Monthly Archives: January 2016

CIPL Holds Safe Harbor “Essential Equivalence” Roundtable with Top European Voices

On January 28, 2016, the Centre for Information Policy Leadership (“CIPL”) held a special roundtable at Hunton & Williams’ Brussels office to examine the “essential equivalence” requirement for protection of data transfers to non-EU countries set by the Court of Justice of the European Union’s (“CJEU’s”) Schrems decision. The roundtable brought together leading lawyers, corporate privacy officers, legal experts, regulators and policymakers to discuss the critical issues and impact of the new “essential equivalence” requirement for global data transfers set by the CJEU, and its relevance to the current EU-U.S. negotiations of a new Safe Harbor agreement.

The roundtable discussion touched upon the following topics:

  • How should we interpret the CJEU’s clarification of adequacy, and what standards exist to protect EU citizens’ data against access by EU government surveillance and intelligence agencies?
  • What are the respective roles and the jurisdiction of the CJEU and the European Court of Human Rights, and how does the separation of competence between the EU and its Member States affect the protection of privacy in Europe?
  • How should we interpret the Schrems decision in light of the court’s role within the EU legal order, its relationship with the European Court of Human Rights, and EU Member States’ exclusive competence in matters of national security and intelligence?
  • What is the impact of the key criteria set forth in the Schrems decision on European and international businesses, cross-border data flows and the global economy?

The roundtable was a unique opportunity to hear from two of Europe’s leading voices: Geoffrey Robertson from the UK, and Noelle Lenoir from France. Both Robertson and Lenoir agreed that in determining whether the protection afforded to Europeans in the U.S. is “essentially equivalent” to that afforded by the EU legal order, one has to examine not only the laws and rules in force, but also the administrative practices in effect in the country. They also emphasized that it is critical not to compare the two legal orders in the abstract, but rather to focus on the protection of privacy in the context of government surveillance and national security. In Europe, that protection is firmly within EU Member States’ competence and hence subject to exemptions in the EU Data Protection Directive. Indeed, it is the European Court of Human Rights in Strasbourg, which is established under the European Convention on Human Rights, that has developed case law mandating eight safeguards for the protection of privacy under Article 8 of the Convention. Despite this mandate, both Robertson and Lenoir argued that most of the eight safeguards have not been fully implemented in all European countries.

Robertson concluded that, following the U.S. law and practice reforms enacted after the Snowden incident, U.S. citizens are significantly better protected against national security surveillance than EU citizens in Europe. Furthermore, based on the new administrative rules and practices, oversight arrangements, disciplinary provisions and right to remedies against improper use in the U.S., Europeans have at least equivalent protection in the U.S. as they do in Europe.

The roundtable discussion also turned to the role of national data protection authorities (“DPAs”) after the Schrems decision. Participants concluded that the DPAs will be required to look at each data transfer case to determine the existence of essential equivalence in data protection in a foreign country. In addition, the consensus was that because foreign laws and administrative practices may change over time, fresh assessments will be necessary, raising concerns over the ability of DPAs, the European Commission and data controllers to continually reassess these issues. Participants also believe the criteria for essential equivalence will have an impact on future adequacy decisions under the new EU General Data Protection Regulation, and potentially on other mechanisms for international data transfers, such as standard contractual clauses and Binding Corporate Rules. Lenoir suggested that there will inevitably be more cases and preliminary rulings by the CJEU, which will bring necessary clarification and further nuances to the criteria set out in the Schrems decision. The period of legal uncertainty is bound to continue for some time.

Finally, the discussion offered glimpses of future solutions, such as:

  • The U.S. signing the protocol to the International Covenant on Civil and Political Rights;
  • intelligence agencies adopting a code of conduct (an accountability-based framework) that would include privacy safeguards and protections for individuals;
  • European jurisdictions developing oversight bodies that pass the test of the European Court of Human Rights and enable effective supervision of surveillance activities;
  • replication of solutions adopted in the SWIFT case; and
  • acceptance of mass surveillance, by allowing collection of data en masse subject to judicial restrictions and use and access limitations.

Security Weekly #448 – The Vulnerability Management Maturity Curve

Organizations tend to fall somewhere on a scale of 0 through 100 (with 100 being the best) when it comes to the maturity of their vulnerability management program, starting at 0 for those who don't do any type of vulnerability management or scanning and rising to those higher up the scale who integrate third-party products and produce business-based metrics. Find out about the different levels, some of the pitfalls and, most importantly, how to go from 0 to hero in your vulnerability management program.

Security Weekly #447 – Interview with Chris Domas

This week on Security Weekly, Carlos, Jack, Michael, Joff, Paul and Larry talk about Windows updates, Sean Penn, WordPress XSS, Windows compatibility issues, TrendMicro's node.js password manager (now featuring arbitrary command execution), and a whole lot more!

We also interview Chris Domas. Chris is a researcher interested in reverse engineering and exploitation. He joins us to talk about visualizing binaries, accessing ring -2 and making reversers sad.

Senate Judiciary Committee Passes Amended Judicial Redress Act

On January 28, 2016, the Senate Judiciary Committee passed the Judicial Redress Act (the “Act”), which would give EU citizens the right to sue over certain data privacy issues in the U.S. The Act passed after an amendment was approved which would condition EU citizens’ right to sue on EU Member States (1) allowing companies to transfer personal data to the U.S. for commercial purposes and (2) having personal data transfer policies which do not materially impede the national security interests of the U.S. The vote was initially set to take place on January 21, 2016, but was delayed.

Passage of the Act may have an impact on ongoing post-Safe Harbor negotiations on trans-Atlantic data transfers from the EU to the U.S., as strengthened privacy rights for EU citizens are an important component to any new Safe Harbor agreement. As we previously reported, the Article 29 Working Party announced in October 2015 that if no Safe Harbor agreement is reached by the end of January 2016, national data protection authorities may decide to initiate enforcement actions against companies that continue to rely on the invalidated Safe Harbor agreement to transfer data to the U.S.

