ElevenPaths and Symantec plan a joint offer of security solutions for IoT environments

Monday, October 31, 2016

ElevenPaths collaborates with Symantec as technology provider for its Security certificate service for IoT.

Madrid, October 31 2016.- ElevenPaths, Telefónica's Cyber Security Unit, announces its intention to collaborate with Symantec, a global cybersecurity leader, on integrating the Symantec Managed PKI Service in order to protect IoT environments against cyberattacks.

In the Internet of Things, millions of different devices are interconnected in an open digital environment and need to communicate securely at all times in order to preserve the trustworthiness of IoT applications. Identity and authentication are a cornerstone of building such trust, so Telefónica is developing ways to securely and indisputably identify those devices and secure the data transmitted among them.

Just as, in the physical world, an ID card or passport identifies us as people, in the IoT context Telefónica is developing its Trusted Public Key Infrastructure service, relying on best-in-class Symantec Managed PKI certificate technology to ensure that connected devices are exactly what they claim to be and that the code running on them is authorized.

The high-volume, high-performance managed certificate service that Symantec offers will allow Telefónica to embed certificates in hardware or issue them in real time, as each use case requires. These code-signing certificates and cloud-based signing-as-a-service will be part of Telefónica's comprehensive offer for IoT environments.

With the new technology incorporated by Telefónica, companies that require large-scale IoT deployments will be able to manage the certificate lifecycle (auto-enrollment, renewal and revocation) in order to secure communications with mutual identification, encrypt communications end-to-end, and guarantee the integrity and traceability of transactions.

The Trusted Public Key Infrastructure service is integrated with other security and managed IoT connectivity services such as Smart M2M, and is part of the IoT security solutions currently offered by Telefónica, such as CyberThreats, which detects and identifies the modus operandi of cybercriminals and the methods used in attacks against IoT infrastructure, and Faast IoT, technology specialised in detecting and analysing vulnerabilities in IoT ecosystems.

ElevenPaths and Symantec intend their future collaboration to deliver on 4 key cornerstones that drive the IoT and its security: the protection of communications and of the identity and authentication of IoT devices; the protection of the devices themselves, including host-based protection and reputation-based security; the management of the devices, including OTA management; and the understanding of the IoT environment through security analytics that help flag any anomaly.

Now you can use Latch with Dropbox, Facebook and others digital services

Saturday, October 29, 2016

Many of you have asked us which services you can use Latch with, regretting that so far it could not be used with the most common services, such as Dropbox, Facebook or even Google itself. Well, the new version of Latch comes with a new feature that allows you to use Latch to protect your accounts on these and many other services. It is now available for Android and Windows Phone, with the iPhone version coming soon.

What is this functionality about?
This new feature implements the TOTP protocol (Time-Based One-Time Password), which generates a password that is valid for a limited period of time. Services that support it (including those above) may ask users for this password as a second authentication factor if the user has enabled it in their settings. Users of these services will thus receive this temporary code in the Latch application installed on their mobile phone, and use it as a second factor (after authenticating with their user name and password) to access the service.

What’s new?
Apps already on the market for this purpose generate TOTPs tied to the mobile device, so that if the user has a problem with it, such as loss or theft, or simply has to reset it to factory settings for some reason, they will need to pair the services protected with this second factor again with the application they use.

In Latch, we have created what we call Cloud TOTP, which consists in associating the TOTPs with the Latch account instead of with the mobile device, thus simplifying the recovery process in case the device is lost.

How can I use it?
To start using this new functionality, you just need to follow these steps:
  • First, create a Latch account and install the Latch app on your mobile device.
  • Then, go to the settings of the service you want to protect with second-factor authentication and enable it. Taking Dropbox as an example, go to Settings -> Security, look for “Two-step verification” and enable it as shown below; you will then be guided through a series of screens. When asked how you want to receive security codes, select “Use a mobile app”.
Image 1. Enabling two-step verification in Dropbox

  • Finally, add the new service to Latch by capturing the QR code provided by Dropbox, following the steps in the Latch app, as shown below.

Image 2. Dropbox QR code
Image 3. Capturing the QR code with Latch

Stay tuned! We'll post video tutorials on using Cloud TOTP with services such as Dropbox, GitHub, Facebook, Google, etc.

Find out much more about Latch!

Cryptographic Security in IoT (II)

Thursday, October 27, 2016

The proliferation of IoT service platforms and devices is occurring much faster than the adoption of security measures in the field. Faced with the urgent need for mechanisms that guarantee the authentication, integrity and confidentiality of both communications and the devices themselves, the trend is to carry over cryptographic solutions proven in traditional IT, such as public-key digital certificates over SSL/TLS. We are moving forward in the state of the art of cryptographic solutions for IoT.

Given Atmel's long history of developing security elements with cryptographic capabilities, such as TPM modules, microcontrollers for smart cards, cryptographic accelerators, crypto-memories, comparators, etc., it is only natural that the IoT ecosystem has begun to integrate its Crypto-Authenticators to add cryptographic capabilities. These come in three variants:
  • SHA204A: simple authenticator based on MAC/HMAC-SHA-256.
  • AES132A: authenticator and cipher based on the AES/CCM symmetric algorithm with 128-bit keys.
  • ECCx08A: authenticator and cipher based on ECDSA and ECDH elliptic curve asymmetric algorithms, with 256-bit keys.
Their physical characteristics are practically identical, so they are compatible and interchangeable. The choice between them is determined by the needs of the device that hosts them, and although they incorporate numerous features of some complexity, their basic functions are easy to use.

They can be used as highly versatile cryptographic security elements: from simple device authentication, mutual or reciprocal authentication and session key negotiation for full encryption of a communication, to verifying the authenticity of code or data during secure boot (SecureBoot) or remote firmware updates (OTA), etc. All this for less than 1 euro. If the requirements of Atmel's "samples" programme are met, Atmel sends free samples at no extra cost.

I2C Bus
Different small-sized formats are produced, all of them surface-mounted. Although there is a version with only three pins that uses the SWI communication protocol, which for a time Sparkfun sold on a mini board, the 8-pin packages are the most common, with SOIC-8 being the most manageable. For evaluation and testing, using a DIP-8 adaptor is advised; there are different types, including the popular GROVE modules, and you can even make your own.

Only four of its pins are used: two for its flexible, extremely low-consumption power supply, which can vary from 2.0 to 5.5 watts; and two for the I2C bus, which enables connection to microcontrollers such as the popular Arduino, and even to desktop systems and servers by means of adaptors, generally USB ones.

The I2C bus is a standard for serial communication, widely used in the industry to interconnect integrated circuits. It uses two lines to transmit information: a data line (SDA) and a clock line (SCL), both with ground reference (GND).

In systems such as the BeagleBone and Raspberry Pi, the I2C bus is easily accessible both physically, as it is exposed, and logically, through the numerous tools available in GNU/Linux.

If you want to use a conventional system, whether Windows, Linux or Mac, that does not have an accessible I2C bus, the simplest option is a USB-to-I2C adaptor. Commercial ones exist, but it is also possible to build your own thanks to the standard i2c-tiny-usb driver, which lets any system use an Atmel ATtiny 45/85 microcontroller as a USB-to-I2C interface. Only a few brave people dare to use the I2C bus present in the connector of video cards, even though it is technically possible.

Although it does not provide the same functionality, it is also possible to use firmware based on the LUFA library in any compatible Atmel microcontroller, for example the ATmega32u4 of the Arduino Leonardo, creating a "Serial to I2C" interface that is accessible from Python, for example. With the USB adaptors included in the official Atmel development kits, the Microsoft Word tools included free of charge can be used.

Communication on the I2C bus follows a “master-slave” scheme. The master initiates the dialogue and obtains a response from the slaves, which are identified by their 7-bit I2C address. This address is set at the factory, though many devices have mechanisms to modify it, allowing several similar devices to share the same I2C bus.

“Host” systems can only be masters of the I2C bus, and the majority of I2C devices are slaves. Some microcontrollers, for example those used in Arduino boards, can be programmed to behave as masters or as slaves, though it is most common for them to act as masters.

Through the "i2cdetect" command in Linux, or with a simple sketch in Arduino, the I2C bus can be scanned to detect connected slave devices.

In this scanning example, performed either in Linux with an "i2c-tiny-usb" adaptor or in Arduino, the real I2C addresses (in 7-bit format) of the crypto-devices connected to the bus are obtained. Many manufacturers, Atmel included, usually quote I2C addresses in 8-bit format in their specifications (the 7-bit address shifted left one bit, with the read/write bit as the least significant bit), which can cause some confusion.
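As an added example (not code from the original post nor from Atmel), the following Python converts between the 8-bit addresses quoted in datasheets and the 7-bit form that i2cdetect prints, and parses i2cdetect's grid to find which addresses answered the probe. The sample output is constructed, and the address 0x64 in it is an assumed value for the example, not a claim about any particular part.

```python
import re

# Constructed sample of `i2cdetect -y <bus>` output (not captured from real
# hardware): one device answers at 7-bit address 0x64, which a datasheet quoting
# 8-bit addresses would list as 0xC8. i2cdetect prints "--" for no answer and
# "UU" for an address already claimed by a kernel driver.
SAMPLE_I2CDETECT = """\
     0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f
00:          -- -- -- -- -- -- -- -- -- -- -- -- --
10: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
20: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
30: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
40: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
50: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
60: -- -- -- -- 64 -- -- -- -- -- -- -- -- -- -- --
70: -- -- -- -- -- -- -- --
"""

ROW_RE = re.compile(r"^([0-9a-f]{2}):(.*)$")


def to_7bit(addr8):
    """Datasheet-style 8-bit address (R/W bit included) -> 7-bit bus address."""
    return (addr8 >> 1) & 0x7F


def to_8bit(addr7, read=False):
    """7-bit bus address -> the byte actually sent on the wire (LSB is R/W)."""
    return ((addr7 & 0x7F) << 1) | (1 if read else 0)


def parse_i2cdetect(text):
    """Map each responding 7-bit address to 'present' (ACKed the probe) or
    'busy' (shown as UU: a kernel driver already owns it)."""
    devices = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # header line or anything that is not a "xx:" row
        row_base = int(m.group(1), 16)
        for cell in re.finditer(r"\S+", m.group(2)):
            token = cell.group(0)
            if token == "--":
                continue
            if token == "UU":
                # Each cell is 3 characters wide; the column gives the low nibble.
                devices[row_base + cell.start() // 3] = "busy"
            else:
                devices[int(token, 16)] = "present"
    return devices


def locate(text, datasheet_addr8):
    """Look up a device by the 8-bit address printed in its datasheet."""
    return parse_i2cdetect(text).get(to_7bit(datasheet_addr8))


if __name__ == "__main__":
    print("bus scan:", {hex(a): s for a, s in parse_i2cdetect(SAMPLE_I2CDETECT).items()})
    print("datasheet 0xC8 found as:", locate(SAMPLE_I2CDETECT, 0xC8))
    print("0x64 misread as an 8-bit address:", locate(SAMPLE_I2CDETECT, 0x64))
```

Looking up the datasheet value 0xC8 finds the device; treating the 7-bit value 0x64 as if it were 8-bit (0x32 on the bus) finds nothing, which is exactly the confusion the post warns about.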

Open Source libraries
Together with detailed documentation, Atmel provides open source libraries for managing its cryptographic devices from its own line of microcontrollers and SoCs.

From these libraries, adaptations to different environments began to appear; Josh Datko's work at Cryptotronix once again deserves mention, as it provides numerous examples for both Linux and Arduino.

The Atmel SHA204A Linux driver, called Hashlet, particularly stands out, and has served as a starting point for many other developments.

There are different adaptations for the Arduino platform, each of which has its pros and cons, so a choice must be made to find the one that adapts best to each particular need.

Atmel SHA204A
The Atmel SHA204A is one of the simplest and easiest to use cryptographic devices, though it offers a wide variety of functions relative to its complexity.

Its operation is based on computing SHA-256 digests, used to generate MACs/HMACs (Message Authentication Codes) from internally stored keys. It has 16 slots to store 256-bit (32-byte) keys, each of which can have different access and usage settings, defined when personalising the device, together with an 88-byte configuration zone and a 64-byte OTP (One Time Programmable) zone.

It has a random number generator, with which it implements challenge-response operations without exposing keys (MAC, CheckMac, GenDig), and supports "key rolling" mechanisms (DeriveKey). It is unequivocally identified by an unmodifiable, factory-defined 72-bit serial number (SN).

There is abundant official documentation available on the internet, as well as a large number of examples developed by the open source community. Although it implements 14 commands, it is possible to make full functional use of it with only two of them, as we will see next.
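To make the challenge-response idea concrete, here is an added example (written for this page, not Atmel's code and not the chip's real MAC message format): a host-side model of a SHA-256 authenticator with key slots that are locked at personalisation, a verifying service that holds its own copy of the slot key, a random challenge per round, and a replay check. The slot keys, the serial number and the MAC input layout (challenge || SN || slot) are assumptions made for the example.

```python
import hashlib
import hmac
import os

KEY_SLOTS = 16       # the ATSHA204A has 16 key slots
KEY_LEN = 32         # 256-bit keys
SN_LEN = 9           # 72-bit serial number
CHALLENGE_LEN = 32


class SimulatedAuthenticator:
    """Model of a SHA-256 authenticator: keys are written during personalisation,
    the device is then locked, and afterwards only MACs ever leave it.
    The MAC input layout is a simplification chosen for this example, not the
    exact message the real chip hashes."""

    def __init__(self, serial_number):
        if len(serial_number) != SN_LEN:
            raise ValueError("serial number must be 72 bits")
        self.serial_number = serial_number
        self._keys = {}
        self._locked = False

    def write_key(self, slot, key):
        if self._locked:
            raise PermissionError("configuration is locked; keys cannot be changed")
        if not 0 <= slot < KEY_SLOTS or len(key) != KEY_LEN:
            raise ValueError("bad slot or key length")
        self._keys[slot] = key

    def lock(self):
        """Personalisation step: irreversible, nothing can be written afterwards."""
        self._locked = True

    def mac(self, slot, challenge):
        """MAC command: HMAC-SHA256 with the slot key over challenge || SN || slot."""
        if not self._locked:
            raise RuntimeError("device must be personalised (locked) before use")
        if len(challenge) != CHALLENGE_LEN:
            raise ValueError("challenge must be 32 bytes")
        msg = challenge + self.serial_number + bytes([slot])
        return hmac.new(self._keys[slot], msg, hashlib.sha256).digest()


def expected_mac(key, serial_number, slot, challenge):
    """What the verifying service computes with its own copy of the slot key."""
    msg = challenge + serial_number + bytes([slot])
    return hmac.new(key, msg, hashlib.sha256).digest()


def authenticate(device, host_keys, slot, challenge=None):
    """One challenge-response round: fresh random challenge, device answers,
    host compares in constant time. Returns (accepted, challenge, response)."""
    if challenge is None:
        challenge = os.urandom(CHALLENGE_LEN)
    response = device.mac(slot, challenge)
    want = expected_mac(host_keys[slot], device.serial_number, slot, challenge)
    return hmac.compare_digest(response, want), challenge, response


def check_response(host_keys, serial_number, slot, challenge, response):
    """Stateless verification of a (challenge, response) pair, e.g. by a web service."""
    want = expected_mac(host_keys[slot], serial_number, slot, challenge)
    return hmac.compare_digest(response, want)


# Constructed demo values: not real keys and not a real serial number.
DEMO_SN = bytes.fromhex("0123456789abcdef01")
DEMO_KEYS = {0: hashlib.sha256(b"demo slot 0 key").digest(),
             1: hashlib.sha256(b"demo slot 1 key").digest()}


def make_personalised_device():
    dev = SimulatedAuthenticator(DEMO_SN)
    for slot, key in DEMO_KEYS.items():
        dev.write_key(slot, key)
    dev.lock()
    return dev


if __name__ == "__main__":
    dev = make_personalised_device()
    ok, challenge, response = authenticate(dev, DEMO_KEYS, 0)
    print("genuine device accepted:", ok)
    # A captured response is useless against a new challenge: the host never
    # issues the same challenge twice, so the old MAC no longer matches.
    print("replayed response accepted:",
          check_response(DEMO_KEYS, DEMO_SN, 0, os.urandom(CHALLENGE_LEN), response))
```

The point the model makes is that the verifier needs its own copy of the slot key (provisioned at personalisation) but the device never reveals it; the random challenge is what turns a static secret into a one-time proof, and binding the serial number into the MAC stops a response from one device being accepted on behalf of another.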

Before any cryptographic device can be used, its unique keys and configuration options must be established, and the configuration and OTP zones locked. This process is known as "personalisation" and is irreversible: once performed there is no turning back, and the established parameters remain unchangeable.

ATSHA204A personalisation is easily performed in Linux using the Cryptotronix “hashlet”, as described in its documentation. Once the personalisation command has been executed, the unique keys will be defined and configured in the following manner:

If you have an official Atmel development kit, it is possible to perform the personalisation process from the incorporated tools, but, in any event, it is essential to follow the manufacturer’s indications.

Stay tuned! In the following post about Cryptographic security in IoT, we will take a look at how the HMAC calculation works in technical terms in ATSHA204A. And as a proof of concept (PoC), we will implement the practical use case of an IoT device that must be robustly authenticated by a web service and using cryptographic hardware.

*Related Content:
Cryptographic Security in IoT (I)
Cryptographic Security in IoT (III)

ElevenPaths acquires Shadow technology from Gradiant

Wednesday, October 26, 2016

Chema Alonso (Chief Data Officer of Telefónica and Chairman of ElevenPaths) announced during Security Innovation Day 2016 the purchase of Gradiant's document security solution, SHADOW.
The acquisition is one of the first results of the recent agreement signed between Gradiant and ElevenPaths, Telefónica's global cybersecurity division. Both parties also stated that this acquisition is only the first step in what they hope will be a long history of mutual success.

What is SHADOW?

More than half of companies worldwide (54%, according to data from a 2013 Nielsen report) have at some point suffered losses or leaks of sensitive information. Despite the security measures currently available (DMS, access control mechanisms, firewalls), there are still security holes.
The strongest chain always breaks at the weakest link, and in document security that weak link is very often the human factor.
Leaks of confidential documents, depending on their origin, lead to sensationalist or damaging public disclosures for the companies that suffer them. In other cases, such information, although not made public, ends up reaching competitors or, even worse, criminals.
The damage caused by document leaks is very visible and almost always very serious. It can be financial, reputational or competitive.
SHADOW is an automated tool that provides document traceability by means of digital watermarking techniques. SHADOW provides evidence in the event of a confidential information leak, helping to identify those responsible for the infringement. It converts each copy of a document by inserting invisible watermarks, so that each copy is unique while remaining virtually identical to the original document. This watermark, hidden information that identifies the owner or the recipient of the document, is resistant to distortions such as those produced when printing or scanning documents.
It works as a deterrent against information leaks: it is ideal for hiding information about the origin and destination of confidential documents in order to identify those responsible if a leak occurs once the documents are outside the trusted area for which they were created.
It also provides automatic classification of scanned documents: by adding information about the contents of the documents, SHADOW can classify them automatically.
It is a software solution 100% compatible with any printer or scanner. It ensures traceability of text documents in both digital and printed formats. The information associated with the watermark is fully configurable: it can be linked to the document owner, to its recipient, or to the date and time when the document was printed. Retrieving that information afterwards does not require possession of the original document.
In addition, SHADOW is resistant to distortion, printing and scanning, and is able to recover all the hidden information even from incomplete, broken, wrinkled or stained documents.
SHADOW family
SHADOW FILES: web platform for secure document sharing. The platform allows documents to be sent to recipients previously registered in the system. Each recipient receives a single copy of the document containing hidden information that links that copy to the intended recipient.
SHADOW PRINT: Virtual Print Driver for Windows that allows automatic watermarking as soon as a document is sent to any printer. The printed document includes hidden information about the user account from which it is printed.
SHADOW READER: Tool for extracting information from the document’s watermark.

SHADOW MOBILE: Mobile application for extracting information from the document's watermark (available for iOS and Android).

“State-of-the-art” Partners to tackle the new NIS and GDPR legislation

Friday, October 21, 2016

With a continued rise in cybercrime, and considering our global economy is dependent on data driven decision-making, the EU has published new legislation that will have an impact on every business: the new Network and Information Security (NIS) Directive and General Data Protection Regulation (GDPR).

The NIS Directive is focused purely on security, to promote a culture of risk management and ensure that the most serious incidents are reported, and applies to (i) “operators of essential services”- organisations that provide elements of a country’s critical national infrastructure – i.e. operators in energy, transport, health, banking …; and (ii) “digital service providers” - Cloud providers, internet exchanges, online marketplaces, which are not micro- and small enterprises.

The GDPR is focused on data privacy, aiming to bring data protection legislation up-to-date and into the modern age, and applies to all companies that process EU citizen data, except organisations with fewer than 250 employees with regard to record-keeping, and some exceptions that relate to national security.

By the end of May 2018, the NIS Directive (being an EU directive rather than a regulation, it must be transposed into local legislation in each EU member state before 9th May 2018) and the GDPR will have entered into force in the European Union, giving the organisations covered by these pieces of legislation until that date to establish compliance. Until then, organisations urgently need to plan and improve their overall security strategy in order to comply; otherwise, in the event of a breach (NIS has notification requirements for security incidents, GDPR for personal data breaches), an entity will likely have to defend its use, or lack of use, of a range of technologies and procedures.

The penalties for non-compliance are substantial, and their primary effect will be to raise network and information security and data protection as a business risk directly to boardroom attention. No board member will want to explain to shareholders why profits and the stock price have fallen because of a security or data breach that resulted in a substantial fine. In the case of the NIS Directive, it is the responsibility of each EU member state to determine penalties, but the Directive does specify that they must be “effective, proportionate and dissuasive”. NIS grants authorities the power to initiate audits of private industry for suspected non-compliance. Enforcement will be combined with related regulations, in particular the penalties and fines included in the GDPR: depending on the type of infringement, the fine can reach up to €10m or 2% of global turnover, or up to €20m or 4% of annual worldwide turnover.

Security Requirements: “State of the Art”
NIS and GDPR have different rules and scope, but as regards the security requirements they set for operators of essential services, digital service providers, data controllers and data processors, both pieces of legislation require public or private entities to “have regard to”1 and “take into account”2 the state of the art (NIS and GDPR, respectively) in their cybersecurity. Organisations must therefore take into account technologies and practices that are state of the art in security when deciding how to invest in mitigating the risks associated with the protection of essential services that depend on network and information systems (in the case of the NIS Directive) and with data protection (in the case of the GDPR).

However, neither piece of legislation defines the term clearly or explicitly requires the use of specific technologies. The reason is surely that security capabilities and IT evolve and mature relatively quickly, while legislation is typically long-term.

As the NIS Directive requires each EU member state to implement it locally, maybe we could expect greater precision in future legislation. The NIS Directive indicates3  that member states shall encourage the use of European or internationally accepted standards and specifications relevant to the security of network and information systems, and that ENISA, in collaboration with member states, shall draw up advice and guidelines regarding the technical and security requirements. In the case of GDPR4 , associations and other bodies representing categories of controllers or processors may prepare codes of conduct, or amend or extend such codes, for the purpose of specifying the application of this Regulation. It seems you would need to continuously monitor such standards and codes of conduct, or to follow ISO standards, PCI DSS…, to obtain some kind of guidance and be compliant.

Companies must therefore have a view on what “state of the art” means to them and be prepared to conclude that they don't need to deploy it based on an assessment of risk, or to defend that view in the event of a breach, aiming to avoid the penalties and fine, and more importantly, not to harm your customers and Brand Reputation.

This is what IDC and Palo Alto Networks have recently called the “State of the Art Paradox” in their research on how businesses in Europe perceive the upcoming EU requirement for “state of the art” cybersecurity. The study found that many companies do not have a clear understanding of the concept of state of the art, have no processes or metrics in place to measure their alignment with it, and do not review their position on it with sufficient frequency. IDC surveyed companies with more than 250 employees based in France, Germany, Italy, Spain and the United Kingdom.

Moreover, if you don't know how to tackle the security requirements of the GDPR, you are not alone: neither do 82 percent of the global IT and business professionals responsible for data security at both SMBs and enterprises, according to Dell's global survey on the European Union's new General Data Protection Regulation (GDPR), which reveals that organisations, both SMBs and large enterprises, lack general awareness of the requirements of the new regulation, of how to prepare for it, and of the impact of non-compliance on data security and business outcomes. 97% said their companies did not have a plan in place to implement the new privacy law.

Being prepared and knowing how to address “state of the art” in your organisation is critical: in any post-breach investigation a company will have to defend its use, or lack of use, of a range of technologies or procedures. You need to have a view on what “state of the art” means to your organisation, and be prepared to defend that viewpoint.

Boardroom issue: what should CEOs, CIOs, CISOs, CDOs, CPOs or DPOs do to incorporate “state of the art” into your cybersecurity/data privacy strategy?
Urgently build a Readiness Plan in order to address this knowledge gap, asking some fundamental questions about your companies’ readiness for NIS Directive and/or GDPR, as suggested by IDC/Palo Alto Networks Call to Action recommendations – Download the full report from IDC.

Basically, as recommended also by Palo Alto Networks Executive Advisory Report, ask your CISO and Chief Privacy Officer (or Digital Protection Officer (DPO)5 - new data-focused post required by GDPR) these questions:
  • Does GDPR or the NIS Directive, or both, apply to our company? Who in the business is accountable for these legislative requirements?
  • What is the company view on state-of-the-art security? How did we define it, and who advised us on this?
  • What is the timescale for us to reach compliance, and what actions need to be taken now in order to achieve compliance by the deadlines?
  • How will the business continue to maintain compliance, and what metrics will the business use to validate this to itself and, when required, to any third parties?

This new regulation provides uniform data protection rights across the EU, and, to be in compliance, both European organizations and those outside of Europe that do business there must adopt an adaptive, user-centric, layered security model approach around the tenets of predict, prevent, detect and respond. To be NIS and GDPR-compliant, you will need “state of the art” security solutions and Partners that enable you to predict and prevent attacks, detect a potentially dangerous presence in your networks, respond quickly to that threat, and analyze and report on the health of your networks in real time. By 2020, 60% of digital businesses will suffer major service failures due to the inability of IT security teams to manage digital risk – Gartner, June 2016.

Additionally, every organisation should consider taking out a cyber-security insurance policy. GDPR introduces the concept of continuous compliance, in which an organization must regularly carry out audits of compliance. This means not once a year, or even once every six months, but arguably on a weekly or even daily basis. At any point an auditor can ask your company to demonstrate compliance, and your company must be able to do that more or less immediately. Insurers will demand a certain standard of security and may be unable to quote you properly if you cannot demonstrate the greater consistency of your security framework. A £5 million indemnity limit is common and it is yet to be seen if the insurance industry increases it to cover the potential €20 million fines, which data protection regulators will be able to impose from 2018.

In summary, you will need to launch a Readiness Plan, be sure you have the most modern (state of the art) technology and processes to address the NIS Directive and GDPR legislation, work with the best (state of the art) Partners, and take out a cyber-security insurance policy, so that it can be proven to whomever needs to know that your organization is doing it all correctly.

ElevenPaths Partners Program: State of the Art Partners
We recently announced, during our Security Innovation Day 2016, the launch of the ElevenPaths Partners Program, as we believe that “together we are stronger” and aim to keep innovating together in the fields of security and privacy. We have defined five types of Partner, and we continuously evaluate the market to partner with those that will best help us integrate our experienced security services with your security strategies, in order to help you keep your critical information safe and your business resilient while you focus on your business.

At ElevenPaths we strive to partner with state-of-the-art technology companies and start-ups, aiming to develop and combine modern, innovative and disruptive security products that help you ensure the security of your network and information systems, report your incidents, and manage your data privacy, as required by the NIS Directive and the GDPR respectively. This is what we call our Paths, on which we work every day to offer security today and in the future for these challenges:
  1. Identity and Privacy: To give people control over their personal information and privacy in their digital lives. Identity and access management (IAM) is an important category of technology in the delivery of GDPR compliance, because through effective IAM an organization is able to show who has or had access to what, why, when, and what they did with that access; it is a core principle of defense of important data;
  2. Data Protection: A data protection solution which achieves compliance with GDPR and covers the lifecycle of your company’s information, both in cloud and hybrid or private environments, helping to protect the most valuable asset: information;
  3. Mobility: A secure mobility solution designed to help companies manage and secure access to corporate information from anywhere, at any time and from any device;
  4. Risks and Security Management: A comprehensive and efficient managed security solution for security governance from strategic business units, to help you address the GDPR concept of continuous compliance, in which an organization must regularly carry out audits of compliance;
  5. AntiFraud: A comprehensive, convergent and adaptive solution based on the application of intelligence to detect digital fraud, both in advance and at the moment it is being committed;
  6. CyberThreats:  A solution which helps you continuously prevent, detect and respond to potential cyber-threats that can have a major impact on your organizations' business model, addressing therefore the adaptive security approach suggested by the NIS Directive;
  7. Vamps: A Persistent Vulnerability Assessment & Management solution to help you identify security threats and potential attack methods against your network and systems and allowing a quick management of their correction;
  8. Sandas: A behavioural analysis solution which categorizes and reports incidents and allows you to visualize that information, providing you with automatic responses in real time; and
  9. Sandas GRC: A Government, Risks and Compliance solution which helps you to support your business strategy, to increase your visibility of risk assessment and improve your operational performance, reduce operational risks and ensure regulatory compliance with NIS Directive and GDPR.

As the NIS Directive and GDPR will enter into force soon, time is running out to get your house in order. The timescale for achieving compliance is tight, and we think that organisations of any sizeable scale and complexity will struggle even with the first steps, such as understanding which information security technologies and procedures should be implemented, and what data they hold and how sensitive it is. Do not let the less-than-two-year implementation period tempt you into putting off consideration of the NIS Directive and GDPR: the scale, complexity, cost and business criticality of both pieces of legislation mean that it will take (at least) two years for most companies to achieve full compliance. You need to start now.

Although both laws may require substantial investment for companies to reach compliance, the NIS Directive and GDPR also represent an opportunity for your boardroom to rebuild your security capabilities with a focus on better mitigating cyber risks, becoming cyber-resilient and, together, creating a safer digital world.

Pablo Alarcón Padellano, Alliances & Partnerships

[1] Arts. 14.1 and 16.1 of NIS Directive
[2] Arts. 25.1 and 32.1 GDPR
[3] Standardisation, Art. 19.1 NIS Directive
[4] Codes of Conduct, Art. 40.2 h) GDPR
[5] The DPO is responsible for conducting regular audits of GDPR compliance, which means that firms will have to demonstrate their compliance on a regular basis. The DPO's job will be to watch over in an independent manner how data is stored, used and shared and to advise their organisation on data protection issues.

Latch Plugins Contest: Remember the story!

Thursday, October 13, 2016

Last week ElevenPaths launched a new edition of the Latch Plugins Contest, where you can win up to 5,000 dollars. But remember, what we're looking for is imagination, talent, creativity and a solution provided with Latch.

It all began in 2014 when, after a slight problem with an ElevenPaths job, Chema Alonso asked for your help and offered a financial reward to the person who could come up with the best plugin for Latch. In view of the interest sparked and all the talent out there, a new contest was launched in 2015, giving rise to some very interesting projects that you can discover on our Blog.

If you want to find out how to register for the contest, visit our Community where we explain how to enter and give you some handy tips. You can also join the conversation on the Latch Plugins Contest. And if you want the full low-down on the contest, you can check out the rules.

To see the plugins developed to date and all the documentation, go to the ElevenPaths GitHub. Remember, all the Latch SDKs are Open Source, as are 99% of the available Latch plugins. The Latch web contains detailed information about the API. Integrating Latch with applications couldn't be easier, and our YouTube channel offers loads of content for you to test it. 

Remember, the contest deadline is December 12, 2016. Tap into your inner hack and send us your entry!

*Related content: Winners of the Latch Plugins Contest

New tool: PESTO, PE (files) Statistical Tool

Monday, October 10, 2016

One of the fundamental threats in security is vulnerabilities in general and, in particular, the ability to exploit them to execute code. Historically, dozens of technologies have been developed to mitigate exploits in Windows, creating barriers that stop a vulnerability from ending up in code execution. Many of these countermeasures or barriers need the "to-be-protected binary" to be compiled with a particular option enabled for the protection to be real. PESTO, PE (files) Statistical Tool, has been created to analyze how, and how many, files are protected in the operating system.

PESTO sample of execution

This is a Python script (which needs the pefile library) that searches for every PE binary in a whole directory tree, extracts some PE file security characteristics or flags, and saves the results into a database. It checks the architecture flag in the header, and the following security flags: ASLR, NO_SEH, DEP and CFG. The code is clear enough to modify the flags and formats to your own needs.

More details and flag explanation in here: https://www.slideshare.net/elevenpaths/anlisis-del-nivel-proteccin-antiexploit-en-windows-10


The script just needs a path and a tag. The program will go through the path and its subdirectories searching for .DLL and .EXE files and extracting the flags from the PE header (thanks to the pefile Python library). The program requires a tag that will be used as a suffix for the log and database filenames, so different analyses can be run on the same directory. The information provided by the script is:
  • Percentage of .DLL and .EXE files with i386, AMD64 or other architecture.
  • Percentage of ASLR, NO_SEH, DEP and CFG flags enabled or disabled in the headers.
  • After finishing the analysis it will prompt to export the results in SQL or CSV format.
It will also create a .db file, an SQLite database with the information collected.
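As an added example (not PESTO's own code, which relies on pefile), the following standalone script reads the same header fields with `struct` so it runs without the library, walks a directory for .exe/.dll files the way PESTO does, and computes the same percentages; `build_pe` produces a constructed minimal header so the parser can be exercised offline, and is not real-world input.

```python
import os
import struct
from collections import Counter

FLAGS = {"ASLR": 0x0040, "DEP": 0x0100, "NO_SEH": 0x0400, "CFG": 0x4000}  # DllCharacteristics bits
MACHINES = {0x014C: "i386", 0x8664: "AMD64"}  # IMAGE_FILE_HEADER.Machine values

def pe_security_flags(data):
    """Parse raw PE bytes with struct (instead of pefile); return flags, or None if not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    opt = e_lfanew + 24  # 4-byte "PE\0\0" signature + 20-byte COFF header
    if len(data) < opt + 72 or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)  # same offset in PE32 and PE32+
    result = {"arch": MACHINES.get(machine, "other")}
    result.update({name: bool(dll_chars & bit) for name, bit in FLAGS.items()})
    return result

def scan_directory(root):
    """Walk root as PESTO does, collecting flags for every .exe/.dll that parses as a PE."""
    results = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith((".exe", ".dll")):
                with open(os.path.join(dirpath, name), "rb") as fh:
                    flags = pe_security_flags(fh.read(4096))  # headers normally sit in the first page
                if flags:
                    results.append(flags)
    return results

def summarize(results):
    """Percentages as PESTO reports them: architecture split and share of each flag enabled."""
    n = len(results)
    summary = {"arch_" + k: 100.0 * v / n for k, v in Counter(r["arch"] for r in results).items()}
    for flag in FLAGS:
        summary[flag] = 100.0 * sum(r[flag] for r in results) / n
    return summary

def build_pe(machine, dll_chars, pe32plus=False):
    """Constructed minimal PE header (no sections), used only to exercise the parser offline."""
    size = 240 if pe32plus else 224  # SizeOfOptionalHeader for PE32+ / PE32
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, size, 0)
    opt = bytearray(size)
    struct.pack_into("<H", opt, 70, dll_chars)
    return dos + coff + bytes(opt)
```

Running `summarize(scan_directory(r"C:\Windows\System32"))` on a real system gives the same kind of report PESTO prints; a file that sets DEP and ASLR but not CFG shows up as a binary compiled without Control Flow Guard.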

PESTO is available from our GitHub. Hope you find it useful.

Latch Plugins Contest: the plugins and hacks contest in which you can win up to 5,000 USD

Friday, October 7, 2016

ElevenPaths is announcing a new edition of the Latch Plugins Contest, a challenge for daring doers passionate about technology. Would you like to win 5,000 dollars? Then let your imagination run wild and release the hacker inside you.

Taking part could not be easier. You can present any kind of work or project, such as a final year project for your degree or master's degree, a homebrew plugin to protect your own software, hardware, or processes, and so on. What matters is originality, ingenuity and how the solution contributes to Latch.

To help you on your way, we have posted some tips on how to develop a plugin on our Community. All Latch SDKs are open source, and this is also the case for 99% of the currently available Latch plugins. On the Latch website you can find all the information on the API, which is documented for developers. Integrating Latch with applications is very straightforward and there is now a lot of content available on the website for you to give it a go. If you want to find out more about the plugins (and associated documentation) developed to date, just head to the ElevenPaths GitHub. Once there, you can download and analyze the source code of all current Latch plugins.

If you are unsure of how the contest works, please be sure to consult the legal terms, and visit our Community, where you can ask questions, post comments and join in conversations relating to the Latch Plugins Contest.

The deadline for entries is 12 December 2016, so don't leave it until the last minute: take part now in the Latch Plugins Contest!

There are a lot of things we can "latch onto". Your smart TV? Your Xbox? A hack to control Facebook sessions? You set the limit.

Good luck!

Telefónica and ElevenPaths present new Path6 solution, alliances and investments

Thursday, October 6, 2016

Third anniversary of leadership in innovation and cybersecurity


  • New alliances with prominent technology partners of the sector, such as Fortinet, F5 Networks, Spamina, Logtrust, Apple and Gradiant, and investments in CounterCraft, 4iQ and IMBox, among many others, remain a strategic focus for the company

  • Hugh Thompson, CTO at Symantec + Blue Coat, and one of the world's five most influential thinkers on the subject of information security, is guest and keynote speaker at the IV Security Innovation Day

  • ElevenPaths presents “Path6”, a platform allowing for the continuous detection and analysis of vulnerabilities in mobile apps on a global scale

  • This international event can be followed via live-stream at securityinnovationday.elevenpaths.com/streaming

Madrid, Thursday, 6 October 2016.- Chema Alonso, Chief Data Officer at Telefónica and Chairman of ElevenPaths, has been tasked with presenting the IV Security Innovation Day, a key national and international event on innovation and security, at which the company is presenting its cybersecurity strategy. In the words of Pedro Pablo Pérez, CEO of ElevenPaths: “We are committed to innovation and to forging alliances with the leading players in the market, as our chosen path towards a more secure future”.

In attendance as a special guest was Hugh Thompson, widely considered one of the world's five most influential thinkers on the subject of information security and CTO at Symantec + Blue Coat. Both companies have just developed a technological integration enabling Telefónica customers to control security breaches and define security policies when using SaaS services (cloud services such as Dropbox, Outlook 365, OneDrive, Salesforce, etc.) by using Symantec + Blue Coat's new Elastica service.

The importance of joining forces with the best partners

For ElevenPaths (Telefónica's Cybersecurity Unit) it is essential to join forces with the best partners so as to be able to offer the most innovative solutions to businesses and private customers in a bid to counter the increasing number of cyberthreats.

During the event, the company also discussed its collaboration with Apple. The result of their partnership is a handwritten biometric signature recognition solution intended for companies in the healthcare sector. By combining the advanced functionalities of ElevenPaths' SealSign BioSignature with the iPad Pro and the iPhone/iPod family, users can now authenticate securely by signing, with the full legal force of a signed document. This solution is soon to be customized to meet the specific regulatory requirements and other needs of clients from the financial, energy and services sectors, as well as public authorities.

The new Partners Program of ElevenPaths is the perfect foundation on which to construct agreements such as the one recently signed with Gradiant (Centro Tecnolóxico de Telecomunicacións de Galicia, the Telecommunications Technology Centre of Galicia) to innovate together in the fields of security and privacy. Furthermore, with the aim of creating new services and market-ready solutions, ElevenPaths is also collaborating with the security start-ups CounterCraft (a counter-intelligence company operating in the field of cybersecurity), IMBox (an encrypted and secure instant messaging solution) and 4iQ (a platform for monitoring information leaks), in which Telefónica has recently invested through its Open Future open innovation programme.

Innovation and catalogue of solutions

ElevenPaths has unveiled a project with the code name “Path6”, a proprietary technology developed to detect vulnerabilities in mobile apps at large scale. It is a totally new approach that allows businesses to analyse even those applications they did not know existed.

The events have provided an excellent platform for the company to share its catalogue of security solutions to combat the cybercrime industry. These solutions are intended for small and large companies alike and include the following brand new offerings:

In addition, Telefónica has recently opened its ninth Security Operations Centre (SOC) in Mexico and in November it is set to open its new Advanced Global Centre (Telefónica Advanced Global SOC, TAGS). This extensive network will allow the company to tackle security threats and problems with a global focus but without having to distance itself from customers.

Three years of history 

Telefónica, as part of its drive to make the digital transformation a reality, flagged cybersecurity as a key part of the process. As a result, ElevenPaths was born in April 2013, immediately strengthening the group's long-term commitment to innovation and security and cementing its position as a front-running telco in championing and rolling out a new order within the cybersecurity market. 

The value of its range of cybersecurity solutions has been increased further following the signing of strategic alliances with the main manufacturers, companies and organisations from the sector. The new agreements with Fortinet, F5 Networks, Spamina and Logtrust, which add to the existing partnerships with AlienVault, Symantec + Blue Coat, Intel Security, Palo Alto Networks, RSA and Vaultive, are all essential in that they allow the company to offer the very best cybersecurity products currently in demand.

ElevenPaths is celebrating three years of cybersecurity, during which time it has combined the development of innovative proprietary technologies with the best alliances possible in the world of security. Three years giving reason to believe that a more secure digital world is possible. 

More information:

» Download the press release Telefónica and ElevenPaths present new Path6 solution, alliances and investments in the IV Security Innovation Day