Come to Create Technology at Telefónica's Chief Data Office Unit

Friday, December 29, 2017

Hi Hacker!

Technology is in constant evolution, and so are we. Therefore, at Telefónica, through the Chief Data Office (CDO) led by Chema Alonso, which includes Aura (Cognitive Intelligence), ElevenPaths (Cybersecurity), LUCA (Big Data) and the 4th Platform, we are looking for new talent passionate about technology applied to artificial intelligence in Android development environments.

If you are someone who has the knowledge, the experience and the motivation to change the rules of the game, Telefónica’s CDO unit is the place for you.

#CyberSecurityPulse: The Boom of JavaScript Miners

Tuesday, December 19, 2017

The most common question in recent months, driven by the surge in the value of numerous cryptocurrencies, is: do I invest or not? However, as we know, there are different ways to obtain cryptocurrencies, and one of them is to start mining, which is now an expensive option. It is at this point that the roguery of certain attackers comes to light. Security researchers from F5 Networks spotted a sophisticated malware campaign, tracked as the Zealot campaign, targeting Linux and Windows servers to install Monero cryptocurrency miners. Experts observed threat actors scanning the Internet for particular unpatched servers and compromising them with two exploits, one for Apache Struts (CVE-2017-5638) and one for the DotNetNuke ASP.NET CMS (CVE-2017-9822).

Another recent case was detected in a Starbucks in Buenos Aires, where clients' computers connected to the shop's Wi-Fi started to mine secretly. The company was notified by Noah Dinkin, CEO of Stensul, who asked on Twitter on December 2 whether they were aware of the situation. Dinkin commented in his tweet that the JavaScript miner offered by Coinhive was being used to mine Monero cryptocurrency.

#CyberSecurityPulse: Army Launches Direct Commissioning Program for Civilian Cybersecurity Experts

Tuesday, December 12, 2017

The Army has approved a program to recruit experienced cybersecurity experts directly into the service as cyber officers in an attempt to bolster a growing field that military leaders see as vital to national security. However, this measure, approved by the Pentagon and Congress, is a pilot. At the moment, it seeks to bring five new officers every year for five years.

In Spain, several initiatives have also emerged to counteract the budgetary and training difficulties of the Army. Specifically, the latest measure was published last November by the Joint Cyber Defense Command, which expects to call on a group of experts only in those situations where they are needed, without any compensation in return.

Breaking Out HSTS (and HPKP) on Firefox, IE/Edge and (possibly) Chrome. Our Black Hat research

Monday, December 11, 2017

We have been researching HSTS, HPKP, certificate pinning and TLS technologies in general for a long time. As a side effect of this work, we have found some interesting weaknesses in the way Firefox, Chrome and IE/Edge implement both mechanisms, HSTS and HPKP. With this research we applied to Black Hat Europe 2017 and gave a talk in London on December 7th, in the briefings section. Here are some details about what we presented, as a "digest" of the presentation itself, which may be found here.

ElevenPaths #CyberTricks

Sunday, December 10, 2017

Last Thursday, November 30th, Cybersecurity Day was celebrated internationally. At ElevenPaths we continue the commemoration by collecting some #CyberTricks from our experts (Chema Alonso, Pablo San Emeterio, Yaiza Rubio, Carmen Torrano and Félix Brezo) into a Decalogue, so we know where to pay attention when we are connected from our devices.

Who better than the great leaders of the cybersecurity sector, who know firsthand the most common vulnerabilities, to remind us of the importance of being informed about the real risks of the Internet and anticipating what we should do if we want to be protected while keeping our information safe in the net.

Chema Alonso at ElevenPaths CyberTricks

#CyberTricks Decalogue of ElevenPaths experts

1. "Hack your attitude and learn security!". Chema Alonso

2. "100% security does not exist. Do not reuse passwords and use two factor authentication." Félix Brezo

3. "If you accept by default the privacy options in your social networks, you can expose more information than you are aware of." Yaiza Rubio

4. "Update your devices and applications if you do not want to be exposed to known vulnerabilities." Pablo San Emeterio

5. "Do not forget to close your session, use secure passwords and change them periodically." Carmen Torrano

6. "Be attentive to intrusive advertising, it can be deceptively trying to install malicious software." Yaiza Rubio

7. "Beware of email attachments that you do not recognize, they may include installations of malicious apps." Félix Brezo

8. "Check the URL of the emails before opening them to avoid phishing." Carmen Torrano

9. "If a company claims a debt by email, verify its authenticity in another way, it could be ransomware." Pablo San Emeterio

10. "Improve the security of all your digital identities using two factor authentication. Latch your digital life!" Chema Alonso

#CyberSecurityPulse: Injection and XSS, the Most Critical Web Application Security Risks

Tuesday, December 5, 2017

The Open Web Application Security Project (OWASP) has just updated its top ten list of web app vulnerabilities for the first time since 2013, but not much has actually changed. According to the list, the top vulnerability remains injection, and cross-site scripting (XSS) is still in the top ten despite plaguing web apps for a decade and a half now. Verizon's Data Breach Investigations Report (DBIR) for 2017 also found that of 1,935 confirmed breaches analysed, some 571 involved web app attacks, which makes the seriousness of the OWASP list clear.

