Securing a Cloud Environment With a Telco Cloud Provider

Tuesday, July 25, 2017


Nowadays, nobody can deny the remarkable benefits of cloud computing, both infrastructure as a service (IaaS) and software as a service (SaaS). Cloud computing drives cost savings, agility to support customer demands, and innovation; it is definitively a fundamental factor in corporate digital transformation. However, cloud computing also involves some complexity in dealing with IT security, since organizations delegate to third parties certain responsibilities for storing and controlling sensitive data. In this article, we aim to identify the cloud security handicaps and propose a security model from a Telco Cloud Provider's perspective to make the cloud journey easier and safer.

Telefónica and Subex sign a global framework agreement to provide a disruptive FMaaS solution

Saturday, July 22, 2017


Madrid, June 18, 2017. Subex Limited, a leading telecom analytics solution provider, has been selected by ElevenPaths, Telefónica's Cybersecurity Unit, to offer a Fraud Management-as-a-Service (FMaaS) solution. Telefónica is one of the world's largest telecommunications companies, with a global presence in 21 countries and an average of 125.000 professionals and 350 million accesses.

The agreement between Telefónica and Subex will result in the new ’Telefónica FMaaS Powered by Subex’ to protect against a comprehensive set of digital risks and threats, along with a library of fraud detection processes. The solution addresses Subscription Fraud, Internal Fraud, Premium Rate Service Fraud (PRS Fraud), and International Revenue Share Fraud (IRSF), amongst others. Additionally, ROC Fraud Management technology deployed by Subex will deliver the ability to deploy client-specific detection processes, techniques and strategies, based on particular business needs at each site.

ElevenPaths is a Fortinet's Alliance Technology Partner

Monday, July 17, 2017

Solutions Integration with Vamps and Metashield

Fortinet is a Strategic Partner of ElevenPaths, Telefónica's Cyber Security unit, with more than 15 years working together, and in June 2016 we strengthened that strategic alliance by adding Fortinet's Security Fabric architecture to deliver solutions integrated with some of Telefónica's key managed security services.

ElevenPaths participates in AMBER (“enhAnced Mobile BiomEtRics”) project

Sunday, July 9, 2017

ElevenPaths has participated in the AMBER ("enhAnced Mobile BiomEtRics") project since 1st January 2017 as an Industrial Partner. AMBER is a Marie Skłodowska-Curie Innovative Training Network under Grant Agreement No. 675087, addressing a range of current issues facing biometric solutions on mobile devices. The project will run until 31st December 2020 and will lead the training and development of next-generation researchers in the biometrics area, helping them to align their research activities with academic goals as well as with the requirements of the industrial and professional market.



New tool: PySCTChecker

Monday, July 3, 2017

This is a "quick and dirty" Python script for checking whether a domain properly implements Certificate Transparency. If it does, the script also shows how Certificate Transparency is implemented on the server side.

When a server implements Certificate Transparency, it must offer at least one SCT (a proof of inclusion of the server's TLS certificate in a Transparency Log). An SCT can be delivered in three different ways:

  • Embedded in the certificate
  • As a TLS extension
  • Via OCSP Stapling

Using PySCTChecker it is possible to identify the delivery options the server uses and the logs the certificate has been submitted to. It is also possible to check whether the offered SCTs are valid and legitimately signed by the logs.

The script takes just a list of domains as input. For each domain, it checks whether the server implements Certificate Transparency. If the server offers any SCT, the script shows extra information about it, such as the logs the TLS certificate has been submitted to and the method the server uses to deliver the SCT.

Usage: 

python PySCTChecker/ct_domains_sct_checker.py [domain1 domain2 ...] 

Output example:

This is a quick and dirty implementation, since it relies on OpenSSL for some features, but we hope it helps to understand how Certificate Transparency works.

You can download and check source code from here.

This tool extends our set of Certificate Transparency-related tools developed by ElevenPaths.

Innovation and Lab
www.elevenpaths.com

The Intelligent MSSP

Thursday, June 15, 2017

For years, Managed Security Services (MSS) have been the most effective strategy to tackle the increasing and changing threat landscape. However, some disruptive factors are compelling a new approach to corporate information security. Specifically, we refer to technology factors, such as the blurring of the organization's boundaries or the explosive growth of advanced threats; operational factors, like the increasing complexity of organizations' processes; and business factors, for instance the compulsory requirement of implementing efficient risk management so that the precise budget is invested in security, no more, no less.


How can these requirements be addressed while keeping the complexity of a Managed Security Service under control?
This article identifies the compelling factors and proposes a layered framework for MSS that ensures the right coordination among technology, operation and business to protect the organizations of the future.

ElevenPaths and BitSight deliver enhanced visibility into supply chain risk with continuous monitoring

Tuesday, June 13, 2017


Security Ratings Market Leader Expands Global Reach with New Strategic Alliance

CAMBRIDGE, MA, June 13, 2017. ElevenPaths, Telefónica's Cybersecurity Unit specialized in the development of innovative security solutions, and BitSight, the Standard in Security Ratings, have announced a new alliance that will enhance visibility into supply chain risk for Telefónica customers worldwide.

The agreement between ElevenPaths and BitSight provides Telefónica customers with access to the BitSight Security Ratings Platform for security benchmarking and continuous supply chain risk management. This new offer will be part of CyberThreats, 11Paths’ threat intelligence service, delivering:

  • Objective, outside-in ratings measuring the security performance of individual organizations within the supply chain.
  • Comprehensive insight into the aggregate cybersecurity risk of the entire supply chain, with the ability to quickly generate context around emerging risks.
  • Actionable information included in Security Ratings that can be used to communicate with third parties and mitigate identified risks.

Wannacry chronicles: Messi, Korean, bitcoins and the ransomware's last hours

Monday, June 12, 2017

It is hard to say something new about Wannacry (the ransomware itself, not the attack). But it is worth investigating how the attacker worked during the last hours before the attack. It does not let us uncover the creator, but it certainly makes him a little "more human" and opens up questions about his mother tongue, his location and his last hours creating the attack.

Wannacry (the ransomware again, not the attack) is a very easy malware to reverse. No obfuscation, no anti-debugging, not a single mechanism to make life harder for reversers. Aside from the code, some companies have even tried linguistic analysis (widely used recently) to try to find out where the author comes from (although the conclusion turns out to be China "more often than not"). The result is usually "maybe a native English speaker, maybe not, maybe a native Chinese speaker trying to mislead the analysis..."; who knows. But one thing we may know for sure: he likes football, is not greedy and usually types in Korean.

Metadata to the rescue

It has been proved in recent years how useful it is to analyze and extract metadata and hidden information from files. Data is the new oil: not only sensitive information about the user or organization, software, emails, paths... but also dates, titles, geopositioning, etc. We have heard about spying, political scandals caused by altered documents, insurance frauds... all revealed thanks to metadata.


ElevenPaths announces that its security platform complies with the new European data protection regulation one year earlier than required

Wednesday, May 31, 2017

  • The European regulation will enter into force in May 2018, when entities that do not comply can be penalized with fines of up to 4% of their annual turnover.
  • ElevenPaths introduces new technology integrations with strategic partners such as Check Point and OpenCloud Factory, with Michael Shaulov, Director of Check Point Product, Mobile Security and Cloud, as the special guest of ElevenPaths' annual event. ElevenPaths also works with Wayra, Telefónica's corporate start-up accelerator.
  • ElevenPaths collaborates with the Cyber Threat Alliance to improve and advance the development of solutions that fight cybercrime.

Telefónica WannaCry File Restorer: How can we recover information deleted by WannaCry?

Thursday, May 18, 2017

When cyberattacks occur in large organizations, it is crucial to remember where duplicate copies of files are stored, as this information is also subject to infection by malware or, more importantly in this case, by ransomware. Best practice involves first tracking where the information is located and then starting the data clean-up, both for Wannacry and for future incidents:
  • Files that are not encrypted were not affected by the malware because the malware did not have time to affect them. There are ways to partially recover files affected by Wannacry, which will be shown throughout the course of this article.
  • It is important to always have backups and security copies that are available offline.
  • Information surrounding the shared units and the cloud units.
  • Information from Office365 email and the data units.
  • Information from removable devices, e.g. pen drives.
  • Temporary Office files (Word, Excel, PowerPoint). If the infection was present when a document was open, a temporary file will also have been generated. These files will not be on the radar of Wannacry, meaning these files will not become encrypted. Once the files have been cleaned up, Office files can be recovered to the point they were at when Wannacry started. Once the system has been cleaned up, the temporary files generated at the time of infection can be restored.

Security Day 2017: Cyber Security beats

Tuesday, May 9, 2017

The motto of the fourth edition of our Security Day is Cybersecurity Beats. A conference about security and technology where this year we will show how our security tools get a feel for your company's information systems. Some of the topics we have chosen for this day are the mandatory compliance with the GDPR regulation as of May 25, 2018, and how to be prepared with our SandaS GRC platform; the latest additions to the ElevenPaths alliances and partners program; and the integration of security solutions to help companies fight cyberattacks against their technological infrastructures. In addition, some of our partners will actively take part, joining us on stage to show you the latest integrations we have jointly carried out, for example with Check Point MTP and Tacyt. As new features this year, we will present our Path6 (it finally has a name!), which we will unveil to you, some of the cyberattacks in which we have taken part this year, the awards ceremony for the winning plugins and hacks of our annual Latch Plugins Contest, hosted by Chema Alonso, and much more.

Mum, I want to be a hacker

Friday, May 5, 2017

Mum, I want to be a hacker


The hacker concept is most often associated with male ‘techies’ and ‘geeks’. But why is it so difficult to find female role models in the world of technology? We could find the reason in this passionate and lively TED talk given by Christopher Bell, media studies scholar and father of a Star Wars-obsessed daughter, who addresses the alarming lack of female superheroes in the toys and products marketed to children, and how this impacts their view of the world. In the same way, according to various studies, at the age of 11 many girls feel drawn towards technology, science and mathematics, but they lose interest when they turn 15.

In response to this challenge, from Telefónica, through the Chief Data Office (CDO) led by Chema Alonso, which includes Aura (Cognitive Intelligence), ElevenPaths (Cybersecurity) and LUCA (Big Data), we have thought about this recurring trend and have decided to "hack" diversity.

ElevenPaths and the University of Piraeus in Greece work together using Tacyt as an educational and research unit

Monday, May 1, 2017

ElevenPaths and the Department of Informatics of the University of Piraeus in Greece start a joint collaboration using Tacyt as an educational and research unit. The collaboration aims to perform studies and research activities on mobile applications and, in addition, to provide an educational platform for researchers and students.

Squeezing the numbers and facts of Google’s annual Android security report

Monday, April 24, 2017

Last month Google published its third annual security report on Android’s security protections, aiming to send a clear message to the world about mobile malware (or Potentially Harmful Applications (PHAs), as they like to call them): devices, apps, and Android users are safer than ever. And the entire Android ecosystem is now more secure.

Sending positive messages is fine, but it is good to be realistic as well; that is what makes us all improve. We have squeezed some of the numbers and facts included in the report, and conclude that it is hard to believe the Android ecosystem is actually as secure as Google claims, since the terminology used is not clear and some of the numbers shown do not align.

It is all about “malware” definitions
According to the report, PHAs are "applications that could put users, user data, or devices at risk". This includes, among many others, trojans, spyware or phishing apps. That is fine, but, as Google recognizes, "we are also less strict in our definition of certain PHAs than some users expect. A classic example is advertising spam, which we define as an app that pushes advertising to the user in an unexpected way, such as on the device home screen or lock screen". This means Google does not count aggressive adware as PHA, which is the most common problem for Google Play users. There is no evidence of an aggressive adware definition in The Google Android Security Team's Classifications for Potentially Harmful Applications. How harmful can this "advertising spam" or aggressive adware be? We do not know. Some so-called advertising campaigns have ended up rooting the device. This definitely makes the numbers go down, and it is maybe one of the gaps antivirus companies and Google play with.

Latch and IoT, a perfect symbiosis

Wednesday, April 19, 2017

The Internet of Things stopped being the future to become our present. It’s rare that on any given day we do not interact in one way or another with an IoT device: the radio we use in the mornings, the camera that “takes care” of our baby, the heart rate monitor/watch that we use when we go running or the car that takes us to work. IoT is almost everywhere.


Figure 1: Latch plugin video for Mosquitto

Limiting the use scope of our secrets in Latch with “Limited Secrets”

Wednesday, April 12, 2017

When creating a Latch app as a developer, Latch provides us with an application identifier (appId) and a secret.

These two keys allow us to sign the requests sent to the API, in order to ensure that we are the legitimate owners of that app.

Example of app ID and secret in an application.

ElevenPaths is now a NoMoreRansom.org associated partner

Sunday, April 9, 2017

Ransomware has a severe impact on IT companies and users. The increasing popularity of this threat, along with the profitable business it represents for criminals, makes ransomware one of the most urgent and complex cybersecurity challenges nowadays. In this context, the NoMoreRansom (NMR) initiative has gained prominence, and nine months after its launch it has received considerable attention from law enforcement and private partners in the cybersecurity sector.



The www.nomoreransom.org platform has a clear mission: on the one hand, to support ransomware victims and enable them to get their files back without paying the criminals; on the other, to share information among security forces to legally track attackers. ElevenPaths brings its expertise in this field, developing and offering tools to the NMR alliance. The work of its Innovation and Lab area has allowed the company to become part of the alliance as one of the seven associated partners, together with Avast, Bitdefender, CERT Polska, Check Point, Emsisoft and Kaspersky.

ElevenPaths creates an addon to make Firefox compatible with Certificate Transparency

Monday, March 27, 2017

Certificate Transparency will be mandatory in Chrome for new certificates in late 2017. This means that Chrome will show an alert for web pages protected by certificates not present in the logs it checks by that time. No other browser supports Certificate Transparency yet. Mozilla is on its way to making it work, but there is no official release date. ElevenPaths has created an addon to cover this feature.

Checking the SCT embedded in our certificates


Certificate Transparency is a new layer of security on top of the TLS ecosystem. Sponsored by Google, it basically makes every issued certificate get logged (in some special servers), so an eventual attacker who wanted to create a rogue one would face a dilemma: if the rogue certificate is not logged, that would raise some eyebrows; if it is logged, that would allow faster detection. A certificate is considered "logged" if it has an SCT (Signed Certificate Timestamp). This SCT is given to the owner of the certificate when it is logged, and the browser has to verify that it is real and current. This is exactly what Chrome has been doing for a while now. Now Firefox, thanks to this plugin, is able to check the SCT of certificates. But there is good news and bad news:

This is how Chrome checks the SCT

The good news

Our addon, created in cooperation with our lab in Buenos Aires, works with most known logs. It does not matter which log the SCT comes from: we will be able to check it, because we have included the public key and address of basically all the logs known so far:

Google 'Pilot', Google 'Aviator', DigiCert Log Server, Google 'Rocketeer', Certly.IO, Izenpe, Symantec, Venafi, WoSign, WoSign ctlog, Symantec VEGA, CNNIC CT, Wang Shengnan GDCA, Google 'Submariner', Izenpe 2nd, StartCom CT, Google 'Skydiver', Google 'Icarus', GDCA, Google 'Daedalus', PuChuangSiDa, Venafi Gen2 CT, Symantec SIRIUS and DigiCert CT2.

This makes our solution quite complete but...

The bad news

An SCT may be delivered in three different ways:
  • Embedded in the certificate.
  • As a TLS extension.
  • In OCSP.
From a plugin's technical perspective, it is not easy to reach the TLS or OCSP layer and check the SCT there. So far, our plugin checks only for SCTs embedded in the certificate itself. Although not ideal, this is the most common scenario, so most certificates distribute their SCTs embedded.
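Both PySCTChecker (above) and this addon start from the same step: pulling the SCT list out of the certificate and decoding it before any signature can be checked. The following Python is an added example, not the code of either tool: it strips the DER OCTET STRING wrapper of the certificate extension and parses the TLS-encoded SignedCertificateTimestampList of RFC 6962. The extension bytes, log IDs and signatures are constructed; verifying the signatures, which needs each log's public key, is left out.

```python
from __future__ import annotations

import struct
from dataclasses import dataclass
from datetime import datetime, timezone

# TLS SignatureAndHashAlgorithm code points used in SCT signatures
HASH_ALGS = {4: "sha256"}
SIG_ALGS = {1: "rsa", 3: "ecdsa"}
# Constructed log IDs for this example; a real ID is SHA-256 of the log's public key
KNOWN_LOGS = {bytes([0xAA]) * 32: "Example Log A (constructed)",
              bytes([0xBB]) * 32: "Example Log B (constructed)"}


@dataclass
class SCT:
    log_id: bytes
    timestamp_ms: int
    extensions: bytes
    hash_alg: str
    sig_alg: str
    signature: bytes

    @property
    def timestamp(self) -> datetime:
        return datetime.fromtimestamp(self.timestamp_ms / 1000, tz=timezone.utc)

    @property
    def log_name(self) -> str:
        return KNOWN_LOGS.get(self.log_id, "unknown log " + self.log_id.hex())


def _take(buf: bytes, pos: int, n: int) -> tuple[bytes, int]:
    if pos + n > len(buf):
        raise ValueError("truncated SCT data at offset %d" % pos)
    return buf[pos:pos + n], pos + n


def _vector(buf: bytes, pos: int, len_bytes: int) -> tuple[bytes, int]:
    # TLS variable-length vector: big-endian length prefix, then the body
    raw, pos = _take(buf, pos, len_bytes)
    return _take(buf, pos, int.from_bytes(raw, "big"))


def unwrap_extension_value(ext_value: bytes) -> bytes:
    """Strip the DER OCTET STRING that the X.509 extension (OID 1.3.6.1.4.1.11129.2.4.2) uses."""
    if ext_value[:1] != b"\x04":
        raise ValueError("expected a DER OCTET STRING")
    first = ext_value[1]
    if first < 0x80:                       # short-form length
        hdr, length = 2, first
    else:                                  # long-form length: (first & 0x7F) length bytes follow
        n = first & 0x7F
        hdr, length = 2 + n, int.from_bytes(ext_value[2:2 + n], "big")
    if hdr + length != len(ext_value):
        raise ValueError("OCTET STRING length mismatch")
    return ext_value[hdr:]


def parse_sct(data: bytes) -> SCT:
    """Parse one SignedCertificateTimestamp (RFC 6962, section 3.2)."""
    raw, pos = _take(data, 0, 1)
    if raw[0] != 0:
        raise ValueError("unsupported SCT version %d (only v1 exists)" % raw[0])
    log_id, pos = _take(data, pos, 32)
    raw, pos = _take(data, pos, 8)
    timestamp_ms = struct.unpack("!Q", raw)[0]
    extensions, pos = _vector(data, pos, 2)
    algs, pos = _take(data, pos, 2)        # hash algorithm, signature algorithm
    signature, pos = _vector(data, pos, 2)
    if pos != len(data):
        raise ValueError("%d trailing bytes after SCT" % (len(data) - pos))
    return SCT(log_id, timestamp_ms, extensions,
               HASH_ALGS.get(algs[0], "unknown(%d)" % algs[0]),
               SIG_ALGS.get(algs[1], "unknown(%d)" % algs[1]), signature)


def parse_sct_list(data: bytes) -> list[SCT]:
    """Parse a TLS-encoded SignedCertificateTimestampList (RFC 6962, section 3.3)."""
    body, pos = _vector(data, 0, 2)
    if pos != len(data):
        raise ValueError("trailing bytes after SCT list")
    scts, p = [], 0
    while p < len(body):
        serialized, p = _vector(body, p, 2)
        scts.append(parse_sct(serialized))
    if not scts:
        raise ValueError("SCT list is empty")
    return scts


def build_sample_extension() -> bytes:
    """Construct a two-SCT extension value (sample data, not from a real certificate)."""
    def one(log_id: bytes, ts_ms: int, sig: bytes) -> bytes:
        sct = (b"\x00" + log_id + struct.pack("!Q", ts_ms)
               + b"\x00\x00"                      # no extensions
               + b"\x04\x03"                      # sha256 / ecdsa
               + struct.pack("!H", len(sig)) + sig)   # placeholder signature, not verifiable
        return struct.pack("!H", len(sct)) + sct
    entries = (one(bytes([0xAA]) * 32, 1490572800000, b"\x30\x44" + b"\x01" * 68)
               + one(bytes([0xBB]) * 32, 1490572801000, b"\x30\x45" + b"\x02" * 69))
    tls_list = struct.pack("!H", len(entries)) + entries
    # 241 bytes here, so the DER length takes the long form 0x81 followed by one byte
    return b"\x04\x81" + bytes([len(tls_list)]) + tls_list
```

On a real certificate, the extension value handed to `unwrap_extension_value` is the raw value of the `1.3.6.1.4.1.11129.2.4.2` extension as exposed by your X.509 library.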

More bad news: plugins have to be validated by Mozilla to be published in its addons store. Once uploaded, the plugin enters a queue. If it contains "complex code" it may stay there longer, so that Mozilla can do a better job reviewing its security and quality. After waiting for more than two months, we have decided not to wait any longer. The queue seems to have been stuck for days and days and there is no hope of it moving faster. Mozilla reviewers are working as hard as they can, but they cannot deal with so many addons as fast as they would like to. We thank them anyway. That is why we have decided to distribute the addon outside the addons store. Once it is reviewed and released there, we will let you know.

The addon is available from here.

To install it, just drag and drop the file into a new tab.

Or, from the extensions menu, settings, install from a file.

Innovation and Lab
www.elevenpaths.com

ElevenPaths and iLife Security signed an agreement for implementing services in support, IT management and security

Monday, March 6, 2017



Aiming to help clients adapt their systems to this new technological reality and its growing security challenges, ElevenPaths and iLife Security, a company specialized in Full Outsourcing in IT Management, have signed an agreement to implement personalized services in support, IT management and security.

This collaboration will have the goal of sharing knowledge and technical resources, to implement products and services based on digital security and correct IT management, also using ElevenPaths technologies: Latch, Security Monitoring and Metashield.

ElevenPaths and Opencloud Factory signed an agreement to provide a unique solution for access control in corporate networks

Wednesday, March 1, 2017


ElevenPaths and Opencloud Factory have signed a technological agreement aiming to develop a unique solution for controlling access in corporate networks.

Thanks to this agreement, Mobile Connect, a multi-operator solution led by the GSMA (Global System for Mobile Communications Association) and led at Telefónica by ElevenPaths, becomes a perfect complement to the OpenNAC technology of Opencloud Factory.

ElevenPaths along with Kaspersky uncover several malicious apps on Google Play

Monday, February 27, 2017

ElevenPaths, along with Kaspersky Lab and its GReAT team (Global Research and Analysis Team), recently published an investigation revealing how malicious apps are operating in Google Play by subscribing users to special tariff numbers. They analysed which type of app is mostly used to get potential victims' attention, which tactics were used to disseminate the apps, the infrastructure code and the management panels used in the campaigns.


ElevenPaths and Consultores de Firma Avanzada together to protect Digital Banking, Insurance and Utility sectors

Wednesday, February 22, 2017


The scientific advances in facial and voice recognition, or in biometric signature recognition, are already a reality. In this context, we announce our most recent technological partnership with Consultores de Firma Avanzada. On their part, they bring Firming, the biometric platform for secure contract signing created by Consultores de Firma Avanzada, and on our part, SealSign, created as an electronic and biometric signature solution.

This partnership answers the existing demand in the world of Digital Banking, as well as from Insurance and Utilities companies looking for an independent and mobile solution, so that their customers can sign their contracts in a protected and faster way through smartphones, tablets and other devices.

Latch Plugins Contest 2016: Videos and Documentation

Tuesday, February 21, 2017


You can find here the compilation of plugins submitted to the Latch Plugins Contest 2016. Congratulations to all participants for the work done and the results!

ElevenPaths and Enigmasec join forces to help small and medium-sized organizations in the face of system intrusions

Monday, February 20, 2017



Last week, we announced a partnership with Enigmasec, a company specialized in cybersecurity incident response, with the goal of improving its capabilities against cyberattacks that break through traditional defense mechanisms.

Nowadays, there is no accessible tool that can compile the information from a security incident, helping to reduce its response time. In this context, Enigmabox emerges, a tool created by Enigmasec to detect security incidents and collect data for analysis. Igor Lukic, Enigmasec's CEO, tells us that "Enigmabox works like an airplane's black box, so in case our customer has a security issue, all its information will be stored in the same place. It also works as a warning system to provide responses to security incidents".

ElevenPaths and the Cyber Threat Alliance (CTA) collaborate in sharing intelligence about cyber threats

Friday, February 17, 2017

In 2015, ElevenPaths, together with other market-leading companies, such as Check Point, Cisco, Fortinet, Intel Security, Palo Alto and Symantec, joined forces in a community that aims to exchange cyber threat intelligence. This community is called the Cyber Threat Alliance (CTA).
In January 2017, the Cyber Threat Alliance became a non-profit organisation and, after that, announced Michael Daniel, former cybersecurity coordinator in the White House, as its President. In this context, ElevenPaths and the Cyber Threat Alliance renewed and accelerated their commitment to exchanging cybersecurity intelligence, in order to provide better support and security to our customers.

ElevenPaths joins Saint Patrick Technology to offer security solutions based on the latest Big Data technologies

Thursday, February 16, 2017

We announce today our most recent partnership with Saint Patrick Technology, a leading company in the development of solutions based on the latest technologies, such as AR, VR, NFC, RFI and Big Data.

With this collaboration, we aim to share knowledge, synergies and technical resources to develop digital security products and services. ElevenPaths' Vice President for Strategic Alliances, Rames Sarwat, says: "Thanks to this partnership, ElevenPaths and Saint Patrick Technology will work together on the development and distribution of products and services for both companies. We want to reach the Spanish market and also the markets in Ireland and the UK."

"The products developed by Saint Patrick Technology fit perfectly with ElevenPaths' Identity and Access Solutions," says Roberto Rodríguez Gómez, Partner Director at Saint Patrick Technology. Along these lines, Saint Patrick Technology joins the ElevenPaths Partners Program as an SSP (Solution & Services Partner).

This new deal supports ElevenPaths' and Saint Patrick Technology's objective of developing and implementing mobile apps specialised in technologies such as AR, VR, NFC, RFI and Big Data. Both companies will include these services in their portfolios, increasing the options for technological and consultancy solutions as well as latest-generation developments.

For more information, check the Partners Section in our webpage.
Do you want to know more about the ElevenPaths Partner Program? Contact us!

To see the Press Release done by ElevenPaths and Saint Patrick Technology, click here.

Latch Plugins Contest 2016: we finally have winners!

Wednesday, February 15, 2017

We can now announce the winners of our "Latch Plugins Contest 2016", which showcase the creativity, ideas and imagination of the participants in the submitted proposals. This edition consolidates the contest and the community of developers who feed and develop Latch.

In our community, you can find the documentation, videos and plugins of all participants who have shown great interest, effort and quality in the works submitted. Here is a brief description of the winning plugins and hacks:

First prize – 5.000 USD
Winner: Álvaro Caso
Plugin: Mosquito MQTT

Description:
This plugin easily adds second-factor authorization to the IoT ecosystem by performing the integration on the MQTT broker (a lightweight M2M messaging protocol) rather than on the devices.

This way of working frees resources and improves compatibility and scalability.

What we liked:
The approach to the proposed solution looks interesting and original. The integration with a protocol like MQTT increases the usability of Latch and allows great diffusion in commercial solutions, such as Telefónica's IoT Stack.

Video:

Second prize – 2.000 USD
Winner: Juan Camero
Plugin: Latch OpenWRT

Description:
A plugin for the OpenWRT open firmware used on neutral routers. It manages the Internet connection of wireless devices through a smartphone with the Latch app in a simple and intuitive way. It adds an extra layer of security for Internet access through the router, denying access to the network if an attacker gets past the first security measures, such as the access point key or a MAC filter, with MAC spoofing techniques, etc.

What we liked:
The approach is good and has great development possibilities. The scope of OpenWRT is wide because of its community of users and its compatibility with the neutral routers on the market. The integration with the web GUI (LuCI) is excellent and the installation is simple.

Video:

Third prize – 1.000 USD
Not awarded


We want to thank all the participants for their contribution and enthusiasm, as well as for being part of our community and the exchange of ideas. Congratulations to the winners!
Share your knowledge, experience and curiosities with our experts. Talk to them in our community. They are waiting for you! And remember to visit the website with the Latch plugins and strengthen your systems.

For more information:
elevenpaths.com
latch.elevenpaths.com

Jam Session with Greg Day Madrid 2017 Roundup

Tuesday, February 7, 2017

We kick off the month of February by joining our colleagues from Palo Alto to hold our first Jam Session of the year in Madrid. This year we begin our sessions on trending topics in cybersecurity with Greg Day, VP and CSO of Palo Alto Networks, an expert on the GDPR regulation and the NIS Directive.

This event brought together our experts, customers and Palo Alto partners, and we shared thoughts and good practices on the incipient changes in cybersecurity needed to comply with the new European data protection legislation.

How to adapt to the new Data Protection regulation? Did you know that the new European regulation on data protection will be mandatory from May 2018? Do you know how it may affect your company's information security?

Here we recommend reading another post on this topical subject with the view of our expert Pablo Alarcón, so that you can learn everything you need to know about the new European Regulation on Data Protection.

Interested in learning more about ElevenPaths events? Visit our events page for more information.


New Report: Most common errors when implementing HPKP, HSTS and preload conditions

Tuesday, January 17, 2017

We have collected and visited two different sources of domains and web pages: the Alexa top million domains, and Shodan. These results come from November 2016 searches. From those domains, we have restricted the search to determine which ones use HSTS or HPKP over HTTP or HTTPS, and even which of them use different configurations for the headers. We have tried to determine not only the quantity but also the "quality" of the implementation. Just 0,02% of the most popular domains implement HPKP in the best possible way, and just 0,74% do so with HSTS. Even Whatsapp.com and Facebook.com have some errors.

We now show some excerpts from the report, which you can find here.

Number of pins

When implementing HPKP it is important to respect the number of pins required. Although the recommended practice is to use between 3 and 4 pins, some domains use from just one pin (violating the RFC) up to 17, which seems to be an irregularity that reduces its efficiency. Regarding the Alexa top million domains, 282 out of 450 use 2 or 3 pins, which is correct. 89 (19,8%) use zero or just one, which is useless from the browser standpoint, since it will ignore the header.

Number of pins offered by top 1 million Alexa domains using HPKP.

Which certificate to pin

When using HPKP, choosing the right certificate to pin may be an important decision. Administrators may pin any certificate in the chain (root, intermediate or leaf), but this decision directly affects maintainability from the administrator's standpoint and security from the user's standpoint. There is a tradeoff between security and maintenance.
  • Pinning the root offers less security, but an easier way for the administrator to deal with HPKP. This means that, as long as the administrator does not change its CA provider, no additional changes need to be made, so less maintenance is required. On the other hand, if an attacker gets a fake certificate from the same CA, the browser would not detect the difference, since the root remains the same.
  • Pinning the intermediate certificate is arguably the best choice. The attacker would have to get a certificate from the same subCA to make the "perfect" attack. The administrator, on the other hand, may change its leaf certificate as long as it comes from the same subCA, with no extra cost of changing pins.
  • Pinning the leaf is the most secure way, but the most "dangerous" as well. If the certificate expires or for whatever reason the certificate changes (more specifically, the public key), even if issued by the same CA or subCA, the administrator has to modify its pins or use the backup one. On the other hand, an attacker would not be able to create a valid certificate (unless the private key is stolen) to set up a "perfect" man in the middle scenario.
So we have checked which certificate administrators pin, and this is what we have found. Most of them (73,65%) pin the intermediate certificate.

Pinned certificates in the trust chain for the top million Alexa domains using HPKP.


Pins reuse

Reusing pins among different domains is not an invalid practice at all. Considering that most of the pins used in HPKP are "intermediate" pins, mostly from subCAs, it is even absolutely normal to share some pins between domains. But this practice brings a little risk. From an attacker's standpoint, knowing which subCAs or even CAs are pinned may allow a specific APT against that domain to be planned. For example, if a domain issues its intermediate certificates with a specific subCA and pins this intermediate certificate, an attacker that gets a rogue leaf certificate for that domain issued from the same subCA will still have a perfect MiTM situation, since the browser will not show any warning message. Therefore, from the attacker's standpoint, being able to determine whether a domain pins its intermediate certificate, and furthermore which subCA is pinned, helps to choose whom to target. Additionally, if the attacker wants to maximize its scope, it would try to get a rogue certificate signed by this "popular" subCA.

The following map represents which certificates (and their pins) are pinned by the most domains. These are the top 25 most pinned certificates. Since the protocol exposes only the pin and not the certificate itself, it is necessary to "unhash" the certificate. We have collected several million certificates and hashed them to compare the results with the pins associated with the domains. The results show that an intermediate certificate from Comodo is the most pinned certificate (klO23nT2ehFDXCfx3eHTDRESMz3asj1muO+4aIdjiuY=). It is pinned by 40 different domains from Alexa and Shodan.

Pins reuse map. Click to enlarge.

Preload

To avoid the "Trust on first use" issue, the "preload" mechanism was introduced. Preloading works like a root CA embedded in the browser: it is basically a list of domains that are willing to be accessed securely with HSTS from the very first time. This list is maintained by Google, and some conditions have to be satisfied to belong to it.
  • Have a valid certificate chain and redirect from HTTP to HTTPS on the same host (of course).
  • Serve all subdomains under HTTPS. WWW is mandatory if it exists in the DNS server.
  • Serve the HSTS header via HTTPS with these properties:
    • max-age is at least 18 weeks (10886400 seconds).
    • The includeSubDomains directive must be included.
    • The preload directive must be included.
    • If serving an additional redirect from the HTTPS site, it must still use the HSTS header (rather than the page it redirects to).
If all these conditions are satisfied, the domain owner may apply for inclusion at hstspreload.appspot.com, and the domain will eventually be included in the list. This webpage also allows checking whether a domain satisfies all these conditions. There are a total of 18197 domains preloaded in the Chromium list (shared with Firefox). As of December 2016, only 2056 domains from the Alexa top 1 million are in that list.

Preloading status in Alexa's top million domains

In the background, hstspreload.appspot.com uses a public API that provides the reasons why a specific domain may or may not be preloaded. We have checked all the top million Alexa domains against this API, to find out whether the preloaded domains really satisfy all the conditions to be preloaded. When a domain is checked against this API or the preload list, the domain is visited in real time and errors are checked. It is interesting to note that, of those 2056 preloaded domains in the top Alexa list, 662 contain some errors, so, strictly speaking, they should not be preloaded. We have even detected that 67 out of those 2056 preloaded domains do not contain the preload directive in the header, which likewise violates the conditions. Whatsapp.com and Facebook.com are domains that do not meet the mandatory conditions to be preloaded, yet they actually are.
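The checks described in the "Number of pins" section and in the preload conditions above can be run locally against a header string. The following is an added example, not code from the report or from the preload service; it assumes the header value has already been read from the server response and constructs its own sample headers (the first pin is the Comodo intermediate pin quoted above).

```python
import re

# Floor the preload list requires for max-age: 18 weeks = 10886400 seconds
PRELOAD_MIN_MAX_AGE = 18 * 7 * 24 * 3600
# A pin-sha256 value is the base64 of a 32-byte SHA-256 digest: 44 characters
PIN_RE = re.compile(r"[A-Za-z0-9+/]{43}=")

def parse_directives(header):
    """Split 'max-age=31536000; includeSubDomains; preload' into a dict of
    lower-cased directive names; a repeated name (pin-sha256) keeps every value."""
    directives = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        directives.setdefault(name.strip().lower(), []).append(value.strip().strip('"'))
    return directives

def check_hsts_preload(header):
    """Return the preload conditions an HSTS header fails (empty list = OK)."""
    d = parse_directives(header)
    errors = []
    age = d.get("max-age", [""])[0]
    if not age.isdigit():
        errors.append("max-age missing or not a number")
    elif int(age) < PRELOAD_MIN_MAX_AGE:
        errors.append("max-age below 18 weeks")
    if "includesubdomains" not in d:
        errors.append("includeSubDomains directive missing")
    if "preload" not in d:
        errors.append("preload directive missing")
    return errors

def check_hpkp(header):
    """Return the problems with a Public-Key-Pins header: fewer than two pins
    (a browser ignores the header), too many pins, malformed pins or a bad max-age."""
    d = parse_directives(header)
    errors = []
    pins = d.get("pin-sha256", [])
    if len(pins) < 2:
        errors.append("fewer than two pins: the browser will ignore the header")
    elif len(pins) > 4:
        errors.append("more than 4 pins: above the recommended 3 to 4")
    if any(not PIN_RE.fullmatch(p) for p in pins):
        errors.append("pin is not a base64 SHA-256 digest")
    age = d.get("max-age", [""])[0]
    if not age.isdigit():
        errors.append("max-age missing or not a number")
    return errors

if __name__ == "__main__":
    # Constructed sample headers, not captured from any real server
    print(check_hsts_preload("max-age=31536000; includeSubDomains; preload"))
    print(check_hpkp('pin-sha256="klO23nT2ehFDXCfx3eHTDRESMz3asj1muO+4aIdjiuY="; max-age=5184000'))
```

The single-pin header in the usage lines is exactly the case the report counts as "useless from the browser standpoint".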




Conclusions

Although the HSTS and HPKP protocols are intended to provide an additional layer of security to HTTPS communications, their implementation is not widespread. At the server level, many of the most relevant Internet domains do not even implement them. Moreover, among the minority of domains that do use them, there is a significant number of implementation errors, even a disregard of the recommendations of their respective RFCs. This situation shows both low adoption levels and, somehow, some misunderstanding about how to take full advantage of these protocols. Some of the most interesting figures are:

  • From Alexa, we have collected 632648 HTTPS domains and 901958 HTTP domains. We retrieved 30886979 HTTPS (port 443) domains and 45330802 HTTP (port 80) domains (a total of 76217781) from Shodan.
  • Only 1,9% of domains in Shodan use HSTS correctly over HTTPS, while just 5,35% of the Alexa top million do so.
  • 4717 (roughly 0,74%) of the top million domains in Alexa using HTTPS (632648) are implementing HSTS in the best possible way.
  • 175 of the top million domains in Alexa using HTTPS (632648), roughly 0,02%, are implementing HPKP in the best possible way.
  • 20% of top Alexa domains using HPKP over HTTPS use zero or just one pin, which is useless from the browser standpoint since it will ignore the header. Most of them (73,65%) pin the intermediate certificate.
  • 17% of domains in Alexa implementing HPKP are using a wrong or ignored max-age value.
  • The most used pin (a certificate from Comodo) is pinned by 40 different domains from Alexa and Shodan.
  • There are a total of 18197 domains preloaded in the Chromium list (shared with Firefox). As of December 2016, only 2056 domains from the Alexa top 1 million are in that list.
  • Of those 2056 preloaded domains in the top Alexa list, 662 contain some errors when checked against the official preloading API, so, strictly speaking, they should not be preloaded. Whatsapp and Facebook are among the domains that do not meet the mandatory conditions to be preloaded, yet they actually are.
Here is the whole report.




See You at the RSA Conference 2017

Monday, January 16, 2017


The U.S. city of San Francisco is to host once again, as it does every year, one of the most important events worldwide in the field of security, RSA Conference. From 13 to 17 February, the most relevant players within the industry worldwide will gather, and ElevenPaths, Telefónica's cyber security unit, will be there among them of course.

We offer you a pass to the exhibition area absolutely free of charge. To get your ticket you only need to register here using the code: XE7TELFNCA. Deadline for registration February 10th.



We look forward to seeing you at stand #410 in the South Hall of the Moscone Center, where you can:
  • Enjoy a one-on-one with ElevenPaths' senior executives and cyber experts.*
  • Join our Cyber Security lovers' day party on Tuesday 14 February at 3:00 p.m.


Remember! We look forward to seeing you from 13 to 17 February at the RSA Conference in San Francisco, at the Moscone Center, South Hall, stand #410.

*In order to book your one-on-one with our experts you should complete the mail with your name, surname, title, availability schedule, company, meeting purpose. Deadline for booking February 9th.

Browser Extension Usage by the Islamic State Propaganda

Friday, January 13, 2017

One of the tools that the Islamic State has been using to spread its propaganda is the use of social networks. In the past they have shown how capable they are of expanding their capabilities to cover smartphones and mobile devices, but recently they have also opted for the development of browser add-ons in order to further facilitate access to their content.

Although Firefox extensions are mainly distributed by means of the official market run by Mozilla, the Amaq News Agency, identified as part of the Islamic State's propaganda apparatus, is also distributing .xpi files on related websites. These files are .zip archives renamed to .xpi, containing the JavaScript, CSS and HTML code that defines the behaviour of the extension.


About this extension, we have identified at least two different versions, 1.0.1 and 1.0.2, whose folder structure contains the same series of source and data files.
.
├── bootstrap.js
├── data
│   ├── safe-16.png
│   ├── safe-32.png
│   ├── safe-48.png
│   ├── safe-64.png
│   ├── safe.png
│   ├── unsafe-16.png
│   ├── unsafe-32.png
│   ├── unsafe-48.png
│   ├── unsafe-64.png
│   └── unsafe.png
├── icon.png
├── install.rdf
├── lib
│   └── main.js
├── META-INF
│   ├── manifest.mf
│   ├── mozilla.rsa
│   └── mozilla.sf
└── package.json

The three most interesting files are package.json, install.rdf and the JavaScript source file found at lib/main.js:
  • package.json contains metadata and information about the extension, such as the name, the author, the license or the permissions required.
{
    "name": "amaq",
    "title": "Amaq AR",
    "id": "jid1-5Fs7iTLaaUaZBgwdar@amaq",
    "description": "Amaq AR.",
    "author": "Amaq AR",
    "license": "MPL 2.0",
    "version": "1.0.2",
    "icon": "icon.png",
    "permissions": {
        "private-browsing": true
    },
    "engines": {
        "firefox": ">=38.0a1",
        "fennec": ">=38.0a1"
    },
    "main": "lib/main.js",
    "devDependencies": {
        "gulp": "^3.8.11",
        "gulp-image-resize": "^0.6.0",
        "gulp-rename": "^1.2.2"
    }
}
  • install.rdf defines, in the em:targetApplication field, the applications and versions the extension is intended to be installed in. In this case, it explicitly shows that it is valid for different versions of Firefox browsers, including Firefox for Android (defined by the tag <em:id>{aa3c5121-dab2-40e2-81ca-7ea25febc110}</em:id>).

<em:targetApplication>
    <Description>
        <em:id>{ec8030f7-c20a-464f-9b0e-13a3a9e97384}</em:id>
        <em:minVersion>38.0a1</em:minVersion>
        <em:maxVersion>43.0</em:maxVersion>
    </Description>
</em:targetApplication>
<em:targetApplication>
    <Description>
        <em:id>{aa3c5121-dab2-40e2-81ca-7ea25febc110}</em:id>
        <em:minVersion>38.0a1</em:minVersion>
        <em:maxVersion>43.0</em:maxVersion>
    </Description>
</em:targetApplication>

  • lib/main.js defines the code of the extension itself. In this case, it opens a new tab pointing to a given URL, as shown in lines 107 and 108. The only difference between versions is the IP address shown in line 108.

var tabs=require("sdk/tabs");
tabs.open("http://190.14.37.220/v/");
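The three files above are what an analyst would pull from such an add-on when triaging it. The following is an added example, not code from the post or from the add-on; it treats the .xpi as the renamed zip the post describes, reads package.json and install.rdf, and extracts every URL passed to tabs.open. The sample archive it builds is constructed here: the add-on id and the TEST-NET address are placeholders, and only the Firefox desktop GUID is taken from the install.rdf excerpt above.

```python
import io
import json
import re
import zipfile

# The SDK call highlighted in the post: tabs.open("<url>")
TABS_OPEN_RE = re.compile(r"""tabs\.open\(\s*["']([^"']+)["']""")
# Target application GUIDs in install.rdf: <em:id>{...}</em:id>
TARGET_ID_RE = re.compile(r"<em:id>(\{[0-9a-fA-F-]+\})</em:id>")

def triage_xpi(xpi_bytes):
    """Summarise an SDK-style .xpi (a renamed zip): package.json metadata,
    target application GUIDs and every URL the add-on code opens in a tab."""
    summary = {"name": None, "id": None, "version": None,
               "permissions": {}, "targets": [], "urls": []}
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as z:
        names = z.namelist()
        if "package.json" in names:
            meta = json.loads(z.read("package.json").decode("utf-8"))
            for key in ("name", "id", "version"):
                summary[key] = meta.get(key)
            summary["permissions"] = meta.get("permissions", {})
        if "install.rdf" in names:
            rdf = z.read("install.rdf").decode("utf-8")
            summary["targets"] = TARGET_ID_RE.findall(rdf)
        for name in names:
            if name.endswith(".js"):
                src = z.read(name).decode("utf-8", errors="replace")
                summary["urls"].extend(TABS_OPEN_RE.findall(src))
    return summary

def build_sample_xpi():
    """Constructed sample mirroring the layout described in the post; the
    add-on id and URL are placeholders (TEST-NET address), not the real artefact."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("package.json", json.dumps({
            "name": "sample", "id": "sample@example.invalid", "version": "1.0.2",
            "permissions": {"private-browsing": True}, "main": "lib/main.js"}))
        # Firefox desktop GUID as quoted in the post's install.rdf excerpt
        z.writestr("install.rdf",
                   "<em:targetApplication><Description>"
                   "<em:id>{ec8030f7-c20a-464f-9b0e-13a3a9e97384}</em:id>"
                   "</Description></em:targetApplication>")
        z.writestr("lib/main.js",
                   'var tabs=require("sdk/tabs");\n'
                   'tabs.open("http://203.0.113.10/v/");\n')
    return buf.getvalue()

if __name__ == "__main__":
    print(json.dumps(triage_xpi(build_sample_xpi()), indent=2))
```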


Using the extension as a bookmark

In the case of the first release of the add-on, 1.0.1, the URL opened was hosted at the IP address 88.80.20.1 (a non-accessible address linked to an internet services provider based in Sweden), while in the most recent version this IP address is 190.14.37.220. This address, still accessible at the time of writing this article, is linked to an anonymous hosting provider based in Panama that runs nginx 1.6.2. However, this resource does not seem to host the contents itself: accessing this URL returns a 302 Moved Temporarily code that redirects to jkikki.at, the agency website. There, this Firefox extension can also be downloaded as amaq_news_agency_ar-1.0.2.xpi together with a hash of the file that would ultimately allow users to verify the legitimacy of the extension.

$ curl http://190.14.37.220/v/ -I
HTTP/1.1 302 Moved Temporarily
Server: nginx/1.6.2
Date: Tue, 10 Jan 2017 11:02:55 GMT
Content-Type: text/html
Content-Length: 160
Connection: keep-alive
Location: https://jkikki.at/

The referred website hosts news in Arabic about Amaq and the Islamic State and is protected by Cloudflare, making it impossible to know the real location of the systems used to serve the contents. With this approach, banning access to jkikki.at would not be enough to stop their propagation mechanisms, since the application developer would only need to modify the Location field to redirect to the new domain hosting the content.



Identifying other affiliated websites

The structure of the URL found in the extension suggested that other domains might exist. The tests conducted returned new 302 responses pointing to at least 6 other domains, also protected by Cloudflare, whose content is also tied to the Islamic State. The details of the certificates used indicate recent validity periods, as can be seen in the following table.

URL                       Redirected domain   Language   Certificate valid since
http://190.14.37.220/b/   bibifm.at           Arabic     2017/01/10
http://190.14.37.220/f/   vosn.pw             N/F        2016/01/06
http://190.14.37.220/g/   baqiya.ga           German     2017/01/01
http://190.14.37.220/h/   halummu.at          N/F        N/F
http://190.14.37.220/t/   nikmat.gq           Bengali    2017/01/10
http://190.14.37.220/u/   vijestiummeta.ga    Bosnian    2017/01/05
http://190.14.37.220/v/   jkikki.at           Arabic     2016/12/31

Apart from this extension, there is no evidence of the existence of others with a similar behavior pointing to the rest of the domains. However, the recent creation of the certificates suggests that similar new add-ons could easily be created by modifying only the URL of the original file to point to one of the URLs shown above.


Registrant information and other metadata

Regarding the registration of the identified domains, those without special privacy protection measures have been registered with email accounts from the encrypted email provider tutanota.com, considering that @keemail.me, @tuta.io, @tutamail.com and @tutanota.com (the last one used to register jkikki.de, a domain linked to the organization that is no longer in use) are all domains of this service.

Domain             Registrant
bibifm.at          francnomoli@keemail.me
vosn.pw            e12b69957ce848b0b00e47a96a5682ef.protect@whoisguard.com
baqiya.ga          N/F
halummu.at         elana.samra@tuta.io
nikmat.gq          N/F
vijestiummeta.ga   N/F
jkikki.at          stephenjells@tutamail.com
jkikki.de          tomorrowdoma@tutanota.com

On the other hand, the rest of the files identified in the extensions do not reveal many details apart from some EXIF data found in the agency logos and icons. According to their metadata, these files seem to have been edited with various Adobe products for Windows.


Assessment

The Islamic State has shown in the past that it uses the means at its disposal to massively spread its content on both social networks and mobile applications. In this case, the use of a browser plug-in is another example of how the individuals linked to this organization are capable of adapting themselves to ensure the dissemination of content, using not only technological assets located in different countries, but also tools and systems such as Cloudflare and various servers and methods to ensure the effectiveness of the diffusion of their message.

Félix Brezo
Intelligence Analyst at ElevenPaths

Yaiza Rubio
Intelligence Analyst at ElevenPaths