#CyberSecurityPulse: The Transparent Resolution of Vulnerabilities Is Everyone's Business

Monday, January 8, 2018

The new year has started with a story that has made the front pages of specialized and general media all around the world. The vulnerabilities named Meltdown and Spectre have shown that even aspects we took for granted, such as the architecture of the hardware that runs almost all of our systems, will likely have to be reinvented. In the future, this type of flaw should be addressed and put to the test with new designs that prevent it, but until these new systems reach the market, contingency software solutions are needed to mitigate the problem in the meantime.

The different operating systems have tried to deal with a vulnerability that was reported to several operating system security teams on November 9, 2017. In fact, the proofs of concept included in the Meltdown paper were run on Firefox 56, which was the current stable version until the arrival of Firefox Quantum (version 57) on November 14 of that same month. According to the managers of Canonical, the company responsible for the development and maintenance of Ubuntu, this date is important because on November 20 it was used as the reference to reach a consensus on January 9, 2018 as the date for the publication of the details of the vulnerability by its authors.

Come to Create Technology at Telefónica's Chief Data Office Unit

Friday, December 29, 2017

Hi Hacker!

Technology is constantly evolving and so are we. Therefore, at Telefónica, through the Chief Data Office (CDO) led by Chema Alonso, which includes Aura (Cognitive Intelligence), ElevenPaths (Cybersecurity), LUCA (Big Data) and the 4th Platform, we are looking for new talent passionate about technology applied to artificial intelligence in Android development environments.

If you are someone who has the knowledge, the experience and the motivation to change the rules of the game, Telefónica’s CDO unit is the place for you.

#CyberSecurityPulse: The Boom of JavaScript Miners

Tuesday, December 19, 2017

The most common question in recent months, prompted by the rebound in the value of numerous cryptocurrencies, is: should I invest or not? However, as we know, there are different ways to obtain cryptocurrencies, and one of them is mining, which is now an expensive option. This is where the opportunism of certain attackers comes to light. Security researchers from F5 Networks spotted a sophisticated malware campaign, tracked as the Zealot campaign, targeting Linux and Windows servers to install Monero cryptocurrency miners. Experts observed threat actors scanning the Internet for particular unpatched servers and compromising them with two exploits, one for Apache Struts (CVE-2017-5638) and one for the DotNetNuke ASP.NET CMS (CVE-2017-9822).

Another recent case was detected at Starbucks in Buenos Aires, where customers' computers connected to the Wi-Fi and secretly started mining. The company was notified by the CEO of Stensul, Noah Dinkin, who on December 2 asked via Twitter whether they were aware of the situation. Dinkin commented in his tweet that the JavaScript miner offered by Coinhive was being used to mine the Monero cryptocurrency.

#CyberSecurityPulse: Army Launches Direct Commissioning Program for Civilian Cybersecurity Experts

Tuesday, December 12, 2017

The Army has approved a program to recruit experienced cybersecurity experts directly into the service as cyber officers in an attempt to bolster a growing field that military leaders see as vital to national security. However, this measure, approved by the Pentagon and Congress, is a pilot. At the moment, it seeks to bring in five new officers every year for five years.

In Spain, several initiatives have also emerged to counteract the budgetary and training difficulties of the Army. Specifically, the latest measure was published last November by the Joint Cyber Defense Command, which expects to have a group of experts available only in those situations where they are needed, without any compensation in return.

Breaking Out HSTS (and HPKP) on Firefox, IE/Edge and (possibly) Chrome. Our Black Hat research

Monday, December 11, 2017

We have long been researching HSTS, HPKP, certificate pinning and TLS technologies in general. As a side effect of this work, we have found some interesting weaknesses in the way Firefox, Chrome and IE/Edge implement both HSTS and HPKP. We submitted this research to Black Hat Europe 2017 and presented it in London on December 7th, in the Briefings section. Here are some details of what we discussed there, as a "digest" of the presentation itself, which may be found here.