Franco Piergallini Guida How to Trick Apps That Use Deep Learning for Melanoma Detection One of the great achievements of deep learning is image classification using convolutional neural networks. In the article “The Internet of Health” we find a clear example where this...
ElevenPaths Cyber Security Weekly Briefing February 13-19 Privilege escalation vulnerability in Windows Defender SentinelLabs researcher Kasif Dekel has discovered a new vulnerability in Windows Defender that could have been active for more than twelve years. The flaw,...
Sergio De Los Santos Conti, the Fastest Ransomware in the West: 32 Parallel CPU Threads, but… What for? Conti, the fastest ransomware, is just one example of how this threat is evolving. Discover what tricks it uses and why in this article.
ElevenPaths Cyber Security Weekly Briefing February 13-19 Privilege escalation vulnerability in Windows Defender SentinelLabs researcher Kasif Dekel has discovered a new vulnerability in Windows Defender that could have been active for more than twelve years. The flaw,...
Innovation and Laboratory Area in ElevenPaths Telefónica Tech’s Cybersecurity Unit Becomes Part of The European Commission’s Cybersecurity Atlas Telefónica Tech’s Innovation and Laboratory Area in cyber security has been included as part of the European Commission’s Cybersecurity Atlas, a knowledge management platform that maps, classifies, visualises and...
Franco Piergallini Guida How to Trick Apps That Use Deep Learning for Melanoma Detection One of the great achievements of deep learning is image classification using convolutional neural networks. In the article “The Internet of Health” we find a clear example where this...
ElevenPaths Cybersecurity Weekly Briefing 30 May-5 June Security Breach in 8Belts vpnMentor researchers discovered in mid-April a data breach in the 8Belts language learning platform due to an improper configuration on an Amazon Web Services S3 bucket....
ElevenPaths #CyberSecurityPulse: The Attack Against the WPA2 Encryption that Poses a Threat to Our Wireless Security On October 16, a research has been published about an attack to the current recommended encryption standard for WiFi networks, WPA2. Although the risks to these networks are not...
Innovation and Laboratory Area in ElevenPaths Telefónica Tech’s Cybersecurity Unit Becomes Part of The European Commission’s Cybersecurity Atlas Telefónica Tech’s Innovation and Laboratory Area in cyber security has been included as part of the European Commission’s Cybersecurity Atlas, a knowledge management platform that maps, classifies, visualises and...
Franco Piergallini Guida How to Trick Apps That Use Deep Learning for Melanoma Detection One of the great achievements of deep learning is image classification using convolutional neural networks. In the article “The Internet of Health” we find a clear example where this...
ElevenPaths Cybersecurity Weekly Briefing 23-29 May Critical-Severity RCE Vulnerability in Cisco Unified CCX Cisco has fixed a critical remote code execution bug in the Java Remote Management Interface of Cisco Unified Contact Center Express (CCX). This...
ElevenPaths Cybersecurity Weekly Briefing July 18-24 New Emotet Campaign after 5 Months of Inactivity After several months of inactivity, Emotet is back with a massive sending of reply-chain and payment emails, among others, that include malicious...
