Monthly Archives: September 2015

CJEU Announces Date for Judgment on Safe Harbor

On September 29, 2015, the Court of Justice of the European Union (“CJEU”) announced that it will deliver its judgment in the Schrems vs. Facebook case on October 6, 2015. The CJEU’s judgment will be the final ruling in the case, and comes after the Advocate General’s Opinion regarding Safe Harbor earlier this week.

Typically, the CJEU delivers its ruling approximately three to six months after publication of the Advocate General’s opinion. Therefore, the timing of the CJEU’s judgment in this case is unexpected. The exact reasons for the early date are unclear, but the judgment will be very timely in light of the ongoing renegotiations of the U.S.-EU Safe Harbor Framework between the European Commission and the U.S. government.

Blockchain, Cybersecurity and Global Finance

When novelist William Gibson said, “[t]he future is already here, it’s just not very evenly distributed,” he may have had innovation like blockchain technology in mind. In the near future, blockchain may become the new architecture of a reinvented global financial services infrastructure. The technology – a distributed, consensus-driven ledger that enables and records encrypted digital asset transfers without the need of a confirming third party – is revolutionary to global financial services, whose core functions include the trusted intermediary role (e.g., payment processor, broker, dealer, custodian).

Realizing this potential, global investment banks are beginning to develop public and private blockchain technology standards and protocols, with a goal of re-imagining their daily operations within the global financial system. While the possibilities for financial innovation – shared ledgers and smart contracts to name a few – are dizzying, it is important to remember one thing: the speed and extent of acceptance of blockchain technology within the global financial services community will ultimately depend on the security of the network. Earlier this year, Interpol reported that blockchain can be repurposed by hackers to export malware to all computers in the network. Interpol proved this by introducing a proof-of-concept malware that showed the viability of such a cyber-attack. In the event of an actual attack, blockchain’s virtues, such as decentralization and immutability, would instantly become vices, as the malware would spread far and wide and the pollution would not be easily erased.

The intermediary functions described above are currently critical actions within global financial services, particularly in relation to financial asset trading; however, these activities are increasingly expensive, inefficient and, most dangerous of all, risky. They are expensive because the information technology investment and maintenance costs are significant. They are inefficient because although trading is swift for many financial assets, settlement is not, with too much reliance on back office human agency and duplication of effort and systems. They are risky because settlement delay introduces counterparty risk, and data concentration on centralized servers introduces operational/systems risk. In short, they are increasingly capital-intensive activities in the post-Credit Crisis milieu, where despite muted trading revenue, the demands of regulators grow louder for more transparent reporting and real-time risk exposure recordkeeping.

What, then, is blockchain technology? It’s a decentralized ledger of digital asset ownership on which the asset owners, or users, can initiate transfer to other users whose interconnected computers run blockchain software (“nodes”). The transactions themselves are encrypted transfer data that, when confirmed (in batches, roughly every ten minutes), comprise the “blocks” and when linked sequentially to the referenced prior block, comprise the “chain.” Confirmation occurs when the first of these nodes, each of which maintains a current copy of the blockchain, verifies the transaction(s) by utilizing specialized computational software to solve a complicated encryption problem. Then, and only then, does this node add the new block sequentially into the chain, causing the other nodes to validate the solution and update their ledgers accordingly. This verification yields compensation (e.g., in bitcoins or other cryptocurrency) to the problem-solving node, a “miner”, for the processing power expended in first successfully confirming the transaction.

Blockchain is thus both a secure means of digitized asset transfer and a virtually incorruptible record of such transfer, confirmed by processing power consensus and protected by ledger distribution, from the original “genesis” block all the way through the current transaction. A technology that can automate trust in the transfer for value of digitized assets poses an existential threat to the financial institutions that choose to ignore it. However, blockchain offers an opportunity for collaboration and co-development – creative construction rather than destruction – for financial institutions and other market participants that choose to embrace it, for the technology is an elegant response to each of the challenges mentioned above. Distributed ledgers reduce cost and risk and, through secure consensus verification, increase data integrity. Third party disintermediation and the prospect for near real-time settlement increase efficiency.

Blockchain’s potential for disruptive innovation within the financial services industry and beyond is great. It will be greater still if network security remains foremost in mind.

Seventh Circuit Denies En Banc Review For Data Breach Class Action

On September 17, 2015, the Seventh Circuit rejected Neiman Marcus’ petition for a rehearing en banc of Remijas v. Neiman Marcus Group, LLC, No. 14-3122. In Remijas, a Seventh Circuit panel found that members of a putative class alleged sufficient facts to establish standing to sue Neiman Marcus following a 2013 data breach that resulted in hackers gaining access to customers’ credit and debit card information. No judge in regular active service requested a vote on the rehearing petition. Additionally, all members of the original panel voted to deny rehearing. As we previously reported, and according to The Practitioner’s Handbook for Appeals to the United States Court of Appeals for the Seventh Circuit, “it is more likely to have a petition for writ of certiorari granted by the Supreme Court than to have a request for en banc consideration granted” in the Seventh Circuit.

At least for now, a circuit split will remain on whether the risk of future fraud and identity theft, or their associated mitigation costs, confer Article III standing.

Article 29 Working Party Issues Opinion on C-SIG Code of Conduct on Cloud Computing

On September 22, 2015, the Article 29 Working Party (the “Working Party”) adopted an Opinion on the Cloud Select Industry Group (“C-SIG”) Code of Conduct on data protection for Cloud Service Providers (the “Code”). In the Opinion, the Working Party analyzes the Code that was drafted by the Cloud Select Industry Group (the “C-SIG”).

