myfaq.co.uk

FAQ: The Flame/Skywiper Virus and How to Protect Yourself






Ever since the news broke Monday of the Flame/Flamer/Skywiper malware toolkit, the mass media have been breathlessly chronicling this latest “super-virus.”

However, there are a lot of misconceptions being bandied about in the press about Flame/Skywiper, right down to what it’s called and who first discovered it.  Here’s what we know for sure so far.

Q: Flame, Flamer, Skywiper — what’s this thing’s real name?

A: All three names are correct. Different security companies often give the same bugs different names. It’s almost certain that the malware’s developers used yet another name, which we may never know.




Q: Where do the names come from?

A: The names come from filenames found in the malware’s source code.

“FLAME” appears to be the name of a module that spreads the bug along internal networks, and Moscow-based Kaspersky Lab decided to call the entire package “Flame” because of that. Similarly, the Iranian government cybersecurity bureau MAHER decided to call it “Flamer.”

CrySyS, a cybersecurity research lab at Budapest University of Technology and Economics in Hungary, calls the entire package “sKyWIper” after “~KWI,” a filename the malware uses to store temporary files.

Q: Is Flame/Skywiper a virus?

A: Technically, no. Unlike viruses, Flame/Skywiper doesn’t infect already existing files. Its method of infection isn’t completely known yet, but it appears so far to be a worm in that it can spread independently using internal networks and USB drives.

Overall, though, Flame/Skywiper is a malware toolkit — a package of several different kinds of malware that combine to overwhelm the defenses of as many targets as possible.

Q: What sort of computers does Flame/Skywiper infect?

A: It infects machines running Windows XP, Windows Vista and Windows 7.

Q: Is there any chance that my computer could be infected?

A: It’s not likely, unless you’re a government official or weapons researcher in the Middle East.

Q: Is this really the biggest computer malware ever?

A: If you’re counting in terms of file size, yes. Depending on the configuration, Flame/Skywiper can reach 20 megabytes in size, which is enormous for a piece of malware.

Most pieces of malware take up less than one megabyte. For example, Stuxnet, which sabotaged an Iranian nuclear facility in 2010, was pretty complex, yet came in at about half a megabyte.

Q: Most news reports say a Russian security firm found Flame/Skywiper first.

A: That’s not entirely true. Three different research teams found Flame/Skywiper independently.

Kaspersky, the Russian firm in question, had been analyzing “Flame” for several weeks at the behest of the United Nations’ International Telecommunication Union. The ITU wanted to know more about a malware attack in March and April at Iran’s government oil ministry that deleted information from several computers.

CrySyS had been conducting its own analysis into “Skywiper” on behalf of “several parties” who “want to remain anonymous.”

MAHER, the Iranian government agency, had also been conducting an investigation into what it called “Flamer,” and was the first to publish its results in a blog posting early on Monday (May 28).

The MAHER posting forced Kaspersky and CrySyS to quickly put their own findings online later that day. Kaspersky posted a long Q&A about the malware, and CrySyS posted a very detailed 64-page technical report.

Q: When did Flame/Skywiper first appear?

A: The bug’s age is not clearly known, but the March/April malware attack at the Iranian oil ministry seems to be the first indication that something was up.

Q: Is Flame/Skywiper spreading rapidly?

A: No. It’s spreading very slowly. Only a few hundred computers, mostly in the Middle East, are known to have been infected. Flame/Skywiper seems to avoid the Internet and prefers to spread along an organization’s internal network. It hops from one internal network to another by catching rides on USB flash drives. (Stuxnet also used USB drives to spread.)

That’s really a very small malware infection, indicating that Flame/Skywiper is highly targeted and that most people will never have to worry about it.

Q: Which countries are affected?

A: Iran has been the most affected, with nearly 200 machines infected, according to Kaspersky’s figures, which also show about 100 machines are infected in Israel and the Palestinian territories, with lesser numbers in Sudan, Syria, Lebanon, Saudi Arabia and Egypt.

CrySyS has also found evidence of infections in the United Arab Emirates and in unnamed European countries, as well as its own home country of Hungary.

Q: How long has Flame/Skywiper been around?

A: At least two years, according to Kaspersky, and possibly as many as eight years, according to CrySyS. Both teams analyzed archives of malware reports to reach those conclusions.

Flame/Skywiper’s creators also placed fake dates inside the software, which make it seem like some components date back to the early ’90s.

Q: What does Flame/Skywiper do to an infected computer?

A: Heck, you could ask “What DOESN’T it do?” It’s one of the most comprehensive spyware programs ever found.

Flame/Skywiper buries itself deep in the Windows operating system, makes sure it runs upon computer startup, tailors itself to hide from specific brands of anti-virus software, turns on the computer’s built-in microphone to record audio conversations, logs keyboard typing, changes the Bluetooth configuration to spy upon nearby cellphones, tablets and laptops, takes screenshots, monitors wired and wireless network activity and sends whatever information it’s gathered off to command-and-control servers in a dozen different countries. 

Q: Does Flame/Skywiper have a “kill switch” or expiration date?

A: It doesn’t seem to, but once its controllers have decided that a Flame/Skywiper installation on a specific target machine has served its purpose, they can remotely activate a “SUICIDE” command (that’s really what it’s called in the code) that deletes all the Flame/Skywiper files from the machine.

Since many of those files use names identical or very similar to authentic Windows system files, it’s possible that the spontaneous deletion of information on Iranian oil ministry computers was a result of the “SUICIDE” command being activated.

Q: Who would want to create Flame/Skywiper?

A: Flame/Skywiper was almost certainly created by a national government with the resources to devote months, if not years, of expert programming and millions of dollars in expenses to create extremely sophisticated, multipurpose spyware. (Cybercriminals don’t have that much money or time.)

In the Middle East, which Flame/Skywiper clearly targets, the only countries with such capabilities are Iran and Israel.

