Zoom Seeks to Be More Secure and Purchases Keybase

Gonzalo Álvarez Marañón, 26 May 2020

The confinement declared as an exceptional measure to stop the spread of COVID-19 has forced millions of people in businesses, schools and households to interact virtually. Pushed to use group video calling apps for work, classes, or simply to stay in touch with family and friends, users were faced with the daunting challenge of choosing which app to use. Typically, the prevailing criterion for choosing one has been popularity or being free of charge, without considering security or privacy. After all, if it's free and "everyone uses it", why bother?

For better or worse, the most popular app among the public turned out to be Zoom. Weeks after the beginning of the quarantine, it is still at the top of the list of the most downloaded free apps for both iOS and Android, with the fabulous figure of 300 million daily users. As is well known, the more popular a program or application becomes, the more it attracts cybercriminals. Perhaps even Zoom itself couldn't imagine its overwhelming success, or maybe they didn't take security seriously from the beginning, but the truth is that they didn't come prepared.

The Three Big Blows to Zoom Security

Among the many security and privacy issues and scandals, three were particularly significant:

Zoombombing: This attack consists of breaking into a Zoom room and sharing the screen while showing images of extreme violence, pornography or any other form of trolling. Zoombombing became popular in schools and universities, forcing teachers to suspend classes. Many education institutions went so far as to ban Zoom, replacing it with other applications. Zoom learned its hard lesson and implemented numerous measures to combat zoombombing: mandatory passwords, session locking, removal of participants, restricted screen sharing and chat operation, a more visible security icon, etc. They also published a guide called Best Practices for Securing Your Virtual Classroom.

Data sharing with Facebook: Like many other apps, Zoom on iOS used a Facebook SDK to allow its users to log in through their Facebook account. This is called social login. This SDK collects some data about users, such as the device model, app version or telephone operator, and sends it to Facebook's servers, even for users who do not have a Facebook account and therefore do not use it to log in. It is not known how Facebook uses this information, but in response to numerous complaints, Zoom removed the Facebook SDK completely.

False claims about secure end-to-end encryption: Zoom claimed on their website to be using end-to-end encryption on their connections. But it turned out that they were actually using TLS encryption to protect communications between clients and servers, which means that Zoom's servers have access to all video calls. The company had no choice but to retract its statement: "In light of recent interest in our encryption practices, we want to start by apologizing for the confusion we have caused by incorrectly suggesting that Zoom meetings were capable of using end-to-end encryption".

90-day Security Plan

With the aim of restoring their image and user base, on April 1st Zoom surprised everyone with a 90-day security plan. As part of this plan, on April 8 Zoom created a security board including some very prominent CISOs. On the same day, they hired Stanford's well-known cybersecurity expert Alex Stamos, a former CISO of Facebook, as a security advisor to review the platform. On April 27th, Zoom 5.0 was released, with support for AES 256-bit GCM encryption. But (and this is a huge "but") the encryption keys for each meeting are generated by Zoom's servers. In other words, a cybercriminal can't spy on a conversation between two users, but Zoom could if they wanted to.

In contrast, other services such as FaceTime, Signal or WhatsApp do use true end-to-end encryption: no one but the two users at either end of the communication can view its content, because they generate the encryption keys themselves. As a result, neither cybercriminals nor the service provider's servers can spy on the conversations. Without end-to-end encryption, Zoom could be forced to turn over meeting records to a government in response to legal requests. These requests are made all the time around the world. In fact, companies such as Apple, Google, Facebook and Microsoft publish transparency reports detailing how many user data requests they receive, from which countries and how many of them they grant. However, Zoom does not publish such transparency reports.

The Keybase End-to-end Encryption That Zoom Seeks for Its Video Calls

On paper, end-to-end encryption seems simple: clients generate the temporary session keys and exchange them encrypted under the recipient's public key. Unfortunately, generating and managing all these keys to provide scalable end-to-end encryption for high-quality video calls with dozens of participants, and over 300 million users connecting daily to your servers, is a huge technological challenge. That's why Zoom turned to Keybase. On 7 May they bought Keybase.io, a messaging and file transfer company with end-to-end cryptographic protection, for an undisclosed amount. Thanks to this help, Zoom aims to provide an end-to-end encrypted meeting mode. However, this is only for paid accounts.

Furthermore, as they state:

- They will continue to work with users to improve the feedback mechanisms available to meeting hosts in order to report unwelcome and problematic attendees.
- Zoom does not and will not proactively monitor meeting content, but its security team will continue to use automated tools to search for evidence of abusive users on the basis of other available data.
- Zoom has not and will not develop a mechanism to decrypt live meetings for lawful interception purposes.
- Nor do they have a means of including their employees or other users in meetings without them being shown in the list of participants.
- They will not build any cryptographic backdoors to allow secret surveillance of the meetings.

In short, Zoom is committed to remaining transparent and open while developing their end-to-end encryption solution. As a matter of fact, Zoom plans to release a draft detailing the cryptographic design by Friday, May 22nd.

How Zoom Is Seen after the Purchase of Keybase

Zoom's reaction was admirable. Far from denying criticism or suing the researchers who found their vulnerabilities, Zoom's answer has been an ambitious 90-day security plan whose Holy Grail will be the end-to-end encryption provided by Keybase. Zoom made some bad security decisions in the past but seems clearly determined to become the most powerful and secure video calling app on the market. They are showing how self-criticism and transparency help a company emerge strengthened from a serious security crisis.
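The distinction the post draws, between meeting keys generated on Zoom's servers and session keys generated by clients and exchanged under each recipient's public key, can be made concrete in a few lines. The following is an added example, not Zoom's or Keybase's code, and its names (WrappedKey, gcmFor, WrapMeetingKey, UnwrapMeetingKey) and its simplified SHA-256 key derivation are assumptions of this sketch; it uses Go's standard library only.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
)

// WrappedKey is all the relay server ever sees; without the recipient's private key
// it carries no usable key material.
type WrappedKey struct {
	EphemeralPub []byte // sender's one-time X25519 public key
	Nonce        []byte
	Ciphertext   []byte // meeting key sealed with AES-256-GCM
}

// gcmFor turns an X25519 shared secret into an AES-256-GCM instance. Hypothetical
// derivation for this sketch: a plain SHA-256 of the secret, not a standard KDF.
func gcmFor(secret []byte) cipher.AEAD {
	key := sha256.Sum256(secret)
	block, _ := aes.NewCipher(key[:]) // 32-byte key: cannot fail
	gcm, _ := cipher.NewGCM(block)    // AES block size is always valid for GCM
	return gcm
}

// WrapMeetingKey seals a client-generated meeting key for one participant using
// only that participant's public key, so the server never holds the plaintext.
func WrapMeetingKey(meetingKey []byte, recipientPub *ecdh.PublicKey) (*WrappedKey, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil { return nil, err }
	secret, err := eph.ECDH(recipientPub) // fails only on a low-order public key
	if err != nil { return nil, err }
	gcm := gcmFor(secret)
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	ephPub := eph.PublicKey().Bytes() // bound as associated data so a relay cannot swap it
	return &WrappedKey{ephPub, nonce, gcm.Seal(nil, nonce, meetingKey, ephPub)}, nil
}

// UnwrapMeetingKey recovers the meeting key; only the holder of the matching private
// key (not the server) can open the blob, and any tampering makes GCM reject it.
func UnwrapMeetingKey(w *WrappedKey, recipientPriv *ecdh.PrivateKey) ([]byte, error) {
	ephPub, err := ecdh.X25519().NewPublicKey(w.EphemeralPub)
	if err != nil { return nil, err }
	secret, err := recipientPriv.ECDH(ephPub)
	if err != nil { return nil, err }
	return gcmFor(secret).Open(nil, w.Nonce, w.Ciphertext, w.EphemeralPub)
}
```

In the server-generated model the post criticises, the equivalent of meetingKey is created on the provider's side, so the provider can decrypt regardless of how strong the AES-256-GCM transport is.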