On the other hand, Black Duck's 2017 Open Source Security and Risk Analysis (OSSRA) report found open source in 96 percent of the commercial software tested, and known vulnerabilities in two-thirds of those code bases; it is an inertia that is proving very costly. Many organizations do not effectively track and manage open source, and as a result are not fully aware of the risks that accompany its use.

SealSign integration with the Azure Key Vault

Thursday, November 30, 2017

ElevenPaths and Microsoft, thanks to Gradiant technology, have integrated the Azure Key Vault into the SealSign platform. This partnership provides a server-based digital signature and certificate safekeeping service, based on HSM, with a high degree of security, scalability and performance.

The use of secure cryptographic hardware or HSM (Hardware Security Module) provides a very adequate mechanism to safeguard and protect keys (in the fashion of a safe-deposit box). However, the cost and complexity related to installation and configuration hinder greater adoption of this hardware. For this reason, some as-a-service solutions have emerged, such as the Azure Key Vault, which offer the possibility of using HSMs as one more service within a public cloud.

Dumpster diving in Bin Laden's computers: malware, passwords, warez and metadata (II)

Tuesday, November 28, 2017

What would you expect from a computer network that belongs to a terrorist group? Super-encrypted material? Special passwords? On 1 November 2017 the Central Intelligence Agency (CIA) released additional materials recovered in the 2 May 2011 raid on Bin Laden's compound in Abbottabad, Pakistan. We have seen some news about movies, porn, games and other stuff stored on those computers. But we will go further: we will focus on the security aspects of its 360 GB of zipped information. Did they use passwords? Proxies? Encryption? Any special software?

A few hours after releasing the raw information from the hard drives of at least three computers found there, the CIA removed the content due to "technical" issues. Eight days later, they released the data again, but now all Office documents were converted to PDF and EXE files were "deactivated" by removing their headers for "security reasons".

Dumpster diving in Bin Laden's computers: malware, passwords, warez and metadata (I)

Monday, November 27, 2017

The Data Transparency Lab strengthens its work on data transparency after investing over one million euros in three years

  • Barcelona becomes the permanent headquarters of the DTL Annual Conference, which will take place from 11 to 13 December.
  • The DTL is a clear example of the various innovation projects that Telefónica develops at its headquarters in Barcelona.
  • The Laboratory is currently sponsoring research groups of prestigious universities such as Princeton or Berkeley.

Barcelona, 22 November 2017.- The Data Transparency Lab (DTL), created and promoted by Telefónica to carry out research in the field of transparency in the use of data in the digital environment, has established itself as a reference in its sector after making an investment of over one million euros in new applications and programs since its creation in 2014.

Security and electronic signature for any enterprise

Thursday, November 16, 2017

ElevenPaths, Microsoft and Gradiant have collaborated to allow companies to benefit from an advanced platform for electronic signatures and digital certificate safekeeping, integrated with a cloud service for HSM devices, through a simple pay-for-use model.

Guaranteeing confidentiality, integrity and access to information is the main objective of cyber security. The level of protection required varies according to each organization’s needs and the legal or normative requirements of the applicable sector.

#CyberSecurityPulse: The Last Disaster of Ethereum's Most Important Wallets

Monday, November 13, 2017

It is estimated that 587 wallets with around 513,774.16 ethers have been frozen after an anomaly in one of Ethereum's most important wallets was detected. Parity Technologies, a company focused on the development of software specialized in peer-to-peer solutions, published the security alert on November 8, stating that they had detected a vulnerability in the Parity Wallet library contract of the standard multi-sig contract. Specifically, the company considers that those affected are those users with assets in a multi-sig wallet created in Parity Wallet that was deployed after 20th July.

Following the fix for the original multi-sig vulnerability that had been exploited on 19th of July, a new version of the Parity Wallet library contract was deployed on 20th of July. Unfortunately, that code contained another vulnerability which was undiscovered at the time - it was possible to turn the Parity Wallet library contract into a regular multi-sig wallet and become an owner of it by calling the initWallet function.

New tool: SKrYPtEd, your Skype conversations local database protector

Monday, November 6, 2017

Did you know your Skype conversations are stored in plaintext on your hard drive? Did you know that anyone could just grab them with a simple piece of malware and upload them to a server of their own in just a second? Literally. SKrYPtEd is a service that runs on your Windows machine and keeps your database encrypted with a password. You do not need to enter your password every time Skype is used. SKrYPtEd encrypts the messages every time Skype is closed, and does not decrypt them when Skype runs unless you decide to with your password. So, unless you need to check old messages on a daily basis, it is quite transparent for you. And if you do, it is just a matter of typing a password to get your old messages back.

Skype stores its database in plaintext in your profile. It is a SQLite database with lots of data. SKrYPtEd encrypts only the text of the messages, so all metadata is kept. It protects against local or remote attacks in which an attacker interested in the conversations grabs this database or sends it somewhere.

#CyberSecurityPulse: Last Update About Bad Rabbit Ransomware

Tuesday, October 31, 2017

On October 24th, infections by a ransomware called Bad Rabbit began to spread. In less than one day it had targeted organizations and consumers, mostly in Russia, Ukraine, Turkey, Bulgaria and the United States.

The ransomware dropper was distributed with the help of drive-by attacks. While the target is visiting a legitimate website, a malware dropper is being downloaded from the threat actor’s infrastructure. No exploits were used, so the victim would have to manually execute the malware dropper, which pretends to be an Adobe Flash installer.

