Innovation and Laboratory Area in ElevenPaths Uncovering APTualizator: the APT that patches Windows By the end of June 2019, we assisted to an incident were a high number of computers had started to reboot abnormally. In parallel, Kaspersky detected a file called swaqp.exe, which apparently...
Innovation and Laboratory Area in ElevenPaths #CyberSecurityReport19H1: 45,000 apps removed from Google Play, 2% of them detected by antiviruses Currently, there are a number of reports addressing trends and summaries on security. However, at ElevenPaths we want to make a difference. Our Innovation and Labs team has just...
ElevenPaths ElevenPaths participates in AMBER (“enhAnced Mobile BiomEtRics”) project ElevenPaths participates in the AMBER (“enhAnced Mobile BiomEtRics”) project since 1st January 2017 as an Industrial Partner. AMBER is a Marie Skłodowska-Curie Innovative Training Network under Grant Agreement No....
ElevenPaths #CyberSecurityPulse: PyeongChang Olympics: A New False Flag Attack? A postmortem of the Olympic Destroyer malware used in the PyeongChang Olympics attack reveals a deliberate attempt by adversaries to plant a false flags when it comes to attribution,...
Innovation and Laboratory Area in ElevenPaths Five interesting own tools that you may have missed (and a surprise) This time we are going to rehash a blog entry by gathering some of the own tools that we have recently developed and we consider of interest. We summarize...
Innovation and Laboratory Area in ElevenPaths Uncovering APTualizator: the APT that patches Windows By the end of June 2019, we assisted to an incident were a high number of computers had started to reboot abnormally. In parallel, Kaspersky detected a file called swaqp.exe, which apparently...
ElevenPaths #CyberSecurityPulse: The Last Disaster of Ethereum’s Most Important Wallets It is estimated that 587 wallets with around 513,774.16 ethers have been frozen after an anomaly in one of Ethereum’s most important wallets was detected. Parity Technologies, a company...
ElevenPaths New research: Docless Vietnam APT. A very interesting malware against Vietnam Government We have detected a malware sent to some email accounts belonging to a Vietnam government domain. This email is written in Vietnamese and is dated March 13th, 2019. It seems to...
Innovation and Laboratory Area in ElevenPaths Uncovering APTualizator: the APT that patches Windows By the end of June 2019, we assisted to an incident were a high number of computers had started to reboot abnormally. In parallel, Kaspersky detected a file called swaqp.exe, which apparently...
Innovation and Laboratory Area in ElevenPaths #CyberSecurityReport19H1: 45,000 apps removed from Google Play, 2% of them detected by antiviruses Currently, there are a number of reports addressing trends and summaries on security. However, at ElevenPaths we want to make a difference. Our Innovation and Labs team has just...
ElevenPaths If you want to change your employees’ security habits, don’t call their will, modify their environment instead You’re in a coffee bar and you need to connect your smartphone to a Wi-Fi, so you check your screen and see the following options. Imagine that you know...
ElevenPaths The hugest collection of usernames and passwords has been filtered…or not (I) Sometimes, someone frees by mistake (or not) an enormous set of text files with millions of passwords inside. An almost endless list of e-mail accounts with their passwords or...
Facebook changes the logic of their TLS policy (partly due to our research), by implementing a ‘two-way’ HSTSElevenPaths 30 April, 2018 Facebook and privacy. The recent scandal from the social network within the last few weeks does not exactly make it the best example in regards of privacy or secure connections in general. Yet, this is not the issue now. It is certain that it has been the first website (or rather, ‘platform’) to take a very interesting and innovative step in the TLS renewal policy, which the internet has seen within the last few years. Which involves the reinforcement of the TLS concept in general on all fronts: “TLS Everywhere”, free and accessible certificates, HSTS, Certificate pinning, Certificate Transparency, in order to set aside the old protocols… This is a deep revision of the ecosystem in which Facebook (and Instagram) unite together with a more than interesting proposal. You already know what HSTS is all about… the server sends a header to the browser in order to remember that the redirection of the HTTP and HTTPS must be done ‘locally’ (through a redirect type 307), omitting the danger from a network abduction. The web which provides this header, should obviously, be available for HTTPS, and guarantees a minimum good practice with the authentication and encryption which TLS provides. So far, so good, we have talked about this issue a few times, but what if we turn the tables? This is what they thought from Facebook; therefore, they ended up with a more than interesting concept in order to improve overall security, which could be imitated by other platforms. HSTS has some gaps In its official security blog, Facebook announced a security update a few weeks ago from the Facebook links. So what did it consist of? In Jon Millican’s post (an engineer from Facebook’s data privacy team) he introduced the HSTS concept and following on from this, he announced a series of known HSTS weaknesses (they come as standard with the mechanism, practically), which they were going to try and cover up with this new approximation, which we can see here: Not all of the browsers support HSTS: although it is certain that the large majority of them do. It still is not a very strong argument, but it has some standing. The Preload is not so dynamic: of course, the preload is there to cover this ‘TOFU’ (Trust On First Use) gap which is the Achilles’ heel of HSTS. This first connection with a site, which is carried out in