Google report 17% of Microsoft vulnerabilities. Microsoft and Qihoo, 10%
Innovation and Laboratory Area in ElevenPaths
22 October, 2019

Who finds more vulnerabilities in Microsoft products? What percentage of vulnerabilities are discovered by Microsoft, other companies or vulnerability brokers? How many flaws have unknown discoverers? In this report we have analyzed the data of the last three and a half years with the aim of understanding who fixes what in the world of Microsoft products, as well as the severity of these flaws. The report gives an interesting insight into who really investigates Microsoft products and reports flaws in a responsible manner, as well as how many vulnerabilities are attributed to someone and how many are not (which might suggest that they are discovered by attackers).

In this report we address the questions of how many flaws Microsoft detect in their own code, how severe they are, the trend they follow, and how many flaws are found by third parties, either through recognition programs or by their own means.

We have performed a very simple analysis. We have collected and processed all the information of attributed CVEs from March 2016 to September 2019. The source of information has been mainly the following webpage:

These are the attributed vulnerabilities (that is, the ones reported by a given identifiable user, either individual or company). In 2019 (until September), we have analyzed 621 attributed vulnerabilities; 607 in 2018, 593 in 2017 and 310 in 2016 (only since April). This represents a total of 2,131 vulnerabilities analyzed. For all of them, we have extracted their severity through the NIST’s official CVSS.

Nevertheless, these figures do not represent the total number of flaws discovered every month or year. Actually, we have also considered those flaws that were not directly attributed.
We understand that most of these flaws may come from vulnerabilities found in 0-days or under other circumstances where the author is not known (and the vulnerability has not been reported anonymously). In such cases, Microsoft do not attribute the finding to anyone in particular. This difference between attributed and ‘non-attributed’ vulnerabilities (which is not the same as ‘anonymous’) is represented in the following chart.

Executive Summary

- Google report over 17% of the vulnerabilities found in Microsoft products. Around 25% of the flaws are reported by the category ‘other’, which includes small companies that do not usually report, or freelance analysts.
- The third position is for Microsoft, since they detect more than 10% of their own flaws. They are followed very closely by the Chinese Qihoo 360, which nevertheless find more severe vulnerabilities than Microsoft.
- NCSC, iDefense and Check Point often report vulnerabilities with a severity over 5. In general, almost half of them are granted a severity degree of 8.
- In 2017 and 2018, Google led the number of vulnerabilities fixed in Microsoft products. Since 2016, the flaws found by Microsoft have been on the increase. However, during 2019 Qihoo 360 and ZDI have found a great number of vulnerabilities.
- Only 2% of attributed vulnerabilities are of maximum severity.
- In 2016, 25% of vulnerabilities were not attributed to anyone in particular. In 2019 (until September), only 9% of the vulnerabilities did not have a specific author. This may suggest that the number of flaws responsibly reported might have improved.

We may conclude that most of the vulnerabilities found in Microsoft products (most of them with a severity of 8) are discovered by four main actors: Google, Qihoo, ZDI (which includes independent researchers) and Microsoft. Over the last years the roles have changed, since Google and Microsoft have handed the first positions over to ZDI and Qihoo.
The significant drop in non-attributed vulnerabilities (which are found and reported in a non-responsible manner) must also be noted: from 25% in 2016 to 9% in 2019, which means better vulnerability management, indeed via platforms such as ZDI, where researchers are rewarded and encouraged to report vulnerabilities in a responsible way.

Discovering Microsoft's Vulnerabilities: Who is Who from ElevenPaths