Facebook changes the logic of their TLS policy (partly due to our research), by implementing a ‘two-way’ HSTS

Facebook and privacy. The recent scandal from the social network within the last few weeks does not exactly make it the best example in regards of privacy or secure connections in general. Yet, this is not the issue now. It is certain that it has been the first website (or rather, ‘platform’) to take a very interesting and innovative step in the TLS renewal policy, which the internet has seen within the last few years. Which involves the reinforcement of the TLS concept in general on all fronts: "TLS Everywhere", free and accessible certificates, HSTS, Certificate pinning, Certificate Transparency, in order to set aside the old protocols... This is a deep revision of the ecosystem in which Facebook (and Instagram) unite together with a more than interesting proposal.

You already know what HSTS is all about… the server sends a header to the browser in order to remember that the redirection of the HTTP and HTTPS must be done ‘locally’ (through a redirect type 307), omitting the danger from a network abduction. The web which provides this header, should obviously, be available for HTTPS, and guarantees a minimum good practice with the authentication and encryption which TLS provides. So far, so good, we have talked about this issue a few times, but what if we turn the tables? This is what they thought from Facebook; therefore, they ended up with a more than interesting concept in order to improve overall security, which could be imitated by other platforms.

In search of improved cryptocurrency privacy with Dash, Zcash and Monero

When we talk about cryptocurrencies we often find ourselves with the belief that their use is completely anonymous. However, those who have investigated a little about them (because it is impossible to know about all of the ones which exist) will know that this is not necessarily the case; taking into account that many of the operations are perfectly traceable in the corresponding block chains.

In this way, if we come across Bitcoin or Litecoin addresses in an alleged criminal activity, we can trace the operations back to those which have been found involved, as well as navigating forwards or backwards in time in the block chains. At the same time, we should also get to know the internal history of this cryptocurrency, as if a hard fork has been produced it could be spending these bitcoins in different block chains under different rules. An example of this is the investigation which we published a few weeks ago about the Wannacry addresses tracking the clues through both the Bitcoin and Bitcoin Cash block chains.

So what should we do if during the course of the investigation we end up finding ourselves with a cryptocurrency which we do not have under our radar or which we do not know? Well firstly, most of the time, we will search in Google. However, the Coinmarketcap.com project could be used as a first reference, as it can further provide information about the average rate, which includes official websites of the project and some explorers from the block chain of each cryptocurrency.

Figure 1. Information provided by coinmarketcap about Bitcoin Cash

AMSI, one step further from Windows malware detection

At the beginning it was a virus; pieces of assembly code which connected to the files, so that they could modify the “entrypoint”. Afterwards, this technique was twisted and improved as much as possible, they searched for automatic execution, reproduction, and independence of the “guest” (the malware has already beenstandalone since some time), and also so that it could go under the antivirus radar. “Touch Hard Disk” was the premise (how could they infect it?) and in turn the malware anathema. If it managed to avoid this toll as much as possible, it could get away from the detectors. This technique is called “Fileless”, which sought for an ethereal formula in order to survive within the memory for as long as possible. Hence, it does not touch the disk or delay it too much and it does not land upon what the antivirus firmly controls. "Fileless" has been perfected to such an extent (are you familiar with the malware which combines macros and Powershell?), that there is already a native formula in Windows to mitigate it as much as possible. Yet, it's not getting the attention that it should.

The basic AMSI structure, provided by Microsoft

#CyberSecurityPulse: From the bug bounties (traditional) to the data abuse bounties

Social networks image The Internet giants are going to great lengths to be transparent with their communication about the information they are gathering from their users. In the case of Facebook, they pay millions of dollars every year to investigators and bug hunters to detect security flaws in their products and infrastructure, in order to minimize the risk of being subject to specific attacks. Though, after the Cambridge Analytica scandal, the company has launched a new type of bug bounty to compensate those that report "data abuse" on their platform. Through the new program 'Data Abuse Bounty', Facebook will ask third parties to help them find application developers who are misusing their data. "Certain actors can maliciously gather and abuse Facebook user’s data even when security vulnerabilities do not exist. This program has the intention of protecting us against abuse", according to the publication carried out by the company.

How are we preparing ourselves for the RSA Conference 2018?

2018 is a unique year for us. We continue on our journey with the great security community to jointly combat the threats faced by our sector. At ElevenPaths, Telefónica’s dedicated cyber security unit, we have been working on a new approach, which we will officially announce at the world-leading annual security event, the RSA Conference.

This event will take place from the 16th to the 20th April, in San Francisco (USA), where we will be exhibiting from our stand #2207 in the South Hall of the Moscone Center. You can visit us here for free by registering for an Expo Hall Pass via the official RSA Conference website using our unique access code: X8ETELEF (the deadline to use this code is the 19th April 2018).

A Technical Analysis of the Cobalt phases, a nightmare for a bank’s internal network

A few days ago, a key member from a group of attackers known as Cobalt/Carbanak (or even FIN7 for some of them) was arrested in Alicante. This group has been related to different campaigns against banking institutions, which has caused substantial losses through transfers and fraudulent cash withdrawals in cash machines. We are going to see some technical details from modus operandi, the last wave, how it functions and some ideas about how to mitigate the impacts.

The objective of the group is to access the infrastructure of a financial entity in order to compromise cash machines and withdraw cash fraudulently. Although it seems like science fiction, they do it with network control of the cashpoints, to the point of being able to do it at a specific time, so that it starts to release all of the cash that it contains. Thus, at this moment the ‘mule’ who finds themselves in front of the cash machine will be able carry out the action. More than in the sample analysis, we will focus on the most interesting aspects of the attack phases.

Monero says goodbye to the ASIC miners (at least for now)

Last Friday, 6th April marked an important date for the community of Monero users and developers, as one of the cryptocurrencies led the defense of anonymity for its users. As already commented upon within previous posts, Monero utilizes the CryptoNote protocol which was proposed in October 2013. This conceals who the sender and receiver are of the transaction by utilizing circular signatures or a ring, which mixes the transactions from different users. Furthermore, from January 2017, you can also conceal the transferred balance in each transaction, by strengthening the privacy with the implementation of Ring Confidential Transactions, an improvement of its algorithm.

Figure 1. Iconography of the Monero project.

Accelerating European cyber security between the United Kingdom and Telefonica (Wayra) – Part one of two

The GCHQ (Government Communications Headquarters) is not very well known outside of the United Kingdom. The governmental organization is almost a century old (it will celebrate its 100th anniversary next year), in 1919 it started as the government's school of codes and encryption (Government Code & Cypher School) and it was not until 1946 that it changed its name to what it is now.

The GCHQ’s job is to maintain Great Britain´s security through information assurance and also signals intelligence (SIGINT).

The GCHQ was founded after the first world war and had the important role during the second world war of working on how to break the German Enigma codes and also during the Cold War, from its famous center in Bletchley Park.

Bletchley Park ©GCHQ

#CyberSecurityPulse: Tell me your social networks and you will be welcome in the United States (or maybe not)

The US Department of State wants to ask visa applicants to provide details of their social networks which they have used within the last five years, as well as their phone numbers, email addresses and international trips during this period. The plan, if approved by the US Office of Management and Budget, will extend the background screening to those who have been marked for additional immigration screening; for all of the immigrant visa applicants and for all of the non-immigrant visa applicants, such as business travellers and tourists.