Although the Opinion recognizes the effort of the C-SIG to provide guidance to cloud service providers (“CSPs”) regarding data protection and privacy rules in Europe, it does not formally approve the Code. According to the Working Party’s Opinion, some major concerns remain and should be taken into account when drafting the final  version of the Code.

Main Concerns

In particular, the Working Party addresses the following concerns:

  • Adhering to the Code will not make CSPs immune to any future changes in the data protection law. In particular, the Code should take into consideration provisions that will be introduced by the future EU General Data Protection Regulation such as certifications, powers of Data Protection Authorities (DPAs), controllership, status of processors and codes of conduct.
  • Adhering to the Code will not make CSPs immune to any enforcement actions by DPAs or the imposition of sanctions, but the Code will help CSPs demonstrate accountability with regard to data protection rules.
  • The C-SIG should clarify the governance of the Code, specifically with regard to the conditions for adherence to the Code (i.e., self-assessment or third party certification procedures).
  •  The Code should provide guidance to CSPs with regard to cloud services dedicated to the processing of sensitive data, citing specific examples.
  • The Code should provide clear guidance with regard to the location of processing. In addition, the obligation of CSPs to inform controllers should be strengthened, in particular when the processing of data involves processors and sub-processors. This can only be achieved if the controller has precise information on the locations where the processing takes place.
  • Although the C-SIG Group indicates that CSPs are not entitled to identify personal data on their service, the Working Party recommends that the Code contain references to personal data, articulated with the notion of anonymization. In addition, the Working Party notes that if references to pseudonymization are made in the Code, it can only be considered as a security measure and it does not exempt CSPs from their responsibilities as provided for under data protection law.
  • The Code should specify the conditions for the communication of personal data to a law enforcement authority located outside the EU, and in particular, should note that “transfers of personal data by a processor to any public authority cannot be massive, disproportionate and indiscriminate in a manner that it would go beyond what is necessary in a democratic society.”
  • The Opinion states that the Code should elaborate further on the liability regime applicable to the parties involved in the processing of personal data in case of violation of their data protection obligations. In particular, the Code should prevent the use of terms and conditions that unduly limit the CSPs’ obligations and liability.
  • The Working Party encourages the C-SIG Group to include provisions regarding IT security in the Code, including the possibility to perform a security risk assessment and data protection impact assessment to implement security measures. In addition, the Code should encourage CSPs to establish different levels of protection depending on the nature of the data.
  • The right to audit given to data controllers should be strengthened as it allows control of the activities of the data processor by the data controller.
  • Reference to data portability should be made in the Code in order to facilitate interoperability and the transfer of personal data to new cloud service provider, while safeguarding data subjects’ rights.

Next steps

The EU Commission will continue working with the C-SIG Group on the Code. The C-SIG Group is encouraged to finalize the Code, taking the Working Party’s opinion into consideration, by the end of October.

SEC Announces Settlement Order and Publishes Investor Alert

On September 22, 2015, the Securities and Exchange Commission (“SEC”) announced a settlement order (the “Order”) with an investment adviser for failing to establish cybersecurity policies and procedures, and published an investor alert (the “Alert”) entitled Identity Theft, Data Breaches, and Your Investment Accounts.

The Order with R.T. Jones Capital Equities Management, Inc. (“R.T. Jones”) alleged that R.T. Jones violated Regulation S-P, the SEC’s version of the Gramm-Leach-Bliley Act’s Safeguards Rule, by storing sensitive personally identifiable information (“PII”) on its third party-hosted web server “without adopting written policies and procedures regarding the security and confidentiality of that information and the protection of that information from anticipated threats or unauthorized access.” Their server was attacked in 2013, which resulted in the exposure of PII of more than 100,000 individuals. Pursuant to the Order, R.T. Jones agreed to pay a $75,000 penalty, appoint an information security manager to oversee data security, and adopt and implement a written information security policy. The firm also agreed to (1) no longer store PII on its webserver, (2) encrypt any PII stored on its internal network, (3) install a new firewall and logging system to prevent and detect future attacks, and (4) retain a cybersecurity firm to provide ongoing reports and advice on the firm’s information security.

In announcing the Order, Marshall S. Sprung, Co-Chief of the SEC Division of Enforcement’s Asset Management Unit, noted that companies “need to anticipate potential cybersecurity events and have clear procedures in place rather than waiting to react once a breach occurs.”

The Alert, which was published by the SEC’s Office of Investor Education and Advocacy, contains practical advice for investors on what steps to take if their investment accounts have been the subject of a data breach. These steps include:

  •  contacting the investment firm and other financial institutions immediately;
  •  changing online account passwords;
  •  consider closing compromised accounts;
  •  activating two-step verification, if available;
  •  monitoring investment accounts for suspicious activity;
  •  placing a fraud alert on their credit file;
  •  monitoring credit reports;
  •  consider creating an Identity Theft Report; and
  •  documenting all communications related to the incident in writing.

View the Press Release, Order and Alert.

U.S.-EU Data Transfer Agreement for Law Enforcement Nearing Completion

On September 8, 2015, representatives from the U.S. Government and the European Commission initialed a draft agreement known as the Protection of Personal Information Relating to the Prevention, Investigation, Detection and Prosecution of Criminal Offenses (the “Umbrella Agreement”). The European Commission’s stated aim for the Umbrella Agreement is to put in place “a comprehensive high-level data protection framework for EU-U.S. law enforcement cooperation.” The Umbrella Agreement has been agreed upon amid the ongoing uncertainty over the future of the U.S.-EU Safe Harbor, and was drafted shortly before the release of the September 23 Advocate General’s Opinion in the Schrems v. Facebook litigation. The content of the Umbrella Agreement is in its final form, but its implementation is dependent upon revisions to U.S. law that are currently before Congress.

