ElevenPaths Cyber Security Weekly Briefing January 9-15 Sunburst shows code matches with Russian-associated malware Kaspersky researchers have found that the Sunburst malware used during the SolarWinds supply chain attack is consistent in its characteristics with Kazuar, a...
Sergio De Los Santos The Attack on SolarWinds Reveals Two Nightmares: What Has Been Done Right and What Has Been Done Wrong All cyber security professionals now know at least part of what was originally thought to be “just” an attack on SolarWinds, which has just truned out to be one...
ElevenPaths Cybersecurity Weekly Briefing August 15-21 EmoCrash: stopping Emotet for almost 6 months Emotet’s comeback after a 6 month-period absence has hinted that the hiatus in the malware’s operations could be due to the discovery of...
ElevenPaths Telefónica Business Solutions Reinforces the Security of its Network with Clean Pipes 2.0 MADRID, 14 September, 2017 – ElevenPaths, Telefónica’s cyber security unit, today announced the launch of Clean Pipes 2.0, a software-based security service, to prevent known and unknown threats across...
Gonzalo Álvarez Marañón Plausibly Deniable Encryption or How to Reveal A Key Without Revealing It When the secret police arrested Andrea at the airport checkpoint, she thought it was a mere formality reserved for all foreign citizens. When they searched her luggage and found...
ElevenPaths Cyber Security Weekly Briefing January 9-15 Sunburst shows code matches with Russian-associated malware Kaspersky researchers have found that the Sunburst malware used during the SolarWinds supply chain attack is consistent in its characteristics with Kazuar, a...
Innovation and Laboratory Area in ElevenPaths TheTHE: The Threat Hunting Environment, our tool for researchers TheTHE, a unique tool within its category that allows analysts and hunters to carry out their research tasks in a more agile and practical way.
Diego Samuel Espitia Using Development Libraries to Deploy Malware Cybercriminals seek strategies to achieve their objectives: in some cases, it is users’ information; in others, connections; sometimes they generate networks of computers under their control (botnets), etc. Any...
Gonzalo Álvarez Marañón Plausibly Deniable Encryption or How to Reveal A Key Without Revealing It When the secret police arrested Andrea at the airport checkpoint, she thought it was a mere formality reserved for all foreign citizens. When they searched her luggage and found...
ElevenPaths Cyber Security Weekly Briefing January 9-15 Sunburst shows code matches with Russian-associated malware Kaspersky researchers have found that the Sunburst malware used during the SolarWinds supply chain attack is consistent in its characteristics with Kazuar, a...
Alberto Cuesta Partida We Acquire iHackLabs to Boost the Training of Our Ethical Hackers Telefónica Tech, through ElevenPaths, incorporates the platforms and knowledge about cyber security training of the iHackLabs startup.
ElevenPaths Cybersecurity Weekly Briefing October 24-30 Critical vulnerability in Hewlett Packard Enterprise SSMC Hewlett Packard Enterprise has fixed a critical authentication evasion vulnerability (CVE-2020-7197, CVSS 10) affecting its StoreServ Management Console (SSMC) storage management software. HPE...
Zoom Seeks to Be More Secure and Purchases KeybaseGonzalo Álvarez Marañón 26 May, 2020 The confinement declared as an exceptional measure to stop the spread of the COVID-19 has forced millions of people in businesses, schools and households to interact virtually. Pushed to use group video calling apps for work, classes, or simply to be in touch with family and friends; users were faced with the daunting challenge of choosing which app to use. Typically, the prevailing criterion for choosing one has been popularity or free −without considering security or privacy. After all, if it’s free and “everyone uses it”, why bother? For better or worse, the most popular app among the public turned out to be Zoom. Weeks after the beginning of the quarantine, it is still at the top of the list of the most downloaded free apps for both iOS and Android, with the fabulous figure of 300 million daily users. As it is well known, the more popular a program or application becomes, the more it attracts cybercriminals. Perhaps even Zoom itself couldn’t imagine its overwhelming success, or maybe they didn’t take security seriously from the beginning, but the truth is that they didn’t come prepared. The Three Big Blows to Zoom Security Among the many security and privacy issues and scandals, three were particularly significant: Zoombombing: This attack consists of breaking into a Zoom room and sharing the screen while showing images of extreme violence, pornography or any other form of trolling. Zoombombing became popular in schools and universities, forcing teachers to suspend classes. Many education institutions went so far as to ban Zoom replacing it with other applications. Zoom learned its hard lesson and implemented numerous measures to combat zoombombing: mandatory passwords, session blocking, removing of participants, restricted screen sharing and chat operation, more visible security icon, etc. They also published a guide called Best Practices for Securing Your Virtual Classroom.Data sharing with Facebook: Like many other apps, Zoom on iOS uses a Facebook SDK to allow its users to log in through their Facebook account. This is called social login. This SDK collects some data about users, such as the device model, app version, or telephone operator. Then it sends such data to Facebook servers, even if they do not have a Facebook account and therefore do not use it to log in. It is not known how Facebook uses this information, but in response to numerous complaints, Zoom removed the Facebook SDK completely.False claims about secure end-to-end encryption: Zoom claimed on their website to be using end-to-end encryption on their connections. But it turned out that they were actually using TLS encryption to encrypt communications between clients and servers, which means that Zoom’s servers have access to all video calls. The company had no choice but to retract its statement: “In light of recent interest in our encryption practices, we want to start by apologizing for the confusion we have caused by incorrectly suggesting that Zoom meetings were capable of using end-to-end encryption”. 