New Safe Harbor Deal Between EU and U.S. May Be Imminent

According to Bloomberg BNA, Paul F. Nemitz, Director for Fundamental Rights and Union Citizenship at the Directorate-General Justice of the European Commission, said at a privacy conference that he hoped a new U.S.-EU Safe Harbor agreement would be reached by the evening of Monday, February 1, 2016.

According to Nemitz, Věra Jourová, European Commissioner for Justice, Consumers and Gender Equality, will go to Parliament on Monday evening to “inform member states…of the outcome [of the Safe Harbor discussions],” including whether or not an agreement has been reached. U.S. Federal Trade Commissioner Julie Brill, who spoke at the same privacy conference, would not confirm whether the agreement would be reached by Monday. She said, “[t]here’s absolutely a path to agreement. We need to get there. We can’t allow this to continue to be a stumbling block. But I don’t have a crystal ball.”

As we previously reported, the Article 29 Working Party announced in October 2015 that if no Safe Harbor agreement is reached by the end of January 2016, the individual national data protection authorities may decide to take coordinated enforcement actions against companies that continue to rely on the invalidated Safe Harbor agreement to transfer data.

Russian Data Protection Authority Releases 2016 Audit Plan for Localization Law

On January 13, 2016, the Russian Data Protection Authority (Roskomnadzor) released its plan for audits this year to assess compliance with Russia’s data localization law, which became effective on September 1, 2015. The localization law requires companies to store the personal data of Russians in databases located in Russia. The audit plan indicates that Roskomnadzor will audit large, multinational companies doing business in numerous jurisdictions and processing the personal data of Russian citizens.

Swatting airports helpdesks diverts the attention of anti-terror forces on the Indian Republic Day

26th January, the Indian Republic Day, was targeted by ISIS operatives to stage multiple terror strikes designed to cause terror and panic in major Indian cities. Over the last few weeks the Indian intelligence and police agencies successfully nabbed ISIS operatives, foiling major terror plots in the run-up to the 26th.

With tensions running high, and the anti-terror squads on full alert, a mentally disturbed man swatted airport and railway helpdesks, claiming that bombs would go off on Mumbai-bound flights and that cars stuffed with explosives would blow up at the airports and at Pune Railway Station. Wikipedia describes swatting as an act of deceiving an emergency service (via such means as hoaxing an emergency services dispatcher) into dispatching an emergency response based on the false report of an ongoing critical incident.

The man, who was later apprehended, had made four calls over two days to airports and railway stations, claiming that there was a car parked in the airport vicinity loaded with explosives or that a person on board a flight was carrying a bomb in his hand luggage. This ensured that over 200 policemen were diverted from deterring real terrorists to combing these routes and flights. One flight was delayed and another diverted mid-air to the nearest airport for an anti-sabotage check.

While swatting is relatively new in India, it is quite common in the US. Swatting may occur for pranks, online harassment or even revenge. Recently Skype introduced a patch which protects the privacy of a caller's IP address, a flaw which could be exploited to launch SWAT teams on rival gamers using IP geolocation.

Such acts are akin to terrorism and punishable as a crime because of their potential to cause disruption, waste the time of emergency services, divert attention from real emergencies and possibly cause injuries and psychological harm to the persons targeted. Cybercitizens are advised not to make prank calls for whatever reason, as the joke may turn into a long, ugly jail term.

CVE-2015-8651 (Flash up to 20.0.0.228/235) and Exploit Kits

While other exploit kits are struggling to keep up with Angler (none is firing CVE-2015-8446, maybe because of the Diffie-Hellman protection on Angler's exploits):
- Nuclear, Magnitude and Neutrino's latest exploits are from October (CVE-2015-7645)
- RIG and Sundown are relying on July exploits (Hacking Team's CVE-2015-5122)
(all have the IE CVE-2015-2419 from August)

Angler has just integrated CVE-2015-8651, patched with Flash 20.0.0.270 on 2015-12-28.

Angler EK : 2016-01-25
The exploit may have been there since the 22nd, based on some header modifications which appeared that day.
It's not yet pushed to all Angler EK threads, but it is widely spread.
Thanks Anton Ivanov (Kaspersky) for CVE Identification !

CVE-2015-8651 (and CVE-2015-2419) being successfully exploited by Angler EK to load bedep in memory
2016-01-25
Fiddler sent to VT.
---
Another pass via the "noisy" Cryptowall "crypt13x" actor, whose threads also have it:

CVE-2015-8651 being successfully exploited by Angler EK to load Cryptowall (crypt13001)
from the widely spread and covered "crypt13x" actor thread - 2016-01-25

(Out of topic payload: 5866906a303b387b9918a8d7f8b08a51 Cryptowall crypt13001)

I have been told by Eset that the exploit is successful on Flash 20.0.0.235 and Firefox.
---
I spotted a thread serving a landing page and an exploit to Firefox.
2016-03-23 Firefox pass with sandbox escape:
Angler EK exploiting CVE-2015-8651 on Firefox 33.1.1 and Flash 20.0.0.305
Bedep successfully wrote its payload on the drive.
2016-03-23
Files : Fiddler in a zip (password malware)

Neutrino :
Thanks Eset for identifying the added CVE here.

Neutrino Exploiting CVE-2015-8651 on 2016-02-09
Here Bunitu dropped
Note: for some reason I could not get it working with Flash 20.0.0.228.

Files : Fiddler here (password is malware)

Nuclear Pack:

Thanks again Eset for CVE identification here.
Nuclear Pack exploiting CVE-2015-8651 on 2016-02-10
Out of topic payload: cdb0447019fecad3a949dd248d7ae30f, which is a loader for CloudScout (topflix .info, which we can find in RIG as well those days)

It seems Chrome won't save you if you do not let it update.
2016-02-17 on DE/US/FR traffic

This is not something I can reproduce.

