Privacy Matters: GDPR Enforcement Actions Signal Regulators Focus, Experts Say

By Marilia Wyatt, CyberPrivacy

Companies looking to gauge how EU’s General Data Protection Regulation will be interpreted should monitor regulators’ decisions around fines and which privacy violations are considered the highest severity, said panelists on Thursday at the RSA Conference.

GDPR enforcement is still in early stages, experts say. “Enforcement is a toddler, so we need to buckle our seat belts to see what happens,” said Ruby Zefo, chief privacy officer at Uber.

Ms. Zefo predicts the ‘hammer’ will continue to fall on the things companies can control, including having proper data management and hygiene practices. She said while fines are pretty low, especially in Europe, once “those shoes start to fall” it sets a precedent for more.

“Enforcement actions will be indicative of what the regulators care about,” said J. Trevor Hughes, president and CEO at the International Association of Privacy Professionals, a nonprofit group supporting industry participants globally.

For instance, Mr. Hughes says, if companies see regulators talking about the 72-hour notice period for a data breach, and there is an increase in enforcement actions around that- it could signal that a company’s risk profile on notice of security breach has just increased significantly from the regulator’s perspective.  To manage the risk, firms should monitor enforcement actions through the remainder of 2019 and in the future as crucial, he said.

Kalinda Raina, senior director, head of global privacy at LinkedIn, noted enforcement actions become quasi-regulation in a sense. Companies, she says, can best understand how the privacy law is going to be enforced and interpreted by looking at regulators’ decisions and how they are appointing fines around them.

Under GDPR, companies need clear consent from users to process their personal data, The Wall Street Journal reported. Customers have the right to see what data companies store on them and request some of it to be deleted. Data breaches must be reported to authorities within 72 hours. Companies that violate the privacy law risk fines as high as 4% of their global revenue. A French regulator has recently fined Alphabet Inc.’s Google $57 million for violating GDPR- one of the highest profile regulatory actions – alleging the search-engine didn’t get a valid user consent to gather data for targeted advertising.

The panelists further highlighted a fundamental point: data privacy management is not just an issue for the legal department. It requires close cross-functional team collaboration company-wide. It’s everyone’s responsibility including cybersecurity, privacy, engineering, product strategy and design, technology, business units, among others to seat at the table.

The goal of having this multi-disciplinary approach is to manage potential privacy and cyberrisks holistically – where executive and working-level teams effectively work together to innovate responsibly by building products with security and privacy by design and to ultimately build brand trust and competitive advantage.


Digital Espionage: Understanding the Value of Smartphones and Apps

The CyberPrivacy Brief:

By Marilia Wyatt

  • As desktop security matures, mobile devices could become prime targets for attackers looking for access to valuable data and influence.
  • Executives could be uniquely at risk for mobile espionage attacks because they have access to the crown jewels of their company.

Mobile Phones Are Used as a Primary Attack Platform

A January 2018 report by mobile security firm Lookout and the Electronic Frontier Foundation revealed that spyware installed on mobile phones apparently stole troves of confidential data including personal data from thousands of unsuspecting victims’ phones spanning more than 20 countries. They called the campaign: ‘Dark Caracal.’

Source: Lookout/Electronic Frontier Foundation, 2018

Not only was Dark Caracal able to cast its net wide, it was also able to gain deep insight into each of the victim’s lives. It did this through a series of multi-platform surveillance campaigns that began with desktop attacks and pivoted to the mobile device. Stolen data was found to include personal messages and photos as well as corporate and legal documentation. In some cases, screenshots from its Windows malware painted a picture of how a particular individual spent his evenings at home.

Dark Caracal Cyber-espionage at a Global Scale, 2018

Social Engineering Was a Major Component in Dark Caracal Campaign

Attackers reportedly lured their victims to download the fake apps by sending spear phishing attacks via fake Facebook personas and popular communication apps targeting specific people to go a phony app store-like page (watering hole) where the malicious Android apps were and the attackers controlled. The watering hole distributed a malware called Pallas through the trojanized apps.

Figure 16. Shows Dark Caracal’s watering hole – the page looks like a regular page, but it’s phony and contains malicious apps controlled by the attacker.
Source: Lookout/Electronic Frontier Foundation, 2018

No Exploits Were Needed to Steal Mobile Data

Attackers compromised phone devices and accounts by exploiting unwitting user participation to download fake Android apps. Attackers retrieved the confidential data by exploiting the app permissions or privileges unsuspecting users granted when they installed the malicious spoofs of privacy and messaging apps Signal and WhatsApp.

