ElevenPaths Cybersecurity Weekly Briefing July 4-10 RCE Vulnerability in F5’s BIG-IP (CVE-2020-5902) Last Wednesday a new critical Remote Code Execution vulnerability (CVE-2020-5902 CVSSv3 10) was published for F5’s Traffic Management User Interface (TMUI). This vulnerability allows...
ElevenPaths ElevenPaths Radio English #1 – Skills of a Cybersecurity Professional In this first episode, our CSA Deepak Daswani discusses what a true cybersecurity professional must have to be valuable to companies.
ElevenPaths Keys to Implementing a 360 Corporate Digital Identity We analyze the identity management issues and the characteristics that a comprehensive solution of this kind must have in all organizations.
ElevenPaths #CyberSecurityPulse: The Transparent Resolution of Vulnerabilities Is Everyone’s Business The new year has started with a story that has taken the covers of specialized and generalist media all around the world. The vulnerabilities named as Meltdown and Spectre...
ElevenPaths Cybersecurity Weekly Briefing July 4-10 RCE Vulnerability in F5’s BIG-IP (CVE-2020-5902) Last Wednesday a new critical Remote Code Execution vulnerability (CVE-2020-5902 CVSSv3 10) was published for F5’s Traffic Management User Interface (TMUI). This vulnerability allows...
ElevenPaths ElevenPaths Radio English #1 – Skills of a Cybersecurity Professional In this first episode, our CSA Deepak Daswani discusses what a true cybersecurity professional must have to be valuable to companies.
ElevenPaths New tool: “Web browsers HSTS entries eraser”, our Metasploit post exploitation module This module deletes the HSTS/HPKP database of the main browsers: Chrome, Firefox, Opera, Safari and wget in Windows, Mac and Linux. This allows an attacker to perform man in...
ElevenPaths #CyberSecurityPulse: Biggest-Ever DDoS Attack Hits Github Website At the end of 2016, a DDoS attack on DynDNS blocked major Internet sites such as Twitter, Spotify and PayPal. The Mirai botnet was used to take advantage of...
ElevenPaths Cybersecurity Weekly Briefing July 4-10 RCE Vulnerability in F5’s BIG-IP (CVE-2020-5902) Last Wednesday a new critical Remote Code Execution vulnerability (CVE-2020-5902 CVSSv3 10) was published for F5’s Traffic Management User Interface (TMUI). This vulnerability allows...
Diego Samuel Espitia How to Protect Yourself from Pandemic Cyberattacks Using Free Tools Find out which free tools you can use to protect your computer from common cyberthreats and how to configure them correctly.
Gonzalo Álvarez Marañón Top 10 TED Talks to Learn about Cybersecurity Discover the top 10 talks to learn about cybersecurity and, at the same time, some ways to improve your own presentations.
ElevenPaths How to forecast the future and reduce uncertainty thanks to Bayesian inference (I) Imagine that you come back home from San Francisco, just arrived from the RSA Conference. You are unpacking your suitcase, open the drawer where you store your underwear and…...