This is what I get with Chrome 46.0.2490.71 and its built-in Flash 19.0.0.207 (which should quickly update itself to the latest version)

Files : Fiddler here (password: malware)

Magnitude:
2016-02-18
CVE ID confirmed by Anton Ivanov (Kaspersky)
Magnitude dropping Cryptowall via CVE-2015-8651
2016-02-18
Files : Fiddler here (Password is malware)

RIG :
Some days before 2016-04-06
Thanks FireEye for CVE identification.
CVE-2015-8651 successfully exploited by RIG on 2016-04-07
Sample in that pass: 4888cc96a390e2970015c9c1d0206011a6fd8e452063863e5e054b3776deae02
(Out of topic payload: 30cb7ed7a67eb08fa2845990b7270d64d51e769d6e0dad4f9c2b8e7551bced0a - probably Godzilla downloader)
Files : RIG_2016-04-07 (swf, payload and Fiddler - password is malware)

Read More:
(Google Translate, via @eromang) Offshore "Dark Hotel" organization of domestic business executives launched APT attacks - 2015-12-31 - ThreatBook

Post publication reading :
An Analysis on the Principle of CVE-2015-8651 - Antiy Labs - 2016-01-26

For the bored: Infosec Noir

Instead of doing productive things I’ve found a new outlet for self-entertainment, and I seem to be amusing a few others, too.

My newish Twitter account is @InfosecNoir, it is:

“The adventures of Jimmy Black. He decrements the TTLs of cybercriminals so you don't have to.

He has a drinking problem, but only when his glass is empty.”

It is pretty low volume, and is meant to entertain me. If it entertains you, too, then maybe follow, or just check in occasionally.

Important note: While some of it is autobiographical, and some is “based on true stories”, much is pure fiction. I’ll admit the first tweet is autobiographical; after that, your guess is as good as mine. And for the pedantic, it was Atorvastatin, not Lipitor™. Yay generics.


Jack

Israel Postpones Possibility of Any U.S.-EU Safe Harbor Enforcement

On January 21, 2016, the Israeli Law, Information and Technology Authority (“ILITA”) announced that it would postpone for the time being any review or enforcement actions on data transfers from Israel to the United States that are based on the U.S.-EU Safe Harbor framework.

This contradicts an earlier statement by ILITA in October 2015 that it would not permit such data transfers following the Schrems decision by the Court of Justice of the European Union that declared the Safe Harbor framework invalid.

Israel’s privacy regulations permit the transfer of personal data outside of Israel under certain circumstances, including transfers made “to a country to which the European Union permits transfers.” Because of this, Israel relied on the Safe Harbor framework as a legal basis that enabled data transfers from Israel to the U.S. The Article 29 Working Party and others have urged regulators to adopt a new legal framework by January 31, 2016, to permit the transfer of personal data from the EU to the U.S. that complies with the requirements of the Schrems decision. It is not clear whether the impending deadline will be reached, so ILITA has decided that the best course of action will be to postpone any potential Safe Harbor-related enforcement until there is more clarity on this issue.

Cybercitizens, stay away from commenting or liking posts with terror ideologies

Of current global concern is the ease with which terror organizations are able to use social media to spread their ideology and coerce young people living in developed countries to leave everything and fight wars in hostile lands. Their success stems from their ability to spin-doctor content and communicate in a way that is alluring to young people. The outcome is brainwashed young people who willingly give up their lives, blowing themselves up in crowded areas and killing innocent people.

As the death toll mounts, so does the pressure on the social media companies and online platforms which have given a voice to these terror organizations. I do not think that it is difficult to draw a line between free speech and hateful ideology, but every action to sanitize platforms with millions of uploads every minute is bound to cost. These platforms got away through regulations that did not make them liable for content, only obliged to remove it. This they made harder to do, as they decided to only remove content that violates something obvious, like pornography, while other, more specific categories such as defamation, sullying of reputation and hate speech were subject to a court order.

Individuals suffered because they had little recourse in erasing sullied reputations online, and many countries with different cultural ideologies had to impose great Internet walls to block content that affected their beliefs.

While it remained a matter of individuals and their sufferings, it scarcely mattered to the social media companies, but now that lives are being lost and it is a matter of huge public interest, they are under tremendous pressure to get their act right and reduce the ability of these groups to use their platforms, while still maintaining the privacy of individual users.

I was surprised to see a Davos news headline stating that Facebook's Sheryl Sandberg, in saying that 'likes' can help stop Isis recruiters, was recommending that cybercitizens spread positive messages (counter-propaganda) in reply to terror communication, thus drowning out the hate chorus. Will that work, or is it an attempt by social networking companies to resist change? Should not counter-propaganda of any sort be organized?

Liking or commenting on such sites brings you into the eye of law enforcement, may sully your reputation and could also make you a target. Rather than people, a bot could do the same work, if the method is effective.

Instead, social media companies should devise technical means to identify and remove harmful content, sites, messages and any other form of social communication. Identifying patterns of indoctrination through algorithms may not be a very difficult task, as the initial indoctrination, I would expect, is in plain speech.

Senate Vote on Judicial Redress Act Delayed

On January 21, 2016, a Senate Judiciary Committee vote on the Judicial Redress Act, which would give EU citizens the right to sue over certain data privacy issues in the U.S., was reportedly postponed. As reported by Forbes, the vote may have been delayed due to amendments to the fifth paragraph of the bill, which deals with litigation pursuant to the act. The vote was initially scheduled for today.