The Victims Could Not Tell They Were Under Attack

The malicious spoofs of apps installed on the mobile devices worked like the legitimate ones by sending and receiving messages but provided functionality to retrieve photos, audio, location data and more. 

Smartphones Have Diverse Capabilities Attackers Can Exploit to Their Advantage

  • Flexibly carried everywhere and can be used to gather intelligence on company processes, sensitive data, and relationships to influence competitive advantage.
  • Smaller screens provide less real estate to spot attacks, determine what is real or fake, see if links are malicious and verify the authenticity of who is sending an enticing message over email, social media and communication app.
  • Sensors such as microphones and cameras and data exposed by RF signals (cellular, WIFI, and GPS) can be used to piece together information
  • Authenticate essential accounts and receive two-factor authentication (2FA) tokens if compromised, the layered security utility of 2FA will increase the risk of compromise.

Executives should think of their smartphones as attack platforms, tiny supercomputers with vast access to their personal and corporate lives which require robust security and proper app governance. 

Marilia Wyatt, CyberPrivacy

Mobile Devices Can Be Compromised in Two Ways

  • Legally through apps, untested code of unknown origin, cellular service provider contracts, and device/OS manufacturer agreements where executives accept the terms and conditions allowing sharing of data, tracking, and monitoring.
  • Illegally through attackers physically or remotely compromising smartphones with malware or where unsuspecting victims install trojanized apps and their devices which can reveal account credentials, personally identifiable information (PII), intellectual property, and even relationships in executives’ calendar to further a rival’s competitive advantage.

Commercial Intrusion and Spyware Trade Growing

While mobile-malware as a means to gather information from victims has existed for some time, in 2013 Citizen Lab security researchers detailed a growing industry for providing commercial intrusion and malware tools to spy on companies and individuals, according to their research report. They added that once only available to a few nation states, the commercial intrusion and monitoring tools are now being widely sold around the world for a cheap buck.

The use case of these products extends spying on competitive industries and companies to extract valuable information but also to chill dissent where oppressive governments target smartphones of journalists, human rights defenders, and to monitors citizens, Citizen Lab researchers said. These spyware tools raise serious privacy and security for executives and society in general, as people may lack awareness of their use and knowledge about ways to defend themselves. In Dark Caracal, for instance, attackers used FinFisher – a tool which is installed in various ways including, fake software updates, malicious email attachments and fake security updates from popular software.  

Commercial spyware companies have also incorporated in the design of their products certain techniques that involve spoofing legitimate companies—for example, by packaging their spyware alongside legitimate software such as Adobe Flash Player—in order to deceive a target, enhancing the likelihood of target infection and spyware persistence. The result is not only the infection of targeted individuals’ devices, but also the undermining of security of the wider digital ecosystem. Spyware companies have profited, while civil society and legitimate ICT businesses have borne the costs of foreseeable misuse of spyware products and services.

Citizen Lab, 2017

Suggested Further Reading:

Software Meant to Fight Crime Is Used to Spy on Dissidents, 2012

Surveillance Company Says It Sent Fake iTunes, Flash Updates, 2011

Accountability in the Commercial Spyware Trade: Coordinating a Holistic Response, 2017


Geopolitical Conflict Is Fueling the Increase in Destructive Attacks, Report Says

Destructive attacks are rising from nation-states as companies are caught in geopolitical crossfires, according to a November 2018 survey from cybersecurity firm Carbon Black.

By Marilia Wyatt, CyberPrivacy

Geopolitical tensions can create potential cyberrisks for organizations operating in a highly interconnected global economy in which they may be used for collateral damage among countries that exhibit a higher propensity toward conflict.

The CyberPrivacy Brief:

  • Nation-states launched destructive attacks against organizations 32% of the time in Q3 2018, according to the survey based on data from 37 Carbon Black incident response (IR) partner firms. 
  • Financial and healthcare remain most targeted industries (78 and 59% respectively), followed by retail (43%), manufacturing (41%), and government (27%). 
  • These destructive attacks are intended to paralyze business operations by manipulating and destroying data and IT assets. Damages can potentially incur compounding operational and financial costs.