46% Of the Main Spanish Websites Use Google Analytics Cookies Before the Consent Required by The Spanish Data Protection Agency (AEPD)Innovation and Laboratory Area in ElevenPaths 13 January, 2021 Over the past few months, many IT departments have been busy carrying out this task of adaptation in order to comply with the new regulations on cookies. Every time we visit a website, we are asked whether we want to accept or (almost always indirectly) refuse cookies. Most users who arrive at this message looking for a service or specific information end up accepting all the cookies without knowing the real impact in terms of security and privacy. How many cookies are usually accepted? For how long? Do the websites respect the new law on cookies? In TEGRA, the Galician centre of innovation in information protection of the ElevenPaths innovation area and laboratory, we wanted to analyse the current use of cookies in Spain and their impact and compliance based on a representative sample of the most visited websites in Spain. To achieve this, we have developed and released a tool called Triki, which automates the navigation to a series of websites defined by configuration and performs different navigation flows. We have drawn interesting conclusions which we include in this report, which we will now summarise. Summary of Regulatory Updates to The 2020 AEPD Cookie Guide In collaboration with Govertis, we will explain what has happened in 2020 concerning cookies and their management. The Spanish Data Protection Agency (AEPD), following the entry into force of the European General Data Protection Regulation and several consultations with the European Data Protection Supervisor (EDPS), updated its guide to the use of cookies in July 2020, giving website owners a deadline to adapt to these policies until 31 October 2020. We could summarise the main updates in that the simple browsing is not valid as an expression of a user’s consent to the acceptance of cookies. The use of cookie walls is also prohibited if no alternative to consent is offered. Regarding the new features in the management of acceptance and revocation of consent, the most relevant is the removal of the option to obtain consent through the “continue browsing” option. Previously, the option “If you continue to browse, we consider that you accept its use” was allowed and now the ECDC has established that continuing to browse is not a valid way to give consent. As a general rule, some aspects are modified and clarified regarding the methods for informing users about the acceptance, refusal or revocation of consent, through the configuration that must be provided by the editor or common platforms that may exist for this purpose. Finally, regarding third-party cookies, information will be provided on the tools provided by the browser and the third parties and it should be noted that if the user accepts third-party cookies and subsequently wishes to delete them, he/she must do so from his/her own browser or the system enabled by the third parties for this purpose. Methodology To carry out this research on cookies, the 100 most visited domains in Spain have been selected, obtained through the alexa.com website. A tool called Triki has been developed to extract the information. With it, and a personalized configuration per domain, different types of information have been extracted. For each website, a series of flows have been tracked. In addition, for each flow, two types of extractions have been made: extraction without a blocker and extraction using a third-party cookie blocker. The different flows simulated with each type of navigation are: browse: the tool connects to the website without taking any action and extracts the cookies used. It is the part before the consent of the cookiesaccept: the tool connects to the website, consents to the use of all cookies and extracts them. This is the acceptance part of cookiesreject: the connection to the website is made and the necessary actions are taken to proceed with the rejection of the cookies. This is the part that rejects cookies. How Many Websites Does Each Flow Allow? More than 50% of the websites in our survey allow the rejection or configuration of cookies directly, which is ideal. 24% allow only acceptance and redirect the user to the browser’s own configuration for rejection, which increases the effort to perform the rejection. 19 of them (19%) do not allow to reject or accept, but they could be sites without cookies that must be notified. At the same time, 9 (37%) use analytical cookies (Google Analytics) and therefore do not comply with the need for express consent expressed by the regulation of cookies of the AEPD. How Many Cookies Are Used Per Site? 14% use more than 90 cookies. The average use of cookies is 27 cookies per website. We also compare our own cookies with third-party cookies. 44% of websites use the same or a greater number of third-party cookies than their own. In the worst cases, 90% of a website’s cookies are third-party cookies. On the other hand, 53% of websites use more than 10 cookies before consent. By using a third-party cookie blocker in the browser, it is shown that 96% of the sites use cookies of third parties as soon as the connection is made. Although it may be legal, it is at least rare that they require third-party cookies to ensure the technical functioning or personalisation of a page. In these cases, it is recommended to use a third-party cookie blocker. During our research we have analysed how many sites use Google Analytics cookies before accepting or refusing consent at the stage we have defined as “browse”. The results show that 46% of the sites use Google Analytics cookies before consent. We also wanted to check how many sites still maintain Google Analytics cookies after an explicit rejection by the user. The results show that 25% of websites continue to keep this type of analytical cookie even when rejected. Cookies and Expiration The AEPD, in its guidelines on consent, recommends