Monthly Archives: March 2016

NERC Report Highlights Lessons Learned from Ukraine Electric Utility Cyber Attack

On March 18, 2016, a report was released by a joint team from the North American Electric Reliability Corporation’s Electricity Information Sharing Analysis Center and SANS Industrial Control Systems. According to the report, the cyber attack against a Ukrainian electric utility in December 2015 that caused 225,000 customers to lose power for several hours was based on months of undetected reconnaissance that gave the attackers a sophisticated understanding of the utility’s supervisory control and data acquisition networks.

The report states that the attackers initiated their reconnaissance of the utility’s systems approximately six months before carrying out a coordinated series of attacks within 30 minutes of one another on December 23, 2015. Power was restored after several hours, but grid operators were forced to switch to manual mode to do so and remained operationally constrained for a substantial period of time after the attack.

The attack featured a wide range of sophisticated tactics, including spear phishing emails, variants of BlackEnergy3 malware, manipulation of Microsoft Office documents infected with malware, harvesting credentials and other information to gain access to the Internet Connection Sharing (“ICS”) network, operating ICSs through supervisory control systems, targeting field devices at substations, writing custom malicious firmware to render devices such as serial-to-ethernet convertors inoperable, and using telephone systems to generate thousands of calls to the company’s call center to deny access to customers reporting outages.

But the report found the level and extent of undetected reconnaissance to distinguish the attack: “[T]he strongest capability of the attackers was not in their choice of tools or in their expertise, but in their capability to perform long-term reconnaissance operations required to learn the environment and execute a highly synchronized, multistage, multisite attack.” The report warned that such prolonged, undetected access can enable attackers to tailor attacks to individual systems’ weak points.

The attack was the first publicly acknowledged attack against an electric utility to result in power outages and, the report suggests, involved nothing that would prevent it from being replicated or adapted to critical infrastructure systems anywhere in the world. In response, the report showcased the ICS cyber kill chain mapping tool to help utilities understand how attackers formulate plans and target vulnerabilities, highlighting the value of basic cybersecurity practices.

“The mitigation recommended here is to understand where this type of information exists inside your business network and ICSs,” the report said. “Minimizing where the information resides and controlling access is a priority for an ICS dependent organization.…It is extremely important to note that neither BlackEnergy3, unreported backdoors, KillDisk, nor the malicious firmware uploads alone were responsible for the outage.…Each was simply a component of the cyber attack for the purposes of access and delay of restoration.…The actual cause of the outage was the manipulation of the ICS itself and the loss of control due to direct interactive operations by the adversary.”

Additional mitigation measures and recommendations are discussed in the report.

Hunton & Williams Receives Global Band 1 Ranking for Data Protection by Chambers

Chambers & Partners ranked Hunton & Williams LLP’s Global Privacy and Cybersecurity practice in Band 1 in the recently released 2016 Global guide. The firm has been recognized by Chambers Global as a Band 1 firm, global-wide, for data protection for the past nine years. As noted by Chambers Global, the team is a “[t]op-ranked firm with notable strength negotiating with regulators and advising on compliance programmes.”

Chambers also recognized the firm’s strengths, saying that the lawyers “are [authorities] in data protection and security. They are very practical and their global network makes it very efficient.” In addition, Hunton & Williams was recognized as a Band 1 firm, Europe-wide, for data protection.

Hunton & Williams’ award-winning global privacy and cybersecurity practice focuses on all aspects of privacy, data protection, cybersecurity, information governance and e-commerce issues for multinational companies across a broad range of industry sectors. The practice has extensive experience organizing, managing and coordinating compliance projects with both national and international dimensions. Together with the firm’s Centre for Information Policy Leadership, lawyers in the practice develop innovative, pragmatic approaches to privacy and data security policy that take into account business imperatives and address the concerns of individuals regarding the protection of their information.

Draft E-Commerce Standards Published for Comment in China

On March 22, 2016, the Ministry of Commerce of the People’s Republic of China published drafts of its proposed (1) Specifications for Business Services in Mobile E-commerce (“Mobile E-commerce Specifications”) and (2) Specifications for Business Services in Cross-border E-commerce (“Cross-border E-commerce Specifications”). A public comment period on these drafts is now open. Comments will be accepted until May 31, 2016.

The Mobile E-commerce Specifications contain several provisions that require service providers in the e-commerce sector to take measures to ensure the security of operational data and service platforms. According to the Mobile E-commerce Specifications, “service providers in the electronic commerce sector” refers to platform service providers who provide e-commerce transaction platforms that are accessed over mobile devices. The Mobile E-commerce Specifications apply whenever these platforms are accessed or used by online sellers, logistics services providers, payment service providers and purchasers via mobile devices.

Under the draft specifications, platform service providers would be responsible for the handling of transaction information and relevant personal information from online sellers. The authorization of the data subject would be required before collecting and processing personal information. The collection of transaction information would have to be authorized by the parties to the transaction.

In addition, personal and transaction information may not be directly used for commercial purposes unless it has been desensitized. Platform service providers could, with the consent of an online seller, transfer, copy, transmit or process desensitized data from the online seller. Personal information would have to be encrypted before being transferred online. Also, a record must be maintained of any disclosures of personal and transaction data to administrative authorities, enforcement authorities or the judiciary.

Platform service providers also would be responsible for the management of the platform’s data security. Personal data from online sellers should be isolated on the platform, and only the data owner should have access to the data. Modifications to original data stored on the platform should be authorized only by the data subject. Platform service providers would be responsible for protecting personal data from online sellers from loss.

The Cross-border E-commerce Specifications would impose similar requirements and obligations in a separate, but closely related, category and would apply the same obligations under the Mobile E-commerce Specifications to e-commerce service providers who provide e-commerce transaction platforms for the purchase and sale of cross-border goods. The Cross-border E-commerce Specifications apply whenever these platforms are accessed or used by online sellers, logistics providers, payment service providers and purchasers of cross-border goods.

CIPL’s Bojana Bellamy Testifies on the EU-U.S. Privacy Shield to EU Parliament

On March 17, 2016, Bojana Bellamy, President of the Centre for Information Policy Leadership (“CIPL”), participated on a panel of experts at a hearing in front of the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (“LIBE Committee”) about the new EU-U.S. Privacy Shield for commercial transfers of EU personal data to the U.S.

The Privacy Shield as an Effective Cross-Border Privacy Mechanism

Speaking as “a privacy professional” from the “trenches of corporate data privacy compliance,” Bellamy supported the Privacy Shield, arguing that it is an essential data transfer mechanism that will substantially strengthen data privacy in transatlantic data transfers and deliver effective protections to individuals. According to Bellamy, both European and U.S. companies need a wide spectrum of data transfer mechanisms, including the Privacy Shield, to reflect the diversity of today’s global data flows, companies and their transfer needs.

In discussing the specific commercial privacy enhancements of the Privacy Shield over Safe Harbor, Bellamy pointed out that Privacy Shield certification requires companies to step up their privacy practices, oversight and compliance. Companies will need to implement a comprehensive privacy program within their organizations and remain accountable at all times. This, according to Bellamy, is a significant improvement and guarantor of effective privacy protection and compliance.

She also noted the new oversight, enforcement and redress mechanisms, as well as the mechanisms for ongoing review and updating of the Privacy Shield. Together, these elements make the Privacy Shield, both “on the books and on the ground,” a significantly more robust program than Safe Harbor, and one that meets the requirements of the Court of Justice of the European Union (“CJEU”).

In answer to those who claim the Privacy Shield is an unsatisfactory response to the CJEU decision, Bellamy called for pragmatism and argued that even if that were the case, the Privacy Shield includes a process for ongoing review and modification designed for further improving and perfecting the mechanism.

Bellamy also indicated that the Privacy Shield must not be viewed by itself, as it builds upon strong protections in the new EU General Data Protection Regulation (“GDPR”). For example, under the extraterritorial jurisdiction provision of the GDPR, U.S.-based companies must already comply with the European legal requirements if they monitor or target European citizens for products or services, regardless of Privacy Shield participation. Thus, the Privacy Shield, to a large extent, simply improves enforceability of these requirements, according to Bellamy.

The Privacy Shield as an Enabler of the Modern Digital Economy

Bellamy also placed the Privacy Shield into the context of the modern data economy generally, and the goals of the European Digital Single Market specifically.

She discussed the Privacy Shield’s role as an enabler for European business to be more efficient, productive and connected. It is in the interest of the European Digital Single Market objectives that Europe benefits from exchanges of data, ideas, innovation, talent and people across the Atlantic.

She also touched on the fact that in the absence of the Privacy Shield, businesses would be forced to rely on limited transfer mechanisms that are less than optimal for many of them, as well as for consumer privacy due to, for example, the challenges associated with executing mechanisms in a timely fashion or for future and ever-changing data transfers. Similarly, she emphasized the need to re-introduce legal certainty for businesses that rely on transatlantic data flows.

To illustrate the value of data flows to the economy, Bellamy cited the March 2016 McKinsey report entitled Global Data Flows – Digital Globalization: The New Era of Global Flows. This report, Bellamy indicated, shows that there has been a dramatic increase in global data flows, resulting in the transmission of information and ideas as well as increased innovation, all of which has impacted economic growth to a degree of magnitude that the report calls “quite striking.”

Quoting from the McKinsey report, Bellamy stressed that “[c]ountries cannot afford to shut themselves off from global flows” because the new opportunities that are associated with the digital economy “will favor locations that build the infrastructure, institutions and business environments that their companies and citizens need to participate fully.” Thus, “creating thoughtful frameworks that allow data to move both securely and freely across their borders” is imperative for reaping the economic benefits of the digital economy. Bellamy emphasized to the LIBE Committee that creating such an environment includes having a robust, reliable and stable legal framework for cross-border data flows and that the Privacy Shield fits the bill as a “thoughtful framework” to enable cross-border data flows.

Thus, according to Bellamy, rejecting the Privacy Shield based on an ill-advised “fortress Europe” mentality would not only be unfavorable for privacy, but would undermine the EU’s ability to successfully participate in what the World Economic Forum calls the “fourth industrial revolution.”

CNIL Launches Work on Compliance Pack Regarding Connected Vehicles

On March 23, 2016, the Chairwoman of the French Data Protection Authority (“CNIL”) opened proceedings that will lead to the release of a compliance pack on connected vehicles.

The CNIL announced that the compliance pack will contain guidelines regarding the responsible use of personal data for the next generation of vehicles. It will help various stakeholders in the industry prepare for the General Data Protection Regulation.

Compliance packs are a new toolkit developed by the CNIL to identify and disseminate best practices in a specific sector while simplifying the formalities to register the data processing for organizations that comply with such practices. Therefore, compliance packs may include practical guidance, compliance tests and decisions issued by the CNIL laying down requirements to benefit from a simplified registration procedure. Compliance packs are drafted after consultation with multiple industry participants. To date, the CNIL has published three compliance packs: one pack for smart meters, one for welfare accommodation and one for the insurance sector. Two new compliance packs are currently being drafted for the banking and social welfare sectors.

Where’s Jack, updated

A few changes and an addition- In the upcoming weeks and months I’ll be speaking at the following events:

InfoSec Southwest, Austin, April 8-10

Sayers’ #Curio Technology Summit, Chicago, April 13

BSides Calgary, April 28-29

ISSA-LA Summit, May 19-20

IT-PRO, Seekonk MA, June 15

ISSA-NE, Waltham MA, July 12

I will not be speaking there, but I will be at the NIST Cyber Security Framework Workshop at NIST in Gaithersburg, MD- if you’re going to be there please say hello if you see me.

And I’m sure I’ll be at a few more.  See you on the road.



CVE-2016-1001 (Flash up to and Exploit Kits

Two weeks after Flash patch,  two months after last Flash exploit integration in Angler, on the 2016-03-25 Angler EK, in some threads, is starting to send an exploit to Flash Player and

I tried multiple configurations but I was not able to get exploited. The following day I got successful infections with Flash and

Angler EK :

The CVE here has been identified as CVE-2016-1001 by Eset and Kaspersky (Thanks)
2016-03-26 - Angler EK successfully exploiting Flash in Internet Explorer 11 on Windows 7

Fiddler sent to VT here.
Hash of the associated SWF fwiw : b609ece7b9f4977bed792421b33b15da

NB : this is just "one" pass.  Angler EK can be used to spread whatever its customers want to spread .
Selected examples I saw in the last 4 days : 
Teslacrypt (ID 20, 40,52, 74 ,47) , 
Locky (affid 14 - 7f2b678398a93cac285312354ce7d2b7  and affid 11 - f417b107339b79a49e4e63e116e84a32), 
GootKit b9bec4a5811c6aff6001efa357f1f99c, 
Vawtrak  0dc4d5370bc4b0c8333b9512d686946c
Ramnit 99f21ba5b02b3085c683ea831d79dc79
Gozi ISFB (DGA nasa) 11d515c2a2135ca00398b88eebbf9299
BandarChor, (several instances, ex f97395004053aa28cadc6d4dc7fc0464 - 3c9b5868b4121a2d48b980a81dda8569 )
Graybird/LatentBot f985b38f5e8bd1dfb3767cfea89ca776
Dridex - b0f34f62f49b9c40e2558c1fa17523b5 (this one was 10 days ago..but worth a mention)
Andromeda (several instances)
and obviously many Bedep threads and their stream of PE (evotob, reactorbot (several instances), Tofsee, Teslacrypt,Kovter, Miuref)

Edit 1: 2016-03-29 - I was mentioning 2016-1010 as a candidate but it's not. Modified with the correct CVE ID provided by Eset and Kaspersky.

Debunking debunking, part 1

Things need to be proven, or disproven. Urban legends need debunking.  But unless you dig into the history and have some context you may be wasting your time.  And if you have the context, you can make your case more convincingly.

Let’s venture into automotive lore for two examples.  First, a simple one- there’s a longstanding belief that you should never place a battery on bare concrete or it will damage the battery, or at least cause it to discharge.  You regularly see shops with batteries on scraps of plywood to this day.  I had this “debunked” at a manufacturer’s tech training many years ago, one of the instructors put a fully charged battery on the bare floor at the beginning of a week of training and it was fully charged at the end of the week.  End of story, right?  Well, not quite. 

First, the school was new and well equipped, it even had infrared heating, so the concrete floors were always warm, as opposed to the cold, damp floors many garages have throughout the winter.  Putting a modern battery on a cold damp floor really won’t hurt the battery- but cold batteries don’t release their power as well as warm ones, so putting a marginal battery on the floor could make it weak enough that it won’t start a car without being charged.

Second, above I said:

“Putting a modern battery on a cold damp floor really won’t hurt the battery”

The word “modern” is key to this legend.  In ye olden days car battery cases were made of “sealed” wood, then of natural rubber- both of which were somewhat porous.  Concrete is very good at wicking moisture, so putting one of these old batteries on concrete could really discharge it and suck water out of the battery.  Knowing this backstory means you can make a more convincing argument when faced with this particular legend.

Later, I’ll dive into one that has been “debunked” on TV and in universities.  By people who apparently don’t get the significance of context.



Security Weekly #457 – Interview with Ferruh Mavituna, CEO of Netsparker

This week on Security Weekly, we talk with Ferruh Mavituna from Netsparker. He explains how he can scan 1,000 websites simultaneously and what he does with the information he collects from the websites. Ferruh gives advice on threat modeling and how to understand the surface. For this week's Tech Segment, Paul talks about scanning websites with Nmap.

HHS Launches Phase 2 of HIPAA Audits

On March 21, 2016, the Department of Health and Human Services’ Office for Civil Rights (“OCR”) announced that it has commenced Phase 2 of the HIPAA Audit Program. Phase 1 of the HIPAA Audit Program ran from 2011-2012 and produced several notable findings, including that two-thirds of covered entities had not performed a risk assessment as required by the HIPAA Security Rule.

Phase 2 will launch with desk audits of covered entities. During these desk audits, covered entities will submit documentation via OCR’s secure online portal. The documentation, which must be submitted within ten days of the initial request, will help OCR auditors examine the entities’ compliance with specific requirements of the HIPAA Privacy, Security or Breach Notification Rules. Following these initial audits, OCR plans to conduct desk audits of business associates. After the desk audits have been completed, some covered entities and business associates may be selected for onsite audits that will be conducted over a three to five day period and will examine a broader scope of HIPAA requirements.

Although the Phase 2 audits are intended to help improve compliance, OCR has indicated that it may initiate compliance reviews if an audit report reveals serious issues. OCR has stated that the desk audits will be completed by the end of December 2016, but has not determined a completion date for the onsite audits since they are contingent upon the results of the desk audits.

View the details of Phase 2 of the HIPAA Audit Program, including a list of frequently asked questions about the program.

UK Government Proposes Elizabeth Denham as New Information Commissioner

On March 22, 2016, the UK government confirmed Elizabeth Denham as its preferred candidate to replace Christopher Graham as Information Commissioner. Subject to a pre-scrutiny hearing by the Culture, Media and Sports Select Committee and final approval from Her Majesty the Queen, Denham would begin her five-year term in mid-2016.

In announcing the selection of Denham as the government’s preferred candidate, Secretary of State for Culture, Media and Sport, John Whittingdale, referred to her track record and proactive approach to enforcing data protection law. Denham has held a number of senior leadership positions in the field of information rights in Canada, and currently serves as the Information and Privacy Commissioner for British Columbia. Her appointment as UK Information Commissioner will coincide with implementation of the General Data Protection Regulation, due to come into force in mid-2018.

HHS Announces Settlements with Health Care System and Medical Research Institute over Potential HIPAA Violations

On March 16, 2016, and March 17, 2016, respectively, the Department of Health and Human Services (“HHS”) announced resolution agreements with North Memorial Health Care of Minnesota (“North Memorial”) and The Feinstein Institute for Medical Research (“Feinstein Institute”) over potential violations of the HIPAA Privacy Rule.

North Memorial

The HHS’s Office for Civil Rights (“OCR”) began an investigation of North Memorial, a non-profit health care system based in Minnesota, after North Memorial filed a breach report indicating that in September 2011, an unencrypted, password-protected laptop computer containing the protected health information (“PHI”) of 9,947 individuals was stolen from a locked vehicle of an employee of its contractor, Accretive Health (“Accretive”). In 2012, Accretive entered into a $2.5 million settlement with the Minnesota Attorney General for violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and its implementing regulations, and various Minnesota debt collection and consumer protection laws.

The resolution agreement requires North Memorial to pay $1.55 million to HHS and institute a corrective action plan to settle charges that it (1) disclosed the PHI of approximately 290,000 individuals to Accretive without entering into a business associate agreement (“BAA”) with Accretive, and (2) failed to conduct an organization-wide risk analysis to address the risks and vulnerabilities to the electronic health information (“ePHI”) it maintained, accessed and transmitted.

As part of its corrective action plan, North Memorial is required to:

  • develop policies and procedures related to business associate relationships, including entering into BAAs with each of its business associates prior to disclosing PHI to them;
  • conduct an organization-wide risk analysis and create a risk management plan with respect to all equipment and systems which contain, store, transmit or receive ePHI;
  • provide training to its employees regarding business associates; and
  • notify HHS of any employee-related violations of its policies and procedures related to business associate relationships.

In announcing the settlement with North Memorial, OCR Director Jocelyn Samuels noted that North Memorial had overlooked “[t]wo major cornerstones of the HIPAA Rules” by failing to enter into compliant BAAs and conduct a risk analysis.

Feinstein Institute

The OCR’s investigation of Feinstein Institute, a biomedical research institute based in New York, began after the institute filed a breach report indicating that in September 2012, an unencrypted, password-protected laptop computer containing the ePHI of approximately 13,000 patients and research participants was stolen from an employee’s car. The ePHI stored on the laptop included the names of research participants, dates of birth, addresses, Social Security numbers, diagnoses, laboratory results, medications and medical information relating to potential participation in a research study.

Among other findings, HHS’s investigation determined that Feinstein Institute:

  • impermissibly disclosed the ePHI of approximately 13,000 individuals;
  • lacked policies and procedures for authorizing access to ePHI by its employees;
  • failed to implement safeguards to restrict access to unauthorized users;
  • lacked policies and procedures to govern the receipt and removal of laptops containing ePHI into and out of its facilities; and
  • failed to encrypt ePHI or implement an equivalent mechanism.

The resolution agreement requires Feinstein Institute to pay $3.9 million to HHS and institute a corrective action plan to settle charges that its security management processes were limited in scope, incomplete and insufficient. As part of its corrective action plan, Feinstein Institute is required to, among other things:

  • conduct an organization-wide risk analysis and create a risk management plan with respect to all equipment and systems which contain, store, transmit or receive ePHI;
  • conduct an annual risk assessment for the next three years and document security measures implemented to reduce the risks and vulnerabilities to ePHI identified in each assessment;
  • annually review and revise its policies and procedures for the next three years to ensure they comply with the HIPAA Privacy Rules;
  • refuse to provide access to ePHI to any employee who has not signed the organization’s HIPAA policies and procedures;
  • notify HHS of any employee-related violations of its HIPAA policies and procedures; and
  • provide training to its employees regarding its HIPAA policies and procedures.

OCR Director Jocelyn Samuels stated that the settlement with Feinstein Institute sends a strong message that “[r]esearch institutions subject to HIPAA must be held to the same compliance standards as all other HIPAA-covered entities.”

What it means to be an OSCP reloaded

In our recent blog post  "What it means to be an OSCP" we asked OSCPs to share their experience of what it means to have earned this certification and we received many tales of hardship and reward. Mike Benich sent in an entry that we felt very much captured the essence of the Offensive Security mentality; that the path to OSCP is challenging, stressful, and demanding, but the results leave you with much more than technological expertise.

Kali Linux 2.1.2 ARM Releases

The time has come for yet another Kali ARM image release with new and updated images. Our collection of supported ARM hardware grows constantly with new images from Raspberry Pi 3, Banana Pi and Odroid-C2, with the latter being our first real arm64 image. We're really excited about our new arm64 build environment and hope to see more 64bit ARM devices running Kali in the future. Feel free to visit our Kali Linux ARM downloads page to get the latest goodness.

EU Council to Adopt Position at First Reading on the EU General Data Protection Regulation

On March 17, 2016, the Council of the European Union (the “Council”) published a Draft Statement (the “Statement”) regarding the Council’s position at first reading with respect to the adoption of the EU General Data Protection Regulation (“GDPR”). The Statement follows a political agreement on the draft GDPR reached by the Council on February 12, 2016.

The Statement provides an analysis of the Council’s first reading of the GDPR, including the Council’s general observations as well as key issues identified by the Council.

The Council’s key issues focus on the following topics:

  • scope of application of the GDPR;
  • principles related to personal data processing;
  • lawfulness of data processing;
  • empowerment of data subjects through reinforced data protection rights and obligations imposed on data controllers;
  • responsibility and liability for any processing of personal data by data controllers or processors;
  • transfer of personal data to third party countries or international organizations;
  • role of supervisory authorities;
  • cooperation and consistency mechanism;
  • remedies, liabilities and penalties; and
  • specific data processing circumstances, such as the processing of personal data in the workplace.

In the Statement, the Council confirms that its position at first reading reflects the compromise reached between the Council and the European Parliament (“Parliament”). Further, the Council invites the Parliament to formally approve the Council’s position, without amendments.

Next Steps

The Council will formally adopt its position during the next Justice and Home Affairs Council meeting on April 21, 2016. Once formally adopted, the Council’s position at first reading will be sent to Parliament. Then, the Parliament’s Civil Liberties Committee will vote on a recommendation on the Council position, as a basis for the Parliament’s second reading, to be voted in plenary session late May or early June.

Once adopted, the GDPR will be submitted for signature by the President and Secretaries-General of Parliament and the Council during the same plenary session. The GDPR will be published in the Official Journal shortly after the signing. Thereafter, the GDPR will enter into force 20 days after its publication in the Official Journal and is expected to be fully applicable two years after its entry into force.

ICO Issues Twelve Step Guidance on Preparing for the EU General Data Protection Regulation

On March 14, 2016, the UK Information Commissioner’s Office (“ICO”) published a guide, Preparing for the General Data Protection Regulation (GDPR) – 12 Steps to Take Now. The guide, which is a high-level checklist with accompanying commentary, sets out a number of points that should inform organizations’ data privacy and governance programs ahead of the anticipated mid-2018 entry into force of the GDPR.

The twelve steps recommended by the ICO are described below.

  • Awareness. Ensure that decision makers and key members of the organization are aware that the law is changing, and that they appropriately anticipate the impact of the GDPR.
  • Information Held. Document what personal data is held, where it came from and with whom it is shared, and consider undertaking an information audit.
  • Communicating Privacy Information. Review current privacy notices and formulate a plan for making any necessary changes before the GDPR takes effect.
  • Individuals’ Rights. Review procedures to ensure organizations address all of the rights that individuals will have under the GDPR.
  • Subject Access Requests. Update procedures, plan how to handle requests within the new time frames and provide the required information.
  • Legal Basis for Processing. Review data processing activities and identify and document the legal basis for each type of data processing activity.
  • Consent. Review how the organization seeks, obtains and records consent, and consider whether any changes are required.
  • Children. Consider implementing new systems to verify individuals’ ages and to gather, where relevant, parental or guardian consent for the data processing activity.
  • Data Breaches. Make sure appropriate procedures are in place to detect, report and investigate data breaches.
  • DP by Design and DPIAs. Become familiar with ICO guidance on Privacy Impact Assessments and determine how and when they should be implemented.
  • DPO. Designate a Data Protection Officer, if required, or someone to take responsibility for data protection compliance. Determine where the role will sit within the organization’s structure and governance arrangements.
  • International. If the organization operates internationally, determine which data protection supervisory authority will be responsible for its regulation.

The ICO notes that organizations that currently comply with existing UK data protection law are likely to be largely compliant with the GDPR, but stresses that a number of the new requirements are more onerous for data controllers. The ICO recommends that organizations map out which parts of the GDPR are likely to have the greatest impact on their business models, and focus on those areas when planning compliance efforts.

Further guidance can be expected from both the ICO and the Article 29 Working Party. In the meantime, the ICO has stressed the importance of planning compliance efforts as early as possible in light of the need for policies and procedures that meet the standards of the GDPR.

Security Weekly #443 – Interview with Micah Zenko, Council on Foreign Relations

Micah Zenko is a senior fellow at the Council on Foreign Relations and author of the new book "Red Team: How to Succeed By Thinking Like the Enemy." We talk to Micah about techniques to prevent domestic terrorism, parallels between physical security and computer security, and red teaming. They also discuss software security, how to create more secure code, legacy code, IoT devices and more!

Follow us on Twitter: @securityweekly

Breaking Down the Malware Behind the Ukraine Power Outage

Security researchers recently discovered that the power outage in Ukraine in December was caused by malware, identified as an evolved version of BlackEnergy. This Trojan, which dates back to 2007, was a popular piece of malware previously sold on Russian underground sites. Its design and architecture have since changed from performing simple HTTP DDoS attacks to a modular design. The latest version of this Trojan is capable of dropping rootkits, operating stealthily and receiving backdoor commands via a CnC server. It is also worth noting that it is highly speculated to be used by a group of attackers opposed to the government of Ukraine. Since Stuxnet, this BlackEnergy cyberattack is another of its kind, as it also managed to sabotage an industrial sector; the group responsible for the power outage was also linked to the Trojan found in the mining and railway sectors of Ukraine.

Industrial systems, typically electrical, power, oil or water, use Industrial Control Systems (ICS) for control, supervision and data collection. Usually, the ICS are on an isolated network and, although still part of the network, have at most limited access to the internet. It is interesting how BlackEnergy managed to get inside these systems. Later in our analysis, we will gain insight into what happened and how the group managed to infiltrate the network, starting from the initial stage of the attack via a phishing email.

This blog will focus on the analysis of BlackEnergy, parts of its core components, as well as how ThreatTrack’s ThreatAnalyzer and ThreatSecure provide us the information needed for data intelligence gathering. We’ll leave the analysis of the plugins that BlackEnergy utilized for another separate blog.

This research also aims to show (1) how to emulate the attack by dissecting each stage of the process and (2) how to use ThreatTrack’s newest line of threat identification products to mitigate and lessen the probability that these types of outbreaks might happen to you or your company. We’ll begin the analysis using the two samples that we have.

Md5: 97b7577d13cf5e3bf39cbe6d3f0a7732

  • Type: XLS (Microsoft Excel file)
  • First seen: 8/16/2015

Md5: e15b36c2e394d599a8ab352159089dd2

  • Type: DOC (Microsoft Document file)
  • First seen: 1/22/2016

BlackEnergy’s method of arrival is a spear-phishing email containing a malicious attachment. We can emulate this by attaching the samples that we have to an email and sending it inside our network. There has been a lot of debate as to how the attachments were executed since, for this version of BlackEnergy, no exploits of Office have been seen. The only thing we know is that somehow a person inside executed the document files, whether through social engineering or as an insider.

Using ThreatTrack’s ThreatSecure Network and ThreatSecure Email, we can see that it was identified as something malicious when entering the network and also via email. The system changes that it will be performing can be seen under behaviors. The IP entry indicates the IP address of a remote server that it is trying to beacon to. Since this sample is already a few months old, and news of this attack has already been widespread, it only makes sense that the server is already down.


Fig 1: TSN catching the XLS attachment


Fig 2: TSN catching the DOC file


Fig 2.1: ThreatSecure Email (TSE)


Fig 2.2: Submit for Remediation

A cool feature of ThreatSecure Network is that, once a threat has been identified, any connection made to the target computer will be monitored and can be seen in the ThreatSecure Network UI as Thressions™. Using these Thressions, users will be alerted that an attack is happening or has happened and, depending on their settings, will be able to block the network session in question. Fig 2.1 and Fig 2.2 above show that the file we are analyzing was caught by ThreatSecure Email and, upon the user’s request, can be submitted for remediation to remove the system changes made by the malware.

It is good practice to get an overview of what the malware does before going deep into the assembly breakdown. There are a couple of ways we can do this. You can use an infected machine and the tools available on the net to see what the malware does upon execution. But this would take time and effort to set up, and there’s a much faster and easier way we can do this: use a sandbox.

ThreatTrack’s dynamic malware analysis sandbox, ThreatAnalyzer, reveals behaviors not normally seen in normal programs.

We started with the DOC file (e15b36c2e394d599a8ab352159089dd2) and the XLS (97b7577d13cf5e3bf39cbe6d3f0a7732), and both showed the same behavior:

  • Dropped the following files
    • %Temp%\vba_macro.exe
    • LNK file (windows shortcut) pointing to the DOC file
    • %Application Data%\FONTCACHE.DAT
    • %User%\NTUSER.LOG
    • %Common Startup%\<adapter name>.LNK file
  • Creates a named pipe
    • Pipe\{AA0EED25-4167-4CBB-BDA8-9A0F5FF93EA8}
  • Executed the following processes, some of them spawned multiple times
    • Vba_macro.exe
    • Cmd.exe
    • Attrib.exe
    • Ping.exe
    • Rundll32.exe %Application Data%\FONTCACHE.DAT, #1
    • %Program Files%\iexplore.exe
  • A screenshot showing what the document looks like when opened (DOC and XLS)
  • Created/Modified the following registry
    • Software\Microsoft\Internet Explorer\Main Check_Associations
    • Software\Microsoft\Internet Explorer\InformationBar FirstTime
    • Software\Microsoft\Internet Explorer\New Windows PopupMgr
    • Software\Microsoft\Internet Explorer\PhishingFilter Enabled
    • Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache Persistent
    • Software\Microsoft\Internet Explorer\TabbedBrowsing WarnOnClose
    • Software\Microsoft\Internet Explorer\TabbedBrowsing WarnOnCloseAdvanced
    • Software\Microsoft\Internet Explorer\Main DisableFirstRunCustomize
    • Software\Microsoft\Internet Explorer\Recovery NoReopenLastSession
    • Software\Microsoft\Internet Explorer\Main NoProtectedModeBanner
    • Software\Microsoft\Internet Explorer\TabbedBrowsing
    • Software\Microsoft\Internet Explorer\Recovery
  • Attempted to connect to a remote server
    • 5.149..254.114
    • Usage of RPCRT4.DLL

Fig 2.3: ThreatAnalyzer showing processes spawned by the DOC file

Looking a bit deeper

Now that we have an overview of what the samples are doing, we’ll do some classic reverse-engineering.

Although the two samples have different hashes and file formats (one is a Word document and the other an Excel sheet), they are, in a basic sense, the same.

Both have a malicious macro script embedded in them, and both try to trick the user into disabling the macro security settings that are enabled by default. A fake Microsoft Office message appears in Russian, stating “This document was created by a newer version of Microsoft office. Macros must be enabled to display the content of the document.”

Depending on the security settings of Microsoft Office (high, medium or low), the image on Fig 4 will be displayed. If a user somehow chose to disable the macro security or is on a low security level, the malicious scripts previously mentioned will be executed immediately.


Fig 3: Security on medium settings

Looking inside the VB macro, the code is fairly straightforward:

  • Declares a series of byte arrays
  • Saves them in a file located in the %TEMP% directory
  • Executes the said file using the Shell function

Fig 4: Byte array declaration (MZ)


Fig 5: Byte array declaration (PE)

Fig 4 shows the values 77, 90 in array a (1). Converted to hex, that is 0x4D, 0x5A (MZ), which is a strong indicator that this sequence of arrays is an executable. This is further verified in Fig 6, where we see 80, 69 that, when converted to hex, results in 0x50, 0x45 (PE).

Automatic execution is achieved by doing the following:

Fig 6: Byte array declaration (PE)

Fig 7. Deobfuscated macro

To put it simply, Fig 7 tells us that it will save the byte array into a file named vba_macro.exe located in %TEMP% directory and execute it using the Shell function.
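The MZ/PE observation above can be turned into a triage check on macro source that has already been extracted from a document. The following is an added example, not code from the original post or from ThreatTrack; the function names, the assumption that arrays appear in the source in concatenation order, and the sample macro text are all constructed for illustration.

```python
import re
import struct

# VBA array literal, e.g.  a(1) = Array(77, 90, 144, 0, ...)
ARRAY_RE = re.compile(r"\bArray\s*\(([^)]*)\)", re.IGNORECASE)
# VBA line continuation: whitespace, underscore, end of line.
CONTINUATION_RE = re.compile(r"[ \t]+_[ \t]*\r?\n")
SHELL_RE = re.compile(r"\bShell\b", re.IGNORECASE)


def extract_byte_arrays(vba_source):
    """Return one bytes object per Array(...) literal made only of integers 0-255."""
    joined = CONTINUATION_RE.sub(" ", vba_source)
    blobs = []
    for match in ARRAY_RE.finditer(joined):
        items = [tok.strip() for tok in match.group(1).split(",") if tok.strip()]
        if items and all(t.isascii() and t.isdigit() and int(t) <= 255 for t in items):
            blobs.append(bytes(int(t) for t in items))
    return blobs


def looks_like_pe(data):
    """True if data starts with 'MZ' and e_lfanew (offset 0x3C) points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def triage_macro(vba_source):
    """Summarize whether the macro carries an embedded executable and runs something."""
    blobs = extract_byte_arrays(vba_source)
    payload = b"".join(blobs)  # assumption: arrays are written out in source order
    embedded_pe = looks_like_pe(payload)
    calls_shell = SHELL_RE.search(vba_source) is not None
    return {
        "arrays": len(blobs),
        "payload_len": len(payload),
        "embedded_pe": embedded_pe,
        "calls_shell": calls_shell,
        "suspicious": embedded_pe and calls_shell,
    }


def decimal_list(chunk):
    return ", ".join(str(b) for b in chunk)


def constructed_sample_macro():
    """Constructed macro text: a 68-byte stub with valid MZ/PE markers, split in two arrays."""
    header = bytearray(0x44)
    header[0:2] = b"MZ"                          # 77, 90
    struct.pack_into("<I", header, 0x3C, 0x40)   # e_lfanew -> 0x40
    header[0x40:0x44] = b"PE\x00\x00"            # 80, 69, 0, 0
    first, second = header[:0x20], header[0x20:]
    return (
        "Private a(1 To 2) As Variant\n"
        "Private Sub Init0()\n"
        "    a(1) = Array(" + decimal_list(first[:16]) + ", _\n"
        "        " + decimal_list(first[16:]) + ")\n"
        "    a(2) = Array(" + decimal_list(second) + ")\n"
        "End Sub\n"
        "Private Sub Document_Open()\n"
        "    ' file-writing code omitted in this constructed sample\n"
        "    Shell fnam, vbHide\n"
        "End Sub\n"
    )


if __name__ == "__main__":
    print(triage_macro(constructed_sample_macro()))
```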


According to the results from ThreatAnalyzer, vba_macro.exe will drop a file named FONTCACHE.DAT and spawn several other processes. Looking inside the vba_macro executable, it appears to be heavily obfuscated at its entry point. It poses as a file with the original name packet.dll and exposes several functions similar to those used by WinPCap. The weird thing is that although the function names are similar to those of a legitimate packet.dll located in the system directory (assuming WinPCap is installed), the assembled code is garbage, except for the first function, which is probably the deobfuscator code.


Fig 8: Note the similarities and the difference between the two.

The primary purpose of this file is to stage the next part of the infection process, which is to execute FONTCACHE.DAT.

Upon execution, this file reconstructs its code in an allocated region of memory and writes part of itself to a separate file, FONTCACHE.DAT, in the Application Data folder. It uses the GetAdaptersInfo API to get the name of the network card in use and uses that as the file name for the .LNK, a Windows shortcut file that executes the program indicated in its path. In this case, the shortcut points to %windir%\System32\rundll32.exe "C:\Documents and Settings\Administrator\Local Settings\Application Data\FONTCACHE.DAT", which ensures that FONTCACHE.DAT is always started at boot.

It deletes the credential named MCSF_Config before executing FONTCACHE.DAT using rundll32 with the argument #1, which tells rundll32 to execute the first ordinal function. This version of BlackEnergy uses the said credential to store its configuration, and in order to ensure that it will have the latest config, it deletes it prior to executing FONTCACHE.DAT.


Fig 9: CredDeleteA and ShellExecute

It then runs the following shell commands:

cmd /s /c "for /L %i in (1,1,100) do (del /F "%TEMP%\vba_macro.exe" & ping localhost -n 2 & if not exist "%Application Data%\FONTCACHE.DAT" Exit 1)

cmd /s /c "for /L %i in (1,1,100) do (attrib +h "%TEMP%\vba_macro.exe" & del /A:h /F "%TEMP%\vba_macro.exe" & ping localhost -n 2 & if not exist "%Application Data%\FONTCACHE.DAT" Exit 1)


FONTCACHE.DAT is executed using rundll32, a way for Windows to run compiled libraries. It is given the argument #1, which means to run the first ordinal in its exported functions.
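The process behavior described so far (an Office application starting an executable from %TEMP%, rundll32 calling an ordinal in a file that is not a library, and the cmd.exe delete-and-ping retry loop) lends itself to detection over process-creation logs. The following is an added example, not part of the original post or of any ThreatTrack product; the event field names, rule names, host names and log records are constructed, and the rules are heuristics that would need tuning in a real environment.

```python
import re
from collections import defaultdict

OFFICE_PARENTS = {"winword.exe", "excel.exe"}
LIBRARY_EXTENSIONS = (".dll", ".cpl", ".ocx")

# rundll32 <target>,#<ordinal>  (target may be quoted and contain spaces)
RUNDLL_ORDINAL_RE = re.compile(
    r'rundll32(?:\.exe)?"?\s+"?(?P<target>[^",]+?)"?\s*,\s*#(?P<ordinal>\d+)',
    re.IGNORECASE,
)
# cmd loop that deletes a file and pings as a delay: for /L ... del ... ping
DELETE_LOOP_RE = re.compile(r"for\s+/l\b.*\bdel\b.*\bping\b", re.IGNORECASE | re.DOTALL)


def basename(path):
    return re.split(r"[\\/]", path.strip('"'))[-1].lower()


def evaluate(event):
    """Return the names of the heuristics that one process-creation event matches."""
    hits = []
    image = event["image"].lower()
    cmdline = event["command_line"]
    if (basename(event["parent_image"]) in OFFICE_PARENTS
            and "\\temp\\" in image and image.endswith(".exe")):
        hits.append("office_spawns_temp_exe")
    if basename(image) == "rundll32.exe":
        match = RUNDLL_ORDINAL_RE.search(cmdline)
        if match and not match.group("target").strip().lower().endswith(LIBRARY_EXTENSIONS):
            hits.append("rundll32_ordinal_on_non_library")
    if basename(image) == "cmd.exe" and DELETE_LOOP_RE.search(cmdline):
        hits.append("cmd_delete_retry_loop")
    return hits


def correlate(events, threshold=2):
    """Group hits per host; report hosts matching at least `threshold` distinct rules."""
    by_host = defaultdict(set)
    for event in events:
        by_host[event["host"]].update(evaluate(event))
    return {h: sorted(rules) for h, rules in by_host.items() if len(rules) >= threshold}


# Constructed sample records, shaped after the behavior listed in the sandbox report.
PROFILE = r"C:\Documents and Settings\Administrator\Local Settings"
SYS32 = r"C:\WINDOWS\system32"
CONSTRUCTED_EVENTS = [
    {"host": "WS-01", "image": PROFILE + r"\Temp\vba_macro.exe",
     "command_line": PROFILE + r"\Temp\vba_macro.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\Office12\WINWORD.EXE"},
    {"host": "WS-01", "image": SYS32 + r"\rundll32.exe",
     "command_line": SYS32 + r'\rundll32.exe "' + PROFILE
                     + r'\Application Data\FONTCACHE.DAT",#1',
     "parent_image": PROFILE + r"\Temp\vba_macro.exe"},
    {"host": "WS-01", "image": SYS32 + r"\cmd.exe",
     "command_line": r'cmd /s /c "for /L %i in (1,1,100) do (del /F "' + PROFILE
                     + r'\Temp\vba_macro.exe" & ping localhost -n 2 & if not exist "'
                     + PROFILE + r'\Application Data\FONTCACHE.DAT" Exit 1)"',
     "parent_image": PROFILE + r"\Temp\vba_macro.exe"},
    # Benign look-alikes on another host: none of these should match.
    {"host": "WS-02", "image": SYS32 + r"\rundll32.exe",
     "command_line": r"rundll32.exe shell32.dll,Control_RunDLL",
     "parent_image": r"C:\WINDOWS\explorer.exe"},
    {"host": "WS-02", "image": SYS32 + r"\rundll32.exe",
     "command_line": r"rundll32.exe C:\WINDOWS\system32\example.dll,#1",
     "parent_image": r"C:\WINDOWS\explorer.exe"},
    {"host": "WS-02", "image": SYS32 + r"\cmd.exe",
     "command_line": r'cmd /c "for /L %i in (1,1,5) do ping gateway -n 1"',
     "parent_image": r"C:\WINDOWS\explorer.exe"},
]

if __name__ == "__main__":
    print(correlate(CONSTRUCTED_EVENTS))
```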

In an attempt to make a researcher’s life more difficult and in order to slow down the time to fully analyze the malware, the authors decided to obfuscate, again, this piece of malware.

We’ll go a bit deeper by trying to unpack the malware using old methods. It is common practice for malware analysts to set breakpoints on common memory-allocating APIs, such as VirtualAlloc and LocalAlloc, and see whether the malware is trying to unpack part of itself in memory; however, this particular sample uses RtlAlloc and HeapAlloc to copy parts of itself little by little.

After decryption and some initializations, it will enter its main loop.


Fig 10: Chart of main function of FONTCACHE.DAT

(A) Attempts to read the current user’s credential named MCSF_Config using CredReadA API. The one that will be read is actually an encrypted buffer that will be written by the malware in function (B). This encrypted buffer will be decrypted twice and will contain information like the CnC server URL, bot version, build type and some other strings that will be appended to locally gathered data.


(B) Reads the data in the .CDATA section of FONTCACHE.DAT and overwrites the current user’s credential with that blob. This is achieved via CredWriteA API. This part also gathers local information about the target system and saves it for later use.

(C) Responsible for modifying the settings for Internet Explorer in the registry.

    • Software\Microsoft\Internet Explorer\Main Check_Associations
    • Software\Microsoft\Internet Explorer\InformationBar FirstTime
    • Software\Microsoft\Internet Explorer\New Windows PopupMgr
    • Software\Microsoft\Internet Explorer\PhishingFilter Enabled
    • Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache Persistent
    • Software\Microsoft\Internet Explorer\TabbedBrowsing WarnOnClose
    • Software\Microsoft\Internet Explorer\TabbedBrowsing WarnOnCloseAdvanced
    • Software\Microsoft\Internet Explorer\Main DisableFirstRunCustomize
    • Software\Microsoft\Internet Explorer\Recovery NoReopenLastSession
    • Software\Microsoft\Internet Explorer\Main NoProtectedModeBanner
    • Software\Microsoft\Internet Explorer\TabbedBrowsing
    • Software\Microsoft\Internet Explorer\Recovery

The function also creates a separate thread that initiates RPC communication over named pipes. This named pipe is how the different BE 3 plugins communicate over the same network.

      1. Pipe\{AA0EED25-4167-4CBB-BDA8-9A0F5FF93EA8}

(D) Creates a file named NTUSER.LOG. Currently, due to the way it was programmed, it only creates a 0 byte file.

(E) Forms the message that will be sent over to its CnC server. It contains the following information:

      • B_id : BotID, composed of <computername> _<unique bot identifier>
      • B_gen : generation of bot, in this case “release”
      • B_ver : Bot version, “2.2”
      • Os_v : target system OS version, “2600” (Build version of Windows XP)
      • Os_type: OS type, “0”

Using CryptBinaryToString, it “encrypts” the data and sends it over the network to its CnC server as POST data in the body parameter.


(F) Creates an instance of Internet Explorer in the background using CoCreateInstance API. Since the settings of IE were already modified, no GUI will be seen, and it will be running under svchost.exe.

  • D30C1661-CDAF-11D0-8A3E-00C04FC9E26E using this GUID, an empty instance of IE will be called as it is the default handler of IWebBrowser2 interface.
  • Connects to as an RPC client to send the information to a remote server.


(G) Assuming a connection to the remote server has been made, it accepts 4 basic commands:

  • Delete – deletes a specified file
  • Ldplg – loads a plugin
  • Unlplg – unload a plugin
  • Dexec – download and execute a binary file

With these commands, it has made itself modular, as it can download and execute different plugins based on the type of attack to be performed. BlackEnergy has already been linked to several discovered plugins that also use the named pipe mentioned above for inter-process communication, locally or even over the local network.

It is believed that these backdoor commands are the ones responsible for the attack that happened. The authors would upload new plugins, execute them and, after the damage has been done, delete the traces. The plugin capabilities include (but are not limited to):

      • Input/Output (IO) operations, deleting files and wiping away traces
      • Gathering system information
      • Keyloggers
      • Password stealers
      • Taking of screenshots
      • Remote access, SSH or RDP

After that, it will sleep for X seconds, as indicated in its configuration data, and then attempt to send the information and accept new commands from the CnC server.



Fig 11: Simplified overall flow of BlackEnergy 3

The point of entry is a targeted spear-phishing email with a malicious attachment. Once it has been executed, the malware is able to download and install new plugins. Communication between the core malware module and the plugins is achieved through RPC. This is employed since most ICS are on an isolated network: even if the target systems are on a network that does not have an internet connection, the malware would still be able to exfiltrate data, install new plugins and control the systems using RPC named pipes over SMB. Fig 11 shows a simplified diagram.

The post Breaking Down the Malware Behind the Ukraine Power Outage appeared first on ThreatTrack Security Labs Blog.

Hunton Webinar on the EU General Data Protection Regulation

On March 9, 2016, Hunton & Williams LLP hosted a webinar regarding the impact of the EU General Data Protection Regulation (“GDPR”) on global companies. Partner Aaron Simpson moderated the session, and speakers included partner and head of the Global Privacy and Cybersecurity practice Lisa Sotto and partner Wim Nauwelaerts. Together, they explored the key components of the GDPR and discussed a roadmap toward compliance.

The webinar was the first segment in a two-part series, and Part 2 will be held in April.


CIPL Launches Project at Amsterdam Workshop on EU General Data Protection Regulation Implementation

On March 16, 2016, the Centre for Information Policy Leadership (“CIPL”) at Hunton & Williams LLP will co-host a one-day workshop in Amsterdam, Netherlands, together with the Dutch Ministry of Security and Justice, to kick off a new long-term CIPL project on the implementation of the EU General Data Protection Regulation (“GDPR”).

Under the title “Towards a Successful and Consistent Implementation of the GDPR,” the workshop will focus on GDPR issues that require further interpretation and guidance. More than 100 participants from numerous EU data protection authorities, the European Data Protection Supervisor, the European Commission, several government ministries, EU and U.S. businesses, as well as from academia and other organizations, will participate in the workshop.

The project aims to address the need for a constructive and expert dialogue between industry, regulators and key policymakers with the following specific objectives:

  • facilitating consistency in the interpretation of the GDPR across the EU;
  • informing and advancing constructive and forward-thinking interpretations of key GDPR requirements;
  • facilitating consistency in the further implementation of the GDPR by EU Member States, the European Commission and the European Data Protection Board;
  • examining best practices and challenges in the implementation of the key GDPR requirements;
  • sharing industry experiences and views to benchmark, coordinate and streamline the implementation of new compliance measures; and
  • examining how the new GDPR requirements should be interpreted and implemented to advance the European Digital Single Market strategy and data-driven innovation, while protecting the privacy of individuals and respecting the fundamental right to data protection.

According to Bojana Bellamy, the President of CIPL, “the GDPR signifies a new era in data privacy law and practice and will be a driver of significant change for all stakeholders – businesses, government bodies and DPAs.” Bellamy emphasized that “[n]ow is the time for organizations to begin their efforts to assess the impact of the new GDPR requirements, devise strategies for implementation, and to put into place company-wide change management programs. The Regulation leaves a significant margin for maneuver to the Member States, the Commission, and the new European Data Protection Board. It is essential that there be active and constructive engagement between the industry and data protection regulators and policymakers, to ensure consistent interpretation and implementation of the new rules as well as the success of the GDPR generally. Our project hopes to provide a forum for this engagement throughout the two-year implementation phase.”

The two-year project will consist of and result in a number of workshops, webinars, white papers and other relevant events and materials. The focus topics of the first workshop in Amsterdam will be (1) data privacy programmatic management, including the elements of accountability, the role of the data protection officer, assessing risk in the context of privacy impact assessments, privacy by design and breach notifications, demonstrating accountability externally, binding corporate rules, privacy seals and certifications and codes of conduct, and harmonization and consistent implementation; and (2) individual rights, including data portability, data erasure, right to object, and transparency to individuals.

Hunton Releases Management Guide to the EU General Data Protection Regulation

On March 9, 2016, Hunton & Williams’ Global Privacy and Cybersecurity practice lawyers released a management guide on the EU General Data Protection Regulation (“GDPR”), entitled “Overview of the EU General Data Protection Regulation,” addressing the key impacts the new law will have on businesses. This high-level management guide is intended to provide companies with a roadmap to the Regulation, focusing on topics such as expanded territorial scope, data breach notification rules, the One-Stop Shop concept and the right to be forgotten.

Later this month, we will be releasing “The EU General Data Protection Regulation: A Guide for In-house Lawyers,” which will provide more detail on the impacts to company decision makers.


CIPL, Hunton & Williams, TRUSTe to Represent U.S. Business on APEC E-Commerce Business Alliance Expert Council

During last week’s APEC privacy and e-commerce meetings in Lima, Peru, the APEC E-Commerce Business Alliance (“ECBA”) established its 2nd APEC E-Commerce Business Alliance Expert Council (“Expert Council”). The ECBA Expert Council is comprised of 32 e-commerce experts from government, academia and the private sector in the APEC region. The U.S. members are Markus Heyder, Vice President and Senior Policy Counselor at the Centre for Information Policy Leadership, Manuel “Bing” Maisog, partner at Hunton & Williams, and Joshua Harris, Director of Policy at TRUSTe.

The APEC-ECBA was created in 2001 to (1) promote cooperation between the public and private sectors in the field of e-commerce, (2) provide a forum for information sharing between APEC member economies, and (3) develop e-commerce across different industry sectors. ECBA’s secretariat is based in the China International E-Commerce Center, a quasi-public agency under China’s Ministry of Commerce. The first ECBA Expert Council was formed in 2010 to strengthen and support ECBA’s mission through research, reports, training and other initiatives. ECBA holds annual conferences for the Expert Council and other APEC-based government and private sector stakeholders.

In late June or early July 2016, ECBA will hold its 6th APEC E-Commerce Business Alliance Forum called “Realize Inclusive Trade Through Cross-Border Electronic Commerce.” This three-day event will be held in China, either in Jinjiang, Fujian Province or Mianyang, Sichuan Province.

Ransomware.OSX.KeRanger samples

Research: New OS X Ransomware KeRanger Infected Transmission BitTorrent Client Installer by Claud Xiao

Sample credit: Claud Xiao


Consumer Financial Protection Bureau Imposes First Ever Data Security Fine

On March 2, 2016, the Consumer Financial Protection Bureau (“CFPB”) reached a settlement with Dwolla, Inc. (“Dwolla”), an online payment system company, to resolve claims that the company made false representations regarding its data security practices in violation of the Consumer Financial Protection Act. Among other things, the consent order imposes a $100,000 fine on Dwolla. This marks the first data security-related fine imposed by the CFPB.

In the consent order, the CFPB alleges that Dwolla misrepresented that it “employ[ed] reasonable and appropriate measures to protect data obtained from consumers from unauthorized access,” and that its network and transactions were “safe,” “secure” and compliant with the standards set forth by the PCI Security Standards Council. Specifically, the CFPB found that Dwolla failed to:

  • adopt and implement data security policies and procedures reasonable and appropriate for the organization;
  • use appropriate measures to identify reasonably foreseeable security risks;
  • ensure that employees who have access to or handle consumer information received adequate training and guidance about security risks;
  • use encryption technologies to properly safeguard sensitive consumer information; and
  • practice secure software development, particularly with regard to consumer-facing applications developed on an affiliated website.

In addition to the $100,000 fine, Dwolla was ordered, for the next five years, to adopt and implement reasonable and appropriate data security measures to protect consumers’ personal information on its networks and applications, including:

  • implementing a comprehensive data security plan reasonably designed to protect the confidentiality, integrity and availability of sensitive consumer information;
  • conducting semiannual data security risk assessments;
  • conducting regular, mandatory employee training on (1) data security policies and procedures, (2) the safe handling of consumer’s sensitive personal information, and (3) secure software design, development and testing;
  • obtaining an annual data security audit from an independent, qualified third party, using procedures and standards generally accepted in the profession; and
  • implementing reasonable procedures for the selection and retention of service providers capable of maintaining security practices consistent with the consent order, and requiring service providers by contract to implement and maintain appropriate safeguards.

JIPDEC Named Accountability Agent for APEC Cross-Border Privacy System

On February 25, 2016, the Asia-Pacific Economic Cooperation (“APEC”) issued a press release announcing the decision by the Joint Oversight Panel of the APEC Electronic Commerce Steering Group to approve the Japan Institute for Promotion of Digital Economy and Community (“JIPDEC”) as a new “Accountability Agent” under the APEC Cross-Border Privacy Rules (“CBPR”) system. Along with TRUSTe, JIPDEC will now be able to independently assess the compliance of companies under the APEC CBPR system. With this approval, Japan is now a fully operational participant in the APEC CBPR system.

The APEC CBPR system is a regional, multilateral, cross-border data transfer mechanism and enforceable privacy code of conduct developed for businesses by the 21 APEC member economies. The CBPRs implement the nine high-level APEC Privacy Principles set forth in the APEC Privacy Framework. Although all APEC economies have endorsed the system, in order to participate, individual APEC economies must officially express their intent to join and satisfy certain requirements. Currently, the U.S., Mexico, Canada and Japan are participants in the APEC CBPR system. Other APEC economies are in the process of determining how and when they may join.

How to Safeguard Privacy and Data Security in Corporate Transactions

Personal information about consumers is the lifeblood of many organizations. Because of the potential value of the information, companies are increasingly focused on privacy and data security issues that arise in the context of mergers, acquisitions, divestitures and related transactions. In many corporate transactions, data is a critical asset that should be addressed as a key deal point. Unfortunately, too often personal data is transferred without consideration of the issues that otherwise might change the pricing of a deal – or kill it altogether. In a recent article published by Corporate Counsel, Hunton & Williams partner Lisa J. Sotto and associate Ryan P. Logan discuss the privacy and data security-related legal issues that arise in corporate transactions, and provide a how-to guide on addressing those issues during the various stages of a transaction.


HHS Releases Guidance on Health Apps and HIPAA Security Rule Crosswalk

Recently, the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) published two guidance documents related to HIPAA compliance. To help mobile app developers understand HIPAA compliance obligations, OCR published guidance on the use of mobile health apps (the “Health App Guidance”). OCR also released a crosswalk (the “Crosswalk”) that maps the National Institute of Standards and Technology (“NIST”) Framework for Improving Critical Infrastructure Cybersecurity (the “NIST Cybersecurity Framework”) to the HIPAA Security Rule.

The Health App Guidance sets out several scenarios for health apps and analyzes whether the app developer would be a HIPAA business associate in each scenario. For example, when consumers download a health app that enables them to populate the app with information about their blood sugar levels and blood pressure, OCR indicates that the app developer would not be a business associate because the app developer is not creating, receiving, maintaining or transmitting protected health information (“PHI”) on behalf of a covered entity or another business associate. In contrast, OCR believes that an app developer who contracts with a health care provider to develop an app that enables the patient to input information and sends it to the provider to be incorporated into the providers’ electronic health records would be a business associate.

The Health App Guidance summarizes that an app developer is likely a business associate if it is (1) hired, or has the app paid for, by a covered entity or another business associate, and (2) directed by the covered entity or business associate to create, receive, maintain or disclose PHI. The app developer is likely not a business associate if (1) the app is independently selected by a consumer, (2) the consumer alone decides whether to transmit PHI to a third party, and (3) the app developer does not have a relationship with that third party (apart from an interoperability relationship).

The Crosswalk maps the administrative, physical and technical safeguards in the HIPAA Security Rule to a NIST Cybersecurity Framework Subcategory (or in some cases, multiple Subcategories). For example, the HIPAA Security Rule implementation specification for “Log-in monitoring” obligates entities to implement procedures for monitoring log-in attempts and reporting discrepancies. This is mapped to numerous NIST Cybersecurity Framework Subcategories, including those that require that “[t]he network is monitored to detect potential cybersecurity events” and “[m]onitoring for unauthorized personnel, connections, devices, and software is performed.” OCR cautions, however, that the Crosswalk is intended to be “an informative reference” rather than a guarantee of HIPAA Security Rule compliance.

The Health App Guidance and Crosswalk should serve as valuable tools that will help both covered entities and business associates evaluate their potential HIPAA obligations and take steps to achieve compliance with those obligations.