90-day Security Plan With the aim of restoring their image and user base, on April 1st Zoom surprised with a 90-day security plan. As part of this plan, on April 8 Zoom created a security board including some very prominent CISOs. On the same day, they hired Stanford’s well-known cybersecurity expert Alex Stamos, a former CISO of Facebook, as a security advisor to review the platform. On April 27th, Zoom 5.0 was released, with support for AES 256-bit GCM encryption. But (and this is a huge “but”) the encryption keys for each meeting are generated by Zoom servers. In other words, a cybercriminal can’t spy on a conversation between two users but Zoom would if they wanted to. In contrast, other services such as Facetime, Signal or WhatsApp do use true end-to-end encryption: no one but the two users at either end of the communication can view their content because they generate the encryption keys themselves. As a result, neither the cybercriminals nor the service provider’s servers can spy on the conversations. Without end-to-end encryption, Zoom could be forced to turn over meeting records to a government in response to legal requests. These requests are made all the time around the world. In fact, companies such as Apple, Google, Facebook and Microsoft publish transparency reports detailing how many user data requests they receive, from which countries and how many of them they grant. However, Zoom does not publish such transparency reports. The Keybase End-to-end Encryption That Zoom Seeks for Its Video Calls On paper, end-to-end encryption seems simple: Clients generate the temporary session keys and exchange them with the recipient’s public key. Unfortunately, generating and managing all these keys to provide scalable end-to-end encryption for high-quality video calls with dozens of participants and over 300 million users connecting daily to your servers is a huge technological challenge. That’s why Zoom turned to Keybase. On 7 May, they bought the messaging and file transfer company with end-to-end cryptographic protection Keybase.io, and they paid an undisclosed amount. Thanks to this help, Zoom aims to provide an end-to-end encrypted meeting mode. However, this is only for payed accounts. Furthermore, as they state: They will continue to work with users to improve the feedback mechanisms available to meeting hosts in order to report unwelcome and problematic attendees.Zoom does not and will not proactively monitor meeting content, but its security team will continue to use automated tools to search for evidence of abusive users on the basis of other available data.Zoom has not and will not develop a mechanism to decrypt live meetings for lawful interception purposes.Nor do they have a means of including their employees or other users into meetings without them being showed within the list of participants. They will not build any cryptographic backdoors to allow secret surveillance of the meetings. In short, Zoom is committed to remaining transparent and open while developing their end-to-end encryption solution. As a matter of fact, Zoom plans to release a draft detailing the cryptographic design by Friday, May 22nd. How Zoom Is Seen after the Purchase of Keybase Zoom’s reaction was admirable. Far from denying criticism or suing researchers who found their vulnerabilities, Zoom’s answer has been an ambitious 90-day security plan whose Holy Grail will be the end-to-end encryption provided by Keybase. Zoom made some bad security decisions in the past but seems clearly determined to become the most powerful and secure video calling app on the market. They are showing how self-criticism and transparency help to emerge strengthened from a serious security crisis. ElevenPaths has achieved AWS Security Competency status20 Questions about Covid-19 Tracing Apps
Gonzalo Álvarez Marañón Plausibly Deniable Encryption or How to Reveal A Key Without Revealing It When the secret police arrested Andrea at the airport checkpoint, she thought it was a mere formality reserved for all foreign citizens. When they searched her luggage and found...
ElevenPaths Cyber Security Weekly Briefing January 9-15 Sunburst shows code matches with Russian-associated malware Kaspersky researchers have found that the Sunburst malware used during the SolarWinds supply chain attack is consistent in its characteristics with Kazuar, a...
Sergio De Los Santos The Attack on SolarWinds Reveals Two Nightmares: What Has Been Done Right and What Has Been Done Wrong All cyber security professionals now know at least part of what was originally thought to be “just” an attack on SolarWinds, which has just truned out to be one...
Antonio Gil Moyano Homeworking: Balancing Corporate Control and Employee Privacy (I) At this point in time and looking back on 2020, nobody would have imagined the advance in the digitalisation of organisations and companies due to the irruption of homeworking...
Innovation and Laboratory Area in ElevenPaths 46% Of the Main Spanish Websites Use Google Analytics Cookies Before the Consent Required by The Spanish Data Protection Agency (AEPD) Over the past few months, many IT departments have been busy carrying out this task of adaptation in order to comply with the new regulations on cookies. Every time...
Carlos Ávila WhatsApp Terms and Conditions Update: A Cheeky Move? Surely by now many have already accepted the new terms and privacy policies without really knowing what they were about or their impact on the privacy of their data,...