Whitepaper “Windows Malicious Events Detection With Security Monitoring”

Friday, October 27, 2017

This whitepaper gathers the results of the work carried out by the Telefónica Chief Data Office and the ElevenPaths Product Unit to detect a succession of events, not necessarily security related, that hint that a Windows machine has been compromised, using for that purpose the ElevenPaths product "Security Monitoring". The whitepaper was written by Pablo González Pérez (Security Researcher, ElevenPaths), Santiago Hernández Ramos (Security Researcher, ElevenPaths) and Santiago Urbano López de Meneses (Product Manager, ElevenPaths).

Trend Report: State of Cybersecurity in Spanish companies

Friday, October 20, 2017

The team of analysts at ElevenPaths has carried out a study that aims to show the state of cybersecurity of both Spanish companies in general and those included in the IBEX 35.

This analysis has shown that more work is needed to integrate cybersecurity into the core of all businesses to prevent very basic errors from leading to the increased risks and incidents we see on a daily basis.

#CyberSecurityPulse: The Attack Against the WPA2 Encryption that Poses a Threat to Our Wireless Security

Tuesday, October 17, 2017

On October 16, research was published on an attack against the currently recommended encryption standard for Wi-Fi networks, WPA2. Although the risks to these networks are not new, and attacks against WEP or WPA have already proliferated, making these protocols unsafe, the current scheme was considered robust. Until now.

The attack, proposed by Mathy Vanhoef and Frank Piessens and known as Key Reinstallation Attack (KRACK), exploits a severe weakness that would allow an adversary physically located within range of the wireless connection to access information previously assumed to be safe. Having reviewed the information that has just been released, the consequences are serious if the attack is confirmed, and it would involve up to 10 different CVEs whose content has not been published yet. However, that does not mean that all our connections are affected. The attack affects WPA2 Wi-Fi networks; the most dangerous scenarios assume the physical proximity of the attacker to the network, and it would always affect the confidentiality of the communications within that Wi-Fi network, which would be potentially readable if they did not include another layer of encryption, as HTTPS does for example. Under certain circumstances, the researchers have also been able not only to decrypt, but also to inject packets into the network. In any case, the problem is still serious, because it would extend the range of attacks that have traditionally been carried out on public networks to a number of environments that we have assumed to be reliable.

Telefónica and ElevenPaths integrate their digital signature and biometric solution SealSign with Microsoft Azure

Thursday, October 5, 2017

The company presents its latest developments at the 5th Security Innovation Day

  • This integration of the SealSign platform with Microsoft Azure Key Vault, thanks to the Gradiant technology, will provide users with improved storage, scalability and availability with a saving of implementation costs of up to 80%.

  • A large number of Telcos around the world are joining together to tackle cybersecurity threats. This supplements the 2016 collaboration announcements with Fortinet, Symantec, McAfee, Cisco, Check Point Software Technologies, RSA, Microsoft or Palo Alto Networks.

  • Mikko Hyppönen, Chief Research Officer at F-Secure, and creator of various patents such as the US patent 6577920 “computer virus screening”, is the invited star of the event.

  • It is possible to follow the 5th Security Innovation Day via streaming at

Telefónica promotes the digital transformation towards ‘Industria Conectada 4.0’

Friday, September 15, 2017

* This post was translated and originally published here (Spanish) within the framework of the I Congreso de Industria Conectada taking place in Madrid the 21st of September. The Congress is organized by the Ministry of Economy, Industry and Competitiveness of Spain and is linked to its Connected Industry 4.0 strategy.

Telefónica Business Solutions Reinforces the Security of its Network with Clean Pipes 2.0

Thursday, September 14, 2017

MADRID, 14 September 2017. ElevenPaths, Telefónica’s cyber security unit, today announced the launch of Clean Pipes 2.0, a software-based security service, to prevent known and unknown threats across the Telefónica Business Solutions’ network. The service has been jointly designed by ElevenPaths, Telefónica’s cyber security unit; Telefónica Business Solutions; and Palo Alto Networks® (NYSE: PANW), the next-generation security company.

Securing a Cloud Environment With a Telco Cloud Provider

Tuesday, July 25, 2017

Nowadays, nobody can deny the remarkable benefits of cloud computing, both infrastructure as a service (IaaS) and software as a service (SaaS). Cloud computing drives cost savings, agility to support customer demands and innovation; in short, it is a fundamental factor in corporate digital transformation. On the other hand, cloud computing also involves some level of complexity in dealing with IT security, since organizations delegate certain responsibilities for storing and controlling sensitive data to third parties. In this article, we aim to identify the cloud security handicaps and propose a security model from a Telco Cloud Provider perspective to make the cloud journey easier and safer.

Telefónica and Subex sign a global framework agreement to provide a disruptive FMaaS solution

Saturday, July 22, 2017

Madrid, June 18, 2017. Subex Limited, a leading telecom analytics solution provider, has been selected by ElevenPaths, Telefónica’s Cybersecurity Unit, to offer a Fraud Management-as-a-Service (FMaaS) solution. Telefónica is one of the world’s largest telecommunications companies, with a global presence in 21 countries and an average of 125,000 professionals and 350 million accesses.