Trends: Organizations are being used as a point of entry into other networks: 50% of all attacks leverage ‘island hopping,’ to access an affiliate’s network/data. A growing number of attacks exploit enterprise Internet of Things vulnerabilities and organizations’ websites as a poisoned ‘watering hole’ to infect visitors with malicious software.  As companies’ IR strengthen, attackers, are evolving their capability to remain undetected inside corporate networks longer: 41% of respondents said network-based protections were circumvented and 51% saw counter-incident response tactics with 72% noting counter IR was in the form of destruction of logs.

Reasons for the attacks increasing: The report suggests attackers are growing “punitive” and armed with highly customized tools and services sold on dark web marketplaces providing them with new capabilities. Unlike generic attacks tools, services such as ‘attackers-for-hire’ – professional attackers offer economic espionage, precise data manipulation, DDoS attacks, and botnet rentals to disrupt and damage assets. Nation-states are running covert operations by increasingly using compromised infrastructures sold on the dark web as command and control posts.

Recommendations: The report advises organizations to gain greater visibility into their networks, which are home to a growing number of at-risk endpoints that IoT devices and cloud services produce. 

The CyberPrivacy Commentary & Analysis

While destructive attacks intended to destroy corporate assets or sabotage are not new, they’ve been increasing in frequency since late 2016, said Dr. Andrea Limbago, a computational social scientist.

In December, the Ukraine power grid was struck again with destructive malware, later attributed to Russian-linked Crash Override. Crash Override is a highly customized malware with a wiper component, and is compiled to control the grid circuit switches and breakers. A few weeks earlier, Shamoon 2.0 surfaced, targeting Saudi government entities, infecting thousands of machines and spreading to Gulf states. Shamoon 2.0 was followed by the discovery of Stonedrill, another destructive malware targeting Saudi entities, but has also been discovered in at least one European organization.

Source: The Escalation Of Destructive Attacks: Putting Dragonfly In Context, Endgame, 2017

While the Carbon Black report suggested China and Russia were responsible for nearly half of all cyberattacks, it wasn’t clear how it arrived at that in the report. Of 113 investigations,  47 stemmed from those two countries alone in Q3 2018. Iran, North Korea, and Brazil were also the origin of a significant number of recent attacks.

Mudding the water of attribution

Cybersecurity experts have said that just because malware is linked to China doesn’t mean that Chinese attackers are in the network.  Chinese attackers could be easier to false flag since their malware is widely publicized and anyone can potentially download builders. Attackers can use a range of deception techniques to muddy the water of attribution including planting malware, language strings, and false flag timestamps to operate under cover of existing groups.

The bottom line:  The increased use of politically motivated destructive attacks could cost organizations significant amounts of revenue and diminish their competitive advantage. These attacks are tailored to a target for various purposes, including shutting down corporate systems and denying incident response teams the access to data they need to investigate incidents. With greater counter-incident response tactics, companies must evolve as well and make their IR strategies stealthier to reduce damage and recover.  The increase in destructive attacks might not be an anomaly, but a current state of affairs for businesses operating in a highly interconnected global economy in which they may be used for collateral damage among countries that exhibit a higher propensity toward conflict. Companies must prepare for crisis scenarios and have robust business continuity plans in place which they must prepare ahead of time for when mayhem strikes. 

Suggested reading resources:  In his new book, “Cyber Mercenaries: The State, Hackers, and Power,”  author Tim Maurer, examines how states are now innovative in their deployment and use non-state attackers or ‘cyber mercenaries’ as proxies to carry out attacks and develop offensive capabilities to meet a foreign state’s objectives.

Wave Your False Flags! Deception Tactics Muddying Attribution In Targeted Attacks

Destructive and False Flag Cyberattacks to Escalate

CRASHOVERRIDE: Analysis of the Threat to Electric Grid Operations

Insecure Smart City Systems Could Threaten Public Safety

By Marilia Wyatt

When compromised smart city technology systems have a physical risk element, there is a lot at stake for public safety.