Q: Doesn’t the United States have the capability to have developed Flame/Skywiper?

A: Yes, and so do Russia, China, Canada, Brazil, Germany, Britain, France and maybe even North Korea. But Flame/Skywiper doesn’t target those countries’ areas of interest.

For example, if Flame/Skywiper were a Chinese creation, you’d expect it to snoop on computers in Taiwan, Japan, India and the West. If it were American, it would be in many other areas of the world besides the Middle East.

Q: The Flame/Skywiper source code seems to use English-language filenames.

A: It does, and it even references American pop culture. One file is named “BEETLEJUICE.” That could mean the coders were American — or it could mean that they’ve watched a lot of American TV shows and movies.

Q: Were the Stuxnet creators behind Flame/Skywiper?

A: We don’t know. The two packages don’t share much code, at least not in the way the Duqu Trojan shared a lot of code with Stuxnet.

But Flame/Skywiper and Stuxnet share an otherwise unmatched degree of sophistication and complexity, and both target Iran, leading most analysts to presume that Flame/Skywiper may have been created in parallel to Stuxnet.

Q: Does this mean we’re on the brink of cyberwar?

A: No. There’s a big difference between espionage and outright warfare. No one’s been killed by Flame/Skywiper, at least not that we’re aware of.

Q: Can I protect myself against Flame/Skywiper?

A: Yes. The good news is that most of the major anti-virus software vendors, including Norton Symantec, McAfee, Bitdefender, TrendMicro, Sophos and Avast, have already updated their malware definitions to protect against Flame/Skywiper.

Bitdefender has also issued a Flame/Skywiper removal tool in case you think you’re already infected.

This story was provided by SecurityNewsDaily, a sister site to TechNewsDaily.


FAQ: Flame, the "super spy"

by Jürgen Schmidt

The spyware worm Flame is being billed as a “deadly cyber weapon”, but a calmer analysis reveals it to be a tool by professionals for professionals that doesn’t actually have that many new features compared to, say, the widespread online-banking trojan Zeus.

What is Flame?

Flame is the code name for a spyware program that is built to be very modular and which is also known as Flamer and sKyWIper. Flame was just recently discovered, and it will be some time before all of its components are analysed. Anti-virus software companies estimate that Flame has infected about 1,000 computers, mostly in the Middle East.

What does Flame do?

The spyware specialises in getting hold of many different types of information. Not only can it steal files and emails from infected computers, but it can also turn them into bugging and surveillance devices using connected microphones and webcams. It is also able to record screenshots, keystrokes, and network traffic.

But all of that is already standard for a lot of malware. Does it have anything new?

One unusual feature is that Flame is able to connect with Bluetooth devices in the area. It’s not clear yet what exactly happens in this case, but it’s possible that headsets could be used for spying or that photos could be stolen from smartphones. Machines infected with Flame seem to also be able to broadcast as Bluetooth devices that offer services. More analysis is necessary to uncover further details.

Another unique feature is the included Lua interpreter, which can be used to easily extend the functionality of the spyware with scripts.

A modular concept, sophisticated spying features – we’ve already seen that with Zeus and SpyEye. How is Flame different from those online-banking trojan kits?



[Figure: Flame explicitly waits for orders before it infects other computers. Source: Kaspersky Lab]



Unlike with banking trojans, the individuals behind this program are not interested in spreading it as far and fast as possible – quite the opposite, in fact. As far as we know at this time, the worm didn’t try to spread itself at all at first, and if an initial analysis did not come up with anything useful on a system, Flame would even be deleted. Only when it received orders to do so – if the information it found looked promising – did Flame try to infect other systems using local networks, USB sticks, or other methods. And this would typically only infect up to a dozen computers. The final total of about 1,000 infected systems over the course of several years is minimal compared to Zeus and SpyEye, which each worked their way into millions of machines.

And how did Flame get onto the infected computers in the first place?

We do not know that yet, but we assume that the typical method for targeted attacks was used. In these cases, the perpetrators identify a group of people who have access to interesting information or can at least provide such access. These targets are then infected with the spyware, via specially crafted emails or USB sticks that someone has purposefully “lost” – or even by breaking into the victim’s apartment, where the software is manually installed on the targeted computer.

Who’s responsible for Flame? Israeli intelligence?

We don’t know – and we doubt we ever will. We do know that the software was developed by professionals, most likely by a whole team. In addition, it seems to have been repeatedly used in certain situations, mostly in the Middle East, with a particular focus on Iran. Conclusions could be drawn about the responsible parties, but it is important to keep in mind that we often only see what we are supposed to see in these situations.

Flame is often mentioned in the same breath as Stuxnet. Is there a connection there?

Both programs were used in a way that tends to suggest intelligence involvement, but technically they have very little in common. Stuxnet was a sabotage program that was very targeted and minimal, despite its wide range of functions; Flame, on the other hand, is a spyware program that is very powerful, universal and, at 20MB, somewhat bloated. The virus experts who analysed the spyware could not find any significant similarities in the code, and there are many potential explanations for why the two programs were spread in part using similar vulnerabilities.

Is Flame a prototype for a modern “cyber weapon”?

Flame’s assignment has more to do with spying than with destruction. The spyware should therefore be labelled a “cyber wiretap” rather than a weapon.

What is actually special about Flame?

The spyware program seems to have been used for many years without being discovered, and until that happened, not a single anti-virus program recognised the malware. This situation shows once again how unsuitable anti-virus software is for protecting systems against targeted attacks. Anti-virus software focuses on defending machines against widespread, indiscriminate malware and is, for the most part, powerless against specialised software like Flame.



FAQ: The CBI’s case AGAINST Jagan Mohan Reddy

Who are the main witnesses the CBI hopes to rope in?