The Umbrella Agreement sets out a number of protections for personal information transferred between the EU and the U.S. for law enforcement purposes. The Umbrella Agreement applies strict limits on the purposes for which personal information can be used when transferred between one Party (the “Transferor”) and another Party (the “Recipient”) for law enforcement purposes. It imposes obligations on the Recipient to maintain the security and accuracy of the transferred personal information, and requires the Recipient to notify the Transferor in the event of a data breach affecting that personal information. The Umbrella Agreement also restricts the period for which the transferred personal information can be retained by the Recipient, and requires the consent of the Transferor for any onward transfers of that information to a third country or international organization.

Arguably, the most significant feature of the Umbrella Agreement is that it creates a right to “judicial redress.” This will allow, for example, EU citizens to seek redress in U.S. courts if U.S. authorities fail to comply with their obligations under the Umbrella Agreement. This provision is dependent upon the passage of Bill (H.R. 1428), currently before Congress, that would create a legal basis for such judicial redress under U.S. law.

Notably, the Umbrella Agreement applies to all EU Member States except Denmark, Ireland and the UK. It will only apply to those jurisdictions if the European Commission notifies the U.S. Government in writing that they have opted in to the Agreement.

Shifu <3 Great Britain

I noticed since several days a shift in malware distribution in the UK.
Many infection path that I follow are now dropping a banker that i already saw many times, especially at the end of 2014 and mostly in Italy.

First time I encountered that threat : 2014-10-08

Angler EK dropping 165146e43ccee9c29b62693caf290df7 in an IT focused infection path
At that time I learnt from Frank Ruiz ( FoxIT ) that he spotted it 1 month earlier (2014-09-03 exactly). We were using a "non public" name to talk about it.

So two days ago in UK traffic :

2015-09-22 - An Angler EK dropping  0598ee3e06c681d7f9e05d83bb7ea422
via malvertising on GBR traffic
I saw that banking trojan again. (note : contacted,  Frank Ruiz told me that this banker activity never really stopped). What was new to me is that it was installing Apache,

Apache folder installed by 0598ee3e06c681d7f9e05d83bb7ea422 

Apache Config

Data folder of the Apache installation

Customers of 4 financial institutions are targeted by the injects stored in the config.xml

The same day i saw it again, other malvertising campaign (read: other actor bringing the traffic) and not dropped directly but as a 2nd Stage in a bedep thread which was not grabbing an adfraud module:

Angler EK pushing bedep grabbing 791491ba9f0a7670659f45f1e5421c83

Seeing it again today in malvertising campaign focused on UK, I decided to write about that and contacted Brett StoneGross (Dell SecureWorks) to try and get the 'defense name' for this. He told me that what I was describing was probably Shifu ..and fast confirmed it looking at the sample. (Edit reaction to twitter : He also told me that Shifu is based on Shiz)

So here we are: Shifu <3 GBR

Shifu <3 GBR
Side note : Here are some of the DGA in case main domain stop working.

Files : Password : malware

Contains : 4 fiddler, 1 pcap, 6 samples and 2 apache config folder (with injects).

Thanks: Frank Ruiz (Foxit) and Brett StoneGross (Dell SecureWorks) for their inputs/insight/awesomeness.

Read More:
Shifu: ‘Masterful’ New Banking Trojan Is Attacking 14 Japanese Banks - 2015-08-31 - Limor Kessem - IBM X-Force
Japanese Banking Trojan Shifu Combines Malware Tools - 2015-09-24 - Diwakar Dinkar - McAfee

Post publication Reading:
3,000 High-Profile Japanese Sites Hit By Massive Malvertising Campaign  2015-09-30 - Trenmicro

Hack Naked TV – September 23, 2015

This week on Hack Naked TV Beau talks iOS malware, Kaspersky vulnerabilities in their AV engine and more. Links to all stories are below.Android Screen Lock Bypass -

iOS malware -

Zerodium Million Dollar Bug Bounty -

Kaspersky Vulns -


Security Weekly Web Site:

Hack Naked Gear:

Follow us on Twitter: @securityweekly

Advocate General of the European Court of Justice Issues Opinion Regarding Safe Harbor

On September 23, 2015, Advocate General of the European Court of Justice Yves Bot issued his Opinion in the case of Max Schrems, which is currently pending before the Court of Justice of the European Union (the “CJEU”). In the opinion, the Advocate General provided his views concerning two key issues related to the U.S.-EU Safe Harbor Framework: (1) the powers of national data protection authorities to investigate and suspend international data transfers made under the Safe Harbor Framework and (2) the ongoing validity of the European Commission’s Safe Harbor adequacy decision (Decision 2000/520).

Powers of National Data Protection Authorities

The Advocate General stated that a decision by the European Commission on the adequacy of the level of data protection provided by a country outside of the EU does not eliminate or reduce the powers granted to the national data protection authorities (“DPAs”) under the EU Data Protection Directive 95/46/EC (“Data Protection Directive”). Consequently, national DPAs have the power to investigate transfers of personal data to a country outside of the EU (such as the U.S.) if the DPAs think the transfer undermines the protection of European citizens’ rights with respect to the protection of their personal data, regardless of the existence of an adequacy decision of the European Commission (such as the Commission’s Safe Harbor Decision). Where such investigation reveals systematic deficiencies in the level of data protection provided by the country to which the personal data are transferred, relevant DPAs must be able to take the necessary steps to safeguard the fundamental rights of EU citizens, such as suspending data transfers to the relevant country.

