Cyber Security Weekly Briefing April 24-30

ElevenPaths    30 April, 2021

BadAlloc – Critical Vulnerabilities in Industrial IoT and OT Devices

Microsoft security researchers have discovered 25 critical remote code execution (RCE) vulnerabilities, collectively referred to as BadAlloc, affecting a wide range of devices, from consumer and medical IoT to industrial control and operational technology (OT) systems. An attacker could exploit the flaws to bypass security controls and execute malicious code on the devices or cause the system to crash. The vulnerabilities are present in real-time operating systems (RTOS) widely used in industrial sectors, in embedded software development kits (SDKs) and even in implementations of the standard C library (libc). The findings have been shared with the vendors so that they can update their systems. The full list of vulnerabilities can be found on the US Department of Homeland Security’s website.

More info: https://msrc-blog.microsoft.com/2021/04/29/badalloc-memory-allocation-vulnerabilities-could-affect-wide-range-of-iot-and-ot-devices-in-industrial-medical-and-enterprise-networks/

Critical vulnerability identified in Homebrew for MacOS and Linux

A Japanese security researcher named RyotaK reported on 18 April a vulnerability in the official Homebrew Cask repository that could be exploited by attackers to execute arbitrary code on users’ machines that have Homebrew installed. Homebrew is a free and open-source software package management system that allows the installation of software on Apple’s macOS operating system as well as Linux. Homebrew Cask extends the functionality to include command-line workflows for GUI-based macOS applications, fonts, plugins and other non-open-source software. The reported bug, for which a PoC was published and which was fixed just a day after it was reported, lay in the way code changes in its GitHub repository were handled, which could result in a malicious pull request being automatically reviewed and approved. Homebrew also removed the “automerge” GitHub action, as well as the “review-cask-pr” GitHub action, from all vulnerable repositories.

All the details: https://brew.sh/2021/04/21/security-incident-disclosure/

MacOS flaw allows Shlayer malware to be distributed

Apple has released a patch for the macOS Big Sur operating system, fixing a vulnerability for which no further details have been released by Apple but which some researchers describe as the worst vulnerability for Apple’s operating systems in years. Despite its severity, exploitation requires a first step that may have somewhat limited the impact: the user must be convinced to download or run an application that is not in the Apple Store or would not be allowed by Apple. Once this initial access is gained, the attackers deploy malware that, thanks to a logic error in the macOS code, is misclassified by Apple’s operating system. This malware can bypass all checks performed by Apple’s security mechanisms, which are designed to stop unapproved dangerous applications from running. Researchers at Jamf have named the malware Shlayer and confirm that it has been in distribution since at least January this year. The bug was reported to Apple by security researcher Cedric Owens in mid-March. Apple spokespeople have confirmed that the company has addressed the problem in macOS 11.3 and has updated XProtect, its malware detection engine, to block malware using this technique. According to specialised media, the vulnerability has been exploited to distribute malware against Mac computers since at least January.

Learn more: https://www.forbes.com/sites/thomasbrewster/2021/04/26/update-your-mac-now-the-worst-hack-in-years-hits-apple-computers/?sh=540dd6b85da0

Critical vulnerability in Citrix ShareFile

The Citrix team has released a security update to fix a critical resource mismanagement vulnerability in its Citrix ShareFile software. The flaw (CVE-2021-22891) is in the Citrix ShareFile storage zone driver and could allow an unauthenticated remote attacker to exploit the storage zone driver. However, the threat agent would need to have prior access to the driver’s network in order to exploit this flaw. The versions affected by this vulnerability are 5.7 prior to 5.7.3, 5.8 prior to 5.8.3, 5.9 prior to 5.9.3, 5.10 prior to 5.10.1 and 5.11 prior to 5.11.18. Citrix recommends updating to a version that fixes this flaw as soon as possible.

More info: https://support.citrix.com/article/CTX310780

Authentication Vulnerability in BIG-IP APM AD

Researchers at Silverfort have disclosed a new evasion vulnerability (CVE-2021-23008 CVSSv3 8.1) in the Kerberos Key Distribution Center (KDC) security feature that would affect the BIG-IP Access Policy Manager (APM). This vulnerability allows an attacker to bypass Kerberos authentication to the BIG-IP Access Policy Manager (APM), bypass security policies and, in some cases, bypass authentication to the BIG-IP management console. F5 Networks has released patches to address the vulnerability with fixes introduced in BIG-IP APM versions 12.1.6, 13.1.4, 14.1.4 and 15.1.3. A similar patch for version 16.x is expected soon.

More details: https://support.f5.com/csp/article/K51213246

Do I Really Need an Antivirus?

ElevenPaths    21 April, 2021

Cyber security is one of the most popular topics due to its unstoppable growth and development, and its presence in the media is becoming more and more frequent, mainly news about the discovery of vulnerabilities, attacks and new ransomware. In the end, what the average user perceives is that cyber security is an issue for companies and large organisations and that it does not affect their day-to-day lives. But this is not true.

Cyber Security Is Everyone’s Business

Do you still think you’re not affected by cyberattacks? Here are some facts: in 2020, 43% of attacks targeted SMEs, vulnerabilities in Android and iOS increased by 44% and attacks on users continue to focus on sending emails with phishing attempts and/or malware. Not to mention the increasingly common privacy scandals related to data, misuse of cookies and a long etcetera.

The question we must ask ourselves is: how can standard users protect themselves? In this blog we have talked many times about tips for safe remote work, tips to secure your data or mechanisms to stay safe day to day, but what most users think is that an antivirus will be enough to protect them from attacks.

In this article we explain what an antivirus is for and how you can be (more) protected.

What Is an Antivirus?

To begin with, we should be clear about what an antivirus is. Very popular for decades, they seem to be the number one (and often the only) option for users to protect themselves on the Internet. They started out being exclusively for PCs but, with the smartphone revolution, they have also been available for mobile devices for years. Considering the number of hours a day we spend on our smartphones, it makes sense to protect our security on them rather than on PCs.

Broadly speaking, an antivirus is a piece of software that detects “viruses”, i.e. malware present on devices (as we said, usually PCs or smartphones). This malware usually arrives as malicious email attachments that users download, or as files downloaded from fraudulent websites.

Paid or Free?

The main difference between paid and free antivirus is the number of functionalities or features they include (parental control, backup copies…). Normally, paid licences are renewed yearly and have several options depending on the number of devices to be protected.

There are good free options, but, as we say, generally the paid options are more complete.

Included in OS (Windows Defender)

In the majority of operating systems there is software installed by default for our defence. In the case of Windows (the most common system), we have Microsoft Defender, which is present on all computers running Windows.

Settings

Almost all applications include the option to configure certain aspects of privacy. We recommend that you adjust these settings before using any application or programme that you download, and that you read the terms and conditions carefully before downloading it.

Update, Update, Update

The most important thing to keep your system invulnerable is to update, whenever possible, both the operating system in general and applications or programmes in particular, as well as the antivirus itself. Be careful: free antivirus software often collects your data and sells it to third parties. When something is free, it means you are the product.

You Are the Best Antivirus

A large percentage of attacks are successful because they are aimed directly at users, imitating genuine communications in an attempt to provoke errors. This is called social engineering, and these are our tips to avoid falling into this trap:

  • Be suspicious of all emails where you do not know the sender.
  • Only click on pages that you know are 100% authentic, or type the URL by hand instead of clicking on a link in an email.
  • Although HTTPS pages guarantee that the client-server connection is encrypted, malware can still be served from such pages, so prevention is the least you can do.

NFT Fever: The Latest Cryptocurrency Killing It Online

Gonzalo Álvarez Marañón    19 April, 2021

In May 2007, the digital artist known as Beeple decided to create and publish a new piece of artwork on the Internet every day. True to his word, he produced a new digital image daily for 5,000 days in a row. Known individually as EVERYDAYS, these illustrations collectively form the core of EVERYDAYS: THE FIRST 5,000 DAYS, one of the most unique works in the history of digital art. On 11 March his creation was auctioned at Christie’s for a total of $69,346,250. Yes, you read that right: almost 70 million dollars!

Why would anyone pay such a tremendous sum of money for a digital work of art that can be copied over and over again, and that you and I can own with identical fidelity?

Because the copy sold was unique thanks to non-fungible tokens (NFTs).

What Is a Token?

Even if you’ve never been to a casino, you’ve seen it in the movies: when players go in, they exchange their money for tokens. When they gamble in the various games of chance, they don’t bet real money, they bet these tokens. Outside the casino, tokens have no value in themselves; they are nothing more than small plastic or ceramic discs. Inside the casino, a token is worth as much as the number printed on it.

In addition, these tokens have a number of interesting characteristics:

  • Anonymous: they don’t have any distinctive markings to identify the user. If one is stolen, the thief can use it and no one will notice anything.
  • Fungible: a token of a given value is identical to another token of the same value.
  • Single-use: you cannot use the same token twice.
  • Private: issued by a private entity.
  • Worthless: they are created from low-value materials, so the token itself is worthless.
  • System: to be of any use, they must operate within a system of rules that give them a value.
  • Unforgeable: theoretically, no one could make an identical token at home.

Don’t think that casino tokens are the only ones. There are many other types of tokens: the fake money that is handed out at many festivals to pay for drinks, valid only within the festival grounds; the tokens sold at fairs and fairgrounds to get on the various attractions; the coins of many video games, which are acquired by paying with real money and only have value within the universe of the game; the invitation to private parties in nightclubs that you can redeem for a drink; not to mention lottery tickets; and many others.

What is a Digital Token?

If you’re a frequent user of services like Apple Pay, Amazon or Uber, I bet you’ve registered your credit card details to avoid having to enter them every time you buy something or take a ride. Tell me, how does it make you feel knowing that Apple, Amazon or Uber have access to your credit card? A dishonest employee or cybercriminal could gain access and use it in your name.

To limit the damage, decades ago the financial industry introduced the concept of a token: a virtual credit card, linked to your real credit card. You can create as many tokens (virtual cards) as you want, linked to the real card so that your transactions are charged to the account behind the real card, but with restrictions:

  • One token could be used only with Apple Pay; another token, only with Amazon; and another, only with Uber. In other words, each token is tied to a service. If someone steals that token, they can only use it on your behalf on the platform for which it was created.
  • A token could have a limited amount of spending. Once exceeded, it would no longer be valid.
  • Each of your devices could have its own token assigned to it: one for your laptop, one for your smartphone, one for your tablet, one for your fridge, and so on. If someone steals a token and tries to use it from another device, it won’t work.

These restrictions limit the usefulness of the tokens and thus the impact in case of fraudulent use. These financial tokens mimic some of the characteristics of casino tokens, as they can only be used in a very limited environment, outside of which they have no validity.

Another common use case for tokens is in user authorisation. When you authenticate by entering your credentials on a website, it generates a (random) token associated with your identity and delivers it to you via a cookie or URL. From this moment on, you only need to show the token to be authorised to access any other page or service on the same website. Your token acts as a substitute for your credentials. Anyone who steals your token will be able to impersonate you, but only on that site, because outside its domain it is worthless and does not represent you.

Therefore, in its broadest sense, a token is any given substitute for sensitive data (bank accounts, financial statements, medical records, criminal records, driving licences, loan applications, stock market transactions, voter registrations and other types of personally identifiable information or PII), with no extrinsic value or exploitable outside the reference system in which it is created.

The process of creating a token from the original sensitive data is known as tokenisation, while the reverse process of redeeming the token is called de-tokenisation.

The security of a tokenisation system depends on the (im)possibility of forging tokens and de-tokenising them without access to the association map of the tokens with the sensitive data they represent. In particular, tokenisation of payment cards must comply with the Payment Card Industry Data Security Standard (PCI DSS).
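The service-, device- and spend-limit restrictions described above, together with the tokenisation/de-tokenisation map, are shown here as an added example (not code from the original post or from any real payment provider); the vault, policy and account names are hypothetical and the card number is a constructed test value.

```python
import secrets
from dataclasses import dataclass


@dataclass
class TokenPolicy:
    """Restrictions attached to one token (hypothetical names)."""
    service: str        # the only service that may present this token
    device_id: str      # the only device the token may be presented from
    spend_limit: float  # cumulative spending allowed over the token's life
    spent: float = 0.0


class TokenVault:
    """Hypothetical tokenisation service for payment cards.

    The vault holds the only association map between tokens and the real
    card number (PAN). Without this map a token cannot be de-tokenised, and
    tokens are drawn from a CSPRNG so they cannot be guessed or forged.
    """

    def __init__(self):
        self._map = {}  # token -> (pan, TokenPolicy)

    def tokenise(self, pan, service, device_id, spend_limit):
        """Create a service- and device-bound token for a real card number."""
        token = "tok_" + secrets.token_hex(16)  # 128 bits of randomness
        self._map[token] = (pan, TokenPolicy(service, device_id, spend_limit))
        return token

    def detokenise(self, token, service, device_id, amount):
        """Redeem a token for a charge of `amount`.

        Returns the real PAN only when the token exists, is presented by the
        service and device it was issued for, and the spend limit holds;
        otherwise returns None and the PAN is never revealed.
        """
        entry = self._map.get(token)
        if entry is None:                  # unknown or forged token
            return None
        pan, policy = entry
        if service != policy.service:      # stolen token used on another platform
            return None
        if device_id != policy.device_id:  # stolen token used from another device
            return None
        if policy.spent + amount > policy.spend_limit:
            return None                    # limit exhausted
        policy.spent += amount
        return pan


def demo():
    """Walk through the three restrictions with a constructed card number."""
    vault = TokenVault()
    real_pan = "4111111111111111"  # constructed test PAN, not a real card
    phone_token = vault.tokenise(real_pan, "apple_pay", "phone-1", 100.0)

    results = {
        "legit": vault.detokenise(phone_token, "apple_pay", "phone-1", 60.0),
        "wrong_service": vault.detokenise(phone_token, "amazon", "phone-1", 10.0),
        "wrong_device": vault.detokenise(phone_token, "apple_pay", "laptop-1", 10.0),
        "over_limit": vault.detokenise(phone_token, "apple_pay", "phone-1", 50.0),
        "within_limit": vault.detokenise(phone_token, "apple_pay", "phone-1", 40.0),
        "forged": vault.detokenise("tok_" + "0" * 32, "apple_pay", "phone-1", 1.0),
    }
    return results, phone_token


if __name__ == "__main__":
    res, tok = demo()
    for name, pan in res.items():
        print(f"{name:14s} -> {'PAN revealed' if pan else 'rejected'}")
```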

As you can see, this tokenisation is not related to cryptography, but there is still more.

What Is a Cryptographic Token?

Technically, every cryptocurrency is a token: if you check the list of casino token features, you will see that cryptocurrencies share them. Depending on the exchange rate, for one euro you will get a certain number of tokens (or fractions of tokens). But in recent times, “token” is taking on a more specific meaning in relation to cryptocurrencies.

The term token is also used to refer specifically to a digital asset that resides on the blockchain of another cryptocurrency. The most widespread case is the ERC-20 token on the Ethereum blockchain. Ethereum incorporates a smart contract functionality that allows decentralised applications to run on its blockchain. ERC-20 tokens can represent a wide range of digital assets and, like other cryptographic assets, can hold value and be sent and received.

To create an ERC-20 token on the Ethereum blockchain, a smart contract is written. The contract is actually a piece of code, stored on the Ethereum blockchain, that will be executed when someone or another contract requests it. This contract is not only responsible for creating tokens, but also for managing their transactions and keeping track of the balance of the holders of each token. 

Not only can money be tokenised, but almost anything can be tokenised. According to the ERC-20 standard, a token can represent on Ethereum:

  • Reputation points on an online platform
  • Skills of an individual in a game
  • Lottery tickets
  • Financial assets such as a share in a company
  • A fiduciary currency such as USD
  • A gold ounce
  • And much more

As in casinos, these ERC-20 tokens are fungible and replaceable: one token is equal in type and value to another token. But what about goods that are unique, such as a piece of art?

And so, we finally come to non-fungible tokens.

What Is a Non-Fungible Token (NFT)?

A non-fungible token (NFT) is completely unique and cannot replace any other token: there is either one NFT or there is none. In the case of ERC-20 tokens, there may be a hundred, a quarter of a token or a million, but in the case of NFTs there is only one.

ERC-721 is a free and open standard that describes how to build non-fungible (or unique) tokens on the Ethereum blockchain. When an ERC-721 token is created, there is one and only one of these tokens in existence.

Apps using ERC-721 can register ownership of a lot of unique things and assign them to Ethereum pseudonymous account numbers: from a person’s birth certificate to property, art or even rare items in video games, such as plots of virtual land.
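The contrast between fungible ERC-20 balances and unique ERC-721 items described in the last few sections, modelled as an added example in plain Python (not Ethereum or contract code from the original post); the ledger classes, account names and token ids are hypothetical and constructed for illustration.

```python
class FungibleLedger:
    """Simplified model of ERC-20 semantics: holders own an amount, and any
    unit is interchangeable with any other unit of the same token."""

    def __init__(self, total_supply, issuer):
        self.balances = {issuer: total_supply}

    def balance_of(self, account):
        return self.balances.get(account, 0)

    def transfer(self, sender, to, amount):
        if amount <= 0 or self.balance_of(sender) < amount:
            return False
        self.balances[sender] -= amount
        self.balances[to] = self.balance_of(to) + amount
        return True


class NonFungibleLedger:
    """Simplified model of ERC-721 semantics: every token_id exists at most
    once and has exactly one owner, so a transfer moves one specific item."""

    def __init__(self):
        self.owner_of = {}  # token_id -> owner account
        self.approved = {}  # token_id -> account allowed to move it once

    def mint(self, to, token_id):
        if token_id in self.owner_of:
            raise ValueError(f"token {token_id} already exists")
        self.owner_of[token_id] = to

    def balance_of(self, account):
        return sum(1 for owner in self.owner_of.values() if owner == account)

    def approve(self, owner, operator, token_id):
        if self.owner_of.get(token_id) != owner:
            return False  # only the current owner may grant approval
        self.approved[token_id] = operator
        return True

    def transfer(self, sender, to, token_id):
        owner = self.owner_of.get(token_id)
        if owner is None:
            return False  # no such item
        if sender != owner and self.approved.get(token_id) != sender:
            return False  # neither owner nor approved operator
        self.owner_of[token_id] = to
        self.approved.pop(token_id, None)  # approval is consumed on transfer
        return True


def demo():
    """Contrast the two ledgers with constructed accounts and items."""
    erc20 = FungibleLedger(1000, "alice")
    erc20.transfer("alice", "bob", 250)
    erc20.transfer("bob", "carol", 100)  # any 100 units are as good as any other

    erc721 = NonFungibleLedger()
    erc721.mint("beeple", "everydays-5000")
    erc721.mint("dapper", "kitty-1")
    try:
        erc721.mint("someone", "everydays-5000")  # a second copy cannot exist
        duplicate_rejected = False
    except ValueError:
        duplicate_rejected = True
    stolen = erc721.transfer("mallory", "mallory", "everydays-5000")  # not owner
    sold = erc721.transfer("beeple", "collector", "everydays-5000")
    erc721.approve("dapper", "marketplace", "kitty-1")  # marketplace sells it
    via_market = erc721.transfer("marketplace", "buyer", "kitty-1")

    return {
        "alice": erc20.balance_of("alice"),
        "bob": erc20.balance_of("bob"),
        "carol": erc20.balance_of("carol"),
        "duplicate_rejected": duplicate_rejected,
        "theft_rejected": not stolen,
        "sold": sold,
        "owner": erc721.owner_of["everydays-5000"],
        "via_market": via_market,
        "kitty_owner": erc721.owner_of["kitty-1"],
        "collector_count": erc721.balance_of("collector"),
    }
```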

What Are Non-Fungible Tokens (NFTs) For?

To recap, an NFT can represent a still or animated image, a video clip or any other digital element. It can also be authenticated through a blockchain. Putting it all together, we see that an NFT is ideal for launching limited edition items: artwork, sports memorabilia, unique weapons in a video game, literally any unique digital good!

One of the first uses of NFTs was CryptoKitties: in 2017, the collection of cute, unique digital kittens appeared, with their own digital genome, stored in a smart contract immutably registered on the Ethereum blockchain. Depending on the specimen’s characteristics, each kitten can be worth more or less, from a few euros to hundreds of thousands. No two kittens are identical, which makes them rare and attractive and therefore desirable for collectors. Their success was so overwhelming that they crashed the Ethereum blockchain after their launch. They have now migrated to their own blockchain, known as Flow, designed especially for gaming.

The CryptoKitties phenomenon helped establish the legitimacy of non-fungible tokens in general and ERC-721 contracts in particular, especially for the gaming and collectibles markets. Anyone can verify in real time the rarity of an object, even non-technical users, through blockchain scanners such as Etherscan.

A typical problem faced by the art market has been counterfeiting. ERC-721 eliminates it because each item can be represented only once on the Ethereum network. As a consequence, in recent months we are witnessing an explosion (bubble?) of NFT applications in the world of art and collectibles:

  • Terra Virtua: a platform for the creation and sale of digital collectibles, with a special focus on major brands and Hollywood products.
  • SuperRare: a platform for the commercialisation of unique works of art.
  • Decentraland: a fully decentralised video game world, where you can buy everything, even parcels of land, knowing that every item and digital good will be unique.
  • Sorare: a collection of football players’ stickers adapted to modern times. As a curiosity, a Mbappé sticker was sold for 65,000 dollars!
  • Top Shot: the same concept, applied to basketball cards, which contain not only photos but also short video clips of amazing moves by the big stars.
  • And much more: Rarible, Aavegotchi, OpenSea, The Sandbox, Minecraft, Doctor Who… the list is never-ending and we will see new additions every week.

The art and collectibles world has embraced non-fungible tokens to secure the identity of unique digital objects. In the coming months, we will see how far this fever will spread. In the meantime, have you already got your hands on a cryptokitty or your favourite player’s sticker?

Telefónica Tech, recognized with Palo Alto Networks’ SASE, Cloud and Cortex Specializations

Pablo Alarcón Padellano    19 April, 2021

In the past year, we’ve seen organizations challenged by the increasingly complex and rapidly changing tactics of savvy cyber adversaries, as they have dealt with expanding remote workforces, with cloud digital transformation and a growing threat landscape. Staffing of security skills remains one of the biggest challenges of the security industry, closely related also to the level of specialization and expert knowledge required by the new areas of cybersecurity that have recently emerged, and with the sophistication of existing cyberthreats.  

In our continuous objective of helping our clients meet their security needs, we are very pleased to announce that we have obtained Palo Alto Networks recognition in its three new channel program specializations, as the first partner in Spain awarded with Prisma SASE (Prisma Access and Prisma SD-WAN, formerly CloudGenix), Prisma Cloud and Cortex XDR/XSOAR specializations.  

Well done team! 

NextWave 3.0

Palo Alto Networks (PANW) has recently unveiled NextWave 3.0, a new version of its channel partner program. This Partner Specialization is awarded specifically to channel partners who have demonstrated the required expertise to successfully demo, sell, implement and support the Palo Alto Networks SASE, Cloud and endpoint protection offering. 

Customers want security experts capable of designing, implementing, configuring, maintaining and troubleshooting the vast majority of security deployments, and they are also looking for trusted partners who guide and help them meet the complex cybersecurity challenges of nowadays. Year after year, ElevenPaths, part of Telefónica Tech, demonstrates its commitment to strengthen and increase the cyber resilience of our clients, contributing to the achievement of the objectives of their strategy and security posture through its industry-leading SOC operations team, this time with technical experience and recognized specializations on

  • Prisma SASE: we help organizations simultaneously protect their remote workers and optimize the user experience with Prisma Access security access service edge (SASE) platform. 
  • Prisma Cloud: if you are overwhelmed with lack of visibility, context and control despite the robust toolkits and capabilities offered by cloud service providers, we deliver the industry’s broadest security and compliance coverage—for applications, data, and the entire cloud native technology stack—throughout our Cloud MSS as a service and Prisma Cloud offering. 
  • Cortex XDR & XSOAR: we empower your security operations team with our NextDefense advanced security services dedicated to detect and respond to threats and digital risks, to ensure a comprehensive managed defense in cloud, endpoint, network and corporate IT, in this case by delivering proactive security operations as industry-leading MDR Partner of Palo Alto Networks.

Want more? Ask us! We are an Intelligent MSSP, focused on offering prevention, detection and appropriate response capabilities and a SASE, Cloud and Cortex Specialized Partner of Palo Alto Networks. We will enhance your security architecture, we will help to secure your cloud journeys, and we will help you keep pace with evolving cyber threat landscape and cybersecurity challenges. Together we are stronger. 

5 reasons why everyone wants to learn Python

Paloma Recuero de los Santos    19 April, 2021

Python is currently the most popular programming language. Many different people, from children, students, teachers and researchers of all kinds (Social Sciences, Biology, Medicine, Economics…) to experts in Finance, Insurance and Marketing, developers, analysts and data scientists, learn it and use it in their fields of interest. In today’s post, we will try to explain why.

How do you measure the popularity of a programming language? It depends on who you ask.

Developers do it by calculating the number of questions asked about it on websites like StackOverflow. These are websites where people can ask questions and share knowledge with the community. Thus, although JavaScript continues to be the language with the highest number of questions accumulated since the creation of Stack Overflow, Python has become the language that has sparked the most interest so far this year.

Projections of future for major programming languages (Image Credit: Stack Overflow)

(The more “purist” developers prefer to consult indexes such as PYPL or rankings such as IEEE’s).

And for non-programmers, I’m sure this quote from The Economist will give you an idea:

“In the last 12 months, in the US, there have been more Google searches for Python than for Kim Kardashian.”

“Python has brought computer programming to a vast new audience”.

Is Python really more popular than Kim Kardashian in the USA? Well, it seems so 😉 We will see some of the reasons, but first of all, let’s explain what Python is.

Python in a nutshell

To “warm up”, let’s start with a curious fact. Do you remember “Life of Brian”, or the famous “Spam” sketch? The name Python has no zoological connotation; it is a tribute by its author to the unforgettable English comedy group Monty Python, protagonists of one of the best comedies in the history of cinema.

Image of the Monty Python group.

Let’s get back to being serious and start with a technical definition that we will be “unpacking” little by little:

“Python is an open-source, multi-paradigm, but mainly high-level object-oriented interpreted programming language. Its syntax emphasises code readability, which makes it easy to debug and therefore favours productivity. It offers the power and flexibility of compiled languages with a gentle learning curve.”

From this definition, we will analyse the 5 reasons why Python has gained so much popularity in the last few years.

1. Python is an interpreted language

Python was created by Guido van Rossum in 1991 as a general-purpose interpreted programming language.

What does it mean for a programming language to be interpreted?

Low-level languages, such as machine or assembly language, can be run directly on a computer. High-level languages, such as Java, C, C++ or Python itself, on the other hand, have to be translated (compiled or interpreted) into low-level code before they can be executed. This usually results in slower execution times. Nowadays, however, this is not a problem, as advances in cloud computing make customised computing capabilities available at very affordable costs. How well the code is optimised also plays a role.

With Python, programming is easy

Programming in machine code is expensive and difficult. Python offers a syntax that is much simpler and closer to human logic. More readable code is easier to generate, debug, and maintain. As a result, the learning curve for interpreted languages is much smoother.

2. Python is powerful, flexible and versatile

Let’s see where this power and versatility come from. There is no shortage of arguments.

It is a general-purpose language

Being a general-purpose language, and not created specifically for web development, Python allows you to create all kinds of programs and tools.

It is compatible with other programming languages

Its interoperability with other programming languages such as C, Java, R, etc., is another factor that has helped its widespread use in different fields.

It allows you to work with different programming models

In Python, everything is an object. However, although it is mainly an object-oriented language, it combines properties of different programming models or paradigms (imperative, functional, procedural or reflective).

It offers libraries and environments specialised in a wide range of topics

Python also offers very powerful libraries and development environments for Machine Learning, Science, data visualisation, etc.

For example:

Mathematicians and scientists use SciPy and NumPy in their research

It is the language of reference in Data Science and Machine Learning.

In fact, it has become the reference language in Data Science, being the language of choice for 57% of data scientists and developers. If we take into account the evolution in the last two years of Python environments for Deep Learning, including the creation of Tensorflow and other specialised libraries, it will come as no surprise that it has left behind other languages such as R, Julia, Scala, Ruby, Octave, MATLAB and SAS.

It is the language of reference in Education

The fact that it is such a simple language that it can be used by everyone from beginners to professional programmers has also made it the programming language of choice in educational environments. And not only because of its simplicity, but also because it can be run on different operating systems (Microsoft Windows, Mac OS X or Linux) simply by using the corresponding interpreter. It is also accessible through web services such as Python Anywhere.

This is especially important for the education sector because it can be used from computers in school classrooms, or even at home, without the need to install additional software.

Thanks to this, Python has been at the centre of several very interesting educational projects, such as the ones we will see below.

In 2015, the BBC launched the MicroBit project. This is a small programmable device, micro:bit, which aims to inspire a new generation of creators, makers and coders, aimed at children from 11 years of age.

Other projects, such as the MicroPython project, allow you to work with other small devices, such as Raspberry Pi, and can be used as the basis for many interesting and entertaining electronics projects to control screens, speakers, microphones, motors, etc. You can even create simple robots.

In short, Python can be used to create all kinds of tools, can be run on different operating systems, is compatible with other programming languages and offers libraries and frameworks specialised in different areas of knowledge.

3. Python is a free software project.

The Python Project was born as a free software project. Until very recently, it was still run by its creator, Guido van Rossum, who, in another nod to Monty Python, was the “Benevolent Dictator for Life” of the PSF for almost three decades.

Guido van Rossum, by Alessio Bragadini – originally posted to Flickr

What characterises free software?

Free software is not necessarily always free (although Python is), but is characterised by the scrupulous respect of the so-called “4 freedoms”:

  1. The freedom to use the program, for any purpose. (freedom 0)
  2. The freedom to study how the program works, and adapt it to your needs. (freedom 1)
  3. The freedom to distribute copies, so you can help your neighbour. (freedom 2)
  4. The freedom to improve the program and make the improvements public to others, so that the whole community benefits. (freedom 3)

For freedoms 1 and 3 to be possible, it is necessary for users to have access to the source code of the programs.

In short, free software are those programs that, once obtained, can be freely used, copied, studied, modified and redistributed. Therefore, the “freedom” of software is related to the permissions that its author offers and not to its price.

Python is released under the Python Software Foundation License. The PSF is a non-profit organisation, which was created in 2001 with the aim of managing the project (development, rights management, fundraising, etc.). And it is compatible with the GNU GPL (GNU General Public License, from version 2.1.1).

4. Python is an open source language.

In addition to being free, Python is an open source language, which is similar, but not the same thing. According to Richard Stallman, both free software and open source pursue a common goal: to give greater freedom and transparency to the software world. However, they differ in the way they go about it.

Free software is defined by its ethics. A program is not considered free software merely because its code is open; what counts is that it respects the four essential user freedoms defined by the Free Software Foundation (1985).

The concept of open source software emerged in 1998, when the OSI (Open Source Initiative) was created as a split from free software. In this case, instead of the 4 freedoms of free software, 10 requirements were defined, which a software must fulfil in order to be considered open.

The main difference between the two types of software is subtle. Free software prioritises ethical aspects, while open source software prioritises technical aspects. Therefore, it is usually less strict, so that all free software is also open source, but not necessarily the other way around.

In any case, Python is free and it is open. And therein lies one of the keys to Python’s success: the Python community. It is a large and very active community, which contributes to the development and improvement of the source code, according to the needs and demands of users. Although many companies and organisations, such as Google, Microsoft or Red Hat, make extensive use of this language and have an influence on its evolution, none of them have any control over it.

Its free and open character has undoubtedly also facilitated the versatility, flexibility and power mentioned in the previous point, since in addition to all of the above, Python is a multiplatform language. That is, we can run it on different operating systems such as Windows or Linux simply by using the corresponding interpreter.

5. And also… it’s free

As we mentioned before, despite the confusion that may arise from the fact that, in English, “free” means both “free as in freedom” and “free of charge”, free software does not necessarily have to be free of charge. However, it can be affirmed that to program in Python it is not necessary to pay any kind of licence fee. That said, we must never forget that any code not developed by ourselves may be subject to some kind of licensing.

Conclusion

In short, Python’s simplicity, versatility and power have made it the all-rounder programming language that can help boost the digital literacy of broad sectors of the population, making programming accessible to people and professionals of all kinds.

What about you? Do you dare with Python?


You can read the original post in Spanish here.


To keep up to date with Telefónica’s Internet of Things,

visit our website or follow us on Twitter, LinkedIn and YouTube

Cyber Security Weekly Briefing April 10-16

ElevenPaths    16 April, 2021

0-days in Chrome and Edge

Security researcher Rajvardhan Agarwal has discovered a 0-day vulnerability in the current versions of Google Chrome and Microsoft Edge, which he has made public via his Twitter and GitHub profile. According to The Record, the exploit code comes from a vulnerability that was used during last week’s Pwn2Own hacking event. While the details of the vulnerability were never published, Agarwal reportedly discovered that it was in Chromium’s V8 JavaScript engine by reviewing the source code for patches. Chromium developers have presumably already fixed the flaw, but the fix is not yet part of the official updates for browsers such as Google Chrome and Microsoft Edge, which remain vulnerable.

A few days later, the security researcher known on Twitter as @frust93717815 announced a new 0-day vulnerability in Chromium-based browsers, publishing a PoC on his GitHub profile. This new vulnerability reportedly affects both Chrome and Edge and, like the one published earlier this week, could allow remote code execution, demonstrated by opening the Windows Notepad application. While this vulnerability is not able to escape the Chromium sandbox, and is therefore not harmful as such, a threat actor that manages to disable Chrome’s sandboxing argument (either by chaining it with other vulnerabilities or by confusing the user) could exploit it. Bleeping Computer has verified that the exploit is functional in the latest versions of Google Chrome (89.0.4389.128, released just a few days ago) and Microsoft Edge (89.0.774.76).

Both vulnerabilities have been patched in Google Chrome 90.0.4430.72 and Microsoft Edge 89.0.774.77.


Microsoft security newsletter

Microsoft has published its monthly security newsletter for April, in which it has fixed more than 100 vulnerabilities. Among the updates are patches for new flaws in the 2013-2019 versions of Exchange Server (CVE-2021-28480, CVE-2021-28481, CVE-2021-28482, CVE-2021-28483), all of them rated high criticality, two of which would allow a potential attacker to execute code remotely without authentication. Regarding these vulnerabilities, the US Cybersecurity and Infrastructure Security Agency (CISA) has urged all federal agencies to install the updates by Friday. A vulnerability in Desktop Window Manager, tracked as CVE-2021-28310 and rated medium criticality, has also been fixed; it is being actively exploited by several threat actors to escalate privileges on vulnerable systems. Finally, it is also worth mentioning several RCE vulnerabilities affecting Microsoft Office: CVE-2021-28454, CVE-2021-28451 (Excel), CVE-2021-28453 (Word) and CVE-2021-28449. Other patched products include Edge, Azure, SharePoint, Hyper-V, Team Foundation and Visual Studio.

All the details: https://msrc-blog.microsoft.com/2021/04/13/april-2021-update-tuesday-packages-now-available/

Adobe fixes multiple critical vulnerabilities

Adobe has patched several vulnerabilities affecting four of its products: Adobe Photoshop, Adobe Digital Editions, Adobe Bridge and RoboHelp. There are ten vulnerabilities in total: two critical flaws listed as CVE-2021-28548 and CVE-2021-28549 affecting Adobe Photoshop, one critical flaw (CVE-2021-21100) in Adobe Digital Editions, six vulnerabilities, four of them critical (CVE-2021-21093, CVE-2021-21092, CVE-2021-21094, CVE-2021-21095), that impact Adobe Bridge and, finally, a high-risk flaw reportedly affecting RoboHelp. Adobe urges its customers to update vulnerable versions as soon as possible.

Learn more: https://helpx.adobe.com/security.html

IcedID distribution campaigns

Microsoft researchers have recently detected a campaign to distribute the IcedID malware via legitimate contact forms on web pages. Attackers are reportedly submitting the contact forms automatically, so that the victims receive the submissions as emails that look trustworthy at first glance. The message uses social engineering techniques to push the victim into opening an embedded link, using urgent language and legal threats over false copyright claims for images or other material supposedly used on their website. The link redirects to a Google login page where the victim enters their credentials, which automatically starts the download of the malicious file containing IcedID. Meanwhile, Uptycs researchers and analyst Ali Aqeel have also detected the distribution of IcedID via malicious Microsoft Office documents, mainly Excel and Word. It is worth remembering that IcedID is a banking trojan that steals victims’ financial information and is also capable of acting as a gateway into infected systems for other malware; it is thought that it may be one of the access vectors for the RansomEXX ransomware, which recently included the Castelló City Council among its victims.

More details: https://www.microsoft.com/security/blog/2021/04/09/investigating-a-unique-form-of-email-delivery-for-icedid-malware/

Cyber Security in Times of Pandemic: How Has Confinement Affected Our Digital Security?

ElevenPaths    15 April, 2021

The pandemic has accelerated the transition to a digital life, and with it, cyber-attacks against users and businesses have risen. The most frequent attack, and the most common source of breaches, is phishing. How many times have we received an email, opened it and followed an inappropriate link or download? Three steps so common and simple that they have become a routine that many users fall into. Since the beginning of the Covid-19 crisis, phishing attacks have grown by 70%.

Did you know that companies’ ability to contain attacks has declined by 13% in the last five years? The pandemic has forced many companies to adapt to remote working so quickly that they have opened security breaches in their systems. The rise of video conferencing platforms and the need for information have opened attack points that cybercriminals are trying to exploit. In addition, many employees have had to work on personal devices over which the organisation has no control: it cannot tell which operating systems they run, whether they are up to date, or whether the applications installed on them introduce vulnerabilities…

Types of Cyber-Attacks

The types of cyber-attacks recorded by the authorities during the pandemic are mainly phishing and smishing, the SMS version of phishing. Both work in the same way: impersonating an official organisation and attempting to redirect the user to a fake website in order to enter personal data or download malicious files.

These attacks and many others are on the rise because of the new reality that we are living in. We are spending more time at home and our digital lives are expanding. Now, more than ever, we need to be especially careful in our digital lives, identify threats and take extra precautions when using the internet.

Both users and companies, large and small, must take into account the security of their business. Any cyber-attack can have very negative consequences for companies: economic losses, reputational impacts, etc. For all these reasons and more, cyber security and information protection have become a necessity.

Top 4 Programming Languages for Beginners

ElevenPaths    14 April, 2021

Have you set yourself new challenges this year but don’t know where to start? How would you like to become an expert in programming? We know that, at first, it may sound a bit complicated and arduous.

“Me, programming? I don’t see it”, you may be thinking. But believe us if we tell you that with the selection of programming courses we have made for you, there will be no excuse for you not to become a real expert in this world in a few months. If you dare…Here we go:

Python

You haven’t stopped hearing its name for a couple of years now, but what is it about Python that makes it so attractive for those starting out in programming? Undoubtedly, one of its main advantages is that, in addition to being free software (and free of charge, with no licence fees for its use), it is an open-source language.

These two features give Python a status of greater freedom and transparency, facilitating the creation of a large community around it. For someone taking their first steps in programming that is a real treasure: being able to ask questions and learn alongside peers online.

In addition, compared to other programming languages, Python’s syntax is quite simple and familiar. And, as if that were not enough, we can often work out what parts of the code do simply by reading them logically.

JavaScript

If you’ve been looking for job offers, we’re sure this name sounds familiar: JavaScript. It is the king of programming languages in job-profile searches, so what are you waiting for to take the leap? Demand for this language does not cease, and its integration in all kinds of applications makes it the perfect companion to get started in this web development adventure.

It is a good starting point because it is not difficult to learn, since it is a weakly typed language, and it will give you the necessary background to continue studying more complex programming. In addition, JavaScript runs natively in any browser. Another point in its favour.

Ruby

Perhaps this language is not as well known as the previous two, but Ruby will also be another important ally. It is an open source programming language that is quite simple and easy to read and write, which makes it very accessible for beginners. A dynamic, object-oriented language, it is used above all for web development.

Thanks to Rails, a web application framework that works with this programming language, learning it is very easy and the hours in the classroom will fly by.

C Language

This is the last of the programming languages that we bring you. Like the previous one, it is not so well known at a user level, but we recommend it for its versatility and the fact that it can be used to create practically everything, from mobile phones to servers, and from desktop apps to video-console applications. What more could you ask for?

To do all this, though, you will need a development environment such as Visual Studio, which makes the language simpler and more approachable, although there are also open-source compilers.

A Trillion-Dollar on Offer to the Puzzle Solver

Gonzalo Álvarez Marañón    12 April, 2021

Are you a fan of mathematical puzzles? Well, here’s a lucrative one… but hard to beat! If you discover a method to crack the hashes used in Blockchain, you could get your hands on all the future Bitcoins yet to be mined!

Cryptomining is based on a concept called “proof of work” (and on chance). The miners with the most computational resources at their disposal (and who are most favoured by chance) are rewarded with new bitcoins. In this article we will explain the origin of proof of work, linked to the battle against spam, and how it is used today in Bitcoin.

If Spammers Had to Pay for Every Email They Send, It Would Be a Completely Different Story

That’s what Adam Back, a renowned cryptographer and hacker, thought in 1997. He had read an article published in 1992 by Cynthia Dwork and Moni Naor on how to combat spam by forcing expensive mathematical calculations. This article inspired him to design his pay-per-mailing proposal: if you want to send spam, you’re going to have to pay, but not with money, you’ll pay with computer sweat (if it reminded you of “Fame”, you’re too old). The spammer has to solve a cryptographic puzzle of adjustable difficulty and cannot send the mail until the solution is found. Solving the puzzle is very costly, but verifying the solution is very easy. In other words, either you prove you’ve worked hard, or there’s no spam. And so Hashcash was born.

Back’s proposal calls for adding an X-Hashcash: header to mail messages sent over SMTP, so that if a message arrives at a mail gateway or mail client without this header, it is immediately rejected. And which token should be used to fill this header in?

First, a secure hash function is required. Although Hashcash proposed SHA-1, today another algorithm would be used, such as SHA-256 or SHA-3.

Secondly, Hashcash uses the following parameters:

  1. A work factor w, such that 0 <= w <= L, where L is the size of the hash function output (in bits). This is used to modulate the difficulty of the puzzle.
  2. A version number: ver.
  3. A timestamp parameter: time.
  4. A resource identifier: resource.
  5. A randomly chosen number of at least 64 bits: trial.

The Hashcash token is composed by joining these fields by the ‘:’ character, in the following way:

token = ver:time:resource:trial

The puzzle consists of repeatedly calculating the hash of the token until the most significant w bits are 0, incrementing the trial value by one each time the attempt fails. Obviously, the higher the value of w, the more difficult the puzzle. Fortunately for the receiver, verifying that the solution to the puzzle is correct is as trivial as calculating the hash of the token once. Moreover, no matter how many puzzles you solve, solving a new one will always take on average the same amount of time: the difficulty remains constant for a given value of w. And if computational power improves over time, just increase w and sweat it out again.

Of course, tokens are only considered valid if they are not repeated, because then, once one token is resolved, it would be enough to attach it to all spam messages. An inexpensive way to solve the problem of how to store a history of tokens is to set an expiry period, calculated using the parameter time.
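The minting and verification procedure just described, written out as an added example in Python (it is not code from the article or from the Hashcash project): it follows the article's simplified ver:time:resource:trial layout rather than the real Hashcash v1 header format, uses SHA-256 as suggested above, and adds the receiver's expiry and replay checks. The field names, the Verifier class and the clock-skew tolerance are assumptions made for illustration.

```python
import hashlib
import secrets
import time
from typing import Optional, Tuple

# Added example: simplified token layout from the article (ver:time:resource:trial),
# not the real Hashcash v1 header format. SHA-256 is the hash, as suggested above.
HASH_BITS = 256  # L, the hash output size in bits


def leading_zero_bits(digest: bytes) -> int:
    """Number of most-significant zero bits in a digest."""
    return HASH_BITS - int.from_bytes(digest, "big").bit_length()


def token_hash(token: str) -> bytes:
    return hashlib.sha256(token.encode("utf-8")).digest()


def mint(resource: str, w: int, ver: str = "1", now: Optional[int] = None) -> str:
    """Sender side: increment trial until the token hash has at least w leading zero bits."""
    if not 0 <= w <= HASH_BITS:
        raise ValueError("work factor w must satisfy 0 <= w <= L")
    if ":" in resource:
        raise ValueError("resource must not contain the field separator")
    ts = int(time.time()) if now is None else now
    trial = secrets.randbits(64)  # random 64-bit starting point
    while True:
        token = f"{ver}:{ts}:{resource}:{trial}"
        if leading_zero_bits(token_hash(token)) >= w:
            return token
        trial += 1  # puzzle missed: try the next trial value


class Verifier:
    """Receiver side: one hash to check the work, plus expiry and replay checks (assumed design)."""

    def __init__(self, w: int, max_age: int, clock_skew: int = 300) -> None:
        self.w = w
        self.max_age = max_age        # expiry window in seconds
        self.clock_skew = clock_skew  # tolerated future timestamp in seconds
        self.seen = set()             # accepted tokens; entries older than max_age can be pruned

    def verify(self, token: str, expected_resource: str,
               now: Optional[int] = None) -> Tuple[bool, str]:
        now = int(time.time()) if now is None else now
        fields = token.split(":")
        if len(fields) != 4:
            return False, "malformed"
        _ver, ts_str, resource, _trial = fields
        try:
            ts = int(ts_str)
        except ValueError:
            return False, "malformed"
        if resource != expected_resource:
            return False, "wrong resource"  # token was minted for someone else
        if ts > now + self.clock_skew:
            return False, "timestamp in the future"
        if now - ts > self.max_age:
            return False, "expired"  # old tokens need not be remembered at all
        if leading_zero_bits(token_hash(token)) < self.w:
            return False, "insufficient work"
        if token in self.seen:
            return False, "replayed"  # one solved puzzle must not cover many messages
        self.seen.add(token)
        return True, "ok"


if __name__ == "__main__":
    tok = mint("alice@example.com", w=16)  # ~65,000 hashes on average
    print(tok, Verifier(w=16, max_age=3600).verify(tok, "alice@example.com"))
```

The receiver hashes each message exactly once; the expiry check is what keeps the replay history bounded, since anything older than max_age is rejected before the seen set is consulted and can therefore be dropped from it.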

Although this idea never caught on in the fight against spam, it did inspire Satoshi Nakamoto to design the Bitcoin proof of work.

Cryptominers to Mint Bitcoins With the Sweat of Their ASICs

In the mine, the earth is dug up in search of a scarce yet very valuable resource. In Bitcoin, the scarce resource is computing power. Nodes in the Bitcoin network compete against each other in a frantic race to be the first to solve a cryptographic puzzle, called “proof of work”, based on Hashcash.

Explained in a very simplified way, you take the hash of the new block, c, that you want to incorporate into the blockchain, concatenate it with a nonce, x, and calculate the hash of the combination. If the resulting hash starts with a predetermined number of zeros, i.e., is less than a certain target, then you’ve won the race! Otherwise, add one to the nonce and start again.

The hash function used in Bitcoin is SHA-256, applied twice in succession. Mathematically expressed:

SHA256( SHA256( c | x ) ) < target( d )

The difficulty of this puzzle can be adapted dynamically, by varying the number d of the leading zeros that the hash must have. Thus, a difficulty of 1 means that the hash must have (at least) one leading zero, while a difficulty of 10 means that the hash value will have at least 10 leading zeros. The higher the difficulty level, the more leading zeros will be needed and the more complicated the puzzle will be, as the difficulty grows exponentially with the number of zeros. Obviously, the more complicated the hash puzzle, the more computing power or time it takes to solve it.

Bitcoin sets the difficulty so that, globally, a new block is created on average every 10 minutes. The first miner to solve the puzzle receives a reward consisting of bitcoins and collects the fees applied to the transactions contained in the block. The reward for the winner has been programmed from the start: initially the winning miner was rewarded with 50 bitcoins for each new block. This reward is halved every 210,000 blocks, i.e. approximately every 4 years. Because of this reduction of the reward per block, the total amount of bitcoins in circulation will never exceed 21 million. These economic incentives must compensate for the computational resource expenditure, or no one would mine bitcoins.

I Am a Miner!

In the beginning, a computer with a decent CPU was enough to mine bitcoins. But juicy incentives quickly increased the difficulty of the proof of work mechanism. CPUs were soon replaced by GPUs, GPUs by FPGAs and, as bitcoins became more valuable, application-specific integrated circuits (ASICs) were used. I don’t know if all cryptominers who buy these devices are enriching themselves, but their manufacturers have certainly found their own niche. The barrier to entry in mining is now so high that for many years the mining community has been dominated by a small number of “big player” mining groups.

As a result, the supposedly large and diverse group of peers that collectively maintain the integrity of the system ultimately becomes a very small group of entities, each of which possesses enormous computational power in the form of specialised hardware, hosted in giant farms, the largest of which are spread across China, Russia, Iceland, Switzerland and the US.

These exclusive groups form a kind of oligopoly that divides the responsibility for maintaining the integrity of the system among themselves. This leaves the door open to abuses of power, such as skipping specific transactions or discriminating against specific users. In the end, Bitcoin and Blockchain are not as decentralised as originally intended because the integrity of the system is not distributed among a huge number of entities, but is concentrated in a few very powerful entities, establishing a kind of hidden centrality that undermines the distributed nature of the whole system.

The Dark Side of the Proofs of Work

And let’s not forget a small problem associated with proof of work. Since solving cryptographic puzzles requires an immense computational power expenditure, the mining/validation process is prohibitively expensive, both in terms of electricity and heat dissipation. This consumption has an incredibly detrimental impact on the environment.

In a paper published in 2019, The Carbon Footprint of Bitcoin, the authors claim that Bitcoin mining accounts for 0.2% of all electricity consumption worldwide and produces as much carbon dioxide as a metropolis the size of Kansas City (about 500,000 inhabitants).

Another research published in Nature in 2018, Quantification of energy and carbon costs for mining cryptocurrencies, calculated that the mining of Bitcoin, Ethereum, Litecoin and Monero combined produced over a 30-month period the equivalent of between 3 and 13 million tonnes of carbon dioxide. And looking at the rising price of all these cryptocurrencies, despite their volatility, all signs are that energy consumption (and emissions) will continue to rise.

Once again it is shown that when cryptography jumps from cryptographers’ blackboards into the real world, things get complicated. After all, Bitcoin does not run on paper, but on processors. And, the more work, the more consumption.

A digital twin to save the Mar Menor

Paloma Recuero de los Santos    12 April, 2021

The Mar Menor, Europe’s largest saltwater lagoon, is suffering from severe degradation due to various socio-environmental factors. The Smartlagoon project, funded by the European Commission, kicks off the efforts to achieve the lagoon’s sustainability.

Despite being an ecosystem of great environmental and socio-economic value, the strong climatic and anthropogenic pressures on the Mar Menor triggered a real environmental collapse in October 2019. The effects of a ‘DANA’ (a short period of intense rainfall) that hit the region at that time, added to the serious eutrophication of its waters, resulted in the desolate image of tons of fish dead from asphyxiation.

In addition to its ecological interest, the Mar Menor also has great cultural value, and treasures important remains of palaeontological, archaeological, historical and anthropological heritage. It is therefore vitally important to understand how this situation has come about and to take action to reverse it.

Figure 1: Natural Areas of Campo de Cartagena (Murcia)-Nanosanchez, Public domain.

How did this situation come about?

Throughout its history, the Mar Menor has undergone a process of transformation, due to human intervention, which has modified its physical and natural characteristics. The main causes of its current difficult situation are, for example:

  • contamination by organic waste and fertilizers,
  • landfills and coastal works,
  • dredging to extract sand,
  • accelerated and poorly planned urban growth,
  • intense pressure from tourism.

Marinas and artificial beaches where there used to be seaside resorts. Wetlands and altered riverbanks. Muddy seabeds. Uncontrolled proliferation of algae due to excess nutrients from illegal agricultural drainage. Dumping of sewage. Degradation of dune systems. Natural spaces overwhelmed by tourist pressure…

Figure 2: Deterioration of the salt marshes of the Mar Menor

The causes seem clear, but how can this difficult situation be resolved?

The SmartLagoon project

The SMARTLAGOON project, funded by the European Commission under the Horizon 2020 research and innovation programme, will combine new sensing technologies, based on artificial intelligence and IoT, to create a digital twin of the lagoon.

It is an international project, coordinated by the Catholic University of Murcia, with the participation of the following institutions and companies: The Polytechnic University of Valencia and Vielca Ingenieros S.A (Spain), WaterITech ApS (Denmark), Uppsala University (Sweden), Norwegian Institute for Water Research (Norway), Università di Bologna (Italy) and Photrack, AG (Switzerland).

As we already told you in one of our blogs, a digital twin is nothing more than an innovative virtual model of the lagoon. Its main objective is to gain an in-depth understanding of the socio-environmental interrelationships affecting coastal lagoons and their ecosystem. To do so, it will combine data from IoT sensors and satellite data with human behavioral data (social network data, economic data, etc.), data from open repositories (open data), and citizen science.

Thus, by combining new sensing technologies based on artificial intelligence with IoT infrastructures, the digital twin of the lagoon will replicate the physical processes that occur in it. In this way, it will be possible to know in advance the impact of each of the actions carried out by the sectors involved.

The Smartlagoon tool, funded by the European Commission, has a budget of 3,972,000 euros. It will be developed jointly with citizens, policy makers and other stakeholders to capture their needs and requirements. An agile methodology will be followed to ensure practical and useful results for this particular scenario in the first instance, with the aim of extending it to other coastal lagoons in the future.

We will keep a close eye on the results, not only because of the importance of recovering the Mar Menor, but also because of how the combined application of data technologies, IoT and Artificial Intelligence can help us to conserve our environment.

