ElevenPaths with triple representation at the eCrime 2015 conference

Tuesday, May 26, 2015

This year, the antiphishing working group organizes the eCrime 2015 conference in Barcelona from May 26 to 29. This symposium on eCrime investigation is attended by professionals who have conducted interesting investigations in this area in 2015. ElevenPaths takes part with three different proposals.

Join the phishing dots to detect suspicious mobile apps

Carlos Díaz presents this study that shows how with the help of Tacyt and Sinfonier it is easy to find apps on Google Play that make reference to other different apps in alternative locations, which represent potential "downloaders" or "adware". The goal is to visually present the relationships existing between these "embedded" programs, the GP apps that reference them and the developers. By analyzing the aspect of these graphs, an analyst can identify patterns of embedded apps that could be potentially malicious.

Oh! the BIOS

David Barroso, CTO of ElevenPaths, will be talking about the BIOS, that component we have all heard of, but whose operation we know nothing about. In theory, it is the ideal place for running malicious code, since it is the first thing that runs when we turn on a computer. The perfect place for storing malicious code because (almost) nobody is going to look if there's something unusual there... Although there have been public investigations of BIOS infections for nearly 10 years, it became really popular with the #BadBIOS controversy and later with Snowden's documents, giving rise to much concern on this issue. There have been investigation groups for many years in several countries that are investigating how to take control of the BIOS (or UEFI in the latest computers) and Snowden has shown that some countries are actively using these investigations in CNE operations.

Chasing Shuabang in App Stores

We will also present in detail the investigation we carried out in the lab in late-2014, which discovered a completely new malware model hosted on Google Play. It was Shuabang. ElevenPaths detected dozens of malicious apps hosted on Google Play that were intended for Shuabang, or BlackASO (Black Hat App Store Optimization). The malicious apps linked false accounts with the victim's actual device, thus achieving very credible accounts. With these accounts, the attacker would send tasks to the victims so they would download new apps. The user's account remained safe, but not their personal data on the phone. The attacker needed a database with more than 12,000 Gmail accounts to complete the attack, which represented a real novelty in the world of malware for Android. .

Faast already detects "Logjam": Imperfect Forward Secrecy

Wednesday, May 20, 2015

Faast teams have been working all day long to add a new plugin to our list of detected vulnerabilities. There has been found a new security problem in TLS protocol that allows to force the use of insecure 512 bits keys during Diffie-Hellman exchange. The use of such a short key, plus a bad practice in servers using over and over basically the same 512 bits primes, allows an attacker to break into most of supposed secure connections. This vulnerability, reported today, is known as Logjam and could affect 80% of TLS connections.

Detection of Logjam included in Faast knowledge base

After analyzing the vulnerability, our developer teams in Faast have added to our knowledge base a plugin to detect Logjam that, after going through QA process, has been released tonight. All our persistent pentesting clients will be getting security warnings related to this problem if it is detected in their infrastructures.

Latch, the best mobile app of 2015

Wednesday, May 13, 2015



We are the winners!
Latch, our mobile app to protect your online accounts and services when your are not connected, has just been recognized as the best mobile app of 2015 by receiving the first prize on the Internet Day Awards.

When we are all connected, we are vulnerable. If you not close the latch, download Latch (it's free!) on your mobile device from your official market store. Discover the services where you can use Latch and improve the security for your digital life.

Internet Day Awards
The Internet Day Awards is one of the main events of the World Day of the Internet, and has gathered the best initiatives, people and organizations that improve user experience on the Internet and new technologies.

Thanks again to all who have trusted in the security of Latch, those of you who are part of our community, everyone online whose votes were collected and the recognition of the jury of the Awards.

ElevenPaths finds a XSS problem in Play Framework

Monday, May 11, 2015

Play Framework is defined as "The high velocity Web Framemork for Java and Scala". We use it internally in some of our products. Ricardo Martín from our QA team has found a (could be permanent) XSS that has now been solved by the official team. This XSS could make all the platforms based on Play Framework, more prone to phishing attacks or able to steal data from users.

When Play framework had a problem with the URL parameter. When it parses the view, it translates it to an URL that will work as a GET request. If the parameter value starts with ":", some exception is launched and fails to escape the value:

@{Controller.action(URLparameterWithInjection)}

How to get the URL parameter:

How to get the URL parameter where the XSS may be encoded

Then, URL goes through the program. Example of XSS injection encoded:


Result of the injected URL, encoded (which is Ok)

But once we "inject" the ":" character...

Result of the injected URL, not encoded (which is a problem)

There is a condition that does not allow to encode the injection. In fact, the code in Play Framework made it clear:

There is an specific condition that does not encode strings beginning with ":"

Whenever the view is interpreted, when translating to an URL that will work as a GET request, we may use it as a parameter to print it as a result.

We developed a PoC and sent it to developers. Versions 1.2.7 to 1.3.0 have been tested to be vulnerable. Just a week after making them aware of the problem, this alert has been released, that solves the problem: https://www.playframework.com/security/vulnerability/20150506-XssUrlParamerter.