The agreement between Telefónica and Subex will result in the new ’Telefónica FMaaS Powered by Subex’ to protect against a comprehensive set of digital risks and threats, along with a library of fraud detection processes. The solution addresses Subscription Fraud, Internal Fraud, Premium Rate Service Fraud (PRS Fraud), and International Revenue Share Fraud (IRSF), amongst others. Additionally, ROC Fraud Management technology deployed by Subex will deliver the ability to deploy client-specific detection processes, techniques and strategies, based on particular business needs at each site.

ElevenPaths is a Fortinet's Alliance Technology Partner

Monday, July 17, 2017

Solutions Integration with Vamps and Metashield

Fortinet is a Strategic Partner of ElevenPaths, Telefónica's Cyber Security unit, with more than 15 years working together, and in June 2016 we strengthened that strategic alliance by adding Fortinet’s Security Fabric architecture to deliver solutions integrated with some of Telefónica’s key managed security services.

ElevenPaths participates in AMBER (“enhAnced Mobile BiomEtRics”) project

Sunday, July 9, 2017

ElevenPaths has participated in the AMBER ("enhAnced Mobile BiomEtRics") project since 1st January 2017 as an Industrial Partner. AMBER is a Marie Skłodowska-Curie Innovative Training Network under Grant Agreement No. 675087, addressing a range of current issues facing biometric solutions on mobile devices. This project will run until 31st December 2020 and will lead the training and development of next-generation researchers in the biometrics area, helping them to align their research activities with academic goals as well as with industrial and professional market requirements.

New tool: PySCTChecker

Monday, July 3, 2017

This is a "quick and dirty" Python script for checking whether a domain properly implements Certificate Transparency. If so, it is possible to observe how Certificate Transparency is implemented on the server side.

When a server implements Certificate Transparency, it must offer at least one SCT (a proof of inclusion of the server's TLS certificate in a Transparency Log). An SCT can be offered in three different ways:

  • Embedded in the certificate
  • As a TLS extension
  • Via OCSP Stapling

Using PySCTChecker it is possible to identify the delivery options that the server uses and the logs the certificate has been sent to. It is also possible to check whether the offered SCTs are valid and legitimately signed by the logs.

This script needs just a list of domains as input. For each domain, it will check whether the server implements Certificate Transparency. If the server offers any SCT, the script will show extra information about it, such as the logs the TLS certificate has been sent to and which method the server uses to deliver the SCT.

python PySCTChecker/ [domain1 domain2 ...]

Output example:

This is a quick and dirty implementation, since it relies on OpenSSL for some features, but we hope it helps to understand how Certificate Transparency works.

You can download and check source code from here.

This tool reinforces the set of tools related to Certificate Transparency developed by ElevenPaths:

The Intelligent MSSP

Thursday, June 15, 2017

For years, Managed Security Services (MSS) have been the most effective strategy to tackle the increasing and changing threat landscape. However, some disruptive factors are compelling a new approach to corporate information security. Specifically, we refer to technology factors, such as the blurring of the organization’s boundaries or the explosive growth of advanced threats; operational factors, like the increasing complexity of organizations' processes; and business factors, for instance the compulsory requirement to implement efficient risk management so as to invest precisely the right budget in security, no more, no less.

How can these requirements be addressed while keeping the complexity of a Managed Security Service under control?
This article identifies the compelling factors and proposes a layered framework for MSS that ensures the right coordination among technology, operations and business to protect the organizations of the future.

ElevenPaths and BitSight deliver enhanced visibility into supply chain risk with continuous monitoring

Tuesday, June 13, 2017

Security Ratings Market Leader Expands Global Reach with New Strategic Alliance

CAMBRIDGE, MA, June 13, 2017. ElevenPaths, Telefónica's Cybersecurity Unit specialized in the development of innovative security solutions, and BitSight, the Standard in Security Ratings, have announced a new alliance that will enhance visibility into supply chain risk for Telefónica customers worldwide.

The agreement between ElevenPaths and BitSight provides Telefónica customers with access to the BitSight Security Ratings Platform for security benchmarking and continuous supply chain risk management. This new offer will be part of CyberThreats, 11Paths’ threat intelligence service, delivering:

  • Objective, outside-in ratings measuring the security performance of individual organizations within the supply chain.
  • Comprehensive insight into the aggregate cybersecurity risk of the entire supply chain, with the ability to quickly generate context around emerging risks.
  • Actionable information included in Security Ratings that can be used to communicate with third parties and mitigate identified risks.

Wannacry chronicles: Messi, Korean, bitcoins and the ransomware's last hours

Monday, June 12, 2017

It is hard to say something new about Wannacry (the ransomware itself, not the attack). But it is worth investigating how the attacker worked during the last hours before the attack. It does not let us uncover the creator, but it surely makes him a little "more human", and opens up questions about his mother tongue, his location and his last hours creating the attack.

Wannacry (the ransomware again, not the attack) is a very easy malware to reverse. No obfuscation, no anti-debugging, not a single mechanism to make life harder for reversers. Aside from the code, some companies have even tried linguistic analysis (it has been widely used recently) to try to find out where the author comes from (although, "more often than not", the result turns out to be China). The result is usually "maybe an English native speaker, maybe not, maybe a native Chinese speaker trying to mislead the analysis..." who knows. But one thing we may know for sure: he likes football, is not greedy and usually types in Korean.

