Breaking Out HSTS (and HPKP) on Firefox, IE/Edge and (possibly) Chrome. Our Black Hat research

Monday, December 11, 2017

We have been researching HSTS, HPKP, certificate pinning and TLS technologies in general for a long time. As a side effect of this work, we found some interesting weaknesses in the way Firefox, Chrome and IE/Edge implement both HSTS and HPKP. We submitted this research to Black Hat Europe 2017 and presented it in London on December 7th, in the briefings section. Here are some details of what we talked about, as a "digest" of the presentation itself, which may be found here.



ElevenPaths #CyberTricks

Sunday, December 10, 2017

Last Thursday, November 30th, Cybersecurity Day was celebrated internationally. At ElevenPaths we are continuing the commemoration, so we have collected some #CyberTricks from our experts (Chema Alonso, Pablo San Emeterio, Yaiza Rubio, Carmen Torrano and Félix Brezo) into a Decalogue that shows where we need to pay attention when we connect from our devices.

Who better than the great leaders of the cybersecurity sector, who know firsthand the most common vulnerabilities, to remind us of the importance of being informed about the real risks of the Internet and of anticipating what we should do if we want to stay protected and keep our information safe on the net?

Chema Alonso at ElevenPaths CyberTricks


#CyberTricks Decalogue of ElevenPaths experts

1. "Hack your attitude and learn security!". Chema Alonso

2. "100% security does not exist. Do not reuse passwords and use two factor authentication." Félix Brezo

3. "If you accept by default the privacy options in your social networks, you can expose more information than you are aware of." Yaiza Rubio

4. "Update your devices and applications if you do not want to be exposed to known vulnerabilities." Pablo San Emeterio

5. "Do not forget to close your session, use secure passwords and change them periodically." Carmen Torrano

6. "Be attentive to intrusive advertising, it can be deceptively trying to install malicious software." Yaiza Rubio

7. "Beware of email attachments that you do not recognize, they may include installations of malicious apps." Félix Brezo

8. "Check the URL of the emails before opening them to avoid phishing." Carmen Torrano

9. "If a company claims a debt by email, verify its authenticity in another way; it could be ransomware." Pablo San Emeterio

10. "Improve the security of all your digital identities using two factor authentication. Latch your digital life!" Chema Alonso



#CyberSecurityPulse: Injection and XSS, the Most Critical Web Application Security Risks

Tuesday, December 5, 2017

The Open Web Application Security Project (OWASP) has just updated its top ten list of web app vulnerabilities for the first time since 2013, but not much has actually changed. According to the list, the top vulnerability remains injection, and cross-site scripting (XSS) is still in the top ten despite having plagued web apps for a decade and a half now. Given that Verizon's Data Breach Investigations Report (DBIR) for 2017 also found that, of 1,935 confirmed breaches analysed, some 571 had involved web app attacks, the seriousness of the OWASP list becomes clear.

On the other hand, Black Duck's 2017 Open Source Security and Risk Analysis (OSSRA) report found open source in 96 percent of the commercial software tested, and known vulnerabilities in two-thirds of those code bases. It is an inertia that is proving very costly. Many organizations do not effectively track and manage open source, and as a result are not fully aware of the risks that accompany its use.

SealSign integration with the Azure Key Vault

Thursday, November 30, 2017

ElevenPaths and Microsoft, thanks to Gradiant technology, have integrated the Azure Key Vault into the SealSign platform. This partnership provides a server-based digital signature and certificate safekeeping service, based on HSM, with a high degree of security, scalability and performance.



The use of secure cryptographic hardware, or HSM (Hardware Security Module), provides a well-suited mechanism to safeguard and protect keys (in the manner of a safe-deposit box). However, the cost and complexity of installation and configuration hinder greater adoption of this hardware. For this reason, some as-a-service solutions have emerged, such as the Azure Key Vault, which offer the possibility of using HSMs as one more service within a public cloud.

Dumpster diving in Bin Laden's computers: malware, passwords, warez and metadata (II)

Tuesday, November 28, 2017

What would you expect from a computer network that belongs to a terrorist group? Super-encrypted material? Special passwords? On 1 November 2017, the Central Intelligence Agency (CIA) released additional materials recovered in the 2nd May 2011 raid on Bin Laden's compound in Abbottabad, Pakistan. We have seen some news about movies, porn, games and various other material stored on those computers. But we will go further. We will focus on the security aspects of the 360 GB of zipped information. Did they use passwords? Proxies? Encryption? Any special software?

A few hours after releasing the raw information from the hard drives of at least three computers found there, the CIA removed the content due to "technical" issues. Eight days later, they released the data again, but now all Office documents had been converted to PDF and EXE files had been "deactivated" by removing their headers for "security reasons".