How AI is helping fashion retailers stay afloat

Patrick Buckley    29 January, 2021

With an estimated current global market value surpassing 406 billion USD, the fashion industry is one of the most significant yet vulnerable industries out there. In an ever-worsening socio-economic climate, analysts predict a grave year for fashion retailers, expecting consumer expenditure on fashion to fall by between 27% and 30% globally throughout 2021 as the world continues to battle through the COVID-19 pandemic. 

With this in mind, today we bring you an insight into how technologies based on Big Data and Artificial Intelligence (AI) are giving many fashion retailers the edge, helping them stay afloat where others have gone under.

Data Driven Supply Chain Management

Inditex, a leading Spanish multinational fashion retailer with over 7,200 stores globally, has, for many years, been leveraging AI both in store and on the e-commerce side to shape product decisions. 

A data driven supply chain management system is used across all Inditex brands to support the ‘fast fashion’ model that underpins their business strategy.

Upon releasing a new season of clothing, Inditex sends only a small quantity of each product to its stores and e-commerce channels in order to gauge the customer response to each item before placing any significant order with the manufacturers.

Sales figures of each item are then recorded and internally processed. Machine Learning algorithms then automatically instruct systems to only order an appropriate amount of stock for each item at each individual location. In this way, the manufacturing process can be dynamically adjusted to only produce what is likely to sell, optimising revenue and minimising product waste.

What’s Next in Fashion? 

Internal processes such as the fast fashion model described above are not, by themselves, sufficient to remain competitive in the cutthroat world of high street retailing.

Predictive analytics based on competitor and market behaviour are becoming increasingly important to retailers as they dynamically make decisions on all aspects of their business, from pricing to product launch dates. Data firms partner with major brands to offer insights into the state of the market, future demand and competitor behaviour patterns.

By compiling data on the current top-selling products across a variety of brands, algorithms can suggest which styles are likely to succeed in the future. For example, the algorithm may suggest that a striped bathing suit is likely to be more successful this summer than a polka-dot one, based on consumer behaviour up to this point.

Furthermore, by comparing pricing data with demand patterns for individual products or collections, algorithms can predict at which price point a certain collection is likely to be successful for each individual brand. 

These insights allow designers and retailers to stay ahead of the curve and plan future collections based on hard data.

Final Thoughts

Data driven decisions are becoming increasingly valuable as fashion retailers are tasked with understanding their consumers’ wants at a time of rapid socio-economic change and uncertainty. AI technology allows for a more dynamic design and manufacturing process, and data insights allow brands to identify and take advantage of relevant trends.

To keep up to date with LUCA visit our website, subscribe to LUCA Data Speaks or follow us on Twitter, LinkedIn or YouTube.

4 Tips to Secure Your Data

ElevenPaths    28 January, 2021

We surf the Internet on a daily basis. Many of us are already considered digital natives. Yes, it is almost an extension of us, but are we really aware of the scope of our use of it? How do we use it? And, above all, how do we let them use our data?

This 28 January we celebrate European Data Protection Day. This is an annual day initiated in 2006 and promoted by both the European Commission and the Council of Europe and the different data protection authorities in each country. Its purpose is to raise awareness and to inform both citizens and companies of everything related to rights and responsibilities in the field of data protection.

On the occasion of this celebration, at ElevenPaths we want to share with you 4 simple tips to give more protection to our data on the web. Ready? Open the lock because here we go.

Post-it Notes Are Not a Good Ally for Passwords

We know that you handle several passwords on a daily basis and that remembering them all is very difficult, if not impossible. But trust us, post-it notes are not the best way to keep them. Although sometimes it can be a bit of a chore to have to keep so many numbers, letters and symbols safe, think about the value of a password. Passwords are the gateway to our entire web world, to our inner self, and that is why it is so important to know how to keep them and treasure them.

As we already know, it is not advisable to reuse passwords, because if someone discovers one they will have access to more than one of our accounts or web services. Likewise, we should not be tempted to share them with anyone and, much less, leave them written down on unsecured media such as a post-it note, a piece of paper or even a WhatsApp chat.

Always keep your eyes open to where, or to whom, you give your passwords, because phishing attacks are always around the corner waiting for us to fall into their trap. How do we avoid them and keep our passwords safe? Two ideas: use a password manager and enable two-step verification.

Always Check the Small Print

Are you one of those who downloads and installs apps and programmes without reading the permissions you accept? Don’t worry, you’re not the only one, but you may think twice next time.

If we do not read the conditions and permissions that we are giving, we may find ourselves with an intrusion into our personal data that we ourselves have consented to. Therefore, it is recommended that you invest a few minutes of your time in reading and understanding, always before accepting, the terms of the downloads and installations that you are carrying out.

Our advice is to always use official sources and app stores, and not to accept installs from channels you do not know or whose legitimacy you cannot verify. Don’t click on suspicious links! Check the permissions they ask for (although it may seem boring) and set up the app or programme securely and correctly before you start using it.

If You Want to Sleep Soundly, Make Backups

Whether through the now classic external disks or from the cloud, always make backup copies. In case of loss or theft, both physical and online, of our devices or accounts, we can always turn to them to rescue the most valuable information that we have considered saving on them.

A simple solution, available at the click of a button, that will undoubtedly allow us to sleep completely at ease.

What do experts recommend? Two physical copies, one of them offline (not connected) and another one in the cloud.

Information is Power

And more so when it comes to Internet security. Keeping up to date with the latest attacks, advances in cyber security, the latest antivirus… All of this information will give us a broader knowledge to be well protected in our devices.

In this sense, updates, like changes, are welcome. They are always for the best and seek to reinforce our security in the most effective way, correcting the flaws of previous versions. While it is true that our current devices often update automatically, we also recommend keeping track of the latest updates to make sure they have been applied, and celebrating this European Data Protection Day in the best possible way.

All of this advice can be summed up as acquiring knowledge about the technologies that we use on a daily basis, in order to use them in an even more responsible and secure way.

#CyberSecurityReport20H2: Microsoft Corrects Many More Vulnerabilities, But Discovers Far Fewer

Innovation and Laboratory Area in ElevenPaths    26 January, 2021

There are many reports on security trends and summaries, but at ElevenPaths we want to make a difference. From the Innovation and Laboratory team, we have just launched our own cyber security report that summarises the highlights of the second half of 2020. Its philosophy is to offer a global, accurate and useful overview of the most relevant data and facts about cyber security, and it is designed to be consumed by both professionals and amateurs in a simple and visually appealing way.

The purpose of this report is to summarise the cyber security information of the last few months, taking a perspective that covers most aspects of cyber security, in order to help the reader understand the risks of the current situation.

The information gathered is largely based on the compilation and synthesis of internal data, cross-checked with public information from sources we consider to be of high quality. The following are some of the points that are important to us.

#CyberSecurityReport20H2: General Data

Regarding Microsoft, the total number of flaws discovered and fixed is more than 600 during this half-year, the same as the previous one. We understand that most of the non-credited flaws come from vulnerabilities found being exploited as 0-days, or from other circumstances where the finder is not known and the report was not made anonymously. In these cases, Microsoft credits no one in particular. This distinction between credited and “non-credited” vulnerabilities, which is not the same as anonymous, is reflected in the following chart:

Compared to the previous half-year, the data on who discovers vulnerabilities at Microsoft looks very different. The long tail of “others”, meaning researchers with fewer than 5 flaws credited in total, leads the list. The ZDI initiative remains (increasingly) the favourite route for researchers. This half-year, Zhiniang Peng stands out with 66 flaws. It is also striking that Qihoo, responsible for hundreds of flaws discovered regularly in previous years, has completely disappeared from the list this half-year.

Interesting comparison with the previous semester:

Vulnerabilities in Mobile Phones

2020 has closed with 187 vulnerabilities patched in the iOS operating system, 37 of which are considered high-risk, with the possibility of executing arbitrary code. Some of them affect the kernel of the system itself.

On Android, this was the year with the second-highest number of reported vulnerabilities.

This year’s Apple transparency report also contains some interesting facts. For example, many of the data requests come from law enforcement agencies acting on behalf of customers who need assistance with fraudulent activity involving credit cards or gift cards used to purchase Apple products. Spain is one of the most active countries requesting data from the company.

Regarding the number of vulnerabilities per manufacturer, Microsoft, Google and Oracle continue to lead. However, this number has to be seen in the perspective of criticality, number of products, etc.

Other Conclusions

In mobile phone security, the number of iOS vulnerabilities continues to trend upwards since the downturn in 2018. For Android, 2020 was the year with the second-highest number of reported vulnerabilities, after the historic 2017.

Compared with the previous half-year, CWE-89 (SQL injection) and CWE-287 (improper authentication) have crept into the list. These are problems that have been around for years and never quite disappear from the list of the most serious known weaknesses. The top of the list is unchanged from the first half of the year.

APT groups, meanwhile, have not stopped their activity. Kimsuky (aka “Velvet Chollima”) and Fancy Bear are still active, while the OceanLotus group has been unmasked by Facebook.

In a half-year in which Microsoft has again exceeded 100 fixed vulnerabilities almost every month, this time Qihoo does not appear among the organisations that found the most flaws. ZDI remains the favourite channel for reporting (and rewarding) serious flaws.

You can access the full report on our website.

Laboratory Information Management System (LIMS) and its Mobile Applications

Carlos Ávila    25 January, 2021

For scientists and researchers, optimising time in the laboratory now plays a key role in processing and delivering results. There are applications with specialised capabilities for R&D laboratories, process development and manufacturing laboratories, or bioanalytical laboratories. This type of software is often responsible for pathology data processing, manufacturing processes, sample management, personal data, clinical results, chemical processes, “secret” experimental formulas, electronic data exchange and so on. Such information is therefore as attractive to cybercriminals as in any other industry today.

Laboratory Information Management System (LIMS) platforms are software designed to improve the productivity and efficiency of today’s laboratories. They allow tracking of the data associated with samples, experiments, laboratory workflows and instruments.

These platforms are architected and deployed in several models: ‘thick-client’ and ‘thin-client’ applications that run from any workstation, web front ends, mobile applications, and cloud/SaaS deployments, all of which connect users to the servers hosting the core LIMS functionality and data. In this article we take a closer look at the security posture of the mobile applications that manufacturers ship as part of their integrated LIMS platforms.

Analysing LIMS Mobile Applications

We selected the latest version of 24 applications (iOS/Android) through which users interact with a LIMS deployed in an organisation and carry out their tasks. Within this sample we focused on a general analysis of the mobile application only. For this review we used a rooted Android device, a non-jailbroken iPhone, and our platforms mASAPP (continuous security analysis of mobile applications) and Tacyt (mobile threat cyber-intelligence tool).

The review considered the main security controls of the OWASP Mobile Top 10. They represent only an overview of the tests that could be performed in detail and exhaustively. The results showed that, although some security controls have been implemented in the development of these applications, several weaknesses were found that should be corrected and, above all, the development process needs continuous improvement.

The vulnerabilities found in accordance with the assessed controls are listed in the following summary matrix:

Identified Weaknesses

We would like to highlight several weaknesses found in easily readable form: certificate files and keys embedded in XML, API keys stored in plain text, and configuration files, all of which reflect the bad practice of insecure local storage.

Figure 1: Certificate files / Key Hardcoded
Figure 2: Files with Readable API Keys

Figure 3: Hardcoded API Keys in source code

While a large proportion of these applications establish secure (HTTPS) channels to their backends, as shown in our results table, we still found unencrypted HTTP channels, applications that do not verify certificate authenticity, self-signed certificates, and no additional hardening measures in this area (certificate pinning, for example).

Figure 4: Use of (insecure) HTTP channels to the backend

Likewise, among insecure programming practices, we continue to observe the absence of code obfuscation to hinder reversing, obsolete or test files left in the package, use of deprecated functions or APIs, debug or logging functions left enabled in production builds, and very descriptive comments in the code. Removing all of these is covered by most secure development practice guides.

Figure 5: Review of classes after DLLs decompiling process

Figure 6: Test files stored in the App

Figure 7: Insecure use for credential transmission (base64)

Figure 8: Debug/logging functions used
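The weaknesses in Figures 1 to 8 (hardcoded API keys, plaintext HTTP backends, base64 “encoded” credentials, debug logging, test files shipped in the package) are all things a reviewer can look for mechanically once the app has been unpacked. The following is an added example written for this article, not code from mASAPP, Tacyt or any of the 24 vendors: it runs a handful of regex checks over a constructed set of files standing in for decompiled app resources and classes. The file names, hosts, keys and credentials are invented for the example.

```python
import base64
import re
from collections import Counter

# Constructed sample of what unpacking a LIMS mobile app could yield.
# File names, hosts and secrets here are invented for this example.
_BASIC_TOKEN = base64.b64encode(b"labadmin:Passw0rd!").decode()

SAMPLE_FILES = {
    "res/raw/config.xml": (
        "<config>\n"
        '  <server url="http://lims.example.internal/api"/>\n'
        "  <api_key>AKIA0000000000EXAMPLE</api_key>\n"
        "</config>\n"
    ),
    "classes/LimsClient.java": (
        "public class LimsClient {\n"
        '  static final String API_KEY = "sk_live_1234567890abcdef";\n'
        f'  static final String AUTH = "Basic {_BASIC_TOKEN}";\n'
        '  void sync() { Log.d("LIMS", "token=" + API_KEY); }\n'
        "}\n"
    ),
    "assets/test_samples.json": '{"sample": "TEST-001", "result": "positive"}\n',
}

# Each check: finding kind, regex over file contents, and how to turn a match
# into the evidence string that goes into the report.
CHECKS = [
    # Backend reached over plaintext HTTP instead of HTTPS (Figure 4).
    ("cleartext_http", re.compile(r"http://[^\s\"'<>]+"), lambda m: m.group(0)),
    # A key-looking value next to an api_key / apikey name (Figures 2 and 3).
    ("hardcoded_key", re.compile(r"api[_-]?key\W{0,4}([A-Za-z0-9_\-]{16,})", re.I),
     lambda m: m.group(1)),
    # Basic auth is only base64, so the credential is recoverable as-is (Figure 7).
    ("basic_auth", re.compile(r"Basic ([A-Za-z0-9+/=]{8,})"),
     lambda m: base64.b64decode(m.group(1)).decode("utf-8", "replace")),
    # Debug/verbose logging calls left in a production build (Figure 8).
    ("debug_logging", re.compile(r"\bLog\.[dv]\(|System\.out\.println\(|\bNSLog\("),
     lambda m: m.group(0)),
]


def scan_files(files):
    """Run every check over every file; also flag test/sample artefacts by path (Figure 6)."""
    findings = []
    for path, text in files.items():
        if re.search(r"(^|/)(test|sample|mock)[^/]*$", path, re.I):
            findings.append({"file": path, "kind": "test_artifact", "evidence": path})
        for kind, pattern, evidence in CHECKS:
            for m in pattern.finditer(text):
                findings.append({"file": path, "kind": kind, "evidence": evidence(m)})
    return findings


def summarize(findings):
    """Count findings per kind: the shape of the results matrix in the article."""
    return dict(Counter(f["kind"] for f in findings))


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f['kind']:15} {f['file']:28} {f['evidence']}")
    print(summarize(scan_files(SAMPLE_FILES)))
```

The base64 check is the point worth dwelling on: a `Basic` header decodes back to `user:password` with one library call, so storing or logging it is the same as storing the password. In a real review the regex list would be longer (cloud provider key formats, private key headers, JWTs) and would run over the output of apktool or a decompiler rather than an in-memory dictionary.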

Conclusions

Mobile applications have benefited the monitoring and automation of laboratory processes, with functionalities such as sample location and tracking, inventories, integration with instruments and other platforms, workflow optimisation and many more. However, we must not ignore the challenges associated with security controls, which in this type of application require careful consideration by equipment designers and by software and control system developers, as well as good security awareness among their users.

The businesses of the so-called ‘bioeconomy’ companies and their laboratories of the future face IT risks from security flaws that cybercriminals can exploit for profit. On the other side of the equation are the researchers, organisations, manufacturers and community trying to bring security to this ‘new’ ecosystem.

Digital transformation in water management, now more than ever

AI of Things    25 January, 2021

Today we still do not know when a vaccine will be available or what the real impact of this pandemic on society and the economy will be. However, whatever legacy Covid-19 leaves us, there are things that are in our hands.

At Telefónica we have been working for some time on different solutions to adapt to our customers’ needs.

Specifically for the water sector, we offer innovative solutions that we call Smart Water Solutions, which mitigate the impact on the health of our employees and customers while guaranteeing that all processes in water utilities continue as normal.

Who would have imagined that companies would have to suspend water meter reading?

Nobody imagined it, but that is what happened. During lockdown, many companies were forced to suspend meter reading to protect the health not only of their employees but also of their customers. Thanks to remote reading based on technologies such as IoT (Internet of Things) and Big Data, companies will be able to overcome this type of setback.

In recent years, water utilities have relied on new technologies to make the leap from the analogue to the digital world, focusing on the most relevant areas of their value chain.

However, this innovation effort has not been enough to cope with this new crisis scenario, although great strides are being made in modernising the deployed infrastructure and transforming the processes that support it.

If we compare the state of the sector before the outbreak of the pandemic, we can say that Covid-19 is accelerating the adoption of digital transformation by water utilities in order to guarantee the continuity of their services, especially the supply of this essential good to users, and to reduce the risk of contagion for their workers and customers.

Telefónica Tech offers Smart Water Solutions

In this scenario, Telefónica Tech offers Smart Water Solutions, an open, scalable and secure solution that gives water utilities remote, centralised control of their entire infrastructure, together with normalisation, processing and advanced analysis of the information.

It is built on innovative technologies such as NB-IoT and 5G, as well as Big Data and Artificial Intelligence, aimed at driving efficiency in water management, giving utilities unified management of all their processes and supporting decision-making.

The commercial solution is the result of joint work with our partners, who are leaders in their markets. It is an end-to-end solution that lets us help water utilities across their whole value chain, from abstraction to treatment, covering everything from remote meter reading to the management of industrial and business processes.

We offer water utilities a set of solutions that allow them to tackle the digital transformation of all their processes and respond to crises such as COVID-19.

Some of the benefits of our Smart Water Solutions proposal are:

  • Keeps your employees and customers safe by reducing field staff.
  • Intelligently detects leaks in the network and monitors unauthorised consumption.
  • Optimises work routes.
  • Adjusts water production using demand forecasting models.
  • Identifies new consumption patterns and adapts supply to guarantee provision and avoid network collapse.
  • Bills correctly, avoiding manual systems or estimated consumption.
  • Detects low consumption among at-risk groups so that social services can be alerted.
  • Offers a Virtual Office to end users.

There is still a way to go towards digital transformation in water management but, on the positive side, we have the tools to get there.

Written by Francisco Ibáñez

Cyber Security Weekly Briefing January 16-22

ElevenPaths    22 January, 2021

SolarWinds Update

New details have been released about the software supply chain compromise unveiled in December.

  • FireEye researchers have published an analysis that puts the focus on the threat actor called UNC2452, to which the incident is attributed.  This group uses a combination of techniques to move laterally in the Microsoft 365 cloud: the theft of token signing certificates in ADFS; the modification or addition of trust domains in Azure AD; the compromise of local user credentials with high privileges synchronized to M365; and finally, the abuse of a legitimate app’s permissions by installing a backdoor.
  • Meanwhile, Symantec researchers have discovered an additional piece of malware that would have been used as a secondary payload on several of the systems compromised by UNC2452. This malware, called Raindrop, is a payload mainly intended for the installation of Cobalt Strike.
  • The software company Malwarebytes has admitted in a statement that it was compromised by UNC2452, although not through SolarWinds Orion but through the abuse of a third-party application with permissions within its corporate Office 365 tenant. The company points out, however, that the threat actor only accessed a limited number of internal emails.
  • Microsoft researchers have provided more details on the mechanisms used to deliver secondary payloads (Teardrop, Raindrop, etc.) from the Solorigate backdoor (SUNBURST, in FireEye’s terminology), which is the origin of the compromises of public and private entities resulting from the trojanisation of the SolarWinds Orion software. The researchers show how the initial backdoor is activated only for selected victims, by creating two files on disk: a VBScript, typically named after existing services or folders to simulate legitimate machine activity, and a DLL implant, which is a custom Cobalt Strike loader. The Cobalt Strike implant is not executed directly; instead the attackers create an IFEO (Image File Execution Options) registry value for a commonly running Windows process, so that its activation is completely detached from the backdoor, which makes detection harder and keeps Solorigate itself hidden. Apart from Teardrop and Raindrop, Microsoft claims to have detected other custom Cobalt Strike beacons. These DLLs are mainly placed in existing Windows subdirectories and given names similar to legitimate files and directories to blend into the environment as much as possible.
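The IFEO launcher described in the Microsoft bullet can be hunted for in a registry export. The following is an added example, not code from Microsoft, FireEye or the briefing: it parses a constructed `reg export` excerpt of the Image File Execution Options key, extracts every Debugger value, and flags those that hand the process launch to a script host or a script file. The process names (`dllhost.exe` as the hijacked process), the script path and the triage heuristics are assumptions for illustration; the `notepad.exe` entry mimics a common legitimate use of the same mechanism.

```python
import re

# Constructed excerpt of `reg export` output for the IFEO key. The notepad.exe
# entry mimics a common legitimate use (an editor replacing Notepad); the
# dllhost.exe entry mimics the technique described above, with an invented
# script path. Nothing here is taken from a real incident.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="\"C:\\Program Files\\Notepad++\\notepad++.exe\" -notepadStyleCmdline -z"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dllhost.exe]
"Debugger"="wscript.exe C:\\Windows\\System32\\Tasks\\svchost.vbs"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe]
"DisableExceptionChainValidation"=dword:00000000
'''

# Subkey of IFEO named after a process, e.g. ...\Image File Execution Options\dllhost.exe
IFEO_KEY = re.compile(r"\\Image File Execution Options\\([^\\\]]+)$", re.I)
DEBUGGER_VALUE = re.compile(r'^"Debugger"="(.*)"$')

# Heuristics (assumed for this example): a "debugger" that is really a script
# host, or that references a script file, is a launcher rather than a debugger.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe",
                "rundll32.exe", "regsvr32.exe", "cmd.exe"}
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".ps1", ".hta", ".bat", ".cmd")


def _unescape(value):
    # .reg files escape a quote as \" and a backslash as \\ ; undo both.
    return value.replace('\\"', '"').replace("\\\\", "\\")


def _first_token(command):
    """Executable part of a command line, honouring a leading quoted path."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def triage(debugger):
    """Reasons an IFEO Debugger value looks like a launcher for an implant."""
    reasons = []
    exe = _first_token(debugger).rsplit("\\", 1)[-1].lower()
    if exe in SCRIPT_HOSTS:
        reasons.append("script_host")
    if any(ext in debugger.lower() for ext in SCRIPT_EXTS):
        reasons.append("script_file")
    return reasons


def find_ifeo_debuggers(reg_text):
    """Walk a .reg export and return every IFEO subkey that sets a Debugger value."""
    entries, process = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            m = IFEO_KEY.search(line[1:-1])
            process = m.group(1) if m else None   # None outside per-process subkeys
            continue
        m = DEBUGGER_VALUE.match(line)
        if process and m:
            debugger = _unescape(m.group(1))
            reasons = triage(debugger)
            entries.append({"process": process, "debugger": debugger,
                            "suspicious": bool(reasons), "reasons": reasons})
    return entries


if __name__ == "__main__":
    for e in find_ifeo_debuggers(SAMPLE_REG):
        flag = "SUSPICIOUS" if e["suspicious"] else "review"
        print(f"{flag:10} {e['process']:14} -> {e['debugger']}  {e['reasons']}")
```

A Debugger value is legitimate in some cases (Notepad++ replacing Notepad, Visual Studio’s vsjitdebugger), so the triage is a heuristic, not a verdict, and should be backed by a site-specific allowlist. Because a launcher like this only needs to exist until it fires, a point-in-time export can miss it; registry value-set telemetry on this key (Sysmon event ID 13) records the write itself, and a Debugger value pointing at a script host is rare enough to alert on directly.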

New data on Intrusion at the European Medicines Agency

Further details have emerged about the unauthorised access to the European Medicines Agency (EMA), disclosed in December, in which cybercriminals obtained confidential documentation on the vaccine developed by Pfizer-BioNTech. In its latest statement, the Agency confirms that at the end of December the attackers leaked some of the documents they had accessed on underground forums, including internal emails related to the vaccine evaluation process, Word documents, PDFs, etc. In addition, the EMA reports that some of this correspondence was manipulated prior to publication in order to undermine confidence in vaccines.

More details: https://www.ema.europa.eu/en/news/cyberattack-ema-update-5

FBI Warns of New Vishing Attacks

The Federal Bureau of Investigation (FBI) has issued a notification to private industry warning of telephone social engineering techniques aimed at acquiring corporate credentials that would allow access to the networks of national and international entities. The threat actors are reportedly using VoIP platforms (also known as IP telephony services) to contact employees of any level and direct them to a fraudulent website (e.g. a fake VPN login page) where they enter their credentials. This initial compromise gives them an entry vector that is later used to gain greater privileges by finding other network users with permissions to create and modify e-mail accounts and usernames. This is the second warning of active vishing attacks against employees issued by the FBI since the beginning of the pandemic, after a growing number of them became home workers.

More information: https://beta.documentcloud.org/documents/20458329-cyber-criminals-exploit-network-access-and-privilege-escalation-bleepingcomputer-210115

DNSpooq: Seven Vulnerabilities that Allow DNS Hijacking

The security consultancy JSOF has revealed seven vulnerabilities in Dnsmasq, an open source DNS forwarder and DHCP server widely used to add these capabilities to IoT devices and other embedded systems. Together, these flaws are referred to as DNSpooq, and could be exploited for DNS cache poisoning, remote code execution or denial of service attacks against millions of affected devices. Three of the vulnerabilities (CVE-2020-25686, CVE-2020-25684 and CVE-2020-25685) allow DNS spoofing attacks by poisoning the cache; with this attack, threat actors can redirect users to malicious servers under their control without the users noticing. The rest are buffer overflow vulnerabilities (CVE-2020-25687, CVE-2020-25683, CVE-2020-25682 and CVE-2020-25681) that could allow remote code execution. While several workarounds exist, JSOF advises that the only full mitigation is to update Dnsmasq to version 2.83 or above.

All the information: https://www.jsof-tech.com/disclosures/dnspooq/
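Because the only full mitigation is a version floor, the first triage step on a fleet of appliances is simply to read the Dnsmasq banner and compare it with 2.83. The following is an added example written for this briefing, not a JSOF tool: it parses the output of `dnsmasq --version` (the banner format `Dnsmasq version 2.80  Copyright (c) ...` is what the upstream binary prints) and treats 2.83 pre-releases (`2.83test1`, `2.83rc1`) as still unfixed, which is an assumption made here because the fix shipped in the 2.83 release itself.

```python
import re
import subprocess

FIXED_VERSION = (2, 83)   # first release JSOF names as fully mitigating DNSpooq
BANNER_RE = re.compile(r"Dnsmasq version (\d+)\.(\d+)(\S*)", re.I)


def parse_dnsmasq_version(banner):
    """Parse 'Dnsmasq version 2.80  Copyright ...' into (major, minor, suffix)."""
    m = BANNER_RE.search(banner)
    if not m:
        raise ValueError("no Dnsmasq version banner found")
    return int(m.group(1)), int(m.group(2)), m.group(3)


def dnspooq_status(banner):
    """'vulnerable' or 'fixed' for a given --version banner, by upstream version only."""
    major, minor, suffix = parse_dnsmasq_version(banner)
    if (major, minor) < FIXED_VERSION:
        return "vulnerable"
    # Assumption made for this example: 2.83 pre-releases (test/rc) are
    # treated as unfixed, since the fix landed in the 2.83 release itself.
    if (major, minor) == FIXED_VERSION and suffix.lower().startswith(("test", "rc")):
        return "vulnerable"
    return "fixed"


def check_local_dnsmasq():
    """Ask the installed binary; returns 'not installed' if it is absent."""
    try:
        out = subprocess.run(["dnsmasq", "--version"],
                             capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return "not installed"
    return dnspooq_status(out.stdout + out.stderr)


if __name__ == "__main__":
    # Constructed banners, as the binary prints them, for a quick demonstration.
    for banner in ("Dnsmasq version 2.80  Copyright (c) 2000-2018 Simon Kelley",
                   "Dnsmasq version 2.83test2  Copyright (c) 2000-2020 Simon Kelley",
                   "Dnsmasq version 2.83  Copyright (c) 2000-2021 Simon Kelley"):
        print(f"{banner.split('  ')[0]:30} {dnspooq_status(banner)}")
    print("local:", check_local_dnsmasq())
```

The caveat a practitioner needs: distributions backport fixes without bumping the upstream version, so a Debian or Ubuntu package reporting 2.80 may already carry the DNSpooq patches. A banner check therefore gives false positives on patched distro packages; confirm against the package changelog (searching for the CVE identifiers above) or the vendor advisory before raising a ticket. It never gives false negatives, which is the right failure mode for triage.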

Exposed RDP Services Used to Amplify DDoS Attacks

Security researchers at Netscout have recently detected malicious use of the Windows Remote Desktop Protocol (RDP) by threat actors as part of stresser (DDoS-for-hire) infrastructure. The RDP service typically listens on port 3389 over TCP and/or UDP. When the UDP transport is enabled, an amplification ratio of almost 86:1 can be achieved. The observed attacks range from 20 to 750 Gbps, and all amplified packets have a consistent size of 1,260 bytes. According to the researchers, more than 14,000 servers are exposed to this type of abuse.

More details: https://www.netscout.com/blog/asert/microsoft-remote-desktop-protocol-rdp-reflectionamplification
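The two facts Netscout gives (UDP from source port 3389, fixed 1,260-byte packets) are enough to pick this traffic out of flow data, both on the victim side (many reflectors hammering one destination) and on the reflector side (which of your own hosts is answering). The following is an added example written for this briefing, not Netscout code: it runs over a constructed set of NetFlow-style records in a simple CSV layout. The addresses are documentation ranges, the thresholds are assumptions, and the 1,200 to 1,300 byte window is slack for how different exporters count headers.

```python
from collections import defaultdict

RDP_PORT = 3389
# Netscout reports fixed-size 1,260-byte reflected packets; allow some slack
# for how different exporters count headers.
AMPLIFIED_PKT_RANGE = (1200, 1300)

# Constructed flow records (proto,src,sport,dst,dport,packets,bytes), as a
# NetFlow/IPFIX exporter might summarise them. Addresses are documentation
# ranges; the traffic pattern is invented to match the description above.
SAMPLE_FLOWS = """\
# proto,src,sport,dst,dport,packets,bytes
udp,198.51.100.10,3389,203.0.113.5,41211,100,126000
udp,198.51.100.11,3389,203.0.113.5,41211,80,100800
udp,198.51.100.12,3389,203.0.113.5,41211,120,151200
tcp,198.51.100.10,3389,192.0.2.7,50000,40,52000
udp,198.51.100.10,3389,192.0.2.8,60000,2,2520
"""


def parse_flows(lines):
    """Yield one dict per record, skipping blank and comment lines."""
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        proto, src, sport, dst, dport, packets, nbytes = line.split(",")
        yield {"proto": proto.lower(), "src": src, "sport": int(sport), "dst": dst,
               "dport": int(dport), "packets": int(packets), "bytes": int(nbytes)}


def is_rdp_reflection(flow):
    """UDP from source port 3389 carrying packets of the amplified size."""
    if flow["proto"] != "udp" or flow["sport"] != RDP_PORT or flow["packets"] == 0:
        return False
    avg = flow["bytes"] / flow["packets"]
    return AMPLIFIED_PKT_RANGE[0] <= avg <= AMPLIFIED_PKT_RANGE[1]


def detect_rdp_reflection(lines, min_reflectors=2, min_bytes=100_000):
    """Group amplified RDP/UDP traffic by destination; return victims over thresholds."""
    per_victim = defaultdict(lambda: {"reflectors": set(), "packets": 0, "bytes": 0})
    for flow in parse_flows(lines):
        if is_rdp_reflection(flow):
            v = per_victim[flow["dst"]]
            v["reflectors"].add(flow["src"])
            v["packets"] += flow["packets"]
            v["bytes"] += flow["bytes"]
    # A single probe from one reflector is not an attack; require several
    # reflectors converging on one destination and a meaningful volume.
    return {dst: {"reflectors": len(v["reflectors"]),
                  "packets": v["packets"], "bytes": v["bytes"]}
            for dst, v in per_victim.items()
            if len(v["reflectors"]) >= min_reflectors and v["bytes"] >= min_bytes}


def exposed_reflectors(lines):
    """Hosts seen answering on UDP/3389 with amplified packets: candidates to fix."""
    return sorted({f["src"] for f in parse_flows(lines) if is_rdp_reflection(f)})


if __name__ == "__main__":
    flows = SAMPLE_FLOWS.splitlines()
    for dst, stats in detect_rdp_reflection(flows).items():
        print(f"victim {dst}: {stats['reflectors']} reflectors, "
              f"{stats['bytes']} bytes in {stats['packets']} packets")
    print("exposed reflectors:", exposed_reflectors(flows))
```

The TCP session and the two-packet probe are deliberately in the sample: the first is normal RDP use and must not match, and the second shows why the detector aggregates per destination rather than alerting on every qualifying flow. On the reflector side, the fix is to disable the UDP transport for RDP on Internet-facing hosts or to put 3389 behind a VPN; the `exposed_reflectors` list is the starting point for that cleanup.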

Homeworking: Balancing Corporate Control and Employee Privacy (II)

Antonio Gil Moyano    Juan Carlos Fernández Martínez    21 January, 2021

Following on from the first article, in which we looked at both the regulation of homeworking and the security and privacy measures that apply to it, in this second part we look more closely at what is really interesting about the regulation: the legal and technical balance between the parties, in this case employer and employee.

Balance Between the Employer’s Power of Control and The Worker’s Right to Privacy

The line drawn by the Courts for the lawful access of the employer to the corporate information of devices begins with the duty of the employer to have policies on the use of its devices, a matter which is regulated in the current Data Protection Act.

And the million-dollar question: can the employer access information on corporate devices and email? It depends. It depends on whether you ask the employer or the employee, as the answer can be as varied as the cases that arise in the business world. The first thing to check is whether there is prior regulation of the use of devices. If there is, the document in question should be analysed, checking which control measures it regulates and whether it contains express prohibitions on personal use. Such a prohibition may be motivated by information security reasons. In the absence of such regulation, an employee whose corporate information is accessed may claim that their right to privacy has been infringed, since the courts take the view that, without regulation, there is a certain tolerance in the workplace for personal use of company equipment.

In both cases, and to avoid arbitrariness on the part of the employer, the employer is required to prove a prior suspicion of an employment infringement by the employee; on the basis of that evidence, the opening of an investigation and the gathering of evidence can be justified, in accordance with the principles of necessity, appropriateness and proportionality, so that the employer can prove the infringement while showing the utmost respect for the employee’s right to privacy.

To keep the information accessed to a minimum, forensic technicians typically use software that allows targeted searches by keyword, date range and file hash, so that the wheat can be separated from the chaff in a tangle of files and emails.

A common question among lawyers and computer forensics experts is who is responsible for the lawfulness of the evidence obtained. The answer from both professions is that employers usually delegate the responsibility for obtaining digital evidence to the forensic experts, often even when company lawyers are present, since those lawyers are frequently unaware of the specific rules on the subject.

To limit their liability for the validity of the evidence, these forensic professionals should therefore state that limitation of liability expressly in the scope of their service contract. It is advisable to involve a third party, such as a lawyer specialised in evidence and technological investigation, so that the employer can set up a correct digital evidence strategy to prove the prior suspicion and, consequently, the legitimacy of the subsequent investigation. This professional assists the employer throughout the process, which could end, for example, in a disciplinary dismissal, from obtaining the digital evidence to the defence in court.

Technical Tools for The Control and Access to Information Of Business Devices

Since our company has an IT support and cyber security team, we know very well what this sudden change in the way of working has meant for our clients, who were unprepared and had not taken the measures needed to guarantee information security and business continuity. We have had to reconfigure their infrastructure for large-scale remote working, as well as the personal equipment of users, which in general did not meet minimum security requirements.

This is a complex scenario and requires the use of tools that allow control and secure access to the company’s information. Before drawing up an information security policy related to asset management and homeworking, we must ask ourselves these questions:

About the assets

  • Is there a policy on the acceptable use of company assets such as the computer or laptop, mobile phone, email, instant messaging, internet, social networks, etc.?
  • Is the use of company assets allowed on a personal basis?
  • If so, has what constitutes misuse been properly documented and explained?
  • Has it been accepted and signed by the employee?
  • How is this controlled and managed?
  • Is there any monitoring or traceability?
  • Once the employee/company relationship has ended, how are these assets returned?
  • Is there a procedure and document for this purpose?
  • What happens if they are not returned?

About Homeworking

  • Is there a specific homeworking policy for mobile users?
  • Are the controls applied the same way for all users regardless of their location?
  • Is there any type of MDM (Mobile Device Management) tool for mobile devices that allows their control and encryption?
  • Have specific measures been implemented to guarantee secure use during homeworking? For example:
    • Use of VPN (Virtual Private Network) connection
    • Secure password with double authentication factor (2FA)
    • Backup copies
    • System Updates
    • Specific security solutions (not only antivirus)
    • Security in the cloud (95% of attacks in the cloud will be the responsibility of users)

INCIBE has developed a handbook on cyber security for homeworking to guide these good practices.

Conclusions

In any labour-law infringement committed through new technologies, it is mandatory to know and apply what is known as the Barbulescu II test, named after a well-known judgment of the European Court of Human Rights that sets out the criteria for lawful access to the information on corporate devices and mailboxes. The first step is to check whether policies on the use of corporate devices exist and whether they match the reality of the organisation and its working methods, including express prohibitions on personal use, so that the employee cannot claim a so-called “expectation of privacy” in the personal use of corporate devices; otherwise the evidence obtained could be declared null and void for violation of fundamental rights. Finally, it must be checked that the principles of necessity, appropriateness and proportionality were applied to the access to the information on the employee’s computer equipment.

It is understood that, with compliance with the above, both from a legal and technical point of view, the taking of evidence should be considered lawful and, consequently, taken into consideration by the Court, subject to criteria of relevance and free assessment, as well as to the principles of publicity, orality, immediacy, contradiction and concentration in the act of oral proceedings.

There is no such thing as 100% cyber security, nor is there full legal certainty.

Case study: My Employee Is Fooling Me

Our company has a time-registration application in which each employee must identify themselves at the start of the day, so that arrival and departure times are recorded. The employee also works with an application that records her whole activity. This has been in operation for 10 years, although lately we have noticed some strange behaviour and some unjustified absences. In addition, some of her colleagues complain about harassment and management has reprimanded her on several occasions. The company and the employee each keep track of absences from work, and a discrepancy is detected on a particular day on which the employee claims to have been at work.

Our forensic analysis work begins by analysing the access-logging application and also the one used for her work. We detect that on that particular day two accesses are recorded for that user: one at 8:00, which lasts barely 2 seconds, and another at 8:05, which lasts until 14:00, the departure time. When the application was designed, not only the user’s registration was recorded but also the IP from which the user connects. This IP is always the same, the company’s, since all users work from within the network and homeworking is not contemplated. It is detected that the registered IP is external and therefore that the connection was made from outside the company. The log of the management application is also analysed, and it is verified that there was no activity for that user during that day. We then proceed with the complaint and a request to the court so that the communications operator identifies and geolocates the registered IP. The operator’s report certifies that the IP corresponds to an ADSL line in the employee’s name, geolocated at her usual home.
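As an added illustration (not the article’s own tooling), the following Python script reproduces the kind of cross-check described above over constructed log lines: it pairs logins with logouts, then flags sessions from outside an assumed corporate address range, very short sessions, and days with no activity in the management application. The log format, the address range and the user name are all assumptions.

```python
import re
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample data (not the article's real logs). The hypothetical
# time-registration application writes one line per login/logout event.
ACCESS_LOG = """\
2021-01-14 08:00:00 login user=jdoe ip=10.0.3.21
2021-01-14 14:00:00 logout user=jdoe ip=10.0.3.21
2021-01-15 08:00:00 login user=jdoe ip=203.0.113.45
2021-01-15 08:00:02 logout user=jdoe ip=203.0.113.45
2021-01-15 08:05:00 login user=jdoe ip=203.0.113.45
2021-01-15 14:00:00 logout user=jdoe ip=203.0.113.45
"""

# Assumed internal range: homeworking is not foreseen, so every legitimate
# login should come from here.
CORPORATE_NET = ip_network("10.0.0.0/8")

# (user, day) pairs on which the hypothetical management application logged
# activity; the second day is missing, as in the case described.
MGMT_ACTIVITY_DAYS = {("jdoe", "2021-01-14")}

LINE_RE = re.compile(r"^(\S+ \S+) (login|logout) user=(\S+) ip=(\S+)$")


def parse_sessions(log_text: str) -> list:
    """Pair each login with the next logout of the same user and IP."""
    open_logins = {}
    sessions = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the review
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        action, user, ip = m.group(2), m.group(3), m.group(4)
        key = (user, ip)
        if action == "login":
            open_logins[key] = ts
        elif key in open_logins:
            sessions.append({"user": user, "ip": ip,
                             "start": open_logins.pop(key), "end": ts})
    return sessions


def review_sessions(sessions, corporate_net, activity_days, min_seconds=60):
    """Return one finding per session that deserves a closer forensic look."""
    findings = []
    for s in sessions:
        day = s["start"].strftime("%Y-%m-%d")
        reasons = []
        if ip_address(s["ip"]) not in corporate_net:
            reasons.append("external_ip")
        if (s["end"] - s["start"]).total_seconds() < min_seconds:
            reasons.append("short_session")
        if (s["user"], day) not in activity_days:
            reasons.append("no_application_activity")
        if reasons:
            findings.append({"user": s["user"], "day": day, "ip": s["ip"],
                             "start": s["start"].strftime("%H:%M:%S"),
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in review_sessions(parse_sessions(ACCESS_LOG),
                             CORPORATE_NET, MGMT_ACTIVITY_DAYS):
        print(f["day"], f["start"], f["user"], f["ip"], ", ".join(f["reasons"]))
```

The findings only point at what to examine; attributing the external address to a person still requires the operator’s report and the court order described in the case.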

Resolution of the Case

All the evidence found (the IP of the external connection, the absence of activity in the management application and the geolocation of the IP with a technical report from the operator) pointed to the fact that it was the employee who, from her home, made the connection in order to show the company that she was working in the office that day. Finally, the resolution was favourable to the company.


First part of this article available here:

Thanks to AI, the future of video-conferencing is in sight.

Patrick Buckley    21 January, 2021

Throughout the COVID-19 pandemic, video-conferencing has become the backbone of both our work and social lives. Today, on #WorldHugDay, we take a look at some of the ways in which AI (Artificial Intelligence) will help to more efficiently connect us virtually in the future.

Almost a year after most of the western world was plunged into a state of lockdown, it’s hard for most of us to imagine life without the constant bleeping of the team’s application on our phones or the ever so frequent occurrence of having to remind a co-worker that they had accidentally muted their microphone.

As innovative and advanced as this current technology may be, the future possibilities of further technological advancements in video-conferencing platforms are becoming increasingly visible thanks to the continuous evolution and advancement of AI based technologies. 

Sorry, you froze!

There’s nothing more annoying than a ‘laggy’ or low-quality video stream when you’re trying to catch up with friends or take part in a meeting. It’s a daily problem for most of us without a high-speed internet connection, but this bothersome reality of the virtual lifestyle will soon be a thing of the past.

So-called ‘AI video compression’ technology completely reinvents the way in which video-chat platforms work and is currently being incorporated into video-conference platforms.

How does it work? 

By collecting data on the facial features of users such as the eyes, nose and mouth, this AI powered technology creates a virtual avatar which, when combined with the organic video image, produces a much higher quality stream for users. 

At the same time, this technology dramatically reduces bandwidth consumption. The result is a much more seamless user experience, allowing everybody to enjoy high quality video streams regardless of their bandwidth capacity, making video-conferencing possible in remote areas with weak network connections. 

This technology also has the ability to adjust camera angles, make users appear more engaged by diverting eye contact towards the screen and potentially even mask imperfections on the skin such as zits and eye-bags.  

NVIDIA MAXINE is an example of such a pioneering solution that offers integrated AI frameworks to video conferencing developers.  

Can you translate please?

As we become accustomed to working remotely and depending on video-conference technology as a primary way of doing business, developers are starting to incorporate conversational AI frameworks into their products.

Video-conferencing platforms of the future will incorporate tools such as a digital assistant function which can inform users of relevant information such as the weather and offer real-time translation whilst on a call. Clearly, this will be extremely helpful for those who wish to engage in international conversations, both in a business and a leisure context.

Conversational AI frameworks also have the capacity to identify different voice tones, allowing the platform to recognise the voice of the main speaker and mute all noise from the surrounding environment, making it far easier for people to hold a virtual conversation in busy public spaces, or indeed at home with noisy animals or children around.

Final Thoughts

Video-conferencing platforms are a vital tool for many of us as we go about our daily lives during the COVID-19 pandemic. This has incentivised developers to push the boundaries of existing platforms and apply AI within current technology to achieve increased functionality. Thanks to this innovation in AI, someday soon, perhaps without even realising it, we will be communicating with our digitally produced avatars as we ignore the screaming children in the background of our online interview. The future is in sight. 

To keep up to date with LUCA visit our website, subscribe to LUCA Data Speaks or follow us on Twitter, LinkedIn or YouTube.

Plausibly Deniable Encryption or How to Reveal A Key Without Revealing It

Gonzalo Álvarez Marañón    20 January, 2021

When the secret police arrested Andrea at the airport checkpoint, she thought it was a mere formality reserved for all foreign citizens. When they searched her luggage and found the USB disk with all the names and addresses of the political dissidents she was helping to flee the country, she was relieved: the disk was encrypted with a 256-bit AES key, and even a supercomputer would not crack it in a billion years. When she was strapped naked to a grill and received the first shock of 1000 volts, her nerves and muscles convulsed in panic. How long could she hold out before revealing the secret key? If she spoke, how many more people would be tortured and killed? Is there any point in cryptography if you can be made to reveal the key?

Indeed, even the best encryption algorithm in the world will not resist rubber-hose cryptanalysis: so why bother mathematically attacking an encryption algorithm, when through extortion, bribery or torture the keys of the people who use or manage it can be extracted?

It would be wonderful to be able to encrypt information so that, if you reveal the encryption key under duress, it does not decrypt the original sensitive information but rather a decoy. Fortunately, this amazing form of cryptography exists; it is called plausibly deniable encryption.

Plausibly Deniable Encryption to Decrypt One Message or Another Depending on The Scenario

For instance, an encryption algorithm (E) receives as inputs a sensitive message to be protected (the clear text, m) and a short random string of bits (the key, k) and produces as an output a random-looking set of bits (the encrypted text, c) of approximately the same length as the message:

c = E_k(m)

The same message m encrypted with the same key k produces the same encrypted text c. For the sake of simplicity, in this article we will leave aside the randomly filled-in encryption that precisely avoids this determinism. Likewise, the same encrypted text c decrypted with the same k key produces the same clear text m using the corresponding decryption algorithm (D):

m = D_k(E_k(m))

It is in this sense that encryption is said to commit you: once you have encrypted a text m with a key k and shared the encrypted text c, the three values are indissolubly linked. If under duress you reveal k, then c yields the original text m, perfectly legible by everyone. If instead of revealing the true key k you invent some other key value, the result of decrypting c with it will be a random, illegible text, so everyone will know that you did not confess the real key k. Therefore, they will be able to keep coercing you until you reveal the real k.

Furthermore, the mere fact of storing or transmitting encrypted messages is in itself incriminating, depending on the scenario. To a repressive government, a bloodthirsty criminal or a jealous partner, possessing or sending encrypted information will make them suspect that there is something they want to hide. Encryption protects the confidentiality of the message but does not hide its existence. How do you get out of the way if an adversary intercepts your encrypted information and demands that you decrypt it? You neither want to reveal the encrypted information, nor can you decrypt it with a wrong key that returns unreadable text.

The aim of plausibly deniable encryption is that the same c encrypted text can be decrypted with two different keys, k1 and k2, resulting in two different clear texts, m1 and m2, both perfectly readable, but with a fascinating twist: m1 is the sensitive text whose confidentiality you really want to protect, while m2 is a readable and plausible text, which acts as a decoy, and which you can happily display to the satisfaction of your adversary. Both created from the same c!

How To Achieve Rudimentary Deniable Encryption Using XOR Encryption

If you think that plausibly deniable encryption is a matter of magic, you will see how a rudimentary version can be achieved through a simple example based on the one-time pad, simply by using the XOR operation, also known as addition modulo 2, which we will represent by (+). In this algorithm, encryption and decryption work as follows:

Encryption: c = m (+) k

Decryption: m = c (+) k = m (+) k (+) k = m

since the XOR of a value with itself is equal to 0.

We start with two messages, the sensitive m1 and the decoy m2, and a secret key, k1, as long as the longest message. The encrypted text c is calculated as:

c = m1 (+) k1

The k2 key is calculated as:

k2 = c (+) m2

If c is decrypted with k1, m1 is obtained:

c (+) k1 = m1 (+) k1 (+) k1 = m1

While if c is decrypted with k2, m2 is obtained:

c (+) k2 = c (+) c (+) m2 = m2

Deniable encryption works! The adversary has no way of knowing whether m2 was the authentic message or a fake one. Hopefully, he will be satisfied and leave the victim alone. Obviously, you can calculate as many keys and alternative messages from c as you like.

Another use of deniable encryption, unrelated to protection against duress, is to send different instructions to different recipients, all contained in the same encrypted text! All recipients openly receive the same cipher text c, but each recipient is given a different key ki that decodes a different message mi from the same c. Recipient 1 obtains m1 by decrypting c with k1, recipient 2 obtains m2 by decrypting c with k2, and so on. None of them can read the others’ messages; moreover, they will not even suspect their existence.
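The XOR construction above, carried through in Python for both the duress scenario (one sensitive message plus decoys) and the multi-recipient scenario (one ciphertext, one key per recipient). This is an added example, not code from the article; the space padding of shorter messages and the function names are my own choices, and the sample messages are constructed.

```python
import os
from typing import List, Optional, Tuple


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Bytewise XOR, the (+) operation of the text; operands must have equal length."""
    if len(a) != len(b):
        raise ValueError("XOR operands must have the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def pad_message(m: bytes, length: int) -> bytes:
    """Right-pad a plaintext with spaces so every plaintext shares the key length."""
    if len(m) > length:
        raise ValueError("message longer than the key")
    return m + b" " * (length - len(m))


def encrypt(m: bytes, k: bytes) -> bytes:
    """c = m (+) k"""
    return xor_bytes(m, k)


def decrypt(c: bytes, k: bytes) -> bytes:
    """m = c (+) k"""
    return xor_bytes(c, k)


def derive_key_for(c: bytes, m_alt: bytes) -> bytes:
    """k_i = c (+) m_i: the key that makes the fixed ciphertext decrypt to m_alt."""
    return xor_bytes(c, m_alt)


def build_deniable(messages: List[bytes],
                   k1: Optional[bytes] = None) -> Tuple[bytes, List[bytes]]:
    """Encrypt messages[0] with k1 and derive one extra key per further message.

    Returns (c, keys) with decrypt(c, keys[i]) == messages[i] (space-padded).
    messages[0] is the sensitive text m1; the rest are decoys (duress case)
    or per-recipient instructions (multi-recipient case): same c, different k_i.
    """
    if not messages:
        raise ValueError("at least one message is required")
    n = max(len(m) for m in messages)          # key as long as the longest message
    padded = [pad_message(m, n) for m in messages]
    if k1 is None:
        k1 = os.urandom(n)                     # one-time pad: fresh random bits
    elif len(k1) != n:
        raise ValueError("k1 must be as long as the longest message")
    c = encrypt(padded[0], k1)
    keys = [k1] + [derive_key_for(c, m) for m in padded[1:]]
    return c, keys


def looks_like_text(pt: bytes) -> bool:
    """Crude plausibility check: printable ASCII only (what a coercer would eyeball)."""
    return all(32 <= b < 127 for b in pt)


if __name__ == "__main__":
    sensitive = b"names and addresses: see annex"   # constructed m1
    decoy = b"grandma's lemon cake recipe"          # constructed m2
    c, (k1, k2) = build_deniable([sensitive, decoy])
    print("c  :", c.hex())
    print("k1 ->", decrypt(c, k1))
    print("k2 ->", decrypt(c, k2))
    # A wrong random key yields noise, which is exactly what gives a victim away.
    print("random key plausible?", looks_like_text(decrypt(c, os.urandom(len(c)))))
```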

Of course, this version would be impractical, as it requires keys as long as the messages themselves. So the cryptographers had to develop more efficient algorithms.

The Gradual Improvement of Deniable Encryption Over the Years

The first operational deniable encryption algorithm was proposed in 1997 by R. Canetti, C. Dwork, M. Naor and R. Ostrovsky, based on the following ingenious idea: imagine that the sender (Alice) and the receiver (Bob) have agreed on a method that allows Alice to choose an element of a domain either truly at random or pseudo-randomly, in such a way that Bob can distinguish the random choice from the pseudo-random one. When Alice wants to transmit a 1, she sends a pseudo-random string; to transmit a 0, she sends a truly random string. Since the adversary cannot distinguish the pseudo-random element from the random one, Alice can pretend to have sent any message at all.

Over the years, numerous deniable encryption schemes have been proposed, both public-key and secret-key. The latter can be used to encrypt large volumes of data, such as entire hard disks. A good example of a deniable encryption system applied to disks is the multi-platform tool Truecrypt, with its volumes hidden within encrypted volumes. It is based on the pioneering work developed in 1997 by the cypherpunks Julian Assange (yes, the one from Wikileaks) and Ralf Weinmann, aptly named Rubberhose File System in reference to the above-mentioned cryptanalysis method. Tools for deniable encryption of Android smartphone content have also been released, such as Mobiflage or MobiCeal. The BestCrypt app provides the widest coverage, as it works on Windows, MacOS, Linux and Android.

Be Careful with Deniable Encryption, Which Can Give You Away

However, deniable encryption is not exempt from very serious risks. If your adversary is sufficiently well versed in cryptography, the mere suspicion that you are using a deniable encryption system will motivate him to keep extracting keys from you. Suppose you have used Truecrypt to encrypt the information on your disk, a fact that you cannot hide from a basic digital forensic investigation. Will your adversary be satisfied with the first key you reveal to him? Possibly he will continue to coerce you, with a rubber hose or other means, to reveal a second key. And a third. And a fourth… How will your adversary know that he has extracted your last key and that you are not hiding another one? Deniable encryption can turn against you in a rubber-hose cryptanalysis scenario because it could encourage the adversary never to stop.

In short, plausibly deniable encryption is yet another tool that cryptography places at the service of civil liberties and rights. However, in circumstances of real danger of duress, it must be used with caution.

Cyber Security Weekly Briefing January 9-15

ElevenPaths    15 January, 2021

Sunburst shows code matches with Russian-associated malware

Researchers have found that the Sunburst malware used during the SolarWinds supply chain attack is consistent in its characteristics with Kazuar, a .NET backdoor associated with the Russian cybercriminal group, Turla (also known as Venomous Bear and Waterbug), which specializes in information theft and cyber espionage. These data support the attribution of the compromise to a Russian-linked APT (starting to be called UNC2452 and DarkHalo), confirmed by the FBI, CISA and NSA last week. Crowdstrike investigators, in collaboration with other firms and SolarWinds itself, claim to have identified the entry vector for injecting the malicious code into the Orion software development process. The malware used for this purpose is called Sunspot. It has the ability to monitor running processes to detect those involved in Orion packaging and then inject the Sunburst backdoor into the source code before it has even been read by the compiler.

More: https://securelist.com/sunburst-backdoor-kazuar/99981/

New Trojan for Android

Hispasec researchers warn of the detection of a new family of banking malware for Android devices. The warning follows the detection last Thursday, January 7, of a sample on the VirusTotal and Koodous platforms which, according to the researchers, did not appear to belong to any previously identified banking malware family. Shortly afterwards, the MalwareHunterTeam account reported this sample, indicating that some antivirus engines were already detecting it, but with generic banking-malware signatures or by reference to families such as Cerberus or Anubis Bankbot. Hispasec indicates that it sees no relationship with either of these two families. The aim of this new trojan is, as usual, to steal credentials by activating itself as soon as it detects that a banking application is being opened on the device. To this end, the malware abuses the accessibility permissions, which it requests as soon as the user runs the malware after installation. The developers of this new malware appear to be targeting Spanish entities, since most of the affected entities are Spanish, although some German entities have also been affected to a lesser extent.

All the details: https://unaaldia.hispasec.com/2021/01/detectado-un-nuevo-troyano-bancario-para-android.html

Microsoft Security Newsletter

Microsoft has published its monthly security update newsletter for January, correcting a total of 83 vulnerabilities, 10 of them classified as critical and the rest as important. Among the critical vulnerabilities are a remote code execution 0-day (CVE-2021-1647) in the Microsoft Defender antivirus software that is being actively exploited, and a privilege elevation vulnerability (CVE-2021-1648) in the splwow64 service, previously published by Google’s Project Zero team. In addition, it is worth mentioning a security feature bypass flaw (CVE-2021-1674) in Windows Remote Desktop and five RCE flaws in the Windows Remote Procedure Call Runtime.

More info: https://msrc.microsoft.com/update-guide/releaseNote/2021-Jan

Critical flaw in Thunderbird

Mozilla has released a security update that fixes a critical vulnerability (CVE-2020-16044) in Thunderbird affecting all versions prior to the latest release. The bug is a use-after-free write resulting from the way cookies are handled in the browser, which is why it does not directly affect the Thunderbird desktop client but could be exploited through different browsers. Ultimately, it could allow an attacker to execute malicious code on the affected device. Both CISA and INCIBE have warned of the need to update Thunderbird to the latest available version, which by default is done automatically.

Learn more: https://www.mozilla.org/en-US/security/advisories/mfsa2021-02/#CVE-2020-16044

Notices from US agencies

Two of the main US security agencies have published alerts on different issues:

  • The US Cybersecurity Agency (CISA) issued an alert (AR21-013A) warning that it was aware of several compromises of corporate cloud services protected by multi-factor authentication (MFA). To gain access, threat actors are using different techniques such as phishing campaigns, brute force attacks and pass-the-cookie attacks, among others. The campaign takes advantage of the situation created by COVID-19, in which many employees combine the use of personal and corporate devices to access business services in the cloud. CISA has also pointed out that these attacks are not linked to the threat actors behind the SolarWinds supply chain compromise.
  • The National Security Agency warned about the need to avoid using third-party DNS resolvers to block attempts by threat actors to manipulate DNS traffic. The agency recommends that traffic from a business network, whether encrypted or not, should only be sent to the designated company’s DNS resolution system through its own servers or through external services with built-in support for encrypted DNS requests such as DoH.
  • The Cybersecurity and Infrastructure Security Agency (CISA) last Thursday urged federal agencies to deploy ad-blocking software and standardise the use of web browsers on their computers to block malicious advertising. It also recommended that other agencies consider isolating web browsers from operating systems, as the Department of Defense already does.

All the details: