How does a hybrid cloud work?

Telefónica Tech    28 November, 2022

When it comes to digitalisation and starting the “journey” to the cloud, most companies choose multi-cloud solutions or hybrid clouds as the main technology for safeguarding their databases and related tasks.

The use of hybrid clouds is one of the trends in information technology whose benefits are already beginning to be felt in large companies that have chosen to make use of them.

For this reason, before investing in a new technology for your company, you need to know exactly how a hybrid cloud works, the main characteristics that make it stand out and for which specific cases it is most recommended.

What is a hybrid cloud?

The hybrid cloud is the combination of a private cloud with other types of services from a public cloud that is managed by software specially created to unify both services and provide a response in a single control panel.

The company thus has access to hybrid cloud storage that will offer superior flexibility and respond to different specific demands.

In this sense, the definition of a hybrid cloud captures both the security it offers companies for their private data and, at the same time, the technological resources of a public cloud: the company gets both simultaneously.

Features of the hybrid cloud

Hybrid cloud storage has certain characteristics that make it clear how it works and how it could help you manage your business data:

  • Adaptability or scalability: one of the most outstanding characteristics is that its flexibility can respond to any business need automatically.
  • Compatibility and integration with existing systems: any hybrid cloud must have an architecture that can be combined with your company’s existing private cloud facilities and services.
  • High security: being fully adaptable, it also offers the possibility of responding to any security requirement by integrating complex protocols specific to private clouds and specialised servers.
  • Savings: another of the most important features is that it does not require as much investment in infrastructure, applications, extensions or equipment.

How do hybrid clouds work?

The operation is essentially very similar to how public and private clouds are managed independently, as their protocols remain the same. However, you will perceive it as a single system with a single control panel, such as the Telefónica Tech Cloud Portal.

This is because hybrid clouds incorporate their own API and automation software that connects the two environments through application programming interfaces, virtual private networks or wide area networks, efficiently and reliably. It is this connection between the two services that distinguishes hybrid clouds from purely private, public or multi-cloud deployments.

It is important to note that the quality of this connection largely determines the performance of the hybrid cloud, so the technologies interconnecting the services must be fully stable.

When is a hybrid cloud needed?

While a hybrid cloud is an ideal technological leap to get the best of two great infrastructures, it is advisable to develop an assessment plan that makes it clear why you need to implement a hybrid cloud in your company.

The best way to start the assessment is with your current cloud situation as a baseline: when you realise that your current cloud or server is not meeting all your needs, and you have had to resort to impractical solutions that extend its functionality.

Should you need to store important, sensitive or private data, and at the same time need to have public databases positioned on the network, it is time to consider using a hybrid cloud solution.

Cyber Security Weekly Briefing, 18 – 25 November

Telefónica Tech    25 November, 2022

Exploit for ProxyNotShell vulnerabilities published

The first publications about new critical vulnerabilities in Microsoft Exchange Server, CVE-2022-41040 and CVE-2022-41082, which were named ProxyNotShell, were published at the end of September.

However, it was not until this November’s Patch Tuesday that Microsoft released patches for these security flaws, even though the company had confirmed that it was aware that malicious actors had actively exploited these vulnerabilities on 30 September through limited targeted attacks.

Security researcher Janggggg published an exploit for these vulnerabilities last week, which would be functional in Exchange Server versions 2016 and 2019, and even against 2013 with some modifications, according to confirmations made by security researcher Will Dormann.

Microsoft recommends its users to apply the patches as soon as possible to prevent possible future attacks against these vulnerabilities.

More info

Atlassian fixes vulnerabilities in Crowd and Bitbucket

The Atlassian team has released a new update in its Crowd Server and Data Center identity management platforms, as well as in Bitbucket Server and Data Center. This update is meant to fix two vulnerabilities considered serious by the company itself and which affected several versions of the aforementioned software.

These vulnerabilities are CVE-2022-43781 and CVE-2022-43782. In the first case, it is a command injection vulnerability in Bitbucket that allows the attacker to control the session in order to execute code under certain conditions and permissions. In the case of Crowd the flaw allows an attacker to bypass password checking during Crowd’s authentication process and gain privileges to make API calls to endpoints.

Regarding Bitbucket all versions from 7.0 to 7.21 are affected, as well as versions 8.0 to 8.4, unless they are instances running PostgreSQL or hosted on Bitbucket’s domain. In the case of Crowd affected versions range from 3.0.0 to 3.7.2 (which will not be fixed) and 5.0.0 to 5.0.2.

More info

Cisco Secure Email Gateway Anti-Malware Protection Failure

The Cisco team confirmed today the existence of a filtering flaw in its Secure Email Gateway and IronPort Email Security Appliance Software versions 14.2.0, as reported by an anonymous researcher earlier last week after allegedly receiving no response from the company.

The researcher’s discovery consisted of several attack methods that can be used to bypass certain filters within Secure Email Gateway to send malware via specially crafted emails. This would be done via three different attack vectors that exploit a bug in the identification of emails and attachments when they include malicious MIME Content-Type headers. The attack would be relatively easy to carry out and, according to the anonymous researcher, exploitation of the flaw has already been observed.

However, the company has denied that this is a vulnerability in its products and blames the flaw on a problem in the anti-malware scanning engines of Sophos and McAfee.

More info

Activity analysis of the Quantum Locker group

The Belgian company Computerland has shared information on the Tactics, Techniques and Procedures of the malicious actor Quantum Locker. The data comes from the analysis conducted by the organisation during the latest attacks perpetrated by Quantum Locker against companies located in Central Europe.

The researchers note that the actor’s targets include the complete takeover of Azure cloud services through root account compromise (T1531). In addition, the actor also focuses on locating and deleting all of the victim’s Azure blob storage in order to delete backups (T1485).

Computerland also warns that the main targets of its attacks are IT administrators and network personnel, so that it can gain access to their resources to collect credentials from the victim’s network and extend its attack (T1530).

Finally, it is worth noting that Quantum combines new and old techniques to distribute ransomware, such as modifying domain group policies (T1484.001) and using the AnyDesk tool for remote access (T1219).

More info

Kaspersky researchers have identified a phishing campaign that uses Google Translate links to spread phishing pages.

The links are sent by email under various pretexts and end up leading to the attacker’s pages, but these are served via Google’s translation services which allow full web pages to be translated by entering the URL address.

The recipient will see a link to an apparently legitimate Google service (the translate.goog domain) that translates the website on the fly and serves the content, in this case malicious content, through an apparently innocuous connection, but which can have the same unwanted effects as a conventional phishing scam.

More info

Artificial Intelligence in Fiction: The Circle (2017), by James Ponsoldt

Santiago Morante Cendrero    24 November, 2022

Plot

The film The Circle by James Ponsoldt, based on Dave Eggers’ novel of the same title, introduces Mae Holland (Emma Watson) as a young intern who joins The Circle, a Big Tech company headed by Eamon Bailey (Tom Hanks) that develops everything from hardware to social media (any resemblance to real big tech companies is purely accidental).

Dazzled by the company’s apparent modernity and openness, Mae attends the corporate event at which an innovative technology is unveiled to place, everywhere, cameras that broadcast in real time to social networks. From this point the plot descends hand in hand with the main character into the darker side of the loss of privacy and unregulated corporate practices.

The cult of AI technology

Somehow reminiscent of 1984, the main theme of the film’s plot is clearly that of privacy, which in the real world has been greatly affected, and even challenged, in the last decade, mainly due to social media.

If we have included this film in our section on Artificial Intelligence, it is not because the film is specifically about Artificial Intelligence (AI), but because of the cult of technology that underpins the plot.

Technology serves in the film, in an obvious way, as a lever for The Circle to gain power. But this would not be possible if it were not for the mass of users who support it wholeheartedly. Technology for technology’s sake. Technology as belonging to a group. The unquestioning defence of developments. And this is where it connects with AI.

There is a tendency to rely on Artificial Intelligence, particularly if its results reinforce one’s previous opinion on a subject.

AI is difficult to develop, and it is even more difficult to understand why it makes the decisions it does, especially the new developments in Deep Learning.

That is why there is a tendency to rely on AI uncritically and assume the correctness of the results, particularly if they reinforce one’s previous opinion on a subject.

I believe it is necessary to put any technological development into perspective, no matter how modern, trendy, attractive and cool it may seem, because the basis of technology is to make people’s lives better. If it does not meet this objective, the technology is worthless. We should not develop for development’s sake. This is one of the clearest messages that the film sends us.

It is pointless to develop technology if it does not improve people’s lives.

Collective Intelligence as Artificial Intelligence

The technology presented in the film basically works by collective intelligence, i.e. many people looking at the images streamed by the cameras, such as the identification of a person using all the cameras in the world that occurs in (spoiler alert!) one of the scenes.

It is a logical step that this work would end up being done by an AI, which the film does not address. In a sense, the mass of users performs the function of an artificial intelligence: it delivers results without judging what it is doing. This way of working, doing small jobs manually and aggregating the results, already exists in the real world and is offered by several platforms, which pay small amounts of money to many people who do small tasks and then aggregate the results.

Thus, collective intelligence becomes the source of data that AI drinks from, with users tagging the data for AI to do its work. The users working for the AI, so that the AI can then work for the users. A curious circle that in the film remains a semicircle, addressing only the first part.

Rating

The Circle is a dystopia that is not too far from our current reality. The film underestimates the use of AI in technology, resorting to collective intelligence instead. In that sense it has been less ambitious than similar offerings such as Person of Interest.

Instead, it offers a stark view of why companies push technologies that dilute people’s privacy.

In order to be able to make a ranking of future films and series, we will rate the degree of realism of each technology presented, using a scale (out of 5):

  • Artificial intelligence: 1/5 (it underestimates its use)
  • Other technologies: 5/5 (social media and cameras everywhere)

Result: 3/5 technological realism

Availability: The Circle is available through Prime Video.

“To be a hacker in life is to be a passionate, talented person who manages to influence the transformation of society”, Carmen Alonso

Marta Nieto Gómez-Elegido    23 November, 2022

They say that passion for a profession is forged at an early age. Our parents are our first and most important role models. So, it is not surprising that Carmen Alonso, Head of Financial Services, Leisure & Education at Telefónica Tech IoT & Big Data, is so passionate about what she does. Since she was a child, she has always been privileged to have technology close to her.

“You could feel a change taking place, it was something innovative that transformed people’s lives”, she confesses, remembering her father and how, because of his work, she was lucky enough to have technology present early in her life.

Did you ever imagine when you were a child that you would be working in what you do today?

“I wanted to be so many things when I was a kid. I loved the woman on the news, but I also wanted to be an astronomer, a dancer…”, she laughs. Now, as she tells us, she does all sorts of things: many customers, different industries, different problems to solve… “In this aspirational desire to be many things, I have a lot of fun in my job because every day I am a different person”.

And it is this joy for what she does that leads her to speak with real passion when we ask her about her job. Something that makes her a genuine lady hacker.

What does it mean to you to be a lady hacker?

“To be a hacker in life is a way of being, of being passionate about transforming the world around us into something different, fairer, simpler and more humane, but at the same time sophisticated,” she says after shyly telling us that she has given this answer a lot of thought.

“My tool for changing society is technology and data, that’s my field.” A technological field where there is an increasing number of women and where Carmen has not noticed any inequality in her professional career.

Is the tech world becoming more inclusive?

She answers with a quick “I think so” because “nowadays in technology we need profiles of all kinds, multidisciplinary: sociologists, linguists, architects…” A series of very diverse profiles that, as Carmen assures us, “will equalise the quotas” of women and men who choose technological careers.

Technology and humanities are progressively going hand in hand, contributing joint value to society, something that our interviewee believes will make a difference. She is also sure that, as women, “right now we have visibility, and we want to be there”.

A thought that she expresses with confidence, as well as another reality that for her is of great value: her colleagues. “There are excellent managers at Telefónica who value work and effort and are committed to giving it visibility. They see the value and promote it”.

When asked about inequality in technology careers, Carmen assures us that she has only felt it in terms of her age, but not in terms of gender. “In the end, meritocracy and effort must prevail, and in certain positions of responsibility you have to be willing to make certain sacrifices. Now women are free to choose and decide their priorities. It is the circumstances of life that allow your choices to be one way or another, but there is a great deal of female talent…”

Who has been or is your female technological reference?

She tells us that, for her, having just one point of reference is very complicated, because throughout her career she has met people who have influenced her a lot, but if she has to choose a point of reference in her life, she has no doubts. “For me, the person who has given me the values that need to be reflected in technology has been my mother: a transparent, fair, responsible, ethical woman…”, she describes proudly.

At this point, Carmen also reflects on the importance of knowing how to be in the background, contributing so much to society and transforming the world from behind, as many women have done throughout history. “Albert Einstein’s wife comes to mind”, creator of the mathematical basis used by her husband.

On this 8th March, International Women’s Day, we are also looking at future generations. Students who are passionate about technology and who find in profiles like Carmen Alonso’s an example to follow.

On Women’s Day, what advice would you give to girls and young women thinking of going into the world of technology?

“You have to dedicate yourself to what you consider to be different and, at the same time, what you are passionate about. If you are not having fun, you are not going to be good”, she assures us first of all.

Carmen believes that “the professional world is going to be completely transformed, new models of much more collaborative relationships where technology will be an essential part”, so, as a piece of advice, she considers that it is necessary to know it in its broadest scope and, above all, “learn a lot about a specific discipline and do not forget to understand the business”, always keeping your mind ready to continue learning.

“In the end it’s all about passion, instinct, going for what you like, selecting and having a broad mind. You have to learn and relearn a lot. You have to be able to adapt to whatever comes your way.”

Three principles for building a reliable Artificial Intelligence

Carlos Martínez Miguel    22 November, 2022

Artificial Intelligence allows machines to learn, both under supervision and autonomously. The proliferation of Cloud technologies, the digitalisation of images, texts and audio and the development of IoT (Internet of Things) have made it possible to gather the large volumes of information that machines need to learn.

In this way, machines, through Artificial Intelligence, acquire the ability to find patterns and relate data, events or variations even imperceptible to the human eye; calculate what is going to happen in a certain area and even provide answers to questions thanks to data analytics, with the potential that this has to help us find solutions to some of the problems of our society.

Artificial Intelligence is already present in our lives much more than we realise.

Some everyday examples of Artificial Intelligence are the algorithms that recommend content on video-on-demand platforms, those that prevent and detect fraud by identifying anomalous use of bank cards, or those that recalculate the route in the car’s GPS based on traffic conditions.

Artificial Intelligence has also demonstrated its capacity in areas such as industry, where it prevents failures and breakdowns in machines and systems to avoid incidents or unforeseen stoppages; health, where it has numerous applications in both the diagnosis and treatment of diseases such as Alzheimer’s or cancer; or education, where it can anticipate school dropouts, detect talent, or personalise study plans based on the abilities and individual needs of each student.

Towards a responsible Artificial Intelligence

The benefits of Artificial Intelligence are therefore enormous. It allows us to reach far beyond what our human analytical capacity makes possible and opens up great opportunities in the use of data by companies and organisations.

The growing importance and influence of data in our lives makes it necessary to develop responsible Artificial Intelligence in which algorithms pivot around three essential principles: ethics, transparency and explainability.

  • Ethics: as algorithms acquire the ability to make or influence decisions, they need to respect social norms so that they are fair, inclusive, diverse and respectful of privacy.
  • Transparency: to avoid algorithms being “black boxes” in which we do not know what happens, we need to know how they are applied and how they work, being able to access the data sources used and the mathematical formulae employed.
  • Explainability: we need to be able to understand the “behaviour” of the algorithm, what results it is generating and why it is generating them, or why it makes a decision or arrives at a particular deduction and not another.

Ensuring that the data that will be used to train and teach the algorithm are free of bias and are shaped in a fair manner, aligned with human rights and in line with the rule of law, especially when dealing with personal data, is critical for an algorithm to be ethical.

Principles of ethics and transparency

In this sense, the European Union’s regulatory model is oriented in this direction, and public bodies and large companies are focusing their efforts on it. One example is Telefónica, which published its Ethical Principles on the Use of Artificial Intelligence in 2018.

Children need to be taught about computational thinking, algorithms and Artificial Intelligence.

The key to complying with the aforementioned principles is to improve the population’s level of knowledge about Artificial Intelligence by investing in education in this area. Children need to be taught about computational thinking, algorithms and Artificial Intelligence, just as they are increasingly trained in programming and computer science.

These principles of ethics and transparency are critical to building a responsible and inclusive Artificial Intelligence that fosters equal opportunities and drives economic and social progress. In short, Artificial Intelligence at the service of people, which contributes to building a better society.

Cyber Security Weekly Briefing, 11 – 18 November

Telefónica Tech    18 November, 2022

Security updates for 35 Cisco vulnerabilities

Cisco has released a security update that addresses 35 vulnerabilities in Cisco Adaptive Security Appliance (ASA), Firepower Threat Defense (FTD) and Firepower Management Center (FMC). Eight of the 35 vulnerabilities are of high criticality, the highest being CVE-2022-20946 and CVE-2022-20947 (both with a CVSS score of 8.6), which affect Cisco ASA and Cisco FTD products.

An unauthenticated attacker could exploit them to achieve a denial-of-service (DoS) condition. In addition, vulnerability CVE-2022-20927 (CVSS of 7.7), which affects the same products as the previous ones and could also lead an attacker to cause a DoS condition, also stands out.

Of the remaining bugs, 15 cross-site scripting (XSS) vulnerabilities in the Cisco FMC interface stand out. According to Cisco’s bulletin, there are no known active exploits against any of the newly patched vulnerabilities.

More info

* * *

Large-scale Fangxiao campaign impersonating hundreds of companies

The Cyjax team has published research into a sophisticated large-scale campaign in which malicious actors allegedly created and used more than 42,000 web domains.

According to the researchers, the Fangxiao group was behind the campaign, whose modus operandi consisted of sending links via WhatsApp that redirected the user to a domain controlled by the attackers, where known companies were impersonated. More than 400 impersonated companies in the banking, retail, energy, travel, etc. sectors have been detected so far.

After completing an initial survey under the pretext of winning prizes, users are redirected again to other domains that are constantly changing, ending in the download of an application with the Triada trojan. In other cases, the fraudulent scheme redirects users to Amazon’s website via an affiliate link that results in a commission to whoever controls the final redirection.

Cases have also been detected where users are referred to a micro-payment SMS scam. Cyjax indicates that the campaign is aimed at users all over the world.

More info

* * *

Mozilla fixes multiple vulnerabilities

Mozilla has announced the release of a new version of the Firefox 107 browser in which numerous vulnerabilities have been fixed. A total of 19 vulnerabilities have been fixed with this new version, of which Mozilla has categorised nine as high impact.

Among these, the majority are due to bugs related to memory mismanagement that could lead to program crashes, among other bugs that could lead to disclosure of information or omission of notifications to carry out phishing attacks.

An example of this is the vulnerability identified as CVE-2022-45407, whereby an attacker could load a legitimate font file and trigger a crash, a flaw Mozilla calls a “potentially exploitable crash”. Another of the fixed vulnerabilities, identified as CVE-2022-45404, is described as “full screen notification bypass”.

It should be noted that these bugs have also been fixed in Mozilla Thunderbird with version 102.5.

More info

* * *

New details on the latest Emotet campaign

Following the detection of new Emotet infections at the beginning of November, numerous researchers have analysed in detail the latest campaign carried out between 2 and 11 November.

As initially reported by Cryptolaemus researchers, one of the most notable changes in this email campaign compared to previous campaigns is that the malicious actors (TA542) instruct victims to copy the malicious Excel attachment to the Templates folder, where macro protection is not enabled.

In addition, new features have also been detected in the Emotet binary, as well as a return to the delivery functionality of other malware families, which have been found to be used to spread new variants of the IcedID loader or Bumblebee.

According to the research published by Proofpoint, this campaign has attempted to deliver hundreds of thousands of emails every day with different lures and written in several languages, which has placed victims in Spain, Mexico, Greece, Brazil, the United States, the United Kingdom, Japan, Germany, Italy and France, among others.

It is also estimated that, although no activity has been detected since the 11th, it is very likely that TA542 will soon distribute Emotet again as its network is once again fully operational.

More info

* * *

Qbot changes to misuse Windows 10 control panel

The security researcher known on Twitter as “proxylife” (@pr0xylife) has uncovered a phishing campaign involving the Qbot malware, also known as Qakbot, which has been observed to have moved from exploiting a vulnerability in the Windows 7 calculator to exploiting a bug in the ‘control.exe’ executable in the Windows 10 control panel.

Qbot creates a malicious DLL file with the same name and in the same folder as the legitimate DLL, causing Windows to run it and download the trojan onto the victim’s computer.

In this way, it also manages to evade the protection of antivirus software, as it will not flag as malicious a program that has been installed from the Windows 10 control panel.
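As an added defensive illustration (not code from the briefing or from the researcher cited), the following Python scans constructed Sysmon-style image-load records for the pattern described above: a DLL that shares the name of a Windows system DLL but is loaded from outside the system directories, or an unsigned DLL loaded by control.exe. The event field names, the sample records and the small list of known system DLLs are all assumptions made for this example.

```python
"""
Detection helper for DLL sideloading of the kind described above.

Input: a list of constructed Sysmon-style image-load events (Event ID 7),
represented as dicts with the keys "image" (the loading process),
"image_loaded" (the DLL path) and "signed" (bool). These field names are
an assumption for this example, not Sysmon's exact schema.
"""
from __future__ import annotations

import ntpath

# Windows system directories where legitimate system DLLs are expected.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# Hypothetical allow-list of DLL names that should only load from SYSTEM_DIRS.
# A real deployment would build this list from a clean reference host.
KNOWN_SYSTEM_DLLS = {"shell32.dll", "comctl32.dll", "user32.dll", "kernel32.dll"}


def is_in_system_dir(path: str) -> bool:
    """True if the path sits directly under one of the Windows system directories."""
    p = path.lower()
    return any(p.startswith(d + "\\") for d in SYSTEM_DIRS)


def classify(event: dict) -> str | None:
    """Return a short reason if the load looks like a sideloaded DLL, else None."""
    loaded = event["image_loaded"]
    name = ntpath.basename(loaded).lower()
    if is_in_system_dir(loaded):
        return None  # loaded from where system DLLs belong
    if name in KNOWN_SYSTEM_DLLS:
        # Same file name as a system DLL, but a different directory: the
        # search-order hijack the briefing describes.
        return f"{name} loaded from non-system path {loaded}"
    if not event.get("signed", False) and event["image"].lower().endswith("\\control.exe"):
        # control.exe normally loads only signed Microsoft DLLs.
        return f"unsigned DLL {name} loaded by control.exe"
    return None


def find_sideloads(events: list[dict]) -> list[dict]:
    """Run classify() over every event and collect the suspicious ones."""
    hits = []
    for ev in events:
        reason = classify(ev)
        if reason is not None:
            hits.append({"process": ev["image"], "dll": ev["image_loaded"], "reason": reason})
    return hits


# Constructed sample events: two benign loads, one same-name hijack,
# one unsigned DLL pulled in by control.exe, one benign third-party plugin.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\control.exe",
     "image_loaded": r"C:\Windows\System32\shell32.dll", "signed": True},
    {"image": r"C:\Windows\explorer.exe",
     "image_loaded": r"C:\Windows\SysWOW64\comctl32.dll", "signed": True},
    {"image": r"C:\Windows\System32\control.exe",
     "image_loaded": r"C:\Users\victim\AppData\Local\Temp\shell32.dll", "signed": False},
    {"image": r"C:\Windows\System32\control.exe",
     "image_loaded": r"C:\Users\victim\Downloads\helper.dll", "signed": False},
    {"image": r"C:\Windows\System32\notepad.exe",
     "image_loaded": r"C:\Program Files\Vendor\plugin.dll", "signed": True},
]

if __name__ == "__main__":
    for hit in find_sideloads(SAMPLE_EVENTS):
        print(f"[ALERT] {hit['process']} -> {hit['dll']}: {hit['reason']}")
```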

Once installed on the target computer, Qbot will steal emails for use in phishing campaigns or can even be used to download other types of malware such as Brute Ratel or Cobalt Strike.

More info

A matter of trust: The need for governance and control of a project

José Pedro Gómez    17 November, 2022

Why do I need management figures for the governance of my project?

Back in the 13th century, a philosopher once said that an arrow has all the power in itself to hit the target, but that in order to hit the bull’s-eye it cannot be a matter of chance, but must be intentionally aimed, and the same applies to our projects: an archer is needed to set the arrow in motion and to give the necessary direction and strength to hit the target.

In our time, the target is constantly moving, so we need to control the trajectory and force more intelligently than ever with a vision extrinsic to the arrow. If we manage to keep our arrow in flight on a recurring basis, we will have succeeded in setting up a service.

We are used to hearing that a client’s organisation is determined by business orientation, and this sounds good, but the truth is that sometimes we find it difficult to land that common space that establishes a framework for growth in which both parties feel comfortable. 

In all methodologies, what we call activity governance appears in some form and under more or less homogeneous names. It is traditionally represented as a pyramid with three levels of demand, in which IT professionals must work in an aligned manner to provide the different services based on market standards, with solvency in environments of all sizes.

This sounds great but, how do we determine who is responsible?

Those responsible will sit in the top layer of the organisational pyramid, and we must orient that layer towards the strategy and management of the business itself, which will be the client’s main concern, with a strategic alignment for the management of the infrastructure that is clearly focused on the client’s activity and on the applications it demands.

They will inherit from this layer all the policies and any necessary changes of direction for a common growth in which they will contribute in a real way to the fulfilment of the objectives of the organisation that demands the activity.

This will be the tip of the iceberg that determines success in the rest of the layers applied in the management of our projects or services. It is at this point that the contractual relationship between both companies is established, assigning the roles of maximum responsibility to the designated figures.

How do we ensure compliance? Who will be my reference? How do we land this?

All of this is developed at a second level, where we must establish the bases for service level management. This is what we know as the tactical phase, and here the client will designate the heads who will manage the budget, who will develop the strategic policies in detail and who will work bidirectionally, generating both executive and technical detail reports.

These roles will be responsible for the different Service Level Agreements (SLA) and will ensure their compliance with problem management analyses that will activate the improvement levers that guarantee the stability of the client’s infrastructure.

The best-known figure is the Service Manager in the operation phase and the Project Manager during the integration phases.

And what about the technicians?

In the layer closest to the client, we will find both change requests and incident support, and even the user service centres where applicable. This is the main source of improvement actions that guarantee that the client’s productive environment can be considered stable in terms of the business continuity designed, with sufficient flexibility to adapt to changes, security, growth or the adaptation of the systems.

We could call this phase operational, but it must be in line with the defined policies and with the capacity to extract metrics and different indicators that guarantee compliance with the contracted agreements and, if required, establish a direct relationship between the technical coordinators and the department managers, but always in accordance with what has been mentioned in relation to the upper layers.

Now it is time to sort all this out: The committees

In order to establish a logical order and make the machinery work correctly, a series of committees will also be set up at different levels. There, the aspects that will lead the project to excellent execution in terms of time, stability and resources are agreed, taking into account the maturity of the environment on the one hand and the needs for evolution and change on the other.

AI of Things (XII): OEM solutions for the connected car

Daniel García    15 November, 2022

We recently decided to renew our car at home by switching to a new one that is safer and more efficient. After the purchase process came the long awaited day of picking up our new car. When I sat in the car that afternoon and fiddled with the car’s settings, the section that caught my attention was the “Connected Services” section.

After activating them, which involved installing an app on my phone and giving permission several times in the car to share my data… BAM! I was in control of my car from my phone. I could see where I was, check my tyre pressures, check mechanical alerts and even unlock and lock the doors, all remotely.

This may seem like just another optional extra among the many accessories, but let me tell you, this changes the game. And it’s a reality.

What is telematics for or why should I connect my vehicle?

Fleet management services use telematics to monitor the use and condition of fleet vehicles and to improve their utilisation, safety and efficiency. This gives companies that sell or operate fleets better control over them and significantly reduces operating costs.

Let’s take a practical case of a vehicle that is initially purchased by a renting or leasing company to rent it to other companies for 2-3 years and then resell it to a vehicle dealer who will sell it to the “end” customer for private use.

Telematics gives us confidence in the whole process. Because the data is synchronised on the network rather than held only in the vehicle, the opportunities for fraud or rogue traders are greatly reduced. It allows the leasing company to check that the vehicle is being used in accordance with the contract, and it allows the end customer to know that the vehicle they are buying really has the mileage its odometer shows.

Some other examples of how connected car generated data can be used to your benefit:

  • To contact emergency services in the event of an accident;
  • To “predict” when your vehicle will need maintenance or repair to avoid breakdowns;
  • To enable insurance companies to offer you tailored, or even lower, premiums (e.g. based on distance travelled, driving style and routes);
  • To provide “smart parking” information;
  • To automatically pay for parking or tolls;
  • To provide reliable information on the condition and use of second-hand vehicles;
  • To advise you on the easiest and safest routes, avoiding traffic jams and road hazards.

The shift: from aftermarket device to OEM solutions

These services, which have existed for many years, have been based on “aftermarket” devices that are purchased and installed in the vehicle via the OBD port. The solution itself was part of the problem: the logistics of designing, manufacturing, installing and maintaining devices that work with the myriad of vehicles and manufacturers on the market are far from trivial.

As we discussed at the beginning of the article, vehicle manufacturers, known as OEMs (Original Equipment Manufacturers), are now starting to include telematics capabilities in their vehicles as standard from the factory, without the need to install any additional device. This opens up a huge opportunity to deploy telematics services in both business (B2B) and consumer (B2C) environments that will allow us to improve all aspects of road communication.

The challenges: homogenisation and security

But it is not all so simple. While previously we had the challenge of integrating a hardware device with the different models and manufacturers of our fleet, we now have the challenge of integrating with the OEM telematics services that each of the different manufacturers provide, with different data, access and activation models. And at the same time it is critical to ensure that this information is shared in a secure, informed and authorised manner in line with data protection regulations.

As we can imagine this presents exciting challenges for the automotive industry, with two clear lines of work:

  • The first is to make data easily accessible, standardising the platforms, the data itself and the quality of the data, so that an application or service works the same on a SEAT, Renault or PSA vehicle.
  • The second is to generate trust, both in users (data generators and holders) and in consumers (companies or services that want to access that data).

Let’s imagine a case of “Telematics Insurance” where “you pay as you drive”. Only if I, as a user, make an informed and active decision to share my data with my insurance company will they have access to it and be able to discount my policy.

On the insurance company’s side, they need assurance that competing companies (including the manufacturers) cannot see that they are accessing this data, nor analyse how it is used, in order to compete unfairly.

The European Automobile Manufacturers Association (ACEA) has published a position paper that will be of interest to anyone who wants to go deeper into this issue, and which introduces a concept that aims to solve this problem.

The “Neutral Server” concept

The Neutral Server initiative, announced at the end of 2016 and sponsored by the European Automobile Manufacturers Association (ACEA) with support from the European Union and other relevant industry players, proposes a solution that makes vehicle data securely available to service providers:

What is a Vehicle Data Neutral Server?

A neutral server is an infrastructure that allows service providers to access vehicle data without having to sign a contract with each vehicle manufacturer.

These servers are completely “neutral”, meaning that they are not operated or funded by the manufacturers but by an independent party. Naturally, the neutral server operators are obliged to apply state-of-the-art security and data protection measures.

Neutral servers also guarantee customer choice. With a neutral server, vehicle users are free to obtain services from the vehicle manufacturer, its network of authorised repair shops or any other service provider of their choice.

Similarly, the neutral server facilitates access to data, particularly for small and medium-sized companies, by offering them access to multi-brand data on a single server, rather than forcing them to use multiple servers from different manufacturers.
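To make the consent and multi-brand points above concrete, here is an added example (not from the original article, ACEA or any neutral server operator) of a toy neutral server in Python. It brokers data between the user who generates it and a service provider, enforcing user consent per data category and per provider, with expiry and revocation; it normalises two constructed OEM schemas into one harmonised set of fields so that a service sees the same data on either brand; and it keeps the access log on the neutral operator’s side, so the OEM never sees which provider is querying which vehicle (the insurer’s concern from the “pay as you drive” scenario). The VINs, brands, field names, categories and readings are all constructed for illustration.

```python
"""
Added example (not from the original article or ACEA): a toy "neutral server"
that enforces per-user, per-provider consent over harmonised vehicle data.
All brands, schemas, VINs and readings below are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Harmonised data categories a user can consent to independently (constructed).
CATEGORIES = {
    "odometer": {"odometer_km"},
    "driving_style": {"harsh_braking_events", "avg_speed_kmh"},
    "location": {"last_position"},
}

# Each OEM feed uses its own field names and units (constructed); the neutral
# server maps them onto one schema: raw_field -> (harmonised_field, unit factor).
OEM_SCHEMAS = {
    "BrandA": {"odo_km": ("odometer_km", 1.0), "hard_brakes": ("harsh_braking_events", 1),
               "spd_avg": ("avg_speed_kmh", 1.0), "pos": ("last_position", None)},
    "BrandB": {"mileage_m": ("odometer_km", 0.001), "brk_events": ("harsh_braking_events", 1),
               "v_mean_ms": ("avg_speed_kmh", 3.6), "gps": ("last_position", None)},
}


def normalise(brand: str, raw: dict) -> dict:
    """Translate one OEM's raw record into the harmonised field set."""
    out = {}
    for src_key, (dst_key, factor) in OEM_SCHEMAS[brand].items():
        if src_key in raw:
            value = raw[src_key]
            out[dst_key] = round(value * factor, 3) if factor is not None else value
    return out


class ConsentError(PermissionError):
    """Raised when a provider asks for data the user has not (or no longer) shared."""


@dataclass
class Consent:
    provider: str
    categories: frozenset
    expires: datetime


@dataclass
class NeutralServer:
    vehicles: dict                                   # vin -> (brand, raw OEM record)
    consents: dict = field(default_factory=dict)     # vin -> [Consent]
    access_log: list = field(default_factory=list)   # held by the neutral operator, not shared with OEMs

    def grant(self, vin, provider, categories, now, days=365):
        """The user (data holder) opts in: explicit categories, explicit provider, time-limited."""
        unknown = set(categories) - CATEGORIES.keys()
        if unknown:
            raise ValueError(f"unknown categories: {sorted(unknown)}")
        self.consents.setdefault(vin, []).append(
            Consent(provider, frozenset(categories), now + timedelta(days=days)))

    def revoke(self, vin, provider):
        """The user withdraws consent; later requests from that provider are refused."""
        self.consents[vin] = [c for c in self.consents.get(vin, []) if c.provider != provider]

    def fetch(self, vin, provider, now) -> dict:
        """Return only the harmonised fields covered by an active consent for this provider."""
        active = [c for c in self.consents.get(vin, []) if c.provider == provider and now < c.expires]
        if not active:
            self.access_log.append((now, provider, vin, "denied"))
            raise ConsentError(f"no active consent for {provider} on {vin}")
        allowed = set().union(*(CATEGORIES[cat] for c in active for cat in c.categories))
        brand, raw = self.vehicles[vin]
        record = {k: v for k, v in normalise(brand, raw).items() if k in allowed}
        self.access_log.append((now, provider, vin, sorted(record)))
        return record


def run_demo():
    """Constructed scenario: an insurer and a used-car dealer query two brands through one server."""
    now = datetime(2022, 11, 15)
    server = NeutralServer({
        "VIN-A-001": ("BrandA", {"odo_km": 45210, "hard_brakes": 3, "spd_avg": 61.5, "pos": (40.41, -3.70)}),
        "VIN-B-002": ("BrandB", {"mileage_m": 120_000_000, "brk_events": 1, "v_mean_ms": 20.0, "gps": (41.39, 2.17)}),
    })
    # Driver of VIN-A-001 opts in to pay-as-you-drive insurance: odometer and driving style, never location.
    server.grant("VIN-A-001", "insurer", {"odometer", "driving_style"}, now)
    # Owner of VIN-B-002 lets a dealer verify the mileage only.
    server.grant("VIN-B-002", "dealer", {"odometer"}, now)

    insurer_view = server.fetch("VIN-A-001", "insurer", now + timedelta(days=30))
    dealer_view = server.fetch("VIN-B-002", "dealer", now)
    server.revoke("VIN-A-001", "insurer")
    try:
        server.fetch("VIN-A-001", "insurer", now + timedelta(days=31))
        revoked_blocked = False
    except ConsentError:
        revoked_blocked = True
    return insurer_view, dealer_view, revoked_blocked


if __name__ == "__main__":
    print(run_demo())
```

The design choice worth noting is that consent is expressed in harmonised categories rather than raw OEM field names, so a user’s decision means the same thing whichever brand they drive, and the server, not the provider, decides which fields leave it.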


Given the potential of this type of infrastructure, there are multiple companies and initiatives working to capture a part of the business: IBM, Otonomo, Wejo are some of the contenders in a market that is opening up right now.

A doorway to the future of connected car

Once these aspects have been solved, OEM telematics will mean, in the medium term, the democratisation and standardisation of telematics data and of the services that rely on it. An explosion of such services is expected in the coming years, in both business (B2B) and consumer (B2C) environments.

The most obvious area is autonomous driving. Higher levels of vehicle autonomy depend on more vehicles becoming connected, exchanging real-time information wirelessly with other vehicles, with road users, with infrastructure and with third-party service providers.

Telefónica Tech and the OEM

Telefónica Tech has been working for some time with our vehicle solution partners to incorporate OEM telematics into our service portfolio. Some of our customers are already deploying Fleet Management solutions more quickly and cost-effectively by eliminating the need to purchase and install a third-party device.

We are also working with some of the major players in the industry to develop and exploit the neutral server concept.

And of course, on our side, we are developing and deploying the infrastructure, such as 5G networks with their lower latency, that is critical to enabling the advanced use cases we have discussed.

🔵 More content on IoT and Artificial Intelligence can be found in the other articles in our series, starting with the first article.

Zero trust, a trend in the cyber security environment

César Cañada Alonso    14 November, 2022

Nowadays the attack surface is larger than before, as companies run more applications, servers, users and so on. For this reason it is necessary to limit access: grant only the permissions that are needed, only to the ports that are essential, and only Just In Time (i.e. for the moment the connection is actually required).

This is possible with what is known as a Zero Trust environment. It has become one of the most widely deployed security models in virtualised and cloud environments in a relatively short time, although the concept was first coined in 2010 by Forrester analyst John Kindervag.

The idea of Zero Trust is that nothing and no one is trusted by default: a device inside the company network, an employee of the company, or even a necessary communication flow between two applications is not given access to the environment until it has been verified and explicitly authorised. This is the complete opposite of the perimeter security model that many companies still have today, whose main idea is “trust but verify”.

With a Zero Trust environment, security breaches are reduced in number and in impact, and the organisation gains protection by reducing the complexity of the infrastructure (every allowed flow is explicit) together with constant monitoring of the environment to deal with possible alerts.

The following image, taken from Netrozome, is a graphical representation of a Zero Trust environment compared with a traditional one:

  • On the left is a traditional architecture where all computers, users and applications are trusted within the environment and all connections are allowed. If an attacker managed to gain access to one resource in this environment, that foothold would give access to the rest of the organisation’s resources.
  • On the right is a Zero Trust environment where connections, computers, users and applications do not have that freedom to communicate with each other. If an attacker gains access to one resource, moving on to the rest of the elements of the environment is very difficult, because the only accesses and communications allowed are those that are necessary and everything else is rejected.
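The contrast between the two sides of that image can be expressed as a policy decision. The following is an added example, not code from the original article or from Netrozome: a minimal Python policy engine in which the perimeter model allows any flow whose source is already inside the corporate network, while the Zero Trust model denies by default and only allows flows that match an explicit, identity-bound, time-boxed (Just In Time) rule, logging every decision for monitoring. The network ranges, identities, hosts, ports and connection attempts are constructed for illustration.

```python
"""
Added example (not from the original article): default-allow perimeter model
versus default-deny, identity-bound, Just-In-Time Zero Trust policy.
Networks, identities, hosts and connection attempts are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    """One connection attempt as the enforcement point observes it."""
    src_ip: str
    identity: str      # authenticated principal; "" if the source never authenticated
    dst_ip: str
    dst_port: int
    at: datetime


@dataclass
class Rule:
    """Explicit allow: who, from where, to which host:port, and until when (JIT grant)."""
    identity: str
    src_cidr: str
    dst_ip: str
    dst_port: int
    expires: datetime

    def matches(self, flow: Flow) -> bool:
        return (
            flow.identity == self.identity
            and ip_address(flow.src_ip) in ip_network(self.src_cidr)
            and flow.dst_ip == self.dst_ip
            and flow.dst_port == self.dst_port
            and flow.at < self.expires            # grant has not expired
        )


CORPORATE_NET = ip_network("10.0.0.0/8")   # constructed "inside the perimeter" range


def perimeter_decision(flow: Flow) -> bool:
    """Traditional model: anything already inside the perimeter is trusted."""
    return ip_address(flow.src_ip) in CORPORATE_NET


class ZeroTrustPolicy:
    """Deny by default; every permitted flow is an explicit, identity-bound, expiring rule."""

    def __init__(self) -> None:
        self.rules: list[Rule] = []
        self.audit: list[tuple[Flow, bool]] = []

    def grant_jit(self, identity, src_cidr, dst_ip, dst_port, now, ttl_minutes=30) -> Rule:
        rule = Rule(identity, src_cidr, dst_ip, dst_port, now + timedelta(minutes=ttl_minutes))
        self.rules.append(rule)
        return rule

    def decide(self, flow: Flow) -> bool:
        allowed = any(rule.matches(flow) for rule in self.rules)
        self.audit.append((flow, allowed))    # every decision, allowed or not, is recorded
        return allowed


def run_demo() -> dict:
    """Constructed scenario; returns {attempt: (perimeter_allows, zero_trust_allows)}."""
    now = datetime(2022, 11, 14, 9, 0)
    policy = ZeroTrustPolicy()
    # Operator "alice" gets 30 minutes of SSH to one database host from the admin subnet.
    policy.grant_jit("alice", "10.1.0.0/24", "10.20.0.5", 22, now)

    attempts = {
        "alice_ssh_in_window": Flow("10.1.0.7", "alice", "10.20.0.5", 22, now + timedelta(minutes=5)),
        "alice_ssh_expired":   Flow("10.1.0.7", "alice", "10.20.0.5", 22, now + timedelta(minutes=45)),
        "alice_wrong_port":    Flow("10.1.0.7", "alice", "10.20.0.5", 3306, now + timedelta(minutes=5)),
        # A compromised workstation on the LAN with no authenticated identity: lateral movement attempt.
        "compromised_host":    Flow("10.5.3.9", "", "10.20.0.5", 22, now + timedelta(minutes=5)),
    }
    return {name: (perimeter_decision(f), policy.decide(f)) for name, f in attempts.items()}


if __name__ == "__main__":
    for name, (perimeter, zero_trust) in run_demo().items():
        print(f"{name:22s} perimeter={perimeter} zero_trust={zero_trust}")
```

The perimeter model says yes to all four attempts, including the compromised host, because “inside the network” is the only thing it checks; the Zero Trust policy says yes only to the one flow that matches an identity, a source range, a destination, a port and a still-valid time window.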

The following is a list of attacks that can be most easily stopped using a Zero Trust environment:

It is essential to protect the business, its data and its customers not only from the outside but also from the inside. For this reason, cloud and virtualised environments are changing the approach to defining and implementing new network and security architectures.

Cyber Security Weekly Briefing, 5 – 11 November

Telefónica Tech    14 November, 2022

Robin Banks Phishing Platform Reactivated

Researchers at IronNet have published the second part of their investigation into the Robin Banks phishing-as-a-service platform. The platform was discovered in June this year following the detection of a massive phishing campaign against US financial institutions, after which it was blocked by Cloudflare and its operations were halted.

The platform is now reportedly back in business behind the Russian ISP DDoS-Guard, incorporating new features such as multi-factor authentication for its operators’ accounts and Adspect redirectors, which help it avoid detection by sending suspicious traffic (for example, from security scanners) to legitimate-looking websites.

In addition, Robin Banks now makes use of Evilginx2, a reverse proxy placed between the victim and the legitimate site that captures the victim’s session cookies, allowing attackers to bypass protection measures such as two-factor authentication.


* * *

Cybersecurity incident at an Orange provider

Orange has revealed that one of its suppliers had suffered a cybersecurity incident that resulted in the compromise of personal information of the telecommunications company’s customers.

According to the company’s statement, the incident at the provider occurred several days ago and involved unauthorised access to its systems. As a result, the data of a limited number of customers, who have already been notified by Orange via SMS or email, was compromised.

The exposed data may include the customer’s name, postal address, email address, telephone number, ID number, date of birth or bank IBAN, although not all of these fields were exposed in every affected case. No passwords or credit card details were compromised.

The company cut off access to the affected systems when it became aware of the attack, and notified the Spanish Data Protection Agency and the Central Technological Investigation Brigade (BCIT) of the National Police.


* * *

Microsoft fixes 68 vulnerabilities including six 0-day vulnerabilities

In its latest security update, Microsoft has fixed a total of 68 vulnerabilities, six of them actively exploited 0-day flaws:

  • CVE-2022-41128, a remote code execution vulnerability in Windows Scripting Languages (JScript9) with a CVSS score of 8.8.
  • CVE-2022-41091, which allows an attacker to bypass Mark-of-the-Web (MOTW) security defences, with a CVSS score of 5.4.
  • CVE-2022-41073 (Windows Print Spooler) and CVE-2022-41125 (Windows CNG Key Isolation Service), which allow a malicious actor to gain SYSTEM privileges, both with a CVSS score of 7.8.
  • CVE-2022-41040 and CVE-2022-41082, privilege escalation and remote code execution vulnerabilities in Microsoft Exchange with a CVSS score of 8.8.

These last two would be the vulnerabilities identified last September as ProxyNotShell. Other vulnerabilities categorised by Microsoft as critical and fixed in this latest update are CVE-2022-37966 and CVE-2022-37967 in Windows Kerberos, CVE-2022-41080 in Microsoft Exchange Server and CVE-2022-38015 in Windows Hyper-V.


* * *

Critical vulnerabilities in Citrix Gateway and Citrix ADC

As part of its security bulletin released on Tuesday, Citrix has announced three vulnerabilities affecting its Citrix Gateway and Citrix ADC software that users urgently need to patch.

Of these vulnerabilities, CVE-2022-27510 (CVSS 9.8) stands out as a critical flaw that allows the authentication process to be bypassed using an alternative path or channel when the appliance is configured as a VPN. The other two vulnerabilities are also considered critical by NIST, although Citrix has rated them high and medium respectively.

These are CVE-2022-27513 (CVSS 9.6 according to NIST, 8.3 according to the vendor), which allows attackers to take over the remote desktop via phishing because the authenticity of data is not correctly verified when the RDP proxy is configured in VPN mode; and CVE-2022-27516 (CVSS 9.8 according to NIST, 5.6 according to the vendor), which allows the protection mechanism against brute-force login attempts to be bypassed.

This last vulnerability can be exploited in VPN mode or if configured as an AAA virtual server with a maximum number of login attempts. The company has already patched these flaws for customers of its cloud services, but users who directly manage this software will have to patch individually.


* * *

StrelaStealer: new malware to steal email credentials

Researchers at DCSO CyTec have identified a new malware, named StrelaStealer, that steals email credentials from Outlook and Thunderbird.

The malware is distributed via ISO files attached to emails with different content. In one of the variants observed, this attachment was a polyglot file, which can be interpreted as different formats depending on the application with which it is opened.

In the case analysed, this file could either download StrelaStealer or display a decoy document in the default browser, depending on how it was opened. The campaign was reportedly first observed in November 2022 targeting Spanish-speaking users.