The CyberPrivacy Brief:

  • Smart city technology is being built without basic security protections and rolled out in cities with vulnerabilities, researchers say.
  • The flaws could enable attackers to take control of systems to manipulate data and significantly compromise public safety.
  • It’s easy to exploit the devices by readily finding their location, function, and minimal security protections they came with, they add.
  • An attacker with the intent to incite chaos could create far greater impact with minimal effort if cybersecurity of sensors and controls is not strengthened, they advise.

Why it matters: A smart city embeds information and communication technologies (ICT) within government systems and connect components within the city. They include Internet of Things sensors to open data collection and other smart technology capabilities to enhance services and increase operational efficiency. Sensors can monitor air quality, traffic, radiation, and water levels, and can automatically inform services like street lights, security systems, and emergency alerts. These systems might be highly interconnected and could have a physical risk element when compromised as they provide services to the public, making their robust security standards a matter of public safety.

Smart city and Internet of Things, wireless communication network, abstract image visual. Source: Information Age

17 vulnerabilities found and responsibly disclosed. The August 2018 whitepaper from security researchers at IBM X-Force Red and cybersecurity firm Threatcare revealed the systems lacked basic security protections and had various flaws but contained these three common issues:

  • Default public passwords that don’t require the users to create a secure password.
  • Authentication bypass flaws that would allow an attacker to skip log in page and set up administrative level menu to gain access that should not have been available to them.
  • SQL injection flaws that would allow malicious code to manipulate the database into revealing information it shouldn’t such as usernames, passwords, and confidential data.

‘Dangers’ of smart city hacking. The report highlights areas of potential risk and impact if smart city systems are compromised:

  • Attackers could send out false emergency alerts trigging citizens’ panic;
  • Compromise public safety by blocking warnings about real dangers;
  • Cause city officials to allocate resources to nonexistent issues.

The report further raises concerns about attackers borrowing strategies and tools they’ve used on industrial control systems (ICS) on smart city sensors and controls to cause damage to critical systems that run plants and utilities. “If someone, supervillain or not, were to abuse vulnerabilities like the ones we documented in smart city systems, the effects could range from inconvenient to catastrophic,” said Daniel Crowley, research director, IBM X-Force Red in a blog post.

Recommendations: The report advises city leaders, manufacturers, and cybersecurity leadership to improve frameworks by taking action in the following areas:

  • Prioritizing cybersecurity by re-examining the vendors’ standard protocols.
  • Building adequate cybersecurity frameworks for these systems.
  • Developing standard best practices for patching software security flaws.
  • Vendors adding network port restrictions and stronger password controls to make sure the systems are accessible only by authorized users.
  • Vendors and city officials running security tests and IP scans on devices and networks to provide an extra level of protection against unauthorized access and manipulation.

There is no easy way to patch a smart city as devices are often connected to legacy operating systems that lack proper risk security audits before being connected to the internet, researchers say. But there are still proactive steps city officials and manufacturers should take. For instance, manufacturers should build products secure by design and city officials should have processes in place for vulnerability patching and ensure city vendors adhere to proper cybersecurity requirements and standards, the report says.

Commentary & Analysis

There is no silver bullet. As smart cities develop and increasingly grow, city officials should manage detailed incident response plans and practice them.  Preparation can benefit city officials by helping them identify gaps in plans, clarify roles and responsibilities, work out difficult decisions, and test policies and lines of communications when mayhem strikes.

FTC Seeks To Expand Authority Over Corporate Data Security, Privacy Practices 

The CyberPrivacy Brief:

  • The U.S. Federal Trade Commission is seeking public comment by August 20, 2018, whether the agency should increase its enforcement power on corporate privacy and data security practices.
  • The notice follows FTC Chairman Joseph Simons comments at the July 18 House subcommittee on Digital Commerce and Consumer Protection hearing.
  • Mr. Simons urged Congress to give the agency greater authority and resources to address privacy and data security cases.

“Under my leadership, privacy and data security will continue to be an enforcement priority. The FTC will use every tool in its arsenal to address consumer harm,” Mr. Simons said at the hearing.

Beginning in September 2018, the agency will hold public hearings to consider whether “broad-based changes in the economy, evolving business practices, new technologies, or international developments might require adjustments to competition and consumer protection law, enforcement priorities, and policy,” according to the notice, published in the Federal Register on Aug.6th.

These hearings are expected to continue through January 2019 and involve 15 to 20 public sessions in various locations in Washington, DC and in other parts of the country.

