Categories
Internet Security

How to set up a malware lab to analyze malware samples

In this article, we will look at how to set up a lab to test or analyze malware samples statically.

Although REMnux ships with a toolkit that malware analysts can use to reverse engineer malware, we will use a different tool for the reverse engineering itself.

We will use the REMnux Linux distribution (based on Ubuntu) to set up the malware lab.

With REMnux we can:

  • Examine properties and contents of suspicious files
  • Investigate Linux and Windows malware
  • Examine browser malware
  • Analyze malicious document files

You can make use of the following steps to set up a malware lab:

Step 1:

You need VMware on your Windows machine or VirtualBox on your Linux machine.

Step 2:

Once you have downloaded and installed VMware or VirtualBox, perform the following steps to install REMnux and get it working.

If you are installing REMnux via VMware, follow these instructions:

(i) Open VMware and click on "Open a Virtual Machine" as shown below:

(ii) Then browse to the downloaded REMnux OVA file and select it, as shown below:

(iii) Choose a suitable name for the virtual machine and a storage path:

(iv) Click on the Import button to import the new virtual machine.

(v) Finally, power on the new virtual machine to start REMnux, as shown in the screenshot below:

Now we have successfully set up a lab to statically analyze malware samples.

In our next article, we will look at how to make the test lab air-tight before we test malware samples.

Author: Michael

Categories
Competitive research

Gustuff malware targets WhatsApp, PayPal and Skype users

Group-IB’s Threat Intelligence system first discovered Gustuff on hacker forums in April 2018. According to its developer, nicknamed Bestoffer, Gustuff became the new, updated version of the AndyBot malware, which since November 2017 has been attacking Android phones and stealing money using web fakes disguised as mobile apps of prominent international banks and payment systems. The price for leasing the «Gustuff Bot» was $800 per month.

The analysis of Gustuff sample revealed that the Trojan is equipped with web fakes designed to potentially target users of mobile Android apps of top international banks including Bank of America, Bank of Scotland, J.P.Morgan, Wells Fargo, Capital One, TD Bank, PNC Bank, and crypto services such as Bitcoin Wallet, BitPay, Cryptopay, Coinbase etc. Group-IB specialists discovered that Gustuff could potentially target users of more than 100 banking apps, including 27 in the US, 16 in Poland, 10 in Australia, 9 in Germany, and 8 in India.

Initially designed as a classic banking Trojan, in its current version, Gustuff has significantly expanded the list of potential targets, which now includes, besides banking, crypto services and fintech companies’ Android programs, users of apps of marketplaces, online stores, payment systems and messengers, such as PayPal, Western Union, eBay, Walmart, Skype, WhatsApp, Gett Taxi, Revolut etc.

Gustuff infects Android smartphones through SMS messages containing links to a malicious Android Package (APK) file, the package file format used by the Android operating system for the distribution and installation of applications. When an Android device is infected with Gustuff, the Trojan, at the server’s command, spreads further through the infected device’s contact list or the server database. Gustuff’s features are aimed at mass infection and maximum profit for its operators — it has a unique feature, ATS (Automatic Transfer Systems), that autofills fields in legitimate mobile banking apps, cryptocurrency wallets and other apps, which both speeds up and scales up thefts.

The analysis of the Trojan revealed that the ATS function is implemented with the help of the Accessibility Service, which is intended for people with disabilities. Gustuff is not the first Trojan to successfully bypass security measures against interactions with other apps’ windows using Android Accessibility Service. That being said, the use of the Accessibility Service to perform ATS has so far been a relatively rare occurrence.

Once installed on the victim’s phone, Gustuff uses the Accessibility Service to interact with elements of other apps’ windows, including crypto wallets, online banking apps, messengers, etc. The Trojan can perform a number of actions; for example, at the server’s command, Gustuff is able to change the values of text fields in banking apps. Using the Accessibility Service mechanism means that the Trojan is able to bypass the security measures banks use against the older generation of mobile Trojans, as well as the changes to Google’s security policy introduced in newer versions of the Android OS. Moreover, Gustuff knows how to turn off Google Play Protect; according to the Trojan’s developer, this feature works in 70% of cases.

Gustuff is also able to display fake push notifications with legitimate icons of the apps mentioned above. Clicking on fake push notifications has two possible outcomes: either a web fake downloaded from the server pops up and the user enters the requested personal or payment (card/wallet) details; or the legitimate app that purportedly displayed the push notification opens — and Gustuff at the server’s command and with the help of the Accessibility Service, can automatically fill payment fields for illicit transactions.

The malware is also capable of sending information about the infected device to the C&C server, reading/sending SMS messages, sending USSD requests, launching SOCKS5 Proxy, following links, transferring files (including document scans, screenshots, photos) to the C&C server, and resetting the device to factory settings.

You can check out Group-IB’s in-depth technical analysis of Gustuff.

Source: Group-IB(Singapore)

Categories
Competitive research

Silence 2.0 takes on banking institutions worldwide

Silence APT, a Russian-speaking cybercriminal group known for targeting financial organizations primarily in former Soviet states and neighboring countries, is now aggressively targeting banks in more than 30 countries across America, Europe, Africa, and Asia.

Active since at least September 2016, the Silence APT group’s most recent successful campaign was against the Bangladesh-based Dutch-Bangla Bank, which lost over $3 million during a string of ATM cash withdrawals over a span of several days.

According to a new report Singapore-based cybersecurity firm Group-IB shared with The Hacker News, the hacking group has significantly expanded their geography in recent months, increased the frequency of their attack campaigns, as well as enhanced its arsenal.

The report also describes the evolution of the Silence hacking group from “young and highly motivated hackers” to one of the most sophisticated advanced persistent threat (APT) group that is now posing threats to banks worldwide.

The Silence APT group has updated its unique TTPs (tactics, techniques, and procedures) and changed its encryption alphabets, string encryption, and the commands for the bot and the main module to evade detection by security tools.

One addition to its arsenal is EDA, a PowerShell agent designed to control compromised systems by performing tasks through the command shell and tunneling traffic over the DNS protocol; it is based on the Empire and dnscat2 projects.

Just like most hacking groups, the Silence gang also relies on spear-phishing emails with macro-enabled documents or exploits, CHM files, and .LNK shortcuts as malicious attachments to initially compromise its victims.

Once inside a victim organization, the group leverages more sophisticated TTPs and deploys additional malware, either TrueBot or a new fileless PowerShell loader called Ivoke, both designed to collect information about an infected system and send it to an intermediate CnC server.

To choose its targets, the group first creates an up-to-date “target list” of active email addresses by sending “recon emails,” which usually contain a picture or a link without a malicious payload.
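Because EDA moves its command-shell traffic over DNS, the defensive counterpart is to look at DNS query logs for tunnelling patterns. The following is an added example of mine, not Group-IB’s or The Hacker News’ code: it scores constructed query-log lines (the log format, the client addresses and the example-tunnel.net domain are all made up) on long, high-entropy, hex-looking subdomains, TXT queries and one-new-subdomain-per-query behaviour, and raises an alert when several indicators coincide for one client/domain pair. The thresholds are assumptions to tune against your own DNS baseline.

```python
"""Added example: heuristic DNS-tunnelling detector over constructed query logs.

Not Group-IB's or The Hacker News' code. The log format (timestamp, client,
query type, query name), the client addresses, the example-tunnel.net
domain and all thresholds are assumptions for illustration.
"""
import math
from collections import defaultdict

# Constructed sample log: two ordinary clients and one client issuing
# long hex-encoded TXT queries with a fresh subdomain on every request.
SAMPLE_LOG = """\
2019-08-01T10:00:01Z 10.0.0.5 A www.example.com
2019-08-01T10:00:02Z 10.0.0.5 A mail.example.com
2019-08-01T10:00:03Z 10.0.0.7 TXT 9f1a2c3d4e5f60718293a4b5c6d7e8f9.0a1b2c3d4e5f60718293a4b5c6d7e8f9.t.example-tunnel.net
2019-08-01T10:00:04Z 10.0.0.7 TXT a0b1c2d3e4f5061728394a5b6c7d8e9f.1b2c3d4e5f60718293a4b5c6d7e8f90a.t.example-tunnel.net
2019-08-01T10:00:05Z 10.0.0.7 TXT b1c2d3e4f50617283940a5b6c7d8e9f0.2c3d4e5f60718293a4b5c6d7e8f90a1b.t.example-tunnel.net
2019-08-01T10:00:06Z 10.0.0.9 A cdn.static.example.org
"""

# Assumed thresholds; tune them against your own DNS baseline.
LONG_SUBDOMAIN = 40      # characters of subdomain payload, dots removed
ENTROPY_BITS = 3.5       # Shannon entropy per character (max 4.0 for hex)
HEX_FRACTION = 0.9       # share of payload characters that are hex digits
MIN_INDICATORS = 2       # indicators needed on one client/domain pair to alert


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for empty or single-symbol input)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname):
    """Split a query name into (registered domain, subdomain) using the last two labels."""
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) <= 2:
        return ".".join(labels), ""
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def query_indicators(qtype, qname):
    """Per-query indicators that a name carries an encoded payload."""
    domain, sub = split_name(qname)
    payload = sub.replace(".", "")
    found = []
    if len(payload) >= LONG_SUBDOMAIN:
        found.append("long-subdomain")
    if len(payload) >= 20 and shannon_entropy(payload) >= ENTROPY_BITS:
        found.append("high-entropy")
    if len(payload) >= 20 and sum(ch in "0123456789abcdef" for ch in payload) / len(payload) >= HEX_FRACTION:
        found.append("hex-encoded")
    if qtype in ("TXT", "NULL") and sub:   # record types that can carry arbitrary data downstream
        found.append("%s-query" % qtype.lower())
    return domain, sub, found


def detect_tunnelling(log_text, min_indicators=MIN_INDICATORS):
    """Aggregate per (client, domain) pair and return alerts with their indicators."""
    pairs = defaultdict(lambda: {"queries": 0, "subdomains": set(), "indicators": set()})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue                      # skip malformed lines
        _ts, client, qtype, qname = parts
        domain, sub, found = query_indicators(qtype, qname)
        entry = pairs[(client, domain)]
        entry["queries"] += 1
        entry["subdomains"].add(sub)
        entry["indicators"].update(found)
    alerts = []
    for (client, domain), entry in sorted(pairs.items()):
        # a tunnel must defeat resolver caching, so every query tends to use a new subdomain
        if entry["queries"] >= 3 and len(entry["subdomains"]) == entry["queries"]:
            entry["indicators"].add("unique-subdomain-per-query")
        if len(entry["indicators"]) >= min_indicators:
            alerts.append({"client": client, "domain": domain,
                           "queries": entry["queries"],
                           "indicators": sorted(entry["indicators"])})
    return alerts


if __name__ == "__main__":
    for alert in detect_tunnelling(SAMPLE_LOG):
        print(alert)
```

Requiring two or more indicators on the same client/domain pair is what keeps long CDN hostnames and the occasional legitimate TXT lookup out of the alert list; in production you would also whitelist known-good domains and add a per-window query-volume indicator.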

Group-IB has published more detailed findings about Silence APT in its new report titled, “Silence 2.0: Going Global.” You can head on to its report for more information.

Source: TheHackerNews

Categories
Internet Security

Introduction to Linux Malware Analysis (PART 2) : Object File and Executable/Binary file

In our previous article, we looked at the different phases of gcc compilation and the different types of output generated by the gcc compiler.

In this article we will examine the contents of both object and binary/executable files, and the difference between static and dynamic libraries.

Object File:

An object file contains machine code (instructions) that the processor can execute.

However, there is still some work to do before the processor can execute it.

One main difference between an object file and a binary is that, in an object file, references to both static and dynamic libraries are not yet resolved.

These references are unresolved because each source file is compiled (and assembled) independently of the others.

We can view the different sections of an object file using the objdump tool.

Usage: objdump <option(s)> <file(s)>
 Display information from object <file(s)>.

The objdump tool can disassemble a binary/executable file as well as extract sections from an object file.

The following command instructs objdump to show the read-only data section of the object file (in ELF format):

objdump -sj .rodata example.o

example.o:  file format elf64-x86-64
Contents of section .rodata: 

0000 48656c6c 6f2c2077 6f726c64 2100  Hello, world!.

The .rodata section stores only constant values. Inside the .rodata section, we have the string value "Hello, World!"

We can also use the objdump tool to disassemble all the code in an object file in Intel syntax, as shown below:

objdump -M intel -d example.o

example.o:     file format elf64-x86-64


Disassembly of section .text:

0000000000000000 <main>:
   0:   55                      push   rbp
   1:   48 89 e5                mov    rbp,rsp
   4:   48 83 ec 10             sub    rsp,0x10
   8:   89 7d fc                mov    DWORD PTR [rbp-0x4],edi
   b:   48 89 75 f0             mov    QWORD PTR [rbp-0x10],rsi
   f:   bf 00 00 00 00          mov    edi,0x0
  14:   e8 00 00 00 00          call   19 <main+0x19>
  19:   b8 00 00 00 00          mov    eax,0x0
  1e:   c9                      leave
  1f:   c3                      ret

As you can see, it contains only the main function. Note that the call target and the argument in edi are still zero: the references to the string in .rodata and to the library function have not been resolved yet. You can check Wikipedia for in-depth information on assembly language.

Binary File:

The linker (or link editor) is responsible for linking all the object files together and relocating their code and data to specific memory addresses. This process creates a binary executable file.

In a binary file, symbolic references to static libraries are resolved, whilst references to dynamic libraries are resolved at runtime, when the binary is loaded into memory.

The following command disassembles a binary file with the objdump tool:

objdump -M intel -d a.out

a.out:     file format elf64-x86-64


Disassembly of section .init:

0000000000001000 <_init>:
    1000:       48 83 ec 08             sub    rsp,0x8
    1004:       48 8b 05 dd 2f 00 00    mov    rax,QWORD PTR [rip+0x2fdd]        # 3fe8 <__gmon_start__>
    100b:       48 85 c0                test   rax,rax
    100e:       74 02                   je     1012 <_init+0x12>
    1010:       ff d0                   call   rax
    1012:       48 83 c4 08             add    rsp,0x8
    1016:       c3                      ret

Disassembly of section .fini:

00000000000011c4 <_fini>:
    11c4:       48 83 ec 08             sub    rsp,0x8
    11c8:       48 83 c4 08             add    rsp,0x8
    11cc:       c3                      ret

This is not the complete output for the binary; as you can see, a binary contains more sections than an object file does.

We will need these sections to do a static analysis of an infected file.

In our next article, we will learn how to examine an infected file using static analysis.

Categories
Privacy

How malware steals autofill data from browsers

Most browsers kindly offer to save your data: account credentials, bank card details for online stores, billing address, name, and passport number for travel sites, and so on. It’s convenient and saves having to fill out the same forms all over again or worry about forgotten passwords. However, there is a catch: All of this autofill data can be scooped up by cybercriminals if your computer gets infected by a stealer — a piece of malware that steals information, including from browsers.

Such programs are becoming increasingly popular with online scammers: In the first half of this year alone, Kaspersky’s security products detected more than 940,000 stealer attacks. That is a one-third increase from the same period of 2018.

Strictly speaking, stealers are interested in more than just browsers’ autofill data — they are also looking for cryptocurrency wallets and gaming data, and they steal files from the desktop as well (we hope you don’t store valuable information there, such as password lists).

However, browsers have become a hub of work and play, including shopping, banking and more, and are often a source of far more confidential information than other programs. Let’s take a look at how stealers get their thieving hands on browser data.

How malware steals data from Chrome

Google Chrome and other browsers based on the Chromium engine (such as Opera and Yandex.Browser) always store user data in the same place, so stealers have no problem finding it. In theory at least, this data is stored in encrypted form. However, if the malware has already penetrated the system, then its actions are done in your name.

Therefore, the malware simply puts in a polite request to the browser’s data encryption tool to decrypt information stored on your computer. With requests seemingly from the user considered safe by default, in response the stealer gets all your passwords and credit card details.

What happens to data stolen by the stealer?

Once the malware has the autofill data in plain text, it sends them back to cybercriminals. From there, either of two scenarios may unfold. The malware’s handlers can use it themselves or, more likely, sell it to other malefactors on the black market, where such products are always highly prized.

Either way, if usernames and passwords were among the stored information, the crooks will likely steal a couple of your accounts and try to finagle money out of your friends. If you saved bank card data in the browser, the losses could be more direct; your money will either be spent or transferred elsewhere.

Stolen accounts can be used for many other purposes too, from spamming and promotion of websites or apps, to sending viruses and laundering money stolen from others (and if the police get involved, they may come knocking on your door).

How to protect data from stealers

  • Do not entrust important information such as bank card details to your browser for safekeeping. Instead, enter them manually each time — it takes longer but is safer. You can also store passwords in a password manager.

  • Most important: The best way to safeguard data is to prevent malware from getting onto your computer in the first place. To do so, install a reliable security solution that will keep infections at bay. No malware, no problem!

Source: Kaspersky Lab

Categories
Innovation

Introduction to Linux Malware Analysis

In today’s era, where malware (otherwise known as malicious software) has affected, and is still affecting, companies all over the world, it is recommended to have the ability to analyze malware residing on both Windows and Linux platforms.

However, we will focus only on how to analyze malware on Linux platforms. You can make use of the same methods discussed here to analyze malware on Windows.

As a malware analyst it is necessary to understand how a compiler such as gcc compiles a program.

So we will look at the following sub-topics:

  • The four stages of binary compilation
  • Difference between an object file and executable file

Prerequisites:

  • gcc compiler
  • linux debian/kali
  • a simple C program to compile

Four Stages of Binary Compilation:

The four stages of c program compilation are as follows:

  • Preprocessing
  • Compilation
  • Assembly
  • Linking

By default, the gcc compiler compiles a file or group of files into an executable program, as shown below:

gcc hello.c

Checking the resulting a.out with the file utility shows the following output:

a.out: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=2ae6a46529ec896b291cd7671dc19ee578abf8bf, not stripped

The gcc compiler automatically compiled our simple C program into an executable file.

Preprocessing stage:

In this stage, the C preprocessor, which is a separate program from the compiler, reads the contents of the included system header files and inserts them into a file with the .i suffix.

Execute the command below to produce the preprocessed file:

cpp hello.c > hello.i

Open the hello.i file to see the output. This is not the complete output.

# 1 "hello.c"
# 1 "<built-in>"
# 1 "<command-line>"
# 31 "<command-line>"
# 1 "/usr/include/stdc-predef.h" 1 3 4
# 32 "<command-line>" 2
# 1 "hello.c"
# 1 "/usr/include/stdio.h" 1 3 4
# 27 "/usr/include/stdio.h" 3 4
# 1 "/usr/include/x86_64-linux-gnu/bits/libc-header-start.h" 1 3 4
# 33 "/usr/include/x86_64-linux-gnu/bits/libc-header-start.h" 3 4
# 1 "/usr/include/features.h" 1 3 4
# 424 "/usr/include/features.h" 3 4
# 1 "/usr/include/x86_64-linux-gnu/sys/cdefs.h" 1 3 4
# 442 "/usr/include/x86_64-linux-gnu/sys/cdefs.h" 3 4
# 1 "/usr/include/x86_64-linux-gnu/bits/wordsize.h" 1 3 4
# 443 "/usr/include/x86_64-linux-gnu/sys/cdefs.h" 2 3 4
# 1 "/usr/include/x86_64-linux-gnu/bits/long-double.h" 1 3 4
# 444 "/usr/include/x86_64-linux-gnu/sys/cdefs.h" 2 3 4
# 425 "/usr/include/features.h" 2 3 4
# 448 "/usr/include/features.h" 3 4
# 1 "/usr/include/x86_64-linux-gnu/gnu/stubs.h" 1 3 4
# 10 "/usr/include/x86_64-linux-gnu/gnu/stubs.h" 3 4
typedef unsigned char __u_char;
typedef unsigned short int __u_short;
typedef unsigned int __u_int;
typedef unsigned long int __u_long;
typedef signed char __int8_t;
typedef unsigned char __uint8_t;
typedef signed short int __int16_t;
typedef unsigned short int __uint16_t;
typedef signed int __int32_t;
typedef unsigned int __uint32_t;
typedef signed long int __int64_t;
typedef unsigned long int __uint64_t;

Compilation Stage:

In this stage, we have the gcc compiler emit an assembly file, preferably in Intel assembly syntax because it is more readable than AT&T syntax.

You can do this by executing the following command:

gcc -S -masm=intel hello.c

It produces the assembly file hello.s. You can open it and view its contents; we will look at the contents in more detail later.

vim hello.s

    .file   "hello.c"
    .intel_syntax noprefix
    .text
    .section    .rodata
.LC0:
    .string "Hello, World!"
    .text
    .globl  main
    .type   main, @function
main:
.LFB0:
    .cfi_startproc
    push    rbp
    .cfi_def_cfa_offset 16
    .cfi_offset 6, -16
    mov rbp, rsp
    .cfi_def_cfa_register 6
    lea rdi, .LC0[rip]
    mov eax, 0
    call    printf@PLT
    mov eax, 0
    pop rbp
    .cfi_def_cfa 7, 8
    ret
    .cfi_endproc
.LFE0:
    .size   main, .-main
    .ident  "GCC: (Debian 8.3.0-6) 8.3.0"
    .section    .note.GNU-stack,"",@progbits

As you can see, Intel assembly syntax is more readable than the AT&T syntax shown below:

    .file   "hello.c"
    .text
    .section    .rodata
.LC0:
    .string "Hello, World!"
    .text
    .globl  main
    .type   main, @function
main:
.LFB0:
    .cfi_startproc
    pushq   %rbp
    .cfi_def_cfa_offset 16
    .cfi_offset 6, -16
    movq    %rsp, %rbp
    .cfi_def_cfa_register 6
    leaq    .LC0(%rip), %rdi
    movl    $0, %eax
    call    printf@PLT
    movl    $0, %eax
    popq    %rbp
    .cfi_def_cfa 7, 8
    ret
    .cfi_endproc
.LFE0:
    .size   main, .-main
    .ident  "GCC: (Debian 8.3.0-6) 8.3.0"
    .section    .note.GNU-stack,"",@progbits

Assembly Stage

In this stage, the assembler converts the assembly file into an object file; gcc runs it for you with the command below:

gcc -c hello.c

An object file is described as relocatable because each source file is compiled independently of the others.

At assembly time the assembler cannot know the final memory addresses of code and data in the other files (most real programs consist of several individual source files).

It is therefore the linker’s job to bring all the files together into an executable.

You can check whether a file is an object file by using the file utility, as shown here:

file hello.o

hello.o: ELF 64-bit LSB relocatable, x86-64, version 1 (SYSV), not stripped

We will look at stripped and non-stripped files in our next articles, because the distinction is essential to a malware analyst.

Linking Stage

Here we link all the individual object files together into an executable, using gcc followed by the name of the C program.

At this stage symbolic references to static libraries are resolved. References to dynamic libraries are not resolved until the program is loaded into memory.

We will discuss symbolic references to static and dynamic libraries in our next article.

gcc hello.c

a.out: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=2ae6a46529ec896b291cd7671dc19ee578abf8bf, not stripped

The main difference between an object file and an executable file is that references to libraries are not resolved in an object file but are resolved in an executable file (except for references to dynamic libraries).
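To make the object-versus-executable distinction concrete, and to show what `file` and `objdump -sj .rodata` (used in the second part of this series) are actually reading, here is an added example of mine, not code from this article series. It constructs a minimal ELF64 file in memory and then parses the ELF header and the section header table: the e_type field is what makes file report "relocatable" for hello.o versus "pie executable" for a.out, and the section header table is how objdump locates .rodata. The function names (build_elf64_object, parse_elf64, objdump_style, rodata_strings) and the constructed file contents are my own.

```python
"""Added example: a minimal ELF64 reader, not code from the article series.

It constructs a tiny ELF64 relocatable object in memory (only a .rodata
section and the section-name string table) and then parses it the way
`file` and `objdump -sj .rodata` do: e_type distinguishes a relocatable
object from an executable, and the section header table locates .rodata.
"""
import struct

# e_type values from the ELF specification (ET_REL, ET_EXEC, ET_DYN, ET_CORE)
ET_TYPES = {1: "relocatable", 2: "executable", 3: "pie executable", 4: "core"}
ELF64_EHDR = "<HHIQQQIHHHHHH"   # header fields after the 16-byte e_ident
ELF64_SHDR = "<IIQQQQIIQQ"      # one 64-byte section header


def build_elf64_object(rodata, e_type=1):
    """Construct a minimal little-endian x86-64 ELF64 image (constructed test data).

    Layout: ELF header | .rodata bytes | .shstrtab | padding | 3 section headers.
    """
    shstrtab = b"\0.rodata\0.shstrtab\0"       # name offsets: 1 = .rodata, 9 = .shstrtab
    rodata_off = 64
    shstr_off = rodata_off + len(rodata)
    pad = (-(shstr_off + len(shstrtab))) % 8  # keep the section header table 8-byte aligned
    shoff = shstr_off + len(shstrtab) + pad
    e_ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8   # ELF64, little-endian, v1, SYSV
    # e_machine 62 = x86-64, no program headers, e_shentsize 64, e_shnum 3, e_shstrndx 2
    header = e_ident + struct.pack(ELF64_EHDR, e_type, 62, 1, 0, 0, shoff, 0, 64, 0, 0, 64, 3, 2)

    def shdr(name, sh_type, flags, offset, size):
        return struct.pack(ELF64_SHDR, name, sh_type, flags, 0, offset, size, 0, 0, 1, 0)

    shdrs = (shdr(0, 0, 0, 0, 0)                                  # SHT_NULL
             + shdr(1, 1, 0x2, rodata_off, len(rodata))           # .rodata: SHT_PROGBITS, SHF_ALLOC
             + shdr(9, 3, 0, shstr_off, len(shstrtab)))           # .shstrtab: SHT_STRTAB
    return header + rodata + shstrtab + b"\0" * pad + shdrs


def parse_elf64(data):
    """Return the file type, machine and a {section name: bytes} map from an ELF64 image."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only 64-bit little-endian ELF is handled here")
    fields = struct.unpack_from(ELF64_EHDR, data, 16)
    e_type, e_machine, shoff, shentsize, shnum, shstrndx = (
        fields[0], fields[1], fields[5], fields[10], fields[11], fields[12])
    headers = [struct.unpack_from(ELF64_SHDR, data, shoff + i * shentsize) for i in range(shnum)]
    str_off, str_size = headers[shstrndx][4], headers[shstrndx][5]
    strtab = data[str_off:str_off + str_size]
    sections = {}
    for h in headers:
        name = strtab[h[0]:strtab.index(b"\0", h[0])].decode()   # sh_name indexes .shstrtab
        sections[name] = data[h[4]:h[4] + h[5]]                  # sh_offset, sh_size
    return {"type": ET_TYPES.get(e_type, "unknown(%d)" % e_type),
            "machine": e_machine, "sections": sections}


def objdump_style(section):
    """Render bytes in the 16-per-row layout used by `objdump -s`."""
    rows = []
    for off in range(0, len(section), 16):
        chunk = section[off:off + 16]
        words = " ".join(chunk[i:i + 4].hex() for i in range(0, len(chunk), 4))
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        rows.append("%04x %s  %s" % (off, words, text))
    return rows


def rodata_strings(data):
    """NUL-separated strings held in .rodata (what objdump -sj .rodata shows)."""
    sec = parse_elf64(data)["sections"].get(".rodata", b"")
    return [s.decode("ascii", "replace") for s in sec.split(b"\0") if s]


if __name__ == "__main__":
    obj = build_elf64_object(b"Hello, world!\0")
    info = parse_elf64(obj)
    print("type:", info["type"], "sections:", [n for n in info["sections"] if n])
    print("\n".join(objdump_style(info["sections"][".rodata"])))
    print(rodata_strings(obj))
```

Running the block prints the same "0000 48656c6c 6f2c2077 6f726c64 2100  Hello, world!." row that objdump produced for example.o; pass e_type=3 to build_elf64_object to see why file labels a.out a pie executable. A real object or binary has many more sections (.text, .symtab, relocation and dynamic-linking tables), but they are all reached through the same section header table.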

Now we understand how a gcc compiler compiles a program.

In our next article, we will take a look at contents of both object and executable file, static and dynamic libraries.

Written by: Michael Aboagye

Categories
Uncategorized

Do you want to learn how to analyze binary programs to detect Malware?

In the month of August, we will begin a practical course on Linux binary analysis to help system/security engineers learn how to analyze and detect hidden malware in binary programs running on Linux hosts.

You will need the following tools and knowledge to benefit fully. We will add more tools or utilities as we progress:

  • gcc compiler
  • debian linux  (version 9)
  • can interpret basic Intel assembly code syntax
  • Understand basic linux commands
  • Vim friendly

Source:  ISA Security Team

Categories
Uncategorized

ISVM IS HERE AGAIN

Cybersecurity is the latest trend in the IT industry, and it is necessary for IT professionals handling user or corporate data to be aware of modern-day cyber-attacks.

Hence we invite you to be part of our upcoming ISVM training session, specifically designed for security engineers, network engineers, penetration testers and IT professionals.

You can check the image below for further details.

Categories
Uncategorized

Data-driven businesses and data selling: The case of the Electoral Commission of Ghana and BSystems

It is true that today’s society is driven by data and no doubt many people have tagged data as the new oil, it is the crucial ingredient of what has come to be accepted globally as the information economy, but wait! How does this even makes any sense?

Good! Now wake-up to the new world order of data supremacy; data is valuable because it tells governments and companies about their audience’s interests, allowing them to improve their targets’ experiences.

Companies, industry players, regulators, law enforcement and enthusiasts can derive value from their own data and they can also purchase it from other sources where permissible.

If you have high-quality data, you can also sell it to create a more direct economic benefit but this in some jurisdictions is restricted especially where personal data is concerned.

The energy to push data to the limits is evidenced with the emergence of Data-as-a-Service model businesses which are data infrastructure that powers human connectivity delivering the right insight into the right people at the right time and with data analytics driving this model.

The benefits have been enormous within varied aspects of human interaction; take for example medical practice, big data analytics is playing a role in interrogating the patient electronic health record toward improved clinical decision support, in the legal practice arena the conversation is around data-driven justice to determine outcome of legal disputes and big data is making it much easier to track relevant precedents across the world for this purpose.

Now this brings me to a crucial point of the write-up, and that is the kind of data used under these circumstances. This may be personal or non-personal data; in the case of personal data there are vigorous efforts to regulate what is taken, when it is taken, how it is taken, used, stored and disposed of, with the consent of the people from whom this data is collected.

It is to be understood in plain terms that personal data is any attribute that directly identifies a person, or such a collection of attributes from which a person can be identified. Therefore CCTV footage may contain personal data if optical analytics can identify the persons in such audio-visual footage.

The name, age, address, nationality of a person in a driver’s license database is construed as personal data once a unique and definite identity can be made from it. Let me also add that in most jurisdictions it is a matter of law as to what personal data involves.

It’s no secret that your personal data is routinely bought and sold by dozens, possibly hundreds, of companies the world over. What’s less known is who those companies are, and what exactly they do. Sometime in the first quarter of 2019, the Vermont General Assembly passed an Act, H.764 (Act 171), relating to data brokers and consumer protection requiring companies that buy and sell third-party personal data to register with the Secretary of State and currently a list of 121 data brokers operating in the U.S have registered.

It’s a rare, rough glimpse into a bustling economy that operates largely in the shadows, and often with few rules. The Vermont law doesn’t require data brokers to disclose who’s in their databases, what data they collect, or who buys it, nor does it require brokers to give consumers access to their own data or to opt out of data collection. The converse is what happens here in Ghana: the Data Protection Act 2012 (Act 843), under its sections 88 and 89, prohibits the purchase and sale of personal data and makes such acts punishable by fines and imprisonment.

It has been argued by data-driven businesses that this is retrogressive and infringes on innovation. To the extent that digitization is essential to collect, share, and aggregate large volumes of heterogeneous data to support the discovery of hidden patterns, one can infer that the digital transformation that Ghana as a country is ferociously pursuing, in the areas of e-Government services, digital addressing, health and others, will call into action the use of data, whether personal or non-personal. Data protection regulations must therefore be properly understood and interpreted for industry and for individual data subjects; in fact the regulator of the space, the Data Protection Commission, is enjoined by law to make known guidelines and frameworks that promote the observance of good practice and ensure compliance, failing which industry players and citizens will not appreciate what the law provides them.

Well, so when do we know that a particular act amounts to a sale of data? In Ghana the law is explicit about the sale and purchase of data; however, the enabling Act does not provide an explicit definition of what would amount to the sale of data or other data-selling activities. The law does define “business” to include a trade or profession. A good attempt is to look at it this way: data selling can be done directly between the parties, in this case data controllers among themselves, to data processors or even to individuals, or it can be done through what is presently well known in the industry as data brokers, which was the motivation for the Vermont law mentioned above.

The data brokers are entities that collect information about consumers, and then sell that data (or analytic scores, or classifications made based on that data) to other data brokers, companies, and/or individuals. Even when consumers are aware of both the existence of data brokers and the extent of data collected, it’s difficult to determine which data they can control, for example, some data brokers might allow users to remove raw data, but not the inferences derived from it, making it difficult for consumers to know how they have been categorized. Some data brokers store all data indefinitely, even if it is later amended. A friend once asked me “are they data controllers under the law?“ the simple answer is “Yes”. The industry is incredibly opaque, and data brokers have no real incentive to interact with the people whose data they are collecting, analyzing, and sharing.

These data brokers do not have a direct relationship with the people they collect data on, so most people aren’t even aware that the data is being collected. Once data is collected and stored by whatever means, it is sold through direct transfer, mostly by electronic means, to the purchaser. This gives the purchaser absolute ownership of the data contemplated in the said data sale contract and shifts the responsibility for what the data is used for to the new data controller; depending on the contractual outcomes and obligations, the initial data controller may also retain some responsibility in a controller-to-controller or controller-to-processor relationship.

By now you are getting the picture that data brokerage can be an integral part of data selling so let’s take a minute and identify the various kinds of data brokers; firstly there are people search sites, where users can input a piece of data, such as a person’s name (or a phone number, city/state, email address, social security number, etc.) and get personal information on that person either for free or for a small fee, example that comes to mind include places like Spokeo, PeekYou, PeopleSmart, Pipl, and many more. Secondly there are data brokers that focus on marketing, such as Datalogix (owned by Oracle), or divisions or subsidiaries of companies like Experian and Equifax. They develop dossiers on individuals which can be used to tailor marketing. And finally there are data brokers such as ID Analytics that offer risk mitigation products to verify identities and help detect fraud.

Well, having kept you on a mini-lecture which is the ground on which I will discuss the subject matter; let me hint that the subject matter of this article is whether the Electoral Commission of Ghana sold citizen data to a private company called B Systems. The background to the issue is that of a news article making the waves under the headline; EC sold voters data to private firm without an agreement – Auditor-General and reported on the 27th of June 2019 by the graphic online newspaper portal www.graphic.com.gh and other media outlets. The graphic online news portal captured the story in part as follows;

There was no Agreement between the Electoral Commission and Bsystems Limited who obtains Electoral Data from the Commission and offers it to the Financial Institutions for a fee. We further noted that, Bysystem Ltd. failed to remit the 20% commission due the Electoral Commission, in respect of charges for accessing the data, for the 2016 and 2017 financial years, the report noted.

According to the report, the EC, in response to the findings, stated that a Memorandum of Understanding (MoU) was signed between the Commission and BSystems Limited, but the MoU was suspended in the third quarter of 2016.”

For starters, or as an appetizer, let’s establish how the relationship between the Electoral Commission and BSystems came about. BSystems, a private business, identified an opportunity in a regulator’s requirement that banks and regulated financial institutions perform a Know Your Customer (KYC) routine on their customers, which includes verifying any nationally accepted identification card presented, among other things to avoid fraud. This led the private business to develop a solution called GVIVE.

GVIVE® is an online identity verification system that integrates with ID database systems to enable true, real-time verification of people and to curb identity theft, among other aims. By design the integration is done at the Application Programming Interface (API) level, which means the solution queries the database of whichever entity is the data controller that holds the data and determines its ultimate use. Such a service does not involve a direct transfer of the data from one entity to the other in any form, nor does it give the receiving entity custody of the data held by the holding entity.

As I have come to understand it, the GVIVE system queries the electoral ID database hosted by the Electoral Commission when Voter ID cards are submitted to the banks for the primary purpose of verification, as required by the regulator’s directive to the banks and regulated financial institutions. It is important to note that this model is termed value-added data services; it involves multiple entities who still own and keep their data but give minimal electronic access to that data for specific data processing purposes, through machine-read-only access to the system hosting the data. This service would be needless if the financial institutions or the national ID regulator, for instance, could integrate directly with the electoral or any other ID database required.
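The read-only, API-level verification model described above, as an added example that is not GVIVE’s or BSystems’ own code: a constructed register held by the controller answers only match/no-match queries for an authorised purpose, so the processor never receives the records. The controller, processor and register entries are all constructed for illustration.

```python
"""Constructed model of API-level ID verification: the controller keeps the
register and answers only match/no-match, so the processor never takes custody
of the data. Added example, not GVIVE's or BSystems' own code."""
from dataclasses import dataclass, field
from hashlib import sha256
import hmac
import unicodedata

ALLOWED_CLAIMS = {"name", "dob"}  # fields a processor may ask to have verified

def _norm(value: str) -> str:
    """Accent-, case- and whitespace-insensitive comparison key (ASCII only)."""
    ascii_only = unicodedata.normalize("NFKD", value).encode("ascii", "ignore")
    return " ".join(ascii_only.decode().split()).upper()

@dataclass
class Controller:
    """Data controller (EC-like). Exposes verify() only; there is no export call."""
    records: dict                 # id_number -> {"name": ..., "dob": ...}
    purposes: set                 # processing purposes the controller authorised
    audit: list = field(default_factory=list)

    def verify(self, processor: str, purpose: str, id_number: str, claims: dict) -> str:
        # Record who asked and why; keep a digest of the ID, not the ID itself.
        self.audit.append((processor, purpose, sha256(id_number.encode()).hexdigest()[:12]))
        if purpose not in self.purposes:
            return "refused"
        if not claims or not set(claims) <= ALLOWED_CLAIMS:
            return "refused"      # a bare "does this ID exist?" query is not allowed
        rec = self.records.get(id_number, {})
        # Unknown ID and mismatching claims get the same answer, so the caller
        # cannot use the service to enumerate which ID numbers are in the register.
        ok = bool(rec) and all(
            hmac.compare_digest(_norm(rec.get(k, "")), _norm(v)) for k, v in claims.items()
        )
        return "match" if ok else "no_match"

def kyc_check(controller: Controller, id_number: str, name: str, dob: str) -> str:
    """Processor side (GVIVE-like): submits the details on the card a bank customer
    presented and receives only the outcome, never the register record."""
    return controller.verify("verification-processor", "kyc_verification",
                             id_number, {"name": name, "dob": dob})

# Constructed sample register; the processor holds a reference to the
# controller's service, not a copy of its data.
REGISTER = Controller(records={"1234567890": {"name": "Ama Mensah", "dob": "1990-05-17"}},
                      purposes={"kyc_verification"})
```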

Let’s proceed to the main course, which is quite brief after such an almost bellyful appetizer. I start with the relationship between the Electoral Commission and BSystems: this is a data controller and data processor relationship. Access and its intended use are determined at law by the Electoral Commission, which for all intents and purposes is responsible for the ultimate data protection obligations under the laws of Ghana; BSystems is a processor of the said personal data, acting as directed by the data controller. It is clearly established that the purpose here is verification of the data. It is also important to highlight that when a customer presents an identity card to a bank, he or she has impliedly consented to verification, the very essence of the service rendered by GVIVE.

The data processor, BSystems, is required to adhere to the personal data protection laws of Ghana and to the contract under which it operates with data controllers, in this case the Electoral Commission. The Commission in turn is required to make data protection best practices visible requirements in its engagement with any processor or controller: for instance, registration of the other party under the law, evidence of a data protection programme and policy, privacy impact assessment reports and possibly a technical security assessment report of the system used for the engagement. Every regulator and private data controller must make it a benchmark to demand and ensure data protection best practices when engaging entities in data-driven business models.

The primary question is whether data selling has taken place under either of the two forms of data selling identified above: a direct transfer of data between parties, or the use of brokerage strategies. This cannot be said to have happened, since BSystems has not received a direct transfer of data and its model does not qualify as brokerage. One is tempted to argue that BSystems operates on the third kind of data brokerage, offering risk mitigation products to verify identities and help detect fraud, as GVIVE does; the flaw in that argument is that, on the facts at issue, BSystems only integrates with the existing database and does not own it in any form, whereas data brokers own their data.

Noteworthy for this article is the fact that regulatory bodies undoubtedly enjoy some exemptions under the Data Protection Act 2012, and these include the Electoral Commission. However, let me sound a caveat found in the letter of the law: the exemption is given for the “processing of personal data”, which means the framers anticipated that, while the exemption holds, an exempted entity will still ensure that protection mechanisms are in place for the personal data it holds. It would be an absurd interpretation of the law to say that because there is an exemption an entity can, for instance, go out of its way to treat personal data with disdain; that defeats the spirit of Act 843, which was brought to life from the 1992 Constitution of Ghana as a matter of protecting the fundamental human right to privacy, albeit subject to the limitation of guaranteed rights under the Constitution.

I express the view that BSystems’ current model is one that adds value to stored data without modifying or owning it; in this light the verification services are rendered by BSystems as a data processor, which is required under the law to comply with data protection principles and to ensure that at all times it does not infringe on the privacy rights of individuals; the exemptions do not extend to BSystems as a value-added service provider. The Electoral Commission is, however, expected to have in place a data-transfer policy (where needed) and a data-use policy with its third-party service providers, and, without sounding unnecessarily legal, the players in the industry must make the effort to shed some sunlight and transparency on an industry that has traditionally been pretty opaque, as that is the only way to balance data protection regulation against data-driven business models, which are heavily commercialized.

According to lotame.com, an online data business portal, the world produces an estimated 2.5 exabytes, or 2.5 billion gigabytes, of data every day. Of that data, 90 percent was created in the last two years. The amount of information available to us is growing, and growing fast. That data comes from a variety of sources including online transactions, social media, search engines, web traffic and more. Data-driven business models are here to stay and will influence all other areas of endeavour; equally, privacy laws are not going away, as individuals become more aware of the control and power they have to make determinations concerning the use of their data.

The balancing act is crucial between the data protection regulator, the data controllers, processors and data subjects.

Israel D. Esq 

Should Linux Geeks Move to Windows?

Source: The Hackernews

Microsoft is taking another step forward to show its love for Linux and open source community by shipping a full Linux kernel in Windows 10 this summer.

No, that doesn’t mean Microsoft is making its Windows 10 a Linux distro, but the company will begin to ship an in-house custom built Linux kernel later this year starting with the Windows 10 Insider builds.

Microsoft announced the move in a blog post while unveiling Windows Subsystem for Linux version 2.0 (or WSL 2) that will feature “dramatic file system performance increases” and support more Linux apps like Docker.

So, to support this entirely new architecture for the WSL 2, Windows 10 will have its own Linux kernel.

Although this is not the first time Microsoft has shipped a Linux kernel (the company already shipped its own custom Linux kernel on Azure Sphere last year), it is the first time a Linux kernel has shipped with Windows.

Unlike Windows Subsystem for Linux version 1.0 (WSL 1), which used a Linux-compatible kernel, the first WSL 2 release will be based on the latest long-term stable Linux release, i.e., version 4.19 of Linux from Kernel.org.

By switching to the Linux kernel itself, Microsoft gets all of Linux’s features, like Docker containers, for free and promises “noticeably faster” performance, with faster boot-up and lower memory use.

You can see a preview of Windows Subsystem for Linux version 2.0 in the given video.