The Pharmaceutical Retail Industry and Their Mobile ApplicationsCarlos Ávila 21 May, 2020 The pharmaceutical retail industry has been forced to act much faster in this race of the so-called “digital transformation” due to the global pandemic that society is currently going through. Therefore, pharmaceutical companies have had to use applications already deployed or they have had to deploy applications quickly. These applications are the same ones that move their business to manage prescriptions and orders for drugs, discounts, etc. and that make the use of their services attractive to customers in this period of high demand for drugs. On the other hand, many governments around the world established the mandatory quarantine, which led people make greater use of digital media for the purchase of medicines, food, and other products. As a result, mobile applications and the infrastructure supporting them play a key role today and are likely to be introduced into our daily lives more than ever before. What Are the Implications of This? All the data generated through the customers are managed by your mobile device and the technological infrastructure (in-house or third-party) of the pharmaceutical companies. As you might expect, these applications could have vulnerabilities and pose a risk to customer data. Many of these applications have direct communication with company devices and systems running internal processes, creating an additional attack vector for cybercriminals seeking this type of information. Image 1: Description and functionalities of pharmaceutical applications For this analysis, we have selected the latest version of 29 applications (iOS/Android) from pharmaceutical companies where the user can access various services. These include, mainly, online purchase of drugs and management of medical prescriptions. The applications were randomly selected from pharmaceutical companies in South America, Spain, and the United States. Within this set of application samples, we focused on analysing only the mobile application. Although weaknesses were discovered on the server side (backend), these were not included. For this analysis, we employed an Android device (rooted), an iPhone 5S (no jailbreak) and our platforms mASAPP (continuous security analysis of mobile applications) and Tacyt (mobile threat cyberintelligence tool). Analysis Results The OWASP Top 10 Mobile Security Controls performed general tests. These are only an overview of the number of tests that could be done on these mobile applications in a comprehensive manner. In our case, the results showed that, although security controls were implemented for the development of these types of applications, several weaknesses to be fixed were found and, above all, maintain continuous improvement in the development process. The vulnerabilities found according to the controls evaluated are in the following summary matrix: General summary of analysed control results(-) Feature applicable only on Android platforms Firstly, we wish to highlight several weaknesses that we found in easily-readable structures such as XML, API Keys, or configuration files. This denotes insecure local storage. Image 2: Certificate/Key Hardcoded files Image 3: Readable API Keys Hardcoded Files While a large number of these applications establish secure communication channels (HTTPS) with their backends, some unencrypted HTTP channels are still working, as showed in our results box. We also found applications that do not verify the authenticity of their certificates or self-signed certificates. This shows that security needs to be improved in this regard. Image 4: Use of Self-Signed Certificates Also, among other unsecure application programming practices, we noted the lack of code obfuscation features (depersonalization) to make the reversing process harder in almost all Android applications. Image 5: Review of java classes after reversing process Image 6: Documentation and technical comments in detail A not-insignificant fact in this analysis is that 5 of the applications were found by Tacyt on unofficial markets. In many cases they were deployed by users who did not necessarily own the application (we do not know for what purpose). Image 7: Sample of an application found on other unofficial markets Conclusions We believe that these findings are a further contribution to the progress towards enhanced security and hope that they will help application developers from the pharmaceutical sector. In this global health crisis, there have been many other cases where industries have had to transform abruptly many of their traditional services into digital services, with all the IT risks that this entails. Managing the security and privacy of the user data of pharmaceutical applications is essential since these store private data of our health. It is important for companies within this sector to be aware that their customer data is exposed to computer risks and that, by performing appropriate controls and continuous evaluations, they should protect it −also keeping their technological infrastructure safe from potential cyberthreats. Business Continuity Plan: From Paper to ActionBestiary of a Poorly Managed Memory (IV)
ElevenPaths Cybersecurity Weekly Briefing July 4-10 RCE Vulnerability in F5’s BIG-IP (CVE-2020-5902) Last Wednesday a new critical Remote Code Execution vulnerability (CVE-2020-5902 CVSSv3 10) was published for F5’s Traffic Management User Interface (TMUI). This vulnerability allows...
Diego Samuel Espitia How to Protect Yourself from Pandemic Cyberattacks Using Free Tools Find out which free tools you can use to protect your computer from common cyberthreats and how to configure them correctly.
ElevenPaths ElevenPaths Radio English #1 – Skills of a Cybersecurity Professional In this first episode, our CSA Deepak Daswani discusses what a true cybersecurity professional must have to be valuable to companies.
Franco Piergallini Guida Adversarial Attacks: The Enemy of Artificial Intelligence What happens when the data used by artificial intelligence to predict behaviour is manipulated? Is this an attack vector?
ElevenPaths Telefónica Invests in Nozomi Networks, a Leading Company in OT and IoT Security The investment reinforces an earlier joint services agreement with Nozomi Networks and ElevenPaths, Telefónica Tech’s cybersecurity company
Sergio De Los Santos OpenPGP: Desperately Seeking Kristian Open Source applications run on a server system that has never worked properly. Why does this happen?