Metadata to the rescue

It has been proved in recent years how useful it is to analyze and extract metadata and hidden information from files. Data is the new oil. Not only sensitive information about the user or organization, software, emails, paths... but also dates, titles, geopositioning, etc. We have heard about spying, political scandals caused by altered documents, insurance frauds... all revealed thanks to metadata.

ElevenPaths announces that its security platform complies with the new European data protection regulation one year earlier than required

Wednesday, May 31, 2017

  • The European regulations will enter into force in May 2018, when entities that do not comply can be penalized with fines of up to 4% of their annual turnover.
  • ElevenPaths introduces new technology integrations with strategic partners such as Check Point and OpenCloud Factory, with Michael Shaulov, Director of Check Point Product, Mobile Security and Cloud, who will be the special guest of ElevenPaths' annual event. ElevenPaths also works with Wayra, Telefónica's corporate start-up accelerator.
  • ElevenPaths collaborates with the CyberThreat Alliance to improve and advance the development of solutions that fight cybercrime.

Telefónica WannaCry File Restorer: How can we recover information deleted by WannaCry?

Thursday, May 18, 2017

When cyberattacks occur in large organizations, it is crucial to remember where duplicate files are stored, as this information is also subject to infection by malware or, more importantly in this case, by ransomware. Best practice involves first tracking where the information is located and then starting the data clean-up, both for Wannacry and for future incidents:
  • Files that are not encrypted were not affected by the malware because the malware did not have time to affect them. There are ways to partially recover files affected by Wannacry, which will be shown throughout the course of this article.
  • It is important to always have backups and security copies that are available offline.
  • Information surrounding the shared units and the cloud units.
  • Information from Office365 email and the data units.
  • Information from removable devices, i.e. Pen drives.
  • Temporary Office files (Word, Excel, PowerPoint). If the infection was present when a document was open, a temporary file will also have been generated. These files will not be on the radar of Wannacry, meaning these files will not become encrypted. Once the files have been cleaned up, Office files can be recovered to the point they were at when Wannacry started. Once the system has been cleaned up, the temporary files generated at the time of infection can be restored.

Security Day 2017: Cyber Security Beats

Tuesday, May 9, 2017

The motto of the fourth edition of our Security Day is Cybersecurity Beats: a conference about security and technology where this year we will show how our security tools get a feel for your company’s information systems. Some of the topics we have chosen for this day are the mandatory compliance with the GDPR regulations as of May 25, 2018, and how to be prepared with our SandaS GRC platform; the latest additions to the ElevenPaths alliances and partners program; and the integration of security solutions to help companies fight cyber attacks against their technological infrastructures. In addition, some of our partners will actively take part, joining us on stage to show you the latest integrations that we have jointly carried out, for example with Check Point MTP and Tacyt. As new features this year, we will unveil our Path6 (it finally has a name!), present some of the cyberattacks we have dealt with this year, hold the awards ceremony for the winning plugins and hacks of our annual Latch Plugins Contest, hosted by Chema Alonso, and much more.

Mum, I want to be a hacker

Friday, May 5, 2017

The hacker concept is most often associated with male ‘techies’ and ‘geeks’. But why is it so difficult to find female role models in the world of technology? We could find the reason in this passionate and lively TED talk given by Christopher Bell, media studies scholar and father of a Star Wars-obsessed daughter, who addresses the alarming lack of female superheroes in the toys and products marketed to children, and how this impacts their view of the world. In the same way, according to various studies, at the age of 11 many girls feel drawn towards technology, science and mathematics, but they lose interest when they turn 15.

In response to this challenge, at Telefónica, through the Chief Data Office (CDO) led by Chema Alonso, which includes Aura (Cognitive Intelligence), ElevenPaths (Cybersecurity) and LUCA (Big Data), we thought about this recurring trend and have decided to "hack" diversity.

ElevenPaths and the University of Piraeus in Greece work together using Tacyt as an educational and research unit

Monday, May 1, 2017

ElevenPaths and the Department of Informatics of the University of Piraeus in Greece are starting a joint collaboration which aims to perform studies and research activities on mobile applications, as well as to provide an educational platform for researchers and students.

Squeezing the numbers and facts of Google’s annual Android security report

Monday, April 24, 2017

Last month Google published its third annual security report on Android’s security protections, aiming to send a clear message to the world about mobile malware (or Potentially Harmful Applications (PHAs), as they like to call them): devices, apps, and Android users are safer than ever. And the entire Android ecosystem is now more secure.

Sending positive messages is fine, but it is good to be realistic as well; that is what makes us all improve. We have squeezed some of the numbers and facts included in the report and concluded that it is hard to believe the Android ecosystem is as secure as Google claims, since the terminology used is not clear and some of the numbers shown are not consistent with each other.

It is all about “malware” definitions
According to the report, PHAs are “applications that could put users, user data, or devices at risk”. This includes, among many others, trojans, spyware and phishing apps. That is fine, but, as Google recognizes, “we are also less strict in our definition of certain PHAs than some users expect. A classic example is advertising spam, which we define as an app that pushes advertising to the user in an unexpected way, such as on the device home screen or lock screen”. This means Google does not count aggressive adware as a PHA, although it is the most common problem for Google Play users. There is no definition of aggressive adware in The Google Android Security Team’s Classifications for Potentially Harmful Applications. How widespread may this “advertising spam” or aggressive adware be? We do not know. Some “so called” advertising campaigns ended up rooting the device. This definitely makes the numbers go down, and it is maybe one of the gaps antivirus companies and Google play with.