as best practice the renewal of consent at appropriate intervals. This agency considers that the validity of a user’s consent to the use of a particular cookie should not exceed 24 months. Based on these indications, we have analysed our dataset to verify whether the extracted cookies comply with this 24-month maximum lifetime requirement for permanent cookies. Around 15% of cookies do not comply with this regulation by using expiry periods longer than 24 months. When we accept cookies from the site visited, we have found more than 100 cookies with a more than 3 years lifetime. The expiration of 50 of these cookies is greater than 20 years. Finally, we have concluded that 96% of the sites analysed use more permanent cookies than session cookies. On average, 86% of the total cookies used on a website are permanent cookies Secure Cookies We also wanted to analyse which security systems are implemented in the established cookies themselves. Let’s look at some of the methods analysed: Cookies Secure: if this flag is enabled in the cookie, it would only be sent to the server in an encrypted HTTP request via the HTTPS protocol (HTTP + TLS/SSL).Cookies httpOnly:enabling this flag in a cookie helps prevent cross-site scripting (XSS) attacks, since HttpOnly cookies are inaccessible from the Javascript document.cookie API. But there are more ways to secure a cookie. The __Secure- prefix makes a cookie accessible only from secure sites with the HTTPS protocol. This makes it impossible for an insecure site using the HTTP protocol to read or update cookies containing that prefix on its name. This security mechanism protects against attacks from tampering with secure cookies. The __Host-prefix does the same things as the __Secure- prefix, but at a higher level it restricts access only to the same domain in which it is configured. Only 2% of websites use the __Host-prefix. None of the websites use the __Secure- prefix. Can Cookies Be Rejected? Only 8% of the websites analysed allow you to reject directly from the main banner (see image). Of the remaining percentage, 22% do not meet the premise that it is “as easy to reject as to accept”, since more actions are needed to be able to disable the use of cookies. The remaining 70% who are compliant use marketing strategies to subtly induce the user to accept cookies. For example, with ambiguous buttons that make people think that cookies have been deactivated. The following graph shows the total number of cookies registered in all domains classified by stage, depending on whether or not third-party cookies have been blocked. Before consent, acceptance and rejection. As can be seen from the results, the simple use of a third-party cookie blocker results in a significant decrease in the number of cookies used. Even if all cookies have been rejected.We can conclude that 69% of the domains that allow cookies to be rejected do not completely eliminate the cookies of third parties when they are rejected with the browser. Conclusions None of the websites that only uses technical cookies and/or personalisation cookies gives any kind of warning to the user that this type of cookie is being used.The data indicates that 44% of the websites use the same or a greater number of third-party cookies than their own. In the worst cases, 90% of a website’s cookies are third-party cookies. In this case it is recommended to enable the blocking of the use of third-party cookies in the browser to limit the number of cookies.Even if all cookies are rejected completely, many of these third-party cookies are still used in the same way.The regulations indicate that session cookies should be given priority over permanent cookies. However, the data indicates that 96% of the sites analysed use more permanent cookies than session cookies. In addition, on average, 86% of the total cookies used by a website are permanent cookies.The regulations indicate that the life span of these cookies should not exceed two years, however, 15% of the cookies use expiry periods of more than 24 months.46% of the websites use pre-consent analytical cookies and 25% use them when still rejecting all cookies, so this is in violation of the AEPD policy. DOWNLOAD REPORT WhatsApp Terms and Conditions Update: A Cheeky Move?Homeworking: Balancing Corporate Control and Employee Privacy (I)
Innovation and Laboratory Area in ElevenPaths Telefónica Tech’s Cybersecurity Unit Becomes Part of The European Commission’s Cybersecurity Atlas Telefónica Tech’s Innovation and Laboratory Area in cyber security has been included as part of the European Commission’s Cybersecurity Atlas, a knowledge management platform that maps, classifies, visualises and...
Franco Piergallini Guida How to Trick Apps That Use Deep Learning for Melanoma Detection One of the great achievements of deep learning is image classification using convolutional neural networks. In the article “The Internet of Health” we find a clear example where this...
ElevenPaths Cyber Security Weekly Briefing February 13-19 Privilege escalation vulnerability in Windows Defender SentinelLabs researcher Kasif Dekel has discovered a new vulnerability in Windows Defender that could have been active for more than twelve years. The flaw,...
Gonzalo Álvarez Marañón Functional Cryptography: The Alternative to Homomorphic Encryption for Performing Calculations on Encrypted Data — Here are the exact coordinates of each operative deployed in the combat zone.— How much?— 100.000.— That is too much.— And a code that displays on screen the...
ElevenPaths WhatsApp, Telegram or Signal, Which One? In the world of smartphones, 2021 began with a piece of news that has left no one indifferent: the update of WhatsApp’s terms and conditions of use. This measure,...
Sergio De Los Santos 26 Reasons Why Chrome Does Not Trust the Spanish CA Camerfirma From the imminent version 90, Chrome will show a certificate error when a user tries to access any website with a certificate signed by Camerfirma. Perhaps it is not...