TR Kannan, director of Lakshmi Textiles Pvt Ltd, had been in business for about 40 years. Investigations led by the CBI revealed that Kannan was approached by the then chief minister YSR Reddy, to invest in the state during a meeting organised by the South Indian Mill Owners Association in Hyderabad in 2007.

Kannan later came in contact with Vijay Sai Reddy in 2008 and was ‘compelled’ to invest Rs 5 crore in Jagati Publications, in order to ‘have trouble free business of cement factory in AP.’

Till date, Kannan has not received any dividends on the investment.

Investigations also found that Avanindra Kumar Danamudi was approached by Jagati Publications, and he invested close to Rs 10 crore after being told about the ‘projected credentials’ of the company. He was issued 2,77,776 shares at a premium of Rs 360/share.

Madhav Ramchandra, a Dubai-based NRI, runs GBA products Company Ltd, a venture in cement and marine products. Investigation found that YSR Reddy had met him at a business mela in Dubai and asked him to invest in the state.

According to Ramchandra’s statement, he received a phone call from Jagati Publications in November 2008, and was asked to invest in the company. He was further persuaded and told a public issue of Jagati Publication was slated for launch.

In consequent investments, Ramchandra invested Rs 19,65,99,830 in the publication, and was in turn allotted 5,46,110 shares.


Cleveland waitress receives huge IRS refund check by mistake

When Ginny Hopkins filed her tax return, she expected a refund of $754 — money she really needs to fix her car, among other things.

Instead of that check, she found a check mistakenly issued for $434,712 in her mailbox.

“I have many best friends now, let me tell you,” Hopkins said, as she made her way from table to table at Johnny’s Downtown in Cleveland, where she has worked for almost 20 years.

And everyone has given her advice since the monster check arrived Tuesday.

“Some say cash it, and some say don’t,” she said.

Hopkins knew that cashing the check could get her in a whole lot of trouble.

“They’ll put me in Alcatraz, waiting on the night shift at Alcatraz,” she said. “They’ll reopen the place.”

Hopkins thought about where she would go if the money were really hers.

“For years I’ve wanted to go to Hawaii and my whole family, too,” she said.

“We’d go to Hawaii, yes,” she finally decided, “and maybe Rio for the Mardi Gras. Would you believe I had my first vacation in 23 years last October?”

Hopkins made arrangements Wednesday to return the check to the IRS office at the federal building in downtown Cleveland.

Since Hopkins needs the money right away, her friends at the restaurant and WKYC-TV in Cleveland advanced her the money.

The IRS said sometimes mistakes like this happen, but it happens less often as more people file their taxes electronically. Hopkins should get her correct refund check in six weeks, the IRS said.

“It made a great story, didn’t it,” Hopkins said. “We’ll get many miles and many years out of this story of Grandma being queen for a day, rich for a day.”


Green Party FAQ: What the media should know about the race for the Green presidential nomination, Green ballot lines, and the 2012 Green National Convention

GREEN PARTY OF THE UNITED STATES

http://www.gp.org

For Immediate Release:
Wednesday, May 30, 2012

Contacts:
Scott McLarty, Media Coordinator, 202-904-7614, mclarty@greens.org
Starlene Rankin, Media Coordinator, 916-995-3805, starlene@gp.org


2012 Green Presidential Nominating Convention, July 12-15 in Baltimore, Md. http://www.gpconvention2012.com
Media Credentialing page http://www.gpconvention2012.com/p/media.html

Green Party Livestream Channel, featuring videos of Green presidential candidates addressing the Iowa Green Party on May 26 http://www.livestream.com/greenpartyus

WASHINGTON, DC — The Green Party has compiled a list of the most frequently asked questions from journalists about the Green presidential candidates, 2012 Green National Convention, and the party itself. Greens invite journalists to use this FAQ guide as a resource for information throughout this election year and to contact us for more information.

Who are the candidates competing for the Green Party’s presidential nomination?

Roseanne Barr http://www.roseanneforpresident2012.org
Kent Mesplay http://mesplay.org
Jill Stein http://www.jillstein.org

Jill Stein is the frontrunner, having won 138 of the 184 delegates assigned so far. Roseanne Barr, in second place, has been endorsed by the Green Party Black Caucus and the Green Party of Philadelphia.

Greens have welcomed Kent Mesplay, now recognized by the Green Party as a presidential candidate, to the race.

See also:
Green presidential campaign news http://gp.org/2012/campaign-news.html
Candidates’ bios http://gp.org/2012/candidates.html
Results of state Green Party primaries, conventions, and caucuses http://www.gp.org/committees/pcsc/2012/documents/Delegate-Tracking-2012.pdf


How will the Green nominee be chosen?

State Green Parties have been participating in primary elections and hold statewide conventions and caucuses to apportion delegates for the nomination, which will take place on Saturday, July 14 at the Green Party’s 2012 National Convention in Baltimore, Md. (http://www.gpconvention2012.com). The convention, which runs from July 12 to July 15, will be held on the campus of the University of Baltimore.

During the one or more rounds of voting by delegates, the first presidential candidate to gain more than half of the votes will win the nomination.

The 50 states, District of Columbia, and US territories have widely varying rules for party status and ballot access, so the various state Green Parties have their own rules for choosing delegates. The Green Party is tracking the results of the state primaries, conventions, and caucuses (http://www.gp.org/committees/pcsc/2012/documents/Delegate-Tracking-2012.pdf).


Can the media attend the Green Party’s 2012 National Convention? What will be the highlights?

The Green Party invites and encourages journalists from all media to cover the convention. Bloggers are invited too. We urge journalists to let us know they will attend and cover the convention by registering on our Media Credentialing page (http://www.gpconvention2012.com/p/media.html), so that we can prepare for their participation and better accommodate them. Journalists can also register on site.

The Green Party will hold an introductory press conference on Thursday, July 12, at 4 p.m. More press conferences will take place on Friday and will feature Green candidates for state and local office and current Green officeholders.