The delay could have a negative impact on the post-Safe Harbor negotiations on trans-Atlantic data transfers from the EU to the U.S., because strengthened privacy rights for EU citizens are an important component to any new Safe Harbor framework between the EU and U.S. European Data Protection Authorities gave the relevant EU and U.S. government negotiators until January 31, 2016, to reach a new agreement for transferring personal data. Failure to reach an agreement could pose issues for companies that previously relied on Safe Harbor to legitimatize their trans-Atlantic data flows.

Open Live Writer

Oh, hey, bloggy thing. I know I should blog more, both here and over on my travel drinking blog, but you know…

One very nice recent development is that a team at Microsoft has created an open source fork of Windows Live Writer. WLW used to be a really sweet, lightweight WYSIWYG blog tool for Windows; then it got Microsofted and bloaty, then abandoned. Open Live Writer brings it back from the dead, updates authentication to work with modern platforms, and pulls out a lot of cruft.

It is still early in development, but so far it is working well for me and I do not miss any of the “missing” features. I’m enjoying the speed and functionality of Open Live Writer, and I’m grateful that some folks at Microsoft have revived this great little tool. If you are a blogger and Windows user, check it out.


Jack

Introducing the PIVOT Project

OK kids, this is cool. Know a hacker or computer club or school that could use some free, community-contributed labs?

From the website (pivotproject.org):

“People who earn great jobs in cyber security have mastered both academics and hands-on skills.  But where can people with a wide variety of skill levels get hands-on practice with real-world cyber security problems?  On January 12, the PIVOT project goes live to help meet that need. PIVOT makes it possible for students and others, all over the world, to build their hands-on skills in a fun, challenging, real-world cyber environment.  PIVOT provides exciting hands-on labs and challenges for student groups and associated faculty, completely free.  Through a variety of engaging downloadable materials, participants build their hands-on skills to help them pivot from academic studies to their future cyber security careers.”

To kick things off there’s a contest to get things moving and gather feedback:

“We’re launching PIVOT with a special contest and over a dozen prizes so you can help make PIVOT even better.  Prizes include gift cards, club pizza feasts, t-shirts, and more!

To participate in the contest and help us make PIVOT even better, all you need to do is have your group work through your choice of at least two of our current labs, and then have a student leader or faculty member fill out our contest form by February 15, 2016.  The contest form gathers information about your experiences with the labs and recommendations for additional PIVOT challenges.  From all submitted entries, we’ll select the top 5 with the most useful input to receive our grand prizes.  Then, from all submitted entries, we’ll select another 10 at random to receive a prize.”

Please check out the PIVOT Project and spread the word. It is off to a great start, but now we need to build the community.


Jack

Taiwan Amends Personal Data Protection Law

On December 30, 2015, Taiwan’s Office of the President issued an order to promulgate certain amendments (the “Amendments”) to Taiwan’s Personal Data Protection Law (the “PDPL”). The Amendments revise 12 articles in the PDPL. The Amendments concern the collection and use of sensitive personal data, the form of consent for the collection and use of non-sensitive personal data, and the imposition of criminal liability for violations of certain provisions of the PDPL. The Amendments are expected to become effective in the first half of 2016 on a date to be determined by the Executive Yuan.

With respect to non-sensitive data, the Amendments remove the requirement that government agencies or private sector entities obtain written consent to collect, process or use non-sensitive personal data. In addition, the Amendments require that “special personal data” be collected, processed or used with the written consent of the data subject. Special personal data is equivalent to sensitive personal data and includes medical records, information on medical treatment, genetic information, sexual background, health examination information and criminal records. These changes align the consent requirements under the PDPL with practices in many other jurisdictions, including Hong Kong. In cases where special personal data has to be collected, processed or used to fulfill a legal obligation of a government agency or private sector entity, proper security measures must be taken before or after such collection, processing or use.

Violations of certain important provisions of the PDPL will be subject to a fixed term of imprisonment of up to 5 years and a fine of up to NT$1,000,000 (approximately $30,000 USD). These criminal penalties will apply only where the violation occurred with the intention to secure illegal interests for oneself or a third party, or to infringe upon the interests of others. Negligent violations of such provisions will not be subject to criminal liability.

Centre for Information Policy Leadership to Co-Host APEC Privacy Workshop in Lima, Peru

On February 22, 2016, the Centre for Information Policy Leadership (“CIPL”), together with TRUSTe, the Information Accountability Foundation and Information Integrity Solutions, will co-host a workshop on Building a Dependable Framework for Privacy, Innovation and Cross-Border Data Flows in the Asia-Pacific Region in Lima, Peru. The workshop will be held in the margins of the upcoming meetings of the APEC Electronic Commerce Steering Group and its Data Privacy Subgroup in Lima from February 23-27, 2016.

The workshop will begin with an introductory tutorial on the APEC Cross-Border Privacy Rules (“CBPR”) and APEC Privacy Recognition for Processors (“PRP”), followed by panels on accountability-based information management programs, key issues in the ongoing implementation of the CBPR/PRP system across the APEC region, current work on creating interoperable systems for cross-border data flows between APEC and the EU, and the applicability of the APEC Privacy Framework in the context of big data and other modern information uses.

The APEC CBPR are a privacy code of conduct for information controllers developed by the 21 APEC member economies for cross-border data flows in the Asia-Pacific region. The APEC PRP is a corollary system for information processors. The workshop is designed for those interested in the APEC CBPR/PRP, as well as for general privacy and information economy stakeholders, including companies of all sizes that might seek CBPR/PRP certification, organizations that might serve as third party certification organizations, privacy enforcement authorities in the Asia-Pacific region and APEC member economies that are currently in the process of (or considering) joining the CBPR system.

The workshop will be accessible to both APEC delegates and non-APEC delegates.

For inquiries or to register for this workshop, please contact Markus Heyder at mheyder@hunton.com by February 12, 2016.