Validity of U.S.-EU Safe Harbor Framework

Although the question was not specifically referred to the CJEU, the Advocate General concluded that the CJEU also should make a decision on the validity of the Commission’s adequacy decision. The Advocate General stated that it is apparent from the findings of the Irish High Court and the Commission itself that the law and practice of the U.S. permit the large-scale collection of EU citizens’ personal data, without providing effective judicial protection to EU citizens. According to the Advocate General, this demonstrates that the U.S.-EU Safe Harbor Framework does not provide sufficient guarantees for the protection of the rights of EU citizens granted under the Data Protection Directive and the EU Charter of Fundamental Rights. Although the Safe Harbor Framework provides limited derogations allowing the use of transferred data for law enforcement purposes and the protection of national security, the Advocate General stated that the mass and indiscriminate surveillance carried out by U.S. intelligence services is a disproportionate interference with the fundamental rights of EU citizens. According to the Advocate General, the U.S.-EU Safe Harbor Framework also does not provide sufficient guarantees against such mass and indiscriminate surveillance as no independent authority in the U.S. is able to monitor breaches of the Safe Harbor principles committed by public authorities, such as U.S. security agencies. Therefore, the Advocate General concluded that the European Commission should suspend the application of the Safe Harbor Decision, as the level of protection provided by the U.S. for data transferred under the U.S.-EU Safe Harbor Framework is no longer adequate.

Next Steps

The CJEU will now begin its deliberation in the Schrems case and the final judgment is expected in the coming months. Although the CJEU will take into account the Advocate General’s opinion, it is not legally binding on the Court. It is yet to be seen whether the CJEU will reach the same conclusions as the Advocate General on the powers of the national DPAs, and comment on the ongoing validity of the U.S.-EU Safe Harbor Framework. After the CJEU has issued a final judgment, the Irish High Court will decide the Schrems case in accordance with the CJEU’s ruling.

In the interim, it is likely that this Opinion will increase the pressure on U.S. and EU government authorities to reach agreement on a revised U.S.-EU Safe Harbor Framework. The U.S.-EU Safe Harbor Framework remains a valid mechanism for the transfer of personal data to the U.S. pending the decision of the CJEU.

View the full text of the Advocate General’s Opinion.

For a summary, please see the press release of the CJEU.

Target Data Breach Litigation: District Court Certifies Class of Financial Institutions

On September 15, 2015, Judge Magnuson of the U.S. District Court for the District of Minnesota certified a Federal Rule of Civil Procedure 23(b)(3) class of financial services institutions claiming damages from Target Corporation’s 2013 data breach. The class consists of “all entities in the United States and its Territories that issued payment cards compromised in the payment card data breach that was publicly disclosed by Target on December 19, 2013.”

The plaintiff financial institutions assert claims for negligence, violations of Minnesota’s Plastic Security Card Act (“PSCA”) and negligence per se (based on the alleged violation of the PSCA). The alleged damages include the costs of providing replacement cards, and reimbursing fraud losses and other post-breach remediation expenses.

The focus of Target’s class certification argument and the court’s analysis was on the intertwined concepts of commonality and predominance. Target argued that: (1) choice-of-law issues would overwhelm the other issues; (2) there was no class-wide proof to support the PSCA and negligence claims; and (3) the calculations of damages on a plaintiff-by-plaintiff basis would predominate the litigation.

Choice of Law
The court dismissed Target’s argument that Minnesota law – including the PCSA – should not apply to the claims due to a lack of a significant nexus to Minnesota. Even assuming that conflicts existed between Minnesota and other states’ laws, the court determined that it could apply Minnesota law to the plaintiffs’ claims due to the “legion” contacts with Minnesota: “Target is headquartered in Minnesota; its computer servers are located in Minnesota; [and] the decisions regarding what steps to take or not take to thwart malware were made in a large part in Minnesota.”

Class-wide Proof
The court distinguished the class-wide proof required to establish injury and causation in a data breach for banks or credit unions and those required for consumers. Although future injury has been problematic in consumer cases, the financial institution plaintiffs reissued “nearly every card” that was subject to the breach alert. The court emphasized that this was not a “future harm.”

Judge Magnuson found such costs were not merely a “business decision” as opposed to an injury proximately caused by the breach, even when there is no contract, law or regulation requiring card reissue. Indeed, the court dismissed Target’s suggestion that financial institutions do nothing in reaction to a data breach as “absurd.” The court concluded that whether or not the remedial steps banks took in the wake of the breach to protect their cardholders were reasonable could be decided on a class-wide basis.

The court acknowledged that there may be difficulties establishing class-wide proof of damages. Such issues generally do not preclude class certification as long as the individual issues do not outweigh the class-wide issues. The court also left open the possibility that after class-wide liability is determined, damages questions may be left open for later resolution. Noting that the case of In re TJX Cos. Retail Sec. Breach Litig., 246 F.R.D. 389 (D. Mass. 2007) was the only financial data-breach case to reach the class certification stage, the court also distinguished the TJX denial of class certification based on that case’s misrepresentation and consumer-fraud claims. “The reliance issue in TJX made proving class-wide liability impossible,” which the court found “very different” from the facts presented in the Target case. The court also rejected Target’s damages arguments under the Seventh Amendment. Additionally, the court found that reissuance and fraud damages could be calculable on a class-wide basis, based on an expert opinion proffered by plaintiffs.

Update: On December 2, 2015, Target agreed to a settlement of $39 million, most of which will be paid directly to class members.

SEC Issues Top Cybersecurity Priorities for Broker-Dealers and Investment Advisers

On September 15, 2015, the Office of Compliance, Inspections and Examinations (“OCIE”) at the U.S. Securities and Exchange Commission (“SEC”) issued a Risk Alert outlining its latest cybersecurity examination priorities for SEC-registered broker-dealers and investment advisers.