On Saturday (nomination day), a press conference at 9 a.m. will introduce the presidential candidates. There will be a reserved media section for journalists in the auditorium where the nomination takes place. After the nomination, the Green Party will hold a press conference for the presidential and vice presidential nominees, probably beginning between 4 and 5 p.m. on Saturday afternoon.

The University of Baltimore venues for the press conferences and the nomination will be announced as the convention approaches, as will the names of Green state and local candidates and officeholders participating in press conferences and other convention details. We invite journalists at the convention to meet Green Party members, explore other events on the schedule, and get to know us.


How many ballot lines will the Green Party have on Election Day?

The Green Party of the United States is aiming for at least 46 state ballot lines. The party is currently on the ballot in 20 states. More information: http://www.gp.org/2012/ballot-access.html


Why does the Green Party run presidential candidates, when it’s so unlikely they will win on Election Day?

The most important reason is that Americans deserve a real choice on Election Day. Voters deserve the right to vote for whichever candidates best represent their interests, ideals, and values — without being told that their choice is restricted to two candidates. The Democratic and Republican parties together represent a narrow range of ideas and policies. Both established parties and their candidates accept millions of dollars in contributions from powerful corporate lobbies. The Green Party and Green candidates accept no corporate money.

The Green presidential ticket leads the party’s slate of candidates for all offices. The nominees express the party’s platform, principles, and positions and generate national attention for the Green Party. They also help raise publicity and contributions for state and local candidates during their campaign tours.

Some states use numbers of votes cast for a presidential candidate among their qualifications for party recognition.


What challenges do Green candidates face in their campaigns?

The greatest challenges are the grossly unfair and antidemocratic election rules in many states. Democratic and Republican politicians in such states have together enacted ballot access rules that privilege themselves and obstruct independent and alternative party candidates.

Pennsylvania in recent years has required Democratic and Republican candidates in statewide elections (for Governor, US Senator, President) to hand in ballot petitions with at least 2,000 valid signatures, while requiring a minimum number “equal to 2 per cent of the total vote of the highest vote cast in the state in the previous election” (ranging between 20,000 and 67,000 in recent elections) from alternative party and independent candidates, along with the threat of excessive, financially ruinous fees for trying to qualify for the ballot.

In Alabama, a party on the ballot by petition or by a previous statewide vote can retain ballot access through the next election by polling 20% for president. In Oklahoma and Virginia, the same process requires 10%. (See http://en.wikipedia.org/wiki/Ballot_access#State_ballot_access_laws) Greens, often in coalition with other parties, have worked to overturn unfair rules by petitioning state legislatures and filing lawsuits. There are current or pending lawsuits with the Green Party as a plaintiff in Alabama, Georgia, North Carolina, Oklahoma, Oregon, Pennsylvania, and Virginia.

Greens in Georgia, where 2008 Green presidential nominee Cynthia McKinney has announced her run for the US House, have filed a lawsuit along with the Constitution Party against their state’s ballot access laws, which have been called the most obstructive in the US (http://www.ballot-access.org/2012/05/25/georgia-ballot-access-lawsuit-filed/).

Green presidential candidates are routinely excluded from debates sponsored by the Commission on Presidential Debates (CPD), which is owned and operated by the Democratic and Republican parties. The CPD took over the debates from the League of Women Voters in 1988 for the purpose of barring other parties’ candidates, as internal memos from the CPD have shown.

Finally, Green candidates must sometimes deal with the mistaken belief among some voters that Democrats and Republicans are the only “legitimate” candidates or that a two-party limit is enshrined in the US Constitution.


Are Greens concerned that a Green presidential candidate might affect the election outcome in 2012, after accusations that Ralph Nader gave us eight years of George W. Bush in 2000?

Al Gore very likely won Florida and therefore won the 2000 election. (“[A consortium of news organizations], looking at a broader group of rejected ballots than those covered in the court decisions, 175,010 in all, found that Mr. Gore might have won if the courts had ordered a full statewide recount of all the rejected ballots.” New York Times, November 12, 2001, http://www.nytimes.com/2001/11/12/politics/12VOTE.html)

The 2000 accusation is based on the idea that obstruction of voters, manipulation of vote counts, and a possible election theft by a major party (the GOP) are less dangerous to our democracy than the right of an alternative party to participate fair and square. The accusation suggests that some parties are entitled to votes and others are not.

Greens are less concerned about the Obama-Romney contest than with the fact that neither has an adequate jobs program, climate-change action program, or plan to halt home foreclosures; both have embraced military attacks without provocation on other countries; both join their parties in favor of the $600 billion “fiscal cliff” for the post-election lame duck Congress; both favor profits for the health insurance industry over the right of all Americans to quality health care (Medicare For All); both support indefinite detention without due process and other violations of constitutional and international law. Neither corporate-sponsored party protects our rights or addresses the crises we face.

Greens encourage Americans who want fair and open elections to help us replace at-large and winner-take-all voting with important democratic reforms like Instant Runoff Voting (also called Ranked-Choice Voting) and Proportional Representation. Ireland has used IRV since 1937. Runoffs were held in this year’s elections in France and Egypt.


What is the Green Party’s relation to the Occupy Movement?

The Occupy Movement is nonpartisan and does not support any party or candidate. Greens respect this principle and encourage Occupiers to do what they do best — build a popular movement against policies that have enriched and empowered Wall Street (the “one percent”) while hurting working Americans.

All three Green presidential candidates, as well as many other Greens, have participated in Occupy protests and on some occasions were asked to speak at Occupy rallies. The Green Party’s platform and positions are consistent with the Occupy Movement’s grievances about the growth of corporate power and US government’s descent into oligarchy, military aggression, and ecological irresponsibility. We encourage all voters who share these concerns to register and vote Green.