The Commission also seeks comment on increasing or evolving its authority in several other areas including big data and competition. Stakeholders include consumers, business representatives, economists, lawyers, academics, information technology professionals, and other interested parties.

According to HealthIT Security, the FTC seeks to “impose civil penalties in privacy and data security cases, authority over nonprofits and common carriers, authority to issue implementing rules under the Administrative Procedure Act (APA).”

Further Reading

FTC Seeks Greater Data Security, Privacy Authority

Oversight of the Federal Trade Commission

FTC Seeks Comment on Fundamental Privacy Enforcement Issues

Reddit Urges Users To Switch To Token-Based Authentication

The CyberPrivacy Brief:

  • The security incident disclosed Wednesday by social media network Reddit verifies how attackers can intercept text messages or SMS-based two-factor authentication that delivers unique code to compromise accounts. 
  • Impacted user data includes email addresses and a 2007 database backup that had old salted and hashed passwords.
  • Attackers also had read access to storage systems, including Reddit source code, internal logs, configuration files and other employee workspace files.

“We learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept,” Reddit said in its announcement.  “We point this out to encourage everyone here to move to token-based [two-factor authentication].”

For years, security researchers have said that phone authentication apps or hardware tokens that generate One-Time Password (OTP) in addition to the traditional credentials may be the more secure method of authentication than SMS-based authentication, which can be highjacked providing attackers access to accounts.

Read more

Further Reading:

Side-Channel Attacks on the Yubikey 2 One-Time Password Generator

Defending Politically Vulnerable Organizations Online

By Sean Brooks, The Center for Long-Term Cybersecurity (CLTC) at UC Berkeley.

Executive Summary

This paper provides an overview of online threats to civil society organizations and individuals— including non-governmental organizations, journalists, and activists—that are targeted for political purposes, and it explores the ecosystem of resources available to help these organizations improve their cybersecurity. The report describes different methods commonly used to attack “politically vulnerable organizations,” and it identifies gaps in support resources that must be filled to ensure these organizations can securely carry out their missions online. Politically vulnerable organizations, and civil society at large, are underinvesting in cybersecurity as attackers continue to expand their offensive capabilities.


Cybersecurity Policymaking is Out of Focus. Bureaucracy Hackers Can Help.

By Lisa Wiswell, CyberScoop

The cybersecurity industry is in desperate need of more “bureaucracy hackers” — individuals within federal and state governments who are authorities on the intricacies of policy creation and the nature of today’s rapidly-evolving technology and threat landscapes.

To understand why, look no further than Georgia State Bill 315: Introduced in the Georgia state senate earlier this month, the bill has the entire cybersecurity community shaking its head in disbelief. In short, the bill is modeled after the highly-controversial Computer Fraud and Abuse Act, which makes accessing a network or computer without authorization illegal – even if there is no theft or damage. While many parts of the U.S. government are advancing cybersecurity by adopting industry’s best practices, such as allowing security researchers to identify and disclose vulnerabilities that make us all safer, Georgia is closing the door to these folks.

Sen. Mark Warner’s IOT Improvement Act is another clear example: Drafted and supported by a bipartisan group of senators, the bill aims to protect increasingly “connected” citizens and their homes by introducing a baseline security standard for all internet-connected devices.

In principle, this is exactly the type of legislative action we want to see from lawmakers. It’s proactive, forward-looking and fully intended to keep citizens secure now and into the future.

There’s just one problem: it won’t work.

In short, the bill calls for vendors to “certify” that there are no vulnerabilities in a connected device before goes to market. While that sounds reasonable, it’s completely infeasible. No one can ever say with absolute certainty that a product with more than 10 lines of code is free of vulnerabilities. That’s just not how software works.

There inlies the problem: the people we have drafting critical cybersecurity policies don’t actually understand the basics of software and computer code. It’s not their fault — but it’s also far too important to leave in their hands alone.

To create the right policy frameworks for 21st century cybersecurity, we must prioritize finding and activating more bureaucracy hackers. In doing so, we can provide policymakers with the domain expertise they so desperately need to make informed policy decisions. What’s more, they can also help the policy-making process become more agile and proactive — two key tenets of effective cybersecurity.

Most of the time, policymaking is a reactionary process: something breaks (often in a big and very public way) and then lawmakers scramble to fix it. By then, it’s already too late. Imagine if we had someone proactively culling through existing laws and policies to identify potential trouble spots down the road. That could change everything.

