Curiosities About Windows XP Code Leak

ElevenPaths    6 October, 2020

A few days ago, attention was focused on Reddit, within a community that is characterised by its conspiracy theories. According to the news, the leak consisted of 43 GB of “Windows XP” data but, according to the (more accurate) name of the Torrent, what was leaked was the “Microsoft leaked source code archive”, because it actually contained much more. It is a compilation of previous leaks, documents, documentaries, images… and yes, unpublished source code. More than half of the content is in fact made up of all of Microsoft’s patents, up to 27 GB in compressed form. Let’s have a look at other curiosities.

Directory and File Analysis 

Here is an example of what can be downloaded:

The description of the Torrent itself makes this clear. Included in this Torrent are:

  • MS-DOS 3.30 OEM Adaptation Kit (source code) 
  • MS-DOS 6.0 (source code) 
  • DDKs / WDKs stretching from Win 3.11 to Windows 7 (source code) 
  • Windows NT 3.5 (source code) 
  • Windows NT 4 (source code) 
  • Windows 2000 (source code) 
  • Windows XP SP1 (source code) 
  • Windows Server 2003 (build 3790) (source code) (file name is ‘nt5src.7z’) 
  • Windows CE 3.0 Platform Builder (source code) 
  • Windows CE 4.2 Shared Source (source code) 
  • Windows CE 5.0 Shared Source (source code) 
  • Windows CE 6.0 R3 Shared Source (source code) 
  • Windows Embedded Compact 7.0 Shared Source (source code) 
  • Windows Embedded Compact 2013 (CE 8.0) Shared Source (source code) 
  • Windows 10 Shared Source Kit (source code) 
  • Windows Research Kernel 1.2 (source code) 
  • Xbox Live (source code) (most recent copyright notice in the code says 2009) 
  • Xbox OS (source code) (both the “Barnabas” release from 2002, and the leak that happened in May 2020) 

We have indicated the most relevant part in bold, since much of the rest was already known from previous leaks. For example, in May 2020 the original Xbox and NT 3.5 code was leaked; in 2017, some parts of Windows 10; and in 2004, some parts of NT and 2000.

We show here the complete TXT justifying what the Torrent consists of. 

The PDF section is nothing to be missed, mostly because of the value of gathering so much documentation and news about code disclosures. 

Mysterious Encrypted RAR 

The leak contains an encrypted RAR (Windows_xp_source.rar), and the person including it appeals to the community to try to crack the password.

“Including ‘windows_xp_source.rar’ in this collection, even though it’s password protected. Maybe someone can crack (or guess) the password and see what’s inside. The archive is bigger than the other XP / Neptune source tree. It might be genuine, it might not. But I’m including it just in case, since the file was so hard to track down. Original upload date seems to have been around 2007 or 2008.

The hash key is: $RAR3$*0*c9292efa2e495f90*044d2e5042869449c10f890c1cced438”

Is This Relevant?

What is important, therefore, and seems to be new, is the source code of kernel 5 from 2003, which is largely shared by XP as well: Nt5src.7z, which is about 2.4 gigabytes and reaches about 10 GB when decompressed. It seems that the code is very complete, but it is not known if it contains enough to compile it. The vast majority of the files are dated 2 September 2002. The Service Pack was officially released on the 9th.

As to whether this leak is a security threat: it will make it much faster to detect or analyse potential vulnerabilities that are still preserved in Windows 10 through inherited code. Once an opportunity for a flaw has been identified, attackers will be able to understand better why it occurs by going to the relevant portion of the code in the clear. And this does not only concern the parts inherited by Windows 10: Windows XP and 2003 themselves are still found on a good number of important systems. Truth be told, since 2014, when their support was stopped, administrators who still maintain these systems have had other problems to deal with. But this can make things worse. Not much more, but it is important.

In any case, any researcher looking for vulnerabilities in the code would start from the comments… where programmers reflect doubts, fears and… potential cracks. A simple search for “WARNING:” gives us an interesting idea of what things can go wrong in the code, according to the programmers themselves. Some of them will be mere curiosities and others could be seen as potential security problems. Here are some examples.

It makes no checks on buffer…
It could break everything…
It is very annoying to look at…
Never ever change the order or you break backwards compatibility…
Overflow…
I really don’t like this but…

 

The JlJmIhClBsr String

We didn’t want to forget that the code related to file sharing contains the string JlJmIhClBsr, something curious that may indicate that the NSA already had access to the Windows code (this would not be strange at all), but that also implies it made a mistake when creating the EternalBlue exploit. By including that string, which was in the source code for reasons that are not well understood, it was adding (without being aware of it) a very relevant IDS signature for knowing whether someone was being attacked with the EternalBlue exploit.

This is very curious because it would also imply that the NSA created the exploit by fixing or adapting the source code directly. When the exploit was made public, WannaCry, built on EternalBlue, also inherited that string. However, it was useless, and when the exploit was ported to Metasploit it was simply removed. At the time, we investigated and verified that the string JlJmIhClBsr really has only one use: to serve perfectly as a signature or mark to detect the network attack. An oversight on the NSA’s part.

Part of the svrcall.c code
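
The signature role described above can be shown with a small streaming matcher. This is an added example, not code from the original post or from any ElevenPaths tool: it looks for the string in the in-order payload of flows to TCP port 445 and keeps a short tail per flow so that a marker split across two segments is still caught. The class and function names, the port restriction and the sample traffic are assumptions made for the illustration.

```python
"""Flag SMB flows whose payload carries the JlJmIhClBsr marker string."""
from collections import defaultdict

MARKER = b"JlJmIhClBsr"  # the string discussed in the article
SMB_PORT = 445           # assumption: only direct-hosted SMB over TCP is inspected


class MarkerScanner:
    """Streaming matcher that still fires when the marker spans two segments."""

    def __init__(self, marker=MARKER):
        self.marker = marker
        self.tails = defaultdict(bytes)  # flow -> last len(marker)-1 bytes seen
        self.seen = defaultdict(int)     # flow -> payload bytes consumed so far
        self.hits = []                   # (flow, offset of the match in the stream)

    def feed(self, flow, payload):
        """flow is (src_ip, src_port, dst_ip, dst_port); payload is in-order TCP data.

        Returns True when this segment completes at least one match.
        """
        if flow[3] != SMB_PORT or not payload:
            return False
        tail = self.tails[flow]
        window = tail + payload
        base = self.seen[flow] - len(tail)  # stream offset of window[0]
        found, start = False, 0
        while (idx := window.find(self.marker, start)) != -1:
            self.hits.append((flow, base + idx))
            found, start = True, idx + 1
        keep = len(self.marker) - 1
        # The tail is shorter than the marker, so it can never match on its own
        # and no hit is reported twice.
        self.tails[flow] = window[-keep:] if keep else b""
        self.seen[flow] += len(payload)
        return found


def flagged_flows(segments):
    """Run every (flow, payload) pair through one scanner; return flows and hits."""
    scanner = MarkerScanner()
    for flow, payload in segments:
        scanner.feed(flow, payload)
    return sorted({flow for flow, _ in scanner.hits}), scanner.hits


# Constructed sample traffic: documentation addresses and filler bytes,
# not real SMB frames and not taken from a capture.
FLOW_A = ("198.51.100.7", 49152, "192.0.2.10", 445)
FLOW_B = ("198.51.100.8", 49153, "192.0.2.10", 445)
FLOW_C = ("192.0.2.20", 49154, "192.0.2.10", 445)
FLOW_D = ("198.51.100.9", 49155, "192.0.2.10", 80)
SAMPLE_SEGMENTS = [
    (FLOW_A, b"\x00" * 16 + MARKER + b"\x00" * 4),  # marker inside one segment
    (FLOW_B, b"\x00" * 8 + MARKER[:5]),             # marker split across ...
    (FLOW_C, b"ordinary file-sharing bytes"),       # benign traffic on the SMB port
    (FLOW_B, MARKER[5:] + b"\x00" * 8),             # ... two segments of FLOW_B
    (FLOW_D, MARKER),                               # not port 445: out of scope here
]

if __name__ == "__main__":
    flows, hits = flagged_flows(SAMPLE_SEGMENTS)
    for flow, offset in hits:
        print(f"ALERT marker at stream offset {offset} in flow {flow}")
```
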

Introducing the New ElevenPaths Chief Security Envoys (CSEs) for 2020

ElevenPaths    5 October, 2020

For several years now, ElevenPaths has had the figure of the CSA (Chief Security Ambassador). These are experts in cybersecurity, ambassadors of our brand around the world whose mission is to promote the culture of security through conferences and articles.

Last year, in order to broaden the outreach of these ambassadors, we created a new figure: the ElevenPaths CSE (Chief Security Envoy), an acknowledgement programme for professionals in the cybersecurity sector. 

After an initial experience that was a total success, today we would like to introduce you to the two new additions to this programme: Juan Carlos Fernández Martínez and David Sánchez Jiménez. 

Juan Carlos Fernández Martínez 

A public administration employee, lawyer and creator of TECNOGADOS. He combines these activities with his work as a specialist professor in legal issues related to new technologies and cybersecurity in various Masters (UCLM, EOI or the Toledo School of Public Security). He has also participated in the well-known TED talks, as well as in the main computer security congresses in Spain, such as RootedCON, Navaja Negra, MorterueloCON and the XIII STIC CCN-CERT Conference of the National Cryptology Centre.

David Sánchez Jiménez 

Cybersecurity expert at The Security Sentinel. Expert professor in Ethical Hacking and Offensive Security on the Master in CyberSecurity Management, Ethical Hacking and Offensive Security of the Escuela Internacional de Postgrados (EIP).

If you want to know the rest of the CSEs who will be repeating in Spain, you can check last year’s article. In Ecuador, Alicia and Christian will be repeating as well.

Organisers of events, talks and conferences who would like to have one of these experts at their disposal can write to the following email address: [email protected], where we look forward to your applications. We would be delighted to come and share knowledge!

Cybersecurity Weekly Briefing 26 September – 2 October

ElevenPaths    2 October, 2020

The logistics giant CMA CGM affected by a cyber attack

This week, the French logistics group CMA CGM, which operates in 160 different countries, reported a cyberattack against its systems via its website and social networks. Apparently, the incident has affected several perimeter servers, forcing the company to interrupt internet access to some of its applications to prevent malware from spreading within its network. The entity therefore recommends that its clients contact the group’s local agencies for any request, reservation or other type of operation. Although the group has not disclosed the type of malware that caused the incident, some communications point at RagnarLocker ransomware, which would have managed to infect several of CMA CGM’s offices in China.

More: https://www.cmacgm-group.com/en/news-media/important-notice-external-access-to-CMA-CGM-IT-applications

Windows XP and Server 2003 compiled and installed from the leaked source code

On 24 September, several users of 4chan and Reddit reported the leak of the Windows XP source code, which would later appear to have been leaked on one of these forums, confirming the legitimacy of the leak. Now, the developer NTDEV has published two videos on YouTube and several tweets in which he shows how to compile Windows XP and Server 2003 from the Command Prompt of another Windows XP installation, although the developer admits that, unlike with the code of Windows Server 2003, in the case of Windows XP he has not yet been able to generate an ISO image to share. This code could be related to the July 26 leak in which a GitLab repository containing the code of more than 50 companies, including Microsoft, was made public. This leak could affect various public institutions or ATMs that continue to use Windows XP even though it is no longer supported. Threat actors could analyse this code for vulnerabilities that could also be exploited in more current versions.

More info (in Spanish): https://www.genbeta.com/windows/logran-compilar-ejecutar-windows-xp-server-2003-a-partir-codigo-fuente-filtrado-asi-proceso-video

Microsoft clears up confusion with patches for Windows Zerologon flaws

Microsoft has clarified the steps that customers must take to ensure that their devices are protected against attacks using Windows Server Zerologon exploits (CVE-2020-1472). The company issued a new version of its warning after customers found the original guidance confusing and were unsure whether applying the patch was enough to protect vulnerable Windows Server devices from attacks. In a step-by-step process, the updated warning now explains the exact actions administrators must take to ensure their environments are protected and that disruptions are avoided in the event of an incoming attack designed to exploit servers that would otherwise be vulnerable to Zerologon exploits. The actions to be taken as described by Microsoft are as follows:

  • UPDATE domain controllers with the update published on or after 11 August 2020.
  • FIND out which devices are making suspicious connections by monitoring the event logs.
  • ADDRESS non-compliant devices that are making these connections.
  • ENABLE enforcement mode to address CVE-2020-1472 in the environment.

More: https://support.microsoft.com/en-us/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc
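
The FIND, ADDRESS and ENABLE steps can be sketched as a triage over Netlogon events collected from the domain controllers. This is an added example, not Microsoft's or ElevenPaths' code: the event IDs 5827 to 5831 are the ones Microsoft's guidance for CVE-2020-1472 lists for the System log, while the CSV column names, the status labels and the sample rows are assumptions constructed for the illustration.

```python
"""Triage Netlogon secure-channel events collected from domain controllers."""
import csv
import io
from collections import defaultdict

# Netlogon event IDs listed in Microsoft's guidance for CVE-2020-1472 (System log).
EVENTS = {
    5827: "vulnerable connection from a machine account denied",
    5828: "vulnerable connection from a trust account denied",
    5829: "vulnerable connection allowed; denied once enforcement mode is on",
    5830: "vulnerable machine-account connection allowed by group policy",
    5831: "vulnerable trust-account connection allowed by group policy",
}
# Hypothetical status labels; the first matching rule wins, worst case first.
STATUS_RULES = (
    ("non-compliant", (5829,)),
    ("denied", (5827, 5828)),
    ("policy-exception", (5830, 5831)),
)


def triage(export_text):
    """Group Netlogon events by account and assign each account one status."""
    devices = defaultdict(lambda: {"os": "", "counts": defaultdict(int)})
    for row in csv.DictReader(io.StringIO(export_text)):
        try:
            event_id = int(row.get("EventID") or "")
        except ValueError:
            continue                      # malformed row
        account = (row.get("Account") or "").strip().upper()
        if event_id not in EVENTS or not account:
            continue                      # unrelated event or unusable row
        device = devices[account]
        device["os"] = (row.get("OperatingSystem") or "").strip() or device["os"]
        device["counts"][event_id] += 1
    report = {}
    for account, device in devices.items():
        status = next(name for name, ids in STATUS_RULES
                      if any(i in device["counts"] for i in ids))
        report[account] = {"status": status, "os": device["os"],
                           "counts": dict(device["counts"])}
    return report


def safe_to_enforce(report):
    """True when no account still depends on a vulnerable connection being allowed."""
    return all(entry["status"] != "non-compliant" for entry in report.values())


# Constructed sample export; the column names are an assumption of this example.
SAMPLE_EXPORT = """EventID,TimeCreated,Account,OperatingSystem
5829,2020-09-28T08:01:12Z,NAS01$,Unknown
5829,2020-09-28T09:15:40Z,nas01$,Unknown
5829,2020-09-28T09:20:03Z,LEGACYAPP$,Windows Server 2003
5830,2020-09-28T10:02:51Z,PRINTSRV$,Unknown
4624,2020-09-28T10:05:00Z,WS042$,Windows 10
"""

if __name__ == "__main__":
    result = triage(SAMPLE_EXPORT)
    for account, entry in sorted(result.items()):
        print(f"{account:12} {entry['status']:17} {entry['os']:20} {entry['counts']}")
    print("safe to enable enforcement mode:", safe_to_enforce(result))
```
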

Phishing campaign takes advantage of reading permissions for third party applications on O365

Proofpoint has published a report on a new technique used by the threat actor TA2552 since August 2019, in which it abuses access to third-party applications (3PA) of Microsoft Office 365. Specifically, an email is sent to users in Spain and Latin America with a message urging them to click on a link that redirects them to a consent page for legitimate third-party Microsoft applications. On this page, they are asked to grant read-only permissions to their O365 account through OAuth2 or other token-based authorisation methods. Through this technique, TA2552 seeks to obtain permissions to view the content and activity of available resources, such as user contacts and email, through a user’s O365 account. Read-only access carries considerable risk, as it provides attackers with the ability to access valuable information that could be used in BEC or account hijacking attacks, to silently steal data, or to intercept password reset messages from other accounts, such as those of financial institutions.

More: https://www.proofpoint.com/us/blog/threat-insight/ta2552-uses-oauth-access-token-phishing-exploit-read-only-risks

ChainLock, A Linux Tool for Locking Down Important Files

Innovation and Laboratory Area in ElevenPaths    2 October, 2020

Let’s say you have a valuable file on your computer, such as a bitcoin wallet file (“wallet.dat”), or some other file with sensitive information, and you decide to put a password on it to keep it safe. If you use MS Windows, maybe you’ve taken steps to protect yourself from clipboard hijacking malware, and now you’re wondering what to do next in the constant arms race against attackers.

We know about some malware that tries to target and steal your wallet.dat file so the attacker can crack your password offline and then transfer the funds to an account they control, so at Innovation and Laboratory we wanted to create something for Linux users.

We wanted the tool to be accessible, so it could be used to protect sensitive files without doing things like recompiling the kernel or configuring SELinux. We ended up with a new tool, dubbed ChainLock. ChainLock can lock any file on your Linux computer such that it can only be opened by a specific application. For example, it can ensure your wallet.dat file can only be accessed by your bitcoin core application and can’t be opened or copied by malware.

How does it work?

First, we onboard a file with the ChainLock command line program. This encrypts the target file with a strong password, and then a QR code pops up on screen which we can scan with the companion application for smartphones. Now the key to unlock the protected file is only stored on your phone and can’t be found on your computer. An attacker must compromise both devices to unlock your file without permission.

That takes care of protecting the file at rest, but locked files aren’t very helpful when you’re trying to use them. We can ask ChainLock to unlock the file, and a QR code pops up. With the companion app we can select the file we want to unlock, then scan the QR code. The app will send the information necessary to unlock the file to your computer using a Tor hidden service.

ChainLock now starts a daemon to watch over the file and only allow access from the authorized binary, and then decrypts the file so it can be used. Now the wallet can only be used with the specified application. Nothing else works! ChainLock also supports upgrading or changing the authorized program, so you can always upgrade your wallet application without fear, or migrate to another device.

Where do I get it?

You can download ChainLock and the companion application at the ChainLock site. If you want a deeper look at how it works, check out the accompanying walkthrough. The walkthrough will guide you through installing and using ChainLock.

You can check this video to see Chainlock in action:

With this tool we want to give the community a new technique to ensure their important files are kept safe. We hope you find it useful.

DIARIO Already Detects “Stomped” Macros, But What Are They Exactly?

Innovation and Laboratory Area in ElevenPaths    1 October, 2020

A few weeks ago, we presented DIARIO, the malware detector that respects the privacy of users, and we continue to improve it so that it detects more and better. We recently added the ability to detect malware in office documents whose macros use a technique known as VBA stomping. What is this technique about and why is it so important?

We already know that emails with attachments are one of the most popular entry routes for malware, specifically office type attachments. This is largely possible due to the ability to program code into office document macros. There are several reasons why this technique is still in use two decades after it was first introduced:

  • Macros are easy to hide.
  • Macros are legitimate. Even if they are disabled by default, it is easy for the user to enable them.
  • Emulating them in a sandbox is more complex.
  • They are sent by email, so usually they are only analysed statically.
  • The user does not think that a document or spreadsheet can be dangerous.
  • It is still a very lucrative route for cyberattackers.

And even though so much time has gone by, innovation in this technique is still going on. The stomping technique is proof of that. First, let’s see what a “recent” macro consists of. We will find a binary file, with the extension .bin, inside the .zip file that documents now are, at least in the most recent versions of Office.

The first thing to bear in mind is that in this .bin file there are no macros as such, but a whole system ready to be compiled and executed by Office itself. Yes, it can be compared to any project carried out with Visual Studio, where we have the source code, the definitions, the compiled code… The Office system in use, such as Word or Excel, has an engine for compiling and executing this code.

In fact, within this .bin file, we can find the following (if we analyse it with the appropriate tools):

  • PROJECT: a stream (file) that acts as the configuration file.
  • _VBA_PROJECT: a stream with instructions for the VBA engine. Not documented.
  • dir: a compressed stream that holds the layout of the project.
  • Module streams of the type VBA/ThisDocument/NewMacros/…/__SPR_1/Module1, which contain the code to be executed. Each code module is in turn composed of the PerformanceCache and the CompressedSourceCode, which is the compressed source code of the macro.

What is all this for?

This serves Microsoft’s obsessive backward compatibility. Let’s imagine that we create a document with macros in a recent version of Office, for example Word 2016. We create the macro and it is compiled into the system, but the source code is also stored with it. The person who receives the document may have Office 2016, in which case, in order to go faster, the compiled macro will be executed directly. But what if the document is opened with Word 2003? Then, for compatibility, it must take the VBA source code of the macro, compile it in its own engine and run it. This is why we find the source code of the macros “in the clear” in the documents.

Historically, this has been an advantage for those who analyse this type of malware: they can access the code effortlessly and analyse it more easily, etc. Antiviruses have relied on this source code even to classify samples. However, someone thought that the document could still be infected if the compiled code was kept but the source code was deleted. And it was indeed. This technique of deleting the source code is VBA stomping, and allows malware to go unnoticed with little impact on its ability to infect. Only those users with unsupported or very old VBA engine versions (Office versions after all) would be spared from the infection.
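
To make the two halves of a module stream concrete, the following added example (not DIARIO's detection logic nor code from the original post) splits a stream at the source offset, decodes the CompressedSourceCode with the MS-OVBA container decompression, and reports whether any source statements remain next to the PerformanceCache. The function names, the literal-only packer and the two module streams are constructed for the illustration, and reading the offset from the dir stream and extracting streams from the .bin file are left out.

```python
"""Split a VBA module stream into its two halves and check whether source survives."""


def decompress(container):
    """Decode an MS-OVBA CompressedContainer, the encoding of CompressedSourceCode."""
    if not container or container[0] != 0x01:
        raise ValueError("missing container signature byte 0x01")
    out, pos = bytearray(), 1
    while pos + 2 <= len(container):
        header = int.from_bytes(container[pos:pos + 2], "little")
        if (header >> 12) & 0b111 != 0b011:
            raise ValueError("bad chunk signature")
        end = min(pos + (header & 0x0FFF) + 3, len(container))
        pos += 2
        if not header & 0x8000:                # flag clear: chunk holds raw bytes
            out += container[pos:end]
            pos = end
            continue
        chunk_start = len(out)
        while pos < end:
            flags = container[pos]
            pos += 1
            for bit in range(8):
                if pos >= end:
                    break
                if not (flags >> bit) & 1:     # literal token: one byte as-is
                    out.append(container[pos])
                    pos += 1
                    continue
                if pos + 2 > end:
                    raise ValueError("truncated copy token")
                token = int.from_bytes(container[pos:pos + 2], "little")
                pos += 2
                done = len(out) - chunk_start  # bytes already decoded in this chunk
                bits = max((done - 1).bit_length(), 4)
                length = (token & (0xFFFF >> bits)) + 3
                offset = (token >> (16 - bits)) + 1
                if offset > done:
                    raise ValueError("copy token points before the chunk")
                for _ in range(length):        # byte-wise: source may overlap target
                    out.append(out[-offset])
    return bytes(out)


def pack_literals(data):
    """Encode data with literal tokens only; used to build the constructed samples."""
    body = bytearray()
    for i in range(0, len(data), 8):
        body += b"\x00" + data[i:i + 8]        # flag 0x00: up to eight literals follow
    if not 0 < len(body) <= 4096:
        raise ValueError("sample must fit one chunk")
    header = 0xB000 | (len(body) + 2 - 3)      # compressed flag | signature | size - 3
    return b"\x01" + header.to_bytes(2, "little") + bytes(body)


def inspect_module(stream, text_offset):
    """text_offset: start of CompressedSourceCode, recorded per module in the dir stream."""
    cache, packed = stream[:text_offset], stream[text_offset:]
    try:
        source = decompress(packed).decode("latin-1")
    except ValueError as exc:
        return {"cache_bytes": len(cache), "code_lines": None,
                "flag": f"unreadable source: {exc}"}
    # Attribute lines and comments are not executable statements.
    code = [line for line in source.splitlines()
            if line.strip() and not line.lstrip().startswith(("Attribute ", "'"))]
    if code:
        flag = "source present"
    elif cache:
        flag = "compiled cache without source"
    else:
        flag = "empty module"
    return {"cache_bytes": len(cache), "code_lines": len(code), "flag": flag}


# Constructed samples: the cache bytes are opaque filler, not real compiled VBA.
FAKE_CACHE = bytes(range(256)) * 3
NORMAL_SOURCE = (b'Attribute VB_Name = "Module1"\r\n'
                 b"Sub AutoOpen()\r\n"
                 b'    MsgBox "hello"\r\n'
                 b"End Sub\r\n")
STOMPED_SOURCE = b'Attribute VB_Name = "Module1"\r\n'  # statements removed, cache kept
NORMAL_MODULE = FAKE_CACHE + pack_literals(NORMAL_SOURCE)
STOMPED_MODULE = FAKE_CACHE + pack_literals(STOMPED_SOURCE)

if __name__ == "__main__":
    for name, module in (("normal", NORMAL_MODULE), ("stomped", STOMPED_MODULE)):
        print(name, inspect_module(module, len(FAKE_CACHE)))
```

A module that genuinely holds no code, such as an untouched ThisDocument, produces the same flag, so the result is a triage signal per module; confirming stomping means comparing the compiled code itself with the source.
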

The Evil Clippy tool already exists, capable of facilitating VBA stomping and automating all the necessary processes.

As can be seen, DIARIO already detects this type of document and displays the code even if this technique has been used:

Internet of Things… Archaeological Sites

Paloma Recuero de los Santos    1 October, 2020

At the end of 2019, according to IoT Analytics, there were already 9.5 billion connected devices for consumers, businesses and scientists. The forecast for 2025 is three times this figure because the formula: large volumes of data + analysis + expert knowledge in one domain is useful … for almost anything. From managing devices in the home to controlling pollution or traffic in cities to using water more efficiently in agriculture or helping to control the spread of a virus. In today’s post, we will see how it can also be used to protect our archaeological treasures, with a world-famous example: The Valley of the Kings in Egypt.

IoT Solutions for Geology: Catastrophe Prevention 

Normally, IoT solutions for Geology monitor the natural environment to predict and prevent natural disasters. Thus, there are solutions aimed at predicting overflows in rivers, subsidence in tunnels, or earth movements. Other applications are aimed at understanding the impact of climate change on the stability of certain rock formations.

The importance of this study is evident when these “rock formations” are part of one of the most important archaeological sites in the world, such as the Valley of the Kings, located on the outskirts of Luxor, on the banks of the Nile. The Valley of the Kings is an ancient Egyptian necropolis where the tombs of most of the pharaohs of the New Empire are located. Among them, the best known is KV62, the tomb of Tutankhamun (c. 1342 – c. 1325 BC), discovered by Howard Carter in 1922.

To guarantee the best conservation of the tombs and the safety of the millions of tourists who visit them every year, it is essential to control the stability of the limestone formations that surround the valley, and which can be impacted by both seismic and meteorological phenomena.

The Valley of the Kings project

To find out more, a team from York University (Canada), the Department of Earth Sciences at the ETH Zurich and the University of Basel carried out a study on the stability of the rocky cliff above tomb KV42.

The researchers developed mathematical modelling of the behaviour of the rock, analysing factors such as moisture absorption, volume changes due to temperature changes, displacements/fractures caused by small seismic movements or torrential rainfall etc.

The role of IoT sensors

The researchers installed a set of IoT sensors to monitor the rock and its environment and generate the data to train the model. In particular, a Plug & Sense Smart Agriculture Pro weather station from one of our partners, the company Libelium, was installed. The station allows the measurement of wind speed and direction, rainfall volume, solar radiation, temperature (air and rock), and degree of humidity. Additional sensors were added to the station, which is powered by solar energy:

– A dendrometer, to measure how tree growth influences the opening of the fracture

– A seismometer

Figure 1: Sensors monitoring the crack (source)

The sensors record data every 15 minutes, store it in memory and then send it to a remote server via a cellular network (3G/4G).

In this way, the impact of erosion on the crack can be controlled, and an early warning can be generated in the event of a risk of fracture, thus ensuring the preservation of the historical heritage site and the safety of visitors.

Conclusion

Technologies for monitoring cracks in solid materials are becoming increasingly important, not only in historical sites but also in any other type of natural or human structures due to the negative impact on them of phenomena related to climate change.

References: Alcaino-Olivares, Rodrigo & Perras, Matthew & Ziegler, Martin & Maissen, Jasmin. (2019). Cliff stability at tomb KV42 in the Valley of the Kings, Egypt: A first approach to numerical modelling and site investigation.

Original Post in Spanish Translated By: Patrick Buckley.


Has the Office as We Know It Come to an End?

Miguel Ángel Martos    30 September, 2020

2020 has had a difficult start. We have learned that what was “usual” may not be the best. We should reconsider this idea of “the office” as the centre of the company. This crisis may be the key to showing that a physical office building is a thing of the past, especially when remote working can be the guarantee for business continuity.

In times of crisis, technology allows us to work from anywhere and on any device. We are witnessing a change of focus towards a model of distance working driven by need and by companies seeking to take advantage of its potential benefits. But while workers think that remote working is an obvious thing nowadays, we still need a cultural change in the way companies think about remote working.

Remote working forces companies and employees to change. There are two areas where change stands out because of its impact on people: personal and collective interaction and security. Some fear that remote working may kill the corporate culture. It is not uncommon for someone to tell us that “being in the office is key to collaboration and boosting corporate culture” or “I love coming to the office to see my colleagues”.

In many companies it is quite normal to go out in groups for breakfast. It allows us to enjoy the social aspect of work and the culture of chatting with our colleagues. But does that help us to be more efficient? People think that work is more effective if we do it together, and that is completely true. However, corporate culture is developed through strong principles adopted by management and employees. The interaction and execution of these principles take place both remotely and in the office, especially when excellent collaboration tools are used, such as O365, Slack, Zoom, etc.

  • Physical security: when you enter the office, the company provides a “safe” environment: it controls access to the building, the climate, spaces, etc. Working from home lets you control your own environment and maintain motivation and efficiency when working. It also protects you in a crisis where it is not advisable to be close to each other in the same room.
  • Technical security: the company also provides tools and services necessary to carry out our work. It ensures (hopefully) access to its information and services, such as e-mail, file sharing, applications, Internet, etc.

The methods focus on offering the highest possible degree of security, controlling access and connections and providing visibility of what is happening when interacting with corporate applications. It is becoming essential for companies to be able to protect their services, applications and the data residing within them from today’s threats, which, for their part, have also taken advantage of the circumstances and increased in number. However, in a constantly developing world, the tools and resources available to implement security from within and outside the workplace are also improving and adapting to the new conditions of decentralised and distributed environments.

Where We Are Headed: Remote Work, Zero Trust and SASE

Companies must apply two key models to protect remote work: Secure Access Service Edge (SASE) and Zero Trust. Both models are based on direct connectivity. They offer fast and secure routes to access any application.

In the previous model (over 30 years old now), a secure perimeter protected the data centre, applications and data from external threats. With cloud applications, the Internet of Things (IoT) becoming more common and users connecting from many locations, this previous model is no longer sustainable and not as secure. How could a perimeter around data be applied outside the corporate network?

Secure Access Service Edge (SASE) specifically addresses the security reality faced by organisations choosing the cloud. SASE secures the traffic between the user and the application. It is the journey and not the goal that is most important. With the SASE model, digital enterprises can provide security at all times, wherever the user’s location is, without complex and costly hardware stacks of security devices that require constant maintenance and updating.

Zero Trust provides a unique and simple access model for users, regardless of where they are and what they are trying to access. This is critical, as companies quickly transfer employees to remote work environments. Using the principle of zero trust allows companies to isolate and segment who has access to what. There are no more shared spaces, each access must be validated before it is enabled. Connections are ephemeral: the user and the application connect only for a specific communication and nothing else.

Telefónica’s ElevenPaths enhances its global IoT security capabilities with Subex

ElevenPaths    30 September, 2020
  • This collaboration enables the offering of IoT Threat Detection, an incident monitoring and response service for IoT environments.
  • This solution has the capability of learning and modelling the legitimate behaviour of IoT devices through traffic analysis and the implementation of Machine Learning techniques to detect anomalies and potential cybersecurity incidents.

ElevenPaths, Telefónica’s Cybersecurity Company, takes a further step in protecting IoT and converged environments with the signing of a global partnership agreement with Subex aimed at offering the IoT Threats Detection service worldwide. This monitoring and incident response service will leverage Machine Learning and specific IoT/OT threat intelligence techniques to profile the behaviour of IoT devices and associated networks, thereby making it possible to detect and respond to anomalies or cyberattacks that may affect the different end-to-end elements in IoT (devices, communication network, or service platforms).

The service is fed by a global network of honeypots (“decoy” systems designed to be the target of an attack in order to detect it and obtain more information) specialised in IoT/OT. This network is distributed throughout the world in over 60 locations and covers more than 500 different system architectures, processing on average 10 million sophisticated cyberattacks every day.

Telefónica’s extensive experience in network management enables access to traffic information that will later be analysed using Subex’s capabilities. Moreover, customers can receive all the benefits of a managed service through Telefónica’s operations expertise, relying on the ElevenPaths SOC (Security Operations Centre), which has locations in eleven centres on the planet and is supported by experts specially trained in this technology.

IoT Threat Detection addresses several pressing IoT challenges:

  • Increased discoverability and visibility of the IoT devices that are part of the infrastructure as well as the organisations’ services, to gain an understanding of their legitimate behaviour.
  • Holistic protection of organizations, where IoT devices must be seen as an increasingly significant part of the whole infrastructure to be protected. Most of the time, these elements may be the weakest link due to their dispersion, their physical accessibility, and the absence or deficiency of security controls.
  • The need to have solutions capable of scaling to the dimensions required by IoT infrastructures, as well as having sources and mechanisms to generate specific cyberintelligence in this field that guarantees the effectiveness and reliability of the detection systems.

Among the many benefits of this service, being an agentless solution, it removes the need to install software on the IoT devices. Given the scale intrinsic to IoT and the limited resources associated with many of these devices, this factor constitutes a great advantage. Also, as the analysis is performed over a copy of the traffic, the solution does not impact the original traffic of the IoT service or its SLAs at any time.

The vast majority of our customers from almost any sector we focus on have launched − or will launch in the short term − projects and initiatives where IoT technologies are the key. While the possibilities in terms of new services and efficiency improvements are huge, they also mean greater exposure to security risks that need to be properly managed. This agreement with Subex allows us to provide a best-in-class monitoring and incident response service for IoT environments.


Alberto Sempere, Product and Go-To-Market Director at ElevenPaths

Our partnership with ElevenPaths is built around affording businesses a new class of enterprise security that spans environments, devices, cybersecurity strategies, and regional and global threats to deliver true cyber-resilience that is deep, robust and sustainable.  We are excited by the possibilities that this alliance brings forth specifically in areas such as jointly equipping businesses to deal with the existing and emerging cyber threats with a high level of confidence and assurance.


Kiran Zachariah, VP Digital Security at Subex

Press release

New TheTHE Version with URLScan and MalwareBazaar Plugins

Innovation and Laboratory Area in ElevenPaths    29 September, 2020

An IoC lands in your hands for the first time. Let’s say it is a hash, URL, IP or a suspicious domain. You need to know some basic information. Is it malware? Is it in a repository? Since when? Whois? Country of origin? Is it in pastebin? Now, with the new version, it is even easier.

You start opening tabs, entering passwords in the different services, and the querying begins. Hopefully you have an API key shared with a colleague and, after checking several systems, you open a TXT file to pass the information to the intelligence platform. Your colleague, with whom you share these API keys and passwords but who is elsewhere in the world, does the same because he has also received the same IoC. With TheTHE, this is over.

What’s New?

We have worked to substantially improve the tool. Some of these interesting improvements are the following:

  • We have added a global search for IoCs: it is now possible to search for any IoC that is in TheTHE from a search engine whose functionality will be extended with new features.
  • We have improved the project selection interface: it now includes additional information and it is possible to sort the list in many different ways.
  • We have created a new labelling manager that includes the creation of tags with icons. In addition, it is now possible to delete a created tag and propagate the changes through the system.
  • Now the installer (install.sh) will ask you for the system variables you want to set if it does not detect the presence of an .env file with the variables needed to start the environment.
  • We have created an IoC scanner that detects and extracts IoCs from the results of the plugins. In addition, it is now possible to delete IoCs we are not interested in from the list of detected IoCs.
  • The following plugins are added with their respective views in the interface: URLScan and MalwareBazaar.

The Threat Hunting Experience 

We introduced this tool at Black Hat 2019 in London, where it was very well received by its target audience: researchers, SOCs, Threat Hunting teams, security companies, CERTs, etc. TheTHE is a free and open environment designed to help analysts and hunters during the early stages of their work to make it easier, faster and more unified. One of the biggest problems when conducting hunting or IoC (Indicators of Compromise) research is dealing with the initial collection of such a large amount of information from so many sources, both public and private.

All this information is usually dispersed and sometimes even volatile. Perhaps at some point there is no information about a certain IoC, but this situation can change in a matter of hours and become crucial for an investigation. Based on our experience in Threat Hunting, we have created this free and open source framework to make the first stages of the investigation simpler:

  • The IoCs are yours: they do not leave your platform and are not shared.
  • Free and open: dockerised and totally yours.
  • Client-server architecture: the research can be shared with your team.
  • The results are cached so that no API requests are wasted.
  • Feed your Threat Intelligence Platform better: TheTHE makes previous research faster and easier.
  • Easy Plugins: Anything you need is easily embedded in the interface.
  • Ideal for SOCs, CERTs and any team.
  • API keys are stored in a database and can be shared by a team from a single point.
  • Automation of tasks and searches.
  • Fast processing of multi-tool APIs.
  • Unification of information in a single interface: so that screenshots, spreadsheets, text files, etc. are not dispersed.
  • Periodic monitoring of an IoC in case new information or movements related to it appear (available in future versions).

TheTHE has an interface where the analyst enters the IoCs that will be sent to the backend. The system will automatically search those resources (through plugins) in several already configured platforms to obtain uniform information from different sources and access to related reports or existing data.

Adversarial Attacks: The Enemy of Artificial Intelligence (II)

Franco Piergallini Guida    28 September, 2020

In Machine and Deep Learning, as in any system, there are vulnerabilities and techniques that allow an attacker to manipulate the system’s behaviour at will. As we discussed in the first part of this article on Adversarial Attacks, one of these techniques is adversarial examples: inputs carefully generated by an attacker to alter the response behaviour of a model. Let’s look at some examples:

The simplest one dates back to the early days of spam detection. Standard classifiers like Naive Bayes were very successful against emails containing texts like: Make rapid money! Refinance your mortgage, Viagra… As these were automatically detected and classified as spam, the spam generators learned to trick the classifiers by inserting punctuation, special characters or HTML code such as comments or even fake tags. So they started using “disguises” like: v.ia.g.ra, Mα∑e r4p1d mФn €y!…

And they went further: once the classifiers had solved this problem, the attackers invented a new trick. To evade the classifiers that relied on text analysis, they simply embedded the message in an image.

Picture 1: Adversarial examples Ebay

Several countermeasures were quickly developed, based on hashes of images known to be spam and on using OCR to extract text from images. To evade these defences, attackers began applying filters and transformations with random noise to the images, making the task of recognizing characters in the images quite difficult.

Picture 2: Random noise

As in cryptography, we find ourselves in an endless game where defence techniques and attack techniques are constantly found. Let’s stop at this point.

Image Classification and Adversarial Attacks

In the classification of images, the attackers learned how to meticulously and strategically generate white noise, using algorithms to maximize the impact on neural networks and go unnoticed by the human eye. In other words, they achieve a stimulation in the internal layers of the network that completely alters their response and prevents them from being processed intelligently.

One of the reasons these types of attacks exist for images is the dimensions of the images and the infinite possible combinations that a neural network can have as an input. While we can apply techniques such as data augmentation to increase both the size and variety of our training data sets, it is impossible to capture the great combinatorial complexity involved in the actual space of possible images.

But how is this white noise generated? First, we will formulate the adversarial examples mathematically, from the perspective of optimization. Our fundamental objective in supervised learning is to provide an accurate mapping from an input to an output by optimizing some parameters of the model. This can be formulated as the following optimization problem:

$$\min_{\theta} \; \mathrm{loss}(\theta, X_i, Y_i)$$

This is typically known as neural network training. To perform this optimization, algorithms such as stochastic gradient descent are used, among others.

A very similar approach can be used to get a model to misclassify a specific input. To generate an adversarial example, we use the parameters to which the network converged after the training process and optimise over the possible input space. This means that we look for a perturbation that can be added to the input and maximizes the model’s loss function:

$$\max_{\delta \in \Delta} \; \mathrm{loss}(\theta, X_i + \delta, Y_i)$$

Toy Example

Let’s think for a moment about a simple example where we have a linear regression neuron, with a 6-dimensional input:

[Image: image-36.png]

After the training process, it converged to the following weights: W=(0,-1,-2,0,3,1), b=0. Given the input:

[Image: image-40.png]

The neuron will output:

[Image: image-41.png]

So how do we change x → x* so that y(x*) changes radically but x* ≅ x? The derivative ∂y/∂x = W^T tells us how small changes in x impact y. To generate x* we add a small perturbation εW^T, with ε = 0.5, to the input x:

[Image: image-42.png]

And if we do forward propagation to our new x* input, if we are lucky, we will notice a difference from the output provided by the model for x.

[Image: image-43.png]

Indeed, for the input x* we get 6.5 as output, whereas for x we had -1. This technique (with some minor differences from the toy example we have just seen) is called the fast gradient sign method and was introduced in 2015 by Ian Goodfellow in the paper entitled Explaining and Harnessing Adversarial Examples.
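The toy example can be checked numerically. The following is an added example, not code from the original article: W, b and ε are the article's values, while the input x is constructed by hand (the article's own x was in an image that is not available here) so that the neuron outputs -1. It goes one step beyond the toy case by comparing the article's step with the sign-based step that the fast gradient sign method uses.

```python
# Toy linear neuron from the article: y = W . x + b
W = [0, -1, -2, 0, 3, 1]   # weights after training (from the article)
B = 0                      # bias (from the article)
EPS = 0.5                  # perturbation size (from the article)

# Constructed input: the article's x is not recoverable, so this one is
# chosen by hand such that forward(X) == -1, matching the article's output.
X = [1, 2, 1, 0, 1, 0]


def forward(x, w=W, b=B):
    """Output of the linear neuron."""
    return sum(wi * xi for wi, xi in zip(w, x)) + b


def input_gradient(w=W):
    """dy/dx for a linear neuron is just W, whatever the input is."""
    return list(w)


def gradient_step(x, eps=EPS):
    """The article's perturbation: x* = x + eps * W^T."""
    return [xi + eps * g for xi, g in zip(x, input_gradient())]


def sign_step(x, eps=EPS):
    """FGSM-style perturbation: x* = x + eps * sign(dy/dx)."""
    return [xi + eps * ((g > 0) - (g < 0)) for xi, g in zip(x, input_gradient())]


def linf(x, x_adv):
    """Largest change applied to any single input coordinate."""
    return max(abs(a - b) for a, b in zip(x, x_adv))


def compare(x=X):
    """Output and L-infinity distortion for both perturbations."""
    return {name: (forward(adv), linf(x, adv))
            for name, adv in (("gradient", gradient_step(x)),
                              ("sign", sign_step(x)))}


if __name__ == "__main__":
    print("clean output:", forward(X))
    for name, (y, dist) in compare().items():
        print(f"{name:8s} output={y:5.1f}  max per-coordinate change={dist}")
```

The article's step reaches 6.5 but moves one coordinate by 1.5, while the sign step keeps every coordinate within ε = 0.5 and still shifts the output from -1 to 2.5. That per-coordinate bound is the budget against which robustness tests for this kind of perturbation are usually stated.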

Future Adversarial Examples: Autonomous Cars

Adversarial examples are an innate feature of all optimisation problems, including deep learning. But if we go back about 10 years, deep learning did not even do a good job on normal, unaltered data. The fact that we are now searching and investigating ways to “hack” or “break” into neural networks means that they have become incredibly advanced.

But can these attacks have an impact on the real world, such as the autopilot system in a car? Elon Musk gave his opinion in Lex Fridman’s podcast, assuring that these types of attacks can be easily controlled. In a black-box environment, where attackers do not have access to the internal details of the neural network such as architecture or parameters, the probability of success is relatively low, approximately 4% on average. However, Keen Labs researchers have managed to generate adversarial examples that altered the behaviour of the Tesla car’s autopilot system. Furthermore, in white-box environments, adversarial examples could be generated with an average success rate of 98% (An Analysis of Adversarial Attacks and Defences on Autonomous Driving Models). This implies a high susceptibility in open-source self-driving projects such as comma.ai, where the architecture and parameters of the models are fully exposed. Waymo, a developer of autonomous vehicles belonging to the Alphabet Inc. conglomerate, makes available a range of high-resolution sensor data collected by its cars in a wide variety of conditions, in order to help the research community move forward on this technology. This data could be used to train a wide variety of models and generate adversarial attacks that in some cases could have an effect on the networks used by Waymo due to transferability, a property of neural networks whereby two models rely on the same features to meet the same objective.

We must mention that there is a big gap between fooling a model and fooling a system that contains a model. Many times, neural networks are just another component in an ecosystem where different types of analysis interact in decision making. In the case of autonomous cars, under an adversarial attack the decision to reduce speed because the front camera analysis detected a possible nearby object may not agree with the data obtained from another component such as a LIDAR. But in other types of decision making, such as analysing traffic signs, only video analysis may be involved, and an attack could have a really dangerous effect by converting a stop sign into, for example, a 50 kilometres speed limit sign.

Picture 4: Stop signal

This technique undoubtedly constitutes a latent threat to the world of deep learning. But that is not all, since there are other types of attacks for each of the stages in the machine learning pipeline that an attacker can take advantage of:

  • Training stage: poisoning of the data set.
  • Learned parameters: parameter manipulation attacks.
  • Inference stage: adversarial attacks.
  • Outputs Test: model theft.