MORE INFORMATION

Green Party of the United States http://www.gp.org
202-319-7191

2012 Green Party Presidential Nominating Convention, July 12-15 in Baltimore, Md. http://www.gpconvention2012.com
Green candidate database and campaign information: http://www.gp.org/elections.shtml
News Center http://www.gp.org/newscenter.shtml
Speakers Bureau http://www.gp.org/speakers
Ballot Access Page http://www.gp.org/2012/ballot-access.html
Video Page http://www.gp.org/video/index.php
Green Papers http://www.greenpapers.net
Google+ http://www.gp.org/google
Twitter http://twitter.com/gpus
Livestream Channel http://www.livestream.com/greenpartyus
GP-TV Twitter page http://www.gp.org/twitter
Facebook page http://www.gp.org/facebook

Green Pages: The official publication of record of the Green Party of the United States
http://gp.org/greenpages-blog


~ END ~


Friday jobs report could have large election impact

So far, the economy has been strong enough to help President Obama’s re-election prospects, if barely.

According to a widely followed forecasting model by Yale economist Ray Fair, who uses economic variables to predict political outcomes, Obama’s projected to win with 50.2% of the two-party popular vote. In state-by-state modeling by Moody’s Analytics, the president is on track for 303 electoral votes — more than the 270 he needs.

In Washington, economists who work closely with politicians believe job-growth numbers drive elections, absent a foreign-policy crisis. More formal forecasting models track economic growth through September of election years, changes in unemployment rates, and changes in income, Fair said.

Economists surveyed by Bloomberg News say the economy is expected to have added 150,000 jobs in May, with unemployment holding at 8.1%. That’s up from 115,000 new jobs last month, but below the 200,000-plus monthly gains this winter.

“It’s very close,” said Fair, who pointed out that his model says Romney will win if growth slows this year, as many economists expect. “The model has an average error of 2%.”

A look at old data supports the theory that midyear job growth is a solid election predictor. Employment grew strongly in the spring and summer of 1972, 1984, 1996 and to a lesser degree 2004 — and presidents won re-election. The opposite was true in 1976, 1980 and 1992, when incumbents lost.

Fair says the change in growth and employment matters more than the jobless rate: Ronald Reagan won 49 states in 1984 with unemployment at 7.4%.

That makes Friday’s jobs report for May the first of a series of critical readings, said Jared Bernstein, Vice President Biden’s economic adviser in 2009 and 2010.

“All of the reports will become increasingly important,” says Douglas Holtz-Eakin, Republican John McCain’s top domestic policy adviser in the 2008 presidential campaign.


Legal Alert: FAQs Issued on SBC Requirement

[author: Tiffany Downs]

Executive Summary:  The Departments of Labor (DOL), Health and Human Services (HHS), and the Treasury recently issued additional guidance providing answers to frequently asked questions (FAQs) regarding the implementation of the summary of benefits and coverage provisions of the Patient Protection and Affordable Care Act (PPACA)[1].  This guidance, entitled “FAQs about Affordable Care Act Implementation Part IX,” is available at: http://www.dol.gov/ebsa/faqs/faq-aca9.html.

The SBC requirements become effective for participants who enroll or re-enroll during open enrollment as of the first day of the first annual enrollment period that begins on or after September 23, 2012.  For participants or beneficiaries who enroll in the plan outside of open enrollment (for example, newly eligible employees or special enrollees), the effective date is the first day of the first plan year that begins on or after September 23, 2012. 

Some of the significant issues addressed in the FAQs include:

Safe Harbor for Electronic SBCs

Previously, the departments discussed a safe harbor for providing the SBC to participants or beneficiaries covered under the plan who are able to effectively access documents provided in electronic form at the worksite.  The new FAQs state that SBCs may be provided electronically to participants and beneficiaries in connection with their online enrollment or online renewal of coverage under the plan. Additionally, an SBC may be provided electronically to participants and beneficiaries who request an SBC online.  In either case, the individual must have the option to receive a paper copy upon request.[2]

Clarification of when SBCs must be Provided

The regulations require health insurance issuers to provide an SBC upon application for coverage.  The FAQs clarify that an SBC must be provided as soon as practicable but no later than seven business days of the receipt of a substantially complete application for a health insurance product. 

The FAQs also state that if an individual, plan or plan sponsor is negotiating coverage after an application has been filed and the information contained in the SBC changes, a new SBC is not required to be provided until the first day of coverage (unless a new SBC is requested).

Additionally, if an SBC is provided prior to receipt of an application for coverage, the health insurance issuer is not required to provide a duplicate SBC upon receipt of an application.  If there have been changes in the information required to be included in the SBC, a new SBC must be provided as soon as practicable following the receipt of the application, but no later than seven business days of receipt of the application.  The FAQs also clarify that if an SBC is provided upon application, the health insurance issuer is not required to provide another SBC on the first day of coverage, unless there has been a change in the information required to be included in the SBC. 

Comparison of Benefit Package Options

The FAQs state that issuers and plans may display SBCs or parts of SBCs in a way that facilitates comparison of different benefits package options.  However, such documents do not fulfill the requirement to provide an SBC.  Full SBCs for all benefit packages included in the comparison documents must be made available.

Penalties for Failure to Provide SBCs or a Uniform Glossary

According to the FAQs, the departments are focusing on assisting (rather than penalizing) plans, issuers and others who are working diligently and in good faith to understand and come into compliance with the new law.  Accordingly, the departments will not impose penalties on plans and issuers that are working diligently and in good faith to comply.

The FAQs also state that the departments will not take any enforcement action against a plan or issuer for failing to provide an SBC before September 23, 2013 with respect to an insured product that is no longer being actively marketed for business, provided the SBC is provided no later than September 23, 2013 (at which time, enrollees and small employers will have new opportunities to compare coverage options available through an Exchange).

