46% Of the Main Spanish Websites Use Google Analytics Cookies Before the Consent Required by The Spanish Data Protection Agency (AEPD)

Innovation and Laboratory Area in ElevenPaths, 13 January 2021

Over the past few months, many IT departments have been busy adapting their websites to the new rules on cookies. Every time we visit a website we are asked whether we want to accept or (almost always indirectly) refuse cookies. Most users who arrive at this banner looking for a service or a specific piece of information end up accepting every cookie without knowing the real impact on their security and privacy. How many cookies are usually accepted? For how long? Do websites respect the new cookie rules?

At TEGRA, the Galician innovation centre for information protection within the ElevenPaths Innovation and Laboratory area, we wanted to analyse the current use of cookies in Spain, their impact and their compliance, based on a representative sample of the most visited websites in the country. To do so we developed and released a tool called Triki, which automates navigation to a configurable list of websites and runs different navigation flows on each. The conclusions are collected in the report linked at the end of this post; what follows is a summary.

Summary of Regulatory Updates to the 2020 AEPD Cookie Guide

In collaboration with Govertis, we explain what happened in 2020 regarding cookies and their management. The Spanish Data Protection Agency (AEPD), following the entry into force of the European General Data Protection Regulation and the guidance of the European Data Protection Board (EDPB), updated its guide on the use of cookies in July 2020 and gave website owners until 31 October 2020 to adapt to it. The main change can be summarised as follows: simply continuing to browse is no longer valid as an expression of the user's consent to cookies.

Cookie walls are also prohibited unless an alternative to consenting is offered. Regarding the management of acceptance and revocation of consent, the most relevant change is the removal of "continue browsing" as a way of obtaining consent. Previously the formula "if you continue to browse, we consider that you accept its use" was allowed; the EDPB has established that continuing to browse is not a valid way of giving consent. The guide also modifies and clarifies how users must be informed about accepting, refusing or revoking consent, through the configuration that the site editor must provide or through common platforms that may exist for this purpose. Finally, regarding third-party cookies, the site must inform users about the tools provided by the browser and by the third parties: if the user accepts third-party cookies and later wishes to delete them, they must do so from their own browser or through the mechanism the third parties provide for that purpose.

Methodology

For this research we selected the 100 most visited domains in Spain, obtained from alexa.com. We developed a tool called Triki to extract the information; with a per-domain configuration it collects several kinds of data. For each website a series of navigation flows was run, and each flow was run twice: once without a blocker and once with a third-party cookie blocker. The flows simulated are:

browse: the tool connects to the website without taking any action and extracts the cookies set. This is the stage before consent.
accept: the tool connects to the website, consents to the use of all cookies and extracts them. This is the acceptance stage.
reject: the tool connects to the website, performs the actions needed to reject cookies and extracts the cookies that remain. This is the rejection stage.

How Many Websites Allow Each Flow?

More than 50% of the websites in our sample allow cookies to be rejected or configured directly, which is the ideal. 24% only allow acceptance and redirect the user to the browser's own settings for rejection, which increases the effort needed to reject. 19 of them (19%) allow neither rejection nor acceptance; these could be sites that only use cookies for which a notice is enough. At the same time, 9 (37%) use analytical cookies (Google Analytics) and therefore do not comply with the express consent required by the AEPD cookie rules.

How Many Cookies Are Used Per Site?

14% of sites use more than 90 cookies; the average is 27 cookies per website. We also compared first-party with third-party cookies: 44% of websites use as many or more third-party cookies than their own, and in the worst cases 90% of a website's cookies are third-party. 53% of websites set more than 10 cookies before consent. Running the flows with a third-party cookie blocker shows that 96% of the sites set third-party cookies as soon as the connection is made. Although this may be legal, it is at least unusual that third-party cookies should be required for the technical functioning or personalisation of a page. In these cases we recommend using a third-party cookie blocker.

We also analysed how many sites set Google Analytics cookies before the user accepts or refuses consent, at the stage we call "browse": 46% of the sites do. We then checked how many sites keep Google Analytics cookies after an explicit rejection by the user: 25% of websites continue to keep this type of analytical cookie even when cookies have been rejected.

Cookies and Expiration

The AEPD, in its guidelines on consent, recommends as best practice renewing consent at appropriate intervals, and considers that the validity of a user's consent to a particular cookie should not exceed 24 months. On that basis we checked whether the persistent cookies in our dataset respect this 24-month maximum lifetime. Around 15% of cookies do not, using expiry periods longer than 24 months. After accepting cookies on the sites visited, we found more than 100 cookies with a lifetime of over 3 years, and 50 of them expire more than 20 years out. Finally, 96% of the sites analysed use more persistent cookies than session cookies; on average, 86% of the cookies a website sets are persistent.

Secure Cookies

We also looked at which protection mechanisms the cookies themselves use:

Secure: a cookie with this flag is only sent to the server over HTTPS (HTTP over TLS), never in a plaintext HTTP request.
HttpOnly: this flag helps mitigate cross-site scripting (XSS), since an HttpOnly cookie cannot be read through the JavaScript document.cookie API.

There are further ways to protect a cookie. A cookie whose name starts with __Secure- is only accepted by the browser if it carries the Secure attribute and is set from an HTTPS origin, so a page served over plain HTTP cannot create or overwrite a cookie with that prefix; this protects secure cookies from tampering by an insecure context. The __Host- prefix does the same and goes further: the cookie must also be set with Path=/ and without a Domain attribute, so it is bound to the exact host that set it and a subdomain cannot plant a cookie that the main host will receive. Only 2% of the websites use the __Host- prefix, and none use __Secure-.

Can Cookies Be Rejected?

Only 8% of the websites analysed allow rejection directly from the main banner (see image). Of the remainder, 22% do not meet the requirement that rejecting be "as easy as accepting", since more actions are needed to disable cookies. The remaining 70%, although compliant, use design tricks to subtly nudge the user into accepting, for example ambiguous buttons that make people believe cookies have been deactivated.

The following graph shows the total number of cookies registered across all domains, classified by stage (before consent, acceptance and rejection) and by whether third-party cookies were blocked. As the results show, simply using a third-party cookie blocker significantly reduces the number of cookies set, even when all cookies have been rejected. We conclude that 69% of the domains that allow cookies to be rejected do not completely remove third-party cookies when the user rejects them in the browser.

Conclusions

None of the websites that use only technical and/or personalisation cookies gives the user any warning that such cookies are in use.
44% of the websites use as many or more third-party cookies than their own; in the worst cases, 90% of a website's cookies are third-party. We recommend blocking third-party cookies in the browser to limit their number.
Even when all cookies are rejected, many of these third-party cookies are still set in the same way.
The rules indicate that session cookies should be preferred over persistent cookies, yet 96% of the sites analysed use more persistent than session cookies, and on average 86% of a website's cookies are persistent.
The rules indicate that cookie lifetime should not exceed two years, yet 15% of cookies use expiry periods of more than 24 months.
46% of the websites set analytical cookies before consent and 25% still set them after all cookies have been rejected, in breach of the AEPD policy.

DOWNLOAD REPORT
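As an added example (this is not the Triki tool or any other ElevenPaths code), the Python script below applies the criteria from the "Cookies and Expiration" and "Secure Cookies" sections, together with the pre-consent and post-rejection Google Analytics check, to cookies captured at the three stages the methodology defines. The capture is constructed sample data for a hypothetical site example.es, and the site name, the cookie values and the clock date are assumptions; in a real audit the capture would come from browser automation.

```python
"""Added example, not the Triki tool or other ElevenPaths code: offline checks of
the report's criteria on cookies captured at each navigation stage ("browse" =
before consent, "accept", "reject"). Input is a constructed Set-Cookie capture for
a hypothetical site example.es; real data would come from browser automation."""
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

SITE = "example.es"                       # hypothetical audited site
MAX_LIFETIME = timedelta(days=730)        # AEPD: cookie/consent validity <= 24 months
NOW = datetime(2021, 1, 13, tzinfo=timezone.utc)  # fixed clock so lifetimes are reproducible

# Constructed capture (not real data): cookies the browser holds after each flow.
CAPTURE = {
    "browse": [
        "session_id=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
        "_ga=GA1.2.111.222; Domain=.example.es; Path=/; Expires=Thu, 12 Jan 2023 00:00:00 GMT",
        "_gid=GA1.2.333.444; Domain=.example.es; Path=/; Max-Age=86400",
    ],
    "accept": [
        "session_id=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
        "_ga=GA1.2.111.222; Domain=.example.es; Path=/; Expires=Thu, 12 Jan 2023 00:00:00 GMT",
        "_gid=GA1.2.333.444; Domain=.example.es; Path=/; Max-Age=86400",
        "__Host-csrf=t0k3n; Path=/; Secure; HttpOnly; SameSite=Strict",
        "__Secure-pref=dark; Domain=example.es; Path=/; Secure; Max-Age=63072000",
        "__Host-bad=1; Domain=example.es; Path=/; Secure",    # Domain attribute breaks __Host-
        "ad_id=xyz; Domain=.adnetwork.example; Path=/; Expires=Fri, 01 Jan 2038 00:00:00 GMT",
        "partner_uid=42; Domain=.tracker.example; Path=/; Max-Age=94608000",  # 3 years
    ],
    "reject": [
        "session_id=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
        "_ga=GA1.2.111.222; Domain=.example.es; Path=/; Expires=Thu, 12 Jan 2023 00:00:00 GMT",
    ],
}


def is_google_analytics(name):
    """Well-known Google Analytics cookie names: _ga, _gid, _gat, _gat_<id>, _ga_<id>."""
    return name in ("_ga", "_gid", "_gat") or name.startswith(("_gat_", "_ga_"))


def parse_set_cookie(header, now=NOW):
    """Split a Set-Cookie string into name, attributes and lifetime (None = session cookie)."""
    first, *rest = [p.strip() for p in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() or True   # flag attributes map to True
    lifetime = None
    if "max-age" in attrs:                 # RFC 6265: Max-Age takes precedence over Expires
        lifetime = timedelta(seconds=int(attrs["max-age"]))
    elif "expires" in attrs:
        expires = parsedate_to_datetime(attrs["expires"])
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        lifetime = expires - now
    return {"name": name.strip(), "value": value, "attrs": attrs, "lifetime": lifetime}


def prefix_ok(cookie):
    """Browser rules for name prefixes: __Secure- needs Secure; __Host- also needs
    Path=/ and no Domain. (Whether the setting origin was HTTPS is not visible here.)"""
    attrs, name = cookie["attrs"], cookie["name"]
    if name.startswith("__Host-"):
        return "secure" in attrs and "domain" not in attrs and attrs.get("path") == "/"
    if name.startswith("__Secure-"):
        return "secure" in attrs
    return True


def is_third_party(cookie, site=SITE):
    """Host-only cookies (no Domain) belong to the site; otherwise compare the Domain."""
    domain = cookie["attrs"].get("domain")
    if domain is None:
        return False
    domain = domain.lstrip(".")
    return not (domain == site or domain.endswith("." + site))


def audit(capture=CAPTURE, now=NOW, site=SITE):
    """Apply the report's checks to one site's capture and return the findings."""
    stages = {s: [parse_set_cookie(h, now) for h in hdrs] for s, hdrs in capture.items()}

    def names(stage):
        return {c["name"] for c in stages.get(stage, [])}

    accepted = stages.get("accept", [])          # full set once everything is accepted
    persistent = [c for c in accepted if c["lifetime"] is not None]
    return {
        "ga_before_consent": sorted(n for n in names("browse") if is_google_analytics(n)),
        "ga_after_reject": sorted(n for n in names("reject") if is_google_analytics(n)),
        "over_24_months": sorted(c["name"] for c in persistent if c["lifetime"] > MAX_LIFETIME),
        "persistent_share": len(persistent) / len(accepted) if accepted else 0.0,
        "third_party": sorted(c["name"] for c in accepted if is_third_party(c, site)),
        "missing_secure": sorted(c["name"] for c in accepted if "secure" not in c["attrs"]),
        "missing_httponly": sorted(c["name"] for c in accepted if "httponly" not in c["attrs"]),
        "bad_prefix": sorted(c["name"] for c in accepted if not prefix_ok(c)),
    }


if __name__ == "__main__":
    for finding, value in audit().items():
        print(f"{finding:18} {value}")
```

Two details matter when reproducing the report's numbers. Lifetime is computed from Max-Age when present and only otherwise from Expires, which is the precedence browsers apply, so a cookie that sends both is judged by Max-Age. And the prefix check only validates the attributes the cookie carries; whether it was actually set from an HTTPS response, which the browser also requires, has to be recorded by the capture tool.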