ElevenPaths Cybersecurity Weekly Briefing October 17-23 New banking trojan called Vizom IBM Security Trusteer’s research team has published a report analysing the new “Brazilian family” banking Trojan called Vizom. This malicious software uses similar techniques to...
ElevenPaths ElevenPaths approaches the cyber security paradigm shift and the new era’ s digital transformation in the SID 2020 Telefónica Tech’s cyber security company is holding its 8th Security Innovation Days, this time in a virtual format and extending from one to three half-days, on October 20th, 21st...
ElevenPaths How are we preparing ourselves for the RSA Conference 2018? 2018 is a unique year for us. We continue on our journey with the great security community to jointly combat the threats faced by our sector. At ElevenPaths, Telefónica’s...
Diego Samuel Espitia Business Continuity Plan: From Paper to Action How many Business Continuity Plans considered a global pandemic among the possible causes of business blockage?
ElevenPaths Cybersecurity Weekly Briefing October 17-23 New banking trojan called Vizom IBM Security Trusteer’s research team has published a report analysing the new “Brazilian family” banking Trojan called Vizom. This malicious software uses similar techniques to...
Gonzalo Álvarez Marañón Encryption That Preserves The Format To Ensure The Privacy Of Financial And Personal Data Your personal information swarms through thousands of databases of public and private organizations. How do you protect its confidentiality so that it does not fall into the wrong hands?...
ElevenPaths How to forecast the future and reduce uncertainty thanks to Bayesian inference (I) Imagine that you come back home from San Francisco, just arrived from the RSA Conference. You are unpacking your suitcase, open the drawer where you store your underwear and…...
ElevenPaths Expanding Neto capabilities: how to develop new analysis plugins In previous posts we have introduced Neto as a browser extension analyzer. The first version we released, 0.5.x included a CLI, a JSON-RPC interface and could be used directly...
ElevenPaths Cybersecurity Weekly Briefing October 17-23 New banking trojan called Vizom IBM Security Trusteer’s research team has published a report analysing the new “Brazilian family” banking Trojan called Vizom. This malicious software uses similar techniques to...
Gonzalo Álvarez Marañón Encryption That Preserves The Format To Ensure The Privacy Of Financial And Personal Data Your personal information swarms through thousands of databases of public and private organizations. How do you protect its confidentiality so that it does not fall into the wrong hands?...
Gonzalo Álvarez Marañón Encryption That Preserves The Format To Ensure The Privacy Of Financial And Personal Data Your personal information swarms through thousands of databases of public and private organizations. How do you protect its confidentiality so that it does not fall into the wrong hands?...
Diego Samuel Espitia TypoSquatting: Using Your Brain to Trick You Our brain capacity is outstanding but it also creates some cybersecurity risks. Discover why in this post.
Zoom Seeks to Be More Secure and Purchases KeybaseGonzalo Álvarez Marañón 26 May, 2020 The confinement declared as an exceptional measure to stop the spread of the COVID-19 has forced millions of people in businesses, schools and households to interact virtually. Pushed to use group video calling apps for work, classes, or simply to be in touch with family and friends; users were faced with the daunting challenge of choosing which app to use. Typically, the prevailing criterion for choosing one has been popularity or free −without considering security or privacy. After all, if it’s free and “everyone uses it”, why bother? For better or worse, the most popular app among the public turned out to be Zoom. Weeks after the beginning of the quarantine, it is still at the top of the list of the most downloaded free apps for both iOS and Android, with the fabulous figure of 300 million daily users. As it is well known, the more popular a program or application becomes, the more it attracts cybercriminals. Perhaps even Zoom itself couldn’t imagine its overwhelming success, or maybe they didn’t take security seriously from the beginning, but the truth is that they didn’t come prepared. The Three Big Blows to Zoom Security Among the many security and privacy issues and scandals, three were particularly significant: Zoombombing: This attack consists of breaking into a Zoom room and sharing the screen while showing images of extreme violence, pornography or any other form of trolling. Zoombombing became popular in schools and universities, forcing teachers to suspend classes. Many education institutions went so far as to ban Zoom replacing it with other applications. Zoom learned its hard lesson and implemented numerous measures to combat zoombombing: mandatory passwords, session blocking, removing of participants, restricted screen sharing and chat operation, more visible security icon, etc. They also published a guide called Best Practices for Securing Your Virtual Classroom.Data sharing with Facebook: Like many other apps, Zoom on iOS uses a Facebook SDK to allow its users to log in through their Facebook account. This is called social login. This SDK collects some data about users, such as the device model, app version, or telephone operator. Then it sends such data to Facebook servers, even if they do not have a Facebook account and therefore do not use it to log in. It is not known how Facebook uses this information, but in response to numerous complaints, Zoom removed the Facebook SDK completely.False claims about secure end-to-end encryption: Zoom claimed on their website to be using end-to-end encryption on their connections. But it turned out that they were actually using TLS encryption to encrypt communications between clients and servers, which means that Zoom’s servers have access to all video calls. The company had no choice but to retract its statement: “In light of recent interest in our encryption practices, we want to start by apologizing for the confusion we have caused by incorrectly suggesting that Zoom meetings were capable of using end-to-end encryption”. 