The Bottom Line:

We expect to see more guidance from the departments regarding the SBC requirement.  If you have any questions regarding this issue or other employee benefits related issues, please contact Tiffany Downs, tdowns@fordharrison.com, any member of Ford Harrison’s Employee Benefits practice group, or the Ford Harrison attorney with whom you usually work.


[2] In addition, for individual market issuers that offer online enrollment or renewal, the SBC may be provided electronically, at all issuances, to consumers who enroll or renew online, consistent with the regulations.

 


FAQ: What happens if Time Warner drops WDRB?

TIME WARNER FAQs:

1. Why would WDRB not be carried on the Time Warner system (formerly Insight Communications)?

After decades of permitting cable and satellite companies to rebroadcast its television stations for free, WDRB has completed agreements with the cable companies that carry its signals in which the cable companies have agreed to compensate WDRB for the excellent news, sports and entertainment programming its stations provide. The cable and telephone companies have also agreed to carry our additional over-the-air digital channels. Time Warner Cable is refusing to pay the fair market price for a FOX station. That amount is two cents per day.

2. If Time Warner drops WDRB won’t Time Warner simply make FOX Network programming available from another station?

There are rules in place to protect the local broadcasters’ programming.

3. If Time Warner agrees to WDRB’s request, won’t Time Warner simply raise my monthly bill?

WDRB has no control over Time Warner’s, or any video provider’s, rates or any decision to raise rates. Time Warner is already charging subscribers for the local channels each month. In fact, out of the amount Time Warner charges for service, WDRB receives less than 1/2%. You should judge on your own whether you think the profit margin Time Warner already makes on the local channels warrants an increase in rates. In 2011, Time Warner had record revenues and profits. You can always get WDRB’s signals for free with the use of an over-the-air digital antenna.

4. What are my options for getting any of WDRB and WMYO’s programming?

Other providers will continue to carry WDRB/WMYO without interruption. We’ve listed those in another section of the web site. Alternatively, you may use an antenna and receive our local TV stations over the air free of charge.

5. Is WDRB being greedy by asking for an increase?

WDRB is asking for the same amount they received from Insight Communications, with increases in 2013 and 2014 to mirror the rate increases imposed by WDRB’s programmers, which are based on the cable subscriber numbers. That is fair.

6. How do I get in touch with someone at TIME WARNER CABLE if I wish to express my views?

Note: Although TIME WARNER CABLE owns the local cable service, it is still branded locally as INSIGHT COMMUNICATIONS.

You can call INSIGHT COMMUNICATIONS’ customer service center 502-357-4400 (when prompted to dial “1,” you will be forwarded to a recorded message. To discuss this with a customer service rep, please dial “0.”)

Other means of communication:
Insight Communications E-mail

Insight Communications Facebook page

Insight Communications Twitter page

7. Do I need to call WDRB again after contacting TIME WARNER CABLE?

No. While we appreciate your input, and welcome your comments, it is not necessary to contact us after you have contacted TIME WARNER CABLE. Just make sure your voice is heard at TIME WARNER.

8. Why is this happening with WDRB, but not the other television stations in the market?

We believe WDRB’s primary and digital channels of programming are as valuable to the viewers in your market as similar programming may be to viewers in other parts of the country. WDRB is not privy to the negotiations with others in the market and perhaps in time, every station will have their time to negotiate with TIME WARNER CABLE. Congress has allowed this to occur knowing that the broadcasters’ content is what helps the distributors grow. TIME WARNER CABLE has been in operation for many years; they have had the opportunity to cover their capital expenses with record profits and revenue. TIME WARNER CABLE messages may try to tell you that WDRB is being greedy, but once you know the facts you can decide if two cents a day is fair. There was no charge imposed for continued carriage of WMYO and the digital multicast channels.

9. Is this about WDRB making more money?

Money is important. Almost everyone expects to be paid for the work that they do. WDRB is the exclusive outlet for local market network programming, local news and other entertainment programs. While anyone may use an over-the-air antenna to personally view the programming for FREE, we won’t allow anyone to take our signal and resell it to the viewers without fair compensation. TIME WARNER CABLE seems to think it should be allowed to take our programming and charge people to see it, without fairly compensating WDRB for the programming. We are fighting to protect our rights. We are fighting to receive fair compensation in both fees and carriage of WDRB. We hope you understand our position.

10. How much of my TIME WARNER CABLE bill is actually paid to broadcasters in the WDRB market?

TIME WARNER CABLE does not disclose how much it pays each broadcaster and we cannot provide specific details of our agreement with TIME WARNER because of contractual restrictions. Let’s put it simply and clearly. Less than two (2) pennies per day of your current bill to TIME WARNER CABLE goes to pay WDRB’s license fee. If TIME WARNER CABLE accepts our current proposal, that rate would stay at two pennies per day and increase to less than 2 1/2 pennies at the end of our proposed agreement. TIME WARNER pays more to much less watched networks.


Behind the ‘Flame’ malware spying on Mideast computers (FAQ)


The new Flame malware that has infected computers in Iran and the Middle East is named after one of the main modules it uses to spread.


(Credit: Securelist)

The Flame worm that has targeted computers in the Middle East is being called “the most sophisticated cyberweapon yet unleashed” by Kaspersky Lab researchers who discovered it. Lurking on computers for at least five years, the malware has the ability to steal data, eavesdrop on conversations, and take screen captures of instant message exchanges, making it dangerous to any victim. But a possible link to malware found on computers in Iran’s oil sector has experts saying it’s got to be the work of a nation-state.

CNET talked with Roel Schouwenberg, senior researcher at Kaspersky, the company that uncovered the malware, to find out who is behind it and how dangerous it really is.

