Innovation and Laboratory Area in ElevenPaths #CyberSecurityReport20H2: Microsoft Corrects Many More Vulnerabilities, But Discovers Far Fewer There are many reports on security trends and summaries, but at ElevenPaths we want to make a difference. From the Innovation and Laboratory team, we have just launched our...
ElevenPaths Cyber Security Weekly Briefing January 16-22 SolarWinds Update New details have been released about the software supply chain compromise unveiled in December. FireEye researchers have published an analysis that puts the focus on the threat actor called...
ElevenPaths Cybersecurity Weekly Briefing August 1-7 Database of +900 Pulse Secure VPN Enterprise Servers An underground forum post has been detected showing the existence of a database containing data collected on more than 900 Pulse Secure...
ElevenPaths ElevenPaths has achieved AWS Security Competency status Telefónica Tech’s cybersecurity company has demonstrated deep technical and consulting expertise helping large enterprises to adopt, develop and deploy complex cloud security projects that protect their environments on AWS...
Innovation and Laboratory Area in ElevenPaths #CyberSecurityReport20H2: Microsoft Corrects Many More Vulnerabilities, But Discovers Far Fewer There are many reports on security trends and summaries, but at ElevenPaths we want to make a difference. From the Innovation and Laboratory team, we have just launched our...
Carlos Ávila Laboratory Information Management System (LIMS) and its Mobile Applications For scientists and researchers, optimising time in a laboratory nowadays plays a key role in processing and delivering results. There are applications that have specialised capabilities for R&D laboratories,...
ElevenPaths The Data Transparency Lab strengthens its work on data transparency after investing over one million euros in three years Barcelona becomes the permanent headquarters of the DTL Annual Conference, which will take place from 11 to 13 December. The DTL is a clear example of the various innovation projects...
ElevenPaths The Wannacry authors also want their Bitcoin Cash The 12th of May 2017 was a day for many of us which we will not easily forget. Wannacry was one of those incidents which had a major impact...
ElevenPaths 4 Tips to Secure Your Data We surf the Internet on a daily basis. Many of us are already considered digital natives. Yes, it is almost an extension of us, but are we really aware...
Innovation and Laboratory Area in ElevenPaths #CyberSecurityReport20H2: Microsoft Corrects Many More Vulnerabilities, But Discovers Far Fewer There are many reports on security trends and summaries, but at ElevenPaths we want to make a difference. From the Innovation and Laboratory team, we have just launched our...
ElevenPaths The hugest collection of usernames and passwords has been filtered…or not (II) Over the last entry we focused on analyzing the content of these files from a critical point of view, this is: on clarifying that when a massive leak freeing...
ElevenPaths Cybersecurity Weekly Briefing October 24-30 Critical vulnerability in Hewlett Packard Enterprise SSMC Hewlett Packard Enterprise has fixed a critical authentication evasion vulnerability (CVE-2020-7197, CVSS 10) affecting its StoreServ Management Console (SSMC) storage management software. HPE...