European Court of Human Rights Issues Decision on Monitoring Employee Use of the Internet

On January 12, 2016, the European Court of Human Rights (“the Court”) ruled in Bărbulescu v. Romania that companies can monitor their employees’ online communications in certain circumstances.

The case concerned the dismissal of a Romanian engineer, Bărbulescu, by his employer, for the use of the company’s Internet and in particular, Yahoo Messenger, for personal purposes during work hours. The employer alleged that Bărbulescu was violating internal regulations that prohibit the use of the company’s equipment for personal purposes.

The employee argued that his employer violated his right to respect for private life, home and correspondence, as provided for in Article 8 of the European Convention of Human Rights (the “ECHR”) and therefore, his dismissal was unlawful.

The Court stated that “it is not unreasonable for an employer to want to verify that the employees are completing their professional tasks during working hours,” and that Bărbulescu’s employer accessed its employee’s account on the belief that it contained client-related communications. In addition, the Court found that the employer’s monitoring was proportionate and within the scope of the company’s internal regulations, as the employer accessed only Bărbulescu’s Yahoo Messenger account and no other documents on the employee’s computer. Accordingly, the Court held that the employer’s monitoring did not violate Article 8 of the ECHR.

Read the Court’s press release.

Read the full text of the Court’s judgment.

FTC Settles with Dental Practice Software Provider over Charges of Misleading Consumers with Respect to Data Encryption

On January 5, 2016, the Federal Trade Commission announced that dental office management software provider, Henry Schein Practice Solutions, Inc. (“Schein”), agreed to settle FTC charges that accused the company of falsely advertising the level of encryption it used to protect patient data. The proposed Agreement Containing Consent Order (“Consent Order”) stems from an FTC complaint that alleged the company engaged in unfair or deceptive acts or practices by falsely representing that the Dentrix G5 software used industry-standard encryption and helped dentists protect patient data in accordance with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).

Dentrix G5 is a type of software that enables dentists to perform office tasks such as entering patient data and sending appointment reminders. The FTC asserted that, in 2012, the Dentrix G5 software incorporated a third party database engine that included a form of data protection that Schein advertised as “encryption.” According to the complaint, as early as November 2010, the database engine vendor notified Schein that the form of data protection used in Dentrix G5 was a “proprietary algorithm that had not been tested publicly, and was less secure and more vulnerable than widely-used, industry-standard encryption algorithms, such as Advanced Encryption Standard (“AES”) encryption.”

The FTC alleged that Schein was aware that the Department of Health and Human Services (“HHS”) directs health care providers (including most dentists) to protect patient data in accordance with guidance promulgated by the National Institute of Standards and Technology (“NIST”), which recommends AES encryption. Similarly, HHS’ Breach Notification Rule requires covered entities responding to a data breach to consider whether the compromised data was encrypted in accordance with NIST Special Publication 800-111.

According to the complaint, the United States Computer Emergency Readiness Team issued a vulnerability note in June 2013 indicating that the form of data protection used in Dentrix G5 software was a “weak obfuscation algorithm.” In response, the database engine vendor agreed to rebrand the data protection method as “Data Camouflage” instead of “encryption.” Nevertheless, despite the alert and rebranding, Schein continued to distribute marketing materials stating that Dentrix G5 “encrypts” patient data and offers “encryption.”

The proposed Consent Order will prohibit Schein from misrepresenting whether, and to what extent, the product or service offers industry-standard encryption, helps customers meet regulatory obligations, or maintains the privacy, security, confidentiality and integrity of personal information. The Consent Order will require Schein to notify affected customers that Dentrix G5 uses a less complex encryption algorithm than AES, and provide the FTC with ongoing reports on the notification program. In addition, Schein will be required to pay $250,000 to the FTC.

Security Weekly #446 – Interview with Adrien de Beaupre

This week we interview Adrien de Beaupre, a SANS instructor and Internet Storm Center handler. Adrien has been researching the security of HTTP/2 and even does a live demo! We put out a call to action for the security community to become more pro-active in researching this protocol.

In Stories of the Week Paul, Larry, John, Joff and special guest star Adrien talk about Juniper backdoors, the "biggest" security threats for 2016, axing Internet Explorer and Uber fines for data breaches.

China Enacts Administrative Measures for Online Payment Businesses

On December 28, 2015, the People’s Bank of China published Administrative Measures for Online Payment Business of Non-bank Payment Institutions (the “Measures”). The Measures were enacted to provide further details on the regulation of online payment businesses, supplementing the earlier Administrative Measures for the Payment Services of Non-financial Institutions (the “2010 Measures”), published by the People’s Bank of China on June 14, 2010. The 2010 Measures regulated the conduct of all payment services, including both online payment methods and three other types of payment methods, by all types of Non-bank Payment Institutions (“NBPIs”). The newer Measures are more focused and apply only to online payment methods, and only to NBPIs which have already obtained a Payment Business License and are engaged in an online payment business.

The impact of the Measures will reach beyond the payment market itself to promote the development of the e-commerce and Internet finance sectors in China. The Measures will come into effect on July 1, 2016. Consistent with the 2010 Measures, the new Measures require NBPIs to take effective protective measures for the security of their clients’ personal information, and to adopt risk control systems. The Measures further restrict the storage of clients’ sensitive information, such as track information or chip information of their clients’ bank cards, their verification codes or passwords. In principle, NBPIs are not allowed to store the effective term of the bank cards, unless they are stored for special business needs or pursuant to authorization by the clients and the banks opening the bank cards. Further, this information must be encrypted prior to storage.

Under the Measures, NBPIs are required to collect, use, store and transfer clients’ information only to the minimum extent necessary, and to notify clients of the purpose and scope of their use of the information. The Measures restrict NBPIs from providing clients’ information to other institutions or individuals, unless otherwise required by laws and regulations, or unless the provision of each item was confirmed and authorized by the clients.

