5 LUCA events for your diary

Ana Zamora    27 January, 2017
It’s been a busy month here in LUCA HQ, with lots of things going on such as the presentation of our analytics dashboard to the Movistar cycling Team and our first webinar, which you can still attend by signing up here. So what is coming up this month and how can you get involved? We highlight our top 5 events:


1. Global Predictive Analytics and Big Data Management forum, Milan
We will be kicking off February with the Global Predictive Analytics and Big Data Management forum, which will take place on the 2nd and 3rd of February in Milan. This forum is dedicated to data analysts, predictive analytics, business analysts, digital marketing, prescriptive analytics, sales and social media specialists who want to share their knowledge on Big Data. Our director of External Positioning & Data for Social Good, Richard Benjamins, will be one of the key speakers, discussing the “New Vs of Big Data”.

Figure 1: Global Predictive Analytics and Big Data Management Forum, Milan.

2. Women in Data Science, Madrid
Our LUCA colleagues from Synergic Partners are working hard towards one of their first events of the year. Their CEO, Carme Artigas, has been appointed by Stanford University as an ambassador of Women in Data Science in Madrid. WiDS is a global conference which aims to inspire and educate data scientists, regardless of gender, and to support women in the field. This initiative will take place on the 3rd of February at Stanford and at an additional 50 locations worldwide, and will be available via live-stream. If you want to know more about this event, you can read the blog post we published about it this week.

Figure 2: Carme Artigas, ambassador in the world of Women in Data Science.

3. UNWTO World Conference on Smart Destinations, Murcia
We will also be taking part, from the 15th to the 17th of February, in the first edition of the Smart Destinations Event, which focuses on technology in the world of tourism. The World Tourism Organization, the Spanish government and the local government in Murcia have partnered to organize this conference to lead and shape a new tourism model for the 21st century, based on Innovation, Technology, Sustainability and Accessibility. Our CEO, Elena Gil, together with our Commercial Manager, Mario Romero, will be there explaining our Smart Steps product and its benefits for the tourism sector.

Figure 3: UNWTO World Conference on Smart Destinations.

4. LUCA Talk #2, Online
Towards the end of the month, we will be hosting our second LUCA talk online. If you would like to find out more about our webinars, sign up for our newsletter and keep an eye on our social media channels.

Figure 4: Our first LUCA Talk next week, our second at the end of February.

5. Mobile World Congress, Barcelona

Last but not least, we’ll be heading to the GSMA Mobile World Congress, which will take place from the 27th of February until the 2nd of March in Barcelona. Mobile World Congress is the world’s largest gathering for the mobile industry featuring prominent leaders from mobile operators, device manufacturers, technology providers, vendors and content owners from all over the world. We are working hard ahead of MWC, where we’ll be showcasing LUCA’s most exciting technology to thousands of visitors over the 4 days.
Figure 5: GSMA Mobile World Congress in Barcelona.

Want to know all about our latest events? Keep an eye on the events section of our website.

Movistar Team: the best cyclists, the best behind the scenes team, the best strategy and Big Data

AI of Things    26 January, 2017

By Mikel Zabala, PhD (Sport Scientist, Lecturer at Granada University and member of the team of trainers for the Movistar Team), Javier Carro (Data Scientist at LUCA), and Pedro A. de Alarcón, PhD (Data Scientist at LUCA).

The best cyclists, the best technical team, the best strategy and Big Data. How will the Movistar Team continue being the best in 2017? On the 29th of August 2016, the 10th edition of the Tour of Spain moved to the lakes of Covadonga: a 40km stretch called “el Mirador del Fito”, a top-level climb which the Movistar team would take on with force, trying to avoid letting one of the other teams run away with the title. The first surprise came just 7km into the race, when Alberto Contador gave Nairo Quintana a run for his money as they battled it out for the lead, until finally, 3.6km before the end, Nairo managed to push ahead and take the lead.

This is the beauty of cycling: it is led by some of the most physically fit sportsmen, with high endurance, who are strategically coordinated so that all these factors can lead to victory. Behind these sportsmen is a dedicated technical team who plan their training slots, recovery and their physical and mental health. All the hard work that goes on behind the scenes is definitely worth it when we witness scenes like the race between Contador and Quintana.


Figure 1: Movistar Team observing their insights from the LUCA dashboard platform.  

In 2017, the Movistar team (directed by Eusebio Unzué) will be returning with Nairo Quintana and Alejandro Valverde as the leaders of a squad that mixes youth and experience (10 of the cyclists are younger than 26). We want as much information as we can get: we want our cyclists to use the data we generate not only for training but also during the actual race, so they can improve individually and as a team. To give an idea of the sheer quantity of data, in the Tour of Spain alone we were able to track more than 25 million movements generated by the 8 cyclists from the team. The Big Data revolution has also reached cycling, and at LUCA we want to put this information into practice.

The biggest cycling competitions, like the Tours of Spain, Italy and France, are all contested across hundreds of kilometres and hours of hard work, and when it comes to the finish line only a few seconds separate first and second place. In a sport as competitive and technical as professional cycling, it is key that we use whatever tools we can to create tighter margins for victory.


Video: Chema Alonso, CDO of Telefónica, giving a brief speech at the presentation to the Movistar Team.

According to this Harvard Business Review article, it only takes a mere 1% improvement in the right variables to impact a race. This was the case for the UK Olympic cycling record. It can come from carefully analysing every aspect that can affect the cyclists’ performance (from how aerodynamic their helmet is to their journey time from the Olympic village to the track), and this can make all the difference in producing a win for the team. LUCA’s input will be applying the power of Big Data and the science behind that data to identify areas in which the team can update and improve their performance.

During the 2017 Movistar Team presentation, Chema Alonso, Chief Data Officer at Telefónica, presented the findings alongside Mikel Zabala (professor at Granada University), who has a wealth of professional and academic experience in Sport Science and is also part of the technical team of trainers for the cyclists. Mikel uses the computer-generated data both for off-track training and to improve track capabilities, such as testing strength or nutrition levels. This data allows Mikel to generate a series of complex variables and mathematical models that lead to the analysis of the efficiency and wear and tear of each cyclist. This information is critical in terms of planning and personalizing each training plan. The end goal is to optimize the physical and mental performance of the cyclist throughout the race, so that they can perform well as a team but also recover effectively.


Figure 2: The President of Telefónica with the Movistar Team  

To analyse the data taken from each bike’s computer we can find free and compatible programmes like GoldenCheetah or TrainingPeaks that work with most data formats. Both of these platforms provide valuable technical information; however, we want to take the analysis further by creating an analysis tool adapted to the specific needs of the team that uses the most up-to-date statistical and Machine Learning models. This allows us to give the team unique information to push them further ahead of their competition. Some of the work we are developing includes:

  • Time-sensitive representation of the peak form of each cyclist, meaning we can predict and adjust training as each race gets closer.
  • Determination of the context of training variables (height profile, weather), which can help to assess the efficiency of training subject to these variables.
  • Contrasting the role of each cyclist: we can look at the efficiency and fatigue of each cyclist so that we can work on future race strategies and more effectively plan recovery periods.

2017 is there for the taking, so let’s cycle towards victory!

LUCA at #HackForGood

AI of Things    24 January, 2017

Are you passionate about using technology to have a social impact? Do you believe in using hacking and data science techniques to change the world? Then put #HackForGood at the top of your list of events for 2017.

This year, from Thursday 9th to Saturday 11th March, “hackers” from all over Spain will take part in this initiative, organized by Telefónica, ETSIT (Universidad Politécnica de Madrid), MashMeTV and Fundación HazLoPosible.

Already in its fifth year, #HackForGood will focus on our “Data-Driven Economy”, encouraging participants to develop apps and services which use Big Data technology for Social Good in areas such as education, health, industry, digital economy, social inclusion and sustainability.

Figure 1: Hack4Good 2016 brought together over 1000 students from all over Spain.

Teams from over 20 cities across Spain will take part simultaneously, selecting their own challenge from the hundreds posted by #HackForGood in the lead-up to the event. It is free to sign-up and the most successful teams will be awarded a range of prestigious prizes, so make sure you keep an eye on their website for more information over the next month.

This year, due to our passion about applying data for social good and young talent, LUCA will be taking part in several ways, so keep an eye on our blog to find out how you could end up collaborating with us.

Want to get the latest updates? Then follow @Hack_ForGood on Twitter and join their LinkedIn group to receive more information. You can also check out this digital brochure for more information.

Stanford University’s “Women in Data Science” to debut in Madrid

AI of Things    23 January, 2017

On February 3rd, Synergic Partners, the niche Big Data consultancy wing of LUCA, will organize the “Women in Data Science” conference for the first time in Madrid – in collaboration with Stanford University. This event, which will take place in the Wayra offices in Gran Vía, aims to bring together Data Scientists and Big Data professionals, inspiring more women to pursue careers in the field with training and mentoring opportunities from other women from all over the world.

In 2015, the conference’s 23 distinguished speakers attracted 400 attendees from 30 universities and 80 different companies, as well as 6000 additional participants via live stream. This year, this international event will take place in more than 50 cities all over the world, including New York, Paris, Berlin, São Paulo, Bogotá, Beirut and Singapore – among many others.

Women in Data Science, otherwise known as WiDS, provides a unique opportunity to bring together Data Science experts from a wide range of sectors to learn, collaborate and accelerate research in the field. This year, Stanford University have selected the CEO of Synergic Partners, Carme Artigas, to inaugurate the first Madrid-based event where she will also participate in the “Beyond Data Science” conference, as well as acting as a moderator in one of the roundtables.

“As an ambassador for WiDS Madrid, I want to raise awareness about the Data Science discipline and show just how impactful it can be, not just for different industries, but also for society. I am also keen to ensure that women are heard in the field and will play a key role in this transformation,” said Artigas.

The Madrid event will bring together a wide range of experts from across Spain, including Amparo Alonso (Artificial Intelligence R&D Lab Director), Angela Shen-Hsieh (Product Innovation Director at Telefónica R&D) and Rosa María Sanz (General Director of People and Resources at Gas Natural).

Want to sign up? Find out how you can get involved here.

Our role in digitalizing Latin America with Big Data

AI of Things    20 January, 2017
This week, Telefónica and the International Development Bank (IDB) renewed their strategic alliance to continue promoting digital transformation and socio-economic development programs in Latin America from 2017 to 2020. This time, the Inter-American Investment Corporation (IIC) has also come on board, with the goal of strengthening collaboration with the private sector.
This new addition broadens the scope of the alliance as well as the opportunity to take joint actions on economic, social and digital development projects in countries where Telefónica, the IDB and the IIC operate, in collaboration with governments, civil servants and the private sector.
The agreement was signed this week here in Madrid by José María Álvarez-Pallete, Chairman and CEO of Telefónica, and Luis Alberto Moreno, president of the IDB.  This unique collaboration will focus on six different areas within the Smart Cities area as part of the IDB’s Emerging and Sustainable Cities Program. These include:
  • Big Data projects focused on data analysis and public interest solutions.
  • Digital Economy.
  • Internet Accessibility and development of appropriate regulatory policies.
  • Entrepreneurial support as framed within the Telefónica Open Future program.
  • Development initiatives including the areas of education, health and security.
During the first period of this strategic alliance (2012-2015), various development projects were carried out in diverse areas such as ICTs and microfinance, education, Smart Cities, internationalisation of SMEs and social entrepreneurship, in addition to collaboration on regulatory studies and publications.
In LUCA, we are extremely excited about the opportunity to participate in Big Data projects in Latin America. We strongly believe that using data for development is crucial in driving progress towards the 2030 Sustainable Development Goals, and for this reason we are regularly working with governments and NGOs to use our analytical capabilities for social good. In 2017, we will be taking part in a range of hackathons (like this one in Rio de Janeiro) to see how mobile data and open data can be applied to the most pressing social issues out there.

Millennials want to use data for social good, but will privacy stop them?

Ana Zamora    19 January, 2017

This article was originally posted by Florence Broderick on the WEF Live blog as part of the 2017 World Economic Forum Annual Meeting in Davos.

Imagine a world where the billions of Google searches we make every year could be used to treat dengue fever. Imagine a world where our daily interactions with mobile networks could be used to help our local governments understand traffic to make our cities greener. Imagine a world where our social media updates could be used to predict crime hotspots. Today, all of the above (and much more) is possible.
Whether we like it or not, we are living through an era of exponential data explosion, and somehow, through responsive and responsible leadership, we must move from just using data for commercial benefit to also using data for social good.
As a Millennial working in the world of telecommunications, I see hundreds of opportunities to use the exabytes of information we create on a daily basis to improve the lives of people in both developed and developing countries. Our world’s great advances in Big Data and Artificial Intelligence have brought a remarkable level of sophistication to areas such as e-commerce, manufacturing and logistics, just to name a few examples.
After making these extensive investments, private sector organizations are now finding new use cases to re-apply their data and analytical capabilities to have a social impact – learning that actually, data philanthropy could potentially be just as powerful as traditional philanthropy in a world where (excuse the cliché), data is the new oil.
Figure 1: Could “Data Philanthropy” become as powerful as traditional philanthropy?

However, there are a series of challenges facing those who are keen to drive forwards the Big Data for Social Good initiative in their companies. For example, many business leaders have only recently been told that data is their “greatest asset” and are therefore hesitantly holding back the key to their data lakes.
Equally, they are worried about cannibalizing other business opportunities. What impact could doing free or reduced Big Data projects have for their commercial pipeline in the public sector? This is precisely why it is so important for us to find sustainable business models for Big Data for Social Good, enabling serious and consistent collaboration between the private and public sector as well as NGOs.
Nicolas de Cordes, a pioneer in the field, said to me in an interview the other week: “To scale up, we will have to make this profitable. However, we can’t make profit the main driver of our actions, the private sector has to take into account the indirect social benefits of making such projects work.” For this reason we need leaders who care about the big issues, not just their annual KPIs, who keep the Sustainable Development Goals at the back of their mind in their decisions and drive their organizations forwards responsibly, without forgetting the values we so desperately need in an increasingly divided and disobedient world.
Chief Data Officers are also concerned about the security risks associated with sharing data sets outside of their own infrastructure. What if the competition got their hands on the data? Or what if the anonymization processes of other parties are not as robust as those in place in their companies? This is something that projects such as OPAL are trying to address with their Open Algorithms approach.
Nonetheless, there is a much more complex challenge hanging over Big Data for Social Good: the dark cloud of data privacy. In recent years, the media spotlight on Snowden, Wikileaks and a string of high profile cyberattacks has led us all to ask questions about the way organizations use our data – and rightly so. But how will this evolve when the decision-makers in the boardrooms are Millennials or Generation Z? Will their differing attitudes to privacy affect the way they decide to use data even if it isn’t personal data being used anyway? Will their “data-savviness” and technological prowess allow them to find sustainable ways to convince consumers to let them exploit their anonymized data for social good?
Figure 2: Florence Broderick giving her speech at the last One Young World Summit, in Ottawa.
At One Young World, I spoke about this very matter and I asked my 18 – 30 year old peers: how many of you would opt-in for your mobile phone data being used for social purposes? Overwhelmingly, the answer was yes – which perhaps has something to do with the supposed notion that 84% of Millennials consider it their duty to make the world a better place. But does this mean young people care less about privacy? Does it mean they are more likely to drive forwards the Big Data for Social Good in their respective countries?
The world’s most influential Millennial, Mark Zuckerberg, controversially said privacy is dead in 2010, painting a very negative picture for something which is in fact a fundamental human right. Of course, not all Millennials agree with the Facebook CEO, but it is true that they are less concerned about the privacy of their data than other generations. This is echoed in the fact that only 44% of them trust in companies to keep their personal information private, whilst only 32% of baby boomers do. Will future generations continue to care less about privacy and invest more trust in organizations? Or will their attitudes slide towards those of their seniors in the years to come as they build careers, buy houses and have children?
If we want to overcome the privacy challenge and grow the Big Data for Social Good initiative then we desperately need the leaders of today and tomorrow to reassure society by using data in a responsible way, as well as prioritizing cybersecurity so that our information is safe. If we can achieve this, then we will definitely see one-off exploratory Big Data for Social Good projects evolving into recurrent and impactful services. This will enable policy makers and NGOs to accelerate towards the 2030 Sustainable Development Goals with the responsible and responsive management of data. It’s time for data to drive our decisions and it’s time to harness the power of information for the good of mankind. 

54% of organizations now have Chief Data Officers, but should mine?

Richard Benjamins    18 January, 2017
With Big Data becoming such a big deal in the world of business, it is no surprise that the Chief Data Officer (CDO) has managed to wriggle its way into an extra seat around the boardroom table. More and more organizations, in both the private and public sector, consider data to be a strategic asset, and for this reason the most forward-thinking companies are appointing CDOs. In fact, according to this survey, 54% of firms now report having appointed a CDO, up from just 12% in 2012.

Until the appearance of this new role, Business Intelligence (BI) and Big Data initiatives had often been remotely dispersed throughout organizations, working in isolated departments – even if there was supposedly a central BI department keeping tabs on the overall company data strategy.

So, what kind of questions will an organization be asking itself ahead of appointing a CDO? We thought of a few:

  • How far should the CDO be from the CEO? CEO-1 or CEO-n?
  • If it is CEO-1, how does the CDO relate to the other officers, in particular the CIO and CTO?
  • If it is CEO-n, to which Officer should the CDO report? The CIO, COO, CMO, CFO, the Chief Transformation Officer, or the Chief Digital Officer?

To leverage the full potential of data, the CDO is best placed in an area whose mission is cross-company and that represents a large chunk of the business. In this way, the value creation is not limited to one specific area (e.g. marketing), and the value is relevant for the business. Doing otherwise creates a bias towards creating value only from data in a specific area, or in an area that doesn’t really matter.

Therefore, many argue that the best place to be for the CDO is at CEO-1 or at CEO-2 under the COO, which is cross-company. Having the CDO directly reporting to the CEO gets him or her a seat on the Executive Committee, which delivers a strong message both internally and externally. There are two alternative Officers who also ensure cross-organizational application and relevance: the Chief Transformation Officer and the Chief Digital Officer. While by nature those two roles have a temporary role (albeit for several years), they work in a cross-organizational manner and are tasked with the mission of adapting their business to the digital world, of which data is a pivotal part.

Of course, having the CDO directly reporting to the CEO is not necessarily suitable for all organizations at all times. It requires a level of “data literacy”, and is likely to be reserved for the more forward-looking organizations who really know and embrace the fact that they have to adapt to the digital world in a data-driven way.

So why may organizations not yet want a CEO-1 position for the CDO?

  • Some companies may be too immature from a data perspective (i.e. not fully data-literate) and therefore might want to place the CDO under the CIO with IT to make sure that there is sufficient quality data before starting to exploit it.
  • Some organizations have a very clear idea of where to start exploiting data, so they place it under the corresponding department. For example, companies in sectors such as FMCG with a strong interest in improving their consumer marketing might place the CDO under the CMO. Those who want to innovate with data might even place it under the CTO (R&D), whilst organizations which want to save money, might place it under the Global Resources Officer.

In general, if the CDO is placed within a specific area, it normally implies that the CDO inherits some of the objectives of that area. If it is under marketing, then objectives will probably be phrased in terms of sales or revenues. If it is under Global Resources, then it will likely be related to savings. Helping areas outside of their specific area then becomes a best-effort thing, rather than a core responsibility – depending on the bandwidth of the area of the CDO. However, experience teaches us that it is challenging to see this kind of cooperation beyond the day-to-day corporate limits of KPIs.

So, if an organization decides to place the CDO under one of the Officers without a cross-organizational responsibility, they create an unnecessary limitation to value creation from data. But why then are most CDOs not CEO-1, but -2 or sometimes even CEO-3 or -4?  Below, we briefly list the pros & cons for why an organization might do it this way:

Pros & cons of CDO under:

Figure 2: The Pro’s and Con’s of a CDO’s position in the org chart

Of course, whether a CDO is successful in his or her job does not only depend on how the role is placed in the organization, but it is an important factor. Other relevant factors are discussed in this article, such as business sponsorship or a lack of clarity on the role.

In Telefónica, the CDO function was introduced to the Executive Committee at the end of 2015 and is currently held by Chema Alonso, whilst 5 years ago it was between CEO-5 and -4. Three years ago it became -3, then two years ago -2 and now it is CEO-1 – showing just how fundamental data is in our strategy going forwards in our quest to put customers at the center of everything we do.

Figure 3: Chema Alonso, CDO of Telefonica

Of course, this discussion is much more relevant for those organizations who are on their journey to becoming data-driven. However, there are many companies who are already data companies (i.e. their business is the data) and in their case, the CDO has very different requirements. Gartner wrote a report on the four types of Chief Data Officer Organizations highlighting that in data companies, the CDO is even more critical. We think that in such companies the CDO might even be the CEO. We may not know what the future holds for big corporates, but we do know that it will be driven by data.


New Report: Most common errors when implementing HPKP, HSTS and preload conditions

Florence Broderick    17 January, 2017
We collected and visited domains and webpages from two different sources, the Alexa top million domains and Shodan. These results come from searches made in November 2016. From those domains, we restricted the search to determine which ones use HSTS or HPKP over HTTP or HTTPS, and even which of them use different configurations for the headers. We tried to determine not only the quantity but the “quality” of the implementation. Just 0,02% of the most popular domains implement HPKP in the best possible way, and just 0,74% do so with HSTS. Even Whatsapp.com or Facebook.com have some errors.

We now show some excerpts from the report, which you can find here.

Number of pins

When implementing HPKP it is important to respect the number of pins required. Although the recommended practice is to use between 3 and 4 pins, some domains use anywhere from just one pin (violating the RFC) up to 17, which seems to be an irregularity that reduces efficiency. Among the Alexa top million domains, 282 out of 450 use 2 or 3 pins, which is correct. 89 (19,8%) use zero or just one, which is useless from the browser’s standpoint, since it will ignore the header.

Number of pins offered by top 1 million Alexa domains using HPKP.

Which certificate to pin

When using HPKP, choosing the right certificate to pin may be an important decision. Administrators may pin any certificate in the chain (root, intermediate or leaf), but this decision directly affects usability and security, both from the administrator’s standpoint and for the user’s security. There is a tradeoff between security and maintenance.

  • Pinning the root offers less security, but an easier way for the administrator to deal with HPKP. As long as the administrator does not change CA provider, no additional changes need to be made, so less maintenance is required. On the other hand, if an attacker gets a fake certificate from the same CA, the browser would not detect the difference, since the root remains the same.
  • Pinning the intermediate certificate is perhaps the best choice. An attacker would need to get a certificate from the same subCA to mount the “perfect” attack. The administrator, on the other hand, may change the leaf certificate, as long as it comes from the same subCA, without the extra cost of changing pins.
  • Pinning the leaf is the most secure way, but the most “dangerous” as well. If the certificate expires or changes for whatever reason (more specifically, if the public key changes), even if issued by the same CA or subCA, the administrator has to modify the pins or fall back on the backup pin. On the other hand, an attacker cannot create a valid certificate (unless the private key is stolen) to set up a “perfect” man-in-the-middle scenario.

So we checked which certificate administrators pin, and this is what we found. Most of them (73,65%) pin the intermediate certificate.

Pinned certificates in the trust chain for the top million Alexa domains using HPKP.

Pins reuse

Reusing pins among different domains is not an invalid practice at all. Considering that most of the pins used in HPKP are “intermediate” pins, mostly from subCAs, it is perfectly normal to share some pins between domains. But this practice carries a small risk: from an attacker’s standpoint, knowing which subCAs or even CAs are pinned may allow a specific APT against that domain to be planned. For example, if a domain has its certificates issued by a specific subCA and pins that intermediate certificate, an attacker who obtains a rogue leaf certificate for that domain from the same subCA still has a perfect MiTM situation, since the browser will not show any warning. Therefore, if attackers are able to determine that a domain pins its intermediate certificate, and furthermore which subCA is pinned, they know better whom to target; and if they want to maximize their reach, they would try to get a rogue certificate signed by this “popular” subCA.

The following map represents which certificates (and their pins) are pinned by the most domains; these are the top 25 most pinned certificates. Since the protocol exposes only the pin and not the certificate itself, the certificate has to be “unhashed”: we collected several million certificates and hashed them to compare against the pins associated with the domains. The results show that an intermediate certificate from Comodo is the most pinned certificate (klO23nT2ehFDXCfx3eHTDRESMz3asj1muO+4aIdjiuY=); it is pinned by 40 different domains from Alexa and Shodan.

Pin reuse map.
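As an added example (not code from the original report), the header-level logic behind this measurement in Python: computing a pin from a DER SubjectPublicKeyInfo as RFC 7469 defines it, rejecting Public-Key-Pins headers a browser would ignore (fewer than two pins, no max-age), counting which domains share a pin, and “unhashing” a pin by lookup in a corpus of hashed certificates. The SPKI bytes, domain names and headers are constructed placeholders, not real keys or collected data.

```python
import base64, hashlib, re
from collections import defaultdict

def pin_sha256(spki_der: bytes) -> str:
    """HPKP pin as RFC 7469 defines it: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

_PIN_RE = re.compile(r'pin-sha256\s*=\s*"([A-Za-z0-9+/=]+)"', re.I)
_MAX_AGE_RE = re.compile(r'max-age\s*=\s*"?(\d+)"?', re.I)

def parse_hpkp(header: str) -> dict:
    """Parse a Public-Key-Pins value; 'problems' lists why a browser would ignore it."""
    pins = set(_PIN_RE.findall(header))
    m = _MAX_AGE_RE.search(header)
    problems = []
    if len(pins) < 2:  # one pin in the chain plus a backup pin are required
        problems.append("fewer than two distinct pins; UA ignores the header")
    if m is None:
        problems.append("max-age missing; UA ignores the header")
    if any(len(p) != 44 for p in pins):  # base64 of a 32-byte digest is 44 chars
        problems.append("a pin is not a base64 SHA-256 digest")
    return {"pins": pins, "max_age": int(m.group(1)) if m else None, "problems": problems}

def pin_reuse(headers: dict) -> dict:
    """Map each pin to the domains whose browser-accepted HPKP header carries it."""
    reuse = defaultdict(set)
    for domain, header in headers.items():
        info = parse_hpkp(header)
        if not info["problems"]:
            for p in info["pins"]:
                reuse[p].add(domain)
    return dict(reuse)

# Constructed stand-ins for DER SubjectPublicKeyInfo blobs (not real keys): the hashed
# certificate corpus that lets a pin be "unhashed" back to a known certificate.
KNOWN_SPKI = {pin_sha256(b"constructed-subca-spki"): "constructed subCA intermediate",
              pin_sha256(b"constructed-leaf-spki"): "constructed leaf certificate"}
P_INT, P_LEAF = list(KNOWN_SPKI)
P_BACKUP = pin_sha256(b"constructed-backup-key")  # backup pin for a key not yet in any certificate

SAMPLE_HEADERS = {  # constructed, not collected from real domains
    "a.example": f'pin-sha256="{P_INT}"; pin-sha256="{P_BACKUP}"; max-age=5184000; includeSubDomains',
    "b.example": f'pin-sha256="{P_LEAF}"; pin-sha256="{P_INT}"; max-age=2592000',
    "c.example": f'pin-sha256="{P_INT}"; max-age=5184000',          # single pin: ignored
    "d.example": f'pin-sha256="{P_INT}"; pin-sha256="{P_BACKUP}"',  # no max-age: ignored
}

def unhash(pin: str) -> str:
    """Resolve a pin to a certificate label, if the hashed corpus contains it."""
    return KNOWN_SPKI.get(pin, "unknown: certificate not in the hashed corpus")
```

Running `pin_reuse(SAMPLE_HEADERS)` shows the intermediate pin shared by the two valid domains, while the single-pin and missing-max-age headers contribute nothing, exactly the cases the figures above count as ignored.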

Preload

To avoid the “trust on first use” problem, a “preload” mechanism was introduced. The preload list works like a root CA embedded in the browser: it is a list of domains that want to be accessed securely with HSTS from the very first visit. The list is maintained by Google, and a domain has to satisfy some conditions to be included:

  • Have a valid certificate chain and redirect from HTTP to HTTPS on the same host (of course).
  • Serve all subdomains over HTTPS. The www subdomain is mandatory if it exists in DNS.
  • Serve the HSTS header over HTTPS with these properties:
    • max-age is at least 18 weeks (10886400 seconds).
    • The includeSubDomains directive must be included.
    • The preload directive must be included.
    • If the HTTPS site serves an additional redirect, that redirect must still carry the HSTS header (rather than only the page it redirects to).

If all these conditions are satisfied, the domain owner can apply for inclusion at hstspreload.appspot.com and the domain will eventually be added to the list. The same page also checks whether a domain satisfies all these conditions. There are a total of 18197 domains preloaded in the Chromium list (shared with Firefox). As of December 2016, only 2056 domains from the Alexa top 1 million are in that list.
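As an added example (not the preload site's own code), the header-level part of those conditions in Python: parsing Strict-Transport-Security and flagging a too-short max-age or a missing includeSubDomains or preload directive. The redirect and all-subdomains checks need live requests and are left out; the sample domains and headers are constructed.

```python
import re

# The preload list requires a max-age of at least 18 weeks (10886400 seconds).
MIN_PRELOAD_MAX_AGE = 18 * 7 * 24 * 3600

def parse_hsts(header: str) -> dict:
    """Parse a Strict-Transport-Security value (RFC 6797: directive names are
    case-insensitive, max-age may be quoted, unknown directives are ignored)."""
    out = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age" and value.isdigit():
            out["max_age"] = int(value)
        elif name == "includesubdomains":
            out["include_subdomains"] = True
        elif name == "preload":
            out["preload"] = True
    return out

def preload_header_errors(header: str) -> list:
    """Header-level preload conditions only. The HTTP-to-HTTPS redirect, the
    all-subdomains-over-HTTPS rule and the HSTS-on-redirect rule need live
    requests and are not checked here."""
    h, errors = parse_hsts(header), []
    if h["max_age"] is None:
        errors.append("max-age missing or not an integer")
    elif h["max_age"] < MIN_PRELOAD_MAX_AGE:
        errors.append(f"max-age {h['max_age']} is below {MIN_PRELOAD_MAX_AGE}")
    if not h["include_subdomains"]:
        errors.append("includeSubDomains directive missing")
    if not h["preload"]:
        errors.append("preload directive missing")
    return errors

# Constructed sample headers (not collected from any real domain).
SAMPLE_HSTS = {
    "ok.example": "max-age=31536000; includeSubDomains; preload",
    "short.example": 'max-age="2592000"; includeSubDomains; preload',
    "nopreload.example": "max-age=31536000; includeSubDomains",  # preloaded-but-no-directive case
    "broken.example": "max-age=abc; preload",
}

def audit(headers: dict) -> dict:
    """Domain -> list of preload-condition errors (an empty list means the header is fine)."""
    return {d: preload_header_errors(h) for d, h in headers.items()}
```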

Preloading status in Alexa’s top million domains

In the background, hstspreload.appspot.com uses a public API that reports the reasons why a specific domain may or may not be preloaded. We checked all the top million Alexa domains against this API to find out whether the preloaded domains really satisfy all the conditions for preloading. When a domain is checked against this API or the preload list, the domain is visited in real time and errors are reported. Interestingly, of those 2056 preloaded domains in the Alexa top list, 662 contain errors, so strictly speaking they should not be preloaded. We even found that 67 of those 2056 preloaded domains do not contain the preload directive in the header, which also violates the conditions. Whatsapp.com and Facebook.com are domains that do not meet the mandatory conditions for preloading, yet they are preloaded.

Conclusions

Although the HSTS and HPKP protocols are intended to provide an additional layer of security for HTTPS communications, their deployment is not widespread. At the server level, many of the most relevant Internet domains do not even implement them. Moreover, among the minority of domains that do use them, there is a significant number of implementation errors, and even disregard for the recommendations of the respective RFCs. This situation reveals both low adoption and some misunderstanding of how to take full advantage of these protocols. Some of the most interesting figures are:

  • From Alexa, we collected 632648 HTTPS domains and 901958 HTTP domains. From Shodan, we retrieved 30886979 HTTPS (port 443) domains and 45330802 HTTP (port 80) domains (a total of 76217781).
  • Only 1,9% of domains in Shodan use HSTS correctly over HTTPS, while just 5,35% of the Alexa top million do so.
  • 4717 (roughly 0.74%) of the Alexa top million domains using HTTPS (632648) implement HSTS in the best possible way.
  • 175 of the Alexa top million domains (roughly 0,02%) using HTTPS (632648) implement HPKP in the best possible way.
  • 20% of the top Alexa domains using HPKP over HTTPS send zero or just one pin, which is useless from the browser's standpoint since the browser will ignore it. Most of them (73,65%) pin the intermediate certificate.
  • 17% of the Alexa domains implementing HPKP use a wrong or ignored max-age value.
  • The most used pin (a certificate from Comodo) is pinned by 40 different domains from Alexa and Shodan.
  • There are a total of 18197 domains preloaded in the Chromium list (shared with Firefox). As of December 2016, only 2056 domains from the Alexa top 1 million are in that list.
  • Of those 2056 preloaded domains in the Alexa top list, 662 contain errors when checked against the official preloading API, so strictly speaking they should not be preloaded. Whatsapp and Facebook are among the domains that do not meet the mandatory conditions for preloading, yet they are preloaded.

Here is the whole report.

What does Big Data tell us about the way people move around Brazil’s favelas?

AI of Things    16 January, 2017
Brazil has seen its fair share of the world’s media spotlight in the past year, with positive storylines around the success of the Rio Olympics, as well as more negative headlines about its continued problem with corruption in politics and the pressure of its economic crisis with almost 12% unemployment and stubbornly high inflation.

In recent weeks, Brazilians have been protesting against the Senate’s attempt to implement a 20-year spending freeze, which the United Nations has criticised for hitting the country's poor hardest, forcing even more people into economic hardship and into the favelas of Brazil.
Although these urban populations are difficult to measure and monitor, according to official data from the Brazilian Institute of Geography and Statistics (IBGE), about 11.4 million people (6% of the population) live in 6329 favelas across Brazil.  Unsurprisingly, many of these people work in low-income jobs, with irregular schedules and multiple work locations, making it difficult for local governments to find the right datasets to support their urban planning around public transport and infrastructure. 
Paraisópolis
Figure 1: Paraisópolis is one of São Paulo’s largest favelas.
Our LUCA team in Brazil are currently working with the World Bank and the University of São Paulo to see how our Smart Steps mobile data product would enable decision-makers to obtain better data in a more efficient way, using Big Data for Social Good. By gathering Smart Transport Card data, mobile app data and data from a range of telecommunications carriers, the multidisciplinary team are investigating the movements of people living in Paraisópolis, a favela area with approximately 55000 inhabitants in the city of São Paulo.
Partnerships
Figure 2: Our partnership with The World Bank and the University of São Paulo.
In our Smart Steps analysis, we looked at a total of 2 months of data at municipality level for the metropolitan area of São Paulo and intramunicipality level for the 96 districts of the city of São Paulo.  In the district of Vila Andrade we divided the geographical area between Paraisópolis itself and the rest of the district. Our objective was to create an Origin-Destination (OD) matrix of trips between Paraisópolis and these other areas of the city – using anonymized and aggregated mobile event data to understand how people move around according to the day of the week and the time of the day –  as well as providing insights on their demographic profile and the purpose of their journey. 
Luiz Branquinho, our lead Data Scientist in LUCA Brazil reflected on the project: “Difficulty in access and lack of security has always been a challenge for field research, especially in communities suffering from poverty and crime. It is great to see that technology can help us to overcome this barrier, providing quality data that allows quality urban planning for the whole city.”

“It is great to see that technology can help us to overcome the barriers of poverty and crime, providing quality data that allows quality urban planning for the whole city.”


Our Business Development Manager in Brazil, David O’Keefe said “Our Smart Steps platform gives us unprecedented insights into how people move in and around cities. This project was an important opportunity to collaborate with the World Bank and USP to better understand the unique demands for urban mobility in Paraisópolis, providing insights that can improve the quality of life for residents of the community.”

See You at the RSA Conference 2017

Florence Broderick    16 January, 2017

The U.S. city of San Francisco is to host once again, as it does every year, one of the most important events worldwide in the field of security, RSA Conference. From 13 to 17 February, the most relevant players within the industry worldwide will gather, and ElevenPaths, Telefónica’s cyber security unit, will be there among them of course.

We offer you a pass to the exhibition area absolutely free of charge. To get your ticket you only need to register here using the code: XE7TELFNCA. Deadline for registration February 10th.

We look forward to seeing you at stand #410 in the South Hall of the Moscone Center, where you can:

  • Enjoy a one-on-one with ElevenPaths’ senior executives and cyber experts.*
  • Join our Cyber Security lovers’ day party on Tuesday 14 February at 3:00 p.m.

Remember! We look forward to seeing you from 13 to 17 February at the RSA Conference in San Francisco, at the Moscone Center, South Hall, stand #410.

*To book your one-on-one with our experts, complete the e-mail with your name, surname, title, availability, company and meeting purpose. Deadline for booking: February 9th.