Analysis of APPs Related to COVID19 Using Tacyt (I)

Andrés Naranjo    Amador Aparicio    15 September, 2020

Taking advantage of all the attention this issue is attracting, the official app markets, Google Play and the Apple Store, have been flooded daily with applications. Both platforms, especially Android, have already restricted the publication and search of terms such as “covid” or “coronavirus”: Google has declared war on those who try to exploit fear to win downloads. Currently, only apps belonging to official government bodies remain on Google Play.

For this rapid analysis we will use ElevenPaths’ Tacyt tool, a mobile cyberintelligence ecosystem whose Big Data infrastructure monitors, stores, analyses and correlates thousands of new applications every day, and which lets us collate and compare that information through simple queries.

One of the advantages Tacyt offers is that every application is accessible regardless of location, whereas Google Play only shows results for our own country, according to the availability set by the developer. We go to the official Google Play repository in Spain and search for apps related to COVID19.

Official Apps in Spain accessible in Google Market (10 altogether)

This is nothing like the number of applications found in any unofficial market:

Apps found in APTOIDE, an alternative market using the term: “coronavirus”

As with other markets, Aptoide does not directly serve the app we requested but a “downloader” through which the actual download is then requested. This is easy to spot because the file size of every download is exactly the same:

Downloaded Apps through APTOIDE

In fact, we can easily confirm this in Tacyt when uploading these applications: it detects them as a single app with an identical hash:

This is because Tacyt not only includes its own application discovery and download drivers; through the upload function (via web or API), the user can also upload applications to be analysed. These appear labelled as “userUpload” and can be tagged with our own labels (as in the image: the author of the upload or the market it was downloaded from).

This upload function can be very useful to detect altered versions of our legitimate applications in unofficial markets, for example, from a bank. Tacyt includes a button on the interface to compare applications.

In any case, we do not miss the opportunity to strongly discourage the installation of applications from unofficial sources.

Google Play Search Using Tacyt for COVID19 Related Apps Since the Beginning of the Pandemic

We will focus the research on Google Play. The filters are combined to form the following search in Tacyt. As with the usual composite queries (dorks) in Google search, they are easy to read:

((packageName:*covid19*) OR (packageName:*coronavirus*)) AND (origin:"GooglePlay") AND (createDate:"2020-03-14 00:00:00 - today")

“Dorking” to search using Tacyt apps in Google Play related to COVID-19 published since the beginning of the alarm state

Tacyt’s response to the previous search:

Apps related to COVID-19 published overseas in Google Play

We now search with Tacyt for unofficial apps related to COVID19 published since the official start date of the pandemic. For this task, we can use the ORIGIN parameter with a negation to exclude everything whose origin is the official market, for example -origin:GooglePlay.

((packageName:*covid19*) OR (packageName:*coronavirus*)) AND (-origin:GooglePlay) AND (createDate:"2020-03-14 00:00:00 - today")

Unofficial apps published since the beginning of the pandemic

As an example, we look at the permissions of the app with package name “coronavirus.tracker.news” and do a quick scan.

The following permissions are suspicious (we only comment on permissions that differ from those of the “normal” official apps and that can affect privacy or security):

  • android.permission.CHANGE_WIFI_STATE: allows the APP to change the state of Wi-Fi connectivity.
  • android.permission.INTERNET: allows the APP to open network connections.
  • android.permission.WRITE_EXTERNAL_STORAGE: allows the APP to write in the external storage of the device.
  • android.permission.READ_EXTERNAL_STORAGE: allows the APP to read on the external storage of the device.
  • android.permission.WAKE_LOCK: allows you to use PowerManager WakeLocks to prevent the processor from going into sleep mode or the screen from getting dark.
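To make the two searches above and the permission triage concrete, here is an added example in Python. It is not Tacyt code: the inventory is a constructed sample shaped like a hypothetical export (package names, hashes and dates are made up), the query semantics (wildcard on the package name, origin match or exclusion with a leading minus, and a creation-date range) are an assumed approximation of the dorks shown on the page, and the baseline set of “normal” permissions is an assumption of this example. It also groups apps that share an identical hash, which is how the downloader stubs from an alternative market show up.

```python
"""Added example (not Tacyt code): filter an app inventory the way the two
dorks on the page do, flag permissions outside an assumed baseline and
group apps that share an identical hash."""
from datetime import datetime
from fnmatch import fnmatchcase

# Constructed sample inventory, shaped like a hypothetical Tacyt export.
# Package names, hashes and dates are made up for this example.
APPS = [
    {"packageName": "es.example.covid19.official", "origin": "GooglePlay",
     "createDate": "2020-07-20 10:00:00", "sha256": "aaa111",
     "permissions": {"android.permission.INTERNET",
                     "android.permission.BLUETOOTH"}},
    {"packageName": "coronavirus.tracker.news", "origin": "Aptoide",
     "createDate": "2020-04-02 08:30:00", "sha256": "bbb222",
     "permissions": {"android.permission.INTERNET",
                     "android.permission.CHANGE_WIFI_STATE",
                     "android.permission.WRITE_EXTERNAL_STORAGE",
                     "android.permission.READ_EXTERNAL_STORAGE",
                     "android.permission.WAKE_LOCK"}},
    {"packageName": "com.example.covid19.stats", "origin": "GooglePlay",
     "createDate": "2020-02-10 12:00:00", "sha256": "ccc333",
     "permissions": {"android.permission.INTERNET"}},
    # Same bytes as the tracker above: what a downloader stub looks like.
    {"packageName": "com.example.weather", "origin": "Aptoide",
     "createDate": "2020-05-01 12:00:00", "sha256": "bbb222",
     "permissions": {"android.permission.INTERNET"}},
]

# Assumed baseline: permissions treated as ordinary for an official
# information app. Anything outside it deserves a closer look.
BASELINE = {"android.permission.INTERNET",
            "android.permission.ACCESS_NETWORK_STATE",
            "android.permission.BLUETOOTH"}

PANDEMIC_START = datetime(2020, 3, 14)  # createDate lower bound used on the page


def search(apps, name_patterns, origin, exclude_origin=False,
           since=PANDEMIC_START, until=None):
    """Approximates ((packageName:*a*) OR (packageName:*b*))
    AND (origin:X | -origin:X) AND (createDate:"since - until")."""
    until = until or datetime.now()
    hits = []
    for app in apps:
        name_ok = any(fnmatchcase(app["packageName"], p) for p in name_patterns)
        origin_match = app["origin"] == origin
        origin_ok = (not origin_match) if exclude_origin else origin_match
        created = datetime.strptime(app["createDate"], "%Y-%m-%d %H:%M:%S")
        if name_ok and origin_ok and since <= created <= until:
            hits.append(app)
    return hits


def suspicious_permissions(app, baseline=BASELINE):
    """Permissions requested by the app that are outside the baseline."""
    return sorted(app["permissions"] - baseline)


def duplicate_hashes(apps):
    """Group package names that share an identical hash."""
    by_hash = {}
    for app in apps:
        by_hash.setdefault(app["sha256"], []).append(app["packageName"])
    return {h: names for h, names in by_hash.items() if len(names) > 1}


if __name__ == "__main__":
    patterns = ["*covid19*", "*coronavirus*"]
    for app in search(APPS, patterns, "GooglePlay", exclude_origin=True):
        print(app["packageName"], suspicious_permissions(app))
    print(duplicate_hashes(APPS))
```

The official search returns only the app created after 14 March 2020; the unofficial search (origin excluded) returns the tracker, whose five extra permissions are exactly the ones listed above.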

For any investigation, we can load apps in batches into Tacyt, then search for them using a custom label and locate, for example, the suspicious permissions described above:

Likewise, we could have used the certificate expiry date (sometimes suspiciously long), API keys, text strings or email addresses associated with malware, and so on.

We will see in the next part some more information about the findings.

Barriers to IoT adoption

Beatriz Sanz Baños    15 September, 2020

Internet of Things is constantly growing. There are more and more objects in our familiar environments that work connected through the network. It makes our everyday activities easier in all areas of our lives: work, family and it also increases the time that we can dedicate to leisure.

There are more and more objects in our familiar environments that work connected

Beyond its success, and like any technology in evolution, Internet of Things has to face important challenges to continue expanding to all sectors of society. Next, we expose some of the existing barriers for its adoption.

Security

Guaranteeing the privacy of confidential data needs to be an absolute priority, since this technology connects numerous devices that store sensitive personal information. In order to deal with this issue, the equipment manufacturers, as well as software designers and connectivity providers, have to implement strict security requirements when launching new IoT solutions.

Integration

Another challenge facing IoT is its integration with existing technology. All types of devices must modify their architecture to work connected to the cloud and, in many cases, with other gadgets. This implies the implementation of more innovative and complex technology in everyday objects such as watches, washing machines, refrigerators, etc.

The transformation of analogue equipment into digital products that also meet current sustainable energy demands is a challenge. In addition, it must be taken into consideration that the integration of networks and devices with each other increases their interdependence. The existence of multiple interrelated elements makes the failure of only one of the nodes (electric current, Internet connection, components of the devices, etc.) affect the entire system.

Cost

Although in the long term spending on IoT technology is usually profitable for companies, it must be taken into account that many startups have serious difficulties raising the capital for the initial investment. Once it is made, however, the return is expected to be significant, since it amplifies business opportunities. Companies dedicated to manufacturing traditional analogue equipment also need to invest in media, training and personnel to carry out the IoT conversion.

The development of IoT produces an increase in productivity in work, domestic and public or management environments, which has a global benefit for society. In this sense, to promote its viability, the support of public institutions is necessary through financing plans for entrepreneurs in the R & D sector.

On the other hand, household products are not always affordable for everyone. In this sense, it is expected that the evolution of the industry will bring productive improvements that bring its benefits to all citizens.

Digital divide

Not all people have the same opportunities to access and use IoT applications. On one hand, there is a generational digital gap. We can find a great difference between digital natives, who have internalized the functioning of new technologies, and older people, who have joined the use of the Internet later.

There are millions of people in the world who have not received even minimal training in the use of Internet-connected devices and who would need training plans that are appropriate for them. The manufacturers of Internet of Things applications have to take into account this circumstance and develop intuitive systems for these consumers.

The world advances every day and we see how the old barriers are breaking down to make way for a digital and connected world. The increased implantation of technology at all levels and in all aspects of our life in our society is becoming a reality. Goodbye, analog world; Welcome, digital era.

To keep up to date with Telefónica’s Internet of Things area, visit our web site or follow us on Twitter, LinkedIn and YouTube.

What Do Criminals in the Ransomware Industry Recommend so that Ransomware Does Not Affect You?

Sergio de los Santos    14 September, 2020

We all know the security recommendations offered by professionals on malware protection. Frequently: use common sense (personally, one of the least applicable and most abstract pieces of advice that can be given), use an anti-virus, a firewall (?)… All of them good intentions that are not practical, much repeated yet not very effective. Users and companies still get infected. So, what if, for a change, we listen to the creators of ransomware themselves? Wouldn’t they most certainly have a more practical and realistic vision of what to do to avoid their own attack? What are their recommendations against their own selves?

First of all, a distinction must be made between homemade ransomware and professional ransomware. In the first case, the target is any random individual’s computer: anyone who does not apply the protection recommendations can be affected. The second is ransomware developed with a specific company as a target. The attackers will spend months planning the attack, probably weeks inside the network, and within minutes they will encrypt everything they can to ask for a multi-million ransom. And once affected, little can be done.

Garmin has recently paid and so has CWT, a US business travel and event management company that has just paid $4.5 million to decode its own data. The deal with the attacking negotiator has been by chat and has been made public. The transcription shows the management of any business between professionals. Let’s have a look at the recommendations that the “bad” negotiator made to the CWT representative and analyse the effectiveness.

Anti-Ransomware Recommendations

It is worth stressing that these are recommendations from the attackers themselves in order to help large companies attacked by professional ransomware. Let’s check them out and analyse if they are suitable.

List of recommendations. Source: Twitter Jack Stubbs
  • Disable local passwords
    On systems and servers controlled by a Domain Controller, it is a good idea not to use local users and to rely on domain accounts. This improves traceability and reduces exposure. Good recommendation.
  • Force the end of administrators’ sessions
    When attackers are already at ease on the network, they will try to escalate to domain administrator and open sessions with it; otherwise they will not be able to encrypt everything important, including the backups. It is a good idea for these sessions to come to an end, to have an expiration date and to be fully monitored.
  • Avoid WDigest (Digest Authentication), used in LDAP, storing the passwords in memory
    The attacker here refers, in a veiled way and almost certainly, to Mimikatz and how it most likely recovers the domain administrator password and escalates privileges thanks to this tool. If a certain Windows value is set to zero, they will not be able to see the password in clear text and the elevation will be complicated for the attackers. Excellent recommendation.
  • Monthly password updates
    There is a lot of controversy about updating passwords. Users find it tedious to update their passwords monthly and end up writing them down or following a pattern. But for administrators (which is who the criminal is targeting) it makes sense. Attackers may spend more than a month on a network without revealing themselves, studying when it is the best time to launch the most effective attack. Changing passwords, which they have probably already figured out, can force them to rethink the attack and may undo much of their work. Interesting recommendation.
  • Reduce user permissions to access only the essential
    Well, this is a common recommendation. It also very probably refers to how attackers manage, starting from a simple user, to increase privileges thanks to negligence in the segmentation of permissions and privileges.
  • AppLocker and the use of only the necessary applications
    This is every network administrator’s dream: to have a whitelist of applications that users can run and block the rest. With AppLocker, already integrated in Windows, this would be enough. It works very well and allows you to limit by certificate, location, etc. Attackers would not be able to download their tools and launch them in order to increase privileges. It is an excellent measure, complex to implement yet not impossible.
  • Don’t count on anti-virus in the short term
    Well, unfortunately, we have already explained this on many occasions. Antivirus (as such) is not the best solution for early detection. “Don’t count on them”. Here, the attacker claims that anti-viruses could work in the long term, as something reactive. And unfortunately, he is right. Anti-viruses as such are a reactive element and that is where they work best: as a system for detecting and eradicating an infection when it has already occurred. To prevent, it is reasonable to use a much broader set of measures. Furthermore, he points out that the anti-virus is only useful if the attacker “for some reason does not attack in the short term”. He suggests that professional attackers are rarely impulsive. He adds that they take their time to analyse the victim and strike effectively.
  • Install an EDR (Endpoint Detection and Response) and have efficient technicians work with it
    An EDR is more than just an anti-virus: it is actually aimed at early detection, at analysing what is happening in the system in real time, beyond the traditional anti-virus signatures. And yes, that could be useful. But the subtle touch added by the attacker is interesting: not only that they use it but also that “the technicians work with it”. As with any software, there is no point in setting up the EDR if it is not properly configured, understood, worked on and monitored.
  • Work 24/7
    For large companies, the attacker recommends three eight-hour shifts for administrators, covering 24 hours a day. This means that attackers will most likely look for times when administrators are not working to launch attacks, lateral movements or privilege escalations. If they manage to do so without alarms being raised (and checked), then they can wipe out their tracks. So full shifts of “human surveillance” are important.

Conclusions

Bearing in mind that they have just charged $4.5 million for a ransom they themselves have provoked, the attacker undoubtedly belongs to a professional group that knows exactly what they are doing. The recommendations seem sincere and, although it may seem counterproductive, aimed at hindering their own work. Why reveal these tricks? They communicate it exclusively to their victim (who, let’s recall, has just paid) as an act of professionalism. They have completed a transaction between “professionals” for a service and so they give a “bonus” of information.

Like the plumber who, after fixing a pipe blockage, advises you before he leaves, while he is billing you, on how to prevent the sink from getting stuck again. No plumber would deny this little tip thinking he wasted opportunities by doing so. On the contrary, as a good professional, the attacker needs to generate confidence because the next time he attacks a big company and demands a few million, he wants them to know that paying is the best option to recover their data. Treat your present and future clients well… even if they are victims.

But even if these tips have been leaked, we assume that they don’t really mind. There are thousands of large companies out there who will not listen. Due to ignorance or lack of resources, who knows, but they will still be potential victims. Attackers can afford to give advice on how to stop them and still enjoy a sufficient attack surface to maintain a prosperous business.

Download our new guide created in partnership with Palo Alto to help you prepare, plan, and respond to Ransomware attacks

Cybersecurity Weekly Briefing September 5-11

ElevenPaths    11 September, 2020

Microsoft Patch Tuesday

Microsoft published on Tuesday its bulletin with updates for the month of September. In this bulletin a total of 129 vulnerabilities have been corrected in 15 of its products, of which 23 are considered critical, 105 important and 1 severe. Among the critical vulnerabilities, 11 stand out, which would allow remote code execution in Windows (CVE-2020-1252), in Microsoft SharePoint (CVE-2020-1200 / 1210 / 1452 / 1453 / 1576 / 1595) and Microsoft SharePoint Server (CVE-2020-1460), as well as in Microsoft Dynamics 365 (CVE-2020-16857, CVE-2020-16862) and Microsoft Exchange (CVE-2020-16875). For this last vulnerability, some users report that exploits may exist. It is recommended that the latest Microsoft patches are installed as soon as possible.

More details: https://portal.msrc.microsoft.com/en-us/security-guidance/releasenotedetail/2020-Sep

Emotet campaign in France

The French National Agency for Information Systems Security (ANSSI) issued an alert on Monday warning of increasing Emotet activity in France. Since its return to activity in July, after a five-month absence, Emotet has been distributed in phishing campaigns all over the world, and ANSSI has observed that in recent days these campaigns have paid special attention to companies and the French public administration. The alert issues a series of recommendations and means of detecting Emotet, due to the added risk this malware carries: once downloaded, it installs other Trojans like TrickBot or QakBot. The warning from the French authorities is in addition to those already issued by agencies in New Zealand and Japan regarding this same malware.

All the info: https://www.cert.ssi.gouv.fr/alerte/CERTFR-2020-ALE-019/

New impersonation of the Tax Office to distribute malware

The National Institute of Cybersecurity (INCIBE) has warned of a new malware distribution campaign via emails impersonating the Tax Agency (AEAT). The emails, distributed this Tuesday, are sent under the subject “AEAT – Notification Warning (random numbers)”. They inform the user of an alleged claim against their company for an undeclared invoice and state that within the next 3 days a representative of the Tax Office will make contact to arrange a meeting. The emails encourage the victim to open the attached Excel file (protected with the password AEAT), where more information about the claim can supposedly be found. When this file is opened, the user is prompted to enable its content, and at that point the Trojan is downloaded.

More: https://www.incibe.es/protege-tu-empresa/avisos-seguridad/campana-distribucion-malware-traves-email-suplanta-aeat

Cyber-attacks affecting the US presidential elections

In recent weeks Microsoft has detected a new wave of cyberattacks targeting the US presidential elections. These attacks come from foreign groups such as Strontium, Zirconium and Phosphorus.

  • Regarding Strontium (Russia), the Microsoft Threat Intelligence Center (MSTIC) has linked them to a newly discovered Office 365 credential-theft pattern aimed at US and UK organisations directly involved in the elections. Credential harvesting is a well-known technique used by Strontium to enable future surveillance or intrusion operations. Their activity has been monitored since April 2020 and, on this occasion, the group has used brute force and password spraying tools for the harvesting. Between September 2019 and June 2020, Strontium launched credential harvesting attacks against thousands of accounts in over 200 organisations. From 18 August to 3 September, the same attacks targeted 6,912 accounts belonging to 28 organisations. None of these accounts were successfully compromised.
  • Regarding Zirconium (China), their attacks have focused on prominent individuals in the international affairs community, as well as on campaign staff and candidates, with almost 150 email compromises achieved.
  • Finally, Phosphorus (Iran) has attempted to access the personal and work accounts of people directly and indirectly involved with the elections.

More: https://blogs.microsoft.com/on-the-issues/2020/09/10/cyberattacks-us-elections-trump-biden/

Cybersecurity and Pandemic (II)

Gabriel Bergel    10 September, 2020

We continue with the second part of this article in which we analyse the current situation in its three dimensions. Let’s remember that in the first part of the post we talked about the first dimension: people. Now we will develop the other two: cybersecurity and the pandemic.

Second Dimension: Cybersecurity

Strange as it may seem, it could be said that everything has already been hacked. If you don’t believe me, I invite you to check our cybersecurity research reports or visit the infographics from Information is Beautiful.

The latest DBIR 2020 report indicated that “times do not change”, since credential theft, social engineering attacks (phishing and email compromise) and human errors caused most of the security breaches in 2019 (67%). Employees working from home today could be particularly vulnerable to these attacks, so this is where we should focus prevention efforts.

I will also add a couple of additional facts: on the one hand, three years ago there was a cyberattack every 39 seconds; on the other hand, Cybersecurity Ventures predicts that cybercrime damage will cost the world $6 trillion in 2021, compared to $3 trillion in 2015.

Why is cybercrime so popular nowadays? Because it moves a lot of money. The cybercriminals are most likely earning much more than the owner of a successful, profitable company. Here are some figures taken from Digital Shadows’ research:

  • Illegal online markets: $860 billion
  • Trade secret, intellectual property theft: $500 billion
  • Data trade: $160 billion
  • Crimeware / Cybercrime-as-a-Service (CaaS): $1.6 billion
  •  Ransomware: $1 billion

Regarding cybercriminals, the age range has become wider and their attacks more advanced. I would dare to say that most cybercriminals are millennials and behave as their generation dictates: they want quick results using the minimum of resources, effort and time.

As a further illustration, we have, for example, kids like Kane Gamble, who in 2015, at the age of only 15, accessed the accounts of then CIA Director John Brennan and FBI Deputy Director Mark Giuliano using social engineering. Another example is that of Park Jin Hyok, the alleged leader of the Lazarus group, who is also a millennial and is one of the people most wanted by the FBI. Many of the actions of this group helped Kim Jong-Un finance his nuclear arms race.

Profile of Park Jin Hyok. Source: FBI

Third Dimension: The Pandemic

The COVID-19 pandemic, declared worldwide on 11 March 2020 due to its high levels of contagion and lethality, is a critical health situation without precedent in the 21st century. It has forced us to remain in quarantine or social isolation, which entails a series of psychological, sociological and occupational challenges, such as adapting to teleworking over an extended period of time.

Nowadays we are concerned about the number of deaths and people infected by the virus, the lack of a vaccine, etc. In addition, we are beginning to be distressed by the uncertainty of a return to “normality” and we are beginning to experience a global economic crisis. In short, the overall picture is not encouraging at all.

From a corporate point of view, today there are more remote workers and therefore fewer IT and security personnel ready to mitigate attacks and intrusions. This, together with all of the above, makes for an environment conducive to cybercriminals, who take advantage of situations of concern, uncertainty and stress to activate their fraud and scam campaigns. The widespread lack of concentration and the global spread of the pandemic make the cybercriminals’ job easier and increase the likelihood that their campaigns succeed.

This is reflected in the unprecedented figures and statistics provided by different sources such as Google, which through its transparency report indicated that in January this year it registered 149,000 active phishing websites. In February, that number almost doubled to 293,000, and in March it reached 522,000, this is to say, a 350% increase since January. By May there were 1,915,000 sites.

Nowadays, deception, fraud and phishing by e-mail come first. There are also telephone scams, where callers introduce themselves as staff of a clinic or hospital and claim that a relative of the victim has been infected with the virus, in order to ask for payment for the corresponding medical treatment, and so on. We also find fake infection-map applications and apps impersonating governments or hospitals. Furthermore, there is even the sale of fake vaccines. Anyone thinking of buying medical supplies online should think twice and check very carefully that the supplier is a legal and accredited company.

Conclusions

Considering all three dimensions, we can see that cybersecurity is more necessary today than ever before. We must invest in it and be concerned about the risks we are exposed to on the Internet. The picture has changed: it no longer matters whether the company is known or attractive to cybercriminals, no longer matters its size or the sector it belongs to. All companies must be aware of the potential risk involved in their daily basis at work, as they are dealing with personal data and sensitive information about employees and customers.

From the CyberThreats service of the Security Cyberoperations Center (SCC), we have produced a useful guide to cybersecurity risks and recommendations for COVID-19 that I highly recommend. For more information, follow us on social networks, visit our website and our blog.

Indicators of Compromise, Key to Detecting and Solving Incidents in an Agile Way

Cytomic Team, unit of Panda Security    10 September, 2020

Quick and agile response to incidents is a basic aspect of a good cybersecurity strategy. Little by little, more and more companies are becoming aware of this, and this is shown by the favourable evolution of the remediation time.

This statement is corroborated by the latest study published by SANS on incident response, which shows that, for the second consecutive year, there has been an improvement in the way teams respond to incidents. 67% of those surveyed indicated that they had gone from detection to containment in less than 24 hours, a 6% increase over the previous year. In addition, 89% of remediation efforts occur within the first month, a period which, depending on the nature of the incident, can be considered reasonable. However, as these figures show, there is still room for improvement.

In order to secure and maintain an IT infrastructure, the cyberdefence strategy must be able to detect all abnormal activity, identify it and react to the incident as quickly as possible. Furthermore, it is also essential to carry out advanced analysis of all security events to gather patterns and potentially malicious information in what is called an Indicator of Compromise (IOC), which helps give context to the description of the incident. Thus, companies can understand the nature of the damage they have suffered and react to it.

Searching for IOCs: A Necessity

Given the speed at which cybercrime advances, the speed at which an incident is detected and mitigated is crucial to the survival of any business. In order to speed up the identification of devices and the response to threats, having a service provider that has support for retrospective and real time searches for IOCs, as well as advanced rules for hunting (Yara) in the endpoint, is not an option, but a necessity.

But why is this so important? In the event of an incident in an organisation, the possibility of searching for Indicators of Compromise in real time throughout the company’s set of endpoints makes it possible to speed up the identification of the devices being attacked. And thereby, to take the relevant remedial measures to contain the breach as quickly as possible and reduce the exposure time.

In short, with the search for IOCs, the IT team and the CISO have greater visibility of their environment and of what is happening, and are thus able to anticipate the problem and put a stop to it before the consequences get worse.
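As an added example of the retrospective and real-time IOC search described in this section (not Cytomic’s product code), the Python below sweeps a constructed set of endpoint telemetry records (process, DNS and network-connection events from four hosts) against a small indicator set and reports which hosts touched which indicator and when. The hash, domain and IP indicators are placeholders (the domain uses the reserved .invalid TLD and the IP a documentation range), not real IoCs; the record fields are an assumed schema. The optional time window is what makes the search retrospective, and the earliest hit is the start of the exposure time the text talks about reducing.

```python
"""Added example (not Cytomic code): retrospective IOC sweep over endpoint
telemetry, grouped by host, with the earliest sighting as exposure start."""
from datetime import datetime

# Constructed indicators: placeholder values, not real IoCs.
IOCS = {
    "sha256": {"0000aaaa" * 8},          # placeholder file hash
    "domain": {"example-c2.invalid"},    # reserved TLD, never resolves
    "ip": {"203.0.113.10"},              # TEST-NET-3 documentation range
}

# Constructed telemetry records in an assumed schema.
TELEMETRY = [
    {"ts": "2020-09-01 10:00:00", "host": "ws-01", "type": "process",
     "sha256": "0000aaaa" * 8, "image": "C:\\Users\\u\\update.exe"},
    {"ts": "2020-09-01 10:00:05", "host": "ws-01", "type": "dns",
     "query": "example-c2.invalid"},
    {"ts": "2020-09-02 14:00:00", "host": "ws-02", "type": "netconn",
     "dst_ip": "203.0.113.10"},
    {"ts": "2020-09-03 09:00:00", "host": "srv-01", "type": "process",
     "sha256": "ffff" * 16, "image": "C:\\Windows\\notepad.exe"},
    {"ts": "2020-08-20 09:00:00", "host": "ws-03", "type": "dns",
     "query": "example-c2.invalid"},
]

# Which record field carries the value to compare for each indicator type.
FIELD_FOR = {"sha256": "sha256", "domain": "query", "ip": "dst_ip"}


def match_record(rec, iocs):
    """Return (ioc_type, value) if the record touches an indicator, else None."""
    for ioc_type, field in FIELD_FOR.items():
        value = rec.get(field)
        if value is not None and value.lower() in iocs.get(ioc_type, set()):
            return (ioc_type, value.lower())
    return None


def sweep(telemetry, iocs, since=None, until=None):
    """Retrospective search: matching records within [since, until],
    grouped by host. With no bounds it is a full-history search."""
    hits = {}
    for rec in telemetry:
        ts = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
        if since is not None and ts < since:
            continue
        if until is not None and ts > until:
            continue
        match = match_record(rec, iocs)
        if match:
            hits.setdefault(rec["host"], []).append({"ts": rec["ts"], "ioc": match})
    return hits


def affected_hosts(hits):
    """Sorted list of hosts to isolate or remediate."""
    return sorted(hits)


def first_seen(hits):
    """Earliest matching timestamp across all hosts (exposure start)."""
    stamps = [h["ts"] for host_hits in hits.values() for h in host_hits]
    return min(stamps) if stamps else None


if __name__ == "__main__":
    hits = sweep(TELEMETRY, IOCS)
    print("affected:", affected_hosts(hits), "since", first_seen(hits))
    recent = sweep(TELEMETRY, IOCS, since=datetime(2020, 9, 1))
    print("last days only:", affected_hosts(recent))
```

A real EDR would run the same comparison against live events as they arrive (the real-time side) and against its stored history (the retrospective side); the difference for the analyst is only the time window passed in.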

Reinforcing the Strategy with an Incident Response Plan

Cybersecurity personnel should not only use these Indicators of Compromise to their advantage, but also reinforce their strategy with an Incident Response plan and leading-edge solutions that enable them to maintain a proactive approach and face threats in a more effective way.

To reach – and exceed – standards of effectiveness when responding to cybersecurity incidents, there are five steps to consider: prepare a solid response plan in advance to help avoid gaps; once the threat is detected, determine the cause of the incident to try to contain it; assess all efforts made and needed to provide the best response (triage and analysis); contain the damage, eradicate it and recover; and implement appropriate changes to the cybersecurity strategy to prevent this from happening again.

Visibility and Intelligence at the Service of Incident Response

In this context, where the advantages of the search for IOCs and having a firm and updated response and remediation plan to mitigate the damage have been clearly seen, it is very important to have the most advanced leading technology available. For instance, there are solutions on the market that can accelerate the response to incidents and the search for malwareless threats based on behavioural analysis from the cloud.

In this sense, technologies such as Threat Hunting libraries or Jupyter Notebooks are resources that must be present to give visibility and intelligence to the effective search for threats, accelerated research and immediate action on the endpoint. The preconstructed investigations, Jupyter Notebooks, also favour a short learning curve for analysts and hunters as they are self-explanatory, extendable and repeatable.

Early detection is undoubtedly the first step in containing and eradicating an attacker from the network, but this is useless without immediate action at the endpoints as a response mechanism, and that is where advanced tools that can amplify the capabilities of the SOC come into play: in order to distinguish between expected activity and abnormal actions that may indicate the presence of a threat.

Our Story With Govertis

Carmen Dufur    9 September, 2020

Since José Mª Álvarez-Pallete announced the creation of Telefónica Tech last November, ElevenPaths has accelerated its pace to fulfil the complicated yet exciting mission entrusted to us by the company’s top management. It has been a period full of work in which, as a team, we have become an independent company, which has allowed us to create value and grow organically and inorganically, more rapidly.

Within the framework of this inorganic growth, yesterday we announced the purchase of Govertis, a company from Valencia with international presence and projection. It has become a leading cybersecurity consultancy firm specialising in GRC (Governance, Risk and Compliance) and IRM (electronic management of digital assets). Govertis also offers a comprehensive solution capable of unifying the legal and technological perspectives of cybersecurity.

The relationship goes back more than eight years: it began in 2012, when Eduard Chaveli and Óscar Bou, founders of Govertis, successfully carried out several projects for Telefónica. Three years later, the relationship between the two companies was consolidated with Telefónica’s purchase of GesConsultor GRC, Govertis’ platform for management and regulatory compliance (later renamed SandaS GRC by ElevenPaths). This operation was a clear commitment to the technology developed by Govertis, and it was reinforced in 2018 with the signing of a strategic alliance for the improvement and evolution of the platform. At that time, in addition to updating SandaS GRC, Telefónica was investing in the company through Wayra, so that Govertis became a company in which the telco held a 5% stake.

Over the last few years, the ElevenPaths team has worked on identifying collaboration and investment opportunities with startups in the world of cybersecurity and innovation in this same field, collaborating on some investments with the Wayra team, as in the case of Govertis in 2018, and closing its own operations, as with the purchase of the company Dinoflux, also in 2018.

The purchase of 100% of Govertis by ElevenPaths is the natural evolution of a strategic relationship that both parties had been nurturing for years. With this acquisition, we are now positioned as leaders in specialised consultancy in cybersecurity, governance, risk, regulatory compliance and information security, capabilities that complement our consolidated offer in the integration and management of security services.

This has been a great piece of work in which a multidisciplinary team of professionals from ElevenPaths has participated, and it does not end with the purchase of the company. The work starts now. 100 new colleagues, first-rate professionals, are joining ElevenPaths. It is a great opportunity to welcome them, to let them get to know the ElevenPaths culture and to enrich our know-how with their great experience and knowledge.

How to Track COVID-19 Infections, Discover Contacts On WhatsApp or Share Your Genes While Keeping Your Privacy

Gonzalo Álvarez Marañón    8 September, 2020

When you sign up for a new social network, such as WhatsApp, you are often asked if you want to find out who among your contacts is already part of that social network (contact discovery). But if you don’t want to provide your full list of contacts, how do you know if any of them is on the social network without sharing your address book?

Countries around the world are developing apps to track COVID-19 infections. In Spain, for example, the pilot COVID Radar was launched on the island of La Gomera at the end of June. These apps arouse many misgivings about privacy. Would it be possible to find out if you have been in contact with any infected person without either you or the server knowing exactly who it is?

Or imagine that a laboratory has discovered a drug against COVID-19 that works only with people who have certain genes. How can the laboratory know if you have those genes without you revealing your whole genome or the laboratory revealing what those specific genes are?

What Is Happening?

Big Data and cloud computing are giving rise to a multitude of situations where two parties each have a set of data and want to find the intersection between the two sets while revealing to each other only the data they have in common. This is an old cryptographic problem known as Private Set Intersection (PSI), and it is experiencing a strong resurgence. In addition to the three scenarios already mentioned, there are many other use cases:

  • A company develops a remote diagnostic app for the COVID-19 with extraordinary accuracy from a list of symptoms provided by the patient. The patient does not wish to reveal his symptoms to the company, nor does the company wish to reveal to anyone what symptoms it uses for diagnosis.
  • The same person receives medical care in different locations. Different administrations want to know which patients have visited health centres in other communities without disclosing their list of patients to each other.
  • In order to conduct an international operation, several national cybersecurity agencies want to find the intersection between their criminal IP databases without revealing their complete lists of IPs to each other.
  • An advertising agency sends an online ad to a group of users. Some of these users subsequently buy the product in a physical shop. The agency wants to find the intersection between the group of users who saw the product ad and those who bought it in physical shops (online-to-offline ad conversions).
  • One healthy food company serves meals to many employees of another company, which performs medical tests on them twice a year. The catering company wants to know if employees who have lowered their cholesterol in the last year consumed their food, but the other company does not want to (and should not) disclose its employees’ health data.

The more traction the cloud and Big Data gain, the greater the number of new use cases that arise every day: botnet detection, identification of cheats in online games, location sharing, discovery of compromised credentials, etc.

The need to compute this intersection of sets privately has become crystal clear, but the question is: how do we achieve it? Cryptography offers numerous PSI techniques, from the naive solution based on hash functions to protocols involving a semi-confidential third party and protocols involving only the two parties. Let’s have a quick look at how they work.

The Naïve Solution With Hash Functions

It consists of comparing the hashes of each element of both sets: if two hashes match, the corresponding elements are the same. This approach, which WhatsApp used at the time, is simple and fast, but it is not secure: with a small data set or one of low entropy, such as telephone numbers, it is perfectly feasible to mount a brute-force attack by calculating the hashes of all possible elements. In this way, equipped with the list of hashes of all possible phone numbers, WhatsApp would learn not only the contacts you share, but the phone numbers of all your contacts!

For the same reason, this approach is not suitable for comparing ID card numbers, simple identifiers, names, etc. It only provides security when the data to be compared is random or has high entropy.

PSI Based On Semi-Confidential Third Parties

Another, more robust approach is to pass each element of the sets through the same HMAC function with a secret key that the two parties, Alice and Bob, have agreed upon in advance. They send their keyed hashes to the third party, Trent, who returns the intersection set to each of them. Since Alice and Bob have each kept a private table mapping each element of their respective sets to its HMAC output, they can look up the returned values in this table and determine which elements they share.

The maximum information leaked to Trent is the cardinality of the intersection set, that is, how many elements Alice and Bob have in common, and the cardinalities of Alice’s and Bob’s sets, since Trent will know whether Alice has more elements in her set than Bob or vice versa. Of course, Trent could turn out to be malicious and try to deceive Alice and Bob, for example by returning an intersection set different from the real one. Fortunately, there are simple adjustments to this protocol to prevent this type of manipulation by Trent. What Trent will never discover is Alice’s and Bob’s data.
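The two approaches described so far, the naive unkeyed hash and the HMAC-with-Trent protocol, side by side. This is an added example and not code from the original post; the names, the sets and the toy 4-digit identifier space are constructed for illustration, and `trent` returns what the third party learns so that the cardinality leak described above can be seen directly.

```python
"""Private set intersection through a semi-confidential third party (Trent), next to
the naive unkeyed-hash approach it replaces.  Added example, not code from the
original post; all names, sets and the toy 4-digit identifier space are constructed."""
import hashlib
import hmac
import secrets


def naive_tags(items):
    """Naive approach: unkeyed SHA-256 of each element, mapped back to the element."""
    return {hashlib.sha256(x.encode()).hexdigest(): x for x in items}


def recover_from_naive_tags(tags, identifier_space):
    """Why the naive approach fails for low-entropy data: anyone holding the tags can
    precompute the hash of every possible identifier and look the tags up."""
    table = naive_tags(identifier_space)
    return sorted(table[t] for t in tags if t in table)


def keyed_tags(key: bytes, items):
    """HMAC-SHA256 under the key Alice and Bob agreed in advance; each party keeps this
    table private and sends Trent only its keys (the tags)."""
    return {hmac.new(key, x.encode(), hashlib.sha256).hexdigest(): x for x in items}


def trent(alice_tags, bob_tags):
    """Trent sees nothing but tags.  Returns the common tags and, for illustration,
    everything he learns along the way: the three cardinalities."""
    common = set(alice_tags) & set(bob_tags)
    learned = {"alice_size": len(alice_tags), "bob_size": len(bob_tags),
               "intersection_size": len(common)}
    return common, learned


def psi_via_trent(alice_items, bob_items, shared_key=None):
    """Full exchange; returns (intersection as seen by Alice, what Trent learned)."""
    key = shared_key or secrets.token_bytes(32)   # agreed out of band, never sent to Trent
    alice_table = keyed_tags(key, alice_items)
    bob_table = keyed_tags(key, bob_items)
    common_tags, learned = trent(list(alice_table), list(bob_table))
    return sorted(alice_table[t] for t in common_tags), learned


if __name__ == "__main__":
    space = [f"{i:04d}" for i in range(10_000)]          # constructed toy ID space
    exposed = list(naive_tags(["0042", "7777"]))
    print("naive tags recovered:", recover_from_naive_tags(exposed, space))
    print("via Trent:", psi_via_trent(["0042", "7777", "0001"], ["7777", "0002"]))
    keyed = list(keyed_tags(b"\x00" * 32, ["0042"]))
    print("keyed tags recovered:", recover_from_naive_tags(keyed, space))  # []
```

The same table lookup that reverses every naive tag over the 10,000-element space finds nothing among the HMAC tags, because without the key the tags are unpredictable; Trent is left with the three sizes only.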

PSI Based On Two Parties

What if you don’t want to depend on a third party? No problem. There are many alternative approaches in which only the two parties who want to find the intersection between their sets interact.

One of the first and conceptually simplest approaches proposed is based on the cryptographic premises of the famous Diffie-Hellman protocol for agreeing session keys between two parties over an insecure channel. In this case, Alice and Bob apply the DH protocol to derive one shared key for each element in their respective sets. Any shared key found in both sets indicates that the corresponding element is a member of both parties’ original sets. Let’s see how this works in detail:

  1. Alice and Bob agree on a large prime number, p, over a public channel.
  2. Alice randomly generates a private key, a.
  3. Alice calculates a hash, g_i, of each value in her original set. In fact, this step is a bit more complicated, since the hash must be repeated until g_i is a primitive root mod p, but we won’t go into the mathematical details.
  4. For each of these g_i values, Alice calculates g_i^a mod p.
  5. Alice sends these values to Bob.
  6. Bob randomly generates a private key, b.
  7. Bob repeatedly calculates the hash, h_i, of each value in his original set, until they are primitive roots mod p.
  8. For each of these hash values, Bob calculates h_i^b mod p.
  9. Bob calculates the shared keys corresponding to each element of Alice’s original set by raising the values received from Alice to the power of his private key, that is, (g_i^a)^b = g_i^{ab} mod p.
  10. Bob sends his calculated values, h_i^b mod p, to Alice, together with the shared keys corresponding to the elements of Alice’s original set, g_i^{ab} mod p.
  11. Alice calculates the shared keys corresponding to each element of Bob’s original set by raising the values received from Bob to the power of her private key, that is, (h_i^b)^a = h_i^{ab} mod p.
  12. Alice compares the shared keys calculated from her own elements, g_i^{ab}, with those calculated from Bob’s elements, h_i^{ab}. The intersection consists of those elements of Alice’s original set whose shared key also appears among the shared keys calculated from Bob’s elements, that is, g_i^{ab} = h_j^{ab} for some j.
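The twelve steps above as a runnable exchange. This is an added example, not code from the original post, and it makes two assumptions of its own: instead of re-hashing until the hash is a primitive root mod p, it hashes each element, reduces mod p and squares the result, which places it in the prime-order subgroup of a safe prime p = 2q + 1 (a standard hash-to-group trick that serves the same purpose); and p is a roughly 63-bit safe prime searched for at start-up, a toy parameter where a deployment would use a 2048-bit or larger standard group. The step numbers in the comments refer to the list above.

```python
"""Diffie-Hellman-style private set intersection, following the twelve steps above.

Added example, not code from the original post.  Two simplifications are
assumptions of this example, not part of the post's description:
  * instead of re-hashing until the hash is a primitive root mod p, each element
    is hashed, reduced mod p and squared, which places it in the prime-order
    subgroup of a safe prime p = 2q + 1 (re-hashing only if the result is 0 or 1);
  * p is a ~63-bit safe prime found at start-up, a toy parameter; a deployment
    would use a standard 2048-bit or larger group (or an elliptic-curve group).
"""
import hashlib
import secrets

MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)  # deterministic below 3.3e24


def is_probable_prime(n: int) -> bool:
    """Miller-Rabin primality test with a fixed base set."""
    if n < 2:
        return False
    for b in MR_BASES:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def find_safe_prime(start: int) -> int:
    """Smallest safe prime p = 2q + 1 with odd prime q >= start (demo search)."""
    q = start | 1
    while not (is_probable_prime(q) and is_probable_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1


P = find_safe_prime(1 << 62)   # DEMO PARAMETER ONLY: far too small for real use
Q = (P - 1) // 2               # order of the quadratic-residue subgroup


def hash_to_group(element: str) -> int:
    """Steps 3 and 7: map an element to a group element g_i (or h_i)."""
    counter = 0
    while True:
        digest = hashlib.sha256(f"{counter}:{element}".encode()).digest()
        g = pow(int.from_bytes(digest, "big") % P, 2, P)
        if g > 1:              # 0 and 1 carry no information; re-hash ("repeat" in the steps)
            return g
        counter += 1


class Party:
    """Holds one side's private exponent and hashed set (Alice or Bob)."""

    def __init__(self, items):
        self.items = list(items)
        self.key = secrets.randbelow(Q - 2) + 2          # private key a (or b), in [2, q-1]
        self.points = [hash_to_group(x) for x in self.items]

    def blind_own(self):
        """Steps 4 and 8: g_i^a mod p (or h_i^b mod p) for every own element."""
        return [pow(g, self.key, P) for g in self.points]

    def blind_received(self, values):
        """Steps 9 and 11: raise the other side's blinded values to own key."""
        return [pow(v, self.key, P) for v in values]


def private_set_intersection(alice_items, bob_items):
    """Run the exchange; returns the elements of Alice's set that Bob also holds."""
    alice, bob = Party(alice_items), Party(bob_items)
    to_bob = alice.blind_own()                  # step 5: Alice -> Bob, g_i^a
    bobs_blinded = bob.blind_own()              # step 8: h_i^b
    alices_shared = bob.blind_received(to_bob)  # step 9: g_i^{ab}, same order as to_bob
    # step 10: Bob -> Alice: bobs_blinded and alices_shared
    bobs_shared = set(alice.blind_received(bobs_blinded))   # step 11: h_i^{ab}
    # step 12: Alice keeps the elements whose shared key appears among Bob's shared keys
    return sorted(x for x, k in zip(alice.items, alices_shared) if k in bobs_shared)


if __name__ == "__main__":
    # constructed sample data
    print(private_set_intersection(["+34600000001", "alice@example.org", "shared-id"],
                                   ["shared-id", "+34600000001", "bob@example.org"]))
```

Neither side ever sees the other's raw elements, only blinded values g_i^a or h_i^b, and the private exponents never leave their owners; Bob does learn how many elements Alice holds, the cardinality leak the next section discusses.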

Since the publication of this protocol, dozens of alternatives using increasingly sophisticated cryptographic primitives have appeared. Highly elaborate protocols based on other public key algorithms have been proposed, such as blind RSA operations; based on Bloom filters; on fully homomorphic encryption; on oblivious transfer (OT) to transmit set data; or on variants of Yao’s Garbled Circuit, capable of simulating any mathematical function with a Boolean circuit using only AND and XOR logic gates.

Security Challenges and PSI Scalability

The security and scalability challenges faced by all these protocols in calculating the private intersection of sets are varied:

  • The most efficient protocols work for small sets of a few hundred or thousands of elements. However, in many real applications, sets of billions of data need to be compared, which requires finding faster alternatives.
  • In addition to requiring few operations, it is important to minimise the communication needed for data exchange between the parties.
  • Not all agents involved will play by the rules. In secure multiparty computation, two types of adversary are considered: semi-honest (or passive) and malicious (or active). The semi-honest adversary tries to obtain as much information as possible from the execution of a given protocol without deviating from its steps. More dangerous and more realistic is the malicious adversary, who arbitrarily deviates from the protocol steps to gain an advantage and obtain more information than the others. PSI protocols that resist malicious adversaries are considerably heavier and less efficient than those that resist semi-honest ones.
  • The simplest PSI approaches leak information: at the least, the number of elements in each set and the number of elements in the intersection. In applications where even this leak is not acceptable, more secure protocols are required, which unfortunately need more operations and more bandwidth.

The More the Cloud and Big Data Advance, the Greater the Demand for PSIs

As data protection laws and regulations evolve in an effort to safeguard the private sphere of citizens’ lives, the private intersection of sets will enable public and private organisations to continue to generate knowledge from the Big Data that benefits the citizen, while satisfying privacy regulations.

In June 2019, Google announced a tool to perform operations on the intersection of sets called Private Join and Compute. According to the press release:

Using this cryptographic protocol, two parties can encrypt their identifiers and associated data and then join them in a consultation. They can then make certain types of calculations on the overlapping data set to obtain useful information from both data sets together. All entries (identifiers and their associated data) remain fully encrypted and unreadable throughout the process. None of the parties ever reveals their raw data, but they can still answer the questions raised using the calculation output. This result is the only thing that is decoded and shared in the form of aggregated statistics such as a count, sum or average of the data from both sets.

Private Join and Compute combines the private intersection of sets with full homomorphic encryption to protect individual data. The following video gives an idea of how it works:

PSI represents the intersection between the voracity of data from large organisations and the right to privacy of citizens. Technological giants such as Google, Microsoft or Baidu are investing enormous amounts of money and cryptographic neurons in these technologies. In the coming months we will see where mass data analysis applications turn, whether to favour citizens with better services or to further reduce their battered privacy. After all, as the cryptographer Phil Rogaway said:

“Surveillance that preserves privacy is still surveillance.”

We Acquire iHackLabs to Boost the Training of Our Ethical Hackers

Alberto Cuesta Partida    7 September, 2020

Following the recent acquisition of Govertis, we are still looking for startups with interesting initiatives that can help us continue to grow and establish ourselves as leaders in cybersecurity services. Following the creation of Telefónica Tech, and with the aim of becoming an independent company that allows us to grow in all possible ways, today we announce the acquisition of iHackLabs, a company specialised in the education and training of cybersecurity professionals.

As head of detection and response services (MDR, Managed Detection & Response) and offensive security (OSS, Offensive Security Services), which includes Telefónica’s Blue Team and Red Team, whose mission is to respond to incidents and carry out simulations of real attacks on our customers, I am delighted about this new acquisition. In this way, our team of experts will take a step forward in offensive and defensive security and incident management, thereby improving their skills and growing as cybersecurity professionals. In such a changing environment as cyberthreats, it is very important to have the best cybersecurity professionals, and we are going to achieve this by having the next generation of computer security professionals within the ElevenPaths team.

In addition to this, iHackLabs has different platforms and laboratories for training in the cloud under a SaaS (Security as a Service) model, in which they recreate real threat environments adapted to the specific needs of companies and organisations. They have platforms with the capacity to recreate a complete cycle of ransomware and denial of service attacks.

Our relationship with iHackLabs began in 2018, when we advised Wayra, Telefónica’s global open innovation hub, to make an investment in the startup of Miguel Rego, CEO of iHackLabs. Having just landed in Spain at the beginning of that year, we have not stopped being in contact with them in search of collaborations and investments, and we have finally succeeded. The capabilities of the platforms and solutions developed by iHackLabs are at the forefront of cybersecurity training. Combining these characteristics with our team of highly qualified professionals will ensure that we have the best talent in the sector as the company keeps growing. Moreover, we will be expanding our training offerings to our clients, both in the private and public sectors.

We are looking forward to forming a single team with this acquisition in order to train our professionals and those of our clients, to be able to offer them the most specific solutions to their needs. One of our priorities is continuous training to anticipate and deal with the increasingly frequent and diverse cyberattacks.

The art of communication in times of change

AI of Things    7 September, 2020

Confucius said “what I hear, I forget; what I see, I remember; what I do, I learn”. By communicating we learn, and in the Data Governance team we understand that generating a suitable communication plan in line with a set of expectations will mark the success of organisations and maximise the investment made, even more so in these troubled times, where new working circumstances will require deep change. The implementation of any service is not only based on technology, processes and best practices, but also on people, the driving force in the evangelisation of the changes that arrive as time goes on.

The communication plan

A communication plan can bring about a cultural change and speed up the processes of digital transformation in companies. Creating synergies from scratch and delivering short briefings to the sponsors taking part in the Data Governance initiatives and lines of work will be key to adding resources and obtaining the support and alliances that allow a return on investment (ROI) and knowledge to be generated as early as possible.

To disseminate it, it will be necessary to prepare several guidelines that give the company a Data-Driven approach and that treat data, understood through its Metadata-Centric model, as the main business asset.

Figure 1: Dissemination, communication and training I

Guidelines

These guidelines are:

  • Identification of the change: As in the inception of any Data Governance project or service, it will be essential to carry out an initial analysis and detailed evaluation, offering a picture as close as possible to reality so that the communication campaign is as effective as possible. This will help to identify the target audience, its current maturity, the groups its members belong to and their clustering, as well as how to address them, which is necessary to develop a tailor-made action plan.
  • Proposal of initiatives: Assuming that the customer will be the one who ultimately defines the SMART objectives of the communication plan, at Telefónica we understand that the strategic vision must be to create a business culture focused on data, establishing, in a guided and gradual way, a series of insights or KPIs that make it possible to follow up the progress of the agreed measures.
  • Designing the action plan: Here comes the time to take real action. The approach proposed by Telefónica on how to deliver the content of the message across the whole organisation is based on the generation of:
    • Manuals or guides
    • Circulars and mailings
    • Intranet newsletters
    • Workshop planning
    • Participation in events
Figure 2: Dissemination, communication and training II
  • Monitoring and evaluation: After the execution of the plan, there will be a maintenance phase, contingency plans and continuous follow-up, which will make it possible to know the reach of the plan and the level of satisfaction among the group, and to carry out mitigating actions in case of risk or anomaly.

Likewise, and closely linked to the art of communication, we draw from a baseline of resources and training needs that can be adapted to the target audience at which the knowledge is aimed. Given the moment we find ourselves in, this training pipeline may be delivered either in person or remotely. In either case, a calendar will be established, as well as a location through the reservation of an appointment or space, and support material (physical or multimedia documentation) to be offered to the stakeholder.

Conclusion

All these facilities make new learning opportunities, democratize access to quality knowledge, and establish the foundations for social and ethical corporate growth.

And as our president says:

“we are not facing a time of change, but a change of era”

José María Álvarez-Pallete

It is essential to be in a continuous process of adaptation as people, as a society and as companies. Only those who know how to offer their best essence and adapt to this reality will survive in this new digital world.

Written by Raúl Hernáiz Ortega

To stay up to date with LUCA, visit our Webpage, subscribe to LUCA Data Speaks and follow us on Twitter, LinkedIn and YouTube.