Monthly Archives: October 2015

GPEN Launches New Global Consumer Privacy Protection Initiative

On October 26, 2015, the Federal Trade Commission (“FTC”) issued a press release on the Global Privacy Enforcement Network (“GPEN”) Alert, a new multilateral information sharing system that would allow participating agencies to share information relating to an investigation in order to facilitate better cross-border coordination. The FTC, along with agencies from seven other nations, signed a Memorandum of Understanding at the 37th International Conference of Data Protection and Privacy Commissioners in Amsterdam. FTC Chairwoman Edith Ramirez stated that the “GPEN Alert is an important, practical cooperation tool that will help GPEN authorities protect consumer privacy across the globe.” Australia, Canada, Ireland, The Netherlands, New Zealand, Norway and the United Kingdom join the U.S. in their efforts to coordinate global consumer privacy protection.

GPEN Alert uses the same technology as the FTC’s Consumer Sentinel Network, a database that stores consumer complaints made to the FTC and is accessible to participating U.S. law enforcement agencies.

UK Deputy Information Commissioner on Safe Harbor: “Don’t Panic”

On October 27, 2015, David Smith, the UK Deputy Commissioner of the Information Commissioner’s Office (“ICO”), published a blog post commenting on the ongoing Safe Harbor compliance debate in light of the Schrems v. Facebook decision of the Court of Justice of the European Union. His key message to organizations was, “Don’t panic.”

After engaging in a brief analysis of the implications of the decision, David Smith asked, “Where does this leave businesses that are using the Safe Harbor?” Smith sums up the ICO’s advice in three key messages:

  • Don’t Panic: The impact of the Schrems decision on other available transfer mechanisms and derogations (e.g. Standard Contractual Clauses, Binding Corporate Rules, consent, etc.) is still being evaluated.
  • Take Stock: Organizations should, as a first step, consider what personal data they are transferring outside of the EU, and what arrangements they have in place to ensure that data is adequately protected. Organizations should also consider the ICO’s guidance on international data transfers, and what alternatives are available in respect of transfers that were previously covered by Safe Harbor. Smith notes the possibility that a new, improved Safe Harbor may be agreed upon, and cautions against significant immediate changes in light of this possibility.
  • Make Up Your Own Mind: Smith highlights the fact that UK data protection law allows organizations to make their own adequacy determination in relation to particular transfers of personal data. Although this possibility is very fact dependent, the ICO confirms that this transfer mechanism remains open to UK-based organizations.

Finally, Smith notes that, although the ICO will consider complaints in relation to data transfers from affected individuals, it will continue to follow its previously published enforcement criteria. The blog post provides reassurance to UK-based organizations that the ICO will not rush to use its enforcement powers, particularly in light of the uncertainty around international transfers of personal data and the future of Safe Harbor. That being said, the ICO stands behind the previous statement issued by the Article 29 Working Party in relation to the Schrems decision, and did not rule out the possibility of enforcement action against organizations that have not taken steps to ensure compliance by January 2016.

NIST Releases Final Report on De-Identification of Personal Information

The National Institute of Standards and Technology (“NIST”) recently released the final draft of its report entitled De-Identification of Personal Information. The report stems from a review conducted by NIST of various de-identification techniques for removal of personal information from computerized documents. While de-identification techniques are widely used, there is concern that existing techniques are insufficient to protect personal privacy because certain remaining information can make it possible to re-identify individuals.

The final report follows NIST’s request for comments on its April 7, 2015 initial public draft, and generally covers the following:

  • an introductory overview of the concepts of de-identification, re-identification and data sharing models;
  • approaches for de-identifying structured data (i.e., data that resides in a field within a database) typically by removing, masking or altering specific categories such as names and phone numbers; and
  • challenges of de-identification for non-tabular data, such as free-format text, images and genomic information.

The report concludes that although it is not perfect, de-identification is “a significant technical control that may protect the privacy of data subjects.”

CVE-2015-7645 (Flash up to 19.0.0.207) and Exploit Kits

CVE-2015-7645 was fixed in Adobe Flash Player 19.0.0.226. Spotted in the wild (2015-10-13) in APT28's exploit kit by TrendMicro, the vulnerability had already been reported to Adobe two weeks earlier (2015-09-29) by Natalie Silvanovich.

It has now made its way into exploit kits:

Angler EK:
2015-10-29
CVE id confirmed by Anton Ivanov (Kaspersky)

Angler EK successfully exploiting Flash 19.0.0.207 (2015-10-29)
Flash sample in that pass: 4af57fb1c71bb9c1599371d48240ff36
Another sample: bea824974f958ac4efc58484a88a9c18
One more from the Poweliks instance: 0d72221d41eff55dcfd0da50cd1c545e

Non-replayable Fiddler capture sent to VT.

Out-of-topic samples loaded by Bedep:
5a60925ea3cc52c264b837e6f2ee915e Necurs
a9d5a9a997954f5421c94ac89d2656cd Vawtrak (that one was not expected in that infection path)

2016-03-12
Edge is now being served a landing page, and the Flash file being sent targets this CVE according to Kaspersky and ESET.

Angler EK exploiting Flash 18.0.0.209 on Windows 10 (build 10240) through Edge
Fiddler: AnglerEK_Edge_18.0.0.209_2016-03-11.zip

Nuclear Pack:
2015-10-30
Nuclear Pack, which has been playing with its landing URI pattern lately, has integrated it.

CVE-2015-7645 in Nuclear Pack on 2015-10-30
Sample in that pass: f5dd2623ae871d58483bf14ec5d635e4

Out-of-topic payload: 0b3de2a8d838883e10a1d824d20fe95c Kelihos Loader (harsh02)
Fiddler capture sent to VT.

Magnitude:
2015-11-10
Magnitude trying to exploit CVE-2015-7645 (2015-11-10)
Spotted sample: 21993dd3b943d935a9296aeff831cbb9 (CVE id confirmed by Timo Hirvonen)
No payload, but the actor behind that thread would like to see you Cryptowalled. An update might come.

Spartan:
2015-11-12
Unsurprisingly, as Spartan is the work of the coder of Nuclear Pack.
Note: old versions of Chrome (<= 43.0.257) and Firefox (< 38) seem to be falling as well.

Spartan pushing Pony and Alphacrypt via CVE-2015-7645 (2015-11-12)

Sample in that pass: 1c074c862d3e25ec9674e6bd62965ad8 (another one: 66f34cd7ef06a78df552d18c729ae53c)
Out-of-topic payloads: Pony 29c940f9d0805771e9c7ec8a5939fa25 (45.63.71.12 /myadvert/autoget.php) and Cryptowall 74ebff4acc4ad9c2a2e665ff293c02e6. NB: earlier today the drops were Pony and Alphacrypt.
Fiddler capture sent to VT.

Neutrino:
Most probably appeared 2015-10-16.

Necurs being dropped by Neutrino via CVE-2015-7645 (2015-11-17)
Sample in that pass: 7dd9813ef635e98dd9585deaefecfcff
Out-of-topic payload: Necurs a83a96e87e80adef1e4598a645f2918c
Fiddler capture sent to VT. (You might want to read the detailed analysis by Trustwave.)

Read More:
Adobe Flash: Type Confusion in IExternalizable.writeExternal When Performing Local Serialization - 2015-09-29 - Natalie Silvanovich
New Adobe Flash Zero-Day Used in Pawn Storm Campaign Targeting Foreign Affairs Ministries - 2015-10-13 - Feike Hacquebord - Brooks Li - Peter Pi - TrendMicro
Latest Flash Exploit Used in Pawn Storm Circumvents Mitigation Techniques - 2015-10-16 - Peter Pi - TrendMicro

Post-Publication Reading:
Neutrino Exploit Kit – One Flash File to Rule Them All - 2015-12-28 - Daniel Chechik and Anat Davidi - Spiderlabs/Trustwave

Senate Passes Cybersecurity Information Sharing Act

On October 27, 2015, the U.S. Senate passed S.754 – Cybersecurity Information Sharing Act of 2015 (“CISA”) by a vote of 74 to 21. CISA is intended to facilitate and encourage the sharing of Internet traffic information between and among companies and the federal government to prevent cyber attacks, by giving companies legal immunity from antitrust and privacy lawsuits. CISA comes in the wake of numerous recent, high-profile cyber attacks.

CISA is supported by the Department of Defense, the White House, the U.S. Chamber of Commerce and various financial industry groups. The Securities Industry and Financial Markets Association’s President and CEO Kenneth E. Bentsen Jr. stated, “The threat our economy faces from cyber attacks is real and information-sharing legislation will help the financial services industry to better protect our systems as well as the privacy of our customers.”

CISA, however, has come under attack by privacy and civil liberty organizations and technology companies who claim that CISA lacks appropriate privacy safeguards and does not do enough to limit the government’s use of users’ information. The Computer & Communications Industry Association, a technology industry trade group, stated, “[We] recognize the goal of seeking to develop a more robust system through which the government and private sector can readily share data about emerging threats. But such a system should not come at the expense of users’ privacy, need not be used for purposes unrelated to cybersecurity, and must not enable activities that might actively destabilize the infrastructure the bill aims to protect.”

CISA comes on the heels of two similar bills passed by the House of Representatives, H.R. 1731, the National Cybersecurity Protection Advancement Act of 2015 and H.R. 1560, the Protecting Cyber Networks Act. While CISA is similar to these pieces of legislation, a conference will be necessary to resolve differences between the House- and Senate-passed bills. Details on that conference, including who will be in attendance and whether the conference will be held on the House- or Senate-side, are not yet available but are expected to be resolved soon. One House aide reported that the conference would likely take place by the end of the year, saying, “We’re not expecting any fireworks or drama.” The Obama Administration has indicated support for the cybersecurity information sharing legislation, and President Obama is expected to sign the final bill.

EU Commissioner Announces Further Guidance on the Impact of the Safe Harbor Ruling and an Agreement “In Principle” on a New Safe Harbor Framework

On Monday, October 26, 2015, EU Commissioner for Justice, Consumers and Gender Equality, Věra Jourová, gave a speech before the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (“LIBE Committee”) on the recent ruling by the Court of Justice of the European Union (the “CJEU”) that invalidated the European Commission’s Safe Harbor Decision. The EU Commissioner welcomed the Article 29 Working Party’s statement and, in particular, its support for a new Safe Harbor framework by January 31, 2016. However, the EU Commissioner called for more clarity in the meantime. Accordingly, she announced that the European Commission will soon issue an explanatory document on the consequences of the CJEU’s ruling to provide guidance for businesses on international data transfers.

The EU Commissioner also provided a status update of the negotiations with the U.S. authorities on the new Safe Harbor framework. The EU Commissioner clarified that the aim of these negotiations is not to impose the same level of data protection in the U.S. as is provided in Europe, but to offer safeguards in the U.S. that are “globally equivalent” to European data protection standards. Several meetings have already been held and discussions will continue until the EU Commissioner’s visit to Washington in mid-November. The EU Commissioner also indicated that an agreement has been reached “in principle” on a new “self-certification” system with “effective detection and supervision mechanisms” that will transform the current system from self-regulating to a system with more oversight and enforcement. Under the new system, the interface and communication channels with EU data protection authorities (“DPAs”) and the U.S. Department of Commerce will be improved and EU DPAs will be more active and visible in their role in reviewing the functionality of the new system. However, the EU Commissioner explained that EU and U.S. authorities are still discussing how to ensure that these commitments comport with the CJEU’s ruling. Similarly, EU and U.S. authorities are still working to implement an annual joint review mechanism that will cover all aspects of the functionality of the new system, including the use of exemptions for law enforcement and national security grounds.

In addition, the EU Commissioner stated that some progress has been made towards more targeted and tailored surveillance by U.S. authorities and increased protection for EU citizens. For example, certain protections formerly reserved to U.S. citizens have been proposed to be extended to EU citizens. The European Commission is still assessing these safeguards and getting further clarification, but the EU Commissioner welcomed these new initiatives as encouraging elements for the negotiations. In particular, she welcomed the U.S. Bill of Judicial Redress that would extend judicial protection under the U.S. Privacy Act to EU citizens.

The EU Commissioner indicated that she will keep the LIBE Committee informed about the next stages of the discussions.

Federal Court: Attorney-Client Privilege and Work-Product Doctrine Upheld for Materials Associated with Internal Data Breach Investigation

On October 23, 2015, the United States District Court for the District of Minnesota, in large part, upheld Target’s assertion of the attorney-client privilege and work-product protections for information associated with a privileged, internal investigation of Target’s 2013 data breach.

The plaintiffs contended that the challenged information was not protected by the attorney-client privilege or the work-product doctrine because “Target would have had to investigate and fix the data breach regardless of any litigation, to appease its customers and ensure continued sales, discover its vulnerabilities, and protect itself against future breaches.”

Target countered that there was a two-track investigation. The first track was an ordinary-course-of-business investigation, involving, among other things, a forensic investigator’s non-privileged report for the card brands. The second track, part of which included a different team from the same forensic investigator, was created at the request of Target’s in-house lawyers and its retained outside counsel. The purpose of the second-track investigation was to educate the attorneys about aspects of the breach so that they could provide Target with informed legal advice.

Although the same forensic investigator was used for both tracks, Target explained that it only claimed privilege and work-product protections for certain information related to the second-track investigation. Target provided evidence that the forensic teams did not communicate with each other about the substance of the second-track, attorney-directed investigation.

After an in-camera inspection, the court found that the majority of the information was shielded from disclosure. The most notable findings were:

  • Communications from CEO to Board of Directors. Neither the attorney-client privilege nor work-product doctrine applied to communications made by Target’s CEO to its Board of Directors.
    • Attorney-Client Privilege. The evidence did not show that the communications: (a) involved any confidential communications between attorney and client; (b) contained requests for, or discussion necessary to obtain legal advice; or (c) included the provision of legal advice.
    • Work Product. None of the materials appeared to be provided due to reasonably anticipated litigation within the meaning of Federal Rule of Civil Procedure 26(b)(3).
  • Emails related to Data Breach Task Force. The attorney-client privilege and the work-product doctrine protected emails regarding the work of Target’s attorney-directed Data Breach Task Force. The Data Breach Task Force informed Target’s in-house and outside counsel about the breach so that Target’s attorneys could provide the company with legal advice and prepare to defend the company in litigation that was already pending and reasonably anticipated.
  • Emails from in-house counsel to client. Emails between a Target in-house attorney and his clients were created for the purpose of obtaining legal advice and made in anticipation of litigation. Therefore, they were protected by both the attorney-client privilege and work-product doctrine.
  • Emails regarding breach occurrence. Certain emails regarding how the breach occurred were protected by the work-product doctrine. Moreover, the plaintiffs failed to demonstrate that, without these work-product protected materials, they would be deprived of any information about how the breach occurred or how Target conducted its investigations. The court noted that Target produced information from which the plaintiffs could learn about how the data breach occurred and about Target’s breach response.
  • Emails regarding legal advice. Certain emails were protected by the attorney-client privilege because Target demonstrated the information in those communications was transmitted for the purpose of obtaining legal advice regarding the investigation.

The court did not cite the United States Court of Appeals for the D.C. Circuit’s 2014 and 2015 opinions about the application of the attorney-client privilege and work-product protection in corporate internal investigations. Although those decisions arose outside the data breach context, the court's decision not to cite them was most likely due to the double-track structure of the Target investigative teams, which helped to separate information that was protected from information that was not. In any event, the D.C. Circuit has previously held that blended reasons for a corporate internal investigation do not invalidate the privilege, as long as providing legal advice was a “significant purpose” of the investigation.

German DPAs Issue Joint Position Paper on Alternatives to Safe Harbor

On October 26, 2015, the German federal and state data protection authorities (the “German DPAs”) published a joint position paper on Safe Harbor and potential alternatives for transfers of data to the U.S. (the “Position Paper”).

The Position Paper follows the Court of Justice of the European Union’s (the “CJEU’s”) ruling on Safe Harbor and contains 14 statements regarding the ruling, including the following key highlights:

  • In light of the Safe Harbor Decision of the CJEU, the German DPAs call into question the lawfulness of data transfers to the U.S. on the basis of other transfer mechanisms, such as standard contractual clauses or Binding Corporate Rules (“BCRs”).
  • The Position Paper indicates that the German DPAs will prohibit data transfers to the U.S. that are based solely on Safe Harbor, to the extent that they become aware of such transfers.
  • When using their powers under Article 4 of the respective Commission Decisions on the standard contractual clauses of December 2004 (2004/915/EC) and February 2010 (2010/87/EC) to assess data transfers, the Position Paper indicates the German DPAs will rely on the principles formulated by the CJEU. In particular, the German DPAs will focus on numbers 94 and 95 of the judgment, which address recipient countries that compromise the fundamental right of respect for private life and lack respect for the essence of the fundamental right to effective judicial protection.
  • At this time, the Position Paper discloses that the German DPAs will not issue new approvals for data transfers to the U.S. on the basis of BCRs or data export agreements.
  • The Position Paper requests companies to immediately design their data transfer procedures in a way that considers data protection. Companies that would like to export data to the U.S. or other third countries should also use as guidance the German DPAs’ March 2014 resolutions on “Human Rights and Electronic Communication” and the October 2014 guidelines on “Cloud Computing.”
  • The German DPAs indicate that consent for the transfer of personal data may be a sound legal basis under narrow conditions. In principle, however, the data transfer must not be massive or occur routinely or repeatedly, according to the Position Paper.
  • With respect to the export of employee data and certain third party data, the German DPAs indicate that consent may only be a lawful legal basis in exceptional cases for a data transfer to the U.S.
  • The German DPAs request the legislators to grant them a right to file an action in accordance with the CJEU judgment.

In the Position Paper, the German DPAs also call upon the European Commission to push for the creation of sufficiently far-reaching guarantees for the protection of privacy during its negotiations with the U.S., including such protections as the right to judicial remedy, data protection rights and the principle of proportionality. Further, the German DPAs indicate it is essential to promptly adjust the Commission Decisions on EU model clauses to the requirements of the CJEU decision. To this extent, the DPAs welcome the deadline of January 31, 2016 set by the Article 29 Working Party.

Security Weekly #438 – 10 Year Anniversary Part 2

Bug Bounty and Responsible Disclosure

We bring back Samy Kamkar "Samy's My Hero," and bring on special guests Casey Ellis from BugCrowd and Katie Moussouris from HackerOne. We talk about the tough ethical questions and the future of bug bounties in 5 years.

Interview with Ron Gula

We interview Ron Gula, one of the first interviews conducted on Security Weekly. Ron is a leading cybersecurity thinker, innovator, and visionary in the information security industry.

Security Weekly Web Site: http://securityweekly.com

Hack Naked Gear: http://shop.securityweekly.com

Follow us on Twitter: @securityweekly

Security Weekly #439 – Making The Most Of Threat Intelligence

Special Segment: Making The Most Of Threat Intelligence

This week, Paul and Mike discuss the current state of threat intelligence. In this segment, Paul and Mike dive deep into using threat intelligence properly.

Security News: Chip and Pin Hacked

This week in the news we learn how chip and PIN was hacked in France and ask whether you are fooled by fake online reviews. For a full list of stories including links, visit the wiki http://wiki.securityweekly.com/wiki/index.php/Episode439#Stories_of_the_Week_-_7:00PM-8:00PM.


Hack Naked TV – October 23, 2015

Today Beau talks about MITM NTP, chip-and-PIN vulnerabilities, and encrypting all the things by default.

For a full list of stories discussed today, visit our wiki: http://wiki.securityweekly.com/wiki/index.php/Hack_Naked_TV_October_23_2015


Hack Naked TV – October 20, 2015

Today Aaron talks about the E-Trade breach, China still hacking the US, CyberInsurance, and More.

Visit the wiki for a full list of stories: http://wiki.securityweekly.com/wiki/index.php/Hack_Naked_TV_October_20_2015


Putative Data Breach Class Action Against Uber Dismissed Without Prejudice

The United States District Court for the Northern District of California recently dismissed―without prejudice―a former Uber driver’s class action complaint. The driver, Sasha Antman, was one of roughly 50,000 drivers whose personal information was exposed during a May 2014 data breach. Uber contended the accessed files contained only the affected individuals’ names and drivers’ license numbers.

In the complaint, Antman alleged that the breach resulted in, among other injuries, an unauthorized attempt to open a credit card and ongoing monitoring expenses. He did not, however, allege any fraudulent credit charges or loss of use of credit. Antman brought claims under California law for: (1) unfair competition and (2) the failure to implement and maintain reasonable security procedures. Uber moved to dismiss under Federal Rules of Civil Procedure 12(b)(1) and 12(b)(6). Below are highlights from the District Court’s ruling.

Lack of Standing under 12(b)(1)

The District Court found that the complaint failed to establish standing under both the “injury-in-fact” and “causal connection” inquiries. Although the court reaffirmed that the Ninth Circuit’s Krottner v. Starbucks decision remained controlling post-Clapper, it nevertheless rejected Antman’s injury-in-fact argument. Specifically, without the exposure of Social Security numbers (“SSN”), financial account numbers or credit card numbers, the court indicated “there is no obvious, credible risk of identity theft that risks real, immediate injury.” Likewise, the court believed that no causal connection existed because Antman did not allege that his SSN, which was required for the unauthorized credit application in question, was breached.

Failure to State a Claim under 12(b)(6)

Additionally, the court found that Antman failed to show a cognizable injury necessary to survive Uber’s 12(b)(6) motion based on statutory standing due to the lack of a causal relationship between the breach and the unauthorized credit card application. Further, while Antman alleged that he was a California resident when he was an Uber driver, he did not allege he was a California resident at the time of the breach. Given the standing rulings, the court declined to opine on the timing of his residency.

Antman will have 28 days to amend his complaint.

Security Weekly #438 – 10 Year Anniversary Part 3

Interview with Peiter "Mudge" Zatko

Peiter C. Zatko, better known as Mudge, is a network security expert, open source programmer, writer, and hacker. Peiter talks about his start in information security, or rather his starting information security, and about his early involvement in BGP and how to take down the Internet.

Mobile Security and Privacy

We get Simple Nomad and David Schwartzberg to join us for a panel discussion on Mobile Security and Privacy. David Schwartzberg is a Sr. Security Engineer at MobileIron and Simple has been doing hacker and security-related things for over 30 years, wearing black, white, and gray hats at various points.

Hacker Jeopardy

Hacker Jeopardy includes popular topics such as famous hackers and decimal to binary conversions. Test your knowledge now!


Security Weekly #438 – 10 Year Anniversary Part 1

Interview with Mikko Hypponen

To kick off our ten-year anniversary we interview Mikko Hypponen of F-Secure. We talk about the first virus discovered, reviewing printed viruses, and more.

Visit our wiki for list of important links including the one that got him banned from Twitter: http://wiki.securityweekly.com/wiki/index.php/Episode438#Guest_Interview:_Mikko_Hypp.C3.B6nen_10:05_AM
L0pht Heavy Industries Panel

L0pht Heavy Industries was a hacker collective active between 1992 and 2000 and located in the Boston, Massachusetts area. We learn about the history of the L0pht and the future.

FTC Advertising Practices Division Chief of Staff Phyllis Marcus Joins Hunton

Hunton & Williams welcomes Phyllis H. Marcus as counsel to the firm’s privacy and competition teams. Phyllis joins the firm from the Federal Trade Commission, where she held a number of leadership positions, most recently as Chief of Staff of the Division of Advertising Practices. Phyllis led the FTC’s children’s online privacy program, including bringing a number of enforcement actions and overhauling the Children’s Online Privacy Protection Act (“COPPA”) Rule. She offers the privacy team a keen understanding of the complexities of the revised regulations, as well as broader issues relating to student privacy, mobile applications and the Internet of Things.

Read the full press release.

CIPL Supports Theme of “Privacy Bridges” at 37th International Privacy Conference in Amsterdam

On October 27, 2015, Hunton & Williams LLP’s Centre for Information Policy Leadership (“CIPL”) will conduct a joint workshop with Nymity on Bridging Disparate Privacy Regimes through Organizational Accountability. As a side event to the 37th International Privacy Conference in Amsterdam during the week of October 26, the workshop is specifically designed to support and further explore the theme of global “Privacy Bridges” that will be discussed at the International Privacy Conference. Organizational accountability is one of the proposed bridges in the Privacy Bridges Report which the international expert group released earlier this week.

At the workshop, regulators and business representatives will focus specifically on the “bridge” of organizational accountability, by (1) examining how accountability systems can help organizations achieve and demonstrate legal compliance, including in the cross-border context; (2) discussing the benefits of accountability systems from the perspective of regulators; and (3) considering emerging best practices in organizational accountability programs and information management programs.

The workshop also will feature a discussion of the aftermath of the Court of Justice of the European Union’s Safe Harbor Decision.

In conjunction with its workshop and the general themes of the International Privacy Conference, CIPL also has released two draft white papers in a series of three papers on protecting privacy in a world of big data: Paper 1, The Role of Enhanced Accountability in Creating a Sustainable Data-driven Economy and Information Society and Paper 2, The Role of Privacy Risk Management. These papers are intended for discussion purposes in Amsterdam and will be supplemented by a third paper in the series on reinterpreting long-standing privacy principles for purposes of big data, the Internet of Things, cloud computing and other modern information use contexts. All three papers will be released in final format at a later date.

Irish Data Protection Authority to Investigate Facebook’s Data Transfers

On October 20, 2015, at a hearing in the Irish High Court, Irish Data Protection Commissioner Helen Dixon confirmed that she will investigate allegations made by privacy activist Max Schrems concerning Facebook’s transfer of personal data to the U.S. in reliance on Safe Harbor. Dixon welcomed the ruling of the High Court and noted that she would proceed to “investigate the substance of the complaint with all due diligence.”

In 2013, Schrems complained to the Irish Data Protection Commissioner (“DPC”) that Facebook’s transfers of personal data to the U.S. were unlawful. The DPC declined to investigate Facebook, on the basis that such an investigation was outside the DPC’s remit. Schrems sought judicial review of that decision and, in the course of hearing Schrems’ complaint, the Irish High Court referred several questions to the Court of Justice of the European Union (“CJEU”). In response to those questions, the CJEU determined that the European Commission’s Safe Harbor Decision is invalid.

In light of the CJEU’s judgment, the DPC’s investigation is expected to conclude that Facebook cannot rely upon the U.S.-EU Safe Harbor Framework as a lawful basis for transferring data to the U.S. The wider consequences for Facebook and other businesses that had until recently relied upon the Safe Harbor, however, remain to be seen. Hunton & Williams has provided further insight into the practical next steps that organizations should consider at this stage.

EU and U.S. Privacy Expert Group Releases “Privacy Bridges” Report

On October 21, 2015, the EU-U.S. Privacy Bridge Initiative, a group of transatlantic privacy experts that was convened in April of 2014, released its report on Privacy Bridges – EU and US Privacy Experts in Search of Transatlantic Privacy Solutions.

The group of 19 data protection expert members included President of Hunton & Williams LLP’s Centre for Information Policy Leadership (“CIPL”) Bojana Bellamy and CIPL’s Senior Policy Advisor Fred H. Cate.

The group’s report identifies ten “privacy bridges” that can serve as practical steps toward bridging the gap between the EU and U.S. approaches to privacy. The goal of these bridges is to create a high level of transatlantic privacy protection by “furthering the interests of individuals and increasing certainty for commercial organizations.” The bridges intend to accomplish this goal in a way that “respects the substantive and procedural differences between the two jurisdictions” and without requiring legislative changes on either side of the Atlantic.

The ten bridges are:

  • Formalizing the Working Relationship between the Article 29 Working Party and the Federal Trade Commission. The Working Party and FTC should engage in ongoing public dialogue and policy development coordination concerning key privacy challenges and should institutionalize their collaboration through a Memorandum of Understanding.
  • User Controls. Stakeholders should work together to develop user-friendly mechanisms to express individual choice and consent concerning how their personal data is collected and used.
  • New Approaches to Transparency. The Working Party and the FTC should coordinate recommendations on privacy notices and encourage an international standardization process to develop more definitive guidance on transparency, which will be a precondition for developing effective user controls.
  • User Complaint Mechanisms: Redress of Violations Outside a User’s Region. Online services should provide contact information for filing consumer complaints and appropriate public agencies in the EU and U.S. should jointly create a public directory with information about how and where complaints can be filed.
  • Government Access to Private Sector Personal Data. Communication and Internet services should establish uniform best practices for handling information requests from their own and foreign governments and report on government access requests on a regular basis.
  • De-identification of Personal Data. EU and U.S. regulators should identify concrete and shared standards on de-identification.
  • Best Practices for Security Breach Notification. Relevant authorities should cooperate in dealing with multi-national breaches in terms of enforcement and establishing a more harmonized reporting regime.
  • Accountability. The Working Party and FTC should harmonize their approaches to accountability programs that improve data processing practices. The private sector should develop more effective means for external verification and scalability of such programs.
  • Greater Government-to-Government Engagement. EU and U.S. executive agencies and decision-making bodies should engage in dialogue and, where appropriate, effective coordination of their regulatory activity.
  • Collaborating on and Funding for Privacy Research Programs. To enable the growth of common perspectives on privacy, collaborative and multidisciplinary research should be fostered on both sides of the Atlantic.

The “Privacy Bridges” group was convened in 2014 on the initiative of Jacob Kohnstamm, chairman of the Dutch Data Protection Authority, and jointly organized by the Massachusetts Institute of Technology Cybersecurity and Internet Policy Research Initiative and the University of Amsterdam’s Institute for International Law.

Bojana Bellamy welcomed the release of the report, saying “With the mounting legal uncertainty over transatlantic data flows and the increasing challenges of our digital society, there has never been a more pressing moment to collaborate on practical measures that can leverage our shared privacy values for the benefit of both our citizens and commercial organizations.”

Fred Cate, who also serves as Vice President for Research and a Distinguished Professor at Indiana University, stressed that “the key aspect of this initiative is that it is focused on practical, pragmatic steps that can actually be implemented even while countries on both sides of the Atlantic continue to debate data protection laws.”

“If U.S. and EU regulators, private sector leaders, academics, and others can work together to actually implement some or all of these ten bridges, the report will have done its job and nations, companies, and people on both sides of the Atlantic will benefit,” Cate said.

The report will be one of the key topics for discussion at the upcoming 37th International Privacy Conference in Amsterdam in the week of October 26, 2015.

California Passes New Digital Privacy Law

On October 8, 2015, California Governor Jerry Brown signed into law the California Electronic Communications Privacy Act (“CalECPA”). The law requires police to obtain a warrant before accessing an individual’s private electronic information, such as text messages, emails, GPS data and online documents that are stored in the cloud and on smartphones, tablets, computers and other digital devices. The government also must obtain a warrant before requiring a business to produce an individual’s electronic information.

The bill’s co-author, State Senator Mark Leno (D-San Francisco), hailed CalECPA as “a carefully crafted law that protects personal information of all Californians,” and noted that the law still ensures that police have the tools they need to battle crime. For example, pursuant to the CalECPA, the government may forego the warrant requirement if it (1) receives consent from the owner or possessor of the device or (2) has a good faith belief that an emergency involving potential death or serious physical injury necessitates access to the information.

The bill was co-sponsored by the American Civil Liberties Union of California, the Electronic Frontier Foundation and the California Newspaper Publishers Association.

Hunton Discusses the Safe Harbor Decision and Provides Next Steps

In an article published by E-Commerce Law Reports, Hunton & Williams partners Bridget Treacy and Lisa Sotto discuss the Court of Justice of the European Union’s (the “CJEU’s”) recent ruling invalidating the European Commission’s Safe Harbor Decision. The article, Maximillian Schrems v. Data Protection Commissioner, describes the facts of the case and the CJEU’s confirmation that “the national data protection authorities (“DPAs”) [can] conduct their own investigation into whether transfers of personal data are subject to an adequate level of protection.” Treacy and Sotto continue to discuss the impact of the judgment and the practical next steps organizations should take.

Read the full article.

Article 29 Working Party Issues Statement on Consequences of Safe Harbor Ruling

On October 16, 2015, the Article 29 Working Party (the “Working Party”) issued a statement on the consequences of the recent ruling of the Court of Justice of the European Union (the “CJEU”) invalidating the European Commission’s Safe Harbor Decision.

In its statement, the Working Party called upon the EU Member States and EU institutions to open discussions with U.S. authorities in order to find political, legal and technical solutions enabling transfers to the U.S. that respect EU citizens’ fundamental rights. According to the Working Party, an intergovernmental agreement providing stronger guarantees to EU data subjects and a new Safe Harbor could offer such solutions.

Importantly, the Working Party indicated that it will continue analyzing the impact of the CJEU ruling on other data transfer mechanisms, such as standard contractual clauses and Binding Corporate Rules. The Working Party confirmed that, during this period, businesses can still rely on these data transfer mechanisms to transfer personal data to the U.S. According to the statement, however, this does not exclude the possibility for national data protection authorities (“DPAs”) to investigate particular data transfers (e.g., following a complaint) and exercise their powers to protect individuals.

Furthermore, if no solution is found with the U.S. authorities by the end of January 2016, the DPAs may, depending on the outcome of the Working Party’s assessment of the other data transfer mechanisms, decide to take coordinated enforcement actions.

In any event, the Working Party states that businesses can no longer rely on the EU-U.S. Safe Harbor to transfer personal data from the EU to the U.S. To that end, the Working Party advises businesses to reflect on the eventual risks they take when transferring data and to consider putting in place any legal and technical solutions to mitigate these risks and to respect EU law. Meanwhile, national DPAs are expected to provide more information to businesses at a national level.

German Parliament Adopts Data Retention Law with Localization Requirement

On October 16, 2015, the German Parliament adopted a new data retention law requiring telecommunications operators and Internet service providers to retain customer Internet and phone usage data, including phone numbers, call times, IP addresses, and the international identifiers of mobile users (if applicable) for 10 weeks. The law requires user location data obtained in connection with mobile phone services to be retained for four weeks. Telecommunications and Internet service providers also are required to ensure that the retained data is stored within Germany.

The law now will be presented to the federal president. To become effective, it must be signed by the federal president and published in the Federal Law Gazette.

Hunton Ranked in Tier 1 in The Legal 500 United Kingdom Guide

Hunton & Williams proudly announces that the firm was ranked in Tier 1 in The Legal 500 United Kingdom 2015 guide for data protection. Bridget Treacy, head of the firm’s UK Privacy and Cybersecurity practice, and Rosemary Jay, senior consultant attorney, both received recognition as leading individuals for data protection.

The guide noted that our lawyers are “experts in breach management, the Internet of Things (IoT) and the drafting and implementation of BCRs.”

The firm also was ranked in Tier 1 in The Legal 500 United States guide for privacy and data security for the sixth consecutive year, and in The Legal 500 EMEA in Tier 1 for privacy and data protection.

The Legal 500 is an editorial guide based on feedback from 250,000 in-house peers that is independently assessed by its researchers and staff “to help corporate counsel” research and select law firm counsel.

A DoubleClick https open redirect used in some malvertising chain

In the post on the UK-focused Shifu I illustrated malvertising traffic to Angler.

The traffer group behind this activity is the same one exposed by BelchSpeak from Invincea in many tweets (explaining the addition of code to spot the Invincea sandbox), by FoxIT in June, by Malwarebytes in September, and by Trendmicro 2 weeks ago.

As it's easier to have a name to share/talk about stuff, I'll use "VirtualDonna Traffers" to refer to them (virtualdonna .com is one of the domains they used that got some attention).

Earlier this year they were using https bit.ly,

[Image: 2015-07-11 - bit.ly as https url shortener]

tiny url,

[Image: 2015-07-11 - tiny url as https url shortener]

or the goo.gl url shortener,

[Image: 2015-06-12 - goo.gl as https url shortener]

and switched to their own https redirector behind Cloudflare around the middle of September (naotsandhap.eu, then 2 weeks ago mediacpm.com and wrontoldretter.eu).

[Image: Two passes here: same source (Dailymotion), same country (Australia), same traffer for the same customer (how/why? same payload: Reactorbot, srvdexpress3 .com). Different legitimate part of the chain. 2015-09-29]

https gives the traffer the ability to kill the referer chain (making it more difficult to figure out where the Exploit Kit landing spotted in the traffic is coming from). Once the redirector is discovered, one way to signature it is to flag the SSL certificate being used.

These days they are using a DoubleClick https open redirect.

[Image: VirtualDonna Traffers exploiting an https open redirect by Doubleclick in its chain to Angler EK - GB - 2015-10-15]

Off topic: the payload in that pass was Shifu - 695d6fbd8ab789979a97fb886101c576, beaconing to nyctradersacademy .com.

Doubleclick has been informed about the issue.
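The redirect abused above is an open redirect: an endpoint that forwards the browser to whatever target its query parameter names, which is what lets a traffer launder the referer chain through a reputable https host. As an added example that is not part of the original post, the Python below puts the vulnerable pattern next to an allow-list check that rejects the usual bypasses (scheme-relative //host, backslashes, userinfo, non-https schemes) and runs a small audit over constructed redirector log lines to flag off-list targets; the hostnames, the `url` parameter name and the log format are assumptions.

```python
"""Open-redirect hardening and log audit (added example, not the post's code).

Assumptions (constructed for this example): the redirector lives at
/redirect?url=..., may only forward to the hosts in ALLOWED_HOSTS, and its
access log has four space-separated fields: timestamp, method, path, status.
"""
from urllib.parse import parse_qs, urlsplit

# Constructed allow-list of destinations this redirector may send users to.
ALLOWED_HOSTS = {"www.example.com", "ads.example.com"}
FALLBACK = "https://www.example.com/"


def open_redirect_target(url: str) -> str:
    """The vulnerable pattern: the parameter is trusted as the Location header."""
    return url


def is_allowed_target(url: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """True only for a plain relative path or an https URL on an allow-listed host."""
    if not url:
        return False
    # Browsers treat a backslash like a slash ("/\evil.test" becomes "//evil.test"),
    # and CR/LF would allow header injection: refuse both outright.
    if "\\" in url or "\r" in url or "\n" in url:
        return False
    parts = urlsplit(url)
    if parts.scheme == "" and parts.netloc == "":
        # Relative path on our own origin; "//host" is scheme-relative, not relative.
        return url.startswith("/") and not url.startswith("//")
    if parts.scheme.lower() != "https":
        return False  # also rejects "javascript:" and scheme-relative "//host"
    # "https://www.example.com@evil.test/" puts our host in the userinfo part;
    # urlsplit already reports hostname "evil.test", the "@" check is belt and braces.
    if "@" in parts.netloc or parts.hostname is None:
        return False
    return parts.hostname.lower() in allowed_hosts


def safe_redirect_target(url: str, fallback: str = FALLBACK) -> str:
    """Hardened version: forward only to allow-listed targets, else to a fixed page."""
    return url if is_allowed_target(url) else fallback


# Constructed log lines: one abuse of the redirector among legitimate requests.
SAMPLE_LOG = [
    "2015-10-15T10:00:01Z GET /redirect?url=https%3A%2F%2Fwww.example.com%2Fpromo 302",
    "2015-10-15T10:00:02Z GET /redirect?url=%2F%2Fevil.test%2Flanding 302",
    "2015-10-15T10:00:03Z GET /redirect?url=https%3A%2F%2Fads.example.com%2Fx 302",
]


def audit_redirect_log(lines, param: str = "url"):
    """Return (timestamp, target) for every redirect whose target fails the check.

    Useful for finding past abuse of an endpoint before the fix was deployed.
    """
    flagged = []
    for line in lines:
        timestamp, _method, path, _status = line.split()
        query = urlsplit(path).query
        for target in parse_qs(query).get(param, []):  # parse_qs URL-decodes values
            if not is_allowed_target(target):
                flagged.append((timestamp, target))
    return flagged


if __name__ == "__main__":
    for probe in ["https://www.example.com/promo", "//evil.test/landing",
                  "https://www.example.com@evil.test/", "/\\evil.test"]:
        print(f"{probe!r:45} -> {safe_redirect_target(probe)}")
    print("flagged in log:", audit_redirect_log(SAMPLE_LOG))
```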

Post-publication readings:
The shadow knows: Malvertising campaigns use domain shadowing to pull in Angler EK - 2015-12-15 - Proofpoint
Let’s Encrypt Now Being Abused By Malvertisers - 2016-01-06 - TrendMicro

German DPA Issues Position Paper on Data Transfer Mechanisms in Light of CJEU Safe Harbor Decision

On October 14, 2015, the data protection authority (“DPA”) in the German state of Schleswig-Holstein (Unabhängiges Landeszentrum für Datenschutz) issued a position paper (the “Position Paper”) on the Safe Harbor Decision of the Court of Justice of the European Union (the “CJEU”).

In the Position Paper, the DPA disagrees with the European Commission’s (the “Commission’s”) opinion that alternative data transfer mechanisms may be used in place of Safe Harbor. According to the Position Paper, mechanisms such as consent and EU standard contractual clauses that are currently being discussed should be evaluated in a new way. This evaluation must focus on the principles established by the CJEU, in particular the comparable legal level of protection. The Position Paper indicates that a long-term solution would require a significant change in U.S. law. It is unknown whether other German DPAs will concur with the Position Paper.

It should be noted that the Position Paper is the opinion of only one DPA in Germany, which is known to be conservative. The Position Paper does not invalidate any prior adequacy decisions made by the Commission. As the CJEU held in Schrems v. Facebook, DPAs in the Member States cannot invalidate Commission adequacy decisions.

The Position Paper discusses the recent Schrems v. Facebook decision that invalidated the U.S.-EU Safe Harbor Framework as a data transfer mechanism. The Position Paper notes that there are limited options for the Commission to take with respect to data transfers to the U.S. in the wake of the Schrems decision. These options, however, would require the U.S. to implement comprehensive changes to U.S. law which may be unlikely in the short or medium-term.

With respect to alternative data transfer mechanisms, the Position Paper concludes the following:

  • Consent: The Position Paper notes that individuals must provide effective informed consent. According to the Position Paper, this entails providing individuals with comprehensive information on the lack of personal data protection in the U.S., including (1) the ability and wide-ranging power of the U.S. government to access their data, (2) the lack of data subjects’ rights, and (3) the general failure of the U.S. to adhere to the purpose limitation and necessity principles that are embedded in EU law. Given these issues, especially what it deems groundless mass surveillance conducted by U.S. intelligence agencies, the Position Paper concludes that consent may not be an option to provide a legal basis for data transfers to the U.S.
  • Performance of a Contract: The Position Paper notes that contractual and necessary data transfers between the data subject and the data controller, such as providing data to book travel arrangements, are permissible. The Position Paper, however, indicates that this legal ground would not provide a legal basis for transfers of employee personal data that may be processed in the U.S. for purposes related to employee performance or behavior control.
  • EU Standard Contractual Clauses: With respect to standard contractual clauses as a legal basis for transferring personal data to the U.S., the Position Paper refers to Commission decision 201/87/EU of February 5, 2010 (controller-to-processor data transfers) and Commission decision 2001/497/EC of June 15, 2001 (controller-to-controller transfers). In these decisions, a data importer must agree that it has no reason to believe that any applicable laws will prevent it from fulfilling the instructions and contractual obligations of the data exporter. If that is not the case, then the data exporter has the right to suspend the transfer of data and/or terminate the contract. Therefore, the Position Paper states that data exporters must consider exercising those rights.

Investigations by the DPA

The Position Paper indicates that the Schleswig-Holstein DPA is considering using the power granted to it by Article 4 of Commission decision 201/87/EU of February 5, 2010 to “prohibit or suspend data flows to third countries in order to protect individuals with regard to the processing of their personal data,” if the data importer is not able to comply with EU data protection law, or if the requirements of Article 13 of the EU Data Protection Directive 95/46/EC are not satisfied. The Position Paper further states that data transfers to the U.S. without a legal basis constitute an administrative offense and may be sanctioned with a fine of up to 300,000 EUR.

The Position Paper concludes by noting that the Schleswig-Holstein DPA will assess whether it has to issue administrative orders to prohibit or suspend data transfers and examine whether any offenses have been committed as a result of transferring personal data to the U.S. that does not guarantee an adequate level of data protection.

Hunton Sponsors 14th Annual Data Protection Compliance Conference

On October 15 and 16, 2015, Hunton & Williams is pleased to sponsor PDP’s 14th Annual Data Protection Compliance Conference in London. Bridget Treacy, Head of the UK Privacy and Cybersecurity practice at Hunton & Williams, chairs the conference, which features speakers from the data protection industry, including Christopher Graham, UK Information Commissioner, and Rosemary Jay, senior consultant attorney at Hunton & Williams.

The conference is designed to provide data protection professionals with information regarding the latest challenges in the data protection landscape, including managing crisis communications and the intersection of U.S. and EU privacy law. The second day of the conference includes in-depth and interactive workshops on topics ranging from the EU General Data Protection Regulation and cross-border data transfers to data breaches and social media.

For more information and to register, visit the PDP website.

Hack Naked TV – October 8, 2015

This week on Hack Naked TV, Aaron talks about breaches of LoopPay, Uber, and Dow Jones.

Visit our wiki for a complete list of articles and links covered in the show: http://wiki.securityweekly.com/wiki/index.php/Hack_Naked_TV_October_13_2015

Security Weekly Web Site: http://securityweekly.com

Hack Naked Gear: http://shop.securityweekly.com

Follow us on Twitter: @securityweekly

Security Weekly #437 – Interview with Dafydd Stuttard

Interview with Dafydd Stuttard

This week, we interview Dafydd Stuttard, the creator of Burp Suite and the author of The Web Application Hacker's Handbook. We talk about the source of the name "Burp" and the future of webapp scanning.

Security News - Facebook Sex tapes and rooting the OnHub

This week in security news, we talk about Stagefright 2.0, how to root your very own Google OnHub, breaking SHA-1, and AWS WAF.

For a full list of stories, visit our wiki: http://wiki.securityweekly.com/wiki/index.php/Episode437#Stories_of_the_Week_-_7:00PM-8:00PM


Security Weekly Web Site: http://securityweekly.com

Hack Naked Gear: http://shop.securityweekly.com

Follow us on Twitter: @securityweekly

California Attorney General’s Settlement with Houzz Inc. Requires Company to Hire CPO

On October 2, 2015, California Attorney General Kamala D. Harris announced that her office settled a lawsuit against home design website, Houzz Inc. (“Houzz”). Houzz was charged with secretly recording incoming and outgoing telephone calls for training and quality assurance purposes without notifying its customers, employees or call recipients, in violation of California eavesdropping and wiretapping laws. As part of the settlement, the Attorney General required Houzz to destroy the recordings, pay a fine of $175,000 and hire a Chief Privacy Officer to supervise its compliance with privacy laws and conduct privacy risk evaluations to assess Houzz’s privacy practices. This is the first time that the Attorney General has required the hiring of a Chief Privacy Officer as part of a settlement.

According to the Attorney General’s press release, the requirement of hiring a Chief Privacy Officer “is a significant step that is aligned with Attorney General Harris’ ongoing efforts to preserve California businesses’ ability to innovate while ensuring that consumers’ right to privacy is protected.”

QOTD – Cyber Guardians

Cybersecurity professionals are the new guardians of big changes in the organization. Such professionals must practice business resiliency and adaptability, because they are now so integrated with digital business decisions that leaders cannot tell where business ends and cybersecurity begins. 
The digital explosion and the race to the edge have achieved what previous waves of technology evolution have failed to do — to integrate cybersecurity professionals and business leaders into effective teams for the protection and safety of the organization.
-- Christian Byrnes, Managing Vice President at Gartner

Src: Gartner Says Cybersecurity Professionals Are the New Guardians of Digital Change - Yahoo Finance

UK ICO Issues Largest Fine to Date for Unlawful Automated Marketing Calls

On September 25, 2015, the UK Information Commissioner’s Office (the “ICO”) issued a fine of £200,000 (approximately $303,000) to Home Energy & Lifestyle Management Ltd. (“HELM”) for making a large number of automated marketing calls in violation of the UK’s direct marketing laws. This is the largest fine that the ICO has issued to date in connection with automated marketing calls.

HELM specializes in energy saving products and made automated telephone calls to potential customers with the aim of persuading them to purchase solar panels as part of the UK government’s “Green Deal,” a project encouraging homeowners to make energy-saving improvements to their homes. HELM admitted making in excess of six million automated calls. Between October 2, 2014 and December 12, 2014, the ICO received 242 complaints regarding the calls.

Sections 19(1) and (2) of the Privacy and Electronic Communications Regulations (“PECR”) state that automated calls may only be made to an individual for direct marketing purposes if that individual has given prior consent to receive such calls from the caller. The ICO found that HELM had contravened this requirement by failing to obtain prior consent from the recipients of the calls. HELM admitted that they were not aware of the PECR requirements noted above. The ICO considered HELM’s breach of PECR sufficiently serious to warrant a substantial fine, particularly because the automated marketing calls gave the misleading impression that the solar panels were available for free.

The ICO has stated that this fine should serve as “a warning to other companies to think before they launch into a campaign.” The ICO also has provided detailed guidance to assist companies in complying with PECR and other relevant legislation when conducting direct marketing campaigns.

Security Weekly #436 – Password Cracking with Larry

Password Cracking With Larry

This week on Security Weekly, we are joined by none other than Larry Pesce. After his recent DerbyCon talk, Larry gives us some insight on his 600 dollar password cracking machine.


Security News

Today in the news, Kevin recaps the T-Mobile breach. Do we now let the fox watch the henhouse? Larry dives into a Nest (TM) of IoT (drink) devices. Paul tries to keep it together with a blog post on MS08-067.

For a full list of stories and links, visit the wiki: http://wiki.securityweekly.com/wiki/index.php/Episode436#Stories_of_the_Week_-_7:00PM-8:00PM

Security Weekly Web Site: http://securityweekly.com

Hack Naked Gear: http://shop.securityweekly.com

Follow us on Twitter: @securityweekly

CJEU Declares the Commission’s U.S. Safe Harbor Decision Invalid

On October 6, 2015, the Court of Justice of the European Union (the “CJEU”) issued its judgment in the Schrems v. Facebook case, following the Opinion of the Advocate General published on September 23, 2015. In its judgment, the CJEU concluded that:

  • The national data protection authorities (“DPAs”) have the power to investigate and suspend international data transfers even where the European Commission (the “Commission”) has adopted a decision finding that a third country affords an adequate level of data protection, such as Decision 2000/520 on the adequacy of the protection provided by the Safe Harbor Privacy Principles (the “Safe Harbor Decision”).
  • The Safe Harbor Decision is invalid.

Powers of National Authorities

The CJEU concluded that a decision of the European Commission on the adequacy level of data protection provided by a non-EU country cannot eliminate or reduce the powers granted to DPAs under the EU Data Protection Directive 95/46/EC. DPAs therefore can suspend international data transfers made under the Safe Harbor Framework following an investigation. The Court, however, also stated that the CJEU alone has the ultimate jurisdiction to examine the validity of a Commission adequacy decision.

Validity of U.S.-EU Safe Harbor Framework

In its judgment, the CJEU also assessed the validity of the Safe Harbor Decision. The CJEU observed that the Safe Harbor Framework solely applies to U.S. undertakings which adhere to it, leaving U.S. public authorities out of scope. In addition, national security, public interest and law enforcement requirements prevail over the Safe Harbor Framework. When a conflict arises with respect to these requirements, the U.S. undertakings are obligated to disregard the existing protective rules. The CJEU further concluded that U.S. legislation does not limit interference with individuals’ rights to what is strictly necessary. Notably, the CJEU indicated that U.S. legislation authorizes, on a general basis, storage of all personal data of all the persons whose data is transferred from the EU to the U.S. without any differentiation, limitation or exception being made in light of the objectives pursued, and without providing an objective criterion for determining limits to the access and use of this data by public authorities.

The CJEU further observed that the Safe Harbor Framework does not provide sufficient legal remedies to allow individuals to access their personal data and to obtain rectification or erasure of such data. This compromises the fundamental right to effective judicial protection, according to the CJEU.

Finally, the CJEU stated that the Safe Harbor Decision restricts the powers of DPAs to investigate the validity of the Decision and the Commission lacked competence to do so. For all of the reasons set forth above, the CJEU declared the Safe Harbor Decision invalid.

Next Steps

Following the judgment of the CJEU, the Irish DPA is required to examine, with all due diligence, whether the transfer of data of Facebook’s European users to the U.S. should be suspended given that the level of protection provided by the U.S. for data transferred under the U.S.-EU Safe Harbor Framework is no longer adequate.

The Article 29 Working Party, the UK Information Commissioner’s Office and the Spanish DPA have already published statements on the CJEU’s judgment explaining that they will work with other EU DPAs to issue further guidance for businesses and clarify the impact of the judgment on businesses.

View the full text of the CJEU’s judgment.

For a summary, please see the press release of the CJEU.

CJEU Applies Broad Territorial Scope to EU Data Protection Law

On October 1, 2015, the Court of Justice of the European Union (the “CJEU”) issued its judgment in Weltimmo v Nemzeti (Case C-230/14). Weltimmo, a company registered and headquartered in Slovakia, runs a website that allows property owners in Hungary to advertise their properties. The CJEU stated that, in some cases, Weltimmo had failed to delete the personal data of the advertisers upon request, and also had sent debt collectors to some advertisers despite their earlier attempts to cancel their accounts. The advertisers complained to the Hungarian Data Protection Authority (“DPA”), which investigated the matter and issued a fine of HUF 10 million (approximately 36,500 USD) against Weltimmo.

Weltimmo brought an action in the Hungarian courts, contesting the fine. It argued that Hungarian data protection law did not apply under the EU Data Protection Directive 95/46/EC (the “Directive”), because Weltimmo did not have a branch or office in Hungary, was not established in Hungary and none of the other bases for the application of Hungarian law under the Directive were applicable. The Hungarian courts referred the question to the CJEU.

The CJEU noted that Article 4(1) of the Directive governs the determination regarding which Member State’s law applies. The CJEU applied the classic formulation that the data protection law of an EU Member State applies to data processing activities “where the processing is carried out in the context of the activities of an establishment of the controller on the territory of the Member State.” Nevertheless, the CJEU also observed that, as set out in its own judgment in Costeja, Article 4(1) should be interpreted broadly, and establishment is a “flexible concept.” It further stated that “the concept of ‘establishment’… extends to any real and effective activity — even a minimal one — exercised through stable arrangements.”

The CJEU took the view that the presence of a single representative in a Member State can be sufficient to create an establishment of the controller in that Member State. It concluded that Weltimmo was established in Hungary, on the basis of several factors:

  • Weltimmo’s website concerned properties that were physically located in Hungary, and the website was written in Hungarian.
  • Weltimmo had a “representative” in Hungary, on the basis that it had instructed local Hungarian debt collectors to act on its behalf.
  • The debt collectors used a postal address in Hungary and a Hungarian bank account to do business on Weltimmo’s behalf.

Consequently, the CJEU held that Hungarian data protection law applied to Weltimmo. The CJEU also clarified that the nationality of the advertisers (who were the data subjects in this case) was irrelevant to the question of applicable law.

The consequences of this judgment are potentially significant for businesses. In practice, if a business has “even a minimal” presence in an EU Member State, it is likely that the data protection laws of that Member State will apply to that business. There is no “bright line” test, and the CJEU appears comfortable relying on a broad range of factors in order to make a finding of establishment.

CIPL and Instituto Brasiliense de Direito Publico Host Global Data Privacy Dialogue in Brazil

On October 6 and 7, 2015, the Centre for Information Policy Leadership at Hunton & Williams LLP (“CIPL”), a global privacy policy think-tank based in Washington D.C. and London, and the Instituto Brasiliense de Direito Publico (“IDP”), a legal institute based in Brazil, will co-host a two-day Global Data Privacy Dialogue in Brazil, at the IDP’s conference facilities.

The conference will bring together Brazilian and international privacy experts from government, industry and academia to discuss how to achieve effective privacy protection for individuals, while at the same time enabling technological innovation and the beneficial uses of personal data in the age of Big Data and the Internet of Things. The Global Data Privacy Dialogue is part of an initiative to facilitate and support international expert engagement with key Brazilian stakeholders during Brazil’s ongoing process to develop a comprehensive privacy law.

During the conference, participants from Brazil, Uruguay, Colombia, Europe, the United States and Canada will discuss:

  • the realities of modern information technology and information uses;
  • Brazil’s draft privacy legislation and other important global developments in data protection;
  • how to govern global data flows;
  • how to apply core privacy principles such as consent in the modern information age;
  • how to design effective organizational privacy compliance programs and best practices; and
  • the role of a national data protection authority.

“Achieving the dual goal of privacy and beneficial use of data is imperative, and we don’t need to sacrifice one for the other. Our hope is that we can bring to bear the tremendous wealth of experience that already exists around the world on the many important privacy policy issues currently being considered in Brazil,” said Bojana Bellamy, CIPL’s president. “Brazil is an important economy and whatever happens in Brazil on privacy legislation will have a global impact.”

Laura Schertel Mendes, IDP Researcher, and Sérgio Alves Jr., IDP Executive Secretary, welcomed the collaboration with CIPL. Schertel noted, “Brazil has achieved global attention as a leader in internet policymaking by liaising national and international communities of academics, governmental agencies, private companies and civil society.”

“We expect this Dialogue will contribute to the discussion on how to improve the Brazilian legal framework with effective, updated, and enforceable privacy protection tools and policies,” Alves added.

Speakers for the Dialogue include: Virgilio Almeida, Secretary for Information Technology from the Ministry of Science, Technology and Innovation; Peter Hustinx, former European Data Protection Supervisor; Juliana Pereira da Silva, National Secretary of the Consumer in Brazil’s Ministry of Justice; Maximiliano Martinhão, Secretary of Telecommunications, Ministry of Communications; and David Smith, Deputy Commissioner and Director of Data Protection, UK Information Commissioner’s Office.


Recruiter and SEO response templates

I’m normally sympathetic to technology recruiters, but some are just hopeless. These, I have no sympathy for. And the SEO spammers, no sympathy for any of them. Every now and then, one is so obnoxious that I feel compelled to respond, and as a community service I’m sharing templates I use for responding to the worst of them.

For the recruiters:

[Dude/Dudette], I hate to be an ass, but really- digging up an ancient resume and throwing names at the wall to see if any stick- this is why recruiters like you and your ilk are loathed.  As someone who spends a lot of time trying to help folks develop and advance their technology and security careers this shit really pisses me off.

I'm not interested in moving at this time, but not being a fool I would entertain appropriate offers.  That means a minimum of [INSERT LARGE NUMBER HERE] plus options or equity, a maximum of [SMALL AMOUNT OF TIME HERE] hours per week dedicated to direct company work, support of my [LARGE NUMBER] of hours per week for community development and engagement, plus research time.  Oh, and support of my [TRAVEL, SPEAKING, DRINKING, ETC.] schedule.

The one I use for SEO is specific to Security BSides, but feel free to adapt as appropriate for your needs:

I'm sorry [SEO SCUMBAG'S NAME HERE], but we're a global community of technology and security experts, many of us have been in the field since pre-Web days... and none of us has ever heard of you or your firm.  We have a globally recognized and respected brand and have drawn several thousand participants to hundreds of events around the world without your help.

In fact, perhaps you would be interested in contracting with some of our technology, social media, and marketing experts to help build your brand- at competitive consulting rates, of course.  If not, please remove this, and every other Security BSides affiliated email from your lists.

Yes, I can be a bit of an ass, but it is occasionally justified.

Jack

Hack Naked TV – October 1, 2015

Today Aaron talks about BitPay, OPM, Volkswagen, and new TrueCrypt Flaws. For a full list of stories, visit the wiki: http://wiki.securityweekly.com/wiki/index.php/Hack_Naked_TV_October_1_2015#Aaron.27s_Stories


Centre for Information Policy Leadership Webinar on the APEC Cross-Border Privacy Rules

On September 29, 2015, the Centre for Information Policy Leadership at Hunton & Williams LLP (“CIPL”), a global privacy policy think-tank based in Washington D.C. and London, hosted a webinar on The Ins and Outs of the APEC Cross-Border Privacy Rules (“CBPR”) and their Role in Enabling Legal Compliance and International Data Transfers. CIPL Vice President and Senior Policy Counselor Markus Heyder moderated the session. Featured speakers included Josh Harris, Director of Policy, TRUSTe; Anick Fortin-Cousens, Program Director, Corporate Privacy Office and Privacy Officer for Canada, Latin America, Middle East & Africa, IBM; Caitlin Fennessy, Policy Advisor, International Trade Administration, U.S. Department of Commerce; and Melinda Claybaugh, Counsel for International Consumer Protection, Office of International Affairs, FTC. Together the speakers presented an overview of the APEC CBPR system and practical issues relevant to companies that are interested in seeking CBPR certification.


FCC Cites Lyft Inc. and First National Bank Corp. for TCPA Violations

On September 11, 2015, the Federal Communications Commission (“FCC”) announced that Lyft Inc. (“Lyft”) and First National Bank Corporation (“FNB”) violated the Telephone Consumer Protection Act (“TCPA”) by forcing their users to consent to receive automated text messages as a condition of using their services. The FCC warned that these violations could result in fines if they continue.

The TCPA is a federal privacy law that requires companies to obtain their users’ prior express written consent before using autodialing systems to send marketing or advertising through phone calls or text messages. Companies may not condition use of their service on such consent.

The FCC found that although Lyft’s terms of service required users to expressly consent to receiving autodialed communications and gave them the option of opting out of automated text messages, such opt-out representations were “illusory” because there was no easy way to fully opt out from receiving the messages. Furthermore, if a user did opt out of the automated text messages, the user would be barred from receiving the security text messages necessary for log-in purposes, and could no longer use Lyft’s services. Thus, the FCC held that Lyft was conditioning use of its service on consent to receive automated text messages, and was therefore in violation of the TCPA.

The FCC found that FNB’s Online Banking Service Agreement explicitly required users to receive automated marketing emails and text messages in order to use FNB’s online banking platform, but unlike Lyft, did not describe any way for users to opt out from receiving such communications. Thus, the FCC held that FNB was conditioning use of its service on consent to receive automated communications, without giving its users the option to opt out, and was therefore in violation of the TCPA.

In a statement announcing the citations, Travis LeBlanc, the Chief of the FCC Enforcement Bureau said, “Consumers have the right to choose whether they want marketing calls and texts to their cell phones. Today, we again make clear that such calls and texts are unlawful without express written consumer consent. We urge any company that unlawfully conditions its service on consent to unwanted marketing calls and texts to act swiftly to change its policies.”