The Measures also impose responsibilities on the NBPIs to bind the merchants which are counterparties to their online payment services. NBPIs are required to sign agreements with the merchants, prohibiting the merchants from storing sensitive information of their clients, and to adopt supervisory measures, such as periodic checks and technical monitoring, as may be necessary. If the merchants store sensitive information in violation of the agreement, the NBPIs are required to promptly suspend or terminate their provision of online payment services for these merchants, and adopt effective measures to delete the sensitive information and to prevent disclosure of it. The NBPIs also may be liable for losses and liabilities caused by the disclosure of relevant information.

The Measures further require NBPIs to maintain online payment business processing systems that are safe and comply with normative specifications, and related backup systems, within the territory of China. When providing services for domestic transactions, NBPIs are required to complete the transactions using their domestic business processing systems, and to complete the financial settlement within the territory of China.

European Data Protection Supervisor Publishes Priorities for 2016

On January 7, 2016, the European Data Protection Supervisor (the “EDPS”) published his Priorities for 2016. The EDPS Priorities consist of a cover note listing the strategic priorities of the EDPS in 2016 and a color-coded table listing the European Commission’s proposals that require the EDPS’ attention, by level of priority.

In line with the EDPS Strategy 2015-2019 unveiled in March 2015, the EDPS will set his focus on the following areas of strategic importance:

Complete the Data Protection Framework

While an agreement has been reached on the data protection reform “package,” entailing the EU General Data Protection Regulation (the “GDPR”) and the Directive for data protection in the police and justice sectors, the EDPS will continue to support European institutions in their process to create a coherent data protection framework in Europe.

To that end, the EDPS will advise the European Commission in the revision of Regulation 45/2001 on the protection of individuals with regard to the processing of personal data by community institutions and on the free movement of such data, and will ensure that the principles established by the GDPR apply to EU institutions and bodies.

In addition, the EDPS will participate in the review of Directive 2002/58/EC on the processing of personal data and the protection of privacy in the electronic communications sector, also known as the e-Privacy Directive.

Ensure Adequate Protection of Personal Data in International Data Transfers

Following the latest developments that have affected the transfer of personal data from the European Union to the United States, and in particular, the invalidation of the Safe Harbor framework by the Court of Justice of the European Union, the EDPS will focus on the EU-U.S. transatlantic dialogue and the need for a new legal framework for cross-border data flows. To that end, the EDPS will provide comments on the European Commission’s upcoming decision for a new arrangement for the transfer of personal data to the U.S. and on the European Commission’s decision regarding the powers of local data protection authorities with respect to existing adequacy decisions.

Further, the EDPS will also follow closely the negotiations on passenger name records agreements with third countries and the negotiations for a draft agreement between the U.S. government and the European Commission on the protection of personal information relating to the prevention, investigation, detection and prosecution of criminal offenses, known as the Umbrella Agreement.

Protect EU Borders and Enhance Security

In light of the recent terrorist attacks in Europe, the EDPS recalls the importance to find a balance between measures taken in reaction to these attacks and the respect of fundamental rights and liberties.

In this context, the focus will be put on measures to strengthen controls of external borders and in particular, measures that are aimed at (1) upgrading the border control systems for the Schengen Member States, (2) implementing systematic registration and security checks of third-country nationals illegally entering the Schengen area, (3) revising the Schengen Borders Code with respect to systematic controls of EU nationals, and (4) updating the Council Regulation No. 2007/2004 establishing a European Agency for the Management of Operational Cooperation at the External Borders of the Member States of the European Union.

Initiatives Related to the European Commission’s Work Programme for 2016

The EDPS also will focus on several topics that have been identified by the Commission Work Programme as objectives for 2016, including the implementation of the Digital Single Market Strategy and embedding data protection in international agreements such as the Transatlantic Trade and Investment Partnership.

Read the EDPS’s press release.

FTC Releases New Report on Big Data

On January 6, 2015, the Federal Trade Commission released its report on big data entitled Big Data: A Tool for Inclusion or Exclusion? Understanding the Issues. The report is a compilation of a seminar on alternative scoring products, the discussions at a big data public workshop held on September 15, 2014, and other recent research and public commentary on the issue.

The report begins with an overview of the life cycle of big data, from collection to use, and specifically focuses on the benefits and risks of big data analytics at various times through the big data life cycle. The benefits highlighted in the report include increased educational opportunities for disadvantaged students, better access to credit using non-traditional methods, better healthcare in rural and low-income areas and a more diverse workforce.

The risks of big data analytics include inadvertent discrimination based on inaccurate algorithms, exacerbating disparities between high and low income communities, the exposure of sensitive information, an increase in targeted fraud and scams, price discrimination and reductions to the effectiveness of consumer choice.

The majority of the report provides guidance for industry on how to mitigate the risks associated with big data when using big data for business purposes. The report also stressed that companies should understand and comply with existing laws that apply to big data, including the Fair Credit Reporting Act, equal opportunity laws and the FTC Act.

Finally, the report provides specific questions organizations should ask when applying big data analytics:

  • How representative is your data set?
  • Does your data model account for biases?
  • How accurate are your predictions based on big data?
  • Does your reliance on big data cause ethical or fairness concerns?

The report notes that the FTC will continue to monitor the use of big data and bring enforcement actions against companies that violate law when using big data practices.

A different kind of magic

Yesterday the world lost a good man, and the hacker community lost a great friend. David Jones, better known to many as Rance, or @RevRance, ended his battle with cancer early yesterday morning; his suffering is over.


A great photo of Rance by Kevin Riggins

Throughout history we’ve called anything we don’t understand “magic”. Those of us in technical fields often think of Arthur C. Clarke’s third law:

“Any sufficiently advanced technology is indistinguishable from magic”

but many things we don’t understand other than technology have been called magic as well.