Latch and IoT, a perfect symbiosis

Wednesday, April 19, 2017

The Internet of Things stopped being the future to become our present. It’s rare that on any given day we do not interact in one way or another with an IoT device: the radio we use in the mornings, the camera that “takes care” of our baby, the heart rate monitor/watch that we use when we go running or the car that takes us to work. IoT is almost everywhere.

Figure 1: Latch plugin video for Mosquitto

Limiting the use scope of our secrets in Latch with “Limited Secrets”

Wednesday, April 12, 2017

When creating a Latch app as a developer, Latch provides us with an application identifier (appId) and a secret.

These two keys allow us to sign the requests sent to the API, in order to ensure that we are the legitimate owners of that app.

Example of app ID and secret in an application.

ElevenPaths is now an associated partner

Sunday, April 9, 2017

Ransomware has a severe impact on IT companies and users. The increasing popularity of this threat, along with the profitable business it represents for criminals, makes ransomware one of the most urgent and complex cybersecurity challenges nowadays. In this context the NoMoreRansom (NMR) initiative has gained prominence and, nine months after its launch, it has received considerable attention from law enforcement and private partners in the cybersecurity sector.

The platform has a clear mission: on one hand, to support and enable ransomware victims to get their files back without paying the criminals; on the other hand, to share information among security forces to legally track attackers. ElevenPaths brings its expertise in this field, developing and offering tools to the NMR alliance. The work of its Innovation and Lab area has allowed the company to become part of the alliance, as one of the seven associated partners alongside Avast, Bitdefender, the Polish CERT, Check Point, Emsisoft and Kaspersky.

ElevenPaths creates an addon to make Firefox compatible with Certificate Transparency

Monday, March 27, 2017

Certificate Transparency will be mandatory in Chrome for new certificates in late 2017. This means that web pages protected by certificates not present in the logs Chrome checks will show an alert by then. No other browser supports Certificate Transparency yet. Mozilla is on its way to making it work, but there is no official release date. ElevenPaths has created an addon to cover this feature.

Checking the SCT embedded in our certificates

Certificate Transparency is a new layer of security on top of the TLS ecosystem. Sponsored by Google, it basically requires all issued certificates to be logged (in some special servers), so an attacker who wanted to create a rogue one would face a dilemma: if the rogue certificate is not logged, that would raise some eyebrows; if it is logged, that would allow faster detection. A certificate is considered "logged" if it carries an SCT (Signed Certificate Timestamp). The SCT is given to the owner of the certificate when it is logged, and the browser has to verify it is real and current. This is exactly what Chrome has been doing for a while now. Now Firefox, thanks to this plugin, is able to check the SCT of certificates. But there is good news and bad news:

This is how Chrome checks the SCT

The good news

Our addon, created in cooperation with our lab in Buenos Aires, works with most known logs. It does not matter which log the SCT comes from: we are able to check it because we have included the public key and address of basically all logs known so far:

Google 'Pilot', Google 'Aviator', DigiCert Log Server, Google 'Rocketeer', Certly.IO, Izenpe, Symantec, Venafi, WoSign, WoSign ctlog, Symantec VEGA, CNNIC CT, Wang Shengnan GDCA, Google 'Submariner', Izenpe 2nd, StartCom CT, Google 'Skydiver', Google 'Icarus', GDCA, Google 'Daedalus', PuChuangSiDa, Venafi Gen2 CT, Symantec SIRIUS and DigiCert CT2.

This makes our solution quite complete but...

The bad news

An SCT may be delivered in three different ways:
  • Embedded in the certificate.
  • As a TLS extension.
  • In OCSP.
From a plugin's technical perspective it is not easy to reach the TLS or OCSP extension layer and check the SCT there. So far our plugin checks only for SCTs embedded in the certificate itself. Although not ideal, this is the most common scenario, so most certificates carry their SCT embedded.

Another piece of bad news is that plugins have to be validated by Mozilla to be published in its addons store. Once uploaded, the plugin enters a queue. If it contains "complex code" it may stay there longer, so Mozilla can do a better job reviewing and checking its security and quality. After waiting for more than two months, we have decided not to wait anymore. The queue seems to be stuck for days and days and there is no hope of it moving faster. Mozilla reviewers are working as much as they can, but they cannot deal with so many addons as fast as they would like to. We thank them anyway. That is why we have decided to distribute it outside the addons store. Once it gets reviewed and released, we will let you know.

The addon is available from here.

To install it, just drag and drop the file into a new tab.

Or, from the extensions menu, settings, install from a file.

Innovation and Lab

ElevenPaths and iLife Security signed an agreement for implementing services in support, IT management and security

Monday, March 6, 2017

Aiming to help clients adapt their systems to the new technological reality and its growing security challenges, ElevenPaths and iLife Security, a company specialized in full outsourcing of IT management, have signed an agreement for implementing personalized services in support, IT management and security.

This collaboration will have the goal of sharing knowledge and technical resources, to implement products and services based on digital security and correct IT management, also using ElevenPaths technologies: Latch, Security Monitoring and Metashield.