What is Flame?
Flame is a sophisticated attack toolkit that leaves a backdoor, or Trojan, on computers and can propagate itself through a local network, like a computer worm does. Kaspersky Lab suspects it may use a critical Windows vulnerability, but that has not been confirmed, according to a Kaspersky blog post. Flame can sniff network traffic, take screenshots, record audio conversations, log keystrokes and gather information about discoverable Bluetooth devices nearby and turn the infected computer into a discoverable Bluetooth device. The attackers can upload additional modules for further functionality. There are about 20 modules that have been discovered and researchers are looking into what they all do. The package of modules comprises nearly 20 megabytes, over 3,000 lines of code, and includes libraries for compression, database manipulation, multiple methods of encryption, and batch scripting. The malware is named after one of the main modules that is responsible for attacking and infecting additional computers. There are multiple versions circulating, which are communicating with as many as 80 different command-and-control servers. Kaspersky has an updated technical analysis here and McAfee’s technical blog post is here. This report on the malware, from the Laboratory of Cryptography and System Security (CrySyS Lab) at Budapest University of Technology and Economics, refers to the threat as “sKyWIper.”

“Flame is very modular. Basically a target will get infected with the main component and then the attackers will only upload modules to the target as they see fit,” Schouwenberg said. “We assume that we don’t have all the modules that exist in the wild.”

How does it spread?
Flame spreads within a network via a USB thumb drive, network shares, or a shared printer spool vulnerability, but spreads only when instructed to do so by the attackers. It’s unclear what the initial point of entry is. “We expect to find a spear phishing e-mail with a Zero-Day exploit,” Schouwenberg said.

How long has Flame been around?
“We have the first confirmed report of Flame in the wild in 2010, but there is circumstantial evidence that dates it back to 2007 and some speculate it may go back further than that,” Schouwenberg said. Kaspersky Lab researchers discovered the malware several weeks ago after being asked by the United Nations’ International Telecommunication Union for help in uncovering malware dubbed “Wiper” that was stealing and deleting sensitive information on computers in Iran’s oil sector.

How does Flame relate to Wiper?
“Wiper could be a Flame module that is uploaded to a target machine when the attackers want to wipe the data from the computer. There is no evidence to link the two together, but the timing is coincidental,” Schouwenberg said. “So, we have an open mind to Wiper being a Flame plug-in.” Iran’s National Computer Emergency Response Team (CERT), which is called “Maher,” said software to detect Flame was sent to companies in that country at the beginning of May and a removal tool is ready now. Recent incidents of mass data loss in Iran “could be the outcome of some installed module of this threat,” the center said, speculating that attacks in which data from Iran’s gas company computers may have been linked to Flame. Officials in Iran suspect that Wiper and Flame are somehow linked, the Associated Press reports.

Why wasn’t Flame discovered earlier?
Whoever created Flame took extreme efforts to write the code so that it would evade detection for as long as possible. “Clearly it’s another multimillion-dollar project with government funding, so one of the top priorities has been stealth,” Schouwenberg said. While a later variant of Stuxnet was detected because it spread aggressively, Flame only spreads after it is instructed to do so remotely. Flame is unusually large in size and uses an uncommon scripting language, Lua, so it doesn’t look malicious at first glance. “Flame authors have adopted the concept of hiding in plain sight,” he said. Because Flame doesn’t use a rootkit technology, free anti-rootkit tools won’t be able to detect it. “Finding it is going to be more complicated,” according to Schouwenberg.

Who created the malware?
It’s unclear who wrote and distributed the malware, but Schouwenberg said researchers believe it was a nation-state or someone hired by a nation-state because of the advanced nature of the threat. Just because the code is in English does not mean that an English-speaking country is behind it, he said when asked if he thought the U.S. and/or Israel are behind this malware as is believed with Stuxnet. Meanwhile, liberal Jewish blog Tikun Olam cites an unidentified “senior Israeli source” as confirming that Israeli cyber warfare experts created Flame to “infiltrate the computers of individuals in Iran, Israel, Palestine and elsewhere who are engaged in activities that interest Israel’s secret police including military intelligence.”

Is it related to Stuxnet and Duqu?
Flame shares some characteristics with two previous types of malware that targeted critical infrastructure systems and which used the same technology platform: Stuxnet and Duqu. Schouwenberg thinks the same entities are behind Flame. For instance, Flame and Stuxnet both spread via USB drive using the “Autorun” method and a .LNK file that triggers an infection when a directory is opened. Flame also can replicate through local networks using a Windows-based shared printer vulnerability that was exploited by Stuxnet as well. Kaspersky hasn’t uncovered Flame using any previously unknown vulnerabilities, called “Zero-Days,” but since Flame has infected fully patched Windows 7 systems through the network, there may be a high-risk Zero-Day being exploited. “We are operating under the assumption right now that basically Flame and Stuxnet were two parallel projects commissioned by the same nation-state or states. The Stuxnet platform was created by one team or company and Flame by another team or company, and both teams had access to this common set of exploits,” he said. Flame is 20 times larger than Stuxnet, which was previously believed to be the most sophisticated piece of malware ever.

How serious is this?
Kaspersky researchers believe there is much more to Flame than they know now. “We operate on the assumption there are other modules we don’t know about, which could elevate Flame from cyber espionage to cybersabotage,” Schouwenberg said. “Given the conservative method of spreading, we assume that the vast majority of infections we are seeing are intended targets … The amount of manpower required to maintain this operation is very significant. Flame uses more than 80 C&C (Command and Control) servers, which we haven’t seen before. This shows the amount of resources committed to this project.”

Who is being targeted with Flame?
The highest proportion of infections are in Iran, followed by “Israel/Palestine,” Sudan, Syria, Lebanon, Saudi Arabia and Egypt, according to Kaspersky. Symantec says the primary targets are in “the Palestinian West Bank, Hungary, Iran and Lebanon.” “With Flame, we haven’t been able to say what binds all the targets together other than that they are in the same geographical region,” Schouwenberg said. “We are trying to work with incident response teams globally to contact these victims and find out more, but right now we don’t know what type of data has been stolen.” Victims include educational institutions, state-related organizations and individuals.

