Social engineering is more active than ever
Florence Broderick, 22 April 2016

The fact that social engineering has been the easiest method used by scammers is not new. What we are going to describe in this blog post today has been mentioned in some relevant security reviews and newspapers, but at ElevenPaths we are still surprised at how easily this is happening.

A few months ago, our customers in the Middle East asked us how to overcome the so-called C-level scam (or Business E-mail Scams, as baptised by the FBI, also known as the "Fake President" fraud).

For the most basic scam, the "bad guy" needs to know the following information:

1. Whether a company (let's call it acme.com) is going through a merger or has in mind acquiring a company (information obtained from the news, Twitter comments, general gossip...). Let's call this company Muntaleyxp.
2. C-level members and associated domains of the company (not mandatory). Let's assume miky.wunderbalr@acme.com.
3. Financial controllers or people below C-level in the company. This information can be gathered through LinkedIn, for example. Let's assume tom.xly@acme.com.
4. If the merger or acquisition process is done through a third company, one of the most relevant people in that company (let's call it Kmiop). Let's assume dan.panly@kmiop.com.

With this information, the scam occurs as described below:

1. If the scammer has accessed Miky's email account, through a Trojan for example, it is even easier. But let's assume this is not the case.
2. If the domain of the company has a letter that can be tricked, such as an "l" or an "m", then a new domain is registered and used to send the main email. If not, a Gmail account can be used. For example: miky.wunderbalr@acne.com or miky.wunderbalr@gmail.com.
3. The email is sent to tom.xly@acme.com with dan.panly@kmiop.com in CC (it can even be the real domain, but ensuring Dan does not receive the email [misspell it], so that he does not trigger the alarm, and hoping Tom will not contact Dan).

Many variants can be used to perform the scam (such as Dan also being part of the scam [this time the address is not misspelled] and providing the bank account details), but the general idea is there. The receiver (Tom) may be so surprised by such a message that he acts and makes the transfer!

From ElevenPaths we have five suggestions to overcome this problem:

1. The easiest and most obvious one: pick up the phone and ask the C-level executive about his/her e-mail.
2. A technical one, with its limitations: try to set up incoming email rules covering as many misspelling options of C-level executive names and surnames (with any associated domain) as possible, and block them. For the C-level executive Miky Wunderbalr (authorised e-mail: miky.wunderbalr@acme.com), these would include niky.wunderbalr, miky.wunderba1r, miky_wunderbalr, miky-wunderbalr and wunderbalr.niky. Combine this with an e-mail filtering system against identity theft in the company (acme), properly configured with its associated SPF, DKIM and DMARC records.
3. A second technical option, related to a second/simultaneous authentication factor: our Latch product provides the same concept we used to watch in Hollywood movies such as Crimson Tide (with Denzel Washington and Gene Hackman), where two keys held by different people are needed to launch a missile. If we assume "the missile" is the bank transfer itself, then Tom can authorise the transfer, and Miky, with his latched account active, is also required to complete it. Miky will ensure that his latched account is never active during "strange" hours.
4. The costly one: have a "powerful" cybersecurity insurance policy covering social engineering attacks.
5. Any C-level manager should avoid sharing news about possible company mergers or acquisitions.

Just remember: the weakest link is always us!

sebastian.garcia@11paths.com
pablo.alarcon@11paths.com
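The misspelling-based incoming mail rule from suggestion 2 above, written out as an added example (not ElevenPaths code): it folds the confusable characters and separator variants the post lists, compares each sender's local part and domain against a constructed list of protected executives and authorised domains, and returns a verdict per From: header. It goes slightly beyond the post by also folding 0/o and vv/w; the executive, the domains and the sample headers are assumed values taken from the post's fictional scenario.

```python
import re

# Constructed inventory (assumed values, not a real directory): protected executives and their domains.
PROTECTED_EXECUTIVES = {"miky.wunderbalr@acme.com"}
AUTHORISED_DOMAINS = {"acme.com"}

# Lookalike substitutions, applied to both sides of every comparison (inputs are lower-case).
FOLDS = [("rn", "m"), ("n", "m"), ("1", "l"), ("0", "o"), ("vv", "w")]

def fold(text):
    for src, dst in FOLDS:
        text = text.replace(src, dst)
    return text

def canonical_local(local):
    # Separator swaps (miky_wunderbalr) and reordering (wunderbalr.niky): split, fold each token, sort.
    return tuple(sorted(fold(t) for t in re.split(r"[._-]+", local) if t))

def canonical_domain(domain):
    name, _, tld = domain.rpartition(".")
    return fold(name) + "." + tld

def classify_sender(address):
    """Verdict for one sender address: 'authorised', 'ok', 'malformed' or a 'block: ...' reason."""
    address = address.strip().lower()
    local, _, domain = address.rpartition("@")
    if not local or not domain:
        return "malformed"
    if address in PROTECTED_EXECUTIVES:
        return "authorised"
    if domain not in AUTHORISED_DOMAINS and any(
            canonical_domain(d) == canonical_domain(domain) for d in AUTHORISED_DOMAINS):
        return "block: lookalike domain"  # e.g. acne.com standing in for acme.com
    if any(canonical_local(e.rpartition("@")[0]) == canonical_local(local)
           for e in PROTECTED_EXECUTIVES):
        if domain in AUTHORISED_DOMAINS:
            return "block: lookalike executive address on own domain"  # e.g. niky.wunderbalr@acme.com
        return "block: executive name on external domain"  # e.g. miky.wunderbalr@gmail.com
    return "ok"

def scan_from_headers(lines):
    """Extract the address from each 'From: Name <addr>' or 'From: addr' line and classify it."""
    addrs = [m.group(1) or m.group(2) for m in
             (re.search(r"<([^>]+)>|From:\s*(\S+@\S+)", line) for line in lines) if m]
    return [(a.lower(), classify_sender(a)) for a in addrs]

# Constructed sample headers following the scenario in the post.
SAMPLE_HEADERS = ["From: Miky Wunderbalr <miky.wunderbalr@acme.com>",
                  "From: Miky Wunderbalr <miky.wunderbalr@acne.com>",
                  "From: niky.wunderbalr@acme.com"]
```

A rule like this belongs in front of, not instead of, SPF/DKIM/DMARC checks: it catches lookalike identities that pass authentication because the scammer controls the lookalike domain.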