In addition to what we have previously reported, this Risk Alert is the latest in a series of announcements on cybersecurity from OCIE. Although OCIE’s jurisdiction within the SEC technically extends only to the examination of certain kinds of regulated securities entities and intermediaries, the Risk Alert also can be instructive to other businesses subject to SEC oversight. As OCIE’s knowledge and sophistication on the topic of cybersecurity continues to improve, we expect that an increasing number of OCIE inspections will lead to referrals to the SEC’s Division of Enforcement for more formal action.

According to OCIE, areas of focus for upcoming examinations of broker-dealers and investment advisers include the following:

Governance and Risk Assessment: OCIE examiners may assess whether registrants have cybersecurity governance and risk assessment processes in place, whether firms are periodically evaluating cybersecurity risks and whether their controls and risk assessment processes are tailored to their business. Examiners also may review the level of communication to, and involvement of, senior management and boards of directors.

Access Rights and Controls: Examiners may review the manner in which firms control access to various systems and data via account management, authentication and authorization methods. For example, this review may include evaluating controls associated with remote access, customer logins, passwords, firm protocols to address customer login problems, network segmentation and tiered access.

Data Loss Prevention: Examinations may include assessing how firms monitor the volume of content transferred outside of the firm by its employees or through third parties, such as by email attachments or uploads. Examiners may also assess how firms monitor for potentially unauthorized data transfers and may review how they verify the authenticity of a customer request to transfer funds.

Vendor Management: Examiners may focus on firms’ practices and controls related to vendor management, such as due diligence, engagement, and monitoring and oversight of vendors. The examinations may include an assessment of how vendor relationships are incorporated into the firm’s ongoing risk assessment process as well as how the firm determines the appropriate level of due diligence to conduct on a vendor.

Training: Examiners may focus on whether training is tailored to specific job functions and how training is designed to encourage responsible employee and vendor behavior. Examiners also may review whether procedures for responding to cyber incidents under an incident response plan are integrated into regular personnel and vendor training.

Incident Response: Examiners may assess whether firms have established policies, assigned roles, assessed system vulnerabilities and developed plans to address possible future events. This includes determining which firm data, assets and services warrant the most protection to help prevent attacks from causing significant harm.

SWAMP, the Software Assurance Marketplace


I recently took a fresh look at the “SWAMP”, the Software Assurance Marketplace- it is a great idea and a valuable resource.  The short and incomplete story is that SWAMP is a suite of software analysis tools integrated into a centralized, cloud-based software testing environment- and it is available to software developers, software tool developers, and researchers- for free.

From their website:

“Software is a crucial component of daily living, affecting worldwide economic structures and the services we depend on every day. With the increasing rate of security breaches, it is clear that conventional network security solutions are no longer able to defend our privacy, corporate data, and critical banking information. Today’s applications need to be built more securely at the code level, and that code needs to be tested regularly.

The SWAMP was developed to make it much easier to regularly test the security of these applications and to provide an online laboratory for software assessment tool inventors to build stronger tools. Testing is often complicated and challenging, because comprehensive testing requires the use of several disparate tools with no central means of managing the process. The SWAMP is a no-cost, high-performance, centralized cloud computing platform that includes an array of  open-source and commercial software security testing tools, as well as a comprehensive results viewer to simplify vulnerability remediation. A first in the industry, the SWAMP also offers a library of applications with known vulnerabilities, enabling tool developers to improve the effectiveness of their own static and dynamic testing tools. Created to advance the state of cybersecurity, protect critical infrastructures, and improve the resilience of open-source software, the SWAMP integrates security into the software development life cycle and keeps all user activities completely confidential.”

The current test environment is able to test software written in C/C++, Java (including Java on Android), Ruby and Python- with JavaScript and PHP in development.  SWAMP will support eight languages by the end of the year.  There are currently sixteen tools in the suite with more being added, and numerous commercial companies are participating- including Veracode, CodeDX, Goanna, GrammaTech, and Parasoft.

The Marketplace team includes some serious academic centers for technology, the Morgridge Institute and the Department of Computer Sciences at U of Wisconsin-Madison, the Pervasive Technology Institute at Indiana University, and the National Center for Supercomputing Applications (NCSA) at U of Illinois Urbana-Champaign.  In my conversation with Bart Miller and Miron Livny of SWAMP it was clear that this project was built for practical use in the real-world, it is not an academic exercise- this is immensely practical and useful stuff.

There are many more details on their background page, including some impressive tech specs (at least I consider 700 cores, 5 TB of RAM, and 104 TB of HDD impressive).

We are going to try to get folks from SWAMP on the Security Weekly Podcast to discuss the marketplace in depth.  Stay tuned for more on that.



Changes to Policy Responsibility for the UK ICO

On September 17, 2015, Prime Minister David Cameron issued a Written Ministerial Statement, announcing that policy responsibility for data protection issues and the UK Information Commissioner’s Office (the “ICO”) will both be transferred from the Ministry of Justice (the “MoJ”) to the Department for Culture, Media & Sport, (the “DCMS”) with the changes taking effect on the same date. Existing data protection policy teams at the MoJ also will move to the DCMS.

The DCMS already has significant policy oversight of digital and Internet services in the UK, and is responsible for Ofcom, the UK’s telecommunications watchdog. The increasing relevance of data protection for these services appears to have been a key motivation for moving the ICO into the DCMS’ remit.

The Information Commissioner, Christopher Graham, emphasized the need for the ICO to remain free to advise policymakers on issues relating to data protection and freedom of information in his response to the changes. It likely will be some time before the full impact of the changes on the role or operation of the ICO becomes clear.

These developments follow the July 2015 announcement that policy responsibility for freedom of information matters will be transferred to the Cabinet Office. In addition, the government established the Commission on Freedom of Information, which will review the Freedom of Information Act 2000 and consider revisions to it, while reporting to the Cabinet Office.