Rance had a special magic. We may not have understood how he always seemed to know who needed a kind word, or how he knew exactly what the needed word was, but he did. In the last couple of years it was sometimes hard to understand how he remained so kind, generous, and happy in the face of his cancer battles, but he did, because he was Rance. That is a special kind of magic, and we will miss it dearly.

While we mourn our friend we can remember him best by trying to find a little of that special Rance magic in ourselves and each other.

Jack

Dutch Law Includes General Data Breach Notification Obligation and Larger Fines for Violations of the Data Protection Act

On January 1, 2016, a Dutch law became effective that (1) includes a general obligation for data controllers to notify the Data Protection Authority (“DPA”) of data security breaches, and (2) authorizes the DPA to impose direct fines for violations of the Data Protection Act.

Under the law, data controllers are required to immediately notify the DPA of any data security breaches that have, or are likely to have, serious adverse consequences to the protection of personal data. In addition, data controllers are required to notify affected individuals if there is reason to believe the breach could lead to adverse consequences to those individuals, unless the compromised data is encrypted or otherwise unintelligible to third parties. On December 9, 2015, the DPA published practical guidance to help organizations identify cases when data security breaches must be reported to the DPA and data subjects.

The new Dutch law also empowers the DPA to impose fines of up to €820,000 for violations of the Data Protection Act, including failure to report data security breaches. Last October, the DPA published draft guidance that defines the different violations, the categories of sanctions and the level of fines.

Read the Dutch DPA’s press release.

Defense Department Issues Interim Rule Extending Time for Federal Contractors to Comply with Cybersecurity Regulations

On December 30, 2015, the Department of Defense (“DoD”) issued a second interim rule (80 F. R. 81472) that extends the deadline by which federal contractors must implement the new cybersecurity requirements previously issued by the agency. This extension pushes back the compliance deadline to December 31, 2017.

The second interim rule builds upon the first interim rule previously issued by the DoD on August 26, 2015. As we previously reported, the first rule required federal contractors and subcontractors to implement the cybersecurity requirements contained in NIST Special Publication 800-171 entitled Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations. Additionally, contractors were required to report cyber incidents that resulted in an actual or potential effect on a covered contractor information system. The reports were required to be made within 72 hours of discovery of the cyber incident.

Since the issuance of the first interim rule, industry representatives have voiced concerns about the scope of the rule, training required to comply with it and numerous other issues. As a result of those concerns, the DoD held a public meeting on December 14, 2015. Based on input received at that meeting, the DoD issued the second interim rule delaying the effective date for contractors to comply with NIST SP 800-171.

The second interim rule also amends DFAR Section 252.204-7012 (b)(1)(ii)(A) by requiring contractors to notify the DoD within 30 days after contract award of “any security requirements specified by NIST SP 800-171 not implemented at the time of contract award; or alternate but equally effective security measures…accepted in writing by an authorized representative of the DoD CIO.” If this amendment carries over into the final rule, contractors will be required to explain how they do not comply with the NIST requirements.

Comments on the second interim rule must be submitted in writing on or before February 29, 2016.

Anti-Terrorism Law Enacted in China

On December 27, 2015, the Standing Committee of the National People’s Congress of the People’s Republic of China published the P.R.C. Anti-Terrorism Law. The law was enacted in response to a perceived growing threat from extremists and terrorists, particularly in regions in Western China, and came into effect on January 1, 2016.

As its name suggests, the main goal of the law is to strengthen national security and to prevent terrorism. The law defines terrorism and declares it to be illegal, authorizing both civil and criminal sanctions. The law also takes certain actions that promote its objectives, such as (1) allowing for the designation of certain organizations as terrorist organizations, (2) establishing institutions such as a counter-terrorism intelligence agency and counter-terrorism units of the armed police forces and of the People’s Liberation Army to allow for the requisition of property in urgent circumstances, (3) mandating a system for incident response planning and (4) providing for international cooperation. It also empowers public security agencies to take actions such as launching investigations and even using weaponry in emergency or dangerous circumstances.

Certain provisions in the law require telecommunications system operators and Internet service providers to provide technical support and assistance, such as access to their technical interfaces and assistance with decryption, to public security and state security authorities which may be conducting investigations of terrorist activities or taking action to prevent them. The law also requires telecommunications system operators and Internet service providers to adopt network security systems and information content monitoring systems to prevent the dissemination of information containing terrorist or extremist content over their systems. If they discover information with terrorist or extremist content being disseminated over their systems, they must halt the dissemination, close the relevant websites, keep records of the incident and make a report to the relevant public security organizations. A fine of more than RMB ¥500,000 may be imposed on telecommunications system operators and Internet service providers who fail to provide technical interfaces, decryption and other technical support or assistance to competent government agencies, and the person in charge may be subject to a fine of up to RMB ¥500,000 and possibly detention of up to 15 days.

The Anti-Terrorism Law permits the People’s Liberation Army to get involved in anti-terrorism operations overseas. It also restricts the right of media of various types to report the details of terrorist attacks. For instance, social media cannot report on details of terror activities that might inspire copycat attacks, and cruel and inhuman scenes cannot be depicted in their reports.

The Anti-Terrorism Law contains several provisions that are significant in the context of personal information protection. For instance, the law requires railway, road, water and air transport operators and postal offices, couriers or other logistics operators to conduct an examination of the identities of their clients, and to perform security checks and visual checks on the articles they transport and deliver. An operator listed above that fails to comply with the foregoing obligations may face a fine of up to RMB ¥500,000 (approximately $76,250 USD at current exchange rates), and the person in charge may face a fine of up to RMB ¥100,000.

Service providers in certain industry sectors, such as the telecommunications, Internet, finance, hotel, long-distance passenger transportation and automobile leasing sectors, are required to conduct an examination of the identities of their clients as well. Service providers which fail to examine their clients’ identities, or provide services to those who refuse to make this examination, may be subject to fines of more than RMB ¥500,000. The person in charge may face a fine of up to RMB ¥500,000.