Facebook signed one of its apps with a private key shared with other Google Play apps since 2015Sergio De Los Santos 9 September, 2019 Facebook Basics is a Facebook app aimed at countries with poor connectivity, where a free access service to WhatsApp and Facebook is provided. It has been discovered that the Android version used a “Debug” certificate shared by other unrelated applications and in other markets. Moreover, within ElevenPaths we have verified that since 2015 such certificate was shared with Chinese apps on Google Play. This means that they shared private key and could even influence the original app. A few days ago, the owner of the Android Police page reported that the same certificate used to sign the app Facebook Basics was being used by many other apps in other markets, with no apparent relationship. Facebook has downplayed the issue by claiming that there is no evidence that the certificate has been exploited and that it has already been fixed. However, this is not so simple, so both consequences and potential causes are only bad news. Causes Android APKs must be signed with self-signed certificates. This breaches a little bit any rule from a chain of trust, but at least it preserves the integrity of the app and allows its updating. If you sign an app with a certificate and upload it to Google Play, you will never be able to change the certificate (or the package name) if you wish to update it. If you lose the certificate, you will have to create a different appꟷand this is what Facebook has done to “fix it”. Nevertheless, Facebook has not (supposedly) lost the private key of the signing certificate. They have done something different (worse?) what we can only speculate about. To begin with, they have used an ‘Android Debug’ certificate without real filled data. This, in addition to the bad image, means that they have left the typical test certificate at the production stage. How is it possible that third parties use this certificate? This certificate might be public. There are some cases, and some developers use it by ignorance or because they do not make efforts to develop high-quality apps… But they may have lost control over this certificate as well, which would imply a lack of security over its development. Another possibility is that the app had been commissioned to a third party (freelance?) and this one worked on it later by signing with the same key (which is strongly inadvisable). Furthermore, from ElevenPaths we have ascertained that the apps signed with the same certificate were not exclusively in other markets, but that already in 2015 (when Facebook Basics was released) we found Chinese applications signed and already taken down from the market. * App: af739e903e97d957a29b3aeaa7865e8e49f63cb0 Signed with: 5E8F16062EA3CD2C4A0D547876BAA6F38CABF625 On Google Play from approximately 2015-09-20 to 2016-10-07. * App: 063371203246ba2b7e201bb633845f12712b057e Signed with: 5E8F16062EA3CD2C4A0D547876BAA6F38CABF625 On Google Play from approximately 2015-10-21 to 2016-06-22. * App: c6a93efa87533eeb219730207e5237dfcb246725 Signed with: 5E8F16062EA3CD2C4A0D547876BAA6F38CABF625 On Google Play from approximately 2015-09-15 to 2015-09-16. Impact In addition to the poor image of Facebook (is there any area where privacy has not been brought into question?), an attacker could have taken advantage of this to fraudulently update the app of Facebook. How? Well, to update an app it just needs to have the same certificate and it is only necessary to have access to the Google Play account. It’s not easy, but with this Facebook was doing half the work to be performed by an attacker. Moreover, the work to perform a potential collusion attack in Android applications would be facilitated as well. These are well-known attacks involving different applications which are not malicious by themselves but working together may lead to an attack. An example is by adding permissions of two applications so that together the attacker can have more power on the phone, even if individually they seem harmless. To achieve this kind of attacks, such apps must be signed with the same certificate. Again, the necessary work was being provided to a potential attacker. On top of all this, Facebook did not want to reward the discoverer because he made it public on Twitter before reporting the issue. New tool: Masked Extension Control (MEC), don’t trust Windows extensionsEasyDoH: our new extension for Firefox that makes DNS over HTTPS simpler
ElevenPaths 4 Tips to Secure Your Data We surf the Internet on a daily basis. Many of us are already considered digital natives. Yes, it is almost an extension of us, but are we really aware...
Innovation and Laboratory Area in ElevenPaths #CyberSecurityReport20H2: Microsoft Corrects Many More Vulnerabilities, But Discovers Far Fewer There are many reports on security trends and summaries, but at ElevenPaths we want to make a difference. From the Innovation and Laboratory team, we have just launched our...
Carlos Ávila Laboratory Information Management System (LIMS) and its Mobile Applications For scientists and researchers, optimising time in a laboratory nowadays plays a key role in processing and delivering results. There are applications that have specialised capabilities for R&D laboratories,...
ElevenPaths Cyber Security Weekly Briefing January 16-22 SolarWinds Update New details have been released about the software supply chain compromise unveiled in December. FireEye researchers have published an analysis that puts the focus on the threat actor called...
Antonio Gil Moyano Homeworking: Balancing Corporate Control and Employee Privacy (II) As a continuation of the first article in which we saw both the regulation of homeworking and the security and privacy measures in this modality, in this second issue...
Gonzalo Álvarez Marañón Plausibly Deniable Encryption or How to Reveal A Key Without Revealing It When the secret police arrested Andrea at the airport checkpoint, she thought it was a mere formality reserved for all foreign citizens. When they searched her luggage and found...