How widespread is Flame?
So far there are only estimates as to how widespread Flame infections are. Kaspersky researchers have seen between 300 and 400 infections on customer computers reporting back to them, but researchers speculate there could be more than 1,000 infected computers worldwide. Most of the infections are in Iran and other countries in the Middle East. There are a few in the U.S., and Schouwenberg said those could be due to someone in the Middle East using a virtual private network based in the U.S. to circumvent Internet filters in that country as opposed to genuine infections on U.S.-based computers. “We’re looking into sinkholing (taking control of) some of the Command and Control servers and getting data from there to have a more accurate reflection of infections,” Schouwenberg said.


Here are the countries with the most Flame infections discovered by Kaspersky.


(Credit: Securelist)

Does it affect me?
Most of the major antivirus software now detects Flame, so updating your security software will protect you. Kaspersky also has offered tips for manually removing the malware. The software is not designed to steal financial data and does not seem targeted at consumers, so chances are your computer is safe.

What does this all mean?
While Flame represents another sophisticated cyber espionage attack, it’s not exactly a harbinger of cyberwar. Countries have been conducting cyber espionage for years, but it wasn’t until Stuxnet, with its links to the U.S. and Israel, that a Western country was fingered by researchers. Stuxnet is believed to have been designed to sabotage Iran’s nuclear program after diplomatic and other efforts had failed. That said, Flame does show that sophisticated attacks on critical infrastructure are happening, and succeeding. “The good news is that like Stuxnet, Flame appears to be highly targeted,” Eric Byres, chief technology officer and co-founder of Tofino Industrial Security, writes in a blog post. “But the bad news is that this worm clearly indicates that industry, especially the energy industry, is now a key target in a rapidly growing world of sophisticated, government sponsored malware.”

“You could call it military-grade malware, which is obviously a class above (other malware) and generally these are covert operations so remaining stealth is top-most priority,” Schouwenberg said. “In the end, it was anti-malware that found this type of attack.”

Updated 4:35 p.m. PT with Tikun Olam report of source saying Israel is behind Flame.


FMLA FAQ: Must an Employer Designate FMLA Leave When the Employee Does Not …

Q: One of our employees will be absent for a serious health condition. However, the employee prefers to use his accrued sick days instead of FMLA leave. He has enough sick time to cover the absence. In this situation, can the employee choose not to take FMLA leave, either because he has not specifically asked for FMLA leave or because he simply does not want to use FMLA leave?

A: This is one of the most common questions I am asked in my practice, and it is due largely to the grand confusion caused by the Family and Medical Leave Act. There actually are several sub-questions contained in the nugget above, and I answer them below.

1. Does an employee specifically have to use the letters F-M-L-A when requesting leave protected under the Act? Heck no! Why? The U.S. Department of Labor says so. In its FAQs (pdf) on the FMLA, the DOL specifically states that when “an employee seeks leave for the first time for a FMLA-qualifying reason, the employee does not need to specifically assert his or her rights under FMLA, or even mention FMLA.” Rather, the employee need only provide “sufficient information” to make the employer aware of the possible need for FMLA leave. Note: After the employer has provided FMLA leave for this reason, however, the DOL tells us that “the employee must specifically reference either the qualifying reason for leave or the need for FMLA leave.”

Thus, it becomes critical that HR professionals and supervisors fielding the call-offs from employees be trained and in a position to identify situations where the employee has put you on notice of the need for FMLA leave.

2. If the employee qualifies for FMLA leave, can an employer make the employee use FMLA leave, even if the employee does not want to use it? Do not let your employees sweet-talk, bamboozle or bully you into not counting an absence as FMLA leave where the leave of absence is taken for an FMLA-qualifying reason. Take it from the regulations themselves:

The employer is responsible in all circumstances for designating leave as FMLA-qualifying, and for giving notice of the designation to the employee . . . When the employer has enough information to determine whether the leave is being taken for a FMLA-qualifying reason (e.g., after receiving a certification), the employer must notify the employee whether the leave will be designated and will be counted as FMLA leave within five business days absent extenuating circumstances. 29 CFR § 825.300(d)

The employer’s obligations under the FMLA are clear: once it has enough information to determine whether the leave is being taken for an FMLA-qualifying reason, the employer must notify the employee as to whether the leave will be designated and counted as FMLA leave. In other words, the employer has an obligation to designate leave as FMLA-qualifying as soon as the absence becomes an FMLA-qualifying event. Employees do not have the right to choose when they take FMLA leave. As soon as the leave of absence qualifies as FMLA leave, it should be designated as such — regardless of whether the employee wants FMLA to apply.

Failing to designate an absence as FMLA leave can have quite a negative impact on an employer’s operations. For example, if you fail to designate an employee’s 10-week absence as FMLA leave (when it rightfully qualifies as such), but instead allow them to utilize accrued sick leave from their sick bank, you effectively have allowed the employee leave that they otherwise are not entitled to by law. Although they will have exhausted 10 weeks of sick leave, they still have up to 12 weeks of FMLA leave available to them (instead of two weeks) because you did not designate the 10-week absence as FMLA leave.

3. Can an employer require paid leave to run at the same time as FMLA leave? Here, the employer’s policy governs. If the policy requires any accrued paid leave to run concurrently with FMLA leave, then an employer can require both FMLA leave and paid leave to run at the same time. 29 CFR § 825.207(a). In the absence of such a policy, however, the employee can decide whether to use paid leave in conjunction with FMLA leave.

In this situation, you run into the same troubled situation identified in Section 2 above — the employee can stack paid leave and FMLA leave on top of each other, resulting in more leave than the employee legally is entitled to. If your policy currently does not require paid leave to run concurrently with FMLA leave, discuss this with employment counsel to ensure your policy is consistent with your business objectives. The money you save in the long run will be well worth the advice.
