcement actions for privacy violations constituting breaches in both jurisdictions.
On its website, the ICO stated that the MOU will allow for closer cooperation between both organizations. The two agencies cooperated previously on a number of joint initiatives, including enforcing do-not-call and telemarketing laws. The ICO also has entered into a number of other memoranda of understanding with other authorities.
On March 6, 2014 the Article 29 Working Party (the “Working Party”) published a comprehensive Opinion: Opinion 02/2014 on a referential for requirements for Binding Corporate Rules submitted to national Data Protection Authorities in the EU and Cross-Border Privacy Rules submitted to APEC CBPR Accountability Agents. This blog post provides an overview of the Opinion.
Experts from EU data protection authorities (“DPAs”), along with their counterparts from the Asia-Pacific Economic Cooperation (“APEC”) Data Privacy Sub-Group developed a practical tool (the “Referential”) to reflect the respective requirements of the Binding Corporate Rules (“BCR”) and the Cross-Border Privacy Rules (“CBPR”) systems. The Referential lists the main elements generally required for submission of BCR to EU DPAs on the one hand, and those required to submit CBPRs to APEC CBPR recognized Accountability Agents on the other hand. The Referential was endorsed by APEC Senior Officials at their meeting on February 27-28, 2014, and the Working Party adopted its Opinion during its plenary meeting that took place on February 26-27, 2014.
Practical Checklist and Double Certification
The aim of the Referential is to provide an informal, practical checklist and comparative tool for organizations applying for BCR authorization and/or CBPR certification. It was developed to facilitate the design and adoption of data protection policies that comply with both systems. Although the Referential does not establish mutual recognition of both systems, according to the Working Party, it is intended to facilitate double certification. The Working Party also emphasizes that data protection policies of applicant companies operating in both regions must be approved separately by the relevant institutions in accordance with the applicable approval procedures for each system.
Common Requirements and Additional Elements
For each of the essential principles and requirements of the BCR and CBPR systems, the Referential lists the common elements as well as the additional elements that are specific to each system. The Working Party explicitly states that these additional elements must be taken into account by organizations applying for BCR or CBPR approval, but that the Referential does not affect individual authorization of BCR by EU DPAs or the certification of CBPR by APEC Accountability Agents. Further, the Referential does not affect enforcement by the relevant supervisory and/or enforcement authorities.
No Full Compatibility
The Working Party notes that significant differences exist between the requirements generally imposed by EU DPAs for BCR approval (in particular those deriving from EU data protection laws) and the CBPR program requirements. There also are differences between the respective objectives, scopes and review processes of the BCR and CBPR systems. Accordingly, certain BCR and CBPR requirements are not fully compatible.
Recommendations and Guidelines for Applicant Organizations
The Working Party recommends that applicant organizations provide clarity regarding their scope of data protection and privacy rules in order to avoid conflict with applicable laws. According to the Working Party, organizations must clearly specify in their applications the circumstances under which they intend to apply EU data protection laws and/or APEC CBPR program requirements.
The Working Party also notes that an organization’s data protection and privacy rules should be tailor-made to reflect the structure of the corporate group to which they apply, the data processing undertaken by the corporate group, and the policies and procedures that they have in place to protect personal data – EU DPAs and APEC Accountability Agents will not accept a straight “copy and paste” of the Referential.
In terms of scope of the two systems, the Working Party clarifies that CBPR certification is limited to organizations certified within a CBPR-participating Economy, and the scope of a particular organization’s CBPR certification will be limited to the entities, subsidiaries and affiliates identified in its application for CBPR certification. Similarly, the scope of a particular organization’s BCR will be limited to those entities, subsidiaries and affiliates identified in its application for BCR approval. An organization that wishes to transfer personal data from EU Member States to recipients located in non-EU countries may submit an application to the relevant national DPA in the EU for approval of its BCR.
If properly approved, the data protection and privacy rules applicable to cross border transfers of personal data can serve as the corporate group’s policy for all personal data processed by the corporate group as defined pursuant to its BCR and CBPR. Nevertheless, the Working Party emphasizes that EU data protection law requirements also apply where personal data is processed in the EU and, where personal data is processed in an APEC Economy, the laws of the relevant jurisdiction will apply.
The Department of Health and Human Services’ Office for Civil Rights (“OCR”) recently released guidance about the use and disclosure of mental health information. The guidance, entitled “HIPAA Privacy Rule and Sharing Information Related to Mental Health,” contains thirteen questions and answers that address the following topics:
- Communicating mental health information to a patient’s family or friends;
- Restricting the use and disclosure of psychotherapy notes;
- Determining when a patient’s mental illness makes him or her incapacitated under the Privacy Rule;
- Discussing the mental health conditions of minors with their parents;
- Contacting law enforcement if a doctor is concerned about the patient’s safety or that the patient might harm someone else;
- Disclosing to law enforcement when a patient is released after a temporary psychiatric hold; and
- Sharing of a student’s mental health information by a school administrator, doctor or nurse and how such information is subject to the Family Educational Rights and Privacy Act.
In releasing the guidance, OCR noted that ensuring strong privacy protections is “critical to maintaining individuals’ trust in their health care providers and willingness to obtain needed health care services, and these protections are especially important” with respect to mental health information.
On March 5, 2014, the French Data Protection Authority (the “CNIL”) issued new guidelines in the form of five practical information sheets that address online purchases, direct marketing, contests and sweepstakes, and consumer tracking (the “Guidelines”).
In the context of online purchases, the Guidelines make clear that online merchants must limit their use of bank card numbers and visual cryptograms. Once the transaction is complete, the merchants should not store or reuse the bank details of their customers without the customers’ prior consent. Although visual cryptograms should not be retained at all, the merchant may archive bank card numbers for up to 15 months (i.e., the time period during which a cardholder may challenge a charge).
Direct Marketing by Mail and Telephone
The Guidelines also focus on direct marketing by mail and telephone, reiterating that companies must (1) inform individuals of any possible commercial use of their personal data (either by the company itself or by business partners), and (2) enable individuals to object to such use when their data are collected.
Direct Marketing by Email, SMS and MMS
Turning to electronic direct marketing, the Guidelines note that, with a few exceptions, companies must obtain the individual’s prior consent (“opt-in”) to send marketing communications by email, SMS and MMS.
Contests, Sweepstakes and Refer-a-Friend Programs
With respect to contests and sweepstakes, the Guidelines emphasize that web users must be able to participate in online contests without being obligated to receive commercial communications. The Guidelines further clarify that the players’ electronic contact details may not be used for marketing purposes, except with the individual’s explicit consent.
Finally, the Guidelines address the issue of consumer tracking and the fact that the individual’s prior consent must be obtained when using geolocation information for commercial purposes, and when placing or accessing cookies or any other similar technologies on the user’s device. In certain cases, some cookies may, however, be placed without the users’ prior consent. For example, if the cookies are used for security purposes with respect to a service requested by the user (such as online access to the user’s bank account information).
The CNIL issued these Guidelines to increase merchant and consumer awareness and to help all parties understand their respective rights and obligations under French data protection law. In 2012, 20% of the complaints the CNIL received were related to commercial practices, in particular, direct marketing. When conducting inspections, the CNIL found that the majority of French data protection law violations pertained to unfair or illicit collection of personal data, failing to provide (or providing inaccurate) information to individuals, and not honoring the right to object to personal data processing.
Join us at the International Association of Privacy Professionals (“IAPP”) Global Privacy Summit in Washington, D.C., March 5-7, 2014. Hunton & Williams privacy professionals will be featured speakers in the following sessions:
- Protecting Privacy under the Cybersecurity Microscope
Thursday, March 6, 10:45 a.m.
Speakers include: Lisa J. Sotto, partner and head of the Global Privacy and Cybersecurity practice, Hunton & Williams LLP; Victoria King, Global Privacy Officer, United Parcel Service, Inc.; and Karen Neuman, Chief Privacy Officer, U.S. Department of Homeland Security.
- Thinking Ahead vs. Keeping Up: The Challenge to Think Strategically
Thursday, March 6, 10:45 a.m.
Fred H. Cate, Senior Policy Advisor of the Centre for Information Policy Leadership at Hunton & Williams LLP and Distinguished Professor of Indiana University, will moderate the session. Speakers include: Sharon Anolik, President, Privacy Panacea; Stanley Crosley, Director, Indiana University CLEAR Health Information, Crosley Law Offices LLC; and Peter Lefkowitz, Chief Privacy Officer, General Electric Company.
- The Risks of Processing Personal Information
Thursday, March 6, 1:00 p.m.
Bojana Bellamy, President of the Centre for Information Policy Leadership at Hunton & Williams LLP, will moderate the session. Speakers include: Peter Cullen, General Manager Trustworthy Computing, Microsoft Corporation; Isabelle Falque-Pierrotin, President, French Data Protection Authority (CNIL); Florence Raynal, Head of the Department of European and International Affairs, French Data Protection Authority (CNIL); and Richard Thomas, Global Strategy Advisor of the Centre for Information Policy Leadership at Hunton & Williams LLP.
- The Digital Marketing Ecosystem: Trends, Risks and Obligations
Thursday, March 6, 2:30 p.m.
Speakers include: Bridget Treacy, partner, Hunton & Williams LLP; and Teena H. Lee, Vice President, Privacy and E-commerce Counsel, The Estée Lauder Companies Inc.
In addition to these panels, stop by Booth 2 in the Exhibit Hall to learn more about Hunton & Williams’ Global Privacy and Cybersecurity practice and its Centre for Information Policy Leadership. Visit the IAPP’s website for more information and the full conference schedule.
To register (and help removal), copy paste this code: 0W000-000B0-00T00-E0021
I didn't really check all the changes that were made, but it seems it's nothing more than just a standard Zeus v2.
But wait, it communicates over SSL and has a new kind of HTTP request pattern:
Config download in Python:
Notice the new headers:
X_ID = Bot ID
X_OS = OS version
X_BV = Variant version
The server's response carries the X_ID back as a cookie:
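As an added example (not code from the original post), a small Python triage helper that flags a request carrying all three of the headers above and checks whether the server's response sets the same X_ID as a cookie. The header names come from the post; the sample messages, host, path and values are constructed for the example.

```python
import re

# Header names from the post; everything else below is constructed.
BOT_HEADERS = ("X_ID", "X_OS", "X_BV")
COOKIE_RE = re.compile(r"\bX_ID=([^;\s]+)")

SAMPLE_REQUEST = (
    "POST /cdn/config.bin HTTP/1.1\r\n"
    "Host: example.invalid\r\n"
    "X_ID: 1234567890ABCDEF\r\n"          # bot ID (constructed)
    "X_OS: 6.1.7601\r\n"                  # OS version (constructed)
    "X_BV: 2.0.8.9\r\n"                   # variant version (constructed)
    "Content-Length: 0\r\n\r\n"
)
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: X_ID=1234567890ABCDEF; Path=/\r\n"
    "Content-Type: application/octet-stream\r\n\r\n"
)
BENIGN_REQUEST = "GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n"


def parse_headers(raw: str) -> dict:
    """Return {lower-cased name: value} for one HTTP message's header block.
    Repeated headers (e.g. several Set-Cookie lines) are joined with ', '."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: dict = {}
    for line in head.split("\r\n")[1:]:        # skip the request/status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        key = name.strip().lower()
        headers[key] = (headers[key] + ", " + value.strip()) if key in headers else value.strip()
    return headers


def is_bot_checkin(request: str) -> bool:
    """True when all three bot headers are present (header names are
    case-insensitive; the underscore form itself is unusual for HTTP)."""
    hdrs = parse_headers(request)
    return all(h.lower() in hdrs for h in BOT_HEADERS)


def response_echoes_id(request: str, response: str) -> bool:
    """True when the server sets an X_ID cookie equal to the request's X_ID."""
    rid = parse_headers(request).get("x_id")
    m = COOKIE_RE.search(parse_headers(response).get("set-cookie", ""))
    return rid is not None and m is not None and m.group(1) == rid


def triage(request: str, response: str) -> dict:
    """Summarise one request/response pair for an analyst."""
    req = parse_headers(request)
    return {
        "checkin": is_bot_checkin(request),
        "bot_id": req.get("x_id"),
        "os": req.get("x_os"),
        "variant": req.get("x_bv"),
        "server_echoed_id": response_echoes_id(request, response),
    }
```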
For unpacking the config, here again nothing new, regular Zeus v2.
Once unpacked, we can see that the malware is targeting German banks and Trusteer:
Man in the browser:
Clean browser surfing Trusteer website:
Infected browser surfing Trusteer website:
bit.ly/1jmQHmA = hxtp://shlyxiest.biz/cdn/Trusteer-Mobile.apk
Phone number: 79670478968
Identified as Perkel.c by Kaspersky, Perkel is an Android malware that was sold by Perkele (this guy was later banned from underground forums for scamming, but that's another story).
Sort of Fake AV:
All these samples use the same IP range:
I've written a small yara rule in the hope of seeing more of these.
All configs that I grabbed were reporting to localhost, not to a server...
On February 25, 2014, the UK Information Commissioner’s Office (“ICO”) published an updated code of practice on conducting privacy impact assessments (“PIAs”) (the “Code”). The updated Code takes into account the ICO’s consultation and research project on the conduct of PIAs, and reflects the increased use of PIAs in practice.
Under the UK Data Protection Act 1998 (the “Act”), organizations are not subject to any statutory requirement to conduct PIAs. However, the ICO promotes PIAs as a useful good practice tool to help manage compliance with key obligations under the Act, including fair and lawful processing, purpose limitation, data quality and minimization, security safeguards, international data transfers, and individuals’ rights in relation to their personal data. In the ICO’s view, organizations that choose to conduct PIAs are better able to identify data protection compliance issues early on, thereby avoiding potential costs and associated reputational damage that might otherwise occur. The ICO also emphasizes that PIAs are an “integral” part of privacy by design. Even if a detailed PIA is not required by law, the ICO recommends that organizations nevertheless conduct a legal compliance check against the requirements of the Act.
The ICO considers its PIA methodology to be sufficiently flexible, so it can be used by all types of organizations and be integrated with existing compliance practices. The Code emphasizes that there is no one-size-fits-all approach for PIAs, and that each organization is “best placed to determine how it considers the issue of privacy risks,” emphasizing that “conducting a PIA does not have to be complex or time consuming but there must be a level of rigor in proportion to the privacy risks arising.” The Code stresses that consultation is an important part of a PIA. In particular, effective internal consultation is key; without the involvement of relevant stakeholders, privacy risks are likely to remain unmitigated.
The Code provides examples of the types of projects that may benefit from a PIA, including new IT systems, data sharing initiatives, profiling, surveillance systems and using existing personal data for new and unexpected (or potentially intrusive) purposes. Annex 1 to the Code provides example screening questions that organizations may use to determine whether a substantive PIA is required, including questions relating to new uses of existing data sets, and the use of technologies that may be perceived as being particularly invasive (for example, facial recognition technology). Annex 3 provides example PIA questions linked to the eight Data Protection Principles contained in the Act. For example, for Principle 3 (personal data shall be adequate, relevant and not excessive in relation to the purpose(s) for which they are processed), the Code suggests asking, “[w]hich personal data could you not use, without compromising the needs of the project?”
Finally, the ICO encourages organizations to publish their PIAs to improve transparency and to improve individuals’ understanding of the ways in which their personal data are used.