Security Weekly #435 – Interview with Josh Pyorre and Exploding Chips

This week interview Josh Pyorre from OpenDNS on honeypots and malware. Josh  is a security analyst with OpenDNS. Josh has presented at Defcon, multiple Bsides across the USA and Source Boston.In this interview, we find Josh's secret weapon against attackers and why he goes second in ass-grabby-grabby.For links to Josh's blog and Twitter, visit our wiki: in the news we discuss an Apple iOS directory traversal vulnerability in AirDrop. Also in Security News is the Facebook 'Dislike' button. Not to be confused with with a downvote, more along the line of sympathy or empathy. Do you ever wish you could remotely detonate resistors? Well now you can (kind of).For a full list of stories, visit our wiki:

German DPA Fines Data Controller for Inadequate Data Processing Agreement

On August 20, 2015, the Bavarian Data Protection Authority (“DPA”) issued a press release stating that it imposed a significant fine on a data controller for failing to adequately specify the security controls protecting personal data in a data processing agreement with a data processor.

The DPA stated in the press release that the data processing agreement did not contain sufficient information regarding the technical and organizational measures to protect the personal data. The press release noted that the agreement was not specific enough and merely repeated provisions mandated by law.

According to the German Federal Data Protection Act, data controllers must impose detailed data security measures on data processors in data processing agreements. The text of a data processing agreement must enable the data controller to assess whether or not the data processor is able to ensure the protection and security of the personal data.

According to the DPA, the law provides some flexibility for companies to determine which contractual obligations are appropriate for a particular engagement. The DPA stated that this choice may depend on the data security plan of the data processor and related data processing systems used. In all data processing agreements, however, the following controls must be specified: (1) physical admission control, (2) virtual access control, (3) access control, (4) transmission control, (5) input control, (6) assignment control, (7) availability control and (8) separation control.

ICO to Investigate Data Sharing for Marketing by UK Charities

On September 2, 2015, the Information Commissioner’s Office (the “ICO”) announced an investigation into the data sharing practices of charities in the United Kingdom. The announcement follows the publication of an article in a UK newspaper highlighting the plight of Samuel Rae, an elderly man suffering from dementia. In 1994, Rae completed a survey, which resulted in a charity collecting his personal data. The charity, in turn, allegedly shared his contact details with other charities, data brokers and third parties. Over the years, some of those charities and third parties are reported to have sent Rae hundreds of unwanted items of mail, requesting donations and, in some cases, attempting to defraud him. The legal basis on which Rae’s details were shared remains unclear, although the ICO has noted that the distribution may have resulted from a simple failure to tick an “opt-out” box on the survey.

The ICO’s investigation has potentially significant consequences for charities and other types of organizations that routinely share personal data with third parties for marketing purposes. The investigation highlights the ICO’s focus on ensuring that valid consent has been obtained before personal data is shared for marketing purposes. In its announcement, the ICO made clear that a mere failure to opt out is not sufficient to validate consent for these purposes. In addition, the ICO noted that it was unreasonable to rely on Rae’s failure to opt out given the significant amount of time that has passed since 1994. The ICO has stated that it will investigate the matter further before deciding what action to take.

Highlights from five years of StopBadware work

The Cambridge-based StopBadware team is signing off this week after more than five years of community building and collaboration with some of the best people in the security business. As we turn full operations over to Dr. Tyler Moore and his excellent team at the University of Tulsa, take a look at some of the highlights of our work these past five-plus years. 


Security Weekly #434 – Interview with Micah Hoffman

This week Jack joins Paul in studio, Joff, Carlos, John, and Michael are on via Skype. Jack mixes up some fabulous cocktails and we are off.


Paul and the crew interview Micah Hoffman. Micah Hoffman has been working in the information technology field since 1998 supporting federal government, commercial, and internal customers in their searches to discover and quantify information security weaknesses within their organizations.


In the news, we talk about John McAfee for President, responsible disclosure, and 10 things to do before your laptop is stolen.


Show Notes:


Security Weekly Web Site:


Hack Naked Gear:

Hack Naked TV – September 11, 2015

Brought to you by Black Hills Information Security and Cybrary!


Today, Beau talks more about the Ashley Madison password dump, responsible disclosure to FireEye, and shiny new Android Ransomware. Also as promised on last week's episode, a quick demo of Powershell Empire.



Hack Naked TV Web Site:

Security Weekly Web Site:

Hack Naked TV – September 8, 2015

Brought to you by Black Hills Information Security and Cybrary!


This week Aaron talks about the OPM breach, Windows 10 data collection being back-ported, HP no longer sponsoring Pwn2Own, and vulnerabilities in FireEye's products being sold.


Hack Naked TV Web Site:



Security Weekly Web Site:


Twitter: @securityweekly

APEC Privacy Recognition for Processors Ready for Implementation

The APEC Cross-Border Privacy Rules (“CBPR”) system for information controllers received a significant boost during the recent APEC privacy meetings in the Philippines when APEC finalized a corollary certification scheme for information processors, the APEC Privacy Recognition for Processors (“PRP”). As we previously reported, the PRP allows information processors to demonstrate their ability to effectively implement an information controller’s privacy obligations related to the processing of personal information. In addition, the PRP enables information controllers to identify qualified and accountable processors, as well as assist small or medium-sized processors that are not widely known to gain visibility and credibility. Combined, the CBPR for controllers and PRP for processors now covers the entire information ecosystem, promising to motivate additional APEC economies to join both the CBPR and PRP systems, as well as incentivizing larger numbers of controllers and processors to seek certification.

