Monthly Archives: July 2017

TOPransom: From eMail Attachment to Pwning the Attacker’s Database

Hi folks, today I want to share a quick but intensive experience in fighting cybercrime. I hope you will appreciate the entire process, from receiving an email attachment to pwning the ransom server in an attempt to stop the infection and to alert everybody about the threats found. As a second step I will try to identify the attacker in order to give additional information to law enforcement; those actions will not be published.

But, let's start by having a little bit of context:

During the past few days a colleague of mine (MarcoT.) gave me an interesting email attachment called: (sha256:fdd1da3bdd8f37dcc04353913b5b580dadda94ba).
Unzipping the attachment revealed a single .vbs file. By double-clicking the .vbs file, the victim runs it through Microsoft's wscript.exe, which fires up the infection process. The email belongs to a larger spamming campaign spread across the USA and, over the past few days, reaching Europe as well.

The Visual Basic script was obfuscated, as you can see from the following image, but the obfuscation technique was quite weak to reverse: only one round of packing was applied, and after a few substitutions clear-text strings became observable.

Obfuscated Dropper

Interesting techniques were introduced in this dropper. First of all, a lot of junk code (apparently legitimate code) was added in order to make the reverse-engineering process harder. The choice of junk code is itself interesting: it appears to be taken from real droppers but is not linked to the analyzed one. Another notable technique concerned the "User-Agent" header, which turned out to be the key factor in downloading the real payload: the compromised sites only serve the executable to the User-Agent the script sets. Beyond that, the dropper per se is not interesting. It basically uses a plain old WScript.Shell to execute an 'MZ' file once it has been downloaded from compromised websites (IoC later on). The dropped file is returned directly in the HTTP response body and saved with a static name in the user's temporary folder: saToHxy.exe. The dropper also renames VB objects and VB functions to make everything a little harder to read.

Saving the dropped payload into the user temporary folder with a static name
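The chain just described (wscript.exe opening the .vbs, then spawning an executable from the user's temporary folder under a static name) is easy to hunt for in process-creation telemetry. The following is an added example, not the post's code: it scores constructed Sysmon-style events for that pattern. The event field names, the severity labels and the sample events are assumptions made for this example; the only IoC taken from the post is the file name saToHxy.exe.

```python
"""Hunt for the TOPransom infection chain in process-creation telemetry.

Added example; this is not the post's code. It scores constructed,
Sysmon-style process-creation events (parent image, image, command
line) for the chain the post describes: wscript.exe launching the
.vbs attachment, then spawning an executable saved under the user's
temporary folder with the static name saToHxy.exe. The event field
names and the sample events are assumptions made for this example.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
DROPPED_NAME = "satohxy.exe"  # static file name reported in the post (case-folded)
TEMP_DIR_RE = re.compile(r"\\appdata\\local\\temp\\", re.IGNORECASE)


@dataclass
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


def basename(path: str) -> str:
    """Case-folded file name of a Windows path."""
    return path.lower().rsplit("\\", 1)[-1]


def is_vbs_launch(ev: ProcEvent) -> bool:
    """A script host started with a .vbs argument (the double-click stage)."""
    return basename(ev.image) in SCRIPT_HOSTS and ".vbs" in ev.command_line.lower()


def is_temp_exe_from_script_host(ev: ProcEvent) -> bool:
    """A script host spawning an .exe that lives under AppData\\Local\\Temp."""
    return (
        basename(ev.parent_image) in SCRIPT_HOSTS
        and ev.image.lower().endswith(".exe")
        and TEMP_DIR_RE.search(ev.image) is not None
    )


def classify(ev: ProcEvent) -> Optional[str]:
    """Severity for one event: high = known IoC name, medium = same pattern, low = .vbs launch."""
    if is_temp_exe_from_script_host(ev):
        return "high" if basename(ev.image) == DROPPED_NAME else "medium"
    if is_vbs_launch(ev):
        return "low"
    return None


def hunt(events: List[ProcEvent]) -> List[Tuple[str, str]]:
    """Return (severity, image) for every event that matches the chain."""
    hits = []
    for ev in events:
        label = classify(ev)
        if label:
            hits.append((label, ev.image))
    return hits


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\wscript.exe",
              r'"C:\Windows\System32\wscript.exe" "C:\Users\bob\Downloads\invoice.vbs"'),
    ProcEvent(r"C:\Windows\System32\wscript.exe", r"C:\Users\bob\AppData\Local\Temp\saToHxy.exe",
              r'"C:\Users\bob\AppData\Local\Temp\saToHxy.exe"'),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Program Files\Google\Chrome\Application\chrome.exe",
              r'"C:\Program Files\Google\Chrome\Application\chrome.exe"'),
    ProcEvent(r"C:\Windows\System32\wscript.exe", r"C:\Users\bob\AppData\Local\Temp\update.exe",
              r'"C:\Users\bob\AppData\Local\Temp\update.exe" /silent'),
    ProcEvent(r"C:\Windows\System32\wscript.exe", r"C:\Windows\System32\cmd.exe", r"cmd.exe /c whoami"),
]

if __name__ == "__main__":
    for severity, image in hunt(SAMPLE_EVENTS):
        print(f"{severity:6s} {image}")
```

The "medium" tier matters more than the "high" one in practice: the static name is trivial for the attacker to change, whereas a script host executing a fresh .exe out of the temp folder is the behaviour that survives a rename.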

As of today the dropping URLs are the following ones:
As mentioned, a plain Shell.Run executes the dropped payload. The payload (sha256:6a51d0cd9ea189babad031864217ddd3a7ddba84) looks like a one-stage payload: no heavy encryption nor multi-stage delivery is involved, just clear and intuitive user functions, with debugging headers still enabled.

No Packing found

Firing up IDA and reversing the sample revealed a small payload encoded through XOR and some anti-debugging tricks, such as timing control and performance monitoring, as follows:

Anti-Debugging tricks: Timing and Performance control
Following on with the analysis, it becomes clear that the sample makes heavy use of the Structured Exception Handler (SEH) chain: by deliberately triggering exceptions, the attacker invokes modified exception handler functions that decode the payload and place it directly in newly allocated memory pages, ending up in a "call eax" section. The following image shows the decoding loop.

Decoding Loop at 0x03001220
Following, a piece of the decoded memory area (configuration data), decoded by the routine at 0x03001220.

Decoded Memory Area
Dynamic analysis produced evidence of a ransomware payload. In fact, by following the decoded payload further along in memory, the analyst can observe the ransom HTML page (next image). I prefer to show a rendered "ransom request page" rather than a dump of hexadecimal bytes (sha256: cdb3fef976270ab235db623d6a4a97ea93c41dd1). The ransom page looks like the following image.

Ransom Request Rendered File
I will call this ransomware "TOPransom" because of the funny and evident mistake the attacker made in writing the ransom request file, where he suggests downloading the TOP Browser rather than the TOR Browser :D (LOL). TOPransom encrypts files and changes the file extension to an alphanumeric one, usually made of 3 characters (why "usually"? Because that is what the attacker's DB suggests, but I didn't find hard evidence of it). The modified extension is used as a hidden parameter in the ransom page. The following image shows some hidden fields used by the attacker to bring information back to the control server.

POST request to buy the decrypter
Particularly interesting (at least from my personal point of view) is the hidden input called "FB", which looks like it piggybacks two pieces of information to the command and control (ransom) server: the extension and some hexadecimal content included in a crafted tag called "pre". By clicking on "Yes I want to buy", the victim POSTs this data and is shown the following page asking for 0.18 BTC in order to get the files back.

Request for ransom
The FB hidden value made me curious. By changing the first value (the one before the "pre" tag) you get different BTC wallets with different asking prices. The following image shows the different results.

Request for ransom 2

This makes the system vulnerable to "balance enumeration" and to "denial of resources". In fact, by enumerating the attacker's wallet space I can perform a twofold action: if the wallet exists I retrieve its balance; if the wallet does not exist, the backend creates a new one, filling up the space the attacker has reserved for wallet creation. This could block new wallet creation and therefore new infections. So let's write a simple, dirty Python script to force new wallet creation and money mapping.

Forcing new wallets to limit further infections (please do not consider this script production-ready, nor the best implementation for such a goal)
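The script in the image above is not reproduced on this page. What follows is an added example, not the post's own script, showing the mechanics it describes: composing the FB value from a candidate extension and the crafted "pre" content, POSTing it, and extracting the wallet and asking price from each response. The exact FB layout (extension first, then a <pre> tag holding the hex blob) is an assumption drawn from the description above; the C2 URL, the response layout and the sample pages are constructed, and the transport is injectable so the example runs offline without contacting any server.

```python
"""Enumerate TOPransom wallets and prices through the FB hidden field.

Added example; this is not the post's own script. The FB value is
modelled as the fake extension followed by a crafted <pre>...</pre> tag
holding a hex blob, which is an assumption drawn from the description
above. The C2 URL, the page layout and the sample responses are all
constructed for this example; the real server is not contacted.
"""
import re
import urllib.parse
import urllib.request
from typing import Callable, Dict, Iterable, Optional, Tuple

C2_URL = "http://example.onion/buy.php"  # placeholder, not the real ransom server
BTC_ADDR_RE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")
PRICE_RE = re.compile(r"([0-9]+(?:\.[0-9]+)?)\s*BTC", re.IGNORECASE)


def build_fb(ext: str, hexblob: str) -> str:
    """Compose the FB value: the extension in front, the hex content inside <pre>."""
    if not re.fullmatch(r"[0-9a-zA-Z]{1,8}", ext):
        raise ValueError("extension must be short and alphanumeric")
    if not re.fullmatch(r"[0-9a-fA-F]*", hexblob):
        raise ValueError("pre content must be hexadecimal")
    return f"{ext}<pre>{hexblob}</pre>"


def parse_ransom_page(html: str) -> Optional[Tuple[str, float]]:
    """Return (wallet, price_in_btc) from a ransom page, or None if either is missing."""
    addr = BTC_ADDR_RE.search(html)
    price = PRICE_RE.search(html)
    if addr is None or price is None:
        return None
    return addr.group(0), float(price.group(1))


def http_post(url: str, fb_value: str) -> str:
    """Real transport: POST the FB field the way the ransom page's form does."""
    body = urllib.parse.urlencode({"FB": fb_value}).encode()
    req = urllib.request.Request(url, data=body, headers={"User-Agent": "Mozilla/5.0"})
    with urllib.request.urlopen(req, timeout=60) as resp:  # route through a Tor proxy in practice
        return resp.read().decode("utf-8", "replace")


def enumerate_wallets(exts: Iterable[str], hexblob: str,
                      post: Callable[[str, str], str] = http_post,
                      url: str = C2_URL) -> Dict[str, Tuple[str, float]]:
    """Map each candidate extension to the (wallet, price) the C2 returns for it.

    Every extension the backend has never seen makes it create a wallet,
    which is the resource-exhaustion effect described above.
    """
    found = {}
    for ext in exts:
        parsed = parse_ransom_page(post(url, build_fb(ext, hexblob)))
        if parsed is not None:
            found[ext] = parsed
    return found


# Constructed responses standing in for the C2 (not captured data).
FAKE_PAGES = {
    "a1b": "<html><body>Send 0.18 BTC to 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa</body></html>",
    "x9z": "<html><body>Send 0.25 BTC to 1BoatSLRHtKNngkdXEeobR76b53LETtpyT</body></html>",
}


def fake_post(url: str, fb_value: str) -> str:
    """Offline stand-in for http_post that answers from FAKE_PAGES."""
    ext = fb_value.split("<pre>", 1)[0]
    return FAKE_PAGES.get(ext, "<html><body>MySQL error</body></html>")


if __name__ == "__main__":
    for ext, (wallet, btc) in enumerate_wallets(["a1b", "x9z", "q2w"], "deadbeef", post=fake_post).items():
        print(f"{ext}: {wallet} asks {btc} BTC")
```

The wallet regex only checks the legacy base58 address shape, not the checksum, which is enough to pull addresses out of a page; the values collected can then be looked up in a block explorer for the "balance enumeration" half of the exercise.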

Following on with the analysis, by playing a little bit further with that parameter (FB), I figured out it was vulnerable to SQL injection. What a nice surprise! The vulnerable part was the content of the crafted "pre" tag, which the backend passes into its query without sanitization, and which therefore triggered SQL injection.

SQLi on the C&C server!

So let's try to pwn the attacker! At first sight you may observe a MySQL error message containing non-Latin characters. Google Translate says it is Russian! Now we know that the attacker belongs, with high probability, to the Russian-speaking community. By investigating a little harder on the DB (reachable only over TOR, and very slow), I found the bot IDs and their related tasks. Please have a look at the incremental IDs and try to imagine how big that network was.

Bot IDs and relative locations

Another interesting topic was to investigate who the system users (a.k.a. the attackers) were, in other words the users of this ransomware-as-a-service platform, who happen to be the real attackers. Since it looks like a "Ransomware as a Service" platform, figuring out how many dollars the attackers were able to gain over time is my next goal. The following obfuscated image shows some of the usernames, passwords (ciphertext) and wallets the attackers used to gain profit.

Attackers Username, Passwords and Wallets
My attention ended up on that guy:
That guy is related to the following private wallet: 1P3t56jg5RQSkFDWkDK3xBj9JPtXhSwc3N

As you might guess there are two main wallet types:
- Public wallets, which store the victims' money. They are the publicly visible wallets; everybody who gets infected must know them in order to pay the ransom.
- Private wallets, which are the "real ones" belonging to the attackers. Private wallets receive money from the public wallets once the attack reaches its end. Platform charges are applied during that transaction.

Having the private wallet means being able to track down its transaction history. Transaction history is a great source for figuring out whether that guy carried out more illegal activity over the past months. Below is 's private wallet; we may observe interesting transactions, as shown in the following image.

Transaction From   1P3t56jg5RQSkFDWkDK3xBj9JPtXhSwc3N

That wallet, which is linked to in the DB, made a huge amount of transactions back on 2017-04-20 and 2017-04-23, moving 81.87 BTC out of the wallet, harvested through many small and similar transactions! If we include the BTC harvested from this attack, whose wallet currently has a balance of 13 BTC, he or she is close to 100 BTC in transactions. How about 2017-04 (do you remember any famous attack at that time? :P). With high probability the attacker has engaged in illegal activities (such as ransomware) more than once; this boy/girl is, with high probability, a recurring attacker. By investigating a little bit more on that email address it's easy to find strong relations between and , which is a Russian-based marketplace where attackers buy and sell attacking tools, information and experience.

After a few more crafted SQL queries I was able to extract the "inst" table. Its field names are the following ones:


Yes, come on! This table records the infected clients; let's see if we can do something to help them!
A simple DB count showed me more than 2k infections so far. Not bad for a brand new ransomware as a service. The targets look very spread all over the world. So far it's possible to extract the following country distribution.

TOPransom Victims Distribution

I will not disclose IP addresses, in order to protect the victims' privacy. Other interesting data comes from the victim browser distribution (another parameter collected by the attacker). Curiously, the most used browser on Windows devices is Chrome, as the following image shows. Remember: the infection vector wasn't the web browser but wscript.exe, which opens the .vbs when it is double-clicked.

TOPransomware victims browser distribution

In this post I've described the activity that took me from an email attachment to dumping the entire attacker's database of a Ransomware as a Service platform that I called TOPransom. I've tried to enumerate the attacker's income and to mitigate the spreading vector by filling up the per-user wallet creation quota with a quick and dirty Python script.

Following IoC for your detection systems. Have fun !

IoC (summing up; note that the digests listed are 40 hex characters long, i.e. SHA-1 length, even though they are labelled sha256):
  • dropper .vbs (sha256:fdd1da3bdd8f37dcc04353913b5b580dadda94ba)
  • saToHxy.exe (sha256:6a51d0cd9ea189babad031864217ddd3a7ddba84)
  • RECOVER-FILES-html (sha256: cdb3fef976270ab235db623d6a4a97ea93c41dd1)
  • Bot location:
  • Bot Location:
  • TOP Browser

CNIL Extends Scope of Authorization on Whistleblowing Schemes

On July 25, 2017, the French Data Protection Authority (“CNIL”) published their decision on the adoption of several amendments to its Single Authorization AU-004 regarding the processing of personal data in the context of whistleblowing schemes (the “Single Authorization”). The amendments reflect changes introduced by French law on December 9, 2016, regarding transparency, the fight against corruption and the modernization of the economy, also known as the “Sapin II Law.”

Since 2005, companies in France have had to register their whistleblowing schemes with the CNIL either by self-certifying to the CNIL’s Single Authorization or by filing a formal request for the CNIL’s approval. Companies that self-certify to the Single Authorization make a formal representation that their whistleblowing scheme complies with the pre-established conditions set out in the Single Authorization. Until now, only the following types of issues could be reported under the CNIL’s Single Authorization: finance, accounting, banking and anti-corruption issues, anti-competitive practices, workplace discrimination and harassment, workplace health, hygiene and safety issues and environmental issues. The scope of whistleblowing schemes had to be limited to these areas in order to benefit from the CNIL’s Single Authorization.

Through the recent amendments, the CNIL has extended the scope of the Single Authorization to any reports relating to:

  • a crime or offence;
  • a manifest and serious infringement of an international commitment duly ratified or approved by France;
  • a manifest and serious infringement of an unilateral act of an international organization adopted on the basis of an international commitment duly ratified or approved by France;
  • a manifest and serious violation of laws or regulations;
  • a serious threat or damage to the public interest of which the whistleblower has had personal knowledge;
  • obligations defined by EU regulations and by the French Monetary and Financial Code or by the general regulations of the French Financial Markets Authority, which are monitored by the French Financial Markets Authority or the French Prudential Supervision and Resolution Authority;
  • the existence of behavior or situations contrary to the company’s code of conduct, in respect to corruption or trading in influence.

However, the revised Single Authorization does not cover issues covered by national defense secrecy, medical secrecy and legal privilege. Organizations allowing reporting on these issues must file a formal request for the CNIL’s approval.

The revised Single Authorization also specifies that whistleblowers may be staff members of the organization or external and occasional collaborators (such as consultants/contractors). Whistleblowing schemes open to other third parties (such as customers) will not fall within the scope of the Single Authorization.

Further, the revised Single Authorization notes that the whistleblower must identify themselves, and their identity must be processed under conditions of confidentiality. In this respect, the revised Single Authorization specifies that the information identifying the whistleblower may only be disclosed to judicial authorities and with the whistleblower’s consent. Similarly, information identifying the reported individual may be disclosed only to judicial authorities and when it is established that the concern is well-founded.

Finally, the revised Single Authorization adds that the privacy notice must explain how reports may be filed through the whistleblowing scheme and who will receive the reports.

Organizations that have already self-certified to the Single Authorization do not need to make a further representation that they comply with the revised version of that Single Authorization, but they must ensure that they meet its new conditions.

CNIL Fines Rental Car Company for Data Security Failure Attributable to Third-Party Service Provider

On July 27, 2017, the French Data Protection Authority (“CNIL”) imposed a fine of €40,000 on a French affiliate of the rental car company, The Hertz Corporation, for failure to ensure the security of website users’ personal data.

On October 15, 2016, the CNIL was informed of the existence of a security incident which resulted in the compromise of personal data on a French website related to Hertz France’s discount program. The CNIL carried out an online investigation and found that personal data of approximately 35,000 users was easily accessible from a URL address. The CNIL notified Hertz France of the issue, who in turn informed its service provider in charge of designing the website. The service provider immediately took corrective actions to stop the issue. The investigation revealed that the issue was due to a mistake made by the service provider during a server change operation. The CNIL concluded that Hertz France had been negligent in overseeing the actions of its service provider (acting as a data processor). As a result, the CNIL decided to impose a fine of €40,000 on Hertz France. In deciding the amount of the fine, the CNIL took into account the responsiveness of the company in remedying the issue, its initiative to conduct a security audit of its service provider and its appropriate level of cooperation with the CNIL.

This is the first fine imposed by the CNIL since the amendment of the French Data Protection Act by the French Digital Republic Act of October 7, 2016, which has strengthened the CNIL’s enforcement powers, pending the application of the GDPR. Prior to that amendment, the CNIL likely would have simply issued a public warning in such a case (i.e., a decision finding that the company failed to comply with its data protection obligations).

CAN Bus Standard Vulnerability

NCCIC/ICS-CERT is aware of a public report of a vulnerability in the Controller Area Network (CAN) Bus standard with proof-of-concept (PoC) exploit code affecting CAN Bus, a broadcast based network standard. According to the public report, which was coordinated with ICS-CERT prior to its public release, researchers Andrea Palanca, Eric Evenchick, Federico Maggi, and Stefano Zanero identified a vulnerability exploiting a weakness in the CAN protocol that allows an attacker to perform a denial-of-service (DoS) attack.

Singapore Submits Notice of Intent to Join the APEC CBPR and PRP Systems

On July 27, 2017, Singapore submitted its notice of intent to join the APEC Cross-Border Privacy Rules (“CBPR”) system and the APEC Privacy Recognition for Processors System (“PRP”). Singapore would be the sixth member of the CBPR system, joining Canada, Japan, Mexico, the United States and the newest member, South Korea. The announcement was made by Dr. Yaacob Ibrahim, Minister for Communication and Information, at the Personal Data Protection Seminar 2017.

According to Dr Ibrahim, the direct value added to Singapore’s GDP by data connectivity in trade is around 40 percent, and this figure will only increase moving forward. This will lead to a demand for higher cross-border data protection standards. The APEC CBPR system will facilitate overseas data exchanges with Singapore and provide assurances that Singapore will use the data responsibly.

Singapore will align its DP Trustmark standards with the APEC CBPR and PRP systems, and companies that obtain the DP Trustmark standards will concurrently be certified under the APEC CBPR system.

The APEC CBPR system is a regional, multilateral cross-border data transfer mechanism and enforceable privacy code of conduct developed for businesses by the 21 APEC member economies. The CBPR system implements the nine high-level APEC Privacy Principles set forth in the APEC Privacy Framework.

As we previously reported, the APEC PRP system allows information processors to demonstrate their ability to effectively implement an information controller’s privacy obligations related to the processing of personal information. The PRP also enables information controllers to identify qualified and accountable processors, as well as assist small- or medium-sized processors that are not widely known to gain visibility and credibility.

Combined, the CBPR for controllers and PRP for processors now covers the entire information ecosystem.

Nevada Enacts Website Privacy Notice Law

Recently, Nevada enacted an online privacy policy law which will require operators of websites and online services to post a notice on their website regarding their privacy practices. The Nevada law contains content requirements for online privacy notices, specifying that the notice must (1) identify the categories of personally identifiable information (“PII”) collected through the website and the categories of third parties with whom PII may be shared; (2) provide information about users’ ability to review and request changes to PII collected through the website; (3) disclose whether third parties may collect information about users’ online activities from the website; and (4) provide an effective date of the notice.

Nevada is the third state to enact legislation requiring website operators to post a public privacy notice, following California (enacted in 2004) and Delaware (enacted in 2016). The scope of Nevada’s law is narrower than the laws of California and Delaware in several key respects. Namely, the Nevada law limits its jurisdictional application to entities that purposefully direct or conduct activities in Nevada, or consummate some transaction with the state or one of its residents. Additionally, the law is not applicable to website operators whose revenue is derived primarily from other sources than online services and whose website annually receives fewer than 20,000 unique visitors.

The Nevada law does not provide a private right of action, but grants the Nevada Attorney General the power to enforce compliance and provides for injunctive relief and a maximum authorized civil penalty of $5,000. The law is set to take effect on October 1, 2017.

FTC Launches Series of Blog Posts on “Reasonable Steps” to Protect Consumer Data

On July 21, 2017, the FTC announced its publication of “Stick with Security,” a series of blog posts on reasonable steps that companies should take to protect and secure consumer data. The posts will build on the FTC’s Start with Security Guide for Businesses, and will be based on the FTC’s 60+ law enforcement actions, closed investigations and questions from businesses. Every Friday for the next few months, the FTC will publish on its Business Blog a new post focusing on each of the 10 “Start with Security” principles.

Its first post, “Stick with Security: Insights into FTC Investigations,” is focused on themes common to investigations that the FTC has closed, and which did not result in enforcement actions. One main reason the FTC may close an investigation is if the company’s practices line up with the FTC’s 10 “Start with Security” principles. The FTC cites as an example having effective procedures in place to train staff, keep sensitive information secure, address vulnerabilities and respond quickly to new threats. The FTC also considers whether proceeding with the investigation is a good use of resources. For example, the FTC may not consider an investigation high priority if a company experiences a breach affecting only a small amount of non-sensitive information. Another consideration is whether the FTC is the right agency to pursue the investigation. Recognizing that it is the “primary cop on the beat” on data security matters, the FTC notes that it works with other agencies with similar missions (including the DOJ, HHS, CFPB and FCC), which may be more appropriate to handle an investigation, depending on the circumstances. Lastly, the FTC prioritizes privacy and security issues that pose a real, and not just theoretical, risk to data. An example of a theoretical risk that the FTC may not choose to pursue is a vulnerability in a mobile device that would require both possession of the consumer’s device and highly sophisticated tools to exploit.

The FTC’s next blog post, to be published this Friday, July 28, will focus on “initial steps to start with security.”

CJEU Declares Envisaged EU-Canada Data Transfer Agreement Incompatible with EU Law

On July 26, 2017, the Court of Justice of the European Union (“CJEU”) declared that the envisaged EU-Canada agreement on the transfer of Passenger Name Records (“PNR Agreement”) interferes with the fundamental right to respect for private life and the right to the protection of personal data and is therefore incompatible with EU law in its current form. This marks the first instance where the CJEU has been asked to rule on the compatibility of a draft international agreement with the European Charter of Fundamental Human Rights.

The envisaged PNR Agreement authorizes the systematic and continuous transfer of all air passenger data to a Canadian authority for purposes of combating terrorism and other serious transnational crimes. The PNR Agreement permits the transferred data to be used, retained and possibly transferred to other authorities and non-member countries to achieve this aim.

The CJEU holds that while the interferences in question can be justified by the pursuit of public security, several provisions of the PNR Agreement are not limited to what is strictly necessary to achieve that aim:

  • Transfer and Retention of Sensitive Data: Parties to the PNR Agreement accept that sensitive data may be transferred to Canada. However, a transfer of sensitive data requires a solid justification based on grounds other than the protection of public security. In this instance, there is no such justification.
  • Use of PNR Data During Air Passengers’ Stay in Canada: Following verification of passenger data and permission to enter Canadian territory, the use of their data during their stay must be based on new circumstances justifying the use. As a general rule, the use of retained passenger data during their stay must be subject to a prior review carried out by a court or independent administrative body following a reasonable request by competent authorities submitted within the framework of procedures for the prevention, detection or prosecution of crime.
  • Continued Storage of PNR Data after Departure: The envisaged PNR Agreement permits the storage of passenger data for a period of five years. After a passenger (who has not been identified as presenting a risk relating to terrorism or serious transnational crime upon arrival and up to departure) has left Canada, there is no longer a connection between the data and the objective pursued by the PNR Agreement which would justify the retention of their data.

The CJEU notes that the PNR Agreement should:

  • Determine clearly and precisely certain passenger data to be transferred.
  • Specify that the criteria used for automated processing of passenger data will be non-discriminatory, reliable and specific.
  • Indicate that databases used will be limited to those used by Canadian authorities in the fight against terrorism and serious transnational crime.
  • Provide that passenger data may be disclosed by Canadian authorities to the authorities in a non-member country only if there is an agreement between the EU and the country in question equivalent to the envisaged PNR Agreement or a decision of the EU Commission in that field.
  • Provide air passengers with a right to notification if their data is used during their stay in Canada or after their departure, or if it is disclosed to other authorities or individuals.
  • Guarantee that an independent supervisory authority will oversee the rules relating to the protection of the processing of air passengers’ data.

Until changes are made to several provisions to ensure they are limited to what is strictly necessary to achieve the aim of the PNR Agreement, the CJEU concludes that the envisaged agreement may not be concluded in its current form.

Despite the ruling of the court, the EU Commission confirmed that it is moving forward with the implementation of an internal EU Passenger Name Record system which was adopted last year.

FLARE VM: The Windows Malware Analysis Distribution You’ve Always Needed!

UPDATE 2 (Nov. 14, 2018): FLARE VM now has a new installation, upgrade, and uninstallation process, and also includes many new tools such as IDA 7.0, radare and YARA.

UPDATE (April 26, 2018): The web installer method to deploy FLARE VM is now deprecated. Please refer to the README on the FLARE VM GitHub for the most up-to-date installation instructions.

As a reverse engineer on the FLARE Team I rely on a customized Virtual Machine (VM) to perform malware analysis. The Virtual Machine is a Windows installation with numerous tweaks and tools to aid my analysis. Unfortunately, trying to maintain a custom VM like this is very laborious: tools frequently get out of date and it is hard to change or add new things. There is also a constant fear that if the VM gets corrupted it would be super tedious to replicate all of the settings and tools that I’ve built up over the years. To address this and many related challenges, I have developed a standardized (but easily customizable) Windows-based security distribution called FLARE VM.

FLARE VM is a freely available, open-source Windows-based security distribution designed for reverse engineers, malware analysts, incident responders, forensicators, and penetration testers. Inspired by open-source Linux-based security distributions like Kali Linux, REMnux and others, FLARE VM delivers a fully configured platform with a comprehensive collection of Windows security tools such as debuggers, disassemblers, decompilers, static and dynamic analysis utilities, network analysis and manipulation, web assessment, exploitation, vulnerability assessment applications, and many others.

The distribution also includes the FLARE team’s public malware analysis tools such as FLOSS and FakeNet-NG.

How To Get It

You are expected to have an existing installation of Windows 7 or above. This allows you to choose the exact Windows version, patch level, architecture and virtualization environment yourself.

Once you have that available, you can quickly deploy the FLARE VM environment by visiting the following URL in Internet Explorer (other browsers are not going to work):

After you navigate to the above URL in Internet Explorer, you will be presented with a Boxstarter WebLauncher dialog. Select Run to continue the installation as illustrated in Figure 1.

Figure 1: FLARE VM Installation

Following successful installation of Boxstarter WebLauncher, you will be presented with a console window and one more prompt to enter your Windows password as shown in Figure 2. Your Windows password is necessary to restart the machine several times during the installation without prompting you to login every time.

Figure 2: Boxstarter Password Prompt

The rest of the process is fully automated, so prepare yourself a cup of coffee or tea. Depending on your connection speed, the initial installation takes about 30-40 minutes. Your machine will also reboot several times because of the requirements of the numerous software installations. During the deployment process, you will see installation logs for a number of packages.

Once the installation is complete, it is highly recommended to switch the Virtual Machine networking settings to Host-Only mode so that malware samples would not accidentally connect to the Internet or local network. Also, take a fresh virtual machine snapshot so this clean state is saved! The final FLARE VM installation should look like Figure 3.

Figure 3: FLARE VM installation

NOTE: If you encounter a large number of error messages, try to simply restart the installation. All of the existing packages will be preserved and new packages will be installed.

Getting Started

The VM configuration and the included tools were either developed or carefully selected by the members of the FLARE team who have been reverse engineering malware, analyzing exploits and vulnerabilities, and teaching malware analysis classes for over a decade. All of the tools are organized in the directory structure shown in Figure 4.

Figure 4: FLARE VM Tools

While we attempt to make every tool available as a shortcut in the FLARE folder, several are available from the command line only. Please see the online documentation at for the most up-to-date list.

Sample Analysis

In order to best illustrate how FLARE VM can assist in malware analysis tasks let’s perform a basic analysis on one of the samples we use in our Malware Analysis Crash Course.

First, let’s obtain some basic indicators by looking at the strings in the binary. For this exercise, we are going to run FLARE’s own FLOSS tool, which is a strings utility on steroids. Visit for additional information about the tool. You can launch it by clicking on the FLOSS icon in the taskbar and running it against the sample as illustrated in Figure 5.

Figure 5: Running FLOSS

Unfortunately, looking over the resulting strings in Figure 6 only one string really stands out and it is not clear how it is used.

Figure 6: Strings Analysis

Let’s dig a bit more into the binary by opening up CFF Explorer in order to analyze the sample’s imports, resources, and PE header structure. CFF Explorer and a number of other utilities are available in the FLARE folder, which can be accessed from the Desktop or the Start menu as illustrated in Figure 7.

Figure 7: Opening Utilities

While analyzing the PE header, we find several indicators that the binary carries an additional payload in a resource object. For example, the Import Address Table contains relevant Windows API calls such as FindResource, LoadResource and finally WinExec. Unfortunately, as you can see in Figure 8, the embedded resource "BIN" looks like random bytes, so it is likely encrypted (or compressed).

Figure 8: PE Resource
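The "contains junk" judgement above is usually made by eye, but it is cheap to make it a measurement. The following is an added example, not code from the FLARE post or from the FLARE VM project: it computes the Shannon entropy of a byte buffer and applies a threshold (7.2 bits per byte is an assumption of this example, not a rule from the post) to decide whether a blob such as the "BIN" resource is plausibly packed or encrypted. The two sample "resources" are constructed inline (a repeated DOS stub message and xorshift32 output) and stand in for a plain resource and for the real sample's opaque BIN resource, which this example does not contain.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* log2 without libm: scale x into [1,2), then extract fractional bits by squaring. */
static double log2_portable(double x) {
    int k = 0;
    double frac = 0.0, bit = 0.5;
    while (x < 1.0) { x *= 2.0; k--; }
    while (x >= 2.0) { x /= 2.0; k++; }
    for (int i = 0; i < 52; i++) {
        x *= x;
        if (x >= 2.0) { x /= 2.0; frac += bit; }
        bit *= 0.5;
    }
    return (double)k + frac;
}

/* Shannon entropy of a byte buffer in bits per byte (0.0 .. 8.0). */
double shannon_entropy(const unsigned char *buf, size_t len) {
    size_t counts[256] = {0};
    double h = 0.0;
    if (len == 0) return 0.0;
    for (size_t i = 0; i < len; i++) counts[buf[i]]++;
    for (int b = 0; b < 256; b++) {
        if (counts[b] == 0) continue;
        double p = (double)counts[b] / (double)len;
        h -= p * log2_portable(p);
    }
    return h;
}

/* Heuristic threshold (an assumption of this example): plain code and text sit
   well below 7 bits/byte; packed, compressed or encrypted blobs sit close to 8. */
int looks_encrypted_or_packed(const unsigned char *buf, size_t len) {
    return shannon_entropy(buf, len) > 7.2;
}

/* Constructed stand-in for a plain resource: the DOS stub text repeated. */
size_t fill_text_like(unsigned char *out, size_t cap) {
    const char *msg = "This program cannot be run in DOS mode.\r\n";
    size_t n = strlen(msg), pos = 0;
    while (pos + n <= cap) { memcpy(out + pos, msg, n); pos += n; }
    return pos;
}

/* Constructed stand-in for the "junk" resource: xorshift32 output bytes.
   This is NOT the real sample's BIN resource, just something shaped like it. */
size_t fill_noise_like(unsigned char *out, size_t cap) {
    uint32_t x = 0x9E3779B9u;
    for (size_t i = 0; i < cap; i++) {
        x ^= x << 13; x ^= x >> 17; x ^= x << 5;
        out[i] = (unsigned char)(x >> 24);
    }
    return cap;
}

double demo_text_entropy(void) {
    unsigned char buf[8192];
    return shannon_entropy(buf, fill_text_like(buf, sizeof buf));
}

double demo_noise_entropy(void) {
    unsigned char buf[8192];
    return shannon_entropy(buf, fill_noise_like(buf, sizeof buf));
}

int main(void) {
    printf("text-like resource:  %.2f bits/byte\n", demo_text_entropy());
    printf("noise-like resource: %.2f bits/byte\n", demo_noise_entropy());
    return 0;
}
```

Run it over the bytes of each resource (or each PE section) and you get a number instead of an impression; a resource near 8 bits/byte next to imports of FindResource, LoadResource and WinExec is a strong hint that the dropper decrypts and runs it. Note that compressed data scores just as high as encrypted data, so the check tells you the blob is opaque, not how it was made opaque.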

At this point, we could continue with static analysis, or we could "cheat" a bit by switching to basic dynamic analysis techniques. Let's attempt to quickly gather basic indicators by using another FLARE tool called FakeNet-NG. FakeNet-NG is a dynamic network emulation tool that tricks malware into revealing its network functionality by answering its requests with fake services such as DNS, HTTP, FTP, IRC and many others. Please visit for additional information about the tool.

Also, let's launch Procmon from the Sysinternals Suite in order to monitor file system, registry, and process and thread activity as well. You can find both of these frequently used tools in the taskbar illustrated in Figure 9.

Figure 9: Dynamic Analysis

After executing the sample with Administrator privileges, we quickly find excellent network- and host-based indicators. Figure 10 shows FakeNet-NG responding to the malware's attempt to communicate with over HTTP. Here we capture useful indicators such as the complete HTTP header, the URL and a potentially unique User-Agent string. Also notice that FakeNet-NG identifies the exact process that is communicating, level1_payload.exe. This process name corresponds to the unique string we identified during static analysis but could not explain.

Figure 10: FakeNet-NG

Comparing our findings with the output of Procmon in Figure 11, we can confirm that the malware is indeed responsible for creating the level1_payload.exe executable in the system32 folder.

Figure 11: Procmon

As part of the malware analysis process, we could continue digging deeper by loading the sample in a disassembler and performing further analysis inside a debugger. However, I would not want to spoil this fun for our Malware Analysis Crash Course students by sharing all the answers here. That said, all of the relevant tools to perform such analysis are already included in the distribution, such as the IDA Pro and Binary Ninja disassemblers, a nice collection of debuggers and several plugins, and many others to make your reverse engineering tasks as convenient as possible.

Have It Your Way

FLARE VM is a constantly growing and changing project. While we try to cover as many use-case scenarios as possible, covering them all is simply impossible due to the nature of the project. Luckily, FLARE VM is extremely easy to customize because it was built on top of the Chocolatey project. Chocolatey is a Windows-based package management system with thousands of packages. You can find the list here: In addition to the public Chocolatey repository, FLARE VM uses our own FLARE repository, which is constantly growing and currently contains about 40 packages.

What all this means is that if you want to quickly add some package, let’s say Firefox, you no longer have to navigate to the software developer’s website. Simply open up a console and type in the command in Figure 12 to automatically download and install any package:

Figure 12: Installing packages

In a few short moments, the Firefox icon is going to appear on your Desktop with no user interaction necessary.

Staying up to date

As I've mentioned in the beginning, one of the hardest challenges of an unmanaged virtual machine is trying to keep all the tools up to date. FLARE VM solves this problem. You can completely update the entire system by simply running the command in Figure 13.

Figure 13: Staying up to date

If any of the installed packages have newer versions, they will be automatically downloaded and installed.

NOTE: Don't forget to take another clean snapshot of the updated system and to set networking back to Host-Only before running any samples.


I hope you enjoy this new free tool and will adopt it as another trusted resource to perform reverse engineering and malware analysis tasks. Next time you need to set up a new malware analysis environment, try out FLARE VM!

In these few pages, we could only scratch the surface of everything that FLARE VM is capable of; however, feel free to leave your comments, tool requests, and bugs on our Github issues page here: or


The potential for fake news to turn viral on social media is quite real. There have been several instances where rumors have incited mob violence between rival communities. The consequences got out of hand when illiterate tribals in a remote Indian district received a WhatsApp message claiming that a gang was kidnapping children and selling their body parts. The message went viral in these villages and mobs of up to 500 people pounced on strangers whom they suspected to be child kidnappers; in all there were two incidents in which 7 people were lynched.
It is quite apparent to every cybercitizen that fake or distorted news is on the rise. Social media allows every individual a platform to disseminate such news or information. Fake news is routinely posted for vested interest such as political distortion, defamation, mischief, inciting trouble and to settle personal problems.

As aptly illustrated in the case above, when fake news goes viral the ill effects escalate to a point where they can cause physical damage, loss of life or long-term animosity between sections of society. Purposely crafted fake or distorted news, introduced over periods of time by vested interests, can distort perspectives and social harmony. Such news is effectively used for ideological indoctrination.

Creation of fake news is extremely simple. Listed below are six commonly used methods:

·         Individuals concoct their own stories

·         Marketers release competitive advertisements based on unproven data

·         Groups with vested interests manipulate the volume and narrative of news.

·         Photographs are morphed

·         Old photographs are used to depict recent events

·         Real photographs are used to defame

Obviously, it is also quite easy to catch the perpetrator. A few years back, a Twitter hoax was dealt with by a strong reprimand, but not today. Fake news, hoaxes, rumours or any other type of content that results in incitement or defamation attract stronger penalties and jail terms. Police are more aware and vigilant.
Most cybercitizens unwittingly help fake news go viral by recirculating it. Each forward creates a sense that the news must be true, because the previous sender must have validated it before passing it on.

Pause before forwarding, evaluate veracity, and only then forward. Do not be the link in the chain responsible for the circulation of fake news.
Cybercitizens, do take care when crafting messages on social media; a little mischief may earn you a few years in government-paid accommodation, i.e. jail. Advise your children to be responsible and to cross-check news received over social media before recirculating or believing it.

Hacking the Universe with Quantum Encraption

Ladies and Gentlemen of the Quantum Physics Community:

  I want you to make a Pseudorandom Number Generator!

  And why not!  I’m just a crypto nerd working on computers, I only get a few discrete bits and a handful of mathematical operations.  You have such an enormous bag of tricks to work with!  You’ve got a continuous domain, trigonometry, complex numbers, eigenvectors…you could make a PRNG for the universe!  Can you imagine it?  Your code could be locally hidden in every electron, proton, fermion, boson in creation.

  Don’t screw it up, though.  I can’t possibly guess what chaos would (or would fail to) erupt, if multiple instances of a PRNG shared a particular seed, and emitted identical randomness in different places far, far away.  Who knows what paradoxes might form, what trouble you might find yourself entangled with, what weak interactions might expose your weak non-linearity.  Might be worth simulating all this, just to be sure.

  After all, we wouldn’t want anyone saying, “Not even God can get crypto right”.


  Cryptographically Secure Pseudorandom Number Generators are interesting.  Given a relatively small amount of data (just 128 bits is fine) they generate an effectively unlimited stream of bits completely indistinguishable from the ephemeral quantum noise of the Universe.  The output is as deterministic as the digits of pi, but no degree of scientific analysis, no amount of sample data will ever allow a model to form for what bits will come next.

  In a way, CSPRNGs represent the most practical demonstration of Gödel's First Incompleteness Theorem, which states that for a sufficiently complex system, there can be things that are true about it that can never be proven within the rules of that system.  Science is literally the art of compressing vast amounts of experimentally derived output on the nature of things, to a beautiful series of rules that explains it.  But as much as we can model things from their output with math, math can create things we can never model.  There can be a thing that is true — there are hidden variables in every CSPRNG — but we would never know.

  And so an interesting question emerges.  If a CSPRNG is indistinguishable from the quantum noise of the Universe, how would we know if the quantum noise of the universe was not itself a CSPRNG?  There’s an infinite number of ways to construct a Random Number Generator, what if Nature tried its luck and made one more?  Would we know?

  Would it be any good?

   I have no idea.  I’m just a crypto nerd.  So I thought I’d look into what my “nerds from another herd”, Quantum Physicists, had discovered.


  Like most outsiders diving into this particular realm of science, I immediately proceeded to misunderstand what Quantum Physics had to say.  I thought Bell’s Theorem ruled out anything with secret patterns:

“No physical theory of local hidden variables can ever reproduce all the predictions of quantum mechanics.”  

  I thought that was pretty strange.  Cryptography is the industrial use of chaotic systems with hidden variables.  I had read this to mean, if there were ever local hidden variables in the random data that quantum mechanics consumed, the predictions would be detectably different from experimental evidence.

  Quantum Physics is cool, it’s not that cool.  I have a giant set of toys for encrypting hidden variables in a completely opaque datastream, what, I just take my bits, put them into a Quantum Physics simulation, and see results that differ from experimental evidence?  The non-existence of a detection algorithm distinguishing encrypted datastreams from pure quantum entropy, generic across all formulations and levels of complexity, might very well be the safest conjecture in the history of mathematics.  If such a thing existed, it wouldn’t be one million rounds of AES we’d doubt, it’d be the universe.

  Besides, there’s plenty of quantum mechanical simulations on the Internet, using JavaScript’s Math.Random.  That’s not exactly a Geiger counter sitting next to a lump of Plutonium.  This math needs uniform distributions, it does not at all require unpredictable ones.

  But of course I completely misunderstood Bell.  He based his theorem on what are now called Bell Inequalities.  They describe systems that are in this very weird state known as entanglement, where two particles both have random states relative to the universe, but opposite states relative to each other.  It's something of a bit repeat; an attacker who knows a certain "random" value is 1 knows that another "random" value is 0.  But it's not quite so simple.  The classical interpretation of entanglement is often demonstrated in relation to the loss of a shoe (something I'm familiar with, long story).  You lose one shoe, the other one is generally identical.

  But Bell inequalities, extravagantly demonstrated for decades, demonstrate that’s just not how things work down there because the Universe likes to be weird.  Systems at that scale don’t have a ground truth, as much as a range of possible truths.  Those two particles that have been entangled, it’s not their truth that is opposite, it’s their ranges.  Normal cryptanalysis isn’t really set up to understand that — we work in binaries, 1’s and 0’s.  We certainly don’t have detectors that can be smoothly rotated from “detects 1’s” to “detects 0’s”, and if we did we would assume as they rotated there would be a linear drop in 1’s detected matching a linear increase in 0’s.

  When we actually do the work, though, we never see linear relationships.  We always see curves, cos^2 in nature, demonstrating that the classical interpretation is wrong.  There are always two probability distributions intersecting.


  Here’s the thing, and I could be wrong, but maybe I’ll inspire something right.  Bell Inequalities prove a central thesis of quantum mechanics — that reality is probabilistic — but Bell’s Theorem speaks about all of quantum mechanics.  There’s a lot of weird stuff in there!  Intersecting probability distributions is required, the explanations that have been made for them are not necessarily necessary.

  More to the point, I sort of wonder if people think it’s “local hidden variables” XOR “quantum mechanics” — if you have one, you can’t have the other.  Is that true, though?  You can certainly explain at least Bell Inequalities trivially, if the crystal that is emitting entangled particles emits equal and opposite polarizations, on average.  In other words, there’s a probability distribution for each photon’s polarization, and it’s locally probed at the location of the crystal, twice.

  I know, it would seem to violate conservation of angular momentum.  But, c’mon.  There’s lots of spare energy around.  It’s a crystal, they’re weird, they can get a tiny bit colder.  And “Nuh-uh-uh, Isaac Newton!  For every action, there is an equal and opposite probability distribution of a reaction!” is really high up on the index of Shit Quantum Physicists Say.

Perhaps more likely, of course, is that there’s enough hidden state to bias the probability distribution of a reaction, or is able to fully describe the set of allowable output behaviors for any remote unknown input.  Quantum Physics biases random variables.  It can bias them more.  What happens to any system with a dependency on random variables that suddenly aren’t?  Possibly the same thing that happens to everything else.

  Look.  No question quantum mechanics is accurate, it’s predictive of large chunks of the underlying technology the Information Age is built on.  The experiment is always right, you’re just not always sure what it’s right about.  But to explain the demonstrable truths of probability distribution intersection, Quantum Physicists have had to go to some pretty astonishing lengths.  They’ve had to bend on the absolute speed limit of the universe, because related reactions were clearly happening in multiple places in a manner that would require superluminal (non-)communication.

  I guess I just want to ask, what would happen if there’s just a terrible RNG down there — non-linear to all normal analysis, but repeat its seed in multiple particles and all hell breaks loose?  No really, what would happen?

   Because that is the common bug in all PRNGs, cryptographically secure and otherwise.  Quantum mechanics describes how the fundamental unstructured randomness of the universe is shaped and structured into probability distributions.  PRNGs do the opposite — they take structure, any structure, even fully random bits limited only by their finite number — and make them an effectively unbound stream indistinguishable from what the Universe has to offer.

  The common PRNG bug is that if the internal state is repeated, if the exact bits show up in the same places and the emission counter (like the digit of pi requested) is identical, you get repeated output.

  I’m not saying quantum entanglement demonstrates bad crypto.  I wouldn’t know.  Would you?

  Because here’s the thing.  I like quantum physics.  I also like relativity.  The two fields are both strongly supported by the evidence, but they don’t exactly agree with one another.  Relativity requires nothing to happen faster than the speed of light; Quantum Physics kind of needs its math to work instantaneously throughout the universe.  A sort of detente has been established between the two successful domains, called the No Communication theorem.  As long as only the underlying infrastructure of quantum mechanics needs to go faster than light, and no information from higher layers can be transmitted, it’s OK.

   It’s a decent hack, not dissimilar to how security policies never seem to apply to security systems.  But how could that even work?  Do particles (or waves, or whatever) have IP addresses?  Do they broadcast messages throughout the universe, and check all received messages for their identifier?  Are there routers to reduce noise?  Do they maintain some sort of line of sight at least?  At minimum, there’s some local hidden variable even in any non-local theory, because the system has to decide who to non-locally communicate with.  Why not encode a LUT (Look Up Table) or a function that generates the required probability distributions for all possible future interactions, thus saving the horrifying complexity of all particles with network connections to all other particles?

  Look, one can simulate weak random number generators in each quantum element, and please do, but I think non-locality must depend on some entirely alien substrate, simulating our universe with a speed of light but choosing only to use that capacity for its own uses.  The speed of light itself is a giant amount of complexity if instantaneous communication is available too.

  Spooky action at a distance, time travel, many worlds theories, simulators from an alien dimension…these all make for rousing episodes of Star Trek, but cryptography is a thing we actually see in the world on a regular basis.  Bad cryptography, even more so.


  I mentioned earlier, at the limit, math may model the universe, but our ability to extract that math ultimately depends on our ability to comprehend the patterns in the universe’s output.  Math is under no constraint to grant us analyzable output.

  Is the universe under any constraint to give us the amount of computation necessary to construct cryptographic functions?  That, I think, is a great question.

  At the extreme, the RSA asymmetric cipher can be interpreted symmetrically as F(p,q)==n, with p and q being large prime numbers and F being nothing more than multiply.  But that would require the universe to support math on numbers hundreds of digits long.  There’s a lot of room at the bottom but even I’m not sure there’s that much.  There’s obviously some mathematical capacity, though, or else there’d be nothing (and no one) to model.

  It actually doesn’t take that much to create a bounded function that resists (if not perfectly) even the most highly informed degree of relinearizing statistical work, cryptanalysis.  This is XTEA:

#include <stdint.h>

/* take 64 bits of data in v[0] and v[1] and 128 bits of key[0] - key[3] */
void encipher(unsigned int num_rounds, uint32_t v[2], uint32_t const key[4]) {
    unsigned int i;
    uint32_t v0=v[0], v1=v[1], sum=0, delta=0x9E3779B9;
    for (i=0; i < num_rounds; i++) {
        /* each half is mixed with the other half and a key word selected by sum */
        v0 += (((v1 << 4) ^ (v1 >> 5)) + v1) ^ (sum + key[sum & 3]);
        sum += delta;
        v1 += (((v0 << 4) ^ (v0 >> 5)) + v0) ^ (sum + key[(sum>>11) & 3]);
    }
    v[0]=v0; v[1]=v1;
}
  (One construction for PRNGs, not the best, is to simply encrypt 1,2,3… with a secret key.  The output bits are your digits, and like all PRNGs, if the counter and key repeat, so does the output.)
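The counter construction just described, as an added example that is not part of the original post: XTEA run in counter mode, where the whole internal state is a 128-bit key plus a 64-bit counter. The block also supplies the inverse (decipher) the post only hints at, and two checks that spell out the "common PRNG bug": two generators holding the same (key, counter) emit byte-for-byte identical streams, while any change of counter changes the output, because a block cipher under a fixed key is a permutation. The key and the plaintext block used below are constructed for the demonstration, not taken from the post.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define XTEA_DELTA 0x9E3779B9u
#define XTEA_ROUNDS 32

/* XTEA forward: 64-bit block in v[0],v[1]; 128-bit key in key[0..3]. */
void xtea_encipher(unsigned num_rounds, uint32_t v[2], const uint32_t key[4]) {
    uint32_t v0 = v[0], v1 = v[1], sum = 0;
    for (unsigned i = 0; i < num_rounds; i++) {
        v0 += (((v1 << 4) ^ (v1 >> 5)) + v1) ^ (sum + key[sum & 3]);
        sum += XTEA_DELTA;
        v1 += (((v0 << 4) ^ (v0 >> 5)) + v0) ^ (sum + key[(sum >> 11) & 3]);
    }
    v[0] = v0; v[1] = v1;
}

/* XTEA inverse: start sum where the forward loop ended, undo each step in
   reverse order.  Every step is a modular add of a value recomputable from
   the other half, so subtraction walks the state back exactly. */
void xtea_decipher(unsigned num_rounds, uint32_t v[2], const uint32_t key[4]) {
    uint32_t v0 = v[0], v1 = v[1], sum = XTEA_DELTA * num_rounds;
    for (unsigned i = 0; i < num_rounds; i++) {
        v1 -= (((v0 << 4) ^ (v0 >> 5)) + v0) ^ (sum + key[(sum >> 11) & 3]);
        sum -= XTEA_DELTA;
        v0 -= (((v1 << 4) ^ (v1 >> 5)) + v1) ^ (sum + key[sum & 3]);
    }
    v[0] = v0; v[1] = v1;
}

/* Counter-mode generator: output block i is XTEA_key(i).  The (key, counter)
   pair is the entire internal state; repeat it and the stream repeats. */
typedef struct {
    uint32_t key[4];
    uint64_t counter;
} ctr_prng;

void ctr_prng_seed(ctr_prng *g, const uint32_t key[4], uint64_t counter) {
    memcpy(g->key, key, sizeof g->key);
    g->counter = counter;
}

uint64_t ctr_prng_next(ctr_prng *g) {
    uint32_t v[2] = { (uint32_t)g->counter, (uint32_t)(g->counter >> 32) };
    g->counter++;
    xtea_encipher(XTEA_ROUNDS, v, g->key);
    return ((uint64_t)v[1] << 32) | v[0];
}

/* Constructed key for the demonstrations below (not from the post). */
static const uint32_t DEMO_KEY[4] = { 0x01234567u, 0x89abcdefu, 0xfedcba98u, 0x76543210u };

/* 1 if decipher(encipher(block)) == block for a constructed block. */
int xtea_roundtrip_ok(void) {
    uint32_t v[2] = { 0xdeadbeefu, 0xcafebabeu }, orig[2] = { 0xdeadbeefu, 0xcafebabeu };
    xtea_encipher(XTEA_ROUNDS, v, DEMO_KEY);
    if (v[0] == orig[0] && v[1] == orig[1]) return 0;   /* cipher did nothing */
    xtea_decipher(XTEA_ROUNDS, v, DEMO_KEY);
    return v[0] == orig[0] && v[1] == orig[1];
}

/* The common PRNG bug: two instances with identical (key, counter) state emit
   identical output wherever they run.  Returns 1 if all n words match. */
int same_state_same_output(size_t n) {
    ctr_prng a, b;
    ctr_prng_seed(&a, DEMO_KEY, 1);
    ctr_prng_seed(&b, DEMO_KEY, 1);
    for (size_t i = 0; i < n; i++)
        if (ctr_prng_next(&a) != ctr_prng_next(&b)) return 0;
    return 1;
}

/* Different counters give different output: under one key the cipher is a
   permutation of 64-bit blocks, so distinct inputs cannot collide. */
int different_counter_differs(void) {
    ctr_prng a, b;
    ctr_prng_seed(&a, DEMO_KEY, 1);
    ctr_prng_seed(&b, DEMO_KEY, 2);
    return ctr_prng_next(&a) != ctr_prng_next(&b);
}

int main(void) {
    ctr_prng g;
    ctr_prng_seed(&g, DEMO_KEY, 0);
    for (int i = 0; i < 4; i++)
        printf("%016llx\n", (unsigned long long)ctr_prng_next(&g));
    printf("roundtrip=%d same_state=%d differs=%d\n",
           xtea_roundtrip_ok(), same_state_same_output(16), different_counter_differs());
    return 0;
}
```

The "not the best" caveat in the post applies: this generator has no forward secrecy (a leaked key reveals every past and future word) and XTEA's 64-bit block makes the output distinguishable from random after a few billion blocks. Its value here is that the failure mode is plain to see: the state is nothing but (key, counter), so whatever duplicates that state duplicates the "randomness".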

  The operations we see here are:

  1. The use of a constant.  There are certainly constants of the universe available at 32 bits of detail.
  2. Addition.  No problem.
  3. Bit shifts.  So that’s two things — multiplication or division by a power of two, and quantization loss of some amount of data.  I think you’ve got that, it is called quantum mechanics after all.
  4. XOR and AND.  This is tricky.  Not because you don’t have exclusion available — it’s not called Pauli’s Let’s Have A Party principle — but because these operations depend on a sequence of comparisons across power of two measurement agents, and then combining the result.  Really easy on a chip, do you have that kind of magic in your bag of tricks?  I don’t know, but I don’t think so.

  There is a fifth operation that is implicit, because this is happening in code.  All of this is happening within a bitvector 32 bits wide, that is, in the integers mod 2^32 (Z/2^32Z to algebraists, "% 2**32" to programmers; note this is the ring of wrapping integers, not the finite field GF(2^32), whose multiplication works differently).  Basically, all summation will loop around.  It's OK, given the proper key material there's absolutely an inverse function that will loop backwards over all these transformations and restore the original state (hint, hint).

  Modular arithmetic is the math of clocks, so of course you’d expect it to exist somewhere in a world filled with things that orbit and spin.  But, in practical terms, it does have a giant discontinuity as we approach 1 and reset to 0.  I’m sure that does happen — you either do have escape velocity and fly off into the sunset, or you don’t, crash back to earth, and *ahem* substantially increase your entropy — but modular arithmetic seems to mostly express at the quantum scale trigonometrically.  Sine waves can possibly be thought of as a “smoothed” mod, that exchanges sharp edges for nice, easy curves.

  Would trig be an improvement to cryptography?  Probably not! It would probably become way easier to break!  While the universe is under no constraint to give you analyzable results, it’s also under no constraint not to.  Crypto is hard even if you’re trying to get it right; randomly throwing junk together will (for once) not actually give you random results.

  And not having XOR or AND is something notable (a problem if you’re trying to hide the grand secrets of the universe, a wonderful thing if you’re trying to expose them).  We have lots of functions made out of multiply, add, and mod.  They are beloved by developers for the speed at which they execute.  Hackers like ‘em too, they can be predicted and exploited for remote denial of service attacks.  A really simple function comes from the legendary Dan Bernstein:

/* multiplicative hash: h = 33*h + byte, wrapping mod 2^32 */
unsigned djb_hash(const void *key, int len)
{
    const unsigned char *p = key;
    unsigned h = 0;
    int i;

    for (i = 0; i < len; i++)
        h = 33 * h + p[i];

    return h;
}
  You can see the evolution of these functions at , what should be clear is that there are many ways to compress a wide distribution into a small one, with various degrees of uniformity and predictability.
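The denial-of-service remark above deserves a worked illustration, so here is an added example (not from the post or from Bernstein): because djb_hash is linear in every input byte, adding 1 to byte i and subtracting 33 from byte i+1 leaves the hash unchanged. Applying that tweak independently to each pair of bytes turns one key into 2^(len/2) distinct keys with the same hash, which is exactly the input set an attacker sends to a hash table to collapse it into a single bucket. The base key "password" is constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>

/* The multiplicative hash from the post: h = 33*h + byte, mod 2^32. */
unsigned djb_hash(const void *key, int len) {
    const unsigned char *p = key;
    unsigned h = 0;
    for (int i = 0; i < len; i++)
        h = 33 * h + p[i];
    return h;
}

/* Byte i contributes p[i]*33^(len-1-i) and byte i+1 contributes p[i+1]*33^(len-2-i),
   so +1 on byte i and -33 on byte i+1 cancel exactly.  The only care needed is
   that neither byte wraps around 0..255, which would add a stray 256 or 33*256. */
int djb_tweak_pair(unsigned char *s, int i) {
    if (s[i] == 255 || s[i + 1] < 33) return 0;
    s[i] += 1;
    s[i + 1] -= 33;
    return 1;
}

/* Variant number `variant` of `base`: bit j of `variant` decides whether pair
   (2j, 2j+1) is tweaked.  Returns 0 if a selected pair would wrap, in which
   case `out` must not be used. */
int djb_variant(const char *base, int len, unsigned variant, unsigned char *out) {
    memcpy(out, base, (size_t)len);
    for (int j = 0; 2 * j + 1 < len; j++)
        if ((variant >> j) & 1u)
            if (!djb_tweak_pair(out, 2 * j)) return 0;
    return 1;
}

/* Count how many of the 2^(len/2) variants of `base` hash identically to it. */
unsigned djb_count_colliding_variants(const char *base, int len) {
    unsigned char out[64];
    unsigned total, hits = 0, target;
    if (len < 2 || len > 32) return 0;
    total = 1u << (len / 2);
    target = djb_hash(base, len);
    for (unsigned v = 0; v < total; v++)
        if (djb_variant(base, len, v, out) && djb_hash(out, len) == target)
            hits++;
    return hits;
}

int main(void) {
    const char *base = "password";
    unsigned char out[16] = {0};
    printf("base %s -> %08x\n", base, djb_hash(base, 8));
    for (unsigned v = 1; v < 4; v++) {
        djb_variant(base, 8, v, out);
        printf("variant %u: %s -> %08x\n", v, out, djb_hash(out, 8));
    }
    printf("%u colliding variants\n", djb_count_colliding_variants(base, 8));
    return 0;
}
```

Sixteen colliding eight-byte keys come out of one base string with no search at all; longer keys give exponentially more. This is why hash tables exposed to attacker-chosen keys (HTTP parameter names, JSON object keys) moved to keyed hash functions: the multiply-add structure that makes djb_hash fast is the same structure that makes its collisions predictable.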

  Of course, Quantum Physicists actually know what tools they have to model the Universe at this scale, and their toolkit is vast and weird.  A very simple compression function though might be called Roulette — take the sine of a value with a large normal or Poisson distribution, and emit the result.  The output will be mostly (but not quite actually) uniform.

  Now, such a terrible RNG would be vulnerable to all sorts of “chosen plaintext” or “related key” attacks.  And while humans have learned to keep the function static and only have dynamic keys if we want consistent behavior, wouldn’t it be tragic if two RNGs shipped with identical inputs, one with a RNG configured for sine waves, the other configured for cosine?  And then the results were measured against one another?  Can you imagine the unintuitive inequalities that might form?

  Truly, it would be the original sin.


  I admit it.  I’m having fun with this (clearly).  Hopefully I’m not being too annoying.  Really, finally diving into the crazy quantum realm has been incredibly entertaining.  Have you ever heard of Young’s experiment?  It was something like 1801, and he took a pinhole of sunlight coming through a wall and split the light coming out of it with a note card.  Boom!  Interference pattern!  Proved the existence of some sort of wave nature for light, with paper, a hole, and the helpful cooperation of a nearby stellar object.  You don’t always need a particle accelerator to learn something about the Universe..

  You might wonder why I thought it’d be interesting to look at all this stuff.  I blame Nadia Heninger.  She and her friends discovered that about (actually, at least) one in two hundred private cryptographic keys were actually shared between systems on the Internet, and were thus easily computed.  Random number generation had been shown to have not much more than two nines of reliability in a critical situation.  A lot of architectures for better RNG had been rejected, because people were holding out for hardware.  Now, of course, we actually do have decent fast RNG in hardware, based on actual quantum noise.  Sometimes people are even willing to trust it.

  Remember, you can’t differentiate the universe from hidden variable math, just on output alone.

  So I was curious what the de minimis quantum RNG might look like.  Originally I wanted to exploit the fact that LEDs don't just emit light, they generate electricity when illuminated.  That shouldn't be too surprising, they're literally photodiodes.  Not very good ones, but that's kind of the charm here.  I haven't gotten that working yet, but what has worked is:

  1. An arduino
  2. A capacitor
  3. There is no 3

  It’s a 1 Farad, 5V capacitor.  It takes entire seconds to charge up.  I basically give it power until 1.1V, and let it drain to 1.0V.  Then I measure, with my nifty 10 bit ADC, just how much voltage there is per small number of microseconds.

  Most, maybe all TRNGs, come down to measuring a slow clock with a fast clock.  Humans are pretty good at keeping rhythm at the scale of tens of milliseconds.  Measure us to the nanosecond, and that’s just not what our meat circuits can do consistently.

   How much measurement is enough?  10 bits of resolution to model the behavior of trillions of electrons doesn’t seem like much.  There’s structure in the data of course, but I only need to think I have about 128 bits before I can do what you do, and seed a CSPRNG with the quantum bits.  It’ll prevent any analysis of the output that might be, you know, correlated with temperature or power line conditions or whatnot.

  And that’s the thing with so-called True RNGs, or TRNGs.  Quantum Physics shapes the fundamental entropy of the universe, whether you like it or not, and acts as sort of a gateway filter to the data you are most confident lacks any predictable structure, and adds predictable structure.  So whenever we build a TRNG, we always overcollect, and very rarely directly expose.  The great thing about TRNGs is — who knows what junk is in there?  The terrifying thing about TRNGs is, not you either.
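"Overcollect, rarely expose directly" has a minimal concrete form, shown here as an added example that is not code from the post (whose Arduino sketch is not reproduced on the page): a von Neumann extractor over the least significant bits of ADC readings. It consumes raw bits in pairs, emits 0 for 01 and 1 for 10, and discards 00 and 11; for independent bits with any fixed bias the output is exactly unbiased, at the price of throwing away at least three quarters of the raw bits. The ADC readings are constructed inline from xorshift32 with a deliberate 70% bias toward 1 and stand in for real analogRead() samples.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Von Neumann extractor: 01 -> 0, 10 -> 1, 00 and 11 are dropped.
   Returns the number of output bits written to `out` (at most n/2). */
size_t von_neumann(const unsigned char *raw_bits, size_t n, unsigned char *out) {
    size_t emitted = 0;
    for (size_t i = 0; i + 1 < n; i += 2) {
        if (raw_bits[i] == raw_bits[i + 1]) continue;   /* 00 or 11: discard pair */
        out[emitted++] = raw_bits[i];                    /* 10 -> 1, 01 -> 0 */
    }
    return emitted;
}

/* Fraction of ones in a bit array (one bit per byte, value 0 or 1). */
double ones_fraction(const unsigned char *bits, size_t n) {
    size_t ones = 0;
    if (n == 0) return 0.0;
    for (size_t i = 0; i < n; i++) ones += bits[i];
    return (double)ones / (double)n;
}

/* Constructed stand-in for the capacitor ADC: the LSB of 10-bit readings, biased
   so that about 70% of them are 1.  This is shaped pseudo-random output, NOT
   measured data; a real sketch would take `analogRead(pin) & 1` here. */
size_t fake_adc_lsbs(unsigned char *out, size_t n) {
    uint32_t x = 0x2545F491u;
    for (size_t i = 0; i < n; i++) {
        x ^= x << 13; x ^= x >> 17; x ^= x << 5;
        uint32_t sample = x & 0x3FFu;                    /* 10-bit ADC range */
        unsigned char lsb = (unsigned char)((sample >> 0) & 1u);
        if ((x >> 24) < 102) lsb = 1;                    /* ~40% forced to 1 => P(1) ~ 0.7 */
        out[i] = lsb;
    }
    return n;
}

#define RAW_BITS 20000

double demo_raw_bias(void) {
    unsigned char raw[RAW_BITS];
    return ones_fraction(raw, fake_adc_lsbs(raw, RAW_BITS));
}

size_t demo_whitened_count(void) {
    unsigned char raw[RAW_BITS], out[RAW_BITS / 2];
    return von_neumann(raw, fake_adc_lsbs(raw, RAW_BITS), out);
}

double demo_whitened_bias(void) {
    unsigned char raw[RAW_BITS], out[RAW_BITS / 2];
    size_t m = von_neumann(raw, fake_adc_lsbs(raw, RAW_BITS), out);
    return ones_fraction(out, m);
}

int main(void) {
    printf("raw:      %d bits, P(1) = %.3f\n", RAW_BITS, demo_raw_bias());
    printf("whitened: %zu bits, P(1) = %.3f\n", demo_whitened_count(), demo_whitened_bias());
    return 0;
}
```

Two caveats a practitioner would want. The extractor's guarantee assumes the raw bits are independent and identically biased; ADC LSBs that drift with temperature or power-line conditions, as the post notes, violate that, so the whitened bits still go into a CSPRNG as seed material rather than out to a caller. And the yield (here roughly 4,200 bits from 20,000) is why "overcollect" is the rule: to believe you hold 128 good bits you gather far more than 128 raw ones.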

  In researching this post, I found the most entertaining paper:  Precise Monte Carlo Simulation of Single Photon Detectors (  It had this quote:

Using a simple but very demanding example of random number generation via detection of Poissonian photons exiting a beam splitter, we present a Monte Carlo simulation that faithfully reproduces the serial autocorrelation of random bits as a function of detection frequency over four orders of magnitude of the incident photon flux.

  See, here is where quantum nerds and crypto nerds diverge.

  Quantum nerds:  “Yeah, detectors suck sometimes, universe is fuzzy whatcha gonna do”


  Both are wrong, both are right, damn superposition.  It might be interesting to investigate further.


  You may have noticed throughout this post that I use the phrase randomness, instead of entropy.  That is because entropy is a term that cryptographers borrowed from physicists.  For us, entropy is just an abstract measure of how much we’d have to work if we threw up our hands on the whole cryptanalysis enterprise and just tried every possibility.  For experimental physicists, entropy is something of a thing, a condition, that you can remove from a system like coal on a cart powered by a laser beam.

  Maybe we should do that.  Let me explain.  There is a pattern, when we’re attacking things, that the closer you get to the metal the more degrees of freedom you have to mess with its normal operations.  One really brutal trick involves bypassing a cryptographic check, by letting it proceed as expected in hardware, and then just not providing enough electrons to the processor at the very moment it needs to report the failure.  You control the power, you control the universe.

   Experimental physicists control a lot of this particular universe.  You know what sort of cryptographic attack we very rarely get to do?  A chosen key attack.

  Maybe we should strip as much entropy from a quantum system as physically possible, and see just how random things are inside the probability distributions that erupt upon stimulation.  I don't think we'll see any distributional deviations from quantum mechanics, but we might see motifs (to borrow a phrase from bioinformatics) — sequences of precise results that we've seen before.  Coarse-grain identity, fine-grain repeats.

  Worth taking a look.  Obviously, I don't need to tell physicists how to remove entropy from their system.  But it might be worth mentioning: if you make things whose size isn't specified to matter a multiple of prime integer relationships to a size that is known to be available to the system, you might see unexpected peaks as integer relationships in unknown equations expose themselves as sharing factors with your experimental setup.  I'm not quite sure you'll find anything, and you'll have to introduce some slop (and compensate for things like signals propagating at different speeds as photons in free space or as electronic vibrations within objects), but maybe, if this isn't already common exploratory experimental practice, you'll find something cool.

   I know, I’m using the standard hacker attack patterns where they kind of don’t belong.  Quantum Physics has been making some inroads into crypto though, and the results have been interesting.  If you think input validation is hard now, imagine if packet inspection was made illegal by the laws of the Universe.  There was actually this great presentation at CCC a few years ago that achieved 100% key recovery on common quantum cryptographic systems — check it out.

   So maybe there’s some links between our two worlds, and you’ll grant me some leeway to speculate wildly (if you’ve read this far, I’m hoping you already have).  Let’s imagine for a moment, that in the organization I’ll someday run with a small army dedicated to fixing the Internet, I’ve got a couple of punk experimentalist grad students who know their way around an optics table and still have two eyes.  What would I suggest they do?

  I see lots of experiments providing positive confirmation of quantum mechanics, which is to be expected because the math works.  But you know, I'd try something else.  A lot of the cooler results from Quantum Physics show up in the two slit experiment, where coherent light is shone through two slits and interferes as waves on its way to a detector.  It's amazing, particularly since it shows up even when there's only one photon, or one electron, going through the slits.  There's nothing else to interfere with!  Very cool.

  There’s a lot of work going on in showing interference patterns in larger and larger things.  We don’t quite know why the behaviors correctly predicted by Quantum Physics don’t show up in, like, baseballs.  The line has to be somewhere, we don’t know why or where.  That’s interesting work!  I might do something else, though.

  There exists an implemented behavior:  An interference pattern.  It is fragile, it only shows up in particular conditions.  I would see what breaks that fragile behavior, that shouldn’t.  The truth about hacking is that as creative as it is, it is the easy part.  There is no human being on the planet that can assemble a can of Coca-Cola, top to bottom.  Almost any person can destroy a can though, along with most of the animal kingdom and several natural processes.

  So yes.  I’m suggesting fuzzing quantum physics.  For those who don’t know, a lot of systems will break if you just throw enough crap at the wall.  Eventually you’ll hit some gap between the model a developer had in his mind for what his software did, and what behaviors he actually shipped.

  Fuzzing can be completely random, and find lots of problems.  But one of the things we’ve discovered over the years is that understanding what signals a system is used to processing, and composing them in ways a system is not used to processing, exposes all sorts of failure conditions.  For example, I once fuzzed a particular web browser.  Those things are huge!  All sorts of weird parsers, that can be connected in almost but not quite arbitrary ways.  I would create these complex trees of random objects, would move elements from one branch to another, would delete a parent while working on a child, and all the while, I’d stress the memory manager to make sure the moment something was apparently unneeded, it would be destroyed.

  I tell you, I’d come to work the next day and it’d be like Christmas.  I wonder what broke today!  Just because it can compose harmlessly, does not at all mean it will.  Shared substrates like the universe of gunk lashing a web browser together never entirely implement their specifications perfectly.  The map is not the territory, and models are always incomplete.

  Here’s the thing.  We had full debuggers set up for our fuzzers.  We would always know exactly what caused a particular crash.  We don’t have debuggers for reality at the quantum scale, though wow, I wish we did.  Time travel debugging would be awesome.  

  I want to be cautious here, but I think this is important to say.  Without a debugger, many crashes look identical.  You would not believe the number of completely different things that can cause a web browser to give up the ghost.  Same crash experience every time, though.  Waves, even interference waves, are actually a really generic failure mode.  The same slits that will pass photons, will also pass air molecules, will also pass water molecules.  Stick enough people in a stadium and give them enough beer and you can even make waves out of people.

  They’re not the same waves, they don’t have the same properties, that’s part of the charm of Quantum Physics.  Systems at different scales do behave differently.  The macro can be identical, the micro can be way, way different.

  Interference is fairly intuitive for multi-particle systems.  Alright, photons spin through space, have constructive and destructive modes when interacting in bulk, sure.  It happens in single photon and electron systems too, though.  And as much as I dislike non-locality, the experiment is always right.  These systems behave as if they know all the paths they could take, and choose one.

  This does not necessarily need to be happening for the same reasons in single photon systems, as it is in long streams of related particles.  It might be!  But, it’s important to realize, there won’t just be waves from light, air, and water.  Those waves will have similarities, because while the mechanisms are completely different, the ratios that drive them remain identical (to the accuracy of each regime).

  Bug collisions are extremely annoying.

  I know I’m speaking a bit out of turn.  It’s OK.  I’m OK with being wrong, I just generally try to not be, you know.  Not even wrong.  What’s so impressive about superposition is that the particle behaves in a manner that belies knowledge it should not have.  No cryptographic interpretation of the results of Quantum Physics can explain that; you cannot operate on data you do not have.  Pilot wave theory is a deterministic conception of quantum physics, not incompatible at all with this cryptographic conjecture, but it too has given up on locality.  You need to have an input, to account for it in your output.

  But the knowledge of the second slit is not necessarily absent from the universe as perceived by the single photon.  Single photon systems aren’t.  It’s not like they’re flying through an infinitely dark vacuum.  There’s black body radiation everywhere, bouncing off the assembly, interfering through the slits, making a mess of things.  I know photons aren’t supposed to feel the force of others at different wavelengths, but we’re talking about the impact on just one.  Last I heard, there’s a tensor field of forces everything has to go through, maybe it’s got a shadow.  And the information required is some factor of the ratio between slits, nothing else.  It’s not nothing but it’s a single value.

  The single particle also needs to pass through the slits.  You know, there are vibratory modes.  Every laser assembly I see isolates the laser from the world.  But you can’t stop the two slits from buzzing, especially when they’re being hit by all those photons that don’t miss the assembly.  Matter is held together by electromagnetic attraction; a single photon versus a giant hunk of mass has more of an energy differential than myself and Earth.  There doesn’t need to be much signal transfer there, to create waves.  There just needs to be transfer of the slit distance.

Might be interesting to smoothly scale your photon count from single photon in the entire assembly (not just reaching the photodetector), through blindingly bright, and look for discontinuities.  Especially if you’re using weak interactions to be trajectory aware.

  In general, change things that shouldn’t matter.  There are many other things that have knowledge of the second photon path.  Reduce the signal so that there’s nothing to work on, or introduce large amounts of noise so it doesn’t matter that the data is there.  Make things hot, or cold.  Introduce asymmetric geometries, make a photon entering the left slit see a different (irrelevant) reality than the photon entering the right.  As in, there are three slits, nothing will even reach the middle slit because it’s going to be blocked by a mirror routing it to the right slit, but the vibratory mode between left and middle is different than that for middle and right.  Or at least use different shapes between the slits, so that the vibratory paths are longer than crow flies distance.  Add notch filters and optical diodes where they shouldn’t do anything.  Mirrors and retroreflectors too.  Use weird materials — ferromagnetic, maybe, or anti-ferromagnetic.  Bismuth needs its day in the sun.  Alter density, I’m sure somebody’s got some depleted uranium around, gravity’s curvature of space might not be so irrelevant.  Slits are great, they’re actually not made out of anything!  You know what might be a great thing to make two slits out of?  Three photodetectors!  Actually, cell phones have gotten chip sensors to be more sensitive than the human eye, which in the right conditions is itself a single photon detector.  I wonder just what a Sony ISX-017 (“Starvis”) can do.

You know what’s not necessarily taking nanoseconds to happen?  Magnetization!  It can occur in femtoseconds and block an electron from the right slit while the left slit is truly none the wiser.  Remember, you need to try each mechanism separately, because the failure mode of anything is an interference pattern.

   Just mess with it!  Professors, tell your undergrads, screw things up.  Don’t set anything on fire.  You might not even have to tell them that.

  And then you go set something on fire, and route your lasers through it.  Bonus points if they’re flaming hoops.  You’ve earned it.

  I’ll be perfectly honest.  If any of this works, nobody would be more surprised than me.  But who knows, maybe this will be like that time somebody suggested we just send an atomic clock into space to unambiguously detect time dilation from relativity.  A hacker can dream!  I don’t want to pretend to be telling anyone how the universe works, because how the heck would I know.  But maybe I can ask a few questions.  Perhaps, strictly speaking, this is a disproof of Bell’s Theorem that is not superdeterminism.  Technically a theory does not need to be correct to violate his particular formulation.  It might actually be the case that this… Quantum Encraption is a local hidden variable theory that explains all the results of quantum mechanics.


P.S. This approach absolutely does not predict a deterministic universe.  Laser beams eventually decohere, just not immediately.  Systems can absolutely have a mix of entropy sources, some good, some not.  It takes very, very little actual universal entropy to create completely unpredictable chaos, and that’s kind of the point.  The math still works just as predictably even with no actual randomness at all.  Only if all entropy sources were deterministic at all scales could the universe be as well.  And even then, the interaction of even extremely weak cryptosystems is itself strongly unpredictable over the scale of, I don’t know, billions of state exchanges.  MD5 is weak, a billion rounds of MD5 is not.  So there would be no way to predict or influence the state of the universe even given perfect determinism without just outright running the system.

[edit]P.P.S. “There is no outcome in quantum mechanics that cannot be handled by encraption, because if there was, you could communicate with it.”  I’m not sure that’s correct but you know what passes the no communication theory really easily?  No communication.  Also, please, feel free to mail me privately at or comment below.

OCR Releases Improved Data Breach Reporting Tool

On July 25, 2017, the U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) announced the release of an updated web tool that highlights recent data breaches of health information.

Entities covered by the Health Insurance Portability and Accountability Act (“HIPAA”) are required to notify OCR when they experience a data breach. OCR publishes information it receives regarding data breaches affecting more than 500 individuals on its HIPAA Breach Reporting Tool (“HBRT”). OCR uses the HBRT to provide transparency to the public and HIPAA-covered entities by sharing information regarding reported data breaches, including (1) the name of the reporting entity; (2) the number of individuals affected by the data breach; (3) the type of data breach (e.g., hacking/IT incident, theft, loss, unauthorized access/disclosure); and (4) the location of the breached information (e.g., laptop, paper records, desktop computer).

In the email announcing its recent updates, OCR highlighted the following new features of the HBRT:

  • enhanced functionality that highlights data breaches currently under investigation and reported within the last 24 months;
  • an archive including all older data breaches;
  • improved navigation to additional data breach information; and
  • tips for consumers.

OCR stated that it plans to expand and improve the HBRT over time to add functionality and features based on the feedback it receives.


CRASHOVERRIDE, aka Industroyer, is the fourth family of malware publicly identified as targeting industrial control systems (ICS). It uses a modular design, with payloads that target several industrial communication protocols and are capable of directly controlling switches and circuit breakers. Additional modules include a data-wiping component and a module capable of causing a denial of service (DoS) to Siemens SIPROTEC devices.

Nominate Hunton’s Privacy Blog for the ABA Journal’s Web 100 Amici Award

The ABA Journal has announced that it is accepting nominations for its Web 100 Amici award, which recognizes legal blogs. We hope you will continue to show your support for Hunton & Williams’ Privacy & Information Security Law blog by nominating the blog for this award.

Nominations are due on July 30, and you can access the form here. If you enjoy reading the blog, we would be grateful if you would take a few minutes to submit your nomination.

The Privacy & Information Security Law Blog was ranked as the top Cybersecurity and Information Privacy blog and #2 overall Best AmLaw Blog of 2016 by the Expert Institute, #1 Privacy & Data Security blog in LexBlog’s 2015 AmLaw 200 Blog Benchmark Report, and named PR News’ Best Legal PR Blog in 2011. One commentator noted that the Hunton “privacy blog influences global privacy and data security developments.”

The big secret behind Google Play Protect on Android

New Jersey Shopper Privacy Bill Signed into Law

On July 21, 2017, New Jersey Governor Chris Christie signed a bill that places new restrictions on the collection and use of personal information by retail establishments for certain purposes. The statute, which is called the Personal Information and Privacy Protection Act, permits retail establishments in New Jersey to scan a person’s driver’s license or other state-issued identification card only for the following eight purposes:

  • to verify the authenticity of the identification card or to verify the identity of the person if the person pays for goods or services with a method other than cash, returns an item or requests a refund or an exchange;
  • to verify the person’s age when providing age-restricted goods or services to the person;
  • to prevent fraud or other criminal activity if the person returns an item or requests a refund or an exchange and the business uses a fraud prevention service company or system;
  • to prevent fraud or other criminal activity related to a credit transaction to open or manage a credit account;
  • to establish or maintain a contractual relationship;
  • to record, retain or transmit information as required by state or federal law;
  • to transmit information to a consumer reporting agency, financial institution or debt collector to be used as permitted by the Fair Credit Reporting Act or certain other relevant federal laws; or
  • to record, retain or transmit information by a covered entity pursuant to the Health Insurance Portability and Accountability Act of 1996.

In addition, the law limits the information which retail establishments may collect from the scanned identification cards. The information that may be collected from the card includes the person’s name, address, date of birth, the state issuing the identification card and the identification card number. The law also places restrictions on the retention, sale and sharing of such information and establishes security requirements for any information retained from the scanned identification cards. The law emphasizes that retailers must report security breaches of certain information collected from scanned identification cards pursuant to New Jersey’s security breach notification statute.

The law is set to take effect three months from the date of enactment.

Startup Security Weekly #47 – Cupcakes For Breakfast

Ronnie Feldman of Learnings & Entertainments joins us. In the news, how to be “customer first”, four components of a successful sales strategy, and updates from Symantec, Nok Nok Labs, Flashpoint, HyTrust, and more!

Full Show Notes: for all the latest episodes!

What is Data Privacy and why is it an important issue?

The question of whether privacy is a fundamental right is being argued before the honorable Supreme Court of India. It is a topic to which a young India is waking up. Privacy is often equated with liberty, and young Indians want adequate protection to express themselves.

Privacy according to Wikipedia is the ability of an individual or group to seclude themselves, or information about themselves, and thereby express themselves selectively. There is little contention over the fact that privacy is an essential element of Liberty and the voluntary disclosure of private information is both part of human relationships and a digitized economy.

The reason for debating data privacy is due to the inherent potential for surveillance and disclosure of electronic records which constitute privacy such as sexual orientation, medical records, credit card information, and email.

Disclosure could take place due to wrongful use and distribution of the data, such as for marketing, surveillance by governments or outright data theft by cybercriminals. In each case, a cybercitizen's right to disclose specific information to specific companies or people, for a specific purpose, is violated.

Citizens in western countries are legally protected through data protection regulation. There are eight principles designed to prevent unauthorized use of personal data by government, organizations and individuals:

Lawfulness, Fairness & Transparency
Personal data need to be processed based on the consent given by data subjects. Companies have an obligation to tell data subjects what their personal data will be used for. Data acquired cannot be sold to other entities say marketers.
Purpose limitation
Personal data collected for one purpose should not be used for a different purpose. If data was collected to deliver an insurance service, it cannot be used to market a different product.
Data minimization
Organizations should restrict collection of personal data to only those attributes needed to achieve the purpose for which consent from the data subject has been received.
Data has to be collected, processed and used in a manner which ensures that it is accurate. A data subject has the right to inspect and even alter the data.
Storage limitation
Personal data should be collected for a specific purpose and not be retained for longer than necessary in relation to that purpose.
Integrity and confidentiality
Organizations that collect this data are responsible for its security against data thefts and data entry/processing errors that may alter the integrity of data.
Organizations are accountable for the data in their possession
Cross Border Personal information
Personal information must be processed and stored in a secured environment, and this must be ensured even when the data is processed outside the borders of the country.

It is important for cybercitizens to understand their privacy rights particularly in context of information that can be misused for financial gain or to cause reputational damage.

Pauls Security Weekly 523 – Hack My NAS

Almog Ohayon of Javelin Networks pits Javelin ADProtect against Microsoft ATA, Sven Morgenroth of Netsparker bypasses corporate firewalls, and we discuss the latest security news!

Full Show Notes:

Visit for all the latest episodes!

Looking for love on Matrimonial Sites! Watch out for the Fraudsters

On Oct 2014, I wrote a blog titled “Conmen use fake matrimonial profiles to scam prospective grooms seeking arranged marriages” warning cyber citizens on matrimonial scams. Unfortunately, since then it appears that these scams have become common and lucrative.

These scams earned between 4 lakhs and 1.2 crore rupees (6000 – 200000 USD). Victims were women in their 30s who had posted their profiles on matrimonial portals. They were emotionally blinded and trusted the online relationship.

The scams used in the cases reported in The Times of India, July 20, 2017, were customs harassment, gift clearance or an urgent need of money due to a financial or medical emergency.

31-year-old nurse: conned into accepting a parcel that supposedly contained 15000 GBP (approx. 12 lakhs); paid Rs 4.2 lakhs (6000 USD) to a fake courier company.
40-year-old woman: conned into bailing her suitor out of a sticky payment at customs; paid 74 lakhs (11000 USD) into several accounts.
Young woman: conned into bailing out her UK-based suitor after customs officials caught him carrying a lot of pounds; paid Rs 4.8 lakhs (7000 USD).
35-year-old woman: conned into supporting an allegedly US-based suitor through his financial difficulties; paid Rs 1.2 crore (184000 USD).
40-year-old woman: conned into bailing out her UK suitor due to a sticky payment at customs; paid Rs 4.65 lakhs (7000 USD).

There will be a large number of unreported scams, as they involve threats of defamation using explicit photos or videos shared during the relationship.

I would again remind cybercitizens, that conmen actively target you, use social engineering techniques to gain your trust, and know how to hide themselves on the Internet. These conmen are often difficult to trace or it is simply too expensive to do so.

My recommendation is to use common sense when in an untrusted and unverified relationship. Any request for money should sound a loud buzzer in your brain. Also, do not share content of a sexual nature which could later be used against you.

Disgruntled Driver asks Share Ride Cab Company OLA to Pay Ransom for Kidnapped Passenger

A doctor called a shared ride cab to drive him to the private hospital where he worked. The shared ride arrived on time, but instead of taking the doctor to his destination, the driver threatened the doctor and kidnapped him. The OLA cab driver, in turn, posted a ransom request of Rs 5 Crore (750,000 USD) to the shared ride company, even calling up the hospital where the doctor worked to pressure the company into paying. The Delhi police were successful, after a 13 day chase, in freeing the doctor unharmed and nabbing the kidnapper.

The motive for the kidnapping was to teach the shared ride company a lesson as they were miffed due to alleged nonpayment of incentives.

The incident simply highlights the damage disgruntled employees can cause, many times due to uncontrolled emotions. While the kidnapping seems to be one of a kind, incidents caused by employees in the workplace are quite common. In the early days, it used to be sabotage of plant and machinery, but in a digital world it is the theft of IP, data or even online defamation of the company and its personnel.

Cisco Unified Communications Manager 11.5(1.12000.1) Cross Site Scripting Bypass a restriction or similar Vulnerability

A cross-site scripting (XSS) filter bypass vulnerability in the web-based management interface of Cisco Unified Communications Manager could allow an unauthenticated, remote attacker to mount XSS attacks against a user of an affected device. More Information: CSCvb97237. Known Affected Releases: 11.0(1.10000.10) 11.5(1.10000.6). Known Fixed Releases: 11.5(1.12029.1) 11.5(1.12900.11) 12.0(0.98000.369) 12.0(0.98000.370) 12.0(0.98000.398) 12.0(0.98000.457).

Hack Naked News #133 – July 18, 2017

Forgetting your Windows password, bidding farewell to SMS authentication, reviewing Black Hat USA 2017, Ubuntu Linux for Windows 10, and more. Jason Wood of Paladin Security joins us to discuss companies being breached due to misconfiguration on this episode of Hack Naked News!

Full Show Notes: for all the latest episodes!

Unix: How random is random?

On Unix systems, random numbers are generated in a number of ways and random data can serve many purposes. From simple commands to fairly complex processes, the question “How random is random?” is worth asking.

EZ random numbers

If all you need is a casual list of random numbers, the RANDOM variable is an easy choice. Type "echo $RANDOM" and you'll get a number between 0 and 32,767 (the largest number that two bytes can hold).

$ echo $RANDOM

Of course, this process is actually providing a "pseudo-random" number. As anyone who thinks about random numbers very often might tell you, numbers generated by a program have a limitation. Programs follow carefully crafted steps, and those steps aren’t even close to being truly random. You can increase the randomness of RANDOM's value by seeding it (i.e., setting the variable to some initial value). Some just use the current process ID (via $$) for that. Note that for any particular starting point, the subsequent values that $RANDOM provides are quite predictable.
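The seeding behaviour just described, as an added example that is not from the article: a small shell script showing that the same seed reproduces the same $RANDOM sequence (which is exactly why a seeded $RANDOM must not be used for anything security-sensitive), that the values stay in 0..32767, and how to draw a value from /dev/urandom with od instead. The function names are mine, and the script assumes a bash-style shell that implements RANDOM and a readable /dev/urandom.

```shell
#!/bin/sh
# Added example: $RANDOM is a seeded pseudo-random generator, so the same
# seed yields the same sequence. Assumes a bash-style shell with RANDOM and
# a system /dev/urandom; function names are the example's own.

# Print N values of $RANDOM after seeding with SEED, space separated.
# Assigning to RANDOM seeds the shell's generator.
random_seq() {
    seed=$1
    n=$2
    RANDOM=$seed
    out=""
    i=0
    while [ "$i" -lt "$n" ]; do
        out="$out $RANDOM"
        i=$((i + 1))
    done
    printf '%s\n' "${out# }"
}

# Echo 1 if two runs from the same seed produce the same sequence, else 0.
# A 1 here means anyone who learns the seed can reproduce every value.
is_reproducible() {
    a=$(random_seq "$1" 8)
    b=$(random_seq "$1" 8)
    if [ "$a" = "$b" ]; then echo 1; else echo 0; fi
}

# Echo 1 if every value in the sequence lies in 0..32767, else 0.
in_range() {
    for v in $(random_seq "$1" 8); do
        if [ "$v" -lt 0 ] || [ "$v" -gt 32767 ]; then
            echo 0
            return
        fi
    done
    echo 1
}

# Draw an unsigned 16-bit value from the kernel entropy pool instead.
# There is no seed to guess here, which is the property a security use needs.
urandom_u16() {
    od -An -N2 -tu2 /dev/urandom | tr -d ' \n'
}

echo "seed 42 -> $(random_seq 42 8)"
echo "seed 42 -> $(random_seq 42 8)   (identical: predictable)"
echo "seed 7  -> $(random_seq 7 8)"
echo "urandom -> $(urandom_u16)"
```

Run it twice and the two "seed 42" lines agree both within a run and across runs, while the urandom line changes every time. If a shell does not implement RANDOM, the assignment just creates an ordinary variable and the "sequence" is the seed repeated, which is a useful reminder that $RANDOM is not a portable source of anything.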


Twelve Commandments that will never fail to Keep You Cyber Safe Online

As the digital world explodes with a variety of new online services, cyber threats have become more ingenuous, dangerous, and spawned multiple variants and types. As each new threat makes the headline, the accompanying set of threat specific security recommendations confuses cybercitizens. Cybercitizens want a comprehensive list of recommendations that do not change frequently.

There are twelve foundational security practices that will help keep you and your family safe. Practicing them will harden your defenses against cybercrime and also reduce the negative effects of social media use.

1)    Thou shalt not use a device with pirated software
Pirated software is not patched, as it is unlicensed. Unpatched software has security vulnerabilities which can be easily exploited to steal data and credentials.

2)    Thou shalt not use a device which is not set for automatic updates of Operating System patches
Automatic patching for personal devices is the best way to ensure that the latest security patches are applied and security loopholes closed before cybercriminals can get to them.

3)    Thou shalt not use a device without updated antimalware (antivirus) software installed
Antimalware software reduces the probability of a malware infection (e.g. ransomware) on your device. For it to be effective in catching the latest malware variants, it has to be automatically updated with the latest updates.

4)    Thou shalt not download pirated movies, games and other such material
Something free may turn out to be expensive, both financially and to your reputation. Malware is usually bundled with pirated content or applications.

5)    Thou shalt not use a site without trying to verify its authenticity
The authenticity of a site can be verified by the lock icon and accompanying digital certificate. While not foolproof, it reduces the possibility of spoofed lookalike sites designed to steal your credentials.

6)    Thou shalt not ignore inappropriate content on social networks; always report or dislike it
Inappropriate content influences the minds of our children as they stumble upon it online. Hate content in particular may induce biases which take a long time to reverse.

7)    Thou shalt not indulge in or encourage cyber bullying online
A parent or teacher has the additional responsibility of guiding children on the right online behavior. You do not want your children to bully or be bullied.

8)    Thou shalt not use passwords that can be easily guessed, and promise to keep the password a secret
Try to choose complex passwords, do not reuse them on multiple sites and always store them securely. The easiest way to get into your online accounts is by stealing your passwords.

9)    Thou shalt not be tempted by fraudulent emails promising financial windfalls, miracle cures or cheap medicines
Try to check the authenticity of the email. Electronic communication is easily manipulated, as it is difficult to verify the authenticity of the sender. Scams like these can cost you money and affect your health.

10) Thou shalt not forsake your responsibility of helping your older parents or young kids to be safe as they use the internet
Be a guide and easily available as both old and young learn to use the internet and face cyber risks. Being available requires that you can be reached for instant advice on problems they encounter.

11) Thou shalt never trust a stranger blindly online
Always be suspicious when dealing with online strangers. At no point during the relationship should you let down your guard. The identity of an online person cannot be easily verified; it can, however, be easily manipulated. Online friends sometimes have the vilest of intentions, which can lead to all forms of blackmail, particularly if they have incriminating pictures and videos. Besides adults, young children are potential victims.

12) Thou shalt not set a weak password for your mobile phone or keep it unlocked
A stolen phone with an easy-to-guess password, or one left unlocked, is a sure invitation into all your signed-in accounts and personal data. A large number of phones are left unattended or lost each year.

Paul’s Security Weekly #522 – It’s a Nerdgasm!

Joe Desimone of Endgame joins us to discuss fileless attacks, Don Pezet of ITProTV delivers a technical segment on hardening weak software RNGs and hardware entropy sources, and we discuss the latest security news!

Full Show Notes:

Visit for all the latest episodes!

Podcast Notes – Six Point List for Dealing with Today’s Cyber Attacks

I was recently on a podcast (to be released in the next couple of weeks) discussing current events, especially recent reports related to Hackers Are Targeting Nuclear Facilities, Homeland Security Dept. and F.B.I. Say. Towards the end of the podcast, I was asked for some closing thoughts, which I organized into a six-point list:

  1. Attacks are happening. Accept this as fact!
  2. Look internally at your People, Processes, and Technology (PPT), and assess how resilient your PPTs are against the types of attacks that are happening.
  3. Start taking steps -- or more likely, improve your current steps -- to prevent, but also to detect and respond (as prevention will only get you so far).
  4. Patch, patch, patch.
  5. Test, test, test.
  6. Finally, because it's only a matter of time, the last item is: drill baby, drill.

Information Security 101 with Lisa Sotto: Responding to a Data Breach

In the third segment of this three-part series, Lisa Sotto, head of the Global Privacy and Cybersecurity practice at Hunton & Williams, discusses with The Electronic Discovery Institute how to respond to a data breach. It’s necessary, says Sotto, to have appropriate processes in place before a breach occurs. The “most important first step is to ensure that, when an issue arises, it’s escalated appropriately.”

Watch the full video.

Lead Generation Business Settles FTC Charges That It Unlawfully Sold Consumer Data

On July 5, 2017, the FTC announced that Blue Global Media, LLC (“Blue Global”) agreed to settle charges that it misled consumers into filling out loan applications and then sold those applications, including sensitive personal information contained therein, to other entities without verifying how consumers’ information would be used or whether it would remain secure. According to the FTC’s complaint, Blue Global claimed it would connect loan applicants to lenders from its network of over 100 lenders in an effort to offer applicants the best terms. In reality, Blue Global “sold very few of the loan applications to lenders; did not match applications based on loan rates or terms; and sold the loan applications to the first buyer willing to pay for them.” The FTC alleged that, contrary to Blue Global’s representations, the company provided consumers’ sensitive information—including SSN and bank account number—to buyers without consumers’ knowledge or consent. The FTC further alleged that, upon receiving complaints from consumers that their personal information was being misused, Blue Global failed to investigate or take action to prevent harm to consumers.

The terms of the settlement prohibit Blue Global from misrepresenting (1) its ability to assist consumers in obtaining loans with favorable rates and terms; (2) that it will protect and secure consumers’ personal information and (3) the types of businesses with which Blue Global shares consumers’ personal information. The settlement further requires Blue Global to “investigate and verify the identity of businesses to which they disclose consumers’ sensitive information” and to obtain consumers’ informed consent for these disclosures. The settlement also includes a judgment for more than $104 million, suspended due to Blue Global’s inability to pay.

Hack Naked News #132 – July 11, 2017

Solving artificial stupidity, Petya’s decryption key is released, sleeping with the enemy, burned laptops for DEF CON, and more. Jason Wood of Paladin Security joins us to discuss the FTC shutting down a loan application firm on this episode of Hack Naked News!

Full Show Notes: for all the latest episodes!

MS16-111 – Important: Security Update for Windows Kernel (3186973) – Version: 2.0

Severity Rating: Important
Revision Note: V2.0 (July 11, 2017): Revised Windows Affected Software and Vulnerability Severity Ratings table to include Windows 10 Version 1703 for 32-bit Systems and Windows 10 Version 1703 for x64-based Systems because they are affected by CVE-2016-3305. Microsoft recommends that customers running Windows 10 Version 1703 should install update 4025342 to be protected from this vulnerability.
Summary: This security update resolves vulnerabilities in Microsoft Windows. The vulnerabilities could allow elevation of privilege if an attacker runs a specially crafted application on a target system.

China Publishes Draft Regulations on Protecting the Security of Key Information Infrastructure

This post has been updated. 

On July 10, 2017, the Cyberspace Administration of China published a new draft of its Regulations on Protecting the Security of Key Information Infrastructure (the “Draft Regulations”), and invited comment from the general public. The Cybersecurity Law of China establishes a new category of information infrastructure, called “key [or critical] information infrastructure,” and imposes certain cybersecurity obligations on enterprises that operate such infrastructure. The Draft Regulations will remain open for comment through August 10, 2017.

The Draft Regulations provide further details on the scope of what will constitute “key information infrastructure.” According to the Draft Regulations, this may include network facilities and information systems operated and managed by (1) government agencies and entities in the energy, finance, transportation, water conservation, health care, education, social insurance, environmental protection and public utilities sectors; (2) information networks, such as telecommunications networks, broadcast television networks and the Internet, and entities providing cloud computing, big data and other large-scale public information network services; (3) research and manufacturing entities in industry sectors such as science and technology for national defense, large equipment manufacturing and the chemical industry and food and drug sectors; and (4) news organizations, such as broadcasting stations, television stations and news agencies. To be counted as “key information infrastructure,” however, the infrastructure must still meet the criterion that severe endangerment of national security, the national economy and the people’s livelihood and the public interest would result if the infrastructure suffers destruction, loss of functionality or leakage of data. The Cyberspace Administration of China will work together with relevant government agencies to formulate materials for the identification of “key information infrastructure” in their respective industry sectors and fields.

The Draft Regulations reiterate the cybersecurity compliance obligations originally imposed under the Cybersecurity Law, such as obligations to formulate internal security management systems and operating protocols; to adopt technological measures to prevent against computer viruses and attacks and intrusions on networks; to monitor and record network operations and cybersecurity incidents; and to adopt security measures such as data classification, back-up and encryption of important data. At the same time, the Draft Regulations impose further cybersecurity obligations on operators of key information infrastructure, including obligations to: (1) designate a specific cybersecurity administrative department and persons responsible for cybersecurity, and conduct background reviews of these responsible persons; (2) conduct cybersecurity education, technology training and evaluation of the skills of relevant staff on a regular basis; (3) implement disaster recovery backup for important systems and databases, and adopt remedial measures to promptly address security risks such as system vulnerabilities; and (4) establish contingency plans for cybersecurity incidents and conduct regular rehearsals of these plans.

According to the Draft Regulations, operators of key information infrastructure should establish a system to inspect their key information infrastructure and evaluate its security aspects and possible risks. They may conduct this inspection and evaluation on their own behalf, or engage third-party cybersecurity service providers. They must conduct this inspection and evaluation at least once a year.

The Draft Regulations reiterate the original data localization requirements on the operators of key information infrastructure under the Cybersecurity Law, as well as related requirements under the Measures for Security Reviews of Network Products and Services. The Draft Regulations also require that the operation and maintenance of key information infrastructure should be performed within the territory of China. If overseas long-distance maintenance of key information infrastructure is truly necessary for business reasons, the operator should report in advance to both the relevant government agency that has the authority over the industry sector and the public security department.

View our English translation of the Draft Regulation.

Cyber Lessons from the 2017 Harvey Nash / KPMG CIO Survey Report

In May this year, Harvey Nash and KPMG released their 2017 CIO Survey report. The report looks at some of the key issues on CIOs’ radar, including how CIOs are handling changing times, the need for stable IT, the strategic influence of CIOs, issues leading to costly and failed IT projects, job satisfaction, and of course, the issue of cybersecurity.

We’ll cover the highlights of the report, take a deeper dive into the issue of cybersecurity, which features prominently in the report, and share lessons on how CIOs can improve their organization’s posture.

Top (and Bottom) Priorities for CIOs

The top four priorities listed for CIOs are
  1. The need to deliver stable IT service to the business (63%, up 21% from 2016)
  2. Increasing operational efficiencies (62%, up 7% from 2016)
  3. Improving business processes (59%, up 3% from 2016)
  4. Saving costs (54%, up 8% from 2016)
In contrast, the bottom three priorities are:
  1. Reputation management via social media (5%).
  2. Achieving sustainable/green IT (6%).
  3. Investing in social media platforms (7%).

CIO Good News

Among the list of positive news for CIOs was their self-reported increase in their strategic influence: when asked if their influence was growing, 71% of CIOs responded yes, up from 67% in 2016. Not surprisingly, 62% of CIOs now sit on the executive board, up from 57% in 2016, a number that was below the 50% mark for the decade ending in 2010. This increased visibility is also confirmed with 68% of CIOs reporting having attended a board meeting in the last quarter, a figure that goes up to 85% when considered over a 12-month window. However this picture is skewed towards the smaller organizations, where it appears that CIOs have an easier time getting access to the board (72%, versus 65% for mid-size, and only 45% for large organizations). Similarly, CIOs at smaller organizations are more likely to report directly to the CEO at 45%, versus 27% for mid-size, and 17% for large organizations.

Where a CIO sits in the organizational chart makes a difference in their perception of job satisfaction: 44% of CIOs on the executive committee reported their roles as very fulfilling, compared to 42% of CIOs reporting to CEOs, and only 38% of CIOs reporting to CFOs. On the salary front, CIOs reporting to the CEO or the board reported larger salary increases (36% for CIOs under CEOs, and 35% for CIOs on executive committee) than those under the CFO (32%).

Managing Change

Managing change comes with the territory for CIOs. When asked about how they had adapted their technology plans to deal with uncertainty, CIOs reported creating a more nimble technology platform (52%), finding a way to work with restricted budgets (49% average, but more pronounced in small organizations at 51%), and investing more in cybersecurity (45% average, but much more pronounced in mid-size and large organizations at 55% and 53% respectively) as their top three.

The Cybersecurity Issue

While cybersecurity figures in 3rd place in the aggregate picture, it is the #2 issue for both mid-size and large organizations, just behind the need for nimble IT. For mid-size organizations, nimble IT ranks in the top spot at 56% while security is just below at 55%, with a similarly close picture for large organizations with 54% for nimble IT and 53% for security. Not surprisingly, cybersecurity was a regular topic in the top five categories of topics discussed when CIOs interacted with boards, along with IT strategy, IT investments, and digital transformation.

The report introduces the cybersecurity issue thusly: “Everyone is talking about cyber security. Organizational leaders are fretting while hackers seem to be able to ghost their way effortlessly into their systems to steal emails and secrets.”
Top concerns for CIOs include organized cybercrime (71%), amateur criminals (52%), insider threats (48%), but also spammers (39%), foreign powers (28%), and competitors (19%). More worrisome, when CIOs were asked whether they were “well prepared” for detecting and responding to cyber-attacks, only 21% responded yes in 2017, compared to 22% in 2016, 23% in 2015, and 29% in 2014.

As can be expected, large organizations are more likely to report having suffered a major attack in the past two years (53%) compared to mid-size (41%) or small organizations (30%). However, the lower numbers for the smaller organizations may also be a reflection of their less mature detection and investigative capabilities.

Many CIOs are left wondering if their organizations are truly secure, or whether a false sense of security has been allowed to take hold, with potentially disastrous consequences. Bob Kalka, Vice President IBM Security Business Unit, wrote a three part series on Questions Every CIO Should Ask the Cybersecurity Leader: part 1, part 2, and part 3.

Much More in the Report

The report also points to an increasing trend where a larger share of the IT budget is controlled or managed outside of IT, 40% in 2017, up from 38% in 2016, and 34% in 2015. This trend puts increased pressure on CIOs’ ability to effectively manage the relationship with the rest of the C-suite and the board to exert influence on how that share of the budget is being spent.

Overall, the 56-page report provides a snapshot of where a CIO sits compared to their peers, as well as highlights important trends to be aware of and key areas they should be focusing on.

This post was brought to you by IBM Global Technology Services. For more content like this, visit

Startup Security Weekly #46 – All Black Everything

James Jardine of Jardine Software joins us. In the news, the hells of being a founder, killing projects before they kill you, intellectual property 101, and updates from Auth0, Upstream, Palo Alto Networks, Symantec, and more!

Full Show Notes: for all the latest episodes!

Toolsmith #126: Adversary hunting with SOF-ELK

As we celebrate Independence Day, I'm reminded that we honor what was, of course, an armed conflict. Today's realities, when we think about conflict, are quite different than the days of lining troops up across the field from each other, loading muskets, and flinging balls of lead into the fray.
We live in a world of asymmetrical battles, often conflicts that aren't always obvious in purpose and intent, and likely fought on multiple fronts. For one of the best reads on the topic, take the well spent time to read TJ O'Connor's The Jester Dynamic: A Lesson in Asymmetric Unmanaged Cyber Warfare. If you're reading this post, it's highly likely that your front is that of 1s and 0s, either as a blue team defender, or as a red team attacker. I live in this world every day of my life as a blue teamer at Microsoft, and as a joint forces cyber network operator. We are faced, each day, with overwhelming, excessive amounts of data, of varying quality, where the answers to questions are likely hidden, but available to those who can dig deeply enough.
New platforms continue to emerge to help us in this cause. At Microsoft we have a variety of platforms that make the process easier for us, but no less arduous, to dig through the data, and the commercial sector continues to expand its offerings. For those with limited budgets and resources, but a strong drive for discovery, there have been outstanding offerings as well. Security Onion has been forefront for years, and is under constant development and improvement in the care of Doug Burks.
Another emerging platform, to be discussed here, is SOF-ELK, part of the SANS Forensics community, created by SANS FOR572, Advanced Network Forensics and Analysis author and instructor Phil Hagen. Count SOF-ELK in the NFAT family for sure, a strong player in the Network Forensic Analysis Tool category.
SOF-ELK has a great README, don't be that person, read it. It's everything you need to get started, in one place. What!? :-)
Better yet, you can download a fully realized VM with almost no configuration requirements, so you can hit the ground running. I ran my SOF-ELK instance with VMWare Workstation 12 Pro and no issues other than needing to temporarily disable Device Guard and Credential Guard on Windows 10.
SOF-ELK offers some good test data to get you started right out of the gate, in /home/elk_user/exercise_source_logs, including Syslog from a firewall, router, converted Windows events, a Squid proxy, and a server named muse. You can drop these on your SOF-ELK server in the /logstash/syslog/ ingestion point for syslog-formatted data. Additionally, utilize /logstash/nfarch/ for archived NetFlow output, /logstash/httpd/ for Apache logs, /logstash/passivedns/ for logs from the passivedns utility, /logstash/plaso/ for log2timeline, and /logstash/bro/ for, yeah, you guessed it.
I mixed things up a bit and added my own Apache logs for the month of May to /logstash/httpd/. The muse log set in the exercise offering also included a DNS log (named_log), for grins I threw that in the /logstash/syslog/ as well just to see how it would play.
Run down a few data rabbit holes with me, I swear I can linger for hours on end once I latch on to something to chase. We'll begin with a couple of highlights from my Apache logs. The SOF-ELK VM comes with three pre-configured dashboards including Syslog, NetFlow, and HTTPD. You can learn more in the start page for the SOF-ELK UI, my instance is There are three panels, or blocks, for each dashboard's details, at the bottom of the UI. I drilled through to the HTTPD Log Dashboard for this experiment, and immediately reset the time period for analysis (click the time marker in the upper right hand part of the UI). It defaults to the last 15 minutes, if you're reviewing older data it won't show until you adjust to match your time stamps. My data is from the month of May so I selected an absolute window from the beginning of May to its end. You can also select quick or relative time options, it's great to get comfortable here quickly and early. The resulting opening visualizations for me made me very happy, as seen in Figure 1.
Figure 1: HTTPD Log Dashboard
Nice! An event count summary, source ASNs by count (you can immediately see where I scanned myself from work), a fantastic Access Source map, a records graph by HTTP verbs, and one by response codes.
The beauty of these SOF-ELK dashboards is that they're immediately interactive and allow you to drill right in to interesting data points. The website is intentionally flat and includes no active PHP or dynamic content. As a result, my favorite response code as a web application security tester, the 500 error, is notably missing. But, in both the timeline graphs we note a big traffic spike on 8 MAY 2017, which correlates nicely with my above-mentioned scan from work, as noted in the ASN hit count, and seen here in Figure 2.

Figure 2: Traffic spike from scan
This visualizes well but isn't really all that interesting or uncommon, particularly given that I know I personally ran the scan, and scans from the Intarwebs are dime a dozen. What did jump out for me though, as seen back in Figure 1, was the presence of four PUT requests. That's usually a "bad thing" where some @$$h@t is trying to drop something on my server. Let's drill in a bit, shall we? After clicking the graph line with the four PUT requests, I quickly learned that two requests came from AS32097: WholeSale Internet in Kansas City, MO and two came from AS37963: Hangzhou Alibaba Advertising in Hangzhou, China. This is well represented in the HTTPD Access Source panel map (Figure 3).

Figure 3: Access Source
The PUT request from each included a txt file attempt, specifically dbhvf99151.txt and htjfx99555.txt; both were rejected, redirected (302), and sent to my landing page (200).
Research on the IPs found that was on the "real time suspected malware list as detected by InterServer's intrusion systems" as seen 22 MAY, and was found twice in the AbuseIPDB, flagged on 18 MAY 2017 for Cknife Webshell Detected. Now we're talking. It's common to attempt a remote file include attack or a PUT, with what is a web shell. I opened up SOF-ELK on that IP address and found eight total hits in my logs, all looking for common PHP opportunities with the likes of GET and POST for /plus/mytag_js.php, noted in PHP injection attack attempts.
SOF-ELK made it incredibly easy to hunt down these details, as seen in Figure 4 from the HTTPD Discovery panel.
Figure 4: Discovery
That's a groovy little hunting trip through HTTPD logs, but how about a bit of Syslog? I spotted a likely oddity that could be correlated across a number of the exercise logs, we'll see if the correlation is real. You'll notice tabs at the top of your SOF-ELK UI, we'll use Discover for this experiment. I started from the Syslog Dashboard with my time range set broadly on the last two months. 7606 records presented themselves, sliced neatly by hosts and programs, as seen in Figure 5.

Figure 5: Syslog Dashboard
Squid proxy logs showed the predominance of host entries (6778 or 57.95% of 11,696 to be specific), so I started there. Don't laugh, but I'll often do keyword queries just to see what comes up, sometimes you land a pointer to a good rabbit hole. Within the body of 6778 proxy events, I searched malware. Two hits came back for GET request via a JS redirector to for your basic how-to based on "random websites opening in Chrome". Ruh-roh.
Figure 6: Malware keyword
More importantly, we have an IP address to pivot on: A search of that IP across the same 6778 Squid logs yielded 3896 entries specific to this IP, and lots to be curious about:
  • YouTube videos for hair loss
  • for "random pop-ups driving me nuts"
Do I need to build this user profile out for you, or are you with me? Proxy logs tell us so much, and are deeply worthy of your blue team efforts to collect and review.
I jumped over to the named_log from the muse host to see what else might reveal itself. Here's where I jumped to Discover, the Splunk-like query functionality inherent to SOF-ELK (and ELK implementations). I did a reductive query to see what other oddities might surface: AND dns_query: (* OR *.de OR *.eu OR *.info OR *.cc OR *.online OR *.website). I used these TLDs based on the premise that bots using Domain Generation Algorithms (DGA) will often use the TLDs. See The DGA of PadCrypt to learn more, as well as ISC Diary handler John Bambanek's OSINT logic. The query results were quite satisfying, 29 hits, including a number of clearly randomly generated domains. Those that were most interesting all included the .cc TLD, so I zoomed in further. Down to five hits with AND dns_query: *.cc, as seen in Figure 7.
Figure 7: .CC TLD hits
Oh man, not good. I had a hunch now, and went back to the proxy logs with AND squid_request:*.exe. And there you have it, ladies and gentlemen, hunch rewarded (Figure 8).

Figure 8: taxdocs.exe
If taxdocs.exe isn't malware, I'm a monkey's uncle. Unfortunately, I could find no online references to these .cc domains or the .exe sample or URL, but you get the point. Given that it's exercise data, Phil may have generated it to entice us to dig deeper.
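The two hunts above, the PUT requests in the Apache logs and the TLD sweep over the named log for DGA-looking names, boil down to checks you can also script outside the SOF-ELK UI. The following Python is an added example, not code from the original post or from the SOF-ELK project: the log lines, IP addresses (RFC 5737 documentation ranges) and domain names are constructed, the BIND-style query-log format is simplified, and the entropy and length thresholds used to flag a name are assumptions to tune against your own data.

```python
"""Two hunts from the post, scripted: PUT attempts in Apache access logs and
high-entropy names under watched TLDs in a BIND-style query log.
Added example; all input below is constructed."""
import math
import re
from collections import Counter, defaultdict

# Apache "combined"-style line; only the fields the hunts need are captured.
APACHE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)
# Simplified BIND query-log line (format is an assumption; adapt to your named config).
DNS_RE = re.compile(r"query: (?P<name>\S+) IN (?P<qtype>\S+)")

# TLDs the post swept; "*.cc" was the one that paid off.
WATCHED_TLDS = {"de", "eu", "info", "cc", "online", "website"}

# Constructed sample data. IPs are RFC 5737 documentation addresses; the two
# .txt names echo the PUT attempts described in the post.
APACHE_SAMPLE = """\
203.0.113.10 - - [08/May/2017:10:01:02 +0000] "PUT /dbhvf99151.txt HTTP/1.1" 302 243
203.0.113.10 - - [08/May/2017:10:01:03 +0000] "GET / HTTP/1.1" 200 5120
203.0.113.10 - - [08/May/2017:10:02:10 +0000] "GET /plus/mytag_js.php HTTP/1.1" 404 210
198.51.100.7 - - [12/May/2017:22:14:31 +0000] "PUT /htjfx99555.txt HTTP/1.1" 302 243
198.51.100.7 - - [12/May/2017:22:14:32 +0000] "GET / HTTP/1.1" 200 5120
192.0.2.44 - - [15/May/2017:09:30:00 +0000] "GET /about.html HTTP/1.1" 200 3321
"""
DNS_SAMPLE = """\
09-May-2017 10:05:11.123 client 192.0.2.20#53211: query: www.example.de IN A + (192.0.2.1)
09-May-2017 10:05:12.456 client 192.0.2.20#53212: query: qzxv8k2jw0ph.cc IN A + (192.0.2.1)
09-May-2017 10:05:13.789 client 192.0.2.21#40011: query: mail.example.com IN MX + (192.0.2.1)
09-May-2017 10:05:14.012 client 192.0.2.20#53213: query: lh7gpw3xq.website IN A + (192.0.2.1)
"""


def parse_apache(log_text):
    """Yield one dict per parseable access-log line; unparseable lines are skipped."""
    for line in log_text.splitlines():
        m = APACHE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["status"] = int(rec["status"])
            yield rec


def put_attempts(log_text):
    """Map client IP -> [(path, status)] for every PUT, the 'bad thing' the post drilled into."""
    hits = defaultdict(list)
    for rec in parse_apache(log_text):
        if rec["method"] == "PUT":
            hits[rec["ip"]].append((rec["path"], rec["status"]))
    return dict(hits)


def client_activity(log_text, ip):
    """Pivot on one IP (as the post did in SOF-ELK) and list everything it requested."""
    return [(r["method"], r["path"], r["status"])
            for r in parse_apache(log_text) if r["ip"] == ip]


def shannon_entropy(text):
    """Bits of entropy per character; DGA-style labels score high, dictionary words low."""
    n = len(text)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def hunt_dns(log_text, tlds=WATCHED_TLDS, min_entropy=3.0, min_len=8):
    """Return queried names under watched TLDs, highest entropy first, with a
    'flagged' verdict for long, high-entropy registrable labels (thresholds assumed)."""
    seen = {}
    for m in DNS_RE.finditer(log_text):
        name = m.group("name").rstrip(".").lower()
        labels = name.split(".")
        if len(labels) < 2 or labels[-1] not in tlds:
            continue
        label = labels[-2]  # registrable label, e.g. "example" in www.example.de
        ent = round(shannon_entropy(label), 3)
        seen[name] = {"name": name, "tld": labels[-1], "entropy": ent,
                      "flagged": len(label) >= min_len and ent >= min_entropy}
    return sorted(seen.values(), key=lambda r: r["entropy"], reverse=True)


if __name__ == "__main__":
    for ip, paths in put_attempts(APACHE_SAMPLE).items():
        print(f"PUT from {ip}: {paths}")
        print("  pivot:", client_activity(APACHE_SAMPLE, ip))
    for rec in hunt_dns(DNS_SAMPLE):
        mark = "FLAG " if rec["flagged"] else "     "
        print(f"{mark}{rec['name']} entropy={rec['entropy']}")
```

On the constructed sample, put_attempts() surfaces the two rejected PUTs and the pivot on the first client shows the follow-up probe for /plus/mytag_js.php, while hunt_dns() ranks the .cc and .website names above www.example.de and flags only the two random-looking labels; a real DGA hunt would feed the query from a resolver's whole log and then verify candidates against passive DNS, as the post does with the proxy pivot.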
When we think about the IOC patterns for Petya, a hunt like this is pretty revealing. Petya's "initial infection appears to involve a software supply-chain threat involving the Ukrainian company M.E.Doc, which develops tax accounting software, MEDoc". This is not Petya (as far as I know) specifically but we see pattern similarities for sure, one can learn a great deal about the sheep and the wolves. Be the sheepdog!
Few tools are better in the free and open source arsenal to help you train and enhance your inner digital sheepdog than SOF-ELK. "I'm a sheepdog. I live to protect the flock and confront the wolf." ~ LTC Dave Grossman, from On Combat.

Believe it or not, there's a ton more you can do with SOF-ELK, consider this a primer and a motivator.
I LOVE SOF-ELK. Phil, well done, thank you. Readers rejoice, this is really one of my favorites for toolsmith, hands down, out of the now 126 unique tools discussed over more than ten years. Download the VM, and get to work herding. :-)
Cheers...until next time.

Belgian Privacy Commission Issues Recommendation on Internal Records Under the GDPR

This post has been updated. 

The Belgian Privacy Commission (the “Belgian DPA”) recently released a Recommendation (in French and Dutch) regarding the requirement to maintain internal records of data processing activities (the “Recommendation”) pursuant to Article 30 of the EU General Data Protection Regulation (“GDPR”).

The Recommendation aims to provide guidance to data controllers and data processors in establishing and maintaining internal records by May 25, 2018. As of that date, the internal records requirement must be complied with, and the Belgian DPA must be able to request that such records are made available to it.

Key takeaways from the Recommendation are summarized below:

  • Responsibility in maintaining internal records. The obligation to maintain internal records applies both to data controllers and data processors (or their representatives, if the data controller or processor does not have an establishment in the European Union). The requirement to maintain internal records does not apply, however, to companies or organizations with fewer than 250 employees, unless (1) their data processing activities are likely to result in a risk to the rights and freedoms of individuals, (2) the processing is not occasional, or (3) the processing includes sensitive personal data or personal data relating to criminal convictions and offenses. Despite these exceptions, the Belgian DPA recommends that all controllers and processors maintain internal records. With respect to SMEs, however, the Belgian DPA is not opposed to the creation of internal records only for regular processing activities, and not for occasional processing activities.
  • Aim of such requirement. Maintaining internal records is a cornerstone of the accountability regime under the GDPR. Internal records must be made available to supervisory authorities. The requirement to maintain internal records replaces the requirement to file national registrations of data processing activities, which often was seen as inefficient and burdensome for companies. In this respect, the Belgian DPA notes that existing national registrations that were previously filed might be, to a certain extent, useful in creating internal records. However, companies must be aware of the differences between internal records and existing national registrations. Among other differences, the Belgian DPA notes that the obligation to file national registrations was applicable only to data controllers, and not to data processors.
  • Content of internal records. Internal records must cover all processing activities carried out on May 25, 2018, whether such processing activities were previously or recently initiated.
    • Internal records maintained by data controllers must contain the following information: (i) name and contact details of the controller and where applicable, joint controller and the controller’s representative; and (ii) name and contact details of the data protection officer (the “DPO”), if any (this does not exempt the data controller from the requirement to notify supervisory authorities of the name and contact details of the DPO); (iii) clear and detailed information regarding the purposes of the processing; (iv) a description of the categories of data subjects; (v) a description of the categories of personal data; (vi) the categories of recipients, whether internal or external, including recipients in third countries or international organizations; (vii) information about data transfers to a third country, including the identification of such third country, and where applicable, the documentation of suitable safeguards; (viii) envisioned time limits for erasing the data, or, according to the Belgian DPA, the criteria used to determine the retention period; and (ix) a general description of technical and organizational security measures implemented.
    • Data processors, on the other hand, must maintain internal records containing the following information: (i) name and contact details of the processor and where applicable, the processor’s representative; (ii) name and contact details of each controller on behalf of which the processor is acting, and where applicable, the controller’s representative; (iii) name and contact details of the data protection officer (if any); (iv) categories of processing carried out on behalf of each controller; (v) information about data transfers to a third country, including the identification of such third country, and where applicable, the documentation of suitable safeguards; and (vi) a general description of technical and organizational security measures implemented.

According to the Belgian DPA, nothing prevents controllers and processors from including other information in the internal records. In that respect, controllers and processors could take their past national registrations into account. In addition, the Belgian DPA recommends that controllers and processors consider including in internal records information about applicable legal basis, data protection impact assessments, and personal data breaches.

  • How to establish internal records. These records must be in writing and available in electronic form, and must be clear and understandable. The Belgian DPA recognizes some flexibility with respect to the format used to maintain the records. In addition, internal records must be kept up-to-date and the Belgian DPA recommends that controllers and processors keep them for accountability purposes, taking into account applicable statutes of limitation. The Belgian DPA also recommends that, in creating internal records, controllers and processors involve each member of their personnel working at an operational level who are capable of identifying the relevant processing activities.
  • Recipients of the internal records. Upon request, controllers and processors must make such records available to the supervisory authority. The Belgian DPA, however, notes that internal records are not intended to be viewed by data subjects or the general public.
  • Sanctions. The Belgian DPA states that failure to comply with the obligation to maintain internal records may result in an administrative fine of up to 10,000,000 EUR or 2% of the company’s global annual turnover, whichever is higher.

UPDATE: The Belgian DPA has released a template (in French and in Dutch) for the register of processing activities that can be used by companies. The template contains more information than what is required under the GDPR and companies are therefore not obligated to use it. Information that is strictly necessary to comply with the requirement of the GDPR to maintain internal records is highlighted in red.

More information on the requirement to maintain internal records can be found on the website of the Belgian DPA (in French and in Dutch).

Why Your Next Cybersecurity Tool/Service Might Just Come from Israel — PART 2: The Land of the Cyber Startups

Note: in June 2017, I was invited by the Israeli Ministry of Foreign Affairs to attend the CyberWeek conference in Tel Aviv, as part of a delegation of journalists from around the globe. This article is the second of three articles that I wrote following that experience; the first article explored the question of “Why Israel?”

[T]he prominence of Israel in the technological field and in the cyber field have made Israeli companies very, very attractive. So because we have a lot of speed chess players, because we have hundreds of startups, because we have demonstrable success in providing solutions in this rapidly changing sphere, Israel has become an attractive target for cyber security investment, and I think if I tally it roughly as we can see, in 2016 we have about 20% of the global private cyber security investment around the world.
PM Netanyahu at the CyberWeek conference (June 26, 2017)

In a previous article, we explored some of the factors that have contributed to positioning Israel as a potential leader in the cybersecurity innovation domain. However, potential isn’t always realized, but in the case of Israel, there is strong evidence that the formula for leveraging their special mix of circumstances into cyber startups and investments is working.

Growing Alliances

One cannot hear the Prime Minister and deny that Israel is a country deliberately focused on cyber. There is a palpable deliberate effort by government sector, financial sector, industry sector, and academia to come together and collaborate. This effort is having an impact on the way the rest of the world sees Israel, as evidenced by Indian Prime Minister, Narendra Modi, who visited Israel in early July, the first visit by an Indian PM. In part thanks to its cybersecurity expertise, Israel is being courted by many countries according to its PM.

At CyberWeek, representatives from the US government were also in attendance, marking a new level of collaboration. Thomas Bossert, Assistant to the President for Homeland Security and Counterterrorism, announced the creation of a bilateral cyber working group to “stop adversaries before they can get into our networks and hold bad actors accountable.” According to Reuters, the working group will focus on a “range of cyber issues — critical infrastructure, advanced R&D, international cooperation, and workforce.” Bossert went on to explain one of the reasons for working together: "[t]he agility Israel has in developing solutions will innovate cyber defenses that we can test here and bring back to America.”

From Alliances to Startups and Vice Versa

The two high profile announcements about collaboration will likely be a boon for Israel’s continued ability to produce hundreds of cybersecurity startups. How many startups are we talking about exactly? Reuters quoted a figure of 400, while other sources put that figure closer to about 350 startups. Regardless of the exact number — as by their very nature startups come and go, sometimes in a matter of weeks or months — Israel is at the forefront of the global race to innovate in the cybersecurity space. Several (former) cybersecurity startups have now reached global name recognition; here are just a few, whose name you might recognize: IAI, Check Point, Verint, CyberArk, ECI, ByNET, CyberX, BGProtect, Clearsky, Safebreach.

The vibrant amount of activity in Israel hasn’t gone unnoticed by the global investment community and the US. A recently introduced piece of legislation, Senate bill S.719, entitled “United States-Israel Cybersecurity Cooperation Enhancement Act of 2017” introduced in March 2017 might help the US adapt Israel’s recipe for success to further energize US activity in this key sector. The bill “requires the Department of Homeland Security (DHS) to establish a grant program to support cybersecurity research and development, and the demonstration and commercialization of cybersecurity technology.” Grant eligibility requires that “a project must be a joint venture between: (1) for-profit, nonprofit, or academic entities (including U.S. national laboratories) in the United States and Israel; or (2) the governments of the United States and Israel.”

Most companies in the cybersecurity domain are enjoying high levels of attention and success. For example, Israel Aerospace Industries Ltd. (IAI), the country’s largest aerospace and defense company (and government-owned), recently announced that it ended 2016 with over $100 million worth of contracts in “cyber-intelligence, cyber-forensics and analysis, and cyberdefense centers.” Its President and CEO, Joseph Weiss, recently said: “[w]e consider cyber to be a strategic field of activity and a growth engine at IAI, and expect it to continue to expand significantly in the coming years,” adding that “[w]e will continue to invest in cyber companies and research and development centers in order to continue to expand in this field.”

Fuel for Startups

While the Middle East is known for its fuel reserves, startups require a different kind of fuel: financial fuel. From a global cybersecurity investment perspective, PM Netanyahu, during his CyberWeek address, said that Israel had attracted a double-digit percentage of the world’s private cybersecurity investment in 2016. Added to the generous incentives provided by the government, such as a 4% tax rate for cybersecurity startups (compared to a 25% rate for regular businesses), as well as seed money that need only be repaid if the startup succeeds, the environment is highly conducive to having academics and former military elites join with business leaders to rapidly create startups.

Globally, investors have proven eager to pour billions of dollars into this domain. From 2012 to 2016, VCs reportedly invested $12.5 billion of seed money in over 1,200 startups, with annual totals rising from $1.32 billion in 2012 to $3.67 billion in 2015 (global figures). From an Israeli perspective, the country saw the creation of 65 new startups in 2016, putting the total number of companies active in cybersecurity at 365, and “maintained its leading position as a global center of cybersecurity innovation,” according to data from the nonprofit Start-Up Nation Central. The amount of investment flowing to Israeli startups was second only to that of the US and captured 15% of global venture capital flows into the sector. The capital raised by Israeli cybersecurity startups in 2016 was reported to be $581 million, up 9% from 2015.

The figures below, about the number of active Israeli cybersecurity companies and the exit deals, are produced by Start-Up Nation Finder™, a free online platform providing data and opportunities for collaboration with Israeli high-tech companies and start-ups. The tool was also used to analyze the data as part of a report by Start-up Nation Central on Israel's Cybersecurity Industry in 2016 (SNC report).

Figure 1 — Active Cybersecurity Companies in Israel (src: SNC report, used with permission)

Figure 2 — Exit Deals for Israeli Startups, 2014-2016 (src: SNC report, used with permission)

Human Capital and Academic Expertise

Although financial incentives and easy access to seed money make for a frantic level of startup activity, it is the ability of these budding companies to tap into a well-trained workforce and academic expertise that helps buds turn into full-bloom flowers. We’ll focus on academia next, since the first article in this series already covered many aspects of Israel’s workforce.

While many countries have reasonably close ties between academia and industry, few display the level of collaboration, cooperation, and freedom of movement between industry, the military, and academia that Israel does. The country’s leading academic institutions, such as Tel Aviv University (TAU) and Ben-Gurion University of the Negev (BGU), are not only home to cybersecurity research centers but also figure prominently at the center of a hive of activity around startups, applied research, and technology transfer.

One such center of activity, Beersheba (also spelled “Beer Sheva”), is located 70 miles south of Tel Aviv. Beersheba has been called the Silicon Valley of Israel and, being home to BGU, it also showcases this tight collaboration between VCs, academia, and the military as the Israel Defense Forces move a large portion of their activities there. A key center in Beersheba is CyberSpark, the Israeli Cyber Innovation Arena. CyberSpark describes itself as “a joint venture of the Israeli National Cyber Bureau in the Prime Minister’s Office, Beer Sheva Municipality, Ben Gurion University of the Negev and leading companies in the cybersecurity industry.” Beersheba is now home to R&D centers for many global technology firms, including EMC/RSA and Lockheed Martin (LM), and the close proximity to BGU further fuels exchanges between students, industry, and academia, as exemplified by the university’s close work with Deutsche Telekom.

Closing Thoughts

A fellow journalist described Israel’s approach to nurturing cybersecurity startups as “a potent mix of tight government oversight and large-scale public investment in education, talent identification and development and R&D.” Other countries seem to agree, and so do international investors.

Reflecting upon my first visit to Israel just last week, I have found the country to be both an innovator and an incubator. Israeli companies seem to be able to move fast, innovate, and when things don’t go well, learn their lessons and adapt. With a strong ability to leverage expertise found in academic and military sectors, combined with a strategic directive from the government to invest in cyber — both as a matter of self-defense as well as to tap into this new burgeoning market — Israel has quickly risen to be a key player in the global cybersecurity market, and is likely to continue its leading role for decades to come.

Adobe Acrobat heap Execute Code Overflow Vulnerability

Adobe Acrobat is prone to a local code-execution vulnerability. A local attacker can exploit this issue to execute arbitrary code in the context of the user running the affected application. Failed exploit attempts may result in a denial-of-service condition.

Information Security 101 with Lisa Sotto: Types of Security Threats

In the second segment of this three-part series, Lisa Sotto, head of the Global Privacy and Cybersecurity practice at Hunton & Williams, discusses with The Electronic Discovery Institute the types of security threats facing global companies. “No industry is exempt; every company faces this threat. The bottom line is that cyber attackers are not discriminating,” Sotto warns. In this segment, Sotto describes the various threat actors and types of attacks to which companies are most vulnerable.

Watch the full video.

Why Your Next Cybersecurity Tool/Service Might Just Come from Israel — PART 1: Why Israel?

Note: in June 2017, I was invited by the Israeli Ministry of Foreign Affairs to attend the CyberWeek conference in Tel Aviv, as part of a delegation of journalists from around the globe. This article is one of three that I wrote following that experience.

A few years ago I decided to establish Israel as one of the five leading cyber powers in the world and I think by all accounts, we're there. But, the jury in cyber security is always out. And it's a constant challenge.
PM Netanyahu at the CyberWeek conference (June 26, 2017)

How does a small country, with about the same population as Switzerland, position itself to compete in the fast-paced global cybersecurity marketplace? In this article, we’ll explore the factors that have enabled Israel to position itself as a key future player in cybersecurity. In a follow-up article, we’ll look at how Israel has turned that potential into action, creating a marketplace for venture capital and innovation that has resulted in hundreds of security startups.


What is immediately noticeable when arriving in Israel is the number of young people around you. Unlike many of the largest countries and economies, Israel has a young, vibrant population, with over 43% of people aged 24 or under (CIA World Factbook). The median age is 29.7, compared to 37.9 for the US, 42 for Canada, and 42.7 for the entire European Union.

Population Chart for Israel, 2016 (src: CIA World Factbook)

Having a young population not only gives the country a stable current and future workforce supply, it also means that a larger percentage of the population is tech-savvy, having grown up in a world in which the Internet always existed, and being very comfortable using and understanding technology and the Web of Trust (WoT) that binds us all.

However, by itself, having a young population doesn’t mean that a country is poised to be a global player on the cybersecurity stage. So next, we’ll explore the role the government has played in shaping this nation to be a key player in cybersecurity.

Cyber — A Government Focus & Priority

While a growing number of governments around the world are proclaiming their desire to boost their cybersecurity workforce, nowhere is it more evident than in Israel. Attend any cybersecurity conference in Israel and you’ll inevitably run into dozens of key government leaders, from multiple sectors including the economy, import/export, the military, but also education and academia. Don’t be surprised if the head of the country pops in to make a short speech about the importance of the cyber domain to Israel’s future, as Prime Minister Netanyahu did on June 26th at the start of the CyberWeek conference at Tel Aviv University:

Cyber security is serious business. It's serious business for two reasons: the first reason is that it's a serious and growing threat. And it's a growing threat everywhere because everything, every single thing is being digitized. And the distinction between hi-tech and low-tech is rapidly disappearing. And as that happens in one country after another, in one industry after another, in one critical infrastructure after another, and as we enter the world of the internet of things the need for cyber security is growing exponentially.
Our decision in this case was to create a national cyber defense authority and we are organizing them around the cyber net so that everybody has secure information between the government and the various organizations and the business organizations. We can communicate in a secure way and the parties inside the net can communicate with each other. Not only to respond to attacks but to prevent them, to prevent them by early warning, to prevent them also by guidance, by teaching a systemic doctrine to the extent that you can be systemic in this business.
PM Netanyahu at the CyberWeek conference (June 26, 2017)

A Military Affair

The government’s role in leading the effort to position Israel as a leader in this space is undeniable. However, growing a cybersecurity workforce comes much easier to Israel than to the rest of the world, due to Israel’s need to protect itself from what they call “not so friendly neighbors.”

In many developed countries, the cybersecurity workforce is stretched thin, with near-zero or even negative unemployment in the field, leading companies to poach the best security people from their competitors and leaving the government sector with a near-empty pool of applicants, since government salaries are much lower (often 20%, 30%, even 40% lower) and the barriers to entry much higher (e.g., advanced degrees, a clean record, drug tests). A 2016 Indeed article compared the cost-of-living-adjusted salary of an information security specialist with three years of experience in Minneapolis ($127,757) with that of one in Arlington, VA ($74,254). The numbers speak for themselves.

In Israel the cyber workforce situation is very different: the Israel Defense Forces (IDF) provide the country with a fresh, self-renewing supply of talented young people who have often signed up for extra tours of duty in some of the IDF’s elite units (e.g., the famous Unit 8200, where many of today’s cybersecurity entrepreneurs once served). According to Wikipedia, the number of people reaching military age annually (estimates for 2016) is 60,000 males and another 60,000 females. While that number is by no means large, the experience instills in the conscripts many key values that last for decades after they have left their units and entered the workplace.

One of the most privileged spots in the IDF is Unit 8200, which is often referred to as Israel’s equivalent of the NSA. Unit 8200 is an intelligence unit responsible for collecting signals intelligence (SIGINT) and for code decryption. Unit 8200 is just one of several sought-after units in the Israeli Intelligence Corps, which is “responsible for collecting, disseminating, and publishing intelligence information for the General Staff and the political branch” and also engages “in counter-intelligence and information security work, and presents general assessments.” Several alumni of Unit 8200 “have gone on to found leading Israeli IT companies, among them CheckPoint, Imperva, Incapsula, CloudEndure, Cybereason, ICQ, LightCyber, NSO Group, Palo Alto Networks, indeni, NICE, AudioCodes, Gilat, Leadspace, EZchip, Onavo, Singular and CyberArk.”

However, Unit 8200 is just one of the many valuable units where young men and women can serve and, in the process, gain training and experience that can be of use in the business world.

Other Factors

Of course, there are other factors at play that have helped Israel position itself as a leader in this domain, beyond the young population, beyond the deliberate focus and support of the Israeli government, and beyond the fairly unique military apparatus which provides valuable training and experience.

These other factors include cultural aspects of resilience and innovation, access to academia for subject matter expertise, economic support for investments and growth in this space, and a startup mentality highly tolerant of failures — and more importantly lessons learned — to name a few.

In Israel, all of the factors mentioned above have contributed to creating a capacity for innovation and excellence in the cybersecurity domain. Just as importantly, the political and military leadership of the country are fully cognizant of that capacity and have decided to make it a national priority. As Dr. Eviatar Matania, Head of the Israel National Cyber Directorate, put it, “cyber is like the industrial revolution… We are just at the beginning of the cyber revolution… But we are going to be a cyber nation… as cybersecurity is a necessity to prosper.”

And as they say, the rest is history.

Our second article, “The Land of the Cyber Startups,” delves into the determined ways that Israel has been encouraging the growth of its cybersecurity sector.

VirusTotal += Cylance

We welcome Cylance scanner to VirusTotal. In the words of the company:

“Cylance is the first company to apply artificial intelligence, algorithmic science and machine learning to cybersecurity to prevent the most advanced security threats in the world. Using a breakthrough predictive analysis process, CylancePROTECT® quickly and accurately identifies what is benign and what is a threat, and prevents malicious code from ever executing on a targeted system. By coupling advanced machine learning and artificial intelligence with a unique understanding of an attacker’s mentality, Cylance provides technology and services that are truly predictive and preventive against the most advanced threats.”

Cylance has expressed its commitment to follow the recommendations of AMTSO and, in compliance with our policy, facilitates this review by NSS Labs, an AMTSO-member tester.

The ancient Microsoft networking protocol at the core of the latest global malware attack

Another day, another global malware attack made possible by a Microsoft security hole. Once again, attackers used hacking tools developed by the U.S. National Security Agency (NSA), which were stolen and subsequently released by a group called Shadow Brokers.

This time around, though, the late-June attack apparently wasn’t ransomware with which the attackers hoped to make a killing. Instead, as The New York Times noted, it was likely an attack by Russia on Ukraine on the eve of a holiday celebrating the Ukrainian constitution, which was written after Ukraine broke away from Russia. According to the Times, the attack froze “computers in Ukrainian hospitals, supermarkets, and even the systems for radiation monitoring at the old Chernobyl nuclear plant.” After that, it spread worldwide. The rest of the world was nothing more than collateral damage.

New Data Protection Enforcement Provisions Take Effect in Russia

As reported in BNA Privacy Law Watch, on July 1, 2017, a new law took effect in Russia allowing for administrative enforcement actions and higher fines for violations of Russia’s data protection law. The law, which was enacted in February 2017, imposes higher fines on businesses and corporate executives accused of data protection violations, such as unlawful processing of personal data, processing personal data without consent, and failure of data controllers to meet data protection requirements. Whereas previously fines were limited to 300 to 10,000 rubles ($5 to $169 USD), under the new law, available fines for data protection violations range from 15,000 to 75,000 rubles ($254 to $1,269 USD) for businesses and 3,000 to 20,000 rubles ($51 to $338 USD) for corporate executives.

Additionally, the law allows the Russian data protection authority (Roskomnadzor), to initiate administrative enforcement proceedings for alleged data protection violations. Previously, enforcement of the data protection law was undertaken by the Prosecutors’ Office.

Former Head of Shin Bet on Current State of Cybersecurity

This article explores what the former head of Shin Bet, Israel’s internal security service (the equivalent of Britain’s MI5 or the FBI in the US), thinks of the current state of cybersecurity in the world today, and what we can learn from his warnings.

In June 2017, I was invited by the Israeli Ministry of Foreign Affairs to attend the CyberWeek conference in Tel Aviv, as part of a delegation of journalists from around the globe. Among the key people we met and interviewed was Yuval Diskin, who headed Shin Bet (aka Shabak) from 2005 to 2011. Yuval is currently the Chairman of CyMotive, a company focusing on cybersecurity in the automotive industry. CyMotive was born out of a partnership with Volkswagen, which issued a press release in September 2016, touting the important role this new company would play for Volkswagen and the automotive industry:
The age of the connected car enables customers to use a variety of features inside modern vehicles. However, with increasing connectivity comes an increasing risk. Aspects such as intelligent and autonomous driving increase the number of interfaces in the vehicle and thus the risk of malicious attack.

Mr. Diskin quickly set the tone when it comes to the state of cybersecurity today, stating “attackers are very dynamic; defenders are very static, passive.” He went on to say that “interconnectivity is one of the biggest challenges” and that to prevent or detect attacks, you must extend your scope beyond the perimeter. The current approach deals with layers of defenses and incident response preparations, but both of those approaches require the organization to wait until an attacker has successfully compromised systems in order to react.

His approach? Leverage behavioral science to identify attackers, even before they have found you and penetrated your defenses. “Behind every cyber attack, there is a human being…” he said, explaining that the goal is to connect the dots to identify the humans behind the attacks. He calls his approach “intelligence driven offensive defense” and warns that many organizations and leaders prefer “naive” solutions to their cybersecurity problems, alluding to the patchwork of controls that many organizations have deployed today, with 36% of banks reportedly using between 51 and 100 security tools.

“There is a real reason to be frightened by the potential of a cyber attack,” he said, suggesting that current activity is the equivalent of child’s play (i.e., how a child explores his ability to impact the world around him and tests boundaries). So what are organizations to do? Instead of looking for new (cybersecurity) solutions, he said, organizations should ensure that their cyber processes are consistent and maturing, and that their controls are effective.

So what are you waiting for? Go test your controls, before someone else does.

VirusTotal += MAX

We welcome MAX scanner to VirusTotal. This scanner was developed by Saint Security Inc, headquartered in Seoul, South Korea. In the words of the company:

“MAX is a machine learning and cloud-based next-generation antivirus engine that identifies malware with AI. MAX, as a part of the Project launched by Saint Security in 2014, is designed to detect malware by using intelligence data from It identifies various malware by nature, maximizes detection rate and minimizes false-positives with multi-layer and whitelist learning. In addition, MAX detects various types of files such as Windows binary files (32bit, 64bit), Linux elf files, mobile APK files, etc.”

Saint Security has expressed its commitment to follow the recommendations of AMTSO and, in compliance with our policy, facilitates this review by SE Labs, an AMTSO-member tester.

Article 29 Working Party Releases Opinion on Data Processing at Work

The Article 29 Working Party (“Working Party”) recently issued its Opinion on data processing at work (the “Opinion”). The Opinion, which complements the Working Party’s previous Opinion 08/2001 on the processing of personal data in the employment context and its Working document on the surveillance of electronic communications in the workplace, seeks to provide guidance on balancing employees’ privacy expectations in the workplace with employers’ legitimate interests in processing employee data. The Opinion applies to all types of workers, not just those under an employment contract (e.g., freelancers).

The Working Party notes that the availability and rapid adoption of new workplace technologies, the lower costs of implementing such technologies and new forms of data processing have contributed to increased, systematic and potentially invasive employee data processing. In light of such developments, the Working Party emphasizes the importance of taking into account the fundamental data protection principles of the EU Data Protection Directive when processing data in the employment context.

The Working Party states that the Opinion also looks toward the additional obligations placed on employers by the upcoming EU General Data Protection Regulation (“GDPR”). The Opinion considers data protection by design, data protection impact assessments and Article 88 with respect to processing employee data.

The Opinion highlights the risks of unfettered monitoring technologies used to process employee personal data, including: chilling effects on confidential communications between employees, incompatible further processing of employee data, unjustifiable and intrusive employee surveillance, and obstructing an employee’s ability to report colleagues’ and superiors’ illegal actions.

The Opinion identifies nine different data processing at work scenarios where new technologies have, or may have, the potential to result in high risks to employees’ privacy. These include processing operations (1) during the recruitment process, (2) resulting from in-employment screening, (3) resulting from monitoring ICT usage at the workplace, (4) resulting from monitoring ICT usage outside the workplace, (5) relating to time and attendance, (6) using video monitoring systems, (7) involving vehicles used by employees, (8) involving disclosure of employee data to third parties, and (9) involving international transfers of HR and other employee data.

Key takeaways from the Opinion include:

  • For the majority of data processing at work, consent cannot form a valid legal basis because of the imbalance of power between employers and employees. Valid grounds may include: processing necessary for the performance of the employment contract (e.g., to pay the employee) or processing data in connection with obligations imposed by employment law (e.g., processing for tax calculation and salary administration).
  • To rely on the legitimate interest ground to process employee data, the processing must be strictly necessary for a legitimate purpose and must be proportionate to the business need. A proportionality test should be carried out prior to the deployment of any monitoring tool to consider whether all data are necessary, whether the processing outweighs the general privacy rights that employees have in the workplace, and whether appropriate measures have been put in place to ensure a balance with the rights and freedoms of employees.
  • In the context of recruiting, employers are allowed to collect job applicants’ personal data only to the extent that such collection is necessary and relevant to the performance of the job. Employers also must be able to justify a legitimate interest to inspect applicants’ social media profiles, taking into account whether it is related to business or private purposes.
  • Employees must be informed of the existence of any monitoring and the purposes for the monitoring. Policies relating to workplace monitoring must be clear and readily accessible.
  • Data processing at work must be a proportionate response to the risks faced by an employer. For example, if it is possible to block websites, instead of continuously monitoring all communications, blocking should be chosen.
  • With regard to Bring Your Own Device (“BYOD”) policies, employers should implement measures to prevent extensive device monitoring, as processing in this context may be unlawful if it captures data relating to the employee’s private and family life.
  • Health data processed by wearable devices should be accessible only to the employee and not the employer. The reason for this is that data in this context is unlikely to be truly anonymous and employees are not able to provide “free” consent to an employer.
  • Employers should refrain from the use of facial recognition technologies in the context of video analytics at the workplace, as this may be deemed disproportionate.
  • The employer should inform employees about the use of vehicle telematics, collecting data both about the vehicle and the employee using the vehicle (e.g., GPS tracking, driving behavior), and offer an opt-out (e.g., ability to temporarily turn off location) when the private use of a professional vehicle is allowed. In addition, event data recorders used to prevent accidents should not result in the continuous monitoring of the employee driver.
  • Employers must take the principle of data minimization into account when deciding on the deployment of new technologies. Information should be stored for the minimum amount of time necessary and deleted when no longer needed, and the employer should have a specified retention period.
  • Use of most cloud applications will result in the international transfer of employee data. Any transfers to third countries may take place only where an adequate level of protection is ensured, and data shared outside the EEA and accessed by other entities within the organization must remain limited to the minimum necessary for the intended purposes.

Paul’s Security Weekly #520 – Pickle Your Python

Moses Hernandez of Cisco Systems joins us, our friends at Javelin Networks discuss admin hunting and methods of credential theft for high privileged accounts, and we discuss the latest security news!
