The latest from MWC21: connectivity, innovation and entertainment in Telefónica’s digital home

Kassandra Block    28 June, 2021

How are we reinventing the home at Telefónica? The pandemic has changed consumer habits and the home has become a space where we work, have fun and socialise.    

All of this was possible thanks to the connectivity that Telefónica offers with the most extensive fibre-to-the-home network in Europe. We have proven to be up to the task when our customers needed a fast and efficient network more than ever, enabling them to get the most out of their homes. Our connectivity is complemented by an ecosystem of services and devices. Thanks to Aura, our Artificial Intelligence, it provides unique digital experiences.   

And we continue to anticipate the needs and demands of our customers. We do so by focusing on innovation and entertainment in the home with new features and services. If you want to know all the news that we will showcase about the digital home in this edition of MWC21, visit our stand. You can also discover them virtually here. In this post you will find a brief summary of all you can expect.  

Managing home connectivity

At Telefónica we knew that offering excellent connectivity was not enough if it was not simple and accessible to our customers. That’s why we developed a market-leading service: Smart WiFi. Thanks to the Smart WiFi mobile app, which is free, customers can manage all their home connectivity directly from their smartphone. They can do so from inside or outside the home.   

The app does more than let customers manage which devices have access to the Wi-Fi network: they can also block, pause or allow Internet access for these devices. Additionally, the app offers the possibility of optimising the Wi-Fi or activating services such as Conexión Segura to protect Internet browsing. It also allows them to create profiles to set parental control schedules. Moreover, they can conveniently change the Wi-Fi password and even create an exclusive network for guests.

It will soon include a new gaming feature to obtain the best online gaming experience with the highest speed and stability.   

Users will be able to play wirelessly and get the same experience as if they were connected via ethernet. The new feature also brings benefits for users of online services such as cloud gaming and multiplayer. 

TV-commerce and edutainment: Living Apps at MWC21

In the last year, we have seen how online shopping has increased and how it has become a shopping preference for many users. That’s why we were the first Telco to create our own TV-commerce platform within the Living Apps ecosystem at Movistar+ TV. 

Our “Shopping” Living Apps catalogue allows companies to create their own online shop on television. That enables them to offer their products to more than one million customers. Our partners include Samsung, Debuencafé, tu.com and Niomia. For companies we have developed an online platform so that they can manage all their products and product information (description, price, stock) quickly and easily.  

For the customer we have also developed a crucial part when it comes to making purchases: reinforcing security. Thanks to our collaboration with CaixaBank, users can shop comfortably from their television and confirm payments with the double security factor on their mobile phone. In addition, they do not need to download or install any software to access the Shopping Living Apps.   

Edutainment: education and entertainment without leaving Movistar+

In our Digital Pact, digital education is a fundamental pillar to reduce inequality through training. For this reason, we offer content in our Movistar Campus Living App to complement the traditional educational offer. 

Movistar Campus has an edutainment offer that combines education with entertainment and offers customers the opportunity to reinforce professional and personal skills for all ages, in different formats, from television. There is language content, master classes in cooking, finance, photography and a wide range of proposals from platforms such as Magistral, Podimo, Duolingo, Vivlium and Zonavalue.   

At the same time, it offers edutainment creators the opportunity to make their educational content available to more than one million Movistar customers.   

Movistar Tokens at MWC21

Digitalisation is becoming increasingly ubiquitous and Telefónica wants to simplify the way in which people relate to technology. This is how Movistar Tokens came about, the programme that rewards our customers for being increasingly digital. 

When the customer performs certain actions, they generate tokens that can then be exchanged for an exclusive catalogue that includes new movie releases or data bonuses, among many other things. This way, they will get the most out of their Movistar world. Activation of this programme is free and very simple. The customer only has to download the Mi Movistar mobile app, access the “My products” or “Explore” section, and register for the programme.   

Privacy control with the Movistar Transparency Centre

Telefónica will present its Transparency Centre at MWC21, which is the result of a commitment to offer customers a more transparent and reliable relationship environment. It is an innovative space where customers can easily consult and manage the information they generate using our services. They will also be able to manage their privacy. 

The Transparency Centre is now available on the Mi Movistar mobile application, movistar.es and soon on Movistar+ TV. Through the mobile app, in the “Privacy preferences” section, users can manage the processing of their data. In the “Data query and download” section, they can view the data and download a transparency report with detailed information, for example, on the data consumption, calls, etc. All this without complicated technicalities, but in a simple and transparent way, so that our customers can be in control of their data! 

This is part of our Digital Home. If you want to know more about it and you are at MWC21, visit stand 3K31 in Telefónica’s Hall 3 or find out more here.

Cyber Security Weekly Briefing June 19-25

ElevenPaths    25 June, 2021

SonicWall fixes a critical vulnerability that had been partially fixed

In October last year, SonicWall fixed a critical buffer overflow vulnerability in SonicOS under the identifier CVE-2020-5135, which affected more than 800,000 SonicWall VPN devices. This flaw allowed unauthenticated attackers to remotely execute code on the affected device or cause a denial of service by sending specially crafted HTTP requests to the firewall. However, security researcher Craig Young now reveals that this patch left a memory information exposure flaw uncorrected. That flaw has been identified as CVE-2021-20019 and was not fixed until the most recent release of SonicOS.

More info: https://www.tripwire.com/state-of-security/featured/analyzing-sonicwalls-unsuccessful-fix-for-cve-2020-5135/

Zyxel alerts its customers of attacks against their devices

Zyxel has alerted customers via email about a series of attacks targeting the VPN systems, firewalls and load balancers that the company offers and that have SSL-VPN-enabled remote management. Specifically, these attacks are said to target USG, ZyWALL, USG FLEX, ATP and VPN series network devices running the ZLD firmware on-premises. According to Zyxel, the attacker tries to access the device via WAN and, if successful, attempts to bypass authentication systems and establish a VPN connection through an SSL tunnel with an unknown user (e.g. “zyxel_slIvpn”, “zyxel_ts”, “zyxel_vpn_test”) to manipulate the device’s configuration. At this stage, it is not known whether the input vector for these attacks is an old vulnerability present in unpatched devices or a new 0-day vulnerability. Nevertheless, Zyxel has shared a number of mitigation measures against this threat.

All the details: https://therecord.media/zyxel-says-a-threat-actor-is-targeting-its-enterprise-firewall-and-vpn-devices/

Matanbuchus: new Malware-as-a-Service

Researchers at Palo Alto’s Unit 42 have published details of a new Malware-as-a-Service (MaaS) called Matanbuchus Loader. This MaaS was first spotted in February this year on underground forums linked to the BelialDemon threat actor, who set a price of $2500 for its acquisition. The initial distribution vector for the artifact is an Excel document with malicious macros, which executes a file downloaded from an external domain. Matanbuchus has multiple capabilities, such as running .exe or .dll files in memory, leveraging the schtasks.exe scheduled task service for persistence, running PowerShell commands and using system executables to load DLL libraries. Palo Alto has identified several organisations affected by this malware in the US and Belgium.

Learn more: https://unit42.paloaltonetworks.com/matanbuchus-malware-as-a-service/

DarkRadiation: New ransomware targeting GNU/Linux systems with worm-like functionality

Trend Micro researchers have analysed the functioning of a recently discovered ransomware, which has been named DarkRadiation and targets GNU/Linux systems. It is fully implemented in Bash, and most of its components target Red Hat and CentOS distributions and, to a lesser extent, Debian-based distributions. This ransomware uses the Telegram API for communication with the C&C server and has worm-like functionality via the SSH protocol. To evade detection it makes use of the open source obfuscation tool “node-bash-obfuscate”, with which the attackers obtain zero detections in VirusTotal. Researchers have observed that this ransomware is in continuous development, with multiple versions belonging to different campaigns.

More details: https://www.trendmicro.com/en_us/research/21/f/bash-ransomware-darkradiation-targets-red-hat--and-debian-based-linux-distributions.html

Telefónica Tech At MWC: Economic and Social Recovery Are Our Priorities

Bernardo Campillo    24 June, 2021

After a year of forced suspension due to health circumstances, in 2021 the world’s leading telecommunications and technology event will be held once again: the Mobile World Congress in Barcelona from the 28th of June to the 1st of July. It will be much smaller in size compared to previous editions, but it is sure to be a meeting point for the industry and a stage for the presentation of numerous technological innovations. In addition, this edition brings a novelty compared with all previous ones: the possibility of visiting the congress virtually through a Digital Twin.

Telefónica will be present both in person and in this new online format, with the aim of highlighting our intention to act as a key catalyst in the economic and social recovery of the country, promoting the digital transformation of the business network in its key sectors and of society in general.

Telefónica’s presence is structured around three major blocks: Business, Society and Planet, where we deliver a message of hopeful present and how we see the evolution in each of them.

Within the Business axis, we focus on displaying

  • how we help to digitalise SMEs with specific proposals for Cloud, Cyber Security, improving the relationship with the clients through social listening and the discovery of their characteristics and needs, etc.,
  • what is the present and future of the so-called Smart Tourism, with a live demonstration of our predictive tourism occupancy modelling solutions,
  • the evolution towards Industry 5.0, displaying our predictive maintenance tools for industrial assets,
  • without forgetting Digital Security as a transversal feature of all Telefónica’s digital service proposals.

On the other hand, in the axis focused on Society, we offer our solutions for

  • digitalisation of sport, showing our Global Sport Platform and how it helps to monitor and improve the health of even the youngest athletes or how Artificial Intelligence simplifies the dissemination of sports content for all types of clubs,
  • Digital Home, or how our clients can access in a new way a universe of interactive content (e.g., Living Apps) or new and improved training possibilities (e.g., Edge Gaming, etc.).

Finally, in the part of our message to the Planet, we want to highlight our commitment to sustainability and the environment through two initiatives that are already running:

  • The commitment to develop increasingly green, sustainable and transparent digital services, with the EcoSmart branding of our Products and Solutions portfolio, showing all our clients how our services are increasingly environmentally friendly,
  • and the application of technology to smart, efficient and sustainable farming or how IoT (Internet of Things) technologies help to reduce the footprint of water, energy and other resource use to make agriculture a tool towards a sustainable future in every sense.

As we pointed out at the beginning, all this content can finally be enjoyed in three ways: in person with the demos at the stand and the information provided live by our colleagues (the “gurus”), on-line through the stand’s Digital Twin with interactive access to the content of the demos and, finally, through the Digital Notebooks, an electronic distribution, also interactive, with our full detailed and in-depth message and vision.

Finally, we will also be present at more than 10 events organised by the GSMA (e.g., presentations, expert panels, sectorial round tables, etc.) where we will offer our vision in areas such as Industry, Mobility, Blockchain, Big Data/AI, etc. through our speakers selected by the GSMA.

Telefónica Tech, as the technological arm of digital services initiatives in such important ecosystems as IOT, Big Data/AI, Cyber Security and Cloud, has an important presence in all this deployment, with direct participation in all the demos of the physical stand (and its consequent reflection in the Digital Twin) and also providing content in almost all the Digital Notebooks that will be distributed to the general public.

In short, Telefónica is attending MWC2021 with the intention of showing innovative solutions that are already a reality and that can be a social and economic activation driver for a bright future for Business, our Society and the Planet in general.

So, see you at MWC2021!

Telefónica Tech was Present at Advanced Factories 2021 With Its Proposal For The Industrial Sector

Telefónica Tech    22 June, 2021

On the 8th, 9th and 10th of June, the 5th edition of the Advanced Factories event was held in Barcelona, a major event in Spain on industrial automation, robotics and Industry 4.0. In addition, within the framework of #AF2021, the Industry 4.0 Congress took place, the largest congress for southern Europe and especially at national level, where the latest trends for the industrial sector and success stories in the digitalisation of these companies were discovered. This year, Telefónica Tech was an official sponsor of the event, and we were present in the congress agenda to present our technological capabilities in Cyber Security, Cloud, IoT&Big Data and Blockchain and how we contribute to Industry 4.0 thanks to our powerful value proposition, together with other key participants such as Schneider Electric, Siemens, Omron and HP.

In the post we launched last week, our colleague Andrés Escribano told us about the definitive evolution towards the digitalisation of the industry and we reviewed the most important topics that would be addressed at the fair.

During the congress, the Telefónica Tech experts spoke about the extremely high speed at which the sector is transforming, which means that we are already starting to talk about Industry 5.0. There are two main reasons for this new industry: 

  1. Companies require the manufacture of digital products, with high customisation, simplicity and very short delivery times.
  2. The COVID effect has accelerated the adoption of Industry 5.0 in terms of:
     • Process automation.
     • Remote operations to minimise impacts.
     • Agile and flexible production lines that withstand peaks and lows and adapt efficiently to changes in consumer demand.

This situation, also seen as a trend, makes it very important that technological partners with the characteristics of Telefónica Tech support clients in the sector.  

 
“We believe that only 10% of sensors in the industry are connected, so the opportunity is huge,” Gonzalo Martín-Villa, CEO at Telefónica Tech IoT & Big Data. 

In order to compete in the new Industry, enablers such as IoT, Big Data, Artificial Intelligence, Cyber Security, Cloud… are fundamental. In all of them, Telefónica Tech has important proprietary capabilities that we adapt to the client’s needs and that, together with those of an ecosystem of companies with specific knowledge of industrial processes, allow us to offer e2e solutions to the sector.

 
“If you are in the industry sector, you have to be already developing projects to digitalise processes, because it will be the differential that will allow you to compete”, Agustín Cárdenas, Director of Business Transformation at Telefónica Empresas. 

In this video, the experts who participated in Advanced Factories 2021 tell us where the sector is heading and why Telefónica Tech’s offer is unique in the market: 

Fraud Orchestration is Helping Financial Institutions Fight Fraud in Real-Time

Barry Bowen    21 June, 2021

Banking has gone digital. In 2019, financial institutions are leveraging technology more than ever to provide the type of customer experience being demanded by today’s consumer market. The financial services industry has been going through a digital transformation in recent years. Consumers are free to complete almost any financial transaction from a computer or mobile device; getting pre-approved for a home mortgage loan or depositing a check by taking a photo is now easier than ever.

These financial organizations have opened new channels for customers to use, providing a sophisticated level of convenience, security, and timeliness when it comes to banking and online transactions. With convenience and timeliness to meet current consumer preferences comes the rise of digital fraud looking to take advantage of weaknesses in financial banking systems.

Fraud fragmentation is one of the biggest issues facing the financial services industry, an industry where the average cost of fraud grew 9.3% from 2016 to 2017. This article will take a closer look at current challenges facing financial institutions and how these challenges can be managed through a new form of fraud management known as “fraud orchestration.”

Current Challenges

A few of the challenges the financial services industry is facing when it comes to increased digital fraud include multi-channel banking options, mobile dominant customers, and synthetic identity theft.

Multi-Channel Banking

Multi-channel banking refers to the array of services financial institutions provide their customers to manage their finances. Mobile is quickly becoming the dominant channel, but customers can also use ATMs, physical branch locations, and the telephone to service their banking needs. Providing more channels means providing more value for customers. Unfortunately, it also creates a silo effect where fraudulent activities can be hard to manage across different channels.

The complexity and visibility into multi-channel fraud prevention is a major issue for financial institutions. Fraudsters are educated on the challenges of multi-channel banking and know how to exploit weaknesses for illicit gain. For example, a fraudster can steal personal information from one banking channel and use this information to commit fraud on another channel. If fraud prevention systems lack cross-channel communication and transparency, this provides a cloak for illicit activities to cultivate and adversely impact financial institutions.

Mobile Dominant Customers

Recent studies show that banking customers are going mobile more than ever. A report by Fiserv shows that mobile is now the most heavily used banking channel, with customers accessing mobile banking an average of 8.4 times within a 30-day period. Financial institutions are pushing for more of their customers to use mobile banking services, as it is by far the most cost-effective method. For example, in 2018 a retail bank spent roughly $4 every time a customer called or visited a physical branch.

The exact same transaction costs just $.10 when completed via a mobile app. Not only is mobile banking more convenient for customers, who can manage their finances from anywhere at any time, it is also saving banks a significant amount when it comes to operational expenses. PwC also reported that 15% of customers are now mobile dominant, up from 10% the prior year, a significant increase in customers going full-mobile when it comes to banking.

Synthetic Identity Theft

Synthetic identity theft is defined as a type of fraud where criminals piece together real and fake personal information to create a new identity, which is then used to open fraudulent banking accounts or make fraudulent purchases. This type of fraud has quickly become the fastest growing and hardest to detect form of identity theft to date. TransUnion found that between 2015 and 2016 alone there was an increase in synthetic fraud balances of 68%. These fraudulent activities resulted in $800 million in credit card losses in 2017, an increase of 38% since 2015.

Synthetic identity theft is the most common type of identity fraud and is becoming a major source of losses for financial institutions. A big reason is that banking fraud systems are not sophisticated enough to catch the illicit activity before it is too late. Fraud detection can be made all the more difficult if multiple banking channels are siloed and unable to effectively communicate with one another. Financial institutions must be diligent in finding ways to prevent synthetic identity theft, which is estimated to be the source of 80% of credit card losses in the industry.

Why Fraud Orchestration is the Answer

Fraud orchestration can be the answer to the many challenges facing financial institutions in this digital age. Fraud orchestration creates a centralized platform where fraud activity can be viewed across the entire enterprise, no matter how many banking channels exist. It acts as a fraud management mission control where all fraud activities are visible for fraud teams to address in real-time, and as a data-driven platform leveraging adaptive analytics to boost fraud performance and response actions. There are several advantages to fraud orchestration, which include:

Increases operational efficiency

A centralized, anti-silo fraud management platform which improves communication between banking channels increasing fraud prevention optimization

Creates enterprise-wide transparency

Fraud orchestration creates a mission control where fraud activities are made transparent across the entire enterprise leading to real-time action to catch fraud in the act

Decreases operational costs

There is no need for additional staff or training to monitor countless fraud management systems; fraud orchestration brings all fraud systems onto one platform

Reduces customer friction

Faster fraud response equals less customer friction for financial institutions, it is that simple

Wrapping Up

Fraud orchestration is the future of fraud management in the financial services industry. This technology allows financial institutions to stay ahead of fraudsters who are always searching for weaknesses in fraud prevention. Multi-channel offerings to customers do not have to come at a high cost when it comes to an increased risk of illicit activities. Let’s help all of our fraud prevention systems sing in unison through fraud orchestration.

Cyber Security Weekly Briefing June 12-18

ElevenPaths    18 June, 2021

0-day vulnerability in Chrome, the seventh so far this year

Yesterday, June 17, Google released version 91.0.4472.114 of Chrome for Windows, Mac and Linux, resolving a 0-day vulnerability classified as CVE-2021-30554. The exploitation of this flaw could lead to arbitrary code execution on systems running unpatched versions of Chrome. For its part, Google has not disclosed any further information about the security issue, pending most users updating their browsers. This type of 0-day vulnerability has recently been exploited by the PuzzleMaker threat actor in order to break out of the browser’s framework and install malware on Windows systems. Additionally, the update has addressed three other serious browser vulnerabilities, affecting the Chrome Sharing, WebAudio and TabGroups components, which have been identified as CVE-2021-30555, CVE-2021-30556 and CVE-2021-30557.

https://chromereleases.googleblog.com/2021/06/stable-channel-update-for-desktop_17.html

0-day vulnerabilities in Apple

Apple has issued security updates to address two 0-day vulnerabilities affecting its iOS 12 mobile operating system. The fixed flaws, listed as CVE-2021-30761 and CVE-2021-30762, are due to issues in the WebKit browser engine and could allow an attacker to execute arbitrary code when processing specially crafted malicious web content. The firm warns that these vulnerabilities are being actively exploited. The security update also addresses a memory corruption issue in the ASN.1 decoder, listed as CVE-2021-30737, which would allow remote code execution. The devices affected by these flaws are iPhone 5s, iPhone 6s, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3 and iPod touch (6th generation), all of which are patched with iOS version 12.5.4.

https://support.apple.com/en-us/HT212548

Microsoft stops a high-impact BEC operation

The Microsoft 365 Defender research team, together with the Microsoft Threat Intelligence Centre (MSTIC), has discovered and disrupted the infrastructure of a large-scale BEC operation. Their analysis shows that the threat actors were exploiting various cloud-hosted web services to compromise email inboxes and add forwarding rules, using different IPs and adding time latency between actions in order to go undetected by security systems. To gain initial access to the victim’s host, they reportedly used credentials obtained through social engineering techniques, sending phishing emails with an HTML attachment containing JavaScript that imitated a Microsoft login. Once the user’s credentials were compromised, they would access the mailbox and add forwarding rules with parameters such as “invoice”, “payment” or “statement”, which gave them access to financial information as well as a persistent information exfiltration channel. They also allegedly created rules to delete mails that were forwarded to their infrastructure, adding complexity to the detection of their operations.

https://www.microsoft.com/security/blog/2021/06/14/behind-the-scenes-of-business-email-compromise-using-cross-domain-threat-data-to-disrupt-a-large-bec-infrastructure/
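
The mailbox-rule pattern described in this item (external forwarding on finance keywords, paired with rules that delete the same mail) can be checked for in an export of inbox rules. The following is an added example, not code from Microsoft or from this briefing: the records are constructed, their field names are modelled on the properties returned by Exchange Online's Get-InboxRule cmdlet (with `Mailbox` and plain SMTP addresses as simplifications), and `example.com` as the internal domain is an assumption.

```python
from collections import defaultdict

# Keywords quoted in the briefing as forwarding-rule parameters.
FINANCE_KEYWORDS = {"invoice", "payment", "statement"}
# Assumption: the organisation's own mail domains.
INTERNAL_DOMAINS = {"example.com"}

# Constructed sample export; addresses and rule names are invented.
SAMPLE_RULES = [
    {"Mailbox": "ap@example.com", "Name": ".",
     "BodyContainsWords": ["invoice", "payment", "statement"],
     "ForwardTo": ["collector@mail-relay.example.net"], "DeleteMessage": False},
    {"Mailbox": "ap@example.com", "Name": "..",
     "SubjectOrBodyContainsWords": ["Invoice"], "DeleteMessage": True},
    {"Mailbox": "hr@example.com", "Name": "to assistant",
     "SubjectContainsWords": ["payment"],
     "ForwardTo": ["assistant@example.com"], "DeleteMessage": False},
    {"Mailbox": "dev@example.com", "Name": "copy home",
     "ForwardTo": ["me@personal.example.org"], "DeleteMessage": False},
    {"Mailbox": "sales@example.com", "Name": "stmt",
     "SubjectContainsWords": ["statement"],
     "RedirectTo": ["box@files.example.net"], "DeleteMessage": False},
]


def matched_keywords(rule):
    """Finance keywords used in any of the rule's word-match conditions."""
    words = set()
    for field in ("SubjectContainsWords", "BodyContainsWords",
                  "SubjectOrBodyContainsWords"):
        words.update(w.lower() for w in rule.get(field) or [])
    return words & FINANCE_KEYWORDS


def external_targets(rule, internal_domains=INTERNAL_DOMAINS):
    """Forward/redirect recipients whose domain is not an internal one."""
    targets = []
    for field in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
        for addr in rule.get(field) or []:
            domain = addr.rsplit("@", 1)[-1].lower()
            if domain not in internal_domains:
                targets.append(addr.lower())
    return targets


def assess_rule(rule, internal_domains=INTERNAL_DOMAINS):
    """Return reason codes for one rule; an empty list means no match."""
    reasons = []
    keywords = matched_keywords(rule)
    external = external_targets(rule, internal_domains)
    if external:
        reasons.append("external-forward")
    if external and keywords:
        reasons.append("finance-keyword-forward")
    if rule.get("DeleteMessage") and keywords:
        reasons.append("finance-keyword-delete")
    return reasons


def triage(rules, internal_domains=INTERNAL_DOMAINS):
    """Group findings per mailbox and rank them.

    high:   finance-keyword forwarding AND finance-keyword deletion
            on the same mailbox (the pairing the briefing describes)
    medium: finance-keyword forwarding to an external address
    low:    any other finding (e.g. plain external forwarding)
    """
    findings = defaultdict(list)
    for rule in rules:
        reasons = assess_rule(rule, internal_domains)
        if reasons:
            findings[rule["Mailbox"]].append((rule["Name"], reasons))

    report = {}
    for mailbox, hits in findings.items():
        codes = {code for _, reasons in hits for code in reasons}
        if {"finance-keyword-forward", "finance-keyword-delete"} <= codes:
            severity = "high"
        elif "finance-keyword-forward" in codes:
            severity = "medium"
        else:
            severity = "low"
        report[mailbox] = {"severity": severity, "rules": hits}
    return report


if __name__ == "__main__":
    for mailbox, entry in sorted(triage(SAMPLE_RULES).items()):
        print(mailbox, entry["severity"], entry["rules"])
```

Correlating per mailbox rather than per rule is what surfaces the forward-then-delete pairing; a deletion rule on its own is common and would otherwise be lost in noise.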

New malware evasion technique

Security researchers at Elastic have made public a new executable image manipulation technique, called “Process Ghosting”, which could be used by attackers to evade protections and stealthily execute malicious code on Windows. With this new technique, a threat actor could insert a malware component on the victim computer’s disk in a way that makes it difficult to detect. Such evasion takes advantage of the time lag from the creation of a process until the device’s security systems are notified of its creation, giving attackers a window to evade detection. The flow of the Process Ghosting attack would start by creating a file, changing its status to “delete-pending”, thus preventing access and reading, then assigning an image for the file on disk after inserting the malicious code and finally deleting it. The next step would be to create a process with the relevant environment variables, which would call a thread for execution. It is important to note that the success of this attack is due to the fact that calls from security systems, such as antivirus, are made when the thread is created, which will try to read an already deleted file, therefore bypassing security.

https://www.elastic.co/es/blog/process-ghosting-a-new-executable-image-tampering-attack

Attack on CCTV provider’s supply chain

FireEye’s Mandiant team has published an investigation into a new supply chain attack. The attackers in this incident, who have been identified as UNC2465, a group affiliated with the DarkSide ransomware, breached a legitimate website of a closed-circuit television (CCTV) camera vendor and planted a trojan inside a security camera PVR installer that users downloaded to configure and control their security devices. The installation of the malware also initiated the download of the Smokedham or Beacon trojan, among others. The researchers did not detect the presence of Darkside ransomware on the victims’ networks, mainly because this intrusion took place between 18 May and early June, and by this time Darkside had already announced it was ceasing its activity after the Colonial Pipeline attack.

https://www.fireeye.com/blog/threat-research/2021/06/darkside-affiliate-supply-chain-software-compromise.html

Critical vulnerability in ThroughTek supply chain

The US Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning regarding a critical software supply chain flaw affecting ThroughTek’s software development kit (SDK). Successful exploitation of this vulnerability could allow unauthorised access to sensitive information, such as audio/video streams from security cameras. The flaw, listed as CVE-2021-32934 and with a CVSS score of 9.1, affects ThroughTek P2P products with versions 3.1.5 and earlier, as well as versions with the nossl tag and various firmware configurations.

https://us-cert.cisa.gov/ics/advisories/icsa-21-166-01

Telefónica Tech, the new technologies blog

Telefónica Tech    18 June, 2021

They say that together we are stronger, and at Telefónica Tech we have come to realise this. Good support is always a safe bet to strengthen the path, and if that support is called Cyber Security, Big Data, Cloud, Artificial Intelligence, IoT or Blockchain, things get even better.

At Telefónica Tech we know that together we are more capable and stronger to achieve great things. That’s why our technologies have joined forces for some time now to move towards a common goal: to provide the best technological services to our clients.

Now that union has also reached Think Big Empresas. We want to simplify our communications in order to enhance their quality and dissemination. One of our main commitments is to make the steps that our technologies are taking accessible. To achieve this, we have redesigned the covers of ElevenPaths and AIofThings and we are welcoming a new meeting place and information reference on technology. And so, the Telefónica Tech blog is born.

Cyber Security, Cloud, IoT, Big Data, Artificial Intelligence and Blockchain. Our technologies will generate a lot of buzz and we want to be the ones who, firsthand, keep you informed about the latest news, advances and success stories.

Do you want to know more about Telefónica Tech? Press PLAY!

IoMT Mobile Applications and The Relevance Of Their Security

Carlos Ávila    17 June, 2021

Almost a year ago, in the article “Internet of Health”, I described the incredible number of applications and devices that the medical industry has deployed and that all of us will be using in the not so distant future. As has happened in other industries, perhaps this is the natural path for technologies and the medical industry to follow, with the aim of improving services and the quality of people’s lives.

With all these changes, we now find a new term, IoMT or “Internet of Medical Things”, which, through IoT (“Internet of Things”) technologies, is here to stay. In IoMT, sensors embedded in traditional medical devices, combined with other technologies such as Big Data, collect data that, when extracted and analysed, offers better service to patients and health professionals.

IoMT Mobile Applications And Functionalities

It is well known that hospitals around the world are becoming increasingly equipped with technological systems involving remote patient monitoring, insulin pumps, medication management, etc., all of which are connected to the hospital’s technological infrastructure.  

The idea of IoMT ultimately is to generate an interconnected health ecosystem with all these devices and technology platforms, and this is where mobile applications play a key role.

These mobile applications developed for IoMT are in many cases (directly or indirectly) managing devices and systems of the hospital infrastructure, both within hospitals and externally. These applications start to execute actions or make data-driven decisions within a healthcare infrastructure because they will remain connected, for example, to smartwatches, patient wristbands, asthma inhaler monitoring, urology sensors, etc.

Certain Findings On IoMT Apps

We have reviewed a few of these IoMT mobile applications using our mASAPP (mobile application continuous security analysis) platforms, as well as carrying out a very cursory review with physical devices. It is important to mention that every industry, and healthcare is no exception, must constantly look for flaws, analyse its security and implement new security controls, since technology is continuously changing and so is the way to protect it.

Firstly, I can highlight that there are applications that, when registering a user, allow the use of weak passwords without any password strength control. Also, these applications have a common characteristic: no 2FA controls were identified.

image 1: Does not validate password complexity at user registration (e.g., “password”)

Another interesting aspect is that we found easily readable structures in .plist files, which indicates bad practice in the form of insecure storage of this data or inadequate review before uploading the applications to the app stores.

image 2: Files with hardcoded data in .plist files
image 3: Hardcoded certificate files in apps
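
The kind of pre-release review that would catch the .plist finding above can be automated. The following is an added example, not code from the article or from mASAPP: it parses a property list with Python's standard `plistlib` and flags literal values stored under credential-like keys, embedded private keys and URLs carrying credentials. The key-name heuristics and the sample file are constructed for illustration.

```python
import plistlib
import re

# Key names that suggest a stored credential (heuristic list, an assumption of this example).
SUSPECT_KEY = re.compile(r"pass(word|wd)?|secret|token|api[_-]?key|private[_-]?key", re.I)
# Value shapes that are sensitive whatever the key is called.
SUSPECT_VALUE = [
    ("pem-private-key", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
    ("url-with-credentials", re.compile(r"^[a-z][a-z0-9+.-]*://[^/\s:@]+:[^/\s@]+@", re.I)),
]

def walk(node, path="", key=""):
    """Yield (path, nearest key name, leaf value) for every leaf of a parsed plist."""
    if isinstance(node, dict):
        for k, v in node.items():
            yield from walk(v, f"{path}/{k}", k)
    elif isinstance(node, list):
        for i, v in enumerate(node):
            yield from walk(v, f"{path}[{i}]", key)
    else:
        yield path, key, node

def scan_plist(data: bytes):
    """Return sorted (path, reason) findings for one plist, XML or binary."""
    findings = []
    for path, key, value in walk(plistlib.loads(data)):
        if isinstance(value, bytes):          # <data> elements, e.g. bundled certificates
            value = value.decode("utf-8", "replace")
        if not isinstance(value, str) or not value.strip():
            continue                          # booleans, numbers and empty strings carry no secret
        if SUSPECT_KEY.search(key):
            findings.append((path, "credential-like key with literal value"))
            continue
        for name, pattern in SUSPECT_VALUE:
            if pattern.search(value):
                findings.append((path, name))
                break
    return sorted(findings)

# Constructed sample standing in for a configuration plist shipped inside an app bundle.
SAMPLE = plistlib.dumps({
    "CFBundleName": "ExampleHealth",
    "Backend": {
        "BaseURL": "https://api.example.invalid/v1",
        "ApiKey": "EXAMPLE-NOT-A-REAL-KEY",
        "SyncURL": "https://svc:example-pass@sync.example.invalid/",
    },
    "Certs": [b"-----BEGIN RSA PRIVATE KEY-----\n(constructed placeholder)\n"],
    "DbPassword": "",
})

if __name__ == "__main__":
    for path, reason in scan_plist(SAMPLE):
        print(f"{path}: {reason}")
```

Run against every .plist in the built bundle before submission, a non-empty result is a reason to move the value to the platform keystore or to the backend.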

While applications establish secure communication channels (HTTPS) with their backends, we notice that developers often arbitrarily disable security features that strengthen the communication channel on the client (app) side.

This is just a sample of the opportunities for improvement that these applications have. Likewise, we must not forget that many of these applications communicate directly through protocols such as Bluetooth or the internet with IoMT or IoT devices, expanding possible attack vectors for cybercriminals that we must be aware of to investigate and protect.

Challenges And Opportunities For Improvement

There are new challenges and attack vectors for administrators, manufacturers and security researchers alike as we are likely to see many more threats to hospital infrastructures through the IoMT ecosystem with the implementation of IoMT devices and their applications in facilities around the world.

Other issues to address relate to the standardisation of these devices and of the diverse communication protocols already implemented in healthcare technology environments. As we have seen with the mobile applications focused on these devices, this is already happening and is likely to increase rapidly, so the security challenges in applying IoMT are significant and we should start to pay attention to them as a potential risk that attackers want to take full advantage of.

DevSecOps: 7 Key Factors for Implementing Security in DevOps

ElevenPaths    16 June, 2021

DevSecOps, also known as SecDevOps, is a software development philosophy that advocates the adoption of security throughout the software development lifecycle (SDLC). DevSecOps is more than just a specific tool or practice; it promotes security automation, communication and scalability.

DevSecOps was born as an evolution of the DevOps methodology. Its main motivation is to automate security to respond to the acceleration in software release cycles promoted by the adoption of DevOps. DevSecOps not only adds security elements to DevOps cycles, but when applied correctly, makes security an integral part of the entire process, from start to finish. As a result, the security team becomes much more engaged with the other teams involved in the SDLC, including Development and Operations. This eliminates friction, as the natural tension between speed and security is shared by all teams.

Despite, or perhaps due to, its widespread adoption, the DevSecOps methodology is criticised for its lack of specificity or specific guidelines. In this post, we want to offer seven directly applicable tips that solve the most common problems we observe in teams adopting DevSecOps.   

1. Using IAST tools to avoid false positives and tuning SASTs

Application Security Testing (AST) tools, such as SAST and DAST, allow developers to find vulnerabilities without being security experts. The problem is that, due to outdated and unsophisticated approaches, these tools do not offer an ideal level of accuracy. To avoid this lack of accuracy, we recommend the use of a more accurate detection tool such as an IAST (Interactive Application Security Testing). IAST tools do not require “tuning” or manual checks as they do not generate false positives.

2. Integrating security flaws into collaboration tools to improve coordination

Integrate the bug tracker your team is using, e.g., Jira, with the security tools so that developers can view security bugs as regular tasks. The goal behind this recommendation is that developers do not move away from the environment they normally use.

3. Define metrics and thresholds to ensure quality if deployment rates accelerate

In the same way that compilation bugs halt deployment, so should security bugs. Known as “security controls”, these checkpoints ensure that code arriving at CI/CD respects security standards. Create automatic security checkpoints to meet quality objectives and halt the build if the number of vulnerabilities exceeds a threshold.
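
A checkpoint of this kind can be a small script run as a pipeline step. The following is an added example, not taken from the article or from any specific product: the report layout (`findings`, `id`, `severity`), the threshold values and the accepted-risk list are assumptions, and the sample report is constructed.

```python
import json
import sys

SEVERITIES = ("critical", "high", "medium", "low")
# Maximum findings tolerated per severity before the build is halted (assumed policy).
THRESHOLDS = {"critical": 0, "high": 0, "medium": 5}

def evaluate_gate(report, thresholds=THRESHOLDS, accepted=frozenset()):
    """Return (passed, counts, violations) for one scanner report."""
    counts = dict.fromkeys(SEVERITIES, 0)
    for finding in report.get("findings", []):
        if finding.get("id") in accepted:      # risk formally accepted and tracked elsewhere
            continue
        sev = str(finding.get("severity", "")).lower()
        # Fail closed: a missing or unknown severity is counted at the strictest level.
        counts[sev if sev in counts else "critical"] += 1
    violations = [
        f"{sev}: {counts[sev]} > {limit}"
        for sev, limit in thresholds.items()
        if counts[sev] > limit
    ]
    return (not violations, counts, violations)

# Constructed sample report; a real pipeline would pass the scanner's JSON file as argv[1].
SAMPLE_REPORT = json.loads("""
{"release": "1.4.0", "findings": [
  {"id": "F-1", "severity": "High",   "title": "SQL injection in /search"},
  {"id": "F-2", "severity": "medium", "title": "Missing HttpOnly flag"},
  {"id": "F-3", "severity": "low",    "title": "Verbose error page"},
  {"id": "F-4", "title": "Finding exported without a severity"}
]}
""")

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            report = json.load(fh)
    else:
        report = SAMPLE_REPORT
    passed, counts, violations = evaluate_gate(report)
    print("findings per severity:", counts)
    for line in violations:
        print("threshold exceeded ->", line)
    sys.exit(0 if passed else 1)               # a non-zero exit halts the CI/CD stage
```

The per-severity counts it prints for each release are also the raw material for the continuous reporting described in point 5.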

4. Automating design error protection to reduce manual verification (pentesting)

To mitigate the bottleneck of manually verifying these errors, we recommend automating validation using solutions and architectures that are secure from the start. Teams of pentesters are more productive when they have a clear picture of the areas to attack.

5. Adopt continuous reporting to gain visibility on security history

Continuous reporting involves the creation of security reports and metrics that track the evolution, number and severity of vulnerabilities for each release. The goal is to mitigate the lack of visibility into security history as new versions of the software are released. It is advisable to use tools such as Jenkins Reports or Web Reports and improve the reports by including the evolution of security flaws.

6. Integrating security into applications to improve cloud support

Adopting “security as code”, as opposed to hardware- or network environment-dependent approaches, means that applications remain secure wherever they go, without requiring configuration changes to adapt to a new deployment or a new version of the application.  

7. Ensuring linear scalability and affordable costs

Make sure your application security infrastructure is not a performance bottleneck. Look for security solutions that can scale steadily and linearly over time.

The seven recommendations we have outlined in this article are primarily aimed at empowering developers to create secure code by automating security. Hdiv Security was created by and for developers from the very beginning. The keys described in this article, and even our DNA as a company, have always pursued the DevSecOps philosophy even before the term existed. If you have any questions related to application security automation, please do not hesitate to contact us.

Security in video call applications: Microsoft Teams, Zoom and Google Meet

Antonio Gil Moyano    15 June, 2021

There is no doubt that instant messaging programmes have become an essential communication tool in our personal and professional lives. There is also no doubt that video calling applications, or the extension of this functionality to existing ones, have been a revolution during the pandemic, where they became the only form of visual communication due to the forced implementation of remote work.

There are many options, but in this article we are going to focus on some of the most professional ones, due to their connection with other applications and functionalities, always guaranteeing the security of the information shared and the privacy of communications.

Much has been written about this, including several publications that refer to a report last year by the US National Security Agency (NSA), which analysed the strengths and vulnerabilities of working remotely as a national security issue.

In our country, studies are also carried out by organisations concerned about national, citizen and business security, such as the National Cybersecurity Institute (INCIBE) or the National Cryptologic Centre (CCN) associated to the National Intelligence Centre (CNI).

We are going to focus on the report CCN-CERT BP/18, entitled “Security recommendations for remote working situations and reinforcement in vigilance”. Chapter 7 covers the security that should be applied to videoconferences and virtual meetings.

Let’s have a look at some of these recommendations:

  • The App/software must come from verified and authenticated repositories such as the manufacturer’s repositories or the application repositories of the platform providers (Microsoft, Google, Apple, Samsung, LG, etc.).
  • User and password identification and authentication must meet minimum strength requirements (e.g., recommended minimum character length, combination of letters, numbers and special characters, maximum number of failed authentication attempts, etc.).
  • Incoming connections must be accepted by the user; there must be no possibility of auto-response.
  • They should offer the possibility to access the session with or without video/audio.
  • The video sessions must comply with at least the following requirements regarding communication security:
    • Use TLS 1.2 secure channels in encrypted calls for signalling and AES-128 or 256 for media traffic.
    • SRTP traffic recommended for audio, video and media with AES-128 encryption.
    • In UDP traffic ensure AES-128 encryption and ensure that the initial key exchange is over a secure TLS channel.
  • Document sharing must ensure the confidentiality of data and repositories, as determined by the National Security Scheme.

With these recommendations in mind, let’s look at how each of the 3 solutions we have selected fits in.

Microsoft Teams

It certainly meets all the requirements you need for a “corporate” video conferencing solution, not only because it comes from a trusted manufacturer, but because all the security and functionality comes configured in Microsoft 365 and Office 365.

This makes it robust, stable, but above all reliable, which is what companies and professionals need when using such a solution. 

In this guide published by Microsoft in October 2020 (https://docs.microsoft.com/es-es/microsoftteams/teams-security-guide) you can see in more detail how Teams handles common security threats:

  • Attack using a known key
  • Denial of service network attack
  • Interception
  • Impersonation (IP addresses)
  • Man-in-the-Middle attack
  • RTP replay attack
  • Unwanted instant messages
  • Malware, virus…

Zoom

Possibly the most widely used video conferencing solution in the professional and personal sphere, Zoom became very popular during the lockdown: it is easy to use, low cost and even free of charge. However, there is room for improvement in terms of security.

The privacy and security section of their website provides advice on:

  • How to set up Zoom before starting a meeting.
  • Security settings to lock a meeting, expel, mute or report participants, disable file transfer or annotation, control screen sharing, disable private chat or recording control, among others.
  • In relation to protecting the data we share, it talks about AES 256 encryption of video, audio and screen sharing, audio signatures and watermarked screenshots, also local and cloud storage encryption of recordings, and file transfer.

It also covers the different security certifications. Regarding the privacy policy, it describes the different methods of authentication using existing applications or by password, as well as two-factor authentication, attendee authorisation for recordings, basic technical information of the meeting participants, storage of basic profile information…

The last 3 paragraphs are quite striking, as they expressly state that:

  • They have never had any intention of selling our information to advertisers and have no intention of doing so.
  • They do not monitor our meetings and their content.
  • They comply with all privacy policies, rules and regulations in the jurisdictions in which they operate, including the GDPR and the CCPA.

This relates to the CCN report on the use of Zoom and its implications for security and privacy, with recommendations and good practices, published in the wake of the cyber-attacks suffered during the lockdown.

In its conclusions it states that with proper configuration and safeguards, Zoom offers a safe and secure virtual meeting environment, regardless of the fact that this software is currently being targeted by cyber attackers due to its popularity.

Google Meet

As with Microsoft’s offering, Google Meet is the video conferencing solution integrated into G Suite, and it connects seamlessly with Gmail, Google Calendar, Docs, Drive, Jamboard, Chromecast and more.

Here you can see the security and privacy measures that apply to users, such as:

  • Security measures to protect video calls such as anti-hacker controls or preventing anonymous users (without a Google account) from joining the meeting, among others.
  • Encryption of all data by default, between the client and Google from both browsers and Android or iOS Meet applications.
  • Two-factor authentication.
  • On privacy and transparency, they say that we as users have control over our information, and that they apply data protection laws and other industry standards. They also say that they do not use our data for advertising purposes, nor do they sell the data to third parties. As with Zoom, it is striking to find these “reassuring” messages for users.
  • Security best practices for a trusted and secure meeting experience.

In conclusion, we must choose the solution that best suits our needs as a company or professional, always taking into account the integration with the different tools we use for the development of our work. If we consider this a priority, we should choose between Microsoft and Google. If what we are looking for is an application exclusively for video calls, prioritising simplicity without many requirements, Zoom would be the best candidate.

Regarding security, as we know, no solution is 100% secure. However, competition has meant that all of them have implemented security measures that they did not have before. Without a doubt, the objective is to generate the trust we need in order to share our information while working, guaranteeing its confidentiality, integrity and availability.