The law permits the collection of financial personal information, including information that would be considered sensitive personal information in other jurisdictions, for purposes of investigating suspected terrorist activities. For instance, during such investigations public security organizations have the authority to investigate the financial information of suspects, such as information relating to their bank deposits and stock and bond holdings. Also during an investigation, public security organizations are given the authority to collect information about suspects including their portrait, fingerprints, iris images and biological samples such as blood samples. In addition, government authorities and other entities or individuals that may be involved are required to keep in confidence any state secret, trade secret or private personal information which may be obtained during the performance of their anti-terrorism investigations.

The Anti-Terrorism Law defines circumstances in which state security organizations have authority to collect personal information. In such circumstances, when there is a conflict with other data privacy regulations that may otherwise prohibit collection, the Anti-Terrorism Law presumably would control. The Anti-Terrorism Law represents a further step in the sector-by-sector development of China’s data privacy framework.

FTC Issues Guidance on Native Advertising: Businesses Must Consider the Likelihood of Consumer Confusion

Late last year the Federal Trade Commission issued enforcement guidance on “native advertising” — ads that purposely are formatted to appear as noncommercial and are integrated into surrounding editorial content. The agency’s guidance took two parts: an Enforcement Policy Statement on deceptively formatted ads, and a Guide for Business on native advertising. These long-awaited guidance documents follow on the FTC’s December 2013 “Blurred Lines” workshop on native advertising. Importantly, the FTC notes that its policy statement does not apply just to advertisers but also to other parties that help create the content: ad agencies, ad networks and potentially, publishers.

Native advertising is not a new concept — in the past, advertisers formatted direct mail pieces to appear as book reviews, or presented infomercials as feature TV programming. The advent of digital ads, however, has changed advertisers’ ability to more seamlessly integrate sponsored content into surrounding editorial content and consumers’ ability to share such ads. The FTC also mentions that digital advertising gives companies the ability to target natively formatted ads to individual consumers based on their known preferences.

The FTC’s Enforcement Policy Statement asserts that advertising and promotional messages that are not identifiable as ads are deceptive, and therefore violate the FTC Act, if they mislead consumers into believing the ads are independent, impartial or are not issued by the sponsoring advertiser. According to the FTC, the source and format of an ad, and not just its content, is important because: (1) knowing the source typically affects the weight and credibility consumers give an ad and (2) influences whether consumers will choose to interact with the ad.

The FTC indicates that its deception analysis will turn on whether reasonable consumers would recognize a particular ad as an ad; not all natively formatted ads will trigger agency inquiry. The following Do’s and Don’ts are distilled from the agency’s Guide for Business:

Do:

  • Be transparent. Native articles should not imply that they are anything but ads. The more a native ad is similar in format and topic to surrounding content, the more likely the advertiser will need to include a disclosure to prevent deception.
  • Make clear and prominent disclosures. Use terms such as “Ad,” “Advertisement,” “Paid Advertisement” or “Sponsored Advertising Content.”
  • Advertisers must ensure that their native ads are identified as ads before a consumer clicks through and arrives at the main advertising page (no deceptive “door openers”). But don’t make your disclosures too early, or consumers might miss them.
  • Disclosures should be near, above and to the left of a story headline.
  • Disclosures should remain when native ads are republished by others.

Don’t:

  • Assume that because a natively formatted article does not depict or mention your product it is not an advertisement. The FTC’s guidance includes several such examples of native articles that it considers to be ads.
  • Rely on terms such as “Promoted,” “Promoted Stories,” “More Content for You” or “From Around the Web.”
  • Be careful using terms such as “Brought to you by,” “Presented by,” “Sponsored by” or “Promoted by.” Consumers might misinterpret these to mean that the advertiser has funded or underwritten the ad but did not create or influence its content.

Kali NetHunter 3.0 Released

NetHunter has been actively developed for over a year now, and has undergone nothing short of a complete transformation since its last release. We've taken our time with v3.0, and the results are a complete overhaul of the NetHunter Android application, with a more polished interface and a fully functioning feature set.

Through the amazing NetHunter community work led by binkybear, fattire, and jmingov, we can now proudly look at NetHunter and confidently consider it to be a stable, commercial-grade mobile penetration testing platform. And so, we are really excited with today's release of NetHunter 3.0 - let the games begin!

Pew Research Center Issues Report on Attitudes Toward Sharing Personal Information with Private Sector

On December 30, 2015, the Pew Research Center released a report on the results of a recent survey that asked 461 Americans about their feelings toward sharing personal information with companies. The survey found that a “significant minority” of American adults have felt “confused over information provided in company privacy policies, discouraged by the amount of effort needed to understand the implications of sharing their data, and impatient because they wanted to learn more about the information-sharing process but felt they needed to make a decision right away.” When deciding whether or not to share personal information with companies, 50% of the respondents reported they felt confident that they understood what would be done with their personal information, while 47% said they were not confident they understood the repercussions.

The report also highlighted the following findings from the survey:

  • Men and women were equally likely to have experienced negative emotions around sharing their personal information.
  • Respondents who are better-off and less well-off financially were equally likely to have experienced negative emotions around sharing their personal information.
  • Respondents under age 50 were somewhat more likely than those over age 50 to say they have recently been impatient about providing personal information to a company.

The report follows on the heels of a November 2014 Pew Research Center poll which found that 91% of adults “agreed” or “strongly agreed” that they had lost control over how personal information was collected and used by companies.

What it means to be an OSCP

When a student earns an Offensive Security certification such as the OSCP, it is a testament to the personal investment they have made as part of a commitment to excellence. Like getting a degree from a university, no matter what happens in your life from that point forward, the fact is you earned that certification and it is yours to keep. That said, there are some hard truths behind the path to OSCP.