ElevenPaths and Opencloud Factory signed an agreement to provide a unique solution for access control in corporative networks

Wednesday, March 1, 2017

ElevenPaths and Opencloud Factory have signed a technological agreement aiming to develop a unique solution for access control in corporate networks.

Thanks to this agreement, Mobile Connect, a multi-operator solution led by the GSMA (Global System for Mobile Communications Association) and led at Telefónica by ElevenPaths, becomes a perfect complement to the OpenNAC technology of Opencloud Factory.

ElevenPaths along with Kaspersky uncover several malicious apps on Google Play

Monday, February 27, 2017

ElevenPaths, along with Kaspersky Lab and its GReAT team (Global Research and Analysis Team), recently published an investigation revealing how malicious apps are operating in Google Play by subscribing users to special-tariff numbers. They analysed which type of app is mostly used to get potential victims' attention, which tactics were used to disseminate the apps, the infrastructure code and the management panels used in the campaigns.

ElevenPaths and Consultores de Firma Avanzada together to protect Digital Banking, Insurance and Utility sectors

Wednesday, February 22, 2017

The scientific advances in facial and voice recognition, or biometric recognition for signatures are already a reality. In this context, we announce our most recent technological partnership with Consultores de Firma Avanzada. From their part, we have Firming, the biometric platform for secure contract signing created by Consultores de Firma Avanzada, and from our part, SealSign, created to be an electronic and biometric signature solution.

This partnership is the answer for the existing demand in the world of Digital Banking, and also for Insurance and Utilities Companies that were looking for an independent and mobile solution, so their customers could sign their contracts in a protected and faster way through Smartphones, Tablets and other devices.

Latch Plugins Contest 2016: Videos and Documentation

Tuesday, February 21, 2017

You can find here the compilation of plugins submitted to the Latch Plugins Contest 2016. Congratulations to all participants for the work done and the results!

ElevenPaths and Enigmasec partner to help small and medium organizations in the face of system intrusions

Monday, February 20, 2017

Last week we announced a partnership with Enigmasec, a company specialized in cybersecurity incident response, with the goal of improving its capabilities against cyber attacks that break through traditional defense mechanisms.

Nowadays there is no accessible tool that can compile the information from a security incident, helping to reduce its response time. In this context comes Enigmabox, a tool created by Enigmasec to detect security incidents and collect data for analysis. Igor Lukic, Enigmasec’s CEO, tells us that “Enigmabox works like an airplane’s black box, so in case our customer has some security issue, all its information will be stored in the same place. It also works as a warning system to provide responses to security incidents”.

ElevenPaths and Cyber Threat Alliance (CTA) collaborate in sharing intelligence about cyber threats

Friday, February 17, 2017

In 2015, ElevenPaths, together with other market-leading companies such as Check Point, Cisco, Fortinet, Intel Security, Palo Alto and Symantec, joined forces in a community that aims to exchange cyber threat intelligence. This community is called the Cyber Threat Alliance (CTA).
In January 2017, the Cyber Threat Alliance became a non-profit organisation and, after that, announced Michael Daniel, former cybersecurity coordinator at the White House, as President of the institution. In this context, ElevenPaths and the Cyber Threat Alliance renewed and accelerated their commitment to exchanging cybersecurity intelligence, in order to provide better support and security to our customers.

ElevenPaths joins Saint Patrick Technology to offer security solutions based on the latest Big Data technologies

Thursday, February 16, 2017

We announce today our most recent partnership with Saint Patrick Technology, the leading company in the development of solutions based on the latest technologies, such as AR, VR, NFC, RFI and Big Data.

With this collaboration, we aim to share knowledge, synergies and technical resources to develop products and services for digital security. ElevenPaths' Vice President for Strategic Alliances, Rames Sarwat, says "thanks to this partnership, ElevenPaths and Saint Patrick Technology will work together for the development and distribution of products and services for both companies. We want to reach the Spanish market and also the markets in Ireland and UK."

"The products developed by Saint Patrick Technology fit perfectly with ElevenPaths' Identity and Access Solutions," says Roberto Rodríguez Gómez, Partner Director at Saint Patrick Technology. Along these lines, Saint Patrick Technology joins the ElevenPaths Partners Program as an SSP (Solution & Services Partner).

This new deal supports ElevenPaths and Saint Patrick Technology's objective of developing and implementing mobile apps specialised in technologies such as AR, VR, NFC, RFI and Big Data. Both ElevenPaths and Saint Patrick Technology will include these services in their portfolios, increasing the options for technological and consultancy solutions as well as latest-generation developments.

For more information, check the Partners Section in our webpage.
Do you want to know more about the ElevenPaths Partner Program? Contact us!

To see the Press Release done by ElevenPaths and Saint Patrick Technology, click here.

Latch Plugins Contest 2016: we finally have winners!

Wednesday, February 15, 2017

We can now announce the winners of our "Latch Plugins Contest 2016", which showcases the creativity, ideas and imagination of the participants in the submitted proposals. This edition consolidates the contest and the community of developers who feed and develop Latch.

In our community, you can find the documentation, videos and plugins of all participants who have shown great interest, effort and quality in the works submitted. Here is a brief description of the winning plugins and hacks:

First prize – 5.000 USD
Winner: Álvaro Caso
Plugin: Mosquito MQTT

This plugin easily adds a second factor authorization to the IoT ecosystem, performing the integration on the MQTT Broker platform (lightweight M2M message protocol), rather than on the devices.