90-day Security Plan With the aim of restoring their image and user base, on April 1st Zoom surprised with a 90-day security plan. As part of this plan, on April 8 Zoom created a security board including some very prominent CISOs. On the same day, they hired Stanford’s well-known cybersecurity expert Alex Stamos, a former CISO of Facebook, as a security advisor to review the platform. On April 27th, Zoom 5.0 was released, with support for AES 256-bit GCM encryption. But (and this is a huge “but”) the encryption keys for each meeting are generated by Zoom servers. In other words, a cybercriminal can’t spy on a conversation between two users but Zoom would if they wanted to. In contrast, other services such as Facetime, Signal or WhatsApp do use true end-to-end encryption: no one but the two users at either end of the communication can view their content because they generate the encryption keys themselves. As a result, neither the cybercriminals nor the service provider’s servers can spy on the conversations. Without end-to-end encryption, Zoom could be forced to turn over meeting records to a government in response to legal requests. These requests are made all the time around the world. In fact, companies such as Apple, Google, Facebook and Microsoft publish transparency reports detailing how many user data requests they receive, from which countries and how many of them they grant. However, Zoom does not publish such transparency reports. The Keybase End-to-end Encryption That Zoom Seeks for Its Video Calls On paper, end-to-end encryption seems simple: Clients generate the temporary session keys and exchange them with the recipient’s public key. Unfortunately, generating and managing all these keys to provide scalable end-to-end encryption for high-quality video calls with dozens of participants and over 300 million users connecting daily to your servers is a huge technological challenge. That’s why Zoom turned to Keybase. On 7 May, they bought the messaging and file transfer company with end-to-end cryptographic protection Keybase.io, and they paid an undisclosed amount. Thanks to this help, Zoom aims to provide an end-to-end encrypted meeting mode. However, this is only for payed accounts. Furthermore, as they state: They will continue to work with users to improve the feedback mechanisms available to meeting hosts in order to report unwelcome and problematic attendees.Zoom does not and will not proactively monitor meeting content, but its security team will continue to use automated tools to search for evidence of abusive users on the basis of other available data.Zoom has not and will not develop a mechanism to decrypt live meetings for lawful interception purposes.Nor do they have a means of including their employees or other users into meetings without them being showed within the list of participants. They will not build any cryptographic backdoors to allow secret surveillance of the meetings. In short, Zoom is committed to remaining transparent and open while developing their end-to-end encryption solution. As a matter of fact, Zoom plans to release a draft detailing the cryptographic design by Friday, May 22nd. How Zoom Is Seen after the Purchase of Keybase Zoom’s reaction was admirable. Far from denying criticism or suing researchers who found their vulnerabilities, Zoom’s answer has been an ambitious 90-day security plan whose Holy Grail will be the end-to-end encryption provided by Keybase. Zoom made some bad security decisions in the past but seems clearly determined to become the most powerful and secure video calling app on the market. They are showing how self-criticism and transparency help to emerge strengthened from a serious security crisis. ElevenPaths has achieved AWS Security Competency status20 Questions about Covid-19 Tracing Apps
ElevenPaths Cybersecurity Weekly Briefing October 17-23 New banking trojan called Vizom IBM Security Trusteer’s research team has published a report analysing the new “Brazilian family” banking Trojan called Vizom. This malicious software uses similar techniques to...
Gonzalo Álvarez Marañón Encryption That Preserves The Format To Ensure The Privacy Of Financial And Personal Data Your personal information swarms through thousands of databases of public and private organizations. How do you protect its confidentiality so that it does not fall into the wrong hands?...
ElevenPaths ElevenPaths approaches the cyber security paradigm shift and the new era’ s digital transformation in the SID 2020 Telefónica Tech’s cyber security company is holding its 8th Security Innovation Days, this time in a virtual format and extending from one to three half-days, on October 20th, 21st...
Alejandro Maroto Steps to move security solutions forward in the face of current world challenges Palo Alto Networks founder Nir Zuk recently addressed the Telefónica Global Security Summit with some thoughts to share on the direction of security and implications of the COVID-19 pandemic....
ElevenPaths Cybersecurity Weekly Briefing October 10-16 Coalition of IT Companies Tries to Eliminate TrickBot Botnet A technology business conglomerate including Microsoft, FS-ISAC, ESET, Lumen’s Black Lotus Labs, NTT, and Symantec, have participated in the removal of...
Franco Piergallini Guida Thinking About Attacks on WAFs Based on Machine Learning One of the fundamental pieces for the correct implementation of machine and deep learning is data. This type of algorithm needs to consume, in some cases, a large amount...
