4 Brazilian cities using data to plan urban mobility

AI of Things    19 December, 2017
 
Successful urban mobility planning is a vital task for local governments around the world. In the EU, cities account for almost three quarters of the total population and, since 2013, Sustainable Urban Mobility Plans (SUMPs) have been a requirement. This post, however, looks at Brazil, and at four success stories where data has been used to develop mobility plans that not only improve the quality of life of those living in the given city or municipality, but also achieve the Federal Mobility Planning goals set by the Brazilian government.

 
Before exploring how these mobility plans succeeded, it is important to explain the technologies behind their creation. The key to each of the following cases is the use of Origin and Destination (OD) matrices, created by analyzing the data generated by mobile phones as people travel around the city. This data is aggregated, anonymized and extrapolated, and insights about population flows are then drawn from it. For a more detailed explanation of our Smart Steps technologies, it is well worth watching our LUCA talk, ‘Using Mobile Data in the Transport Sector’. This webinar is given by two of our senior data analysts and explains the techniques behind our LUCA Transit solution.
 
 
Our first success story comes from the municipality of Guarujá, situated in the state of Sao Paulo, Brazil. This region has a population of around 300,000 people and covers an area of approximately 55.44 square miles. A popular destination for domestic tourists from the city of Sao Paulo, the area is a prime location for real estate and tourism. Because of the importance of tourism, an urban mobility plan was needed. Using mobile CDRs (call detail records), LUCA developed an OD matrix and geo-referenced maps of Guarujá, which Sistran Engenharia was then able to use to build the mobility plan. The benefits of this project were varied. The OD matrix was drawn up in only 2 months (where traditional methods would take between 6 and 12) and its cost was a third of the average. Additionally, the data sample used was far larger, which brought greater reliability, as well as the ability to differentiate between internal and external population flows.
 
The same process was used in the cities of Sao Luis and Jandira. The most notable difference between the various cities in which we work is their size. The city proper of Sao Luis has a population of around 1 million people, with an extra 300,000 people in the wider metropolitan area. This makes the city over three times larger than Guarujá, and it is the 16th largest city in Brazil. In the municipality of Jandira, we worked alongside Tranzum, a Brazilian transport consultancy, to provide Jandira City Hall with the tool needed to coordinate their urban mobility planning. This city forms part of the wider Sao Paulo region and has a population of 120,000. The fact that an OD matrix is as effective in a city of one million people as in one of just over 100,000 shows that scale is no issue. In fact, in larger cities, where more data is generated, the power of Big Data technologies is even greater.

 

Figure 1 : Cities in the wider Sao Paulo region are using data to plan urban mobility.

 

The final case study reinforces the adaptable nature of an OD matrix, since the city of Votuporanga has a population more than ten times smaller than Sao Luis. Votuporanga is known as the ‘city of soft breezes’ and has a long history in the Brazilian coffee trade, but 73.85% of the city’s GDP is generated by the tertiary sector. Using the same methodology based on mobile CDRs, LUCA developed an OD matrix for the local government. Rather than explain the impact of this project ourselves, we will leave this quote from Antonio Alberto Casali, Transportation Secretary for Votuporanga:
 
“With the dataset from this project we can have our Mobility Plan ready. It is important to recall that this is a very advanced way to obtain the needed information with the same accuracy. This system replaces the old one, which we would do manually by counting people and their displacement.”
– Antonio Alberto Casali
 
The benefits of a sustainable mobility plan are numerous. If implemented successfully, it will improve the accessibility of transport systems, lead to a more attractive urban environment, improve safety and reduce pollution. At LUCA, we passionately believe in our Smart Steps technologies and in the power that harnessing data can have in developing successful mobility plans. To stay up to date with the latest news, follow us on Twitter and LinkedIn, and sign up to our monthly newsletter.


#CyberSecurityPulse: The Boom of JavaScript Miners

ElevenPaths    19 December, 2017

The most common question in recent months, driven by the surge in the value of many cryptocurrencies, is: do I invest or not? However, as we know, there are other ways to obtain cryptocurrencies, and one of them is mining, although by now that is an expensive option. This is where the ingenuity of certain attackers comes into play. Security researchers from F5 Networks spotted a sophisticated malware campaign, tracked as the Zealot campaign, targeting Linux and Windows servers to install Monero cryptocurrency miners. The researchers observed threat actors scanning the Internet for particular unpatched servers and compromising them with two exploits, one for Apache Struts (CVE-2017-5638) and one for the DotNetNuke ASP.NET CMS (CVE-2017-9822).

Another recent case was detected in a Starbucks in Buenos Aires, where customers’ laptops, once connected to the store Wi-Fi, secretly started mining. The company was notified by Noah Dinkin, CEO of Stensul, who asked on Twitter on 2 December whether they were aware of the situation. Dinkin noted in his tweet that the JavaScript miner offered by Coinhive was being used to mine the Monero cryptocurrency.


In this context, ElevenPaths has recently published on its blog an investigation that explains why attackers are currently betting on Monero rather than Bitcoin, as well as which websites are most attractive to those who want to take advantage of third parties’ computing capacity. In response to this situation, projects such as the NoCoin browser extension have recently been published to detect whether your computer is being used for mining. However, these efforts are still insufficient.

More information at ElevenPaths

Top Stories

FCC Killed Net Neutrality

Three out of five federal regulators voted last Thursday to hand control of the future of the Internet to cable and telecommunications companies, giving them the power to speed up service for websites they favor or slow down others. As proposed this summer, the US Federal Communications Commission (FCC) has rolled back the Net Neutrality rules that required Internet Service Providers (ISPs) to treat all services and websites on the Internet equally and prohibited them from blocking sites or charging for higher-quality service.

More information at The Hacker News

Pentagon Delays Deadline For Military Suppliers to Meet Cybersecurity Rules

The Pentagon will delay a January 1 deadline for all of its suppliers to meet a set of new regulations largely designed to better protect sensitive military data and weapon blueprints. By year’s end, companies must instead merely show that they have a plan in place to meet the regulations. The new regulations are meant to prevent the theft of sensitive data, which has been targeted by hackers. In October, U.S. officials acknowledged that hackers had stolen sensitive information about the F-35 Joint Strike Fighter from an Australian military supplier.

More information at NextGov

Rest of the Week´s News

Suspicious Event Routes Traffic for Big-name Sites Through Russia

Traffic sent to and from Google, Facebook, Apple, and Microsoft was briefly routed through a previously unknown Russian Internet provider on Wednesday, under circumstances researchers said were suspicious and intentional. Wednesday’s event comes eight months after large chunks of network traffic belonging to MasterCard, Visa, and more than two dozen other financial services were briefly routed through a Russian government-controlled telecom, also under suspicious circumstances.

More information at Ars Technica

Two Critical Zero-Day Vulnerabilities Discovered in vBulletin Forum Disclosed Publicly

Security researchers have discovered and publicly disclosed details of two unpatched critical vulnerabilities in the vBulletin forum software that could allow a remote attacker to execute malicious code on a server running the latest version of vBulletin. The first vulnerability is a file inclusion issue that leads to remote code execution, allowing a remote attacker to include any file from the vBulletin server and execute arbitrary PHP code. The second vulnerability, in vBulletin version 5, has been assigned CVE-2017-17672 and is described as a deserialization issue that an unauthenticated attacker can exploit to delete arbitrary files and even execute malicious code “under certain circumstances.”

More information at The Hacker News

Pre-Installed Password Manager On Windows 10 Lets Hackers Steal All Your Passwords

Starting with the Windows 10 Anniversary Update (version 1607), Microsoft added a new feature called Content Delivery Manager that silently installs new “suggested apps” without asking for the user’s permission. According to a blog post published Friday on the Chromium Blog, Google Project Zero researcher Tavis Ormandy said he found a well-known password manager, Keeper, pre-installed on his freshly installed Windows 10 system, which he had downloaded directly from the Microsoft Developer Network. Ormandy started testing the software and quickly discovered a critical vulnerability that leads to “complete compromise of Keeper security, allowing any website to steal any password.”

More information at The Hacker News

Further Reading

Attackers Deploy New ICS Attack Framework TRITON and Cause Operational Disruption to Critical Infrastructure

More information at FireEye

Lazarus APT Group Targets a London Cryptocurrency Company

More information at Security Affairs

Python Script Recovers Hidden Event Logs

More information at Github

The best-bits of Changing the Game with Big Data Valencia!

AI of Things    18 December, 2017

Last Thursday, the 14th of December, we finished our schedule of yearly events with the latest edition of Changing the Game with Big Data. This conference was created with the aim of presenting cutting-edge case studies from the transport, retail and tourism sectors. It’s a perfect chance to see first hand how Big Data helps organizations to evolve and accelerate their business. You couldn’t make it? Don’t worry, we’ll catch you up in this post.

Following the success of previous editions in Madrid and Barcelona, this time the event touched down in the Mediterranean city of Valencia. For all those who couldn’t attend the event, we reveal the stand-out moments of this morning of data.

The location chosen for this conference was the ‘Fundación Empresa’ (Business Foundation) in the center of the city, and attendees started to arrive at 10:30 in the morning. After registration, Bruno Bilasarau, Director of Digital Services and Public Sector for the Mediterranean region, welcomed those present.

Figure 1 : Image of the auditorium during #CTGValencia.

Next, Miguel Ángel Diez Rincón, Go-To-Market Manager at Telefonica, showed how the LUCA offering for the retail, transport and tourism sectors brings together knowledge of Artificial Intelligence, Data Engineering and Data Science. Following on from this, Lourdes Cubero, Retail Business Developer at Telefonica, presented our LUCA Store solution for points of sale and service and showed us the keys to getting to know clients better and thus accelerating sales. Ladislao Aceituno, Senior Analytic Consultant at LUCA, was the representative presenting LUCA Transit, and he showed the most recent innovations in transport planning.

Figure 2 : Image of the auditorium during the Q&A session.

After a coffee break and a spot of networking, Adrián Suárez, Big Data Consulting Team Leader at Synergic Partners, spoke to us about how Big Data can be used to help businesses strengthen the strategic value of their data through its consultancy services, showing various case studies from diverse sectors.

The finishing touch was given by Elena Díaz, Senior Analytic Consultant at LUCA, who showed very clearly how LUCA Tourism can use Big Data to optimize tourism offerings. At the end of the event, the speakers answered questions from the audience before closing with a drink and a delicious Valencian paella.

At LUCA, we are already preparing the schedule of events for next year. Follow us on Twitter to be the first to hear about the latest information!


#CyberSecurityPulse: Army Launches Direct Commissioning Program for Civilian Cybersecurity Experts

ElevenPaths    12 December, 2017

The Army has approved a program to recruit experienced cybersecurity experts directly into the service as cyber officers, in an attempt to bolster a growing field that military leaders see as vital to national security. However, this measure, approved by the Pentagon and Congress, is a pilot. For now, it seeks to bring in five new officers a year for five years.

In Spain, several initiatives have also emerged to counteract the Army’s budgetary and training difficulties. Specifically, the latest measure was published last November by the Joint Cyber Defense Command, which expects to call on a group of outside experts only in those situations where they are needed, without any compensation in return.


The solution is not trivial. Despite efforts to relocate and retrain internal personnel from other areas into these positions, there are no procedures for recruiting civilian personnel (and those that are emerging do not seem attractive enough) to meet the needs of these public agencies. In any case, these kinds of procedures are hardly compatible with current recruitment models. The reality is that the procedures for selecting this type of profile could conflict with the rigor of the controls required for certain security clearances, which would end up leaving out candidates with a high degree of specialization.

More information at Stars and Stripes

Top Stories

MoneyTaker Hacker Group Stole Millions from U.S. and Russian Banks

Security researchers have uncovered a previously undetected group of Russian-speaking hackers that has silently been targeting banks, financial institutions, and legal firms, primarily in the United States, the UK, and Russia. According to the security firm Group-IB, the group, dubbed MoneyTaker, has primarily been targeting card processing systems, including the AWS CBR (Russian Interbank System) and the SWIFT international bank messaging service (United States). Group-IB also warned that MoneyTaker’s attacks against financial organizations appear to be ongoing and that banks in Latin America could be their next target.

More information at Group-IB

The Authors of the Orcus RAT Target Bitcoin Investors

According to experts from Fortinet, the authors of the Orcus RAT have started targeting Bitcoin investors with their malicious software. The attack chain starts with phishing messages advertising a new Bitcoin trading bot application called “Gunbot”, developed by GuntherLab. Fortinet warns that the actors behind the Orcus RAT have made some changes to the malware download site, for example bltcointalk.com, which attempts to imitate the Bitcoin forum bitcointalk.org.

More information at Fortinet

Rest of the Week´s News

OpenSSL Patches for the Fourth Time in 2017

The OpenSSL Project released OpenSSL 1.0.2n, which addresses two vulnerabilities discovered by Google researcher David Benjamin. The first, a “moderate severity” issue tracked as CVE-2017-3737, is related to an “error state” mechanism implemented since OpenSSL 1.0.2b. The second flaw, tracked as CVE-2017-3738, is an overflow vulnerability that could be exploited by an attacker to access TLS-protected communications. That flaw was rated “low severity” because it is very difficult to trigger in a real attack scenario.

More information at OpenSSL

Android Flaw Lets Hackers Inject Malware Into Apps Without Altering Signatures

Millions of Android devices are at serious risk from a newly disclosed critical vulnerability (CVE-2017-13156) that allows attackers to secretly overwrite legitimate applications installed on a smartphone with malicious versions. Dubbed Janus, the vulnerability allows attackers to modify the code of Android apps without invalidating their signatures, eventually allowing them to distribute a malicious update for a legitimate app that looks and works the same as the original.

More information at Guardsquare

Pre-Installed Keylogger Found On Over 460 HP Laptop Models

A security researcher who goes by the name ZwClose discovered a keylogger in several Hewlett-Packard (HP) laptops that could allow attackers to record every keystroke and steal sensitive data, including passwords, account information, and credit card details. The keylogger was found embedded in the SynTP.sys file, part of the Synaptics touchpad driver that ships with HP notebook computers, leaving more than 460 HP notebook models vulnerable.

More information at The Hacker News

Further Reading

Mining Service Nicehash Hacked, $60 Million in User Funds Stolen

More information at The Register

Microsoft Accidentally Exposed a Dynamics 365 TLS Certificate and Private Key for at Least 100 Days

More information at Security Affairs

Severe Flaws in Most Popular Programming Languages Could Expose Any Secure Application Built on Top of Them to Attack

More information at Security Affairs

Big Data: Revolutionizing Animal Conservation

AI of Things    11 December, 2017
Until recently not a topic that captured much attention, animal conservation is a serious problem that needs addressing. Sustainable Development Goal number 15 from the United Nations, entitled “Life on Land”, refers to the promotion of biodiversity. According to the Red List Index, biodiversity loss is continuing at an alarming rate and the likelihood of extinction for many animals is increasing uncontrollably. Something has to be done to prevent irreversible changes and damage to our planet. Along with the trade in weapons and drugs and human trafficking, illicit wildlife trading is one of the main illegal activities on a global scale.

Traditional Methods vs Data-Driven Solutions

Before the current era of data, animal conservation was conducted using small sample sizes, leading to predictions about the whole population. At a basic level, the traditional method can be explained as follows: if, from a sample of 10 animals, 2 contract a life-threatening disease, we assume that the disease affects 2/10ths of the whole population. Evidently, there are various flaws in this approach, such as ignoring the geographical location of the animals, whether or not the disease is contagious, etc.

Big Data analytics now has the capacity to examine extremely large data sets, with the aim of identifying patterns and correlations. Conclusions are based on this concrete data rather than on assumptions, giving them a higher degree of accuracy and making them more meaningful. When discussing animal conservation, it is essential to act quickly. Big Data techniques are far faster and more efficient than traditional manual methods, with a similar degree of accuracy. Why is speed essential? If scientists are investigating a declining population, the faster they can receive the information, the faster they can take action.

Figure 2 : Data-driven solutions are fast… but this sloth is certainly not!

In addition to what are considered ‘traditional data sources’, such as animal population numbers, Big Data analytics harnesses the power of social media data, emails, survey responses, mobile data, cameras, sensors attached to animals, etc. For example, sensors can identify when an animal is killed by illegal poaching, and the criminals can then be identified through cameras. Not only does this help to capture those responsible, it also dissuades further poaching, as hunters have more to fear.

Figure 3 : Elephants with cut tusks. They are victims of the illegal ivory trade.

Innovative Data-Collection Methods

Some companies have created apps whose users collect data in exchange for information on species and access to the main database. An example of this is ‘Leafsnap’, an app that helps the public identify tree species through photographs of their leaves or fruits. The app uses technologies such as visual recognition algorithms and machine learning. The data from the app can be used to understand the impact of natural and man-made disasters on tree populations. This can also lead to a better understanding of animal populations, as many creatures such as birds rely on fruit from trees for food or on the branches and leaves for shelter. ‘eBird’, launched back in 2002, allows users to record bird sightings. Ultimately, this has led to the creation of ‘BirdCast’, a tool that uses machine learning to provide real-time predictions of bird migration for the first time ever. Clearly, this will aid conservation efforts by allowing better land planning and by giving us a clearer idea of populations. The data can provide a sufficient basis to protect certain regions from industrialization because of their rich wildlife. In addition to all this, it is an incredible tool for avid bird watchers. Both are free services, so that they can attract the largest possible number of users and, consequently, the most data.

One area where Big Data techniques have been adopted with great focus is the protection of tigers in India. Some locals believe that tiger bones have medicinal benefits for humans, and as a result a high price is demanded for the bones on the black market. A study published in the journal ‘Biological Conservation’ looked at the probabilities of tiger sightings in India and identified 73 hot spots. The idea is that where tiger populations are high, hunters will not be far behind, so greater conservation and prevention efforts can be focused there. An intelligence network has now been built using more than 25,000 data points collected since 1972; undeniably a step in the right direction towards the protection of one of the planet’s most valuable animals.
Figure 4 : Wild tiger numbers are growing.

Future Steps…

As already explained in this post, we are certainly on the right path to addressing the issue. More data-driven projects will inevitably take place in the coming months and years, and hopefully more species will be taken off the endangered list. This is, and always will be, the end goal: to ensure that human actions do not result in the loss of more species. Rather than industrial developments depleting animal numbers, here we see technological developments repairing the damage and building towards a better, more biodiverse world in the near future. Here at LUCA we work on various Big Data for Social Good projects, and we wholeheartedly believe that the future of animal conservation is data-driven. Data is playing a huge role in society today, and that role will only grow bigger and provide even more opportunities.


Breaking Out HSTS (and HPKP) on Firefox, IE/Edge and (possibly) Chrome. Our Black Hat research

ElevenPaths    11 December, 2017
We have been researching HSTS, HPKP, certificate pinning and TLS technologies in general for a long time. As a side effect of this work, we have found some interesting weaknesses in the way Firefox, Chrome and IE/Edge implement both mechanisms, HSTS and HPKP. We submitted this research to Black Hat Europe 2017 and presented it in London on December 7th, in the Briefings track. Here are some details about what we presented, as a digest of the presentation itself, which may be found here.

Introduction

Aside from implementation vulnerabilities such as Heartbleed, CRIME, etc., the usual attacks against SSL/TLS take advantage of:

  • Rogue certificates: an attacker hacks into a certificate authority, plays the CA role in some way inside a network, or takes advantage of a procedural error, to get issued a certificate that looks just like the real certificate of an entity but is fake. In the past few years we have seen plenty of examples of this.
  • SSLStrip techniques: intercepting the initial insecure connection and, from there, keeping all subsequent requests over HTTP instead of HTTPS.

For the first problem, HPKP is one of the proposed solutions. It makes the browser remember the hashes (pins) of the legitimate public keys, which the server sends in an HTTP header, so that a later connection presenting a certificate chain with none of those keys is rejected even if the chain validates. For the second, HSTS is proposed. It consists of a header sent to make the browser remember that it always has to connect over TLS/SSL, so no insecure connection is made after this header has been received.

We have analyzed how browsers implement these (relatively) new features, and what we found (among some other minor mistakes) is:

Firefox

As we explained when PinPatrol was released, Firefox uses a text file with a limit of 1024 entries to remember HSTS and HPKP domains. It seems they thought it was unlikely that a user would store more than that, but, anyhow, they also implemented a concept of “score” for each domain.

Firefox source code comment about the 1024 limit

The score indicates how often the user visits that domain on different days. Score 0 means that the header has expired or that it is the first day the user has visited the site. The score goes to 1 if the user visits it again the next day, and to 2 on the next different day (not necessarily the day after) the user visits that site. In a nutshell, the more often (on different days) the user visits the site, the higher the score. When one of these 1024 entries has to be removed to free up a slot, the one with the lowest score is removed.

What we did is a Bettercap JavaScript payload to inject, plus a special website. Both send a lot of HSTS headers (what we call “junk entries”) for different subdomains. In less than 2 minutes, Firefox fills up this 1024-entry table and starts removing legitimate domains with score 0.

Simple script to send headers from our site cloudpinning.com

What happens if a legitimate domain has a higher score and is less likely to be removed? To evict it, we need to run this attack again on a different day, so our junk entries get a score of 1, and the legitimate entries with score 0 or 1 will probably go away. And so on.

Junk entries with Score = 0 have removed legitimate domains

If we do not want to wait a whole day, we may use a known technique by Jose Selvi called Delorean, which speeds up the clock on some Linux and Mac clients. Combined, we can likely evict the HSTS and HPKP entries of important domains from Firefox in minutes.

Using Delorean to speed up the process, if you want to

Even if this does not work and we are not able to evict a domain from the table (evicting a domain from those 1024 entries is equivalent to disabling HSTS and HPKP for it, which allows a Man in the Middle attack), Firefox, because of this slot-based mechanism, will end up with just one single slot (the one that remains with score 0) to store new HSTS entries. That slot is constantly overwritten by new domains that also have score 0, which, eventually, makes HSTS useless.

If we get to fill up the 1024 entries with a score higher than 0, there will be just one slot left

Chrome

Chrome has no concept of score. As we explained with our PinPatrol extension for Chrome, it stores HSTS and HPKP entries in a JSON file. If anyone sends a lot of HSTS and HPKP entries from a server or from a MiTM position, Chrome will store all of them for as long as their max-age lasts. Our approach here sends thousands of HSTS and HPKP responses, taking advantage of the unlimited number of “pins” Chrome accepts for HPKP, where each response may be as large as an HTTP header allows. Result: in about 10 minutes, this JSON file is 500 megabytes or more on the hard drive, and Chrome freezes. You cannot even type a new domain anymore. The only choice is to try to delete all your settings (if you can) or remove this JSON file. This attack can be launched from any website into which you can inject JavaScript.

Lots and lots and lots of pins sent to Chrome

IE/Edge

Basically, the function or API that manages HSTS in Windows is located in the WININET.DLL library and is called HttpIsHostHstsEnabled, which seems not to have any official documentation. We understand that knowing the system in depth would require extensive reverse engineering and forensic work, which is beyond the scope of this report. In recent versions of Internet Explorer (and even Edge), Microsoft uses a proprietary database engine called Extensible Storage Engine (ESE) to store HSTS data, among many other things. The base file with the bulk of the information is usually the WebCacheV01.dat file under the user profile, in the WebCache folder.

With the lack of documentation, this is all you can “know” about how IE/Edge store their HSTS information

This is complex, since deeper research is needed. HSTS does not seem to work properly in this browser. We have discovered the tables where this information is stored, but it only seems to work with popular domains. Incredibly, it seems that it does not remember HSTS for less popular domains. Furthermore, even clearing the cache (not the HSTS storage system) does not seem to affect this entry list. We have reversed some of the APIs that should be invoked to store this information, and they are never used. As a PoC, we requested our https://www.cloudpinning.com site 131 times, and after restarting the browser, and even the computer, not a single change was made to the HSTS permanent tables.

Some requests do not seem to have any impact in Internet Explorer

 
If you want to have a look and play around with this concept, we created this webpage (cloudpinning.com); feel free to use it.


#CyberSecurityPulse: Injection and XSS, the Most Critical Web Application Security Risks

ElevenPaths    5 December, 2017

The Open Web Application Security Project (OWASP) has just updated its top ten list of web application security risks for the first time since 2013, but not much has actually changed. According to the list, the top risk remains injection, and cross-site scripting (XSS) is still in the top ten despite having plagued web apps for a decade and a half. Verizon’s Data Breach Investigations Report (DBIR) for 2017 also found that, of 1,935 confirmed breaches analysed, some 571 involved web application attacks, which makes the seriousness of the OWASP list clear.

On the other hand, Black Duck’s 2017 Open Source Security and Risk Analysis (OSSRA) report found open source in 96 percent of the commercial software tested, and known vulnerabilities in two-thirds of those code bases; it is an inertia that is proving very costly. Many organizations do not effectively track and manage open source, and as a result are not fully aware of the risks that accompany its use.

Modern risks move quickly, so the days of scanning or penetration testing an application once a year or so are long gone. Modern software development requires continuous application security testing across the entire software development lifecycle, in order to deal with the enormous volume of vulnerabilities that are found daily.

More information at OWASP

Top Stories

UK Government Launches ‘Cyber Discovery’ Programme to Find Next Generation of Cybersecurity Talent

The Department for Digital, Culture, Media and Sport (DCMS) has today launched its landmark cyber security training programme aimed at young people in school years 10-13. The initiative aims to help plug the UK’s cyber security skills gap by tapping into young and undiscovered talent, with the ambition of stimulating and nurturing interest in cyber security as a future career path. Initially, students are invited to register and work through a selection tool, CyberStart Assess. Successful students will go on to three challenging and exciting stages, which will later include face-to-face camps with industry experts and three live regional Capture the Flag events where parents and leaders can see the progress made by students. Cyber Discovery is being piloted in England in its first year but is expected to expand to other parts of the UK in later years.

More information at Join Cyber Discovery

Bitcoin Gold Warning With Its Windows Wallet

Bitcoin Gold has warned that anyone who downloaded the Windows wallet file between November 21, 2017, 09:39 UTC, and November 25, 2017, 22:30 UTC, should not use the file in any way. If the file was used, the computer on which it was used should be treated with extreme caution: the file should be deleted, the machine thoroughly checked for malware and viruses (or wiped clean), and any cryptocurrencies with wallets accessible on that machine moved to new wallet addresses immediately.

More information at Bitcoin Gold

Rest of the Week’s News

Facebook Tool Will Let Users View Russian-placed Pages

After taking a pounding for its role in letting Russian bad actors gain influence on social media during the US presidential election, Facebook said it will offer a tool that lets users view the pages and ads created by the Internet Research Agency, a Russian troll farm that runs online influence operations on behalf of the Russian government.

More information at SC Magazine UK

Firefox Will Notify Users Who Visit Sites That Suffered a Data Breach

The Firefox browser is going to introduce a new security feature to make users’ experience online more secure: it will warn users if they visit websites that have experienced data breaches. The news was revealed by Mozilla developer Nihanth Subramany and confirmed by the presence of a recently released GitHub repo titled “Breach Alerts Prototype”. The developer has teamed up with haveibeenpwned.com as the data source for breach information.

More information at GitHub

Google to Block Third-Party Software From Injecting Code Into Chrome Browser

To improve performance and reduce crashes caused by third-party software on Windows, Google Chrome will, by mid-2018, no longer allow outside applications to run code within the browser. Google has announced its plan, but there will be some exceptions allowing Microsoft-signed code, accessibility software and IME software to inject code into the browser.

More information at The Hacker News

Further Reading

PayPal Subsidiary Data Breach Hits Up to 1.6 Million Customers

More information at The Hacker News

Cryptocurrency Miners Hidden in Websites Run Even After Users Close the Browser

More information at Security Affairs

Vulnerability in CoinPouch Verge Wallets

More information at Security Affairs

RSA Authentication SDK Affected by Two Critical Vulnerabilities

More information at SecLists

SealSign integration with the Azure Key Vault

ElevenPaths    30 November, 2017
ElevenPaths and Microsoft, thanks to Gradiant technology, have integrated Azure Key Vault into the SealSign platform. This partnership provides a server-based digital signature and certificate safekeeping service, based on HSMs, with a high degree of security, scalability and performance.
The use of secure cryptographic hardware, or HSMs (Hardware Security Modules), provides a very adequate mechanism to safeguard and protect keys (in the fashion of a safe-deposit box). However, the cost and complexity of installation and configuration hinder wider adoption of this hardware. For this reason, some as-a-service solutions have emerged, such as Azure Key Vault, which offer the possibility of using HSMs as one more service within a public cloud.

SealSign® is a scalable, modular and complete enterprise platform developed by ElevenPaths that provides electronic document and biometric signatures, digital certificate safekeeping, and long-term archiving of signed documents. The platform configures its different cryptographic providers through a standard PKCS#11 interface. This makes it possible to securely access certificates and keys stored in HSMs and, thus, to electronically sign documents without compromising the security and privacy of sensitive information.
Azure Key Vault has a REST (Representational State Transfer) API through which applications can perform operations. However, its usefulness as a cryptographic service provider is limited by the lack of lower-level interfaces such as PKCS#11, which is what signing applications normally expect. PKCS#11 is a cryptographic token interface that defines a generic API for accessing cryptographic devices (typically HSMs). The PKCS#11 API allows applications to securely use the “secrets” stored in such devices, for example to sign documents.
For this reason, Gradiant developed the BlackICE Connect connector, based on the PKCS#11 standard. The connector is a library that incorporates the Azure Key Vault service as a cryptographic provider in SealSign. In this way, applications can electronically sign documents while their digital certificates are securely safeguarded by the Azure Key Vault service. This solution was presented at Security Innovation Day 2017, the innovative cybersecurity event organized by ElevenPaths.
This translates into significant savings: instead of acquiring and maintaining HSMs, one only pays for the use made of the service (typically based on the number of keys stored and the number of operations performed with them).
The PKCS#11 – Azure Key Vault connector simulates a cryptographic device that exposes a standard PKCS#11 interface to the application using it (for example, SealSign). Internally, it translates calls to this interface into calls to the Azure Key Vault REST service, preserving the standardized data structures and the consistency of the communications through a virtual slot. In this way, Azure Key Vault behaves as a transparent cryptographic service provider for the application.
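The translation the connector performs can be sketched in a few dozen lines. The following is an added illustration written for this page, not Gradiant's BlackICE Connect code nor ElevenPaths' SealSign code: a PKCS#11-style signing façade (one "virtual slot", object handles, a C_Sign-like call) over the public Azure Key Vault REST sign operation (`POST {vault}/keys/{name}/{version}/sign?api-version=7.4` with a JSON body `{"alg": ..., "value": <base64url digest>}`). The vault URL, key name and version are placeholders, the HTTPS transport is injected so the example runs offline, and the fake transport's "signature" is a constructed value, not RSA. The important design point it shows: Key Vault signs a digest, not a message, so the shim must run the hash half of a hash-and-sign PKCS#11 mechanism locally and send only the digest.

```python
"""PKCS#11-style signing facade over the Azure Key Vault REST 'sign' operation.
Added illustration of the connector design described above; not Gradiant's
BlackICE Connect code. Assumes the public Key Vault REST API (api-version 7.4)."""
import base64
import hashlib
import json

# PKCS#11 mechanism -> (Key Vault JWS algorithm name, local digest function).
# Key Vault signs a digest, so the hashing half of each mechanism is done here.
MECHANISMS = {
    "CKM_SHA256_RSA_PKCS":     ("RS256", hashlib.sha256),
    "CKM_SHA384_RSA_PKCS":     ("RS384", hashlib.sha384),
    "CKM_SHA512_RSA_PKCS":     ("RS512", hashlib.sha512),
    "CKM_SHA256_RSA_PKCS_PSS": ("PS256", hashlib.sha256),
    "CKM_ECDSA_SHA256":        ("ES256", hashlib.sha256),
}


def b64url_encode(raw):
    """Key Vault uses unpadded base64url for binary fields."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class KeyVaultSlot:
    """One 'virtual slot': opaque object handles that resolve to Key Vault key ids."""

    def __init__(self, vault_url, transport, api_version="7.4"):
        self.vault_url = vault_url.rstrip("/")
        # transport(method, url, headers, body) -> (status, response_body); in a real
        # connector this is an HTTPS client holding an Azure AD bearer token.
        self.transport = transport
        self.api_version = api_version
        self._handles = {}

    def c_find_object(self, key_name, key_version):
        """Map a (name, version) pair to a PKCS#11-style object handle."""
        handle = len(self._handles) + 1
        self._handles[handle] = (key_name, key_version)
        return handle

    def c_sign(self, handle, mechanism, data, token):
        """C_Sign: digest locally, POST the digest to Key Vault, return raw signature bytes."""
        if mechanism not in MECHANISMS:
            raise ValueError("CKR_MECHANISM_INVALID: %s" % mechanism)
        if handle not in self._handles:
            raise ValueError("CKR_OBJECT_HANDLE_INVALID: %r" % handle)
        alg, digest_fn = MECHANISMS[mechanism]
        key_name, key_version = self._handles[handle]
        url = "%s/keys/%s/%s/sign?api-version=%s" % (
            self.vault_url, key_name, key_version, self.api_version)
        body = json.dumps({"alg": alg, "value": b64url_encode(digest_fn(data).digest())})
        headers = {"Authorization": "Bearer " + token, "Content-Type": "application/json"}
        status, reply = self.transport("POST", url, headers, body)
        if status != 200:
            raise RuntimeError("CKR_DEVICE_ERROR: Key Vault returned HTTP %d" % status)
        reply = json.loads(reply)
        # The response names the key that signed; refuse anything but the one we asked for.
        expected_prefix = "%s/keys/%s/" % (self.vault_url, key_name)
        if not reply.get("kid", "").startswith(expected_prefix):
            raise RuntimeError("CKR_DEVICE_ERROR: unexpected kid %r" % reply.get("kid"))
        return b64url_decode(reply["value"])


def fake_transport_factory(log):
    """Offline stand-in for the HTTPS client: records each request and answers with the
    shape Key Vault uses. The 'signature' is SHA-256 of the request body (constructed
    test data, not an RSA signature)."""
    def transport(method, url, headers, body):
        log.append((method, url, headers, body))
        key_url = url.split("/sign?")[0]
        fake_sig = hashlib.sha256(body.encode("utf-8")).digest()
        return 200, json.dumps({"kid": key_url, "value": b64url_encode(fake_sig)})
    return transport


if __name__ == "__main__":
    requests_seen = []
    slot = KeyVaultSlot("https://contoso.vault.azure.net", fake_transport_factory(requests_seen))
    h = slot.c_find_object("sealsign-rsa", "abc123")   # placeholder key name/version
    print(slot.c_sign(h, "CKM_SHA256_RSA_PKCS", b"document bytes", "token").hex())
    print(requests_seen[0][1])
```

Note what is deliberately absent: a raw `CKM_RSA_PKCS` mechanism (where the application supplies its own DigestInfo) is rejected, because Key Vault's sign operation expects the bare digest for a named JWS algorithm; a real connector has to map every mechanism it advertises onto exactly one of those algorithms or refuse it.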

SafePost: Technology available to the user at any moment

AI of Things    28 November, 2017
Today SafePost was born, a new service that allows posting on social media and sending emails by using SMS. Mobile technology is building a better world, and we can go further, for example by helping in emergencies.

If you find yourself in a risky situation and need to send a message to the rest of the world, you can use SafePost to inform others about the emergency through your Twitter or Facebook profiles. Furthermore, if you need to send an email without data coverage, you can use SafePost to send these updates through Gmail or Outlook.
The SafePost app, available on Google Play, uses SMS to post on social networks and send emails. The SMS messages sent through the SafePost application are encoded with a temporary passcode, generally called a one-time passcode. This ensures that the user’s privacy is protected.
To use the service, register on SafePost’s website. Registration is made easy through Mobile Connect. Once the link has been established, you will be able to use the SafePost application to post to social networks and send emails from the authorized accounts. In the following video we show the steps required to configure SafePost and its basic uses (video in Spanish with the option of English subtitles):

When can I use SafePost?

Below, you can see a series of instances where SafePost is of use:
  • If you find yourself in a natural disaster, for example an earthquake or hurricane, and you do not have access to the internet, you can post through the SafePost app.
  • If you find yourself in a place without data connection and you need to communicate with the rest of the world, you can use the SafePost app.
  • If you need to communicate information to the rest of the world and, for whatever reason, you do not have the minimum required internet connection, you can use the SafePost app to keep saying what you want to say.
Over the coming days we will show you a practical way to get the most out of SafePost and the possibilities it brings as an emergency notification solution.
SafePost: technology in the hands of everyone, building a better world.

SafePost Team – Telefónica CDO

Don’t miss out on a single post. Subscribe to LUCA Data Speaks.

Dumpster diving in Bin Laden’s computers: malware, passwords, warez and metadata (II)

ElevenPaths    28 November, 2017
What would you expect from a computer network belonging to a terrorist group? Super-encrypted material? Special passwords? On 1 November 2017 the Central Intelligence Agency (CIA) released additional materials recovered in the 2 May 2011 raid on Bin Laden’s compound in Abbottabad, Pakistan. We have seen some news about the movies, porn, games and various other stuff stored on those computers. But we will go further: we will focus on the security aspects of its 360 GB of zipped information. Did they use passwords? Proxies? Encryption? Any special software?

A few hours after releasing the raw information from the hard drives of at least three computers found there, the CIA removed the content due to “technical” issues. Eight days later, they released the data again, but now all Office documents had been converted to PDF and the EXE files had been “deactivated” by removing their headers, for “security reasons”.


Analyzing registry files

Another interesting thing left there was the registry files: all kinds of system files, including not only hives but also the raw SYSTEM and SAM files. That looked very interesting: not just Windows passwords, but when they used to log in, installed services, programs, Microsoft licenses and much more. We retrieved all the registry files and tried to bring them back to life. These are some of the conclusions.
 
They all (ALNSER-81089E22, SHAED-PC and MASOOD-A4065887 (from Masood Khan)) used the same “public” Windows XP keys or licenses (QW4HD-DQCRG-HM64M-6GJRK-8K83T and RHKG3-8YW4W-4RHJG-83M4Y-7X9GW).

One of the computers, alive since 2002

Since we had the SAM files, we could try to recover the passwords with a different method. We had already tried with the hiberfil.sys file, but just in case. SAM files are encrypted by default with the SYSKEY… but that was no problem here: the registry files needed to work the SYSKEY out were there. But they were mixed up. We did not know which SAM file came from which computer, or which SYSTEM file went with which SAM file. So we had to run a simple brute-force attack, trying every combination of the evidence found.

After bkhive, we used Cain just to double-check

Some of the SYSKEY codes we found were 9e11eec3a1bdfa93caaa4691b08a372c, 09c6b06c839bb4bbda3d3d267f0316e4, d776321d44b86563039ae83db9becbea… We decrypted all the SAM files found with them… but no passwords were found either.
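The "which SYSTEM goes with which SAM" problem is mechanical once you know how the SYSKEY is checked, and the following added example (written for this page, not the authors' tooling; they used bkhive and Cain) shows it for the Windows XP-era RC4 scheme these machines used. Hive parsing is assumed to be done elsewhere (impacket, bkhive or any offline registry reader): the inputs are the four class-name strings of `HKLM\SYSTEM\CurrentControlSet\Control\Lsa\{JD,Skew1,GBG,Data}` and the raw bytes of the SAM `Domains\Account` key's `F` value. The boot key is the permutation of those 32 hex characters; the `F` value carries a salt, an RC4-encrypted "hashed boot key" and a checksum, and a wrong boot key fails the checksum, which is exactly the test that lets every candidate SYSTEM be tried against every SAM. The sample hives in the usage are constructed with `build_sample_f`, not recovered data.

```python
"""Recovering the SYSKEY (boot key) from SYSTEM-hive class names and finding which SAM
it unlocks. Added example for the pairing problem described above; not the authors'
tooling. Covers the Windows XP RC4 scheme; inputs are assumed to come from a hive parser."""
import hashlib
from binascii import unhexlify

# Constants of the SAM key-material scheme (the same ones bkhive/samdump2 use).
AQWERTY = b"!@#$%^&*()qwertyUIOPAzxcvbnmQQQQQQQQQQQQ)(*@&%\x00"
ANUM = b"0123456789012345678901234567890123456789\x00"
PERMUTATION = [8, 5, 4, 2, 11, 9, 13, 3, 0, 6, 1, 12, 14, 10, 15, 7]


def bootkey_from_lsa_classes(jd, skew1, gbg, data):
    """Assemble the 16-byte boot key from the class names (8 hex chars each) of the
    Lsa\\JD, Lsa\\Skew1, Lsa\\GBG and Lsa\\Data keys, in that order, then unscramble."""
    scrambled = unhexlify(jd + skew1 + gbg + data)
    if len(scrambled) != 16:
        raise ValueError("expected 32 hex characters of class-name data")
    return bytes(scrambled[PERMUTATION[i]] for i in range(16))


def rc4(key, data):
    """Plain RC4 (KSA + PRGA); only used for the SAM key-material blob."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def hashed_bootkey(sam_f, bootkey):
    """Decrypt the hashed boot key stored in SAM\\Domains\\Account 'F':
    salt at 0x70, RC4(key || checksum) at 0x80. Returns the 16-byte key when the
    checksum validates, None when this boot key does not belong to this SAM."""
    salt = sam_f[0x70:0x80]
    enc = sam_f[0x80:0xA0]
    rc4_key = hashlib.md5(salt + AQWERTY + bootkey + ANUM).digest()
    dec = rc4(rc4_key, enc)
    check = hashlib.md5(dec[:16] + ANUM + dec[:16] + AQWERTY).digest()
    return dec[:16] if check == dec[16:] else None


def pair_hives(system_bootkeys, sam_blobs):
    """Brute-force the SYSTEM <-> SAM pairing: every boot key against every 'F' blob.
    Returns {sam_label: system_label} for the combinations whose checksum validates."""
    matches = {}
    for sam_label, f_blob in sam_blobs.items():
        for sys_label, bootkey in system_bootkeys.items():
            if hashed_bootkey(f_blob, bootkey) is not None:
                matches[sam_label] = sys_label
    return matches


def build_sample_f(bootkey, hbootkey):
    """Constructed test data: forge an 'F' blob that the given boot key unlocks.
    Only the Key0 structure at 0x70 matters here; the domain fields before it are zeroed."""
    salt = hashlib.md5(hbootkey).digest()
    check = hashlib.md5(hbootkey + ANUM + hbootkey + AQWERTY).digest()
    rc4_key = hashlib.md5(salt + AQWERTY + bootkey + ANUM).digest()
    return b"\x00" * 0x70 + salt + rc4(rc4_key, hbootkey + check)


if __name__ == "__main__":
    # Constructed class names and SAM blobs; labels are placeholders, not real hives.
    key_a = bootkey_from_lsa_classes("0a1b2c3d", "4e5f6071", "8293a4b5", "c6d7e8f9")
    key_b = bootkey_from_lsa_classes("ffffffff", "00000000", "12345678", "9abcdef0")
    systems = {"SYSTEM-1": key_a, "SYSTEM-2": key_b}
    sams = {"SAM-x": build_sample_f(key_b, b"\x42" * 16), "SAM-y": build_sample_f(key_a, bytes(range(16)))}
    print(key_a.hex(), pair_hives(systems, sams))
```

Once a pairing validates, the returned hashed boot key is what decrypts the per-user `V` values (the LM/NT hashes); an empty or all-zero result at that stage, rather than a failed checksum, is what "no passwords were found" looks like in practice.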

From some of the SYSTEM and user registry hives, we can learn which programs were scheduled to run when the computer started up (the common registry branch for programs and malware… under HKLM or HKCU, in CurrentVersion\Run).

Some examples of programs from two different computers

Here we found two examples from two different computers. Of course, “Msn Messsenger” (with three “s”) does not exist, and regsvr.exe is probably malware. SCVhost.exe is not svchost.exe, and in the Winlogon key only the legitimate explorer.exe (Shell) or userinit.exe (Userinit) should appear, not regsvr.exe… these are all common symptoms of a malware infection.
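The same checks can be run over an exported hive rather than by eye. The following is an added example written for this page, not the authors' workflow: it parses a constructed `.reg`-style export of the Run and Winlogon keys (a real hive would be exported with a hive parser first) and flags the three patterns above, namely extra binaries in Winlogon `Shell`/`Userinit`, file names that imitate system binaries, and Run entries whose display name claims a product but launches something else. The expected-binary, lookalike and product tables are small illustrative sets, not a complete reference, and the registry data is constructed to resemble the page's two screenshots.

```python
"""Triage of autostart entries recovered from registry hives. Added example, not the
authors' workflow: the input is a constructed .reg-style export of the Run and
Winlogon keys; the reference tables are illustrative, not exhaustive."""
import re

# What a clean Windows XP install launches from these Winlogon values.
EXPECTED_WINLOGON = {"shell": {"explorer.exe"}, "userinit": {"userinit.exe"}}
# File names that imitate system binaries (the two seen above, plus one more).
LOOKALIKES = {"scvhost.exe": "svchost.exe", "regsvr.exe": "regsvr32.exe",
              "iexplorer.exe": "iexplore.exe"}
# Keyword in a Run value's display name -> the binary that product really installs.
PRODUCT_BINARIES = {"msn": "msnmsgr.exe"}

# Constructed sample export (backslashes doubled, as regedit writes them).
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Msn Messsenger"="C:\\WINDOWS\\system32\\regsvr.exe"
"SoundMan"="SOUNDMAN.EXE"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"SCVhost"="C:\\WINDOWS\\SCVhost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,regsvr.exe,"
"""


def parse_reg(text):
    """Yield (key_path, value_name, data) for each "name"="string" line under a [key].
    Only REG_SZ lines are handled; hex(...) binary values are skipped."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('"'):
            match = re.match(r'"([^"]+)"="(.*)"$', line)
            if match:
                yield key, match.group(1), match.group(2).replace("\\\\", "\\")


def executables(data):
    """File names launched by an autostart value: handles comma-separated lists
    (Winlogon style), quoted paths and trailing arguments; lower-cased for comparison."""
    names = []
    for part in data.split(","):
        part = part.strip()
        if not part:
            continue
        cmd = part[1:].split('"')[0] if part.startswith('"') else part.split(" ")[0]
        names.append(cmd.replace("/", "\\").rsplit("\\", 1)[-1].lower())
    return names


def triage(reg_text):
    """Return (key, value_name, reason) findings for suspicious autostart entries."""
    findings = []
    for key, name, data in parse_reg(reg_text):
        leaf = key.rsplit("\\", 1)[-1].lower()
        exes = executables(data)
        if leaf == "winlogon" and name.lower() in EXPECTED_WINLOGON:
            for exe in exes:
                if exe not in EXPECTED_WINLOGON[name.lower()]:
                    findings.append((key, name, "unexpected %s in Winlogon %s" % (exe, name)))
        for exe in exes:
            if exe in LOOKALIKES:
                findings.append((key, name, "%s mimics %s" % (exe, LOOKALIKES[exe])))
            for keyword, real_exe in PRODUCT_BINARIES.items():
                if keyword in name.lower() and exe != real_exe:
                    findings.append((key, name, "name claims %s but launches %s" % (keyword, exe)))
    return findings


if __name__ == "__main__":
    for key, name, reason in triage(SAMPLE_REG):
        print("%s\\%s: %s" % (key, name, reason))
```

The Winlogon check is the one worth keeping strict: `Shell` and `Userinit` are comma-separated lists, so malware persists by appending itself after the legitimate binary, and a parser that only looks at the first element misses it.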

With this data, we can even get to know when they usually logged in (mostly during the afternoon). For example, was this login the last ever on the computer? It was done on May 1st… and the CIA raid is dated May 2nd.

Last login in the computer about 2 in the morning

Passwords and… passwords

We looked in some other possible password locations, for example the Firefox database called key3.db (plus some other JavaScript and SQLite files). But no luck there.

Firefox preferences with no password

We tried Outlook Express passwords as well, since they are stored in the registry. Although we found a password, it was not real and was likely set randomly at installation time.

Fake Outlook Express configuration

There were no signs of any password managers on the drives. Even worse, we found a password written in a simple plain-text TXT file with no context.

Plain password in a TXT file

And another one with some context… but, when investigated, it is just some sort of Office activation code.

Just a common Office activation code

Passwords for communications between terrorists

An interesting part is the passwords, specifically the ones used for communication between terrorists. Thanks to Metashield Protector, we found the email [email protected] embedded in a Word document. But the context of the file was much more interesting than the email itself.

In these letters they send instructions for “secure” communication

In this letter, the sender recommends that, because the Internet is so insecure, the communication should be compressed into password-protected files sent between one another. The password is something in English like “I have no objection to what I gave, and he is the open-minded”.

The letter is for “Mukhtar Abi Al-Zubayr”, the leader of the Somali militant group Harakat al-Shabab al-Mujahidin, which merged with al-Qaeda after Bin Laden’s death. The letter recommends alerting the receiver about the letter and changing the extension from ZIP to that of some multimedia file (MP3 or something like that).

Metadata 

Thanks to some metadata, we could find some of the latest documents written on those computers. The date is set in the “future”, January 2012 (or even later), for some of the documents found. We have to assume the date on the computers was not properly set.

Metashield Forensics shows the “life cycle” of a document

This particular letter was written on a Sunday and printed on a Thursday. But before that, it was edited in some way.

First version of the letter above. Later version below

“I had sent a previous letter via Sheikh Mahmoud I ask you your phone number to arrange with you my wedding order from the honorable Sheikh Abu abd al.Rahman…
Then, a few days later, this paragraph is added: “For the phone number, please separate it in the message by arranging it in several parts as funds or objects

And they stored a hacking book

Despite the malware, warez and lack of security measures found, they had a hacking book stored.


This book, created by the well-known “Terrorist 007”, was somewhere on the hard drives. It is a quite simple, basic guide to hacking, probably created in 2006, with traditional tricks and “usual” hacks.

* Dumpster diving in Bin Laden’s computers: malware, passwords, warez and metadata (I) 


Innovation and Laboratory
[email protected]