This way of functioning frees resources and improves compatibility and scalability.

What we liked:
The approach to the proposed solution looks interesting and original. The integration with a protocol like MQTT increases the usability of Latch and allows a great diffusion in commercial solutions, such as IoT Stack of Telefónica.


Second prize – 2.000 USD
Winner: Juan Camero
Plugin: Latch OpenWRT

Plugin for the OpenWRT open firmware used on neutral routers. It manages the internet connection of wireless devices through a smartphone with the Latch app in a simple and intuitive way. It adds an extra layer of security to Internet access through the router, denying access to the network if an attacker gets past the first security measures, such as the access point key or a MAC filter, with MAC spoofing techniques, etc.

What we liked:
The approach applied is good and has great development potential. The scope of OpenWRT is wide because of its community of users and its compatibility with the neutral routers on the market. The integration with the web GUI (LuCI) is excellent and the installation is simple.


Third prize – 1.000 USD
Not awarded

We want to thank all the participants for the contribution and the outpouring of eagerness, as well as for being part of our community and the exchange of ideas. Congratulations to the winners!
Share your knowledge, experience and curiosities with our experts. Talk to them in our community. They are waiting for you! And remember to visit the website with the Latch plugins and strengthen your systems.

For more information:

Jam Session with Greg Day Madrid 2017 Roundup

Tuesday, February 7, 2017

We opened the month of February by joining our colleagues at Palo Alto to hold our first Jam Session of the year in Madrid. This year we kicked off our vision sessions on trending cybersecurity topics with Greg Day, VP and CSO of Palo Alto Networks, an expert on the GDPR regulation and the NIS Directive.

This event brought together our experts, customers and Palo Alto partners, and we shared thoughts and best practices on the upcoming cybersecurity changes required to comply with the new European data protection legislation.

How do you adapt to the new data protection regulation? Did you know that the new European regulation on information protection will be mandatory from May 2018? Do you know how it may affect your company's information security?

Here we recommend reading another post on this current topic with the views of our expert Pablo Alarcón, so you can learn everything you need to know about the new European Regulation on Information Protection.

Interested in learning more about ElevenPaths events? Visit our events page for more information.

New Report: Most common errors when implementing HPKP, HSTS and preload conditions

Tuesday, January 17, 2017

We have collected and visited domains and web pages from two different sources, the Alexa top million domains and Shodan. These results come from November 2016 searches. From those domains, we have restricted the search to determine which ones use HSTS or HPKP over HTTP or HTTPS, and even which of them use different configurations for the headers. We have tried to determine not only the quantity but the "quality" of the implementation. Just 0,02% of the most popular domains implement HPKP in the best possible way, and just 0,74% do so with HSTS. Even or have some errors.

We show now some excerpts from the report, which you can find here.

Number of pins

When implementing HPKP it is important to respect the number of pins required. Although the recommended values are between 3 and 4 pins, some domains use from just one pin (violating the RFC) up to 17, which seems to be an irregularity that reduces the efficiency. Regarding the Alexa top million domains, 282 out of 450 domains use 2 or 3 pins, which is correct. 89 (19,8%) use zero or just one, which is useless from the browser standpoint, since it will ignore the header.

Number of pins offered by top 1 million Alexa domains using HPKP.

Which certificate to pin

When using HPKP, choosing the right certificate to pin may be an important decision. Administrators may pin any certificate in the chain (root, intermediate or leaf), but this decision directly affects maintainability for the administrator and security for the user. There is a tradeoff between security and maintenance.
  • Pinning the root offers less security, but an easier way for the administrator to deal with HPKP. This means that, as long as the administrator does not change CA provider, no additional changes need to be made, so less maintenance is required. But, on the other hand, if an attacker gets a fake certificate from the same CA, the browser would not detect the difference, since the root remains the same.
  • Pinning the intermediate certificate is maybe the best choice. The attacker would have to get a certificate from the same subCA to make the "perfect" attack. The administrator, on the other hand, may change the leaf certificate as long as it comes from the same subCA, with no extra cost of changing pins.
  • Pinning the leaf is the most secure way, but the most "dangerous" as well. If the certificate expires or changes for whatever reason (more specifically, if the public key changes), even if issued by the same CA or subCA, the administrator has to modify the pins or use the backup one. On the other hand, an attacker would not be able to create a valid certificate (unless the private key is stolen) for a "perfect" man-in-the-middle scenario.
So we have checked which certificate administrators pin, and this is what we have found. Most of them (73,65%) pin the intermediate certificate.

Pinned certificates in the trust chain for the top million Alexa domains using HPKP.

Pins reuse

Reusing pins among different domains is not an invalid practice at all. Considering that most of the pins used in HPKP are "intermediate" pins, mostly from subCAs, it is even absolutely normal to share some pins between domains. But this procedure brings a little risk. From an attacker's standpoint, knowing which subCAs or even CAs are pinned may allow planning a specific APT for that domain. For example, if a domain issues its certificates from a specific subCA and pins that intermediate certificate, an attacker that gets a rogue leaf certificate for that domain issued by the same subCA will still have a perfect MiTM situation, since the browser will not show any warning message. Therefore, from the attacker's standpoint, being able to determine whether a domain pins its intermediate certificate, and furthermore