10 Tips for Secure Homeworking in Your Company

ElevenPaths CSAs    23 March, 2020

When teleworking becomes possible, or even necessary, as in the case of the coronavirus pandemic, we must bear in mind that the security controls in place at the company's premises now depend largely on the networks available to workers at home. For this reason, here are the measures you should adopt to make teleworking secure for your company, your employees and your clients:

  1. Implement a reliable VPN solution, on both the server side and the client side. Avoid, wherever possible, remote access services that route the connection between your clients and your servers through a third party or provider.
  2. Monitor remote access to your company through the VPN, identify devices that do not comply with the defined security policies and, through some form of network access control, isolate those devices until the weaknesses are fixed.
  3. During this pandemic that we are facing worldwide, many companies have a large part of their staff working remotely, so the availability of services becomes vital for our work. Cybercriminals know this too, and are aware that a Denial-of-Service attack would be far more disruptive now than usual. Enable anti-DDoS protection both on your web servers and on your network.
  4. Validate the capacity of your links and your server configurations so that employees can connect to the company's services in a stable way. Make sure, as far as possible, that they do not have a bad experience and, above all, that what you show them does not contradict your own security advice. For example, if you tell them not to access portals without valid digital certificates, make sure that the platforms you make available to them have such certificates.
  5. If you have never performed security tests on your portals, now may be a good time to do so with solutions like VAMPS. Cybercriminals are working hard to harm companies, since they know that companies currently lack the capacity to monitor everything that happens on their portals.
  6. If you have not yet contracted SOC services, now may be a good time to do so. Having professionals providing 24/7 monitoring and support in times like these is a great advantage when you suddenly have so many remote users connected to your infrastructure.
  7. Do not forget to secure your teleworking and video conferencing platforms, because they are another vector that attackers look for in order to gain access to your company. We have research and tools that prove this; take a look at our blog, where we analyze them.
  8. If employees have corporate phones, consider implementing an MDM (mobile device management) solution to help keep those devices secure and reliable.
  9. In remote work time is precious, so use task planning and tracking tools within your teams, such as Teams or Slack, among others. You can check the resources that we will be publishing on our Twitter account.
  10. Bear in mind that, to hold meetings and stay productive within your organization, it is essential to have and use office tools that allow video conferences, group calls and group work. Most cloud office suites (Microsoft 365, of which OneDrive is a part, for example) have these integrated into their services.

How to Detect and Protect Yourself from Phishing Attacks in Times of Coronavirus

ElevenPaths    20 March, 2020

The information overload caused by the huge amount of news we receive about the coronavirus makes it harder to tell genuine emails from fake ones. This poses a real risk, since it can lead people to download malware that attackers use to access their victims' data and steal their identity, with economic and even health consequences. In the worst case, a single phishing email can do serious damage.

The number of people affected by COVID-19 is shocking and grows every day. We all know that this disease is causing dire social and economic consequences worldwide, so we must follow the recommendations and orders of the authorities to try to stop its spread. In the same way, we must take measures to protect ourselves from cyberthreats, which can also affect us individually and collectively.

Types of Phishing Emails on Coronavirus

Phishing emails about coronavirus, like those about any other topic, may have different forms:

  • Alerts from the Ministry of Health. Cybercriminals send emails impersonating legitimate organizations (government bodies, healthcare organizations, large companies, etc.) that include, for instance, a link to a supposed list of coronavirus cases in your region. Do not click on the link; delete the email.
  • Emails containing health tips. Phishers also offer supposed tips or remedies to protect ourselves against the coronavirus. These emails may claim to come from medical experts in China, where the outbreak began, for example.
  • Emails about work policies. You may receive phishing emails not only in your personal account but also in your corporate one. Attackers may impersonate a well-known company or even the company you work for. In this case, check the sender's domain, because the link may lead to malware.

Tips for Detecting and Avoiding Phishing Emails

  • Be very careful when asked for personal information online. Government institutions do not ask for social security numbers or other personal data just like that. Never reply to these emails or share any kind of personal information.
  • Other phishing emails are advertisements claiming to have a treatment or cure for the coronavirus. Typically, these ads try to create a sense of urgency, with limited offers or a deadline to get the product. What you must do is simple: delete them, because if you click on them two things may happen:
    1. Malicious software is downloaded onto your device.
    2. You buy the product and never receive it, that is, your money and your personal information (such as your name, address and credit card) are stolen.
  • Analyze how they address you. Phishing emails are usually sent en masse, so they rarely use your name or personalize the content. Generic formulas like 'Dear Sir or Madam' suggest that you are probably looking at a scam.
  • Check the links and email addresses. To inspect a link, hover over it and a box will show the site you would actually be sent to; compare it with the text of the link. As for email addresses, look carefully at everything they contain and examine the domain (what goes after the '@'): a lookalike domain that is not the organization's real one is the usual giveaway, so look it up on the Internet if in doubt.
  • Pay attention to spelling and grammatical mistakes. It may seem trivial, but legitimate emails usually contain no (or very few) grammatical mistakes or misspellings. If you find too many, delete it.
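The checks in the list above (sender domain versus the organization's real domain, link text versus the real destination, plain HTTP, generic greeting) can be automated. The following Go program is an added example written for this page, not ElevenPaths' code or a product of theirs; the message it analyses is constructed for the example, and the domains under .example are hypothetical lookalikes. It reports what a careful reader would spot by eye:

```go
package main

import (
	"fmt"
	"io"
	"net/mail"
	"net/url"
	"regexp"
	"strings"
)

// rawEmail is a constructed sample, not a real phishing message: the display name
// and the visible link text claim the Ministry of Health, but the sending domain and
// the real href are a lookalike under .example.
const rawEmail = `From: "Ministry of Health" <alerts@mscbs-gob.es.example>
To: victim@example.com
Subject: Coronavirus cases in your region
Content-Type: text/html

<html><body>
<p>Dear Sir or Madam,</p>
<p>See the updated list at
<a href="http://login.mscbs-gob.es.example/cases">https://www.mscbs.gob.es/cases</a></p>
</body></html>
`

// Finding is one reason the message looks suspicious.
type Finding struct {
	Kind   string
	Detail string
}

// anchorRE captures the href and the visible text of each HTML link.
var anchorRE = regexp.MustCompile(`(?is)<a\s+[^>]*href\s*=\s*"([^"]+)"[^>]*>(.*?)</a>`)

// underDomain reports whether host is domain itself or a subdomain of it.
func underDomain(host, domain string) bool {
	host, domain = strings.ToLower(host), strings.ToLower(domain)
	return host == domain || strings.HasSuffix(host, "."+domain)
}

// Analyze does by code what the text asks the reader to do by eye: compare the
// sender's domain with the domains the claimed organisation really uses, compare
// the host shown in a link's text with the host in its href, flag plain HTTP and
// flag the mass-mailing greeting.
func Analyze(raw string, claimedDomains []string) ([]Finding, error) {
	msg, err := mail.ReadMessage(strings.NewReader(raw))
	if err != nil {
		return nil, err
	}
	from, err := mail.ParseAddress(msg.Header.Get("From"))
	if err != nil {
		return nil, err
	}
	var findings []Finding

	senderDomain := from.Address[strings.LastIndex(from.Address, "@")+1:]
	legit := false
	for _, d := range claimedDomains {
		legit = legit || underDomain(senderDomain, d)
	}
	if !legit {
		findings = append(findings, Finding{"sender-domain",
			fmt.Sprintf("%q sends from %s, which is not under %v", from.Name, senderDomain, claimedDomains)})
	}

	body, err := io.ReadAll(msg.Body)
	if err != nil {
		return nil, err
	}
	for _, m := range anchorRE.FindAllStringSubmatch(string(body), -1) {
		href, text := m[1], strings.TrimSpace(m[2])
		hu, err := url.Parse(href)
		if err != nil || hu.Host == "" {
			continue
		}
		// Only when the visible text is itself a URL can the two hosts be compared.
		if tu, err := url.Parse(text); err == nil && tu.Host != "" && !underDomain(hu.Host, tu.Host) {
			findings = append(findings, Finding{"link-mismatch",
				fmt.Sprintf("text shows %s but the link goes to %s", tu.Host, hu.Host)})
		}
		if hu.Scheme == "http" {
			findings = append(findings, Finding{"plain-http", href})
		}
	}

	if strings.Contains(strings.ToLower(string(body)), "dear sir or madam") {
		findings = append(findings, Finding{"generic-greeting", "Dear Sir or Madam"})
	}
	return findings, nil
}

func main() {
	findings, err := Analyze(rawEmail, []string{"mscbs.gob.es"})
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-17s %s\n", f.Kind+":", f.Detail)
	}
}
```

The subdomain comparison is deliberately strict: `mscbs-gob.es.example` is not under `mscbs.gob.es`, which is exactly the kind of lookalike the text warns about. A production filter would also resolve the registrable domain with a public-suffix list and inspect the `Received` headers, which this example leaves out.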

Where to Find Reliable Information about the Coronavirus?

Always go to the portals of governments and certified health institutions. Be selective when searching for information, and cross-check it. The Spanish Ministry of Health has set up a portal to provide information about the coronavirus: https://www.mscbs.gob.es/profesionales/saludPublica/ccayes/alertasActual/nCov-China/home.htm

(The information below only applies to Spain)

You can also find a section on the website of your autonomous community to find out about the specific measures that are being implemented in your region.


Bear in mind that if you are a Movistar client you can activate Conexión Segura here, a service developed by ElevenPaths and Telefónica España together with McAfee and Allot. This service blocks, instantly and preventively, malware and fraud threats you may encounter when surfing the net with your devices.

5 ways to close the STEM gender gap

Olivia Brookhouse    20 March, 2020

Rosalind Franklin, Lise Meitner, Esther Lederberg and Ada Lovelace are just some of the women whose contributions to science were not recognised at the time because they were not men. While we have come a long way, we cannot ignore the gender gap that persists in STEM, where women make up only 22% of the workforce. Empowering women from day one ensures STEM workforces are diverse, because diversity breeds innovation and innovation breeds success.

Education

From an early age, boys are pushed towards science and maths to become astronauts, engineers and programmers, whilst girls are pushed towards humanities subjects and languages, celebrated for their creativity rather than their intelligence. It is estimated that girls lose confidence in their mathematical abilities between the ages of 13 and 15, despite outperforming boys of similar ages in these subjects.

Education is an essential component in closing the gender gap in STEM, as it can stop underlying gender bias from day one. It can give girls the hard skills required to become programmers, data scientists, engineers, physicians and so on, and it can teach everyone about the importance of diversity, not only in STEM but in every industry.

“This is not about fixing women — it is about recognising that girls and young women often learn a set of concepts in early years that limit their views of themselves.”

Gabriela Mueller Mendoza, speaker about diversity in STEM

Schools are the key place to convince girls from day 1 that they are just as capable as their male counterparts. Girls often don’t choose to continue with these subjects because they never saw it as a possibility, maybe because no females in their family ever pursued science. Encouraging girls to believe in their intelligence is a necessity.

Work experience

A lack of role models and accessible work experience to show young girls how they can fit into this field of work is also responsible for the STEM gender gap. Whilst education can provide the hard skills necessary to be hired, nothing compares to real life experience.

Female leaders already in the field need to be part of the movement to inspire the next generation, to act as mentors. This means going into local schools and youth centres to pass on expertise and advice.

Education and work experience give girls the drive to work in STEM, but how do companies need to change to ensure women remain in STEM careers?

Diversity

Innovation in the workplace requires diversity, diversity of genders, cultures and ages to bring something new and creative. This means hiring a diverse workforce and training existing workforce on the importance of inclusion. A push for diversity may also mean companies need to stamp out unconscious and conscious biases, removing both legal barriers and social invisibilities.

The solution needs to be a concerted effort to train HR, recruiters and managers on the importance of making teams diverse and keeping them that way, via upskilling or by directly hiring skilled women to be part of the change. Within companies, there also need to be equal opportunities for women to be promoted.

Diversity is also very important in programming, to produce fair machine learning systems. If these automated systems are fed with examples of biased decisions, they will end up perpetuating those same biases. Diversity in programming teams is important to spot these biases and mitigate them. Artificial Intelligence will only learn to be inclusive, fair and representative if we are.

Diversity in the workplace increases the opportunities for women, which encourages them to enter and remain in STEM careers.

Support those at the top

Too often women at the top are not given the recognition they deserve. Once women reach the top, they need to be celebrated, not doubted.

More comments are made about what they are wearing than what they have achieved and how hard they worked to get there. We all need to come together and celebrate those women in our company, sector or community who have climbed to the top.

Self-belief

As with many things, as women we need the self-belief to achieve what we want in STEM, because we are no less capable than the men around us! Together we can close the gender gap in STEM.

To stay up to date with LUCA, visit our Webpage, subscribe to LUCA Data Speaks and follow us on Twitter, LinkedIn and YouTube.

Cybersecurity Trends Report for 2020 from ElevenPaths

ElevenPaths    19 March, 2020

This report aims to focus on the potential threats that could arise in the 2020 digital environment by offering a picture of a possible future driven by the evolution of threats and technological progress.

Which are the threats to the digital world in 2020?

The year 2020 marks the transition to a new decade, and so it does for cybersecurity. Companies run a wide variety of applications, services and platforms that will require protection against attack. We will keep seeing known attacks, such as extortion, obfuscation and phishing, but new risks will also arise.

It should be noted that cybercriminals will not stop looking for ways to compromise systems; they will adapt their tactics and attack vectors, which makes it essential for users and companies to anticipate them and, above all, to be well protected.

It is quite likely that attackers will get around incomplete patches, so system administrators must ensure both the timeliness and the quality of patching.

Kaspersky researchers also point out that targeted attacks will change during 2020. The trend suggests that threats will grow in sophistication and become more selective, diversifying under the influence of external factors such as new technology, e.g. machine learning used to produce deepfakes.

Broadly speaking, and as analyzed in the report, these are the trends we have highlighted for 2020, the main technologies that will be involved in cyber attacks over the coming months:

  • Ransomware attacks
  • Cloud Computing
  • Machine Learning
  • Phishing attacks
  • Open Banking and Mobile Malware
  • 5G

Cybersecurity Trends Report for 2020 available here


Secure Homeworking, Applying Cybersecurity from Home

Andrés Naranjo    17 March, 2020

Sometimes changes occur in society and bring us new ways of addressing daily tasks, cultural, social or other changes that establish a new practice as a way of life to solve or ease a new reality.

Thus, with the arrival of the coronavirus in Spain, the terms 'teleworking' and 'home working' are on everyone's lips as a way to keep work going while minimizing interpersonal contact and the spread of the virus.

However, the ability to work remotely is not new, and teleworking is very positive both for society and for the individual, as almost every study on it shows. As a case in point, teleworking means fewer trips and lower emissions: in a few weeks China has reduced its air pollution by more than 25%. Commuting accidents are also avoided. Another great advantage is that home working is family-friendly: if working hours can be adapted to family responsibilities, the worker's quality of life improves and stress is reduced.

Resources Required to Enable Teleworking and Its Risks

Obviously, none of this happens by itself. A change of this size needs preparation, particularly at the technological level. Above all, secure access to all the company's resources must be guaranteed, together with a way to hold online meetings with the appropriate connections and tools, and a means of synchronizing all this that allows the meeting agenda to be managed. Access to corporate mail and to network or cloud folders for sharing data is also needed and, of course, the devices to be used remotely.

But, like any change, it has drawbacks. When we work from home using our own network and devices, the company loses control over the cybersecurity measures applied unless it had planned for this contingency.

Working from Home Securely

To begin with, using our own connection may create a security risk for the company if it is not properly secured, both in terms of passwords and of network segmentation. The work device should be isolated from the other devices at home, which may be less secure, particularly if they are used by minors. Likewise, the system provided by the company must include the connection tools needed to bring that connection into the corporate network and, from there, secure it with the usual perimeter controls.

Let’s focus on those essential solutions to ensure security when working from home:

  • Secure Connection to the Corporate Network: Properly configured Virtual Private Network (VPN) services give us, on the one hand, an encrypted tunnel between the device and the corporate gateway, so that anyone eavesdropping on the connection sees only unreadable data. Such attacks, known as man-in-the-middle, are more common than people think (on public Wi-Fi, for example), and anything sent over plain HTTP, which is not encrypted, can be read. On the other hand, by connecting to the corporate network and 'going out' to the Internet through its security controls we are better protected and, where needed, we can reach the intranet or the required network folders.
  • Robust Identity Management: Remote access must never rely on a username and password alone. This must be avoided at all costs, since a theft or leak of those credentials will almost certainly end in unauthorized access to the company's resources. Here two-factor authentication and adaptive authentication play a major role, and that is why cybersecurity companies offer identity services that, in short, ensure users are who they claim to be.
  • Device Protection Tools, or EDR (endpoint detection and response), the evolution of the old 'antivirus', which provide comprehensive, centrally managed enforcement of the company's security policy on employees' devices.
  • Awareness about the Responsible Use of Technology: No science advances faster than technology, so its use requires continuous training, since every day more aspects of a company depend on it. All companies should train their employees in the appropriate use of technological means: currently, more than 90% of successful cyberattacks involve human error.
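As an added illustration of the second factor mentioned above (example code written for this page, not an ElevenPaths product or the article's own material), here is the time-based one-time password algorithm (RFC 6238) that authenticator apps implement, together with the server-side checks a practitioner wants around it: a one-step clock-skew window and replay protection, so a code captured by a man-in-the-middle cannot be used a second time. The user name is a placeholder and the secret is the RFC 6238 test-vector key, not a real one:

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"time"
)

const (
	step   = 30 // seconds per TOTP time step
	digits = 6  // code length accepted by Verify
)

// TOTP computes an RFC 6238 code (HMAC-SHA1, 30-second step), the scheme behind most
// authenticator apps. secret is the raw shared key agreed at enrolment.
func TOTP(secret []byte, t time.Time, n int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], uint64(t.Unix()/step))
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f // dynamic truncation, RFC 4226
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < n; i++ {
		mod *= 10
	}
	return fmt.Sprintf(fmt.Sprintf("%%0%dd", n), code%mod)
}

// Verifier is the server side of the second factor. It tolerates one step of clock skew
// either way and remembers the last step each user consumed, so a code captured in
// transit cannot be replayed and an older code is refused once a newer one was accepted.
type Verifier struct {
	secrets  map[string][]byte
	lastStep map[string]int64
}

func NewVerifier() *Verifier {
	return &Verifier{secrets: map[string][]byte{}, lastStep: map[string]int64{}}
}

// Enroll registers the shared secret for a user (in practice, stored encrypted).
func (v *Verifier) Enroll(user string, secret []byte) { v.secrets[user] = secret }

// Verify returns true only for a fresh, correct code from an enrolled user.
func (v *Verifier) Verify(user, code string, now time.Time) bool {
	secret, ok := v.secrets[user]
	if !ok || len(code) != digits {
		return false
	}
	for _, skew := range []int64{0, -1, 1} {
		stepNo := now.Unix()/step + skew
		if last, seen := v.lastStep[user]; seen && stepNo <= last {
			continue // this step, or an older one, has already been consumed
		}
		expected := TOTP(secret, time.Unix(stepNo*step, 0), digits)
		if hmac.Equal([]byte(expected), []byte(code)) {
			v.lastStep[user] = stepNo
			return true
		}
	}
	return false
}

func main() {
	secret := []byte("12345678901234567890") // the RFC 6238 test-vector secret, not a real one
	v := NewVerifier()
	v.Enroll("alice", secret)
	now := time.Now()
	code := TOTP(secret, now, digits)
	fmt.Println("code:", code, "first use:", v.Verify("alice", code, now), "replay:", v.Verify("alice", code, now))
}
```

The comparison uses `hmac.Equal` rather than `==` so that timing does not leak how many digits matched, and the per-user `lastStep` is what turns a one-time password into something that really is one-time: without it, a code phished in the last thirty seconds still works.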

In short, whether because of the threat of the coronavirus or not, your company may be considering allowing telework, at least in part. This requires a study of its feasibility and risks. ElevenPaths has products and services to secure this digital transformation of the world of work.

More and Shorter Certificates with a Lower Lifetime: Where Is TLS Going to?

Sergio de los Santos    16 March, 2020

These are turbulent times for cryptography. Although the ordinary user does not notice it, the world of encrypted and authenticated websites (which does not in itself make them safe) is going through a deep renewal of everything that was established. Something as seemingly immutable as cryptography is going through a strange moment, and we do not know how it will end. What is certain is that we must revise our traditional beliefs about how the web works. Let's review some recent events that will turn everything upside down.

Apple and Its Increasingly Shorter Certificates

Browsers have been steering the course of the Internet and, in particular, of cryptography. Chrome has long fought to do away with HTTP and make everything HTTPS. For years it has followed an incremental strategy: flagging as insecure pages without encryption and authentication and, in turn, raising the bar for those that have them, for instance by gradually distrusting certificates that use SHA-1.

But this time, curiously, it was not Chrome but Apple, with Safari, that decided to shorten certificate lifetimes to a year. This has been discussed and voted on several times by the parties involved: the browsers wanted a maximum of one year, the CAs did not. Now Safari says that from September 2020 it will treat certificates valid for more than one year as invalid.

In September 2019 the main agents of the Internet and the CAs voted (CA/B Forum ballot SC22) on whether the lifetime of TLS/SSL certificates should be reduced (even further) to a maximum of one year. The result was (again) no. 35% voted for the reduction, including Google, Cisco, Apple, Microsoft, Mozilla, Opera and Qihoo 360. The rest, particularly the CAs, voted against, so officially the maximum certificate lifetime remains 825 days.

However, in February, at the CA/B Forum meeting in Bratislava, Apple announced that its own maximum will be 398 days. Just like that, without notice or a statement. From 1 September 2020 it will distrust certificates issued on or after that date whose lifetime exceeds 398 days. Will this sweep the other browsers along? The whole industry? Safari, thanks to the iPhone, has around 18% of the market, so it has enough weight to push it through. In our view, it is a way of testing its own leadership.

Facebook and Its Ephemeral Certificates

There are essentially three technologies that browsers can implement to check the revocation status of a digital certificate:

  • The downloadable revocation blacklist known as the Certificate Revocation List (CRL), defined in RFC 5280. History has shown that it does not work: the lists grow too large to fetch and check on every connection, and browsers largely stopped downloading them.
  • OCSP, defined in RFC 6960. OCSP works with a request-response mechanism that asks the CA about the status of a specific certificate. The most effective variant so far (without really being effective) is OCSP stapling with the Must-Staple extension, but it is not widely used.
  • CRLSets: a 'fast' revocation method used only in Chrome, meant, as they put it, for 'emergency situations'. They are a set of revoked certificates gathered from other CRLs, downloaded from a Google server and processed by Chrome. Although the mechanism is fully transparent, the management of which certificates go on the list is completely opaque, and the certificates used to update it are not known (unless discovered by other means).

Since none of this works as it should, 'delegated credentials' were born. They amount to shortening certificate lifetimes to a few hours, though not exactly: they use the idea of the ephemeral to attack the problem. What a server does is sign, with the private key of its certificate, small data structures valid for days or hours and hand them to the front-end servers that actually run the TLS handshake with the browser. That is, instead of creating and deploying shorter certificates signed by the intermediate CA, they are reduced to a kind of 'mini-certificate' signed with the leaf certificate's own key.

By signing with the leaf certificate's private key, all the complexity of intermediate and root CAs is left behind. The system hands the delegated credential to the front-end servers and, if the browser supports it, the browser verifies the credential instead of expecting the handshake to be signed with the certificate's key. If the signature on the delegated credential verifies under the leaf certificate (the browser has the leaf's public key), then the public key contained in the delegated credential itself, and not the certificate's, is the one used to verify the TLS handshake.

This is the key: there is a much more dynamic formula for revocation that does not depend on any CA and is very quick to deploy (once a delegated credential expires it is useless to an attacker who stole it, and without the leaf's private key the attacker cannot sign new ones; the draft caps a credential at seven days). In addition, the private key no longer has to sit on every server or intermediate proxy: a single server can issue all the delegated credentials for web servers, load balancers, etc.
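To make the two mechanisms above concrete, the following Go program is an added example (not code from the article, from Apple or from the delegated-credentials specification): it issues a leaf certificate, applies the 398-day/825-day rule as Safari announced it, and then builds and verifies a simplified delegated credential signed with the leaf's private key, including the seven-day cap. The credential structure is a simplification of the real TLS extension (which also binds the signature scheme), and the leaf is self-signed only so that the example runs without a CA; the dates are chosen to sit either side of the 1 September 2020 cutoff:

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/binary"
	"fmt"
	"math/big"
	"time"
)

// Safari's rule: leaves issued on or after 1 September 2020 may be valid for at most
// 398 days; earlier ones keep the CA/B Forum ceiling of 825 days.
var appleCutoff = time.Date(2020, time.September, 1, 0, 0, 0, 0, time.UTC)

// CheckLifetime applies that rule to a parsed leaf certificate.
func CheckLifetime(cert *x509.Certificate) error {
	limit := 825
	if !cert.NotBefore.Before(appleCutoff) {
		limit = 398
	}
	if days := int(cert.NotAfter.Sub(cert.NotBefore).Hours() / 24); days > limit {
		return fmt.Errorf("valid for %d days, above the %d-day limit for a certificate issued on %s",
			days, limit, cert.NotBefore.Format("2006-01-02"))
	}
	return nil
}

// NewLeaf issues a self-signed ECDSA leaf (self-signed only to stay self-contained; a real leaf is CA-signed).
func NewLeaf(notBefore time.Time, days int) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: notBefore, NotAfter: notBefore.AddDate(0, 0, days)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, priv, err
}

// DelegatedCredential is a simplified form of the structure the text describes: the front-end's
// public key plus a short validity, signed with the leaf's private key (the real one also binds the scheme).
type DelegatedCredential struct {
	ValidSeconds uint32 // expiry, in seconds counted from the leaf's NotBefore
	PublicKey    []byte // DER SubjectPublicKeyInfo of the front-end's key
	Signature    []byte // ECDSA over ValidSeconds || PublicKey, made with the leaf key
}

func (dc *DelegatedCredential) signedBytes() []byte {
	buf := make([]byte, 4, 4+len(dc.PublicKey))
	binary.BigEndian.PutUint32(buf, dc.ValidSeconds)
	return append(buf, dc.PublicKey...)
}

// Delegate runs on the one host that holds the leaf private key; a credential lives at most 7 days.
func Delegate(leaf *x509.Certificate, leafKey *ecdsa.PrivateKey, frontPub *ecdsa.PublicKey,
	now, expires time.Time) (*DelegatedCredential, error) {
	if expires.Sub(now) > 7*24*time.Hour || expires.After(leaf.NotAfter) {
		return nil, fmt.Errorf("credential would outlive its 7-day cap or the leaf certificate")
	}
	spki, err := x509.MarshalPKIXPublicKey(frontPub)
	if err != nil {
		return nil, err
	}
	dc := &DelegatedCredential{ValidSeconds: uint32(expires.Sub(leaf.NotBefore) / time.Second), PublicKey: spki}
	digest := sha256.Sum256(dc.signedBytes())
	dc.Signature, err = ecdsa.SignASN1(rand.Reader, leafKey, digest[:])
	return dc, err
}

// VerifyDC is the browser's side: signature under the leaf's public key, then the validity window;
// on success it returns the key that the TLS handshake signature must verify under.
func VerifyDC(leaf *x509.Certificate, dc *DelegatedCredential, now time.Time) (*ecdsa.PublicKey, error) {
	leafPub, ok := leaf.PublicKey.(*ecdsa.PublicKey)
	digest := sha256.Sum256(dc.signedBytes())
	if !ok || !ecdsa.VerifyASN1(leafPub, digest[:], dc.Signature) {
		return nil, fmt.Errorf("credential signature does not verify under the leaf certificate")
	}
	expiry := leaf.NotBefore.Add(time.Duration(dc.ValidSeconds) * time.Second)
	if now.Before(leaf.NotBefore) || now.After(expiry) || now.After(leaf.NotAfter) {
		return nil, fmt.Errorf("credential (or leaf) not valid at this time")
	}
	pub, err := x509.ParsePKIXPublicKey(dc.PublicKey)
	if front, ok := pub.(*ecdsa.PublicKey); err == nil && ok {
		return front, nil
	}
	return nil, fmt.Errorf("delegated key is not a valid ECDSA key")
}

func main() {
	leaf, key, _ := NewLeaf(time.Date(2020, time.October, 1, 0, 0, 0, 0, time.UTC), 399)
	fmt.Println("399-day leaf issued after the cutoff:", CheckLifetime(leaf))
	_, frontKey, _ := NewLeaf(leaf.NotBefore, 1) // the front-end only needs a key pair
	dc, _ := Delegate(leaf, key, &frontKey.PublicKey, leaf.NotBefore, leaf.NotBefore.Add(48*time.Hour))
	_, err := VerifyDC(leaf, dc, leaf.NotBefore.Add(72*time.Hour))
	fmt.Println("credential a day after expiry:", err)
}
```

Note what the browser side checks and what it does not: it needs the leaf's public key (already validated through the normal chain) and the current time, but never talks to a CA, a CRL or an OCSP responder, which is the revocation property the text is after. The front-end's private key is the only secret each edge server holds; if it leaks, the exposure ends when the credential does.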

Let’s Encrypt and Its Large Certificates

Let's Encrypt broke the mould by offering free certificates that can be issued automatically. Its philosophy was to move towards 'HTTPS everywhere' without having to pay for it. Its first certificate was issued in September 2015; by June 2017 it had issued 100 million certificates, and on 27 February it reached a billion.

That is a lot of certificates, a clear success for the project, but also a small problem for other projects such as Certificate Transparency. While Certificate Transparency cannot be used for revocation, it does allow all certificates (fraudulent or not) to be logged and, therefore, makes it easier to detect fraudulent ones and then revoke them by the 'usual' methods.

Certificate Transparency was born with a privacy issue, and its enforcement was delayed for several reasons: implementations that were not finished, headers that were adopted with very little room, RFCs that started out too tight, and so on. Even so, Certificate Transparency is in good health (or at least not as bad as HPKP), but Google has been overly ambitious with the proposal. Bringing together so many actors is complicated, even more so in an environment as critical as TLS security. Moreover, it now faces runaway growth that may strain its infrastructure.

[Figure: Certificate Transparency log growth. Source: sslmate.com]

Some Certificate Transparency logs are close to one billion certificates. To better manage a system meant to cover everything and to be append-only, they ended up sharding logs by year: a certificate goes to the log for the year in which it expires, and a log whose year has passed (normally) stops accepting certificates.

[Figure: Certificate Transparency logs sharded by year. Source: sslmate.com]

But if we take, for example, Google's Argon 2019 log (now almost stable at 850 million certificates for the whole of 2019) and compare it with Argon 2020, the latter already holds 400 million after just two months, almost half the former. At this rate it would reach 2,400 million certificates (if not more), thanks precisely to the growth of Let's Encrypt and the policy of ever shorter certificates.

[Figure: Argon 2019 versus Argon 2020 log sizes. Source: sslmate.com]

How will all this fit into the future TLS ecosystem? We will see it little by little.

Trend Report: Hacktivist CyberThreats Report 2019

ElevenPaths    12 March, 2020

The Hacktivist CyberThreats Report is an analytical report that periodically surveys hacktivist activity in five observation areas: Europe and the United Kingdom, North America, Latin America, MENA/Asia, and Africa. It describes the most significant hacktivist operations and cyberattacks, profiles the hacktivist identities to which those actions are attributed, and analyses the structures, infrastructures, intentions and capabilities of those identities.

The report is intended as a high-level overview, to be complemented by the specialized analysis that can be requested from Telefónica's CyberThreats service on a case-by-case basis.

Hacktivist CyberThreats Report 2019 available here


Why are Hedge Fund managers investing in Big Data?

Olivia Brookhouse    12 March, 2020

The number of hedge funds has grown significantly since 2000, with an estimated 10,000 worldwide managing $1 trillion of global assets. In recent years they have started to incorporate Big Data and machine learning techniques, disrupting traditional financial modelling approaches to gain better market and client insights.

What is Big Data?

Big Data is a term that refers to a large quantity of data that traditional software is not capable of obtaining, managing and processing in a reasonable time. It therefore refers to the ability to work with collections of data that had been impractical before because of their volume, velocity, variety and veracity, known as the 4 V’s. To understand the concept in more detail, check out our datapedia.

How it helps fund management

A hedge fund is an investment pool with a limited number of partners (investors) who contribute regularly, but it is run directly by the hedge fund manager, who sets specific goals for the fund. These goals and investment requirements vary from fund to fund, but the main aim is always to maximise profit and minimise risk, decisions that have always been informed by data and are now being informed by Big Data.

Hedge funds, unlike mutual funds, have a wider range of securities in which they can invest, including traditional stocks, bonds and commodities. With Big Data strategies, hedge funds can now assess potential investments and clients more accurately, thanks to the greater variety of data sources available to them, which can be analysed together. They no longer need to rely on price data alone.

Because some of these data types are so unstructured, earlier processing software could not handle them. Now non-traditional data, ranging from consumer credit card transactions to social media and app data, can help managers understand competitive markets and develop unique investment strategies for their fund. This data is also updated more frequently than traditional data, so models can select stocks and predict future prices with more accuracy.

So how can non-traditional data sources such as social media or User-Generated Content (UGC) help a hedge fund manager?

When people express their emotions and opinions via Tweets, Facebook posts, Instagram stories and blog posts they produce emotional data. Via these platforms we also become consumers of emotional data which influences our own feelings, opinions and consumer habits. Hedge Fund managers will want to know how our consumer habits will directly impact the market and their securities.

What role does Artificial Intelligence play?

Whilst Big Data helps hedge fund managers access new data sources the ability to optimize them to produce insights depends on Big Data’s younger brother, Artificial Intelligence. The ability to review, verify, and implement this unstructured data into an investment process is critical to making the data useful. The incorporation of more advanced methods such as machine learning to find patterns within this data can inform minute by minute decisions. Whilst human analysts are good at what they do, AI is able to process data at a faster pace to free up time for analysts to design investment strategies instead of crunching numbers.

AI can also be used to analyse non-traditional data types using a machine learning technique called natural language processing which can analyse social media posts with quite a high degree of accuracy. However, whilst these data types hold a degree of subjectivity, it is important to keep human analysts in the analysis process to ensure the machine isn’t the only one making the decisions.


What Differential Privacy Is and Why Google and Apple Are Using It with Your Data

Gonzalo Álvarez Marañón    11 March, 2020

In order to customize their products and services and offer ever better features that make them more valuable and useful, companies need to know things about their users. The more they know, the better for them and (allegedly) the better for their users. But of course, much of this information is sensitive or confidential, which represents a serious threat to users' privacy.

So, how can a company know everything about its customers and at the same time not know anything about any particular customer? How can their products provide great features and great privacy at the same time?

The answer to this paradox lies in 'differential privacy': learning as much as possible about a group while learning as little as possible about any individual in it. Differential privacy allows knowledge to be extracted from large data sets with a mathematical guarantee that the result reveals almost nothing about any single individual in the set. Thanks to differential privacy you can get to know your users without violating their privacy. First, let's look at the threat that large data sets pose to privacy.

Neither Anonymization nor Aggregate Queries Ensure Privacy

Imagine that a hospital keeps records of their patients and gives them to a company to make a statistical analysis of them. Of course, they delete personally identifiable information, such as name, surname, ID, address, etc. and only keep patients’ birth date, sex and zip code. What could go wrong?

In 2015, the researcher Latanya Sweeney carried out a re-identification attack on a set of hospital records. Hold on: using nothing but newspaper stories, she was able to personally identify (with names and surnames) 43% of the patients in the anonymized database. In fact, she has claimed that 87% of the US population is uniquely identified by their birth date, gender and zip code.

As you can see, anonymization by simply deleting identifiers fails miserably. In addition, the more anonymized a database is (the more personally identifiable information has been deleted), the less useful it is.
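Before handing an extract like the one in the hospital example to a third party, a data owner can measure the risk Sweeney's result points at: count how many records are unique on the quasi-identifiers (birth date, sex, zip code) and how small the smallest group is (the k of k-anonymity). The following Python is an added example, not code from the original post or from ElevenPaths; the records are constructed for the illustration and correspond to no real people, and the generalization step (coarsening zip codes and birth dates) is one standard way to grow the groups, at the cost of precision.

```python
from collections import Counter

# Constructed "anonymized" hospital extract: names and addresses removed,
# birth date, sex and zip code kept. Invented rows, no real patients.
ANONYMIZED_RECORDS = [
    {"birth_date": "1971-03-14", "sex": "F", "zip": "02138", "diagnosis": "asthma"},
    {"birth_date": "1971-03-14", "sex": "F", "zip": "02138", "diagnosis": "flu"},
    {"birth_date": "1965-11-02", "sex": "M", "zip": "02139", "diagnosis": "diabetes"},
    {"birth_date": "1968-07-30", "sex": "M", "zip": "02138", "diagnosis": "sickle cell anemia"},
    {"birth_date": "1990-01-09", "sex": "F", "zip": "02140", "diagnosis": "hypertension"},
    {"birth_date": "1990-01-09", "sex": "F", "zip": "02140", "diagnosis": "asthma"},
    {"birth_date": "1990-01-09", "sex": "F", "zip": "02140", "diagnosis": "flu"},
]

# The three fields the article names as enough to single out most of the US population.
QUASI_IDENTIFIERS = ("birth_date", "sex", "zip")


def quasi_id(record, fields=QUASI_IDENTIFIERS):
    """The tuple an outsider could match against a voter roll or a newspaper story."""
    return tuple(record[f] for f in fields)


def equivalence_classes(records, fields=QUASI_IDENTIFIERS):
    """How many records share each quasi-identifier combination."""
    return Counter(quasi_id(r, fields) for r in records)


def unique_fraction(records, fields=QUASI_IDENTIFIERS):
    """Share of records that are the only one with their combination: directly re-identifiable."""
    sizes = equivalence_classes(records, fields)
    unique = sum(1 for r in records if sizes[quasi_id(r, fields)] == 1)
    return unique / len(records)


def k_anonymity(records, fields=QUASI_IDENTIFIERS):
    """Size of the smallest group; every record hides among at least k-1 others."""
    return min(equivalence_classes(records, fields).values())


def generalize(record, zip_digits=3, date_chars=3):
    """Coarsen the quasi-identifiers: 02138 -> 021**, 1965-11-02 -> 196*.

    Less precise data, but larger groups (the accuracy/privacy trade-off the text describes).
    """
    z, d = record["zip"], record["birth_date"]
    return {
        **record,
        "zip": z[:zip_digits] + "*" * (len(z) - zip_digits),
        "birth_date": d[:date_chars] + "*",
    }


def release_report(records):
    """Summary a data owner would check before handing the extract to a third party."""
    return {
        "records": len(records),
        "unique_fraction": unique_fraction(records),
        "k": k_anonymity(records),
    }


if __name__ == "__main__":
    print("raw extract:         ", release_report(ANONYMIZED_RECORDS))
    coarse = [generalize(r) for r in ANONYMIZED_RECORDS]
    print("after generalization:", release_report(coarse))
```

On the constructed rows, two of the seven records are unique on the raw quasi-identifiers (k = 1), so they are directly linkable; after coarsening birth dates to the decade and zip codes to three digits, no record is unique and k becomes 2. Real extracts need the same check with a much larger k target, and the article's point stands: the more you coarsen, the less useful the data becomes.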

And what if only queries over large volumes of data, and never over specific individuals, were allowed? The ‘distinguishing attack’ covers this case. Imagine it is known that Mr. X appears in a given medical database. We launch the following two queries: ‘How many people suffer from sickle cell anemia?’ and ‘How many people other than Mr. X suffer from sickle cell anemia?’ Taken together, the answers to the two queries reveal whether Mr. X has sickle cell anemia.

According to the Fundamental Law of Information Recovery:

Overly accurate answers to too many questions will destroy privacy in a spectacular way.

And do not think that banning this pair of questions prevents distinguishing attacks, since the mere fact of rejecting a query is itself an information leak. Something more is required to ensure privacy while still being able to do something useful with databases. There are different proposals for achieving differential privacy. Let’s start with a very simple technique that psychologists have been using for over 50 years.

Do You Want Privacy? Add Noise

Imagine that I want to get the answer to an embarrassing question: have you ever scarfed a can of dog food? As it is a delicate matter, I propose answering as follows:

  1. Flip a fair coin.
  2. If it’s heads, flip the coin again and, whatever you get, tell the truth.
  3. If it’s tails, flip it again and say ‘yes’ if it’s heads and ‘no’ if it’s tails.

Now your confidentiality is safe, because no one can know whether you answered truthfully or gave a random result. Thanks to this randomization mechanism you have plausible deniability: even if your answer is seen, you can deny it and no one can prove otherwise. If you are wondering why the coin is flipped a second time in the heads case, even though that result is ignored, it is to protect you when someone may be watching you flip: the observer sees two flips either way and cannot tell which branch you are in.

And what about the accuracy of the study? Is it still useful with all that random data mixed in? It is. Since the statistical distribution of coin flips is perfectly known, its contribution can be subtracted from the results without any problem.

Be careful! Math! Don’t keep reading if you can’t stand equations. A quarter of the people who do not eat their dog’s food will answer ‘yes’, and so will three quarters of those who do. Therefore, if p is the proportion of people who scarf cans of dog food, we expect a fraction (1/4)(1-p)+(3/4)p of positive responses. Consequently, p can be estimated from the observed fraction. And the more people are asked, the closer the estimated value of p will be to the real value.
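The two-coin protocol and the estimator above, as an added Python example (not code from the original post or from Google’s RAPPOR). It inverts the expected ‘yes’ fraction y = 1/4 + p/2 to get p = 2y − 1/2, simulates a constructed population with a known prevalence to show the estimate converging as more people are asked, and computes the privacy loss of a single answer; the function names and the population are assumptions of the example.

```python
import math
import random


def randomized_answer(truth, first_heads, second_heads):
    """One respondent's reply under the two-coin protocol described above.

    truth        -- the respondent's real answer (True means 'yes')
    first_heads  -- outcome of the first flip
    second_heads -- outcome of the second flip; ignored when the first flip was
                    heads, but flipped anyway so an onlooker sees two flips either way
    """
    if first_heads:
        return truth          # heads: answer truthfully
    return second_heads       # tails: answer 'yes' on heads, 'no' on tails


def simulate_survey(true_answers, rng):
    """Apply the protocol to every respondent with a fair coin drawn from rng."""
    return [randomized_answer(t, rng.random() < 0.5, rng.random() < 0.5)
            for t in true_answers]


def estimate_prevalence(responses):
    """Invert the expected 'yes' fraction y = (1/4)(1 - p) + (3/4)p = 1/4 + p/2.

    Hence p = 2y - 1/2. Sampling noise can push the raw estimate slightly
    outside [0, 1], so the result is clamped to that range.
    """
    y = sum(1 for r in responses if r) / len(responses)
    return max(0.0, min(1.0, 2 * y - 0.5))


def per_answer_epsilon():
    """Privacy loss of a single answer: a truthful 'yes' and a truthful 'no'
    produce the same reply with probabilities 3/4 and 1/4, a likelihood ratio
    of 3, so the mechanism is ln(3)-differentially private."""
    return math.log((3 / 4) / (1 / 4))


def run_study(true_prevalence, respondents, seed):
    """Constructed population with exactly the given prevalence; returns the estimate."""
    positives = round(true_prevalence * respondents)
    population = [i < positives for i in range(respondents)]
    responses = simulate_survey(population, random.Random(seed))
    return estimate_prevalence(responses)


if __name__ == "__main__":
    for n in (100, 1_000, 20_000):
        print(f"{n:>6} respondents: true p = 0.20, "
              f"estimated p = {run_study(0.20, n, seed=7):.3f}")
    print(f"privacy loss per answer: epsilon = ln 3 = {per_answer_epsilon():.3f}")
```

The estimate is unbiased but noisier than a direct survey: because only half the answers carry signal and the estimator doubles the deviation of y, the standard error is roughly twice that of asking the question directly, which is the accuracy price the next sections discuss.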

As it happens, this idea (with some additional complications) was adopted by Google in 2014 for its RAPPOR (Randomized Aggregatable Privacy-Preserving Ordinal Response) project. According to Google, “RAPPOR provides a new and modern way to learn software statistics that we can use to better safeguard the safety of our users, find errors and improve the overall user experience”.

Of course, while protecting users’ privacy. Or so they say. The good point is that you can examine the RAPPOR code on your own to verify it.

Differential Privacy Beyond Randomized Responses

Randomized response is a simplified way to achieve differential privacy. More powerful algorithms use the Laplace distribution to spread noise across all the data and thus raise the level of privacy. There are many others, collected in the freely downloadable book The Algorithmic Foundations of Differential Privacy. What all of them have in common is the need to introduce randomness in one way or another, typically measured by a parameter ε, which can be made as small as desired.

The smaller ε, the greater the privacy of the analysis and the lower the accuracy of the results: the more information you try to extract from your database, the more noise you need to inject in order to limit the privacy leakage. You therefore inevitably face a fundamental trade-off between accuracy and privacy, which can be a big issue when complex Machine Learning models are being trained.

And what is even worse: no matter how small ε is, every query leaks some information, and with each new query the accumulated leak grows. Once you cross the privacy threshold you preset, you cannot go on without leaking personal information. At that point, the best solution may be to simply destroy the database and start over, which seems hardly feasible. Therefore, the price of privacy is that the result of a differentially private analysis will never be exact, but an approximation with an expiration date. You cannot have it all!
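The distinguishing attack from the earlier section and the budget argument above, as an added Python example (not code from the original post or from ElevenPaths). It runs the two exact counting queries against a constructed toy table to show how their subtraction singles out one person, then answers the same queries through a Laplace mechanism with sensitivity 1 and a preset total ε that is consumed by sequential composition, refusing further queries once the budget is spent; the table, the `PrivateCounter` class and the budget values are assumptions of the example.

```python
import math
import random

# Constructed toy medical table: (patient, suffers from sickle cell anemia).
# Invented rows for this example; no real patients.
PATIENTS = [
    ("Mr. X", True), ("Alice", False), ("Bob", True), ("Carol", False),
    ("Dave", False), ("Eve", True), ("Frank", False), ("Grace", False),
]


def exact_count(rows, predicate):
    return sum(1 for r in rows if predicate(r))


def distinguishing_attack_exact(rows, target):
    """The two exact queries from the text, subtracted: 1 if the target is sick, 0 if not."""
    everyone = exact_count(rows, lambda r: r[1])
    everyone_but_target = exact_count(rows, lambda r: r[1] and r[0] != target)
    return everyone - everyone_but_target


def laplace_sample(scale, rng):
    """Draw from Laplace(0, scale) by inverse CDF, using only the standard library."""
    u = rng.random() - 0.5                  # uniform on [-0.5, 0.5)
    u = max(u, -0.5 + 1e-15)                # avoid log(0) at the boundary
    return -scale * math.copysign(1.0, u) * math.log(1 - 2 * abs(u))


def laplace_samples(scale, n, seed):
    """n independent draws from a seeded generator (used to sanity-check the sampler)."""
    rng = random.Random(seed)
    return [laplace_sample(scale, rng) for _ in range(n)]


def laplace_scale(sensitivity, epsilon):
    """Noise scale of the Laplace mechanism: sensitivity / epsilon."""
    return sensitivity / epsilon


class BudgetExceeded(Exception):
    """Raised when a query would push the analyst past the preset privacy threshold."""


class PrivateCounter:
    """Answers counting queries with Laplace noise and keeps a running epsilon budget.

    A counting query has sensitivity 1: adding or removing one person changes the
    answer by at most 1. Under sequential composition the epsilons of all answered
    queries add up, which is the "every query leaks" effect the text describes.
    """

    def __init__(self, rows, total_epsilon, seed=None):
        self.rows = rows
        self.remaining = total_epsilon
        self.rng = random.Random(seed)

    def count(self, predicate, epsilon):
        # The refusal depends only on the budget, never on the data, so unlike the
        # query ban discussed earlier it reveals nothing about any individual.
        if epsilon > self.remaining:
            raise BudgetExceeded(f"epsilon {epsilon} requested, {self.remaining} left")
        self.remaining -= epsilon
        noise = laplace_sample(laplace_scale(1, epsilon), self.rng)
        return exact_count(self.rows, predicate) + noise


if __name__ == "__main__":
    print("exact queries reveal Mr. X:", distinguishing_attack_exact(PATIENTS, "Mr. X"))
    db = PrivateCounter(PATIENTS, total_epsilon=1.0, seed=2020)
    a = db.count(lambda r: r[1], epsilon=0.5)
    b = db.count(lambda r: r[1] and r[0] != "Mr. X", epsilon=0.5)
    print(f"noisy answers: {a:.2f} - {b:.2f} = {a - b:.2f} (no longer a clean 0 or 1)")
    try:
        db.count(lambda r: r[1], epsilon=0.1)
    except BudgetExceeded as e:
        print("third query refused:", e)
```

With ε = 0.5 per query the noise scale is 2, so each answer is typically off by a couple of patients and the difference between the two answers no longer tells you anything reliable about Mr. X; with a larger table the same noise barely disturbs the aggregate, which is exactly the group-versus-individual asymmetry differential privacy is built on.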

Or maybe you can? Fully homomorphic encryption and secure multi-party computation allow 100% private and 100% accurate analysis. Unfortunately, these techniques are currently too inefficient for real applications of the magnitude of Google’s or Apple’s.

Too Pretty to Be True: Where Is the Trick?

Since Apple announced in 2016 that iOS 10 would include differential privacy, the concept has moved from cryptographers’ whiteboards to users’ pockets. Unlike Google, Apple has not released its code, so it cannot be known exactly what type of algorithm it uses or whether it is used with real guarantees.

In any case, it seems a positive sign that giants like Google and Apple take steps, even if shy, in the right direction. Thanks to cryptography, you have at your fingertips resources to know your users and at the same time safeguard their privacy. Let us hope that the use of these algorithms will become popular and other giants, such as Amazon or Facebook, will also start to implement them.

Cybersecurity and Business: ElevenPaths at the RSA Conference 2020

ElevenPaths    9 March, 2020

We are back from the RSA Conference 2020, the year in which the ‘humanization of technology’ became the standard within the sector. We already anticipated it last year with our commitment under the motto #HumanizingSecurity. During this edition, the conference organization itself highlighted the presence of the human element in the management of company security.

The conference, held in San Francisco from 24 to 27 February 2020, coincided with the alert caused by the now famous virus known as Covid-19, which led to the cancellation of various events on those same dates. However, the situation was not a problem for the RSA Conference organization, and the great annual cybersecurity conference went ahead as normal despite the withdrawal of some large companies such as IBM, AT&T and Verizon. According to data collected by the organization, this exceptional situation only marginally affected attendance and the holding of the event.

Participation of Telefónica

Telefónica was not affected by this situation either: we took part for the fourth consecutive time in the XXIX edition of this great world event in the security sector.

Having such varied profiles concentrated in a single place for a week encouraged Telefónica to send a multidisciplinary team that was present all week: from those responsible for the global area of ElevenPaths (Go to Market, Product, Go to Customer, Alliances, CEO’s Office and Marketing and Communication, among others) to the security managers of the group’s main OBs (Spain, Brazil, UK, France, Chile, Mexico and Argentina), the product, sales and marketing managers of Telefónica USA and managers from in-house security areas. In addition, as a differentiating point compared to previous years, two key members of Telefónica’s management structure (José Cerdán and Antonio Marti, CEO and COO of Telefónica Tech respectively) were present to support us.

Learn More about ElevenPaths’ Proposal

Let’s start with the stand, this year renewed with the colors of the new brand identity of ElevenPaths, Telefónica’s Cybersecurity Unit. This new identity guided the design of all the pieces.

RSA Conference: Booth South #1459 Moscone Center

The stand constituted the ideal meeting point to build new relationships and strengthen the existing ones with clients, strategic partners and vendors as well as with analysts of all nationalities. Moreover, all conference attendees who visited us could enjoy the sessions prepared by the product and alliances managers of the ElevenPaths team, companies shared by Telefónica and security startups promoted by Wayra, which presented their security proposals.

As we mentioned, one of the main topics of the conference was the inclusion of the human element, and our strategy is fully aligned with this concept. It is no coincidence that once again we highlight our commitment to humanizing security, aiming for a security that goes far beyond technology. As an Intelligent Managed Security Service Provider (iMSSP), our technologies are enhanced by the people who manage them, who are at your disposal whenever you need us: There when you need us.

Vicente Segura during his talk about IoT Security

Among the main sessions, one of the most outstanding was the one given by Vicente Segura, Head of IoT and OT at Telefónica. During his talk, he presented the different security projects we are working on for the growing Internet of Things market. This talk and the rest of the sessions coincided with several of the main topics discussed at the conference, given that for the first time the general agenda of plenary sessions included topics on the convergence of IT and OT security, as well as sessions focused on products and open source tools (user interface design, artificial intelligence, privacy and security operations centers).

Another session that raised great expectations was ‘Coronavirus: From health and beyond’, where our colleague Helene Aguirre from the Global Area of ElevenPaths presented an analysis of the conversation generated on social networks around the well-known virus. To this end, she used the Aldara tool (managed by the cyberthreat service, VERO) to analyze how the conversation about the virus behaved from the first day it was announced, and she described the different communities that have formed since then.

Furthermore, from a business point of view, we must highlight the progress made with local and worldwide clients, particularly European ones. We had the opportunity to present in detail the full offer and global reach of our services, the technological advances we are implementing and the challenges we will face in the very near future. Learning about their concerns in detail and in such an environment has strengthened our positioning as consultants, since it has been possible to share synergies and build closer ties with vendors that meet their needs.

To sum up, our experience in San Francisco had a threefold effect:

  1. Holding a large number of meetings with key players in the sector, from customers and vendors to analysts, strengthening and enhancing our relationships.
  2. Positioning ourselves as strategic security consultants by offering our intelligent managed security services (iMSSP).
  3. Sharing synergies with security partners from different countries with the aim of joining forces for the company’s next challenges.

In short, a great experience that year after year helps us to continue moving up in this growing sector. We are already preparing our participation for next year, so we hope to see you there. See you next time!