2023-03-17

Mapping Korea's Personal Information Protection Act to the OECD 8 Principles

Introduction:

With the rise of the digital age, the protection of personal information has become a crucial concern for individuals, organizations, and governments worldwide. In response, the OECD developed a set of eight principles to guide the responsible handling of personal data. Korea has implemented its own Personal Information Protection Act (PIPA), which is closely aligned with the OECD's guidelines. In this blog post, we will examine how the PIPA maps to the OECD's 8 principles.


The OECD's 8 principles:

http://oecdprivacy.org/
  1. Collection Limitation Principle: There should be limits to the collection of personal data and any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.
  2. Data Quality Principle: Personal data should be relevant to the purposes for which they are to be used, and, to the extent necessary for those purposes, should be accurate, complete and kept up-to-date.
  3. Purpose Specification Principle: The purposes for which personal data are collected should be specified not later than at the time of data collection and the subsequent use limited to the fulfilment of those purposes or such others as are not incompatible with those purposes and as are specified on each occasion of change of purpose.
  4. Use Limitation Principle: Personal data should not be disclosed, made available or otherwise used for purposes other than those specified in accordance with Paragraph 9 (the Purpose Specification Principle) except: a) with the consent of the data subject; or b) by the authority of law.
  5. Security Safeguards Principle: Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorised access, destruction, use, modification or disclosure of data.
  6. Openness Principle: There should be a general policy of openness about developments, practices and policies with respect to personal data. Means should be readily available of establishing the existence and nature of personal data, and the main purposes of their use, as well as the identity and usual residence of the data controller.
  7. Individual Participation Principle: An individual should have the right: a) to obtain from a data controller, or otherwise, confirmation of whether or not the data controller has data relating to him; b) to have communicated to him, data relating to him i) within a reasonable time; ii) at a charge, if any, that is not excessive; iii) in a reasonable manner; and iv) in a form that is readily intelligible to him; c) to be given reasons if a request made under subparagraphs (a) and (b) is denied, and to be able to challenge such denial; and d) to challenge data relating to him and, if the challenge is successful to have the data erased, rectified, completed or amended.
  8. Accountability Principle: A data controller should be accountable for complying with measures which give effect to the principles stated above.


Korea's Personal Information Protection Act (PIPA)

Article 3 (Principles for Protecting Personal Information)
  1. The personal information controller shall specify explicitly the purposes for which personal information is processed; and shall collect personal information lawfully and fairly to the minimum extent necessary for such purposes.
  2. The personal information controller shall process personal information in an appropriate manner necessary for the purposes for which the personal information is processed, and shall not use it beyond such purposes.
  3. The personal information controller shall ensure personal information is accurate, complete, and up to date to the extent necessary in relation to the purposes for which the personal information is processed.
  4. The personal information controller shall manage personal information safely according to the processing methods, types, etc. of personal information, taking into account the possibility of infringement on the data subject’s rights and the severity of the relevant risks.
  5. The personal information controller shall make public its privacy policy and other matters related to personal information processing; and shall guarantee the data subject’s rights, such as the right to access their personal information.
  6. The personal information controller shall process personal information in a manner to minimize the possibility of infringing the privacy of a data subject.
  7. If it is still possible to fulfil the purposes of collecting personal information by processing anonymized or pseudonymised personal information, the personal information controller shall endeavor to process personal information through anonymization, where anonymization is possible, or through pseudonymisation, if it is impossible to fulfil the purposes of collecting personal information through anonymization. 
  8. The personal information controller shall endeavor to obtain trust of data subjects by observing and performing such duties and responsibilities as provided for in this Act and other related statutes.

How the PIPA maps to the OECD's 8 principles

Now, let's see how each of these principles is reflected in the PIPA:
  1. Collection Limitation Principle: Paragraph (1) of Article 3 requires that personal information be collected "lawfully and fairly" and only "to the minimum extent necessary" for explicitly specified purposes. Paragraphs (6) and (7) tighten the limit further: processing must minimize the possibility of infringing the data subject's privacy, and anonymized or pseudonymized data must be preferred whenever the purpose can still be achieved with it. Paragraph (7) has no direct counterpart among the eight 1980 principles. The consent and notice elements of the OECD principle are not spelled out in Article 3 itself; they are handled by the Act's operative provisions on collection and use.
  2. Data Quality Principle: Paragraph (3) of Article 3 requires personal information to be "accurate, complete, and up to date to the extent necessary in relation to the purposes", which tracks the OECD wording almost word for word, including the qualifier that ties the duty to the purpose of processing.
  3. Purpose Specification Principle: Paragraph (1) of Article 3 requires the controller to "specify explicitly the purposes" for which personal information is processed. The second half of the OECD principle, limiting later use to those purposes, is carried by paragraph (2).
  4. Use Limitation Principle: Paragraph (2) of Article 3 requires processing "in an appropriate manner necessary for the purposes" and prohibits use "beyond such purposes". The OECD exceptions (consent of the data subject, or authority of law) do not appear in Article 3; the Act addresses use and provision beyond the original purpose in its operative provisions, which likewise turn on consent or a statutory basis.
  5. Security Safeguards Principle: Paragraph (4) of Article 3 requires personal information to be managed safely in a manner appropriate to the processing methods and types, taking into account the likelihood and severity of harm to the data subject, i.e. a risk-based standard. The concrete obligations (technical, managerial, and physical measures) are set out in Article 29 (Duty of Safeguards), not in Article 3.
  6. Openness Principle: The first half of paragraph (5) of Article 3 requires the controller to make public its privacy policy and other matters related to personal information processing, which corresponds to the OECD requirement of a general policy of openness about practices and purposes.
  7. Individual Participation Principle: The second half of paragraph (5) of Article 3 requires the controller to guarantee the data subject's rights, naming the right to access as the leading example. Article 4 of the Act enumerates those rights in full, including access, correction, deletion, and suspension of processing.
  8. Accountability Principle: Paragraph (8) of Article 3 places the duty to observe "this Act and other related statutes" on the controller, who is therefore the party accountable for giving effect to the principles above. The consequences of failing to do so (administrative fines and penalties) are set out in the Act's enforcement provisions, not in Article 3.

Conclusion:

In conclusion, data privacy is a fundamental right that must be protected, and the OECD 8 principles and Korea's Personal Information Protection Act are important steps in that direction. By understanding and implementing these principles, organizations can ensure that personal data is collected, processed, and stored in a secure and ethical manner. As individuals, it is also our responsibility to be aware of our rights and to hold data controllers accountable for their actions.

2023-03-15

South Korea's Special Cases concerning Pseudonymous Data


As mentioned in the previous post, the Personal Information Protection Act was implemented in South Korea in 2011.

In the age of the fourth industrial revolution, the promotion of new industries through the utilization of data as a crucial resource is becoming a national imperative. The need for establishing social norms for the safe use of data has become urgent.

However, before the amendment, responsibility for overseeing personal information protection was divided among several bodies, including the Ministry of the Interior and Safety, the Korea Communications Commission, and the Personal Information Protection Commission, and the relevant rules were split between the 「Personal Information Protection Act」 and the 「Act On Promotion Of Information And Communications Network Utilization And Information Protection」. This fragmentation of both oversight and statute limited the protection of individuals' rights as well as the promotion of data utilization.

To address these issues, the 2020 amendment to the Act introduced the Special Cases concerning Pseudonymous Data, Articles 28-2 through 28-7.

[Paper Review] Gaslight: A comprehensive fuzzing architecture for memory forensics frameworks


https://www.sciencedirect.com/science/article/pii/S1742287617301986


DFRWS is a non-profit organization that organizes digital forensic conferences, challenges, and collaborations. Its goal is to promote transdisciplinary knowledge and growth in the field. Conferences include technical workshops, demos, and panels on digital forensics issues, and together they provide a snapshot of the field's research and direction. Papers presented at DFRWS are published in the journal Digital Investigation (now Forensic Science International: Digital Investigation); this paper appeared there as part of DFRWS USA 2017.

The paper's lead author is Andrew Case, a well-known figure in memory forensics. Andrew co-developed the NIJ-funded Registry Decoder forensics application and is a core developer of The Volatility Framework. He has published peer-reviewed papers and presented at conferences worldwide, and he is a co-author of The Art of Memory Forensics, a popular book on the subject.


Paper Abstract:
Memory forensics is now a standard component of digital forensic investigations and incident response handling, since memory forensic techniques are quite effective in uncovering artifacts that might be missed by traditional storage forensics or live analysis techniques. Because of the crucial role that memory forensics plays in investigations and because of the increasing use of automation of memory forensics techniques, it is imperative that these tools be resilient to memory smear and deliberate tampering. Without robust algorithms, malware may go undetected, frameworks may crash when attempting to process memory samples, and automation of memory forensics techniques is difficult. In this paper we present Gaslight, a powerful and flexible fuzz-testing architecture for stress-testing both open and closed-source memory forensics frameworks. Gaslight automatically targets critical code paths that process memory samples and mutates samples in an efficient way to reveal implementation errors. In experiments we conducted against several popular memory forensics frameworks, Gaslight revealed a number of critical previously undiscovered bugs.


My Review:
The paper introduces the importance of robust algorithms in memory forensics frameworks to detect system state anomalies and prevent tampering by malware, discusses the common problem of memory smear and malicious tampering, and describes an automated fuzzing architecture called Gaslight, which efficiently and intelligently tests critical components of memory forensics frameworks without requiring modifications to the framework itself.

Several studies have been conducted on the topic of fuzzing for various purposes, including security vulnerabilities, forensics tools, and dynamic taint analysis. Fuzzing is a technique for testing software by feeding it with invalid or unexpected inputs. In the context of security, fuzzing is used to discover vulnerabilities in software by testing it with various input combinations. Fuzzing can also be used to test forensics tools to ensure they function correctly and to detect any potential issues. Additionally, dynamic taint analysis can be used to track and identify data flows through software systems, providing a means to detect vulnerabilities and improve security.

Section 3 of the paper describes the design goals and implementation of Gaslight, a powerful and flexible fuzz-testing architecture for stress-testing both open and closed-source memory forensics frameworks. The section explains that Gaslight was designed to support seamless testing of any memory forensics framework without modification to the framework and to automatically scale to utilize all available cores. The authors also discuss how Gaslight generates millions of fuzzing states, which are used to test the memory forensics framework's ability to handle different types of data and detect anomalies. Finally, the section mentions that current efforts are underway to support distributed fuzzing in Gaslight.


The experiment tested the Gaslight tool, which uses fuzzing to test memory forensics frameworks. The hardware used was commodity hardware, including an Alienware laptop and a desktop with Intel i7 processors and 32GB of RAM. Three operating systems were chosen for testing, including Windows 7 SP1 64-bit, Debian Wheezy 32-bit, and Mac OS X Sierra 64-bit. The testing was focused on two memory forensics frameworks, Volatility and Rekall. Results were given for the testing of various plugins for each operating system, detailing which plugins crashed or entered infinite loops due to mutations by Gaslight and which produced extremely large amounts of data. The study was not exhaustive, as only 10-12 plugins per operating system were tested, but the results demonstrate the potential of Gaslight for memory forensic testing.
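To make the harness design concrete, here is a miniature Gaslight-style fuzzer I added for this review; it is not the paper's code (which was never released). The "memory sample" is a constructed 4 KiB buffer containing a circular doubly-linked list of fake process entries with an assumed 16-byte layout (flink, blink, pid, reserved), and the "plugin under test" is a naive list walker standing in for something like a pslist plugin. The harness does the three things the paper describes: it records which bytes the plugin actually reads on the pristine sample so that mutations target the code path that consumes them, it mutates only those bytes, and it classifies each run as OK, CRASH (unhandled exception) or HANG (the walk exceeds an iteration budget, standing in for Gaslight's process-level timeout). The names Sample, pslist, run_plugin, apply_mutation and fuzz are mine.

```python
"""Miniature Gaslight-style harness (added example, not the paper's code).

Constructed input: a 4 KiB fake "memory sample" holding a circular
doubly-linked list of process entries. Assumed toy entry layout (16 bytes,
little-endian): flink, blink, pid, reserved.
"""
from __future__ import annotations

import random
import struct
from collections import Counter

ENTRY_FMT = "<IIII"                       # assumed toy layout: flink, blink, pid, reserved
ENTRY_SIZE = struct.calcsize(ENTRY_FMT)   # 16 bytes
SAMPLE_SIZE = 4096
LIST_BASE = 0x100                         # offset of the list head in the sample
HANG_BUDGET = 1000                        # entries a walk may yield before we call it a hang


class Sample:
    """Byte buffer that records every offset the plugin reads (for targeting)."""

    def __init__(self, data: bytes) -> None:
        self.data = bytes(data)
        self.accessed: set[int] = set()

    def read(self, off: int, n: int) -> bytes:
        if off < 0 or off + n > len(self.data):
            raise ValueError(f"read of {n} bytes at {off:#x} is outside the sample")
        self.accessed.update(range(off, off + n))
        return self.data[off:off + n]


def build_sample(n_procs: int = 4) -> bytes:
    """Build the constructed sample: n_procs entries linked in a ring from LIST_BASE."""
    buf = bytearray(SAMPLE_SIZE)
    for i in range(n_procs):
        off = LIST_BASE + i * ENTRY_SIZE
        flink = LIST_BASE + ((i + 1) % n_procs) * ENTRY_SIZE
        blink = LIST_BASE + ((i - 1) % n_procs) * ENTRY_SIZE
        struct.pack_into(ENTRY_FMT, buf, off, flink, blink, 1000 + i, 0)
    return bytes(buf)


def pslist(sample: Sample, head: int = LIST_BASE):
    """Plugin under test: follow flink from head until the list wraps around.

    Like many real list walkers it trusts every pointer it finds in memory,
    so a corrupted flink can send it out of bounds or into a cycle.
    """
    off = head
    while True:
        flink, _blink, pid, _reserved = struct.unpack(ENTRY_FMT, sample.read(off, ENTRY_SIZE))
        yield pid
        off = flink
        if off == head:
            return


def run_plugin(data: bytes) -> tuple[str, list[int], set[int]]:
    """Run the plugin once and classify the outcome the way a fuzz harness would."""
    sample = Sample(data)
    out: list[int] = []
    try:
        for pid in pslist(sample):
            out.append(pid)
            if len(out) > HANG_BUDGET:          # stands in for a process-level timeout
                return "HANG", out, sample.accessed
    except (ValueError, struct.error):          # an unhandled exception is a crash
        return "CRASH", out, sample.accessed
    return "OK", out, sample.accessed


def apply_mutation(data: bytes, mutation: dict[int, int]) -> bytes:
    """Return a copy of data with each offset overwritten by the given byte value."""
    buf = bytearray(data)
    for off, val in mutation.items():
        buf[off] = val & 0xFF
    return bytes(buf)


def fuzz(data: bytes, iterations: int, seed: int = 0, max_flips: int = 2) -> Counter:
    """Targeted mutation loop: only bytes the pristine run touched are mutated."""
    verdict, _baseline, hot = run_plugin(data)
    if verdict != "OK":
        raise RuntimeError("pristine sample must parse cleanly before fuzzing")
    hot = sorted(hot)                            # the bytes the plugin's code path consumes
    rng = random.Random(seed)
    tally: Counter = Counter()
    for _ in range(iterations):
        mutation = {rng.choice(hot): rng.randrange(256)
                    for _ in range(rng.randint(1, max_flips))}
        verdict, _out, _ = run_plugin(apply_mutation(data, mutation))
        tally[verdict] += 1
    return tally


if __name__ == "__main__":
    pristine = build_sample()
    print("pristine:", run_plugin(pristine)[:2])
    print("oob flink:", run_plugin(apply_mutation(pristine, {0x102: 0x01}))[0])
    print("self-loop:", run_plugin(apply_mutation(pristine, {0x110: 0x10}))[0])
    print("fuzz tally:", fuzz(pristine, 500, seed=1))
```

Two of the mutations are instructive: overwriting the third byte of entry 0's flink pushes the pointer past the end of the sample and crashes the walker, while setting entry 1's flink to its own offset creates a cycle that never returns to the list head, which is exactly the infinite-loop class of bug the paper reports in real plugins. A real harness would run the framework in a subprocess with a timeout and watch output size as well, since the paper also flags plugins that terminate but emit an enormous amount of data.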

The Gaslight paper describes a robust fuzzing architecture for testing memory forensics frameworks, which has been demonstrated to find crashes in numerous core Volatility plugins and can be utilized against other memory analysis frameworks. The next performance improvement for Gaslight is to automate scaling to as many systems as are available, with the development of a cluster-based, distributed implementation that will run a large number of tasks in a distributed computing environment in parallel and include a task manager to coordinate creation and management of individual fuzzing tasks across the cluster. Gaslight's eventual goal is to have it running 24/7/365 against a wide variety of memory samples and utilizing a wide variety of frameworks.

The Gaslight team is also reviewing the source code bases of Volatility and Rekall to identify which kernel versions of Linux, Mac, and Windows made changes that broke existing algorithms implemented by memory forensic plugins. Once this study is complete, the Gaslight team plans to generate memory samples for all the operating systems versions needed to fully test each plugin. Finally, after some code cleanup, Gaslight will be released as an open source project.


My critiques are as follows:

Firstly, the fuzzing mutation method employed in this study seems to be overly simplistic in its design.

Secondly, despite the researchers' declaration in 2017 that they intended to make the related tool available as an open-source project, it has not been made public as of 2023.

Lastly, in 2020, a paper titled "Gaslight revisited: Efficient and powerful fuzzing of digital forensics tools" was published, featuring Andrew Case as a co-author. I plan to conduct a review of this publication in the near future.


2023-03-13

South Korea's Personal Information Protection Act


In light of the Fourth Industrial Revolution, it is imperative to establish societal norms for the secure use of personal information and for the growth of emerging industries such as Artificial Intelligence (AI), Cloud Computing, and the Internet of Things (IoT), all of which rely on data as their fundamental resource. The Act therefore lays down rules for processing personal information that align with global standards and apply to both the public and private sectors. These rules aim to protect the privacy of individuals by strengthening measures against harm from personal information breaches, while securing both the individual's right to self-determination over personal information and the ability to put data to productive use.

This legislation embodies principles for handling personal data that are widely recognized internationally. It drew on the eight principles of the 1980 「OECD Privacy Guidelines」, the EU 「Data Protection Directive」 (95/46/EC, 1995), which set the legislative baseline for EU member states, and the 「General Data Protection Regulation」 (GDPR, applicable since 2018) that replaced it. The legislation also considered the 2004 「APEC Privacy Framework」, in whose development Korea played a significant role, and the detailed principles found in the data protection statutes of the United Kingdom, Sweden, Canada, Hong Kong, Australia, and New Zealand.

The objective of this Act is to safeguard the freedom and rights of individuals by specifying matters concerning the processing and protection of personal information, and thereby to promote the dignity and worth of individuals. To this end, the legislation sets out the fundamental principles of personal information processing, the rules for the collection, use, and provision of personal information, the procedures and methods for handling it, restrictions on processing, management and supervision for safe processing, the rights of data subjects, and remedies for infringement of those rights. The Constitutional Court of the Republic of Korea has recognized a 'right to self-determination over personal information' as a fundamental right derived from the first sentence of Article 10 of the 「Constitution of the Republic of Korea」, which guarantees human dignity and worth and the right to pursue happiness, and from the privacy guarantee of Article 17.

  • Constitution Of The Republic Of Korea
    • Article 10: All citizens shall be assured of human worth and dignity and have the right to pursuit of happiness. It shall be the duty of the State to confirm and guarantee the fundamental and inviolable human rights of individuals.
    • Article 17: The privacy of no citizen shall be infringed.

The complete text of the Korea Personal Information Protection Act is accessible at the following website: https://elaw.klri.re.kr/kor_service/lawView.do?hseq=53044&lang=ENG.


2023-03-10

[Paper Review] Windows 10 vs. Windows 11, What Has Changed?


https://www.sans.org/white-papers/windows-10-vs-windows-11-what-has-changed/

SANS Institute is a widely recognized information-security training and certification organization with a strong digital forensics and incident response (DFIR) curriculum. It publishes a large library of white papers, including "Windows 10 vs. Windows 11: What Has Changed?" by Andrew Rathbun (accepted July 12, 2022). In this blog post, I review the key insights and findings of that paper.


Paper Abstract:

Windows 10 was released on July 29, 2015. It has since become the most installed desktop operating system. More recently, Windows 11 was released to the general public on October 5, 2021, which served as an evolution of Windows 10. At the time of publication, there has not been a peer-reviewed, deep-dive comparison between the well known artifacts in Windows 10 and what changes Windows 11 have brought. Artifacts come and go with each new version of Windows, requiring a comparative analysis between the most recent version, Windows 10, and the next version, Windows 11. Security features also come and go as threat models evolve. This Gold Paper aims to provide an exhaustive look into the difference between Windows 10 and 11 as it relates to common artifacts and security features to provide actionable takeaways for digital forensic and incident response examiners and IT administrators alike.


My Review:

The Windows operating system dominates the global market share, with Windows 10 being the most widely installed version, and Windows 11 accounting for 8.45%. To aid digital forensic examiners in identifying the nuances between the two versions, this paper compares and contrasts the investigative artifacts and security features of Windows 10 and 11.


The experiment was conducted using the following version.



The experiment used VMware Workstation Pro, Kroll Artifact Parser and Extractor (KAPE), Eric Zimmerman's tools, Beyond Compare, and NirSoft's RegistryChangesView.

Additional information regarding this experiment is available on the following Github repository(https://github.com/AndrewRathbun/SANSGoldPaperResearch_FOR500_Rathbun).


The research discusses previously established forensic artifacts in Windows 10 and their existence in Windows 11. The artifacts analyzed in this section include LNK files/Jump Lists, $Recycle_Bin metadata files, Amcache, Registry hives, Windows Timeline, Prefetch, Event Logs, Shellbags, and Windows Search Index. Independent research conducted for each artifact indicated that there were no forensically significant differences between Windows 10 and 11 in most cases, except for changes observed in the Registry hives and Event Logs. However, more granular research needs to be conducted to determine the significance of these changes. The article also notes the presence of many SQLite databases in both versions and the existence of different files and folders between the two, as observed through a directory listing comparison provided in a GitHub repository.

The paper also describes new security features in Windows 11, such as requiring TPM 2.0 for all new and upgraded devices, passwordless authentication using TPM 2.0, and support for WPA3, WPA Enterprise 192-bit Suite B, and Opportunistic Wireless Encryption (OWE) for Wi-Fi networks. These features aim to improve the security posture of Windows 11 devices and reduce the risk of compromise.

From a DFIR examiner's perspective, Windows 11 has minimal differences compared to previous versions, but new features may lead to potential new artifacts for forensic examination. With yearly updates planned for Windows 11, the DFIR community will need to continually revisit and validate existing artifacts while searching for new ones that may provide reliable evidence of user activity.


https://mobile.twitter.com/EricRZimmerman/status/1404859472275779584


2023-02-20

[Book Review] The Art of Mac Malware


Patrick Wardle, "The Art of Mac Malware: The Guide to Analyzing Malicious Software", No Starch Press, 2022

"The Art of Mac Malware" is a comprehensive guide to understanding the fundamentals of Mac malware. Part I of the book covers the basics of Mac malware, including infection vectors, methods of persistence, and capabilities. Chapter 1 explores the various infection vectors used by Mac malware authors, ranging from simple social engineering tricks to advanced remote zero-day exploits. Chapter 2 discusses the means by which malware installs itself on a system to ensure it will automatically re-execute upon startup, user login, or some other deterministic event; the chapter covers a myriad of surreptitious methods by which malware can achieve persistence. Chapter 3 takes a detailed look at the capabilities commonly found in Mac malware, such as surveying the system, escalating privileges, executing commands, exfiltrating files, ransoming user files, or even mining cryptocurrency. Together, these chapters give readers a comprehensive understanding of Mac malware and the techniques malware authors use to infect and persist on systems.

Part II of "The Art of macOS Malware" delves into the various techniques and tools used to effectively analyze Mac malware. The section is divided into six chapters, starting with the static analysis of non-binary file formats in Chapter 4 and continuing with binary triage and disassembly and decompilation in Chapters 5 and 6, respectively. Chapters 7 and 8 cover dynamic analysis tools, including debugging with LLDB, while Chapter 9 explores anti-analysis techniques that are commonly used by macOS malware authors to protect their creations from being easily analyzed. 

Part III of the book focuses on analyzing the EvilQuest malware using the knowledge gained in Parts I and II. EvilQuest is a complex Mac malware that employs anti-analysis logic, viral persistence mechanism, and harmful payloads. Chapter 10 starts the comprehensive analysis of EvilQuest by explaining its infection vector, triaging its binary, and identifying its anti-analysis logic. Chapter 11 continues the analysis by detailing the malware's methods of persistence, which ensure its automatic restart each time an infected system is rebooted. It also covers the different capabilities supported by the malware.

In summary, "The Art of Mac Malware" is an invaluable resource for anyone seeking to develop their skills in analyzing macOS malware. The book provides a comprehensive overview of macOS malware's infection vectors, persistence mechanisms, and capabilities, as well as practical approaches to analyzing malicious samples through both static and dynamic analysis. It also includes a hands-on walkthrough of analyzing the EvilQuest malware, allowing readers to apply the concepts they've learned to a real-world example. While the book covers a lot of ground, it cannot cover every aspect of macOS malware analysis; nevertheless, it provides an excellent foundation for those looking to develop their skills in this area. Overall, "The Art of Mac Malware" is an outstanding resource that I highly recommend to anyone interested in the field.

Additionally, I would like to note that this book is available for free on the author's website, making it accessible to anyone who wants to learn about Mac malware analysis. Furthermore, it is worth mentioning that the author is currently planning a second volume, which has generated a lot of excitement in the cybersecurity community. I am eagerly anticipating its publication and look forward to reviewing it when it becomes available.