clear text, because they still have not sent the first HSTS header. This ‘preload’ list is embedded in the browsers, and it is certain that it will not result as dynamic as it should be. It is managed by Google, but many people use it and it is updated within the browser versions. Not all of the browsers implement HSTS how they should. Here they reference our research which was presented in the Europe Black Hat 2017, which demonstrated that Chrome, Firefox and Internet Explorer manage HSTS and HPKP in a questionable manner and also which assumes a problem which they try to resolve with a proposal. Facebook mentions our research as part of their argument to implement this improvement With these arguments at hand, they proposed a solution from their side. What if they are the ones in the almighty position, who add the “S” to any HTTPS links to other sites on Facebook and Instagram? HSTS… in both directions. Many people ‘live’ within these webs, and when they visit something, it goes from there and towards another bugged domain in the links which Facebook ‘accommodates’. Their precise idea is that Facebook adds ‘S’ to the protocol, even if the user who wrote it and is linked to it, did not do so. Thus, what they have decided is the following: In order for all of the domains presented in Facebook and Instagram to be ‘bugged’ by a user, and furthermore found in the official Google ‘preload’ list, they will add an ‘S’ so that it can be browsed in a safe way. Thus, they cover up potential users with a deactualized list or they use a browser which does not support it. They will “crawl” the web in general by themselves in search of sites which provide HSTS. If they are sure that they can be trusted (we do not know how), they will add more and more domains each time to their list, to add them from their own servers, the “S” and those users who click on it do not depend on their browser to benefit from a HSTS from the Facebook platform. In summary, a reverse HSTS which compliments potential mechanism gaps, should maybe imitate others by their simplicity in relation to their potential advantages. To work from the point of view of a platform purely in the server, as a result of something maybe intrusive but useful in the context of Facebook and Instagram, due to their diverse user profiles and their popularity. This laudable initiative was tarnished shortly after its announcement by the Cambridge Analytics scandal. HSTS… for everyone In regards to filling the gaps that HSTS could leave, let’s not forget that Google has already taken a very interesting step in this direction. In addition to everything we already know, Google is also a top-level domain registrar… as for example.gle, .prod, .docs, .cal, .soy, .how, .chrome, .ads, .mov, .youtube, .channel, .nexus, .goog, .boo, .dad, .drive, .hangout, .new, .eat, .app, .moto, .ing, .meme, .here and so on up to 45. In October, they announced that they will upload the preload list by default to anyone who registers a domain with them. This means in practice that it forces them to implement TLS from the outset since Chrome will access them through port 443 whether they want to or not. To conclude, we should not forget that this year Google also wants to flag up straight away anything via HTTP as “not secure” (for now it has the words “not secure” in the address bar, but the red cross will also be added in Chrome). Whereby the message would almost cease to exist for the unencrypted traffic; yet it is also an opportunity for certificate and CA creators… In the end, whichever HTTP link will be marked as not secure New PinPatrol versions Of course, speaking of HSTS, we have new PinPatrol versions for Chrome and Firefox; where you can control the HSTS and HPKP entries better from the browsers, also with usability and compatibility improvements. For Firefox: https://www.elevenpaths.com/es/labstools/pin-patrol-2/index.html For Chrome: http://blog.elevenpaths.com/2016/11/nueva-herramienta-pinpatrol-para-chrome.html Sergio de los Santos ssantos@11paths.com Innovation and Laboratory @ssantosv In search of improved cryptocurrency privacy with Dash, Zcash and Monero#CyberSecurityPulse: Monero and EternalRomance, the perfect formula
Innovation and Laboratory Area in ElevenPaths Five interesting own tools that you may have missed (and a surprise) This time we are going to rehash a blog entry by gathering some of the own tools that we have recently developed and we consider of interest. We summarize...
Innovation and Laboratory Area in ElevenPaths Uncovering APTualizator: the APT that patches Windows By the end of June 2019, we assisted to an incident were a high number of computers had started to reboot abnormally. In parallel, Kaspersky detected a file called swaqp.exe, which apparently...
Innovation and Laboratory Area in ElevenPaths #CyberSecurityReport19H1: 45,000 apps removed from Google Play, 2% of them detected by antiviruses Currently, there are a number of reports addressing trends and summaries on security. However, at ElevenPaths we want to make a difference. Our Innovation and Labs team has just...
Sergio De Los Santos A government is known by the Apple data it requests Sometimes, governments need to be underpinned by huge corporations to carry out their work. When a threat depends on knowing the identity or gaining access to a potential attacker...
Sergio De Los Santos The attack against OpenPGP infrastructure: consequences of a SOB’s actions What is happening with the attack against OpenPGP infrastructure constitutes a disaster, according to the affected people who maintain the protocol. Robert J. Hansen, who communicated the incident, has...
ElevenPaths Your feelings influence your perception of risk and benefit more than you might think Security is both a feeling and a reality —Bruce Schneier Daniel Gardner starts his book The Science of Fear with the shocking history of US September 11 attacks: And so in...