The APEC Data Privacy Subgroup (“DPS”) and its parent committee, the Electronic Commerce Steering Group (“ECSG”), finalized the PRP during their latest round of meetings from August 25 to August 31, 2015, in Cebu, Philippines. The Centre for Information Policy Leadership (“CIPL”) at Hunton & Williams participated as an official “guest” of APEC. Completing the PRP system was one of the principal goals at these meetings. Although the substantive program requirements had already been finalized by APEC in early February this year, the PRP governance structure, as well as the details of how APEC economies could join and implement the PRP system, remained to be developed intersessionally in the months leading up to the August meetings in Cebu. Now that both the substantive requirements and the operational aspects of the PRP have been completed and officially endorsed by APEC, individual APEC economies and third party certifiers, or “Accountability Agents,” may join the PRP system. Following that step, information processors seeking PRP certification also can apply to Accountability Agents, similar to the current process under the CBPR system.

Other APEC items

Other key items on the DPS and ECSG agendas included (1) ongoing implementation of the CBPR across the APEC region, including adding more APEC economies and Accountability Agents to the system; (2) continuing the collaboration between APEC and the Article 29 Working Party to develop processes to streamline “dual certification” under the CBPR and EU Binding Corporate Rules; and (3) updating certain portions of the APEC Privacy Framework.

CIPL CBPR/PRP workshop

CIPL also held a well-attended, half-day workshop in the margins of the APEC meetings on “The Ins and Outs of the APEC Cross-Border Privacy Rules (CBPR) and their Role in Enabling Legal Compliance and International Data Transfers – A Workshop for Controllers, Processors and Regulators in the Asia-Pacific Region.” During the workshop, panelists from industry, governments and APEC privacy enforcement authorities, as well as audience members, discussed the benefits of the CBPR and PRP systems to Asia-Pacific-based information controllers and processors and the roles these codes of conduct and cross-border transfer mechanisms can play in an organization’s domestic and international compliance strategies.

Next APEC Privacy meetings

The next round of meetings will be held in Peru at the end of February 2016.

Security Weekly #433 – Outside The Echo Chamber

This week Larry and Jack join Paul in studio, Carlos is on via Skype without a shirt and none other than Google-Image-Search-John-Strand joins us...from his car none the less! 


Jack recently gave a talk at B-Sides Cleveland and was approached by a listener on how exactly you should talk to high-level execs about security, the DBIR and more. Then, well, tangents...


We talk about a recent article describing how to crack the passwords resulting from the Ashley Madison breach. Paul's prediction of UPnP being used for evil is in the news, this time the bad guys will turn all of your routers into a botnet, a bigger, better, faster botnet.


Show Notes:


Security Weekly Web Site:


Hack Naked Gear:



Follow us on Twitter: @securityweekly

CNIL Publishes Internet Sweep Results and New Guidelines for Websites Aimed at Children

On September 2, 2015, the French Data Protection Authority (“CNIL”) published the results of an Internet sweep of 54 websites visited by children and teenagers. The sweep was conducted in May 2015 to assess whether websites that are directed toward, frequently used by or popular among children comply with French data protection law. As we previously reported, the sweep was coordinated by the Global Privacy Enforcement Network (“GPEN”), a global network of approximately 50 data protection authorities (“DPAs”). The CNIL and 28 other DPAs that are members of the GPEN participated in the coordinated online audit. A total of 1,494 websites and apps were audited around the world.

The participating DPAs primarily verified:

  • the type of personal data collected;
  • the depth of information provided to children/teenagers and whether that information was tailored to them (i.e., whether children could understand the information); and
  • the presence of vigilance or control measures relating to young audiences (i.e., which precautions were taken).

The CNIL and other participating DPAs found the following:

A large collection of personal data and limited access for deleting accounts: The CNIL found that 87% of the websites audited (the average among participating DPAs was 67%) collect personal data, including IP address, mobile device identifier and location. The CNIL noted that one particular way websites collect personal data is by imposing an obligation on users to create an account. According to the CNIL, the collection of certain data is not necessary to provide the services offered by the website. Further, the CNIL found that only 39% of the websites audited by the CNIL provide users with an easy way to delete their account.

Lack of awareness among young audience about the collection of their data: The CNIL found that 71% of the websites audited include a privacy notice, but that only 33% of them tailor that notice to a young audience and include it on the form provided to the child or his or her parents.

Links to other websites, including e-commerce sites: According to the CNIL, on 63% of the websites audited, children could be redirected to other websites, including e-commerce sites, via simple hyperlinks.

No cookie banner: The CNIL noted that all of the websites audited placed cookies on users’ devices as soon as they arrived on the homepage, without obtaining users’ prior consent. In addition, 63% of the websites have still not posted the required cookie banner.

No notifications or warnings provided by most sites: The CNIL found that many websites (62%) do not provide warning messages or parental control options, such as an awareness message to children or an email sent to parents to (1) inform them about the collection of their children’s data, and (2) obtain their consent to such collection. According to the CNIL, 18% of the websites audited seek parental consent via a tick box, 15% verify the age of the user, 13% contain warning messages or notifications and 11% implemented a parental control chart when users register their account.

In light of these findings, the CNIL published new guidelines to help child-directed website publishers comply with French data protection law. The CNIL also announced that it will send a letter to the website publishers to remind them of their data protection obligations. The CNIL may then conduct further inspections and impose sanctions if website publishers do not cease their non-compliance.

Department of Defense Issues New Cyber Incident Reporting and Cloud Computing Requirements for Contractors

On August 26, 2015, the U.S. Department of Defense (“DoD”) published an interim rule entitled Defense Federal Acquisition Regulation Supplement: Network Penetration Reporting and Contracting for Cloud Services (DFARS Case 2013–D018) (the “Interim Rule”), that streamlines the obligations for contractors to report network penetrations and establishes DoD requirements for contracting with cloud computing service providers. The Interim Rule amends the information security contracting framework set forth in the Defense Federal Acquisition Regulation Supplement (“DFARS”) to implement section 941 of the National Defense Authorization Act (“NDAA”) for Fiscal Year (“FY”) 2013 and section 1632 of the NDAA for FY 2015, both of which impose cyber incident reporting obligations on contractors.