Granted, there is a long tradition of bringing subject matter experts into state and federal policymaking to help them better understand complex subject areas. But this approach clearly isn’t working. What we need are people with real skin in the game — individuals who are deeply invested in the outcomes, understand the difficulties of passing meaningful policy and legislation, and have the ability to work across stakeholder groups from within the federal government.

In many ways, this is a natural evolution. In recent years, the U.S. government has made great strides in bringing technical people with a policy background (and vice versa) into the fold through organizations like the U.S. Digital Service (USDS) and 18F. Now, it’s time to double down.

How do we do it? First, Congress needs to act. Specifically, they can start by articulating where bureaucracy hackers are most needed. That is to say, determining whether the roles are  government-wide (i.e., every federal agency has one) or agency-specific (i.e., DoD, DoJ, and/or DHS only) — or some other model entirely.

Next up: authorizing and prioritizing the roles. Generally, that means legislating and authorizing funding for them. Once it happens, agencies will take the effort seriously and begin to prioritize it.

Finally, we need to pick the right people for the job. Again, they can’t just be people with Silicon Valley expertise. They must have government experience as well, and likely an extremely nuanced and well-understood picture of the laws that govern this technical space. That generally requires more than just a few years of government experience, which for a lot of technical folks, can seem like a lifetime and hold them back.

That means the best candidates will likely come from within. Make no mistake: they’re already in our ranks — we just need to find and empower them.

The USDS and 18F are natural places to start the search. They can help identify and recommend individuals they’ve found working in agencies that have that the right skills. Here’s what to look for: individuals who have fought through government bureaucracy either from a policy role or technical one; who have real technical skill (i.e., they know how to code, not just who to call); possibly even a law degree or at least a real understanding of the relevant laws; and lastly, a proven track record of getting things done in the government — especially when all odds are against them.

This is how we build cybersecurity frameworks that are up to the challenges of today’s technology and threat landscapes — more expertise, more proactivity, more collaboration. To get there, we need to bring the bureaucracy hackers that already exist within the ranks of the government to the forefront and empower them to bring teams together and effect realistic change through policy today.

We cannot afford to wait.

Lisa Wiswell is a strategic adviser to HackerOne and a Principal at GRIMM, a cybersecurity research, engineering and consulting firm. 

The Malicious Use of Artificial Intelligence: Forecasting, Prevention, and Mitigation

February 2018


Artificial intelligence and machine learning capabilities are growing at an unprecedented rate. These technologies have many widely beneficial applications, ranging from machine translation to medical image analysis. Countless more such applications are being developed and can be expected over the long term. Less attention has historically been paid to the ways in which artificial intelligence can be used maliciously. This report surveys the landscape of potential security threats from malicious uses of artificial intelligence technologies, and proposes ways to better forecast, prevent, and mitigate these threats. We analyze, but do not conclusively resolve, the question of what the long-term equilibrium between attackers and defenders will be. We focus instead on what sorts of attacks we are likely to see soon if adequate defenses are not developed.

Click here to view PDF

The Use of Counterfeit Code Signing Certificates Is on the Rise

Organizations use the certificates to authenticate their software and protect it against tampering.

By Andrei Barysevich, Recorded Future

Key Judgements

We observed the earliest use of stolen code certificates in 2011, but it was not until 2015 that code signing certificates became widely available in the criminal underground.

Insikt Group identified four well-known vendors of such products since 2011; only two vendors are currently soliciting their services to Russian-speaking hackers.

The most affordable version of a code signing certificate costs $299, but the most comprehensive Extended Validation (EV) certificate with a SmartScreen reputation rating is listed for $1,599. The starting price of a domain name registration with EV SSL certificate is $349.

All certificates are issued by reputable companies, such as Comodo, Thawte, and Symantec, and have proved to be extremely effective in malware obfuscation. We believe that legitimate business owners are unaware that their data was used in the illicit activities.

Network security appliances performing deep packet inspection become less effective when legitimate (legitimate certificate) SSL/TLS traffic is initiated by a malicious implant. Netflow (packet headers) analysis is an important control toward reducing risk, as host-based controls may also be rendered ineffective by legitimate code signing certificates.

 Click here to download the analysis as a PDF.