Wubi (Active Members)
Posts: 893
Days Won: 17

Everything posted by Wubi

  1. Fail ass fed, or the most retarded carder ever.
  2. Next time, dump the database; to feed your white-hat ego, send them an e-mail too and sell the database if it is as huge as you say.
  3. 0Day HINT: If they don't have a bug bounty, put a Java applet in it, or some exploit in that XSS + website clone + mail. You record it and demonstrate all of this by infecting a virtual machine. Then they will surely take you more seriously than if an /XSS/ pops out of the page. In case you found SQLi or the equivalent, you address them directly with: Good evening, admin:e369f3e21b31bbd96a6532a289ac72e2,
  4. After you read what I wrote above, what do you say about censoring the word Hackyard from the ACP and UPDATE `moloz` SET content=REPLACE(content, 'hackyard', 'ASDFG');
  5. Dude, you have a vague notion of the staff and of a few members. You have no idea what is there; rather than guessing, better censor the word "hackyard" here, we are not interested in your advertising, we don't monetize traffic. We are talked about elsewhere: http://trojanforge.com/showthread.php?t=3424 http://trojanforge.com/showthread.php?t=1099&page=3&highlight=hackyard http://trojanforge.com/showthread.php?t=2725 On topic: it was a simple test; as long as you are sufficiently idiotic and careless, you deserve your fate. It has nothing to do with what is inside.
  6. At the beginning of this article, I want to thank all those without whom this article would not exist. For starters, I'd like to thank Izabela Galazewska. You are a wonderful woman, and without your compassion towards me, there would be no article, nor would I have a project. The second person is my brother, Luke. Thank you for your assistance with this publication and for the fact that I can always count on you. I also greet my son, Patrick. Remember, son, that no matter what, daddy loves you most in the world. Now we can begin.

     Quick introduction to jQuery

     A lot of times, as developers work daily on new versions of web pages, you'll hear them say, "Good God, I thank you for giving me jQuery." What is jQuery? It is a lightweight programming library for JavaScript. Its main task is to manipulate the DOM tree of elements. What does it really offer? Now, in exchange for a really small performance decrease compared to professionally written JavaScript code, we get the opportunity to achieve amazing animation effects on our website. In addition, we can also make dynamic changes and do all of the Ajax requests. In fact, most of the available jQuery plugins do not require any changes to the HTML source. Ok, that should be enough introduction. Let's move on.

     Reasonable use of the jQuery .on() event to prevent default user actions

     This problem is really very interesting. Let's put ourselves in the shoes of a bad hacker. What happens if he can invoke the default action using jQuery? Can he therefore call any action on your website? Or maybe he can do something more? So, the jQuery creator gave us something extra as developers. And that is the .on() function, which we can use to prevent the default action when the user clicks on the link. Previously, we were using one of the default values by clicking on the redirect link. These were "#", "javascript://", "javascript:void(0)". Today, however, we are dealing with something a little different. Namely, we can capture all the events using event.preventDefault(), which is called in the middle of a function. This is perfectly illustrated in the code below:

         // Be careful what parameters you give to the .on() function
         // Note that we handle the event within the function
         $("#Something").on("click", "a", function (event) {
           event.preventDefault(); // preventDefault()
           // Now we can do something
           // It's also advised to be careful and not leave it on so the
         });

     Note that the structure of the jQuery library has a lot of technical reasons why jQuery uses these options on the .on() function. To know more about the features of .on(), you can, of course, read the documentation for the jQuery library. Here is the link: .on() – jQuery API.

     Threats coming from Reply ()

     This error is not really strictly from jQuery. After all, jQuery, like everything related to JavaScript, runs on the client side. So how does using Reply () become dangerous? Consider a specific case. If you're using Reply and download data for a logged-in user, you might have a problem. As an attacker, I can look into the code and see there the following. Now, notice that the user id passed is probably used in jQuery. It is enough that, with a slight modification of your script, I can type a different user id. But what if you want to hide anything? And when I use validation? Well, of course they are not bad habits, but I would not rely only on jQuery or JavaScript. In addition, I'd be sure to check again that everything on the server side is certainly OK. Really, this is particularly important when you start thinking about using Ajax and DOM tree elements. In addition, I would always be 100% sure whether it will work even when JavaScript is disabled. Again, notice what I wrote. Well, if you do not make server-side filtering relevant nor check the permissions of your users, or if you do not check whether we can perform a code injection, everything is invalid and this will not help you. Every time, I would be able to manipulate your data as much as I want, and it will not really cost you too much work. But also note one more thing. Even when you are not using jQuery, if your template is a form POST, I can also do it. What if you use GET? My action is simpler; I just type your address with the appropriate parameters. So as you can see, this solution is not really related to jQuery, but to skills in programming.

     Errors in the old versions

     I'll say this: oh, God. Why use an old version of jQuery? What are you really after? Note that in the case of web applications and the languages used in their construction, each new version gives a lot of great improvements. First, the new version will always include amendments that affect safety and performance. Tell me, what is the point of using the old version of jQuery for new projects? Do you know how many bugs can appear in a jQuery project? Check it out and see if it is related to security issues. Using the old version is justified in only one case. Well, sometimes the customer may require the use of an outdated version. If the customer is paying for it, you should be sure to do so. But if you have an old project with an old version of jQuery, do not hesitate, just go ahead and change it to a newer version. Removal of errors that may occur will certainly be cheaper to implement than using outdated versions. The website has to load fast. What do I care if it has great visual effects if it takes an hour to load?

     jQuery storage in the root page template

     Another fundamental error: if an attacker knows how to get to the subject, he is able to make many changes to multiple files. He can also replace the local version of jQuery with his own. And then what? The whole thing can begin to act as the attacker wants. Really, it can then be interesting. And how do we fix it for a client? The customer can take offense at us and will never take advantage of our services again. This also shows one more very important thing. Well, it is better to take advantage of the global copy of the jQuery library, contained for example in a Google API. This solution also has a substantial advantage. Using jQuery from an external server, namely the Google API, allows the search engine to continuously monitor our site. Not only do we have access to all of Google's information, such as the number of visitors, but also, in the event of any problems with our site, Google will inform you about the infected site. We can even put the link:

         <script src="//ajax.googleapis.com/ajax/libs/jquery/1.8.0/jquery.min.js" type="text/javascript"></script>

     Always check each jQuery plugin before you throw it on your site

     Man, after all, jQuery is not that hard. Before you throw something on your site, I always look at this code. Do not let even the best plugin which does great things with the graphics on your website cause a failure. Do not allow this to happen, or you would not know what exactly is happening on your website. As I mentioned, understanding jQuery is not difficult. But what if you write your own code? Then writing a good jQuery script can be terribly difficult. You must unfortunately rely on trial and error. And then what? Do you have to rely on trial and error to find out what is good and what is not? Does it have to be this way? Of course not. If you create your own design, you can easily reduce the risk by following some very simple tests. If you write a jQuery script, also be a quality engineer. Start by checking the size of the file that contains your jQuery script. If the value is greater than the base library, there really is something wrong. Then, recall the article which describes Firebug. Firebug allows you to quickly and easily find a place where something is wrong. Firebug also allows you to check if indeed everything is in place and is behaving as it should. In addition, it is necessary to test the site on all possible browsers, and do not forget that today everything is mobile. Really make sure that the plugin runs on the phone and was not the cause of a crash. Check it out on iOS, check it out on Android, and check it on Windows Mobile. The rest is irrelevant today.

     Please, go to OWASP

     This is another very important thing for you. Here you will find information on possible attacks on websites. Read the top 10 list on how you can manipulate the script and attach to their data, and particularly check that all the information is in order to manipulate the scripts, JavaScript, and DOM tree elements. Reviewing this may prevent you from making mistakes in the future. It is really important if you want to create secure applications.

     Everything you write, test

     You must test each function in jQuery you write. Select the limits for it, the max and min, and then do max + 1, min + 1. If the function to display images is in any order, make sure it is really safe. Test the function of equipment, if you have any arguments, so pointless arguments scratch those that just come up. This is the process of software testing. Do it when you write a script or plugin, and by the way you will save yourself a lot of time later. If you do, you can be sure that your application is sure to be safe, but it does not mean it would be vulnerable to external manipulation.

     Bug Tracker

     Be sure to see the bug tracker for jQuery. Be sure to click on this link, New Ticket – jQuery Core - Bug Tracker, to see a list of bugs. There's no point in leaving anything to chance. Also check the disadvantages of each version of jQuery you are using, and then see how it solved the problem. See if the same problem then occurs in other versions. This is extremely important. Sometimes using some version of jQuery could mess up something good on your computer. Remember that jQuery is a programming library, based on JavaScript. That's what you do with JavaScript, but faster and more efficiently done using jQuery. View the page Timeline – jQuery Core - Bug Tracker and see what the errors in jQuery are. Learn how to write scripts, as well as how to throw them onto the page. Always know what script or plugin is loaded on your site and know what it is really doing.

     Summary

     This article shows not just the weakness of jQuery, but also how to write well and post jQuery scripts. It is actually the most common source of errors in this type of application: poorly written scripts, scripts downloaded from nowhere, a lack of knowledge of the basis on which the script works. Remember again that jQuery does not work on the server side. It works as JavaScript, on the user side, or on the side of the search engine. If you are not sure if it is worth exposing, turn off jQuery, Ajax and JavaScript. It's your choice. Properly used, jQuery is not dangerous, but jQuery used otherwise can be very dangerous. If you want me to show you how you can cleverly manipulate using jQuery and Ajax, just write to me. Or write to Rob and he would let me know if you want to. Believe me – you can really do more here than if it was on the server side.

     Source: InfoSec Institute Resources - How to Safely and Wisely use jQuery: Several Key Issues
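An added example (not code from the original article or from InfoSec Institute) for the "user id passed to an Ajax request" problem in the post above: it places the handler that trusts the client's user_id next to one that authorises from the server-side session and validates the parameter, which is the server-side check the post says JavaScript alone cannot provide. The request shape, handler names and the two-user table are constructed for this illustration.

```javascript
// Added example, not code from the original article: the "Ajax request
// carries a user id" problem. The client chooses user_id, so the server
// must decide access from its own session state, never from that value.
// Request objects and the user table are constructed for this example.

// Constructed sample "users" table (stand-in for a database lookup).
const USERS = {
  17: { id: 17, name: "alice", email: "alice@example.test" },
  42: { id: 42, name: "bob", email: "bob@example.test" },
};

// Shape of what the page's jQuery/Ajax call would deliver to the server.
// session.userId is set by the server at login; query.user_id is whatever
// the browser sent, i.e. anything a user can type after editing the script
// (or the URL, when the form uses GET).
function buildRequest(sessionUserId, requestedUserId) {
  return {
    session: sessionUserId === null ? null : { userId: sessionUserId },
    query: { user_id: String(requestedUserId) },
  };
}

// Vulnerable handler: the client-supplied id selects the record, so
// changing user_id in the script reads any other user's data.
function vulnerableProfile(req) {
  const user = USERS[req.query.user_id];
  return user ? { status: 200, body: user } : { status: 404, body: null };
}

// Hardened handler: the check the post says must live on the server.
//  1. require an authenticated session,
//  2. validate the parameter strictly (client-side validation can be bypassed),
//  3. allow access only to the caller's own record.
function hardenedProfile(req) {
  if (!req.session || !Number.isInteger(req.session.userId)) {
    return { status: 401, body: null };
  }
  const raw = req.query.user_id;
  if (!/^[1-9][0-9]{0,8}$/.test(raw)) {
    return { status: 400, body: null }; // e.g. "42 OR 1=1" never reaches a query
  }
  const requested = Number(raw);
  if (requested !== req.session.userId) {
    return { status: 403, body: null }; // not the caller's record
  }
  const user = USERS[requested];
  return user ? { status: 200, body: user } : { status: 404, body: null };
}

// Side-by-side run: alice (id 17) is logged in and asks for bob (id 42).
function compare() {
  const tampered = buildRequest(17, 42);
  return {
    vulnerable: vulnerableProfile(tampered).status, // 200: bob's data leaks
    hardened: hardenedProfile(tampered).status,     // 403: refused
  };
}

console.log(compare());
```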
  7. This article explains the concept of transferring personal data from the EU to third countries, what those third countries mean, the principles for making such transfers legitimate and the derogations from these principles, and last but not least, the transfer mechanisms of personal data to third countries.

     I. Transfer of personal data from EU to third countries

     A transfer of personal data to another country constitutes data processing, so the EU National Data Protection Authority of the Member State (MS) must be notified where the transfer is being done, in the same way as other processing operations. No restrictions or other formalities apply in relation to transfer of personal data to:
     - European Union (EU) Member States (MS);
     - Member countries of the European Economic Area (EEA);
     - Third countries (i.e. countries that are not Member States of the European Union) which are from time to time recognized by the EU Commission to have an adequate level of protection; and
     - Organisations complying with the US Department of Commerce's Safe Harbour Privacy Principles.

     i. The Council and the European Parliament have given the Commission the power to decide, on the basis of Article 25(6) of Directive 95/46/EC, whether a third country ensures an adequate level of protection by reason of its domestic law or of the international commitments it has entered into. The Decision is that personal data can flow from the 27 EU countries and three EEA member countries (Norway, Liechtenstein and Iceland) to that third country without any further safeguards being necessary. The Commission has so far recognized Andorra, Argentina, Australia, Canada, Switzerland, Faeroe Islands, Guernsey, State of Israel, Isle of Man, Jersey, the US Department of Commerce's Safe Harbour Privacy Principles, and the transfer of Air Passenger Name Record to the United States' Bureau of Customs and Border Protection as providing adequate protection.

     ii. The organizations on this list have notified the Department of Commerce that they adhere to the U.S.-EU Safe Harbor Framework developed by the Department of Commerce in coordination with the European Commission. The U.S.-EU Safe Harbor Framework provides guidance for U.S. organizations on how to provide adequate protection for personal data from the EU as required by the European Union's Directive on Data Protection. If interested in an organization that you are doing business with or considering doing business with, you could check out the list here: https://safeharbor.export.gov/list.aspx.

     II. Principles

     Article 25 of Directive 95/46/EC sets forward the principles for data transfer from the European Union (EU) to third countries:
     1. The EU Member State (MS), from where the personal data is transferred, should ensure that the third country that receives the personal data provides an adequate level of protection for that personal data while being processed or when it will be processed outside the EEA. An adequate level of protection refers to the same level of protection the EU has in place with regard to the processing of personal data (e.g. legislation as strong as Directive 95/46/EC).
     2. In order to determine if the level of protection is adequate or not, there should be an assessment of the circumstances for a data transfer operation, the nature of the data, the purpose and duration of the processing operation, the country of origin and country of final destination, the data protection/privacy legal framework (both general and sectoral) enforced in the third country in question and the professional rules and security measures that country complies with.
     3. The MS and the EU Commission shall inform each other of cases where they consider that a third country does not ensure an adequate level of protection within the meaning of the previous paragraph.
     4. Where the Commission finds that a third country does not ensure an adequate level of protection within the meaning of paragraph 2, the MS should take the measures necessary to prevent any transfer of data of the same type to the third country in question.
     5. Subsequently, the Commission should enter negotiations with that third country, to try to remedy the situation and find a common solution, either to stop the data transfer or to help enable the third country to offer an adequate level of protection (e.g. data transfer mechanisms).
     6. The Commission can decide if a third country ensures an adequate level of protection by considering its domestic law or the international commitments it has entered into, particularly upon conclusion of the negotiations referred to in the previous paragraph, for the protection of the private lives and basic freedoms and rights of individuals. MS have to take the measures necessary to comply with the Commission's decision.

     III. Derogations

     Article 26, Directive 95/46/EC provides that:
     1. By way of derogation from Article 25, Directive 95/46/EC, Member States have to provide that a transfer of personal data to a third country which does not ensure an adequate level of protection within the meaning of Article 25(2) may take place on condition that:
        (a) The data subject has given his consent unambiguously to the proposed transfer; or
        (b) The transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken in response to the data subject's request; or
        (c) The transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and a third party; or
        (d) The transfer is necessary or legally required on important public interest grounds, or for the establishment, exercise or defence of legal claims; or
        (e) The transfer is necessary in order to protect the vital interests of the data subject; or
        (f) The transfer is made from a register which, according to laws or regulations, is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate legitimate interest, to the extent that the conditions laid down in law for consultation are fulfilled in the particular case.
     2. Without prejudice to the previous paragraph, a MS may authorize a transfer or a set of transfers of personal data to a third country which does not ensure an adequate level of protection, where the controller provides adequate safeguards with respect to the protection of the privacy and fundamental rights and freedoms of individuals and with regard to the exercise of the corresponding rights; such safeguards may in particular result from appropriate contractual clauses.
     3. The MS has to inform the Commission and the other Member States of the authorizations it grants based on the safeguards (e.g. contractual clauses). If a MS or the Commission objects on justified grounds involving the protection of the privacy and fundamental rights and freedoms of individuals, then the Commission has to take appropriate measures to protect the individual rights and freedoms with regard to the protection of their personal data. MS have to take the necessary measures to comply with the Commission's decision.
     4. Where the Commission decides that certain standard contractual clauses offer sufficient safeguards as required by paragraph 2, MS shall take the necessary measures to comply with the Commission's decision.

     IV. Personal data transfer mechanisms

     1. Standard Contractual Clauses

     The use of standard contractual clauses is recommended in order to ensure that the rights of individuals are safeguarded even in countries which do not ensure an adequate level of protection. According to the COMMISSION DECISION of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC, the standard contractual clauses are considered as offering adequate safeguards with respect to the protection of the privacy and fundamental rights and freedoms of individuals and as regards the exercise of the corresponding rights as required by Article 26(2) of Directive 95/46/EC.

     STANDARD CONTRACTUAL CLAUSES (PROCESSORS)

     For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection

     Name of the data exporting organization:
     Address:
     Tel., Fax, Email:
     Other information needed to identify the organization (the data exporter):

     And

     Name of the data importing organization:
     Address:
     Tel., Fax, Email:
     Other information needed to identify the organization (the data importer):

     each a 'party'; together 'the parties',

     HAVE AGREED on the following Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1.

     Clause 1 Definitions

     For the purposes of the Clauses:
     (a) 'personal data', 'special categories of data', 'process/processing', 'controller', 'processor', 'data subject' and 'supervisory authority' shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;
     (b) 'the data exporter' means the controller who transfers the personal data;
     (c) 'the data importer' means the processor who agrees to receive from the data exporter personal data intended for processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country's system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC;
     (d) 'the sub-processor' means any processor engaged by the data importer or by any other sub-processor of the data importer who agrees to receive from the data importer or from any other sub-processor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract;
     (e) 'the applicable data protection law' means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established;
     (f) 'technical and organizational security measures' means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.

     Clause 2 Details of the transfer

     The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the Clauses.

     Clause 3 Third-party beneficiary clause

     1. The data subject can enforce against the data exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary.
     2. The data subject can enforce against the data importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.
     3. The data subject can enforce against the sub-processor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the sub-processor shall be limited to its own processing operations under the Clauses.
     4. The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.

     Clause 4 Obligations of the data exporter

     The data exporter agrees and warrants:
     (a) that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State;
     (b) that it has instructed and throughout the duration of the personal data-processing services will instruct the data importer to process the personal data transferred only on the data exporter's behalf and in accordance with the applicable data protection law and the Clauses;
     (c) that the data importer will provide sufficient guarantees in respect of the technical and organizational security measures specified in Appendix 2 to this contract;
     (d) that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;
     (e) that it will ensure compliance with the security measures;
     (f) that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC;
     (g) to forward any notification received from the data importer or any sub-processor pursuant to Clause 5(b) and Clause 8(3) to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension;
     (h) to make available to the data subjects upon request a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of any contract for sub-processing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;
     (i) that, in the event of sub-processing, the processing activity is carried out in accordance with Clause 11 by a sub-processor providing at least the same level of protection for the personal data and the rights of data subject as the data importer under the Clauses; and
     (j) that it will ensure compliance with Clause 4(a) to (i).

     Clause 5 Obligations of the data importer

     The data importer agrees and warrants:
     (a) to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to promptly inform the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
     (b) that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract, and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
     (c) that it has implemented the technical and organizational security measures specified in Appendix 2 before processing the personal data transferred;
     (d) that it will promptly notify the data exporter about: (i) any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation; (ii) any accidental or unauthorized access; and (iii) any request received directly from the data subjects without responding to that request, unless it has been otherwise authorized to do so;
     (e) to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;
     (f) at the request of the data exporter, to submit its data-processing facilities for audit of the processing activities covered by the Clauses, which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority;
     (g) to make available to the data subject upon request a copy of the Clauses, or any existing contract for sub-processing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Appendix 2 which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;
     (h) that, in the event of sub-processing, it has previously informed the data exporter and obtained its prior written consent;
     (i) that the processing services by the sub-processor will be carried out in accordance with Clause 11;
     (j) to send promptly a copy of any sub-processor agreement it concludes under the Clauses to the data exporter.

     Clause 6 Liability

     1. The parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or sub-processor, is entitled to receive compensation from the data exporter for the damage suffered.
     2. If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter, arising out of a breach by the data importer or his sub-processor of any of their obligations referred to in Clause 3 or in Clause 11, because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The data importer may not rely on a breach by a sub-processor of its obligations in order to avoid its own liabilities.
     3. If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs 1 and 2, arising out of a breach by the sub-processor of any of their obligations referred to in Clause 3 or in Clause 11 because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the sub-processor agrees that the data subject may issue a claim against the data sub-processor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the sub-processor shall be limited to its own processing operations under the Clauses.

     Clause 7 Mediation and jurisdiction

     1. The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject:
        (a) to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority;
        (b) to refer the dispute to the courts in the Member State in which the data exporter is established.
     2. The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.

     Clause 8 Cooperation with supervisory authorities

     1. The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.
     2. The parties agree that the supervisory authority has the right to conduct an audit of the data importer, and of any sub-processor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.
     3. The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any sub-processor preventing the conduct of an audit of the data importer, or any sub-processor, pursuant to paragraph 2. In such a case, the data exporter shall be entitled to take the measures foreseen in Clause 5(b).

     Clause 9 Governing law

     The Clauses shall be governed by the law of the Member State in which the data exporter is established, namely:

     Clause 10 Variation of the contract

     The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clause.

     Clause 11 Sub-processing

     1.
The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the sub-processor which imposes the same obligations on the sub-processor as are imposed on the data importer under the Clauses (1). Where the sub-processor fails to fulfill its data protection obligations under such written agreement the data importer shall remain fully liable to the data exporter for the performance of the sub-processor’s obligations under such agreement. 2. The prior written contract between the data importer and the sub-processor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the sub-processor shall be limited to its own processing operations under the Clauses. 3. The provisions relating to data protection aspects for sub-processing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established, namely: 4. The data exporter shall keep a list of sub-processing agreements concluded under the Clauses and notified by the data importer pursuant to Clause 5(j), which shall be updated at least once a year. The list shall be available to the data exporter’s data protection supervisory authority. Clause 12 Obligation after the termination of personal data-processing services 1. 
The parties agree that on the termination of the provision of data-processing services, the data importer and the sub-processor shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore. 2. The data importer and the sub-processor warrant that upon request of the data exporter and/or of the supervisory authority, it will submit its data-processing facilities for an audit of the measures referred to in paragraph 1. On behalf of the data exporter: Name (written out in full): ……. Position: ….. Address: ……. Other information necessary in order for the contract to be binding (if any): (stamp of organization) Signature: …………….. On behalf of the data importer: Name (written out in full): ……. Position: ………….. Address: …………. Other information necessary in order for the contract to be binding (if any): (stamp of organization) Signature: ……………………………………………….. Appendix 1 to the Standard Contractual Clauses This Appendix forms part of the Clauses and must be completed and signed by the parties. The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix. Data exporter The data exporter is (please specify briefly activities relevant to the transfer):…….. Data importer The data importer is (please specify briefly activities relevant to the transfer):……….. 
Data subjects
The personal data transferred concern the following categories of data subjects (please specify): …………………
Categories of data
The personal data transferred concern the following categories of data (please specify): …
Special categories of data (if appropriate)
The personal data transferred concern the following special categories of data (please specify): ………………………
Processing operations
The personal data transferred will be subject to the following basic processing activities (please specify): ……………
DATA EXPORTER Name: …………………………………………………….. Authorized Signature: ……………………………..
DATA IMPORTER Name: ……………………………………………… Authorized Signature: ………………………….

Appendix 2 to the Standard Contractual Clauses
This Appendix forms part of the Clauses and must be completed and signed by the parties. Description of the technical and organizational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached): ……………………………..

2. Binding Corporate Rules
Binding corporate rules (BCRs) are internal rules such as a Code of Conduct that can be used by multinational companies to ensure that they are providing an adequate level of protection for the intra-group transfers of personal data from a country in the EU or the European Economic Area (EEA) to a third country. The use of BCRs requires, in principle, the approval of each of the EU or EEA National Data Protection Authorities from whose country the data are to be transferred. BCR provides a sufficient level of protection to companies to get authorization of transfers by national data protection authorities (“DPA”). BCR’s applicability is different than the Standard Contractual Clauses as the BCR do not provide a basis for transfers made outside the group. Art.
29 Working Party (The Working Party on the Protection of Individuals with regard to the Processing of Personal Data that has an advisory status and acts independently and examines any question covering the application of the national measures adopted under this Directive in order to contribute to the uniform application of such measures), provides a framework for BCR, which are not to be considered the official standard model of BCR. This framework ensures that the requirements of the Directive 95/46/EC are met by those multinational organizations when processing data outside EU or EEA:
i. Scope
A description of the scope of the BCR’s application and especially:
- That they will apply to intra-group transfers and processing.
- The geographical scope (only data processed in the EU and transferred outside of the EU or all data).
- The material scope (e.g. type of processing: automated/manual, nature of data: customer/HR/suppliers).
A general description of the data flows and the purposes of the processing including:
- The nature of the data transferred,
- The purposes of the transfer/processing,
- The data importers/exporters in the EU and outside of the EU
ii. Definitions
A description of the main terms and their definitions:
- The main definitions (personal data, sensitive personal data, data subject, controller, processor, processing, third party, Data Protection Authorities),
- Other relevant definitions might be inserted in a glossary, such as data exporter, data importer, EU headquarters/EU Member with delegated responsibilities, members of the group, privacy officer/function.
- A commitment to interpret the terms in the BCRs according to the EU Directives 95/46/EC and 2002/58/EC.
iii. Purpose limitation
A description of the purposes for which the data are processed and transferred and confirmation that:
- Personal data will be transferred and processed for specific and legitimate purposes.
- Personal data will not be further processed in a way incompatible with those purposes.
- Sensitive Data will be provided with additional safeguards such as provided by the EU Directive 95/46/EC.
iv. Data quality and proportionality
A commitment that:
- Personal data must be accurate and where necessary, kept up-to-date.
- Personal data should be adequate, relevant and not excessive in relation to the purposes for which they are transferred and further processed.
- Personal data should not be processed for longer than necessary for the purposes for which they are obtained and further processed.
v. Legal basis for processing
A commitment that:
- Personal data must be accurate and where necessary, kept up-to-date.
- Personal data should be adequate, relevant and not excessive in relation to the purposes for which they are transferred and further processed.
- Personal data should not be processed for longer than necessary for the purposes for which they are obtained and further processed.
vi.
Legal basis for processing sensitive data
Processing of sensitive data is prohibited except if:
- The data subject has given his explicit consent to the processing of those sensitive data, except where the applicable laws prohibit it; or
- The processing is necessary for the purposes of carrying out the obligations and specific rights of the controller in the field of employment law in so far as it is authorized by national law providing for adequate safeguards; or
- The processing is necessary to protect the vital interests of the data subject or of another person where the data subject is physically or legally incapable of giving his consent; or
- The processing is carried out in the course of its legitimate activities with appropriate guarantees by a foundation, association or any other non-profit-seeking body with a political, philosophical, religious or trade-union aim and on condition that the Processing relates solely to the members of the body or to persons who have regular contact with it in connection with its purposes and that the data are not disclosed to a third party without the consent of the data subjects; or
- The processing relates to sensitive data which are manifestly made public by the data subject; or
- The processing of sensitive data is necessary for the establishment, exercise or defense of legal claims; or
- The processing of the sensitive data is required for the purposes of preventive medicine, medical diagnosis, the provision of care or treatment or the management of health-care services, and where those sensitive data are processed by a health professional subject under national law or rules established by national competent bodies to the obligation of professional secrecy or by another person also subject to an equivalent obligation of secrecy.
vii. Transparency and information right
A commitment to make the BCR readily available to every data subject.
Moreover, your BCRs shall describe the way the data subject is informed of the transfer and processing of their personal data. A commitment that before their data is processed data subjects will be given the following information: - The identity of the controller(s) and of his representative, if any; - The purposes of the processing for which the data are intended; - Any further information such as: i) the recipients or categories of recipients of the data, ii) the existence of the right of access to and the right to rectify the data concerning him in so far as such further information is necessary, having regard to the specific circumstances in which the data are collected, to guarantee fair processing in respect of the data subject. Where the data have not been obtained from the data subject, the obligation to inform the data subject does not apply if the provision of such information proves impossible or would involve a disproportionate effort or if recording or disclosure is expressly laid down by law. viii. Rights of access, blocking, erasure, rectifications of data A commitment that: - Every data subject has the right to obtain without constraint at reasonable intervals and without excessive delay or expense a copy of all data relating to them that are processed. Every data subject has the right to obtain the rectification, erasure or blocking of data in particular because the data are incomplete or inaccurate. - Every data subject has the right to object, at any time on compelling legitimate grounds relating to their particular situation, to the processing of their personal data, unless that processing is required by law. Where the objection is justified, the processing must cease. - Every data subject has the right to object, on request and free of charge, to the processing of personal data relating to him for the purposes of direct marketing. An explanation of how the data subjects can get access to their personal data. ix. 
Automated individual decisions A commitment that no evaluation of or decision about the data subject which significantly affects them will be based solely on automated processing of their data unless that decision: - is taken in the course of the entering into or performance of a contract, provided the request for the entering into or the performance of the contract, lodged by the data subject, has been satisfied or that there are suitable measures to safeguard his legitimate interests, such as arrangements allowing him to put his point of view; or - is authorized by a law which also lays down measures to safeguard the data subject’s legitimate interests. x. Security and confidentiality A commitment that appropriate technical and organizational measures to protect personal data have been implemented against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the Processing involves the transmission of data over a network, and against all other unlawful forms of processing. Having regard to the state of the art and the cost of their implementation, such measures shall ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be protected. In this regard, sensitive data should be processed with enhanced security measures. xi. Relationships with processors that are member of the same group An explanation of how personal data are protected when using a processor who is a member of the group. In particular a requirement that: - The controller must choose a processor providing sufficient guarantees with respect to the technical security measures and organizational measures governing the processing to be carried out, and must ensure compliance with those measures. 
- The controller shall instruct the processor by written contractual means in accordance with the applicable law and this contract will, among others, stipulate: i) That the processor shall act only on instructions from the controller; ii) The rules relating to the security and confidentiality to be incumbent on the processor. xii. Restrictions on transfers and onward transfers to external processors and controllers (not members of the group) An explanation of the measures in place to restrict transfers and onward transfers outside of the group and a commitment that: - External processors located inside the EU or in a country recognized by the EU Commission as ensuring an adequate level of protection shall be bound by a written agreement stipulating that the processor shall act only on instructions from the controller and shall be responsible for the implementation of the adequate security and confidentiality measures. - All transfers of data to external controllers located out of the EU must respect the European rules on transborder data flows (Articles 25-26 of Directive 95/46/EC: for instance making use of the EU Standard Contractual Clauses approved by the EU Commission 2001/497/EC or 2004/915/EC or by other adequate contractual means according to Articles 25 and 26 of the EU Directive). - All transfers of data to external processors located out of the EU must respect the rules relating to the processors (Articles 16-17 Directive 95/45/EC) in addition to the rules on transborder data flows (Articles 25-26 of Directive 95/46/EC). xiii. Training programs A commitment to provide appropriate training on the BCRs to personnel who have permanent or regular access to personal data, are involved in the collection of personal data or in the development of tools used to process personal data. xiv. 
Audit program
A commitment to audit the group’s compliance with the BCRs and in particular that:
- The audit program covers all aspects of the BCRs including methods of ensuring that corrective actions will take place.
- Such audit must be carried out on a regular basis (specify the time) by the internal or external accredited audit team or on specific request from the privacy officer/function (or any other competent function in the organization).
- The results of all audits should be communicated to the privacy officer/function (or any other competent function in the organization) and to the board of management.
- The Data Protection Authorities can receive a copy of such audits upon request.
- The audit plan should allow the Data Protection Authorities to have the power to carry out a data protection audit if required.
- Each Member of the group shall accept that they could be audited by the Data Protection Authorities and that they will abide by the advice of the Data Protection Authorities on any issue related to those rules.
xv. Compliance and supervision of compliance
A commitment to appoint appropriate staff (such as a network of privacy officers) with top management support to oversee and ensure compliance with the rules. A brief description of the internal structure, role and responsibilities of the network of privacy officers or similar function created to ensure compliance with the rules. For example, that the chief privacy officer advises the board of management, deals with Data Protection Authorities’ investigations, annually reports on compliance, ensures compliance at a global level and that privacy officers can be responsible for handling local complaints from data subjects, reporting major privacy issues to the chief privacy officer and for ensuring compliance at a local level.
xvi.
Actions in case of national laws preventing respect of BCRs
A clear commitment that where a member of the group has reasons to believe that the legislation applicable to him prevents the company from fulfilling its obligations under the BCRs and has substantial effect on the guarantees provided by the rules, he will promptly inform the EU headquarters or the EU member with delegated data protection responsibilities or the other relevant privacy function (except where prohibited by a law enforcement authority, such as prohibition under criminal law to preserve the confidentiality of a law enforcement investigation). In addition, a commitment that where there is conflict between national law and the commitments in the BCR, the EU headquarters, the EU member with delegated data protection responsibilities or the other relevant Privacy Function will take a responsible decision on what action to take and will consult the competent Data Protection Authorities in case of doubt.
xvii. Internal complaints mechanisms
A commitment to put in place a complaint handling process where:
- Any data subject may complain that any member of the group is not complying with the BCRs.
- The complaints will be dealt with by a clearly identified department/person which must benefit from an appropriate level of independence in the exercise of his/her functions.
xviii. Third party beneficiary rights
A clear statement that the BCRs grant rights to data subjects to enforce the rules as third-party beneficiaries. The rights should cover the judicial remedies for any breach of the rights guaranteed and the right to receive compensation (see articles 22 and 23 of the EU Directive). A statement that the data subjects can choose to lodge claims before:
- The jurisdiction of the data exporter located in the EU, or
- The jurisdiction of the EU headquarters/the EU Member with delegated responsibilities, or
- Before the competent Data Protection Authorities.
A commitment that all data subjects benefiting from the third party beneficiary rights should also have easy access to this clause.
xix. Liability
A commitment that:
- Either EU headquarters or the EU Member with delegated responsibilities accept responsibility for and agree to take the necessary action to remedy the acts of other Members of the corporate group outside of the EU and to pay compensation for any damages resulting from the violation of the BCRs by the members of the group.
- The burden of proof stays with either the EU headquarters or the EU Member with delegated responsibilities to demonstrate that the member outside the EU is not liable for the violation resulting in the damages claimed by the data subject. If the EU headquarters or the EU Member with delegated responsibilities can prove that the member outside the EU is not liable for the violation, it may discharge itself from any responsibility.
xx. Mutual assistance and cooperation with Data Protection Authorities
A commitment that:
- Members of the group shall cooperate and assist each other to handle a request or complaint from an individual or an investigation or inquiry by Data Protection Authorities.
- Entities will abide by the advice of the Data Protection Authorities on any issues regarding the interpretation of the BCRs.
xxi. Updates of the rules
A commitment to report any significant changes to the BCRs or to the list of members to all group members and to the Data Protection Authorities to take into account modifications of the regulatory environment and the company structure and more precisely that:
- Some modifications might require a new authorization from the Data Protection Authorities.
- Updates to the BCRs or to the list of the Members of the group bound by the BCRs are possible without having to re-apply for an authorization providing that: i) An identified person keeps a fully updated list of the members of the BCRs and keeps track of and records any updates to the rules and provides the necessary information to the data subjects or Data Protection Authorities upon request. ii) No transfer is made to a new member until the new member is effectively bound by the BCRs and can deliver compliance. iii) Any changes to the BCRs or to the list of Members should be reported once a year to the Data Protection Authorities granting the authorizations with a brief explanation of the reasons justifying the update.
A commitment that substantial modifications to the rules will also be communicated to the data subjects.
xxii. Relationship between national laws and the BCRs
An explanation that:
- Where the local legislation, for instance EU legislation, requires a higher level of protection for personal data, it will take precedence over the BCRs.
- In any event data shall be processed in accordance with the applicable law as provided by the Article 4 of the Directive 95/46/EC and the relevant local legislation.
xxiii. Final provisions
- Effective date
- Transitional period
Documentation to be provided to the DPAs
- Standard Application Form WP133.
- Any documentation that may show that commitments in the BCRs are being respected, for instance:
- Privacy policies per processing (e.g. Customer Privacy Policy, HR Privacy Policy) to inform data subjects (e.g. customers, employees) about the way the Company protects their personal data
- Guidelines for employees having access to personal data so that they can easily understand and apply the rules prescribed into the BCRs (e.g.
guidelines on how to respond to a complaint from a data subject, on how to provide information to data subjects, on appropriate security/confidentiality measures to be observed)
- Data protection audit plan and program defined with relevant persons (internal/external accredited auditors of the company)
- Examples and/or explanation of the training program
- Documentation showing that the member that is at the origin of the transfer of data outside of the EU and either the EU headquarters or the EU Member with delegated responsibilities has sufficient assets to enable payment of compensation for damages resulting from the breach of the BCRs.
- Description of the internal complaint system
- List of entities bound by the BCRs
- Security policy for IT systems processing EU personal data
- Certification process to make sure that all new IT applications processing EU data are BCRs compliant
- Any standard contracts to be used with data processors (member or non-member of the Group) processing EU data
- Job description of data protection officers or other persons in charge of data protection in the Company.

3. Safe Harbor Agreement
According to the Commission Decision 2000/520EC with regards to the Directive 95/46/EC provisions, the EU Member States have to provide that the transfer of personal data to a third country may take place only if the third country in question ensures an adequate level of protection and the Member State laws implementing other provisions of the Directive are respected prior to the transfer.
The “Safe Harbor Privacy Principles” issued by the US Department of Commerce on 21 July 2000, are considered to ensure an adequate level of protection for personal data transferred from the Community to organizations established in the United States, having regard to the following documents issued by the US Department of Commerce:
(a) the safe harbor enforcement overview;
(b) a memorandum on damages for breaches of privacy and explicit authorizations in US law;
(c) a letter from the Federal Trade Commission;
(d) a letter from the US Department of Transportation.
The Commission’s Decision requires that the following conditions shall be met in relation to each transfer of data:
(a) the organization receiving the data has unambiguously and publicly disclosed its commitment to comply with the Principles implemented in accordance with the FAQs; and
(b) the organization is subject to the statutory powers of a government body in the United States, which is empowered to investigate complaints and to obtain relief against unfair or deceptive practices as well as redress for individuals, irrespective of their country of residence or nationality, in case of non-compliance with the Principles implemented in accordance with the FAQs.
i. Safe Harbor Principles, as outlined in the Commission Decision 2000/520EC
1. NOTICE
Individuals must be informed by organizations about:
- the purposes for which their personal information is collected and used,
- to whom their personal information may be disclosed,
- how to contact the organization with any inquiries or complaints,
- how the organization limits the use and disclosure of their private information.
The Notice should be provided in plain language to the individuals before the collection and use of data starts or if after, before the use of data which is not consistent with the collection purpose.
2.
CHOICE
An organization must:
- offer individuals the opportunity to opt out whether their personal information is (a) to be disclosed to a third party; (b) to be used for a purpose that is incompatible with the purpose(s) for which it was originally collected.
For sensitive information (i.e. medical or health information, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or information specifying the sex life of the individual), individuals must be:
- given affirmative or explicit (opt in) choice if the information is to be disclosed to a third party or used for a purpose other than those for which it was originally collected.
3. ONWARD TRANSFER
To disclose information to a third party, organizations must apply the Notice and Choice Principles. The transfer of private information to a third party could take place if:
- the third party subscribes to the Principles or is subject to the Directive 95/46/EC in order to ensure the same level of privacy protection as is required;
- if the organization complies with these requirements, it should not be responsible if the third party processes it in a way contrary to any restrictions or representations, unless the organization knows this.
4. SECURITY
Organizations creating, maintaining, using or disseminating personal information must take reasonable precautions to protect it from loss, misuse and unauthorized access, disclosure, alteration and destruction.
5. DATA INTEGRITY
Consistent with the Principles (which are similar to the Directive 95/46/EC), personal information must:
- be relevant for the purposes, for which it is to be used,
- an organization should not process personal information in a way that is incompatible with the purposes for which it has been collected or subsequently authorized by the individual,
- an organization should take reasonable steps to ensure that data is reliable for its intended use, accurate, complete, and current.
6.
ACCESS Individuals must have access to personal information about them that an organization holds and be able to - correct, - amend, - delete that information, where it is inaccurate, except where the burden or expense of providing access would be disproportionate to the risks to the individual’s privacy in the case in question, or where the rights of persons other than the individual would be violated. 7. ENFORCEMENT Effective privacy protection must include: - mechanisms for assuring compliance with the Principles, - recourse for individuals to whom the data relate affected by non-compliance with the Principles, - consequences for the organization when the Principles are not followed. At a minimum, such mechanisms must include: (a) easily available and affordable independent recourse mechanisms by which each individual’s complaints and disputes are investigated and resolved by reference to the Principles and damages awarded where the applicable law or private sector initiatives so provide;( follow up procedures for verifying that the attestations and assertions businesses make about their privacy practices are true and that privacy practices have been implemented as presented; © obligations to remedy problems arising out of failure to comply with the Principles by organizations announcing their adherence to them and consequences for such organizations. Sanctions must be sufficiently rigorous to ensure compliance by organizations. V. 
Conclusions Considering the legal requirements of the Directive 95/46/EC, Article 25… the transfer to a third country of personal data which are undergoing processing or are intended for processing after transfer may take place only if… the third country in question ensures an adequate level of protection…this Article provides three legal mechanisms for such transfers: -Standard Contractual Clauses – for single Organizations or entities -Binding Corporate Rules – for multinational Organizations or entities -Safe Harbor Agreement principles – for Organizations or entities located in the U.S. To conclude, this Article provides Organizations or entities with all the available mechanisms for data transfer from the European Union to third countries, regardless if those Organizations are independent-single entities or multinational ones. Sursa InfoSec Institute Resources - Transfer mechanisms of personal data from EU to third countries
8. 1. Introduction

Nowadays there are various threats in the wild that want to get malware installed on victim operating systems. Most of them use some kind of social engineering bundled together with some means to actually execute the malicious code, like JavaScript, malicious PDF documents, malicious Microsoft Office documents, etc. Of course, if we want the malicious code to execute, we must exploit some kind of vulnerability that exists in web browsers (if we’re propagating malware with JavaScript), Microsoft Word (if we’re propagating malware with .doc documents), Adobe PDF Reader (if we’re propagating malware with .pdf files), etc. All in all, we need to know that vulnerabilities are being exploited in all programs because of the malicious input data (all programs accept some kind of input data): web browsers accept web sites as input data, Microsoft Word accepts .doc documents as input, Adobe PDF Reader accepts .pdf files as input data, etc. Therefore, if we can construct malicious input data that exploits the vulnerability present in some of these programs, we can execute arbitrary data. Here we’ll take a look at the malicious JavaScript code that tries to execute arbitrary instructions on the target operating system.

2. JavaScript

JavaScript is pretty important when analyzing it, because we’re spending a considerable amount of our time in web browsers. And since web browsers understand, accept and execute JavaScript, we can feed a URI to the victim and wait for him/her to click on it. Upon clicking on the URI, we can send arbitrary malicious JavaScript to the victim, which will be executed in the web browser. We’re not limited to JavaScript only; we can use any kind of language that web browsers understand, but we’re using JavaScript because we can do pretty much anything with it. If we’re using JavaScript, we’re not limited to the web browsers only.
We can embed malicious JavaScript in any kind of input data being passed to the application that understands it. Thus, we can embed JavaScript into PDF documents, SWF files, etc. Attackers will often obfuscate the JavaScript embedded in any kind of document to harden the analysis of it. In such cases we can use a deobfuscator to beautify the JavaScript code in order to make it more readable and thus easier to understand. SpiderMonkey is a stand-alone C library implementation of a JavaScript interpreter. We can use it to analyze any JavaScript code, which is far safer than executing it directly in a web browser.

2.1. De-Obfuscating JavaScript Manually

Usually, an attacker obfuscates their JavaScript code so it isn’t readable anymore. An example of such code can be seen below:

[code]
<script>
function deobfuscate(input) {
  // deobfuscation code
}
eval(deobfuscate('23230433239 … '));
</script>
[/code]

The code doesn’t actually do anything, but we can see what the code is doing: it’s passing the integer argument to the deobfuscate() function, which deobfuscates the integers into real JavaScript code and evaluates and executes it. It’s evident that we need to take hold of the deobfuscated JavaScript code that is executed every time the page is loaded, but how? The answer is by redefining the eval function, which becomes the print function. This effectively prints the deobfuscated code rather than executes it. To do that, we need to copy the above code into a separate file (just the JavaScript code without the starting and ending <script> tag) and append the line below at the top of that file:

[code]
eval = print
[/code]

This redefines the eval function into the print function.
After that we can open that file with a web browser, but a better way is using the js command that comes with SpiderMonkey like below:

[code]
# js example.js
[/code]

SpiderMonkey will then execute the deobfuscate() function and print the result on the screen instead of executing it. Now we can start analyzing the deobfuscated JavaScript code and take a look at what the attacker was trying to achieve.

2.2. De-Obfuscating JavaScript with Jsunpack

Jsunpack can be used to de-obfuscate obfuscated JavaScript code automatically. It is a web application in which we can directly copy the obfuscated JavaScript code. The web application then analyzes the code and presents it back to us. There are multiple input elements that the web application accepts. We can paste the JavaScript code directly into the input box, we can provide a URL to the webpage that uses obfuscated JavaScript, we can even upload the PDF, PCAP, SWF, HTML or JavaScript files that will be analyzed automatically. The private checkbox option can be enabled if we don’t want the code to be released to the public and be made generally available. The privacy link right beside it presents us with the full explanation of that option. At the bottom of the page there are also three links. The first one is named “Blog” and points to the Jsunpack blog. The second one is named “Source Code” and points to the Google Code website of the Jsunpack-n tool. The third link is named “Recent Submissions” and points to the obfuscated malicious JavaScript code that was recently submitted. On the left side are recent submissions that don’t contain any malicious JavaScript code and on the right side are malicious JavaScript code submissions. If we click on one of the examples, there will be a detailed description of the obfuscated JavaScript code with a download link, which we can use to download a zip archive that contains the malicious JavaScript code.
Let’s download that PDF document, referenced as 61.4.82.210_37.pdf in the malicious uploads. Let’s download the zip archive. The first thing we want to do is to categorize the file based on the header information. We can do that with the file command, which says that the file is a PDF document:

[code]
# file c41f10c79ccea7432987a9d7050604a3eb47
c41f10c79ccea7432987a9d7050604a3eb47: PDF document, version 1.2
[/code]

After that it’s time to download the jsunpack-n program, which emulates browser functionality when visiting a URL. It can detect malicious code that can be used to exploit a web browser and browser plugins. After we’ve downloaded the tool and installed all dependencies (as noted in the INSTALL file), we can run jsunpack-n, which has the options presented below:

[code]
# ./jsunpackn.py -h
Usage: ./jsunpackn.py [fileName]
       ./jsunpackn.py -i [interfaceName]
jsunpack-network version 0.3.2c (beta)
[warning] pynids is disabled, while you cannot process pcap files or a network interface, you can still process JavaScript/HTML files

Options:
  -h, --help            show this help message and exit
  -t TIMEOUT, --timeout=TIMEOUT
                        limit on number of seconds to evaluate JavaScript
  -r REDOEVALTIME, --redoEvalLimit=REDOEVALTIME
                        maximium evaluation time to allow processing of alternative version strings
  -m MAXRUNTIME, --maxRunTime=MAXRUNTIME
                        maximum running time (seconds; cumulative total). If exceeded, raise an alert (default: no limit)
  -f, --fast-evaluation disables (multiversion HTML,shellcode XOR) to improve performance
  -u URLFETCH, --urlFetch=URLFETCH
                        actively fetch specified URL (for fully active fetch use with -a)
  -d OUTDIR, --destination-directory=OUTDIR
                        output directory for all suspicious/malicious content
  -c CONFIGFILE, --config=CONFIGFILE
                        configuration filepath (default options.config)
  -s, --save-all        save ALL original streams/files in output dir
  -e, --save-exes       save ALL executable files in output dir
  -a, --active          actively fetch URLs (only for use with pcap/file/url as input)
  -p PROXY, --proxy=PROXY
                        use a random proxy from this list (comma separated)
  -P CURRENTPROXY, --currentproxy=CURRENTPROXY
                        use this proxy and ignore proxy list from --proxy
  -q, --quiet           limited output to stdout
  -v, --verbose         verbose mode displays status for all files and decoding stages, without this option reports only detection
  -V, --very-verbose    shows all decoding errors (noisy)
  -g GRAPHFILE, --graph-urlfile=GRAPHFILE
                        filename for URL relationship graph, 60 URLs maximium due to library limitations
  -i INTERFACE, --interface=INTERFACE
                        live capture mode, use at your own risk (example eth0)
  -D, --debug           (experimental) debugging option, do not delete temporary files
  -J, --javascript-decode-disable
                        (experimental) dont decode anything, if you want to just use the original contents
[/code]

Now we can run jsunpack-n on our malicious PDF file as follows:

[code]
# ./jsunpackn.py c41f10c79ccea7432987a9d7050604a3eb47
[suspicious:5] [PDF] c41f10c79ccea7432987a9d7050604a3eb47
    suspicious: PDFobfuscation detected Collab[
    file: decoding_0c3be4288226f0bd341d8692d02a42652e9109e1: 78750 bytes
    file: original_f21cc41f10c79ccea7432987a9d7050604a3eb47: 13565 bytes
[/code]

We can see that the original PDF file was written at the location temp/files/original_f21cc41f10c79ccea7432987a9d7050604a3eb47, while the decoded JavaScript was written to
temp/files/decoding_0c3be4288226f0bd341d8692d02a42652e9109e1. The suspicious function uses the string Collab and is presented below:

[code]
function S7aL(u713,u714){Collab['\u0067\u0065\u0074\u0049\u0063\u006f\u006e'](u714+u713);}
[/code]

If we translate the Unicode encoding into ASCII we get the following JavaScript code:

[code]
function S7aL(a,b){ Collab['getIcon'](b+a); }
[/code]

But why is this suspicious? It’s only calling the getIcon() method. We can quickly get an answer to that if we Google a bit. There’s a remote code execution vulnerability in Acrobat Reader when calling Collab ‘getIcon()’ as can be seen here. It’s indeed the right choice to flag this PDF document as malicious. There are also various other options we can use when running jsunpack-n. One interesting option is the --timeout option that specifies the number of seconds for evaluation of JavaScript, which is useful if the JavaScript is using a heap spraying technique. The default timeout is 30 seconds, after which, if processing is still not finished, the evaluation is terminated and the results gathered so far are presented.
If we run the above analysis with the verbose flag set, we get the output below:

[code]
# ./jsunpackn.py -V c41f10c79ccea7432987a9d7050604a3eb47
[malicious:10] [PDF] c41f10c79ccea7432987a9d7050604a3eb47
    info: [decodingLevel=0] JavaScript in PDF 78663 bytes, with 87 bytes headers
    suspicious: PDFobfuscation detected Collab[
    info: [decodingLevel=1] found JavaScript error: undefined variable DDGfx
    info: Decoding option app.viewerVersion=9.1, 0 bytes
    info: Decoding option app.viewerVersion=8.0 and app.viewerVersion=7.0, 56 bytes
    info: Decoding option app.viewerVersion=, 42 bytes
    malicious: Utilprintf CVE-2008-2992 detected
    malicious: Alert detected //alert CVE-2008-2992 util.printf length (7,undefined)
    info: [2] no JavaScript
    info: file: saved ../c41f/c41f10c79ccea7432987a9d7050604a3eb47 to (./temp/files/original_f21cc41f10c79ccea7432987a9d7050604a3eb47)
    file: decoding_0c3be4288226f0bd341d8692d02a42652e9109e1: 78750 bytes
    file: decoding_9ff1f85b784f0684a5ddae6d96d0c9da5302fab1: 56 bytes
    file: original_f21cc41f10c79ccea7432987a9d7050604a3eb47: 13565 bytes
[/code]

Let’s compare the results with the online version of Jsunpack. The online analysis of the same PDF document. We can see that the detected vulnerabilities are not the same if we analyze the file with the jsunpack-n command line tool and the Jsunpack online version. Why is that? It’s simply because the online version uses the -f argument, which improves performance by evaluating the PDF document with a limited range of PDF Reader version numbers.
If we add that option to the jsunpack-n command line, we get the same output as we can see below:

[code]
# ./jsunpackn.py -V -f c41f10c79ccea7432987a9d7050604a3eb47
[malicious:10] [PDF] c41f10c79ccea7432987a9d7050604a3eb47
    info: [decodingLevel=0] JavaScript in PDF 78663 bytes, with 87 bytes headers
    suspicious: PDFobfuscation detected Collab[
    info: [decodingLevel=1] found JavaScript error: undefined variable DDGfx
    info: Decoding option app.viewerVersion=9.1, 0 bytes
    info: Decoding option app.viewerVersion=, 42 bytes
    malicious: collectEmailInfo CVE-2007-5659 detected
    info: [2] no JavaScript
    info: file: saved c41f10c79ccea7432987a9d7050604a3eb47 to (./temp/files/original_f21cc41f10c79ccea7432987a9d7050604a3eb47)
    file: decoding_0c3be4288226f0bd341d8692d02a42652e9109e1: 78750 bytes
    file: decoding_4074b66fea076c2f3fba4f4c05eb3f7329f4bde4: 42 bytes
    file: original_f21cc41f10c79ccea7432987a9d7050604a3eb47: 13565 bytes
[/code]

Now the same vulnerability is detected by both versions of the Jsunpack tool. It’s not redundant to also present the contents of the decoded files. The first decoded file 0c3be4288226f0bd341d8692d02a42652e9109e1. We didn’t present the whole file, just the first part of it, to be able to definitely say that the files are the same. If we look at the picture above, we can see that it starts with “var BseFa”, which is exactly the same as the first decoded file in the previous picture. The jsunpack-n tool also decoded another file. This time the only content of the file is a comment about the Collab.collectEmailInfo vulnerability that was found in the malicious PDF document. I guess the decompression algorithm didn’t continue the way we want (with other files being found, as with the online version of the tool), because we have a different version of the pre.js JavaScript script that isn’t as complete as the one used by the online version of the tool.
The decompressed files above represent each iteration in the deobfuscation process. The first file that starts with c41f is the actual downloaded PDF document. If there is only one decoded file, it means that Jsunpack didn’t detect any encoded data and didn’t decode anything; it just displays the found contents on the screen. But if there are multiple extracted files, we can be sure that the data within the document was encoded somehow. Usually the attackers employ encoding of the data to hide their content when sending exploits to the target machines. If the attacker is trying to hide something he will create two or more decodings, which can be successfully detected by Jsunpack. The Jsunpack tool can detect up to five stages of decoding levels, which results in up to five files. The more levels there are, the more evident it is that the attacker is trying to hide something and that the document is indeed holding something malicious.

3. Conclusion

We’ve seen that Jsunpack can be a great help with decompressing the decoded PDF files and should be a mandatory tool when analyzing possibly malicious PDF documents.

Source: InfoSec Institute Resources - Analyzing Malicious JavaScript
9. Sex. Why not. "Fan Wubi" t-shirts, who else is interested?
10. Isn't it the same news? https://rstcenter.com/forum/53798-hackerii-anony-romania-prinsi.rst A pity anyway, their next plan was to deface presidency.ro, putting in the IP of a big "enemy" of theirs and modifying logs so it would look like that person was behind the "villainy". They even had no-logins prepared for that. Dreadful; I once went onto their IRC channel, and one of them was asking how to translate an MD5.
11. It's in Paint, for fuck's sake.
12. Published on Nov 5, 2012 by Technic Dynamic

Howdy folks! It's amazing how quickly technology evolves nowadays... something you wouldn't even think could be possible, simply happens right before your eyes. Ten years ago, I first acquired my first computer and began making websites in HTML for fun, learning about web servers, programming etc.; back then, even to setup a simple local server was complicated for me. Fast forward ten years and we can carry a web server in our pockets and make changes to our website while taking a subway to central park.

Click here to read more: http://technicdynamic.com/2012/11/android-web-server-php-mysql-port-forwardin...
Port Forwarder: https://play.google.com/store/apps/details?id=at.bherbst.net&feature=sear....
NO-IP Update: https://play.google.com/store/apps/details?id=jf.actualizaip&feature=sear....
kWS: https://play.google.com/store/apps/details?id=org.xeustechnologies.android.kw....
KSWEB: https://play.google.com/store/apps/details?id=ru.kslabs.ksweb&feature=sea...
Song [1]: Blackmill - Evil Beauty
Song [2]: Blackmill - The Drift https://www.youtube.com/user/BlackmillMusic

Source: YouTube
13. When we talk about hacking, especially in today’s world, we hear the media giving us the stories of how hackers hack into a database and steal information from it, like this story. This is what the world hears about on a regular basis. How about the Stuxnet worm and Flame? Another example of malicious code hitting systems, stealing information, causing malfunctions, and the list goes on. The one thing society does not hear a lot about is how social engineering can play a huge part in hacking. In this article, we will look at how social engineering is one of the easier forms of hacking and what one can do to guard against these types of attacks. To borrow from the world renowned hacker Kevin Mitnick in his book “Ghost in the Wires”, Mr. Mitnick utilized social engineering throughout the book. Mr. Mitnick would call telephone companies and ask for access to their networks by playing different roles, and receive them effortlessly! Even as a kid he asked a bus driver where he could buy a punch used for punching bus transfer tickets. Then, he bought a punch and found partly used blank bus transfer stubs in a dumpster to ride around San Fernando Valley for free; yet another form of social engineering. Mr. Mitnick was a professional social engineer as a kid all the way up to when he was caught. Even today, he still performs social engineering in an ethical manner with his own penetration testing company, which he talks about in the opening of “Ghost in the Wires.” Kevin Mitnick points something out to all of us: social engineering has been around for a while, and you only need to think about your surroundings and do reconnaissance on your target to figure out a way to get to information. People say, “It would never happen to me, I wouldn’t fall for something like that.” The scary part is, technology is becoming more sophisticated to the point where we will give money away without a second thought.
For example, I heard of a situation where a woman, I’ll call Shelly, was “called” by her grandson Ralph in Brazil stating he needed money to get out of jail. Shelly said it sounded just like Ralph and she went to get the money to transfer it to the account she was given for his release. When she went to the local grocery store to accomplish the transfer, she was stopped by the clerk who asked some questions before performing the transaction; coincidentally, there had been a couple of other customers getting ready to perform a similar transaction for a loved one to the same account. Shelly could not believe it; it sounded like Ralph on the phone call. Feeling very distraught, she phoned her son Ben and asked if Ralph was there: “Yes, he’s sitting right here next to me.” Shelly was relieved, but still could not believe she was almost lured into a scam. Shelly was fortunate the clerk questioned the transaction before it happened. She now knows the next time she receives a phone call like this, she will contact the person to verify how legitimate the phone call is. She could also have asked to get the phone number from where the call originated and called it back to verify it was legitimate, or asked the phone operator where the number originated from. Another example of social engineering for account credentials is receiving an email with a link from a seemingly legitimate person or source (i.e. Bank of America). The email states you need to verify your credentials for your account and to click on the link, which typically takes the user to a website that looks exactly like the website the user would see for their bank. However, if one were to look closer, it is not their bank’s website, but has a very close resemblance to it. Something as simple as www.bankofamerica.com could actually be www.bank0famerica.com; the only difference between the URLs being the zero (0) in the “of” on the second URL.
The reality is, people don’t look that closely at the URL and I don’t blame them; however, the thought should cross a person’s mind to try calling the banking institution or individual to verify they really need this kind of information – they should not. At some companies, employees are required to wear a badge, and if there is classified information behind closed doors, a personal identification number (PIN) may be required as well. In these situations, if the social engineer knows someone behind the door, they can always wait for someone with access to use their badge and say, “Hi, I’m Jane Doe and I’m doing business in there with Sam Smith, but I don’t have my badge with me today; can you let me through? It’s just this once.” Most people that I have witnessed will just let the person through the door without a second thought to help them out; they won’t even follow Jane Doe to her destination to ensure Sam Smith knows her… this can be a mistake. Of course, if no one questions Jane Doe while she is in the area, no one is the wiser for letting her go about her business. However, if the person badging through states, “Let me find Sam Smith, I know where he sits, and I will have him come get you,” this will likely cause Jane Doe to think twice, and there is a good chance Jane Doe will not be there when Sam Smith goes to the door wondering who she is. Another example of badge entry is one Mr. Mitnick utilized in his book, where he searched the Internet to find the website of the company he was doing a penetration test for. Mr. Mitnick copied the company’s logo to make a very similar looking badge to the one worn by the employees. Utilizing his badge, he waited for the smokers to head in from their break. He went up to tailgate the last smoker going inside, presented his badge, and was inside the building. The person looking at his badge did not really look up close; had he done so, Mr. Mitnick may not have gained access to the building.
An excellent way to social engineer and gain access to potentially valuable information is via USB thumbdrive. I’ve heard of a situation where a person wanted to get access to information from a company and just left USB drives around in the parking lot. Why? Inevitably, a naïve employee of the company will pick it up and want to know what is on the drive or who it belongs to. So, they decide to plug it into a company computer to look… voila, malicious code inserted and, if no HIDS or HIPS or antivirus detects anything, the person could have more than just one computer! They could own the network! If this happens to an employee, they should at least take the device to their security personnel and report what happened. Social engineering is ever present on social media such as Facebook. People LOVE Facebook to the point of letting everyone know, “Going to Mom’s for the weekend! See you tonight Mom!” A person doesn’t even have to ask when they are going to be out of town or when they are leaving. Perfect opportunity to do some snooping around the house, try breaking in, etc. One other thing to notice: most people do not lock down their accounts, so you can peruse their friends and friends of friends, etc. to determine the ultimate target. Use a search engine such as Google to identify who they really are, such as CEO of a company (if they haven’t already posted that on their Facebook profile); find out their interests and hobbies; and potentially steal their identity. People would say that no one would go to that length to get money from someone; you’d be surprised at how easy it can be, as pointed out by the website Seven Easy Steps to Steal Someone's Identity | site.uspystore.com Blog. The lesson on this one is: do not tell the world you are leaving town for the weekend (or whenever); ensure your account is locked down to where only your friends can see your posts, and tell your friends to lock down their accounts too for the same reason.
Another security feature to consider enabling (under account settings from the drop down arrow, then select Security on the left hand side, and the menu will drop down in the middle) is the Recognized Devices setting, which allows you to restrict access to the account to only a specified computer(s) vs. from any computer… if a hacker gets your credentials, they can log on from anywhere and do whatever they want to your account. If a user clicks on the down arrow to the right of the home button and clicks on Help, Facebook actually provides valuable information on account settings for security and privacy settings. I actually had an instance of social engineering for money happen to me a while back. I was trying to sell items on Craigslist and put pictures out for people to look at them. I would let them email me and then I would send my phone number to them if they were interested in an item. I had an item listed for about two weeks with no hits, then I finally got one. The person said they were interested, so I sent my phone number and said to call me to discuss looking at the item. The response was something to the effect of: if you send the item to this state (California, I believe), I will send you the money once it is received… yes, OK, not going to happen. No, I did not respond, and coincidentally, neither did the other person (surprise). Another instance of potential social engineering that I encountered comes from, in my opinion, small state/town mentality. I was staying at a hotel for a couple of days and went down to the bar one night to have an adult beverage. I paid for the beverage in cash, drank it, and went back to my room. Later when I returned from my trip, I was filing a voucher to cover trip expenses and looked at the hotel receipt. The receipt had a $20 charge for the hotel bar. Confused, I called the hotel and explained the situation; fortunately, they said they had mistakenly charged my room for a drink from another customer in another room.
My coworker stayed at the same hotel and I explained what happened, to which he responded, “Oh yeah, at the bar, all you needed to do is tell them your room number and they will charge it to the room.” So, if I were the social engineering type, I could have just watched someone go to their room, then ordered a drink and charged it to that room… how far I could go before the bartender said something or asked for my room number, who knows. A more network savvy way of social engineering is utilizing applications like Wireshark to monitor a person’s wireless network activity. Observing the websites they visit and anything unencrypted can give clues to their interests and hobbies. This could give a social engineer enough information to spam an email or contact the person via phone and follow up with an email. Again, another potential entry way into the person’s computer and/or network. However, some encryption on the wireless router and a good password, as well as password protecting the router’s administrative access, can divert the social engineer to another unprotected wireless network. One final example of social engineering comes from the book “Spies Among Us” by Ira Winkler. Mr. Winkler and his assistant were hired to do a penetration test for a nuclear power plant. In this account, Mr. Winkler and his assistant were able to obtain badges from the front desk of the headquarters facility without anyone verifying who they were or who was signing off on the paperwork for their badges. Then, they traveled to the actual nuclear reactors facility where, once inside, Mr. Winkler’s assistant plugged into the network and downloaded billions of dollars’ worth of nuclear information utilizing server names which Mr. Winkler obtained with a little more social engineering.

Summary

In summary, there are numerous ways to social engineer people, including dressing and talking like company personnel.
All workers should be schooled in how they can protect the company assets from being stolen by a slip of the tongue, giving in to emotion, or feeling like they do not have the time to check a person out before giving them access or information. Now, granted, we are all human and make mistakes, especially in the fast paced world we live in today. However, just caring and thinking about what one is doing can be enough to ask the person on the phone, “You want Mr. Doe? May I ask who is calling and get a number to have him call you back at?” Asking these questions could be enough to deter the social engineer and make them look for a different target.

Source: InfoSec Institute Resources - The Easier Form of Hacking: Social Engineering