The Interim Rule requires DoD contractors and subcontractors to report cyber incidents that result in a compromise or have an actual or potentially adverse effect on a covered contractor information system or the covered defense information residing therein. Covered defense information includes controlled technical information, export controlled information, critical information and other information requiring protection by law, regulation or government-wide policy. Pursuant to the Interim Rule, contractors and subcontractors will be contractually obligated to report such cyber incidents to the DoD within 72 hours of discovery.

The Interim Rule also revises DFARS to implement policies and procedures for the acquisition of cloud computing services. Among the cloud computing policies and procedures added to DFARS, the Interim Rule requires that cloud computing service providers be contractually obligated to maintain all government data that is not physically located on DoD premises within the U.S. or outlying areas, unless otherwise authorized in writing by the contracting officer.

In addition, the Interim Rule revises the DFARS solicitation provisions and contract clauses related to safeguarding covered defense information. Notably, the Interim Rule replaces the table of security controls based on the National Institute of Standards and Technology (“NIST”) Special Publication (“SP”) 800–53 in DoD solicitations and contracts with NIST SP 800–171, entitled Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations. This document is specifically tailored for use in protecting sensitive information residing in contractor information systems.

German Data Protection Commissioners Issue Position Paper on Proposed EU General Data Protection Regulation

On August 14 and August 26, 2015, the Conference of the Data Protection Commissioners of the Federal Government and the Federal States (Länder) issued a detailed position paper (“Position Paper”) and a press release on the main issues for the trilogue negotiations on the proposed EU General Data Protection Regulation (the “Regulation”). In the Position Paper and press release, the participating German Data Protection Commissioners (“German DPAs”) request the trilogue partners to focus on the following issues:

Data Minimization

To limit interferences with fundamental rights, the Position Paper asserts that it is essential to limit the collection of data to only what is necessary to achieve legal and legitimate purposes. The Position Paper notes that unlimited collection of data creates numerous risks for individuals, including the risk of profiling individuals based on the acquisition of data from different aspects of an individual’s life. As such, the German DPAs request that the principle of data minimization be kept in the final version of the Regulation, as opposed to the Council’s version of June 2015.


The Position Paper asserts that the individual’s consent must remain his/her expression of self-determination and autonomy with regard to the processing of his/her personal data. Contrary to the Council’s proposal – which makes unambiguous consent sufficient – the German DPAs believe that only opt-in consent should be accepted as compatible with data protection principles.

Data Subjects’ Rights

The Position Paper maintains that in order to ensure effective implementation of the data subjects’ rights, actions taken per requests must be free of charge. This view is in opposition to the Council’s approach, which only explicitly provides the absence of fees for the right of access, therefore leaving the exercise of other rights uncertain. The execution of all data protection rights should instead be encouraged by the absence of fees, according to the German DPAs.

Purpose Limitation

In the Position Paper, the German DPAs suggest that purpose limitation strengthens the rights of individuals by ensuring transparency of data processing and helping to prevent data from being further processed in a way that is incompatible with the initial purposes for which the data was collected. In contrast, the Council’s approach allows the possibility to process data for reasons other than the purposes for which personal data was collected initially. The German DPAs indicate their opposition to the Council’s approach, which they believe would considerably weaken the principle of purpose limitation and put the individuals’ rights at risk.


The German DPAs consider the proposed rules on profiling in Article 20 of the Regulation to be inadequate to protect individuals effectively against the creation of personality profiles. As such, the Position Paper notes that by not making profiling itself subject to special requirements, but only to decisions based on automated processing or measure based processing, the provisions as proposed are inadequate to protect individuals. More specifically, the Council’s approach only covers a specific result of data processing, but not the essential questions relating to profiling, according to the Position Paper. In this context, the German DPAs propose that the following points be covered by the Regulation:

  • an approach covering all profiling or measures based on profiling, rather than only automated decision making;
  • a clear definition of the exceptions from the prohibition of profiling;
  • a high-level transparency and awareness of data subjects accompanying the processing of personal data for profiling purposes; and
  • the anonymization or pseudonymization of the data used to create and evaluate profiles as early as possible in the process.

Data Protection Officers

The Position Paper reiterates the importance of a concrete level of data protection in businesses and government agencies. To reach this level and create a sufficient local data protection culture, the German DPAs suggest the designation of mandatory Europe-wide data protection officers.

Cooperation among Data Protection Authorities (“DPAs”) in Europe

In the Position Paper, the German DPAs indicate their support for the so-called “one-stop shop, a consistency mechanism and a European Data Protection Board,” providing for the election of a lead DPA as a single point of contact for a business. The German DPAs, however, also ask the stakeholders involved in the trilogue to define practical rules for the model proposed, arguing that it is currently too complex for the supervisory authorities, particularly regarding time limits and administrative assistance between the DPAs.

Hack Naked TV – September 1, 2015

Brought to you by Black Hills Information Security and Cybrary!

This week Aaron talks about the Ubiquity email scam, the resignation of the Ashley Madison CEO, the NSA’s bulk collection extension, NSA backdooring encryption and MORE!

 Show Notes:

Hack Naked TV Web Site:

Security Weekly Web Site:

Hack Naked TV – Favorite Hacking Tools

This week on Hack Naked TV, Beau talks about his top 5 favorite pentest and hacking tools as seen at BlackHat/DefCon/B-Sides.


Also, be on the lookout for Chrome pausing all flash-based ads on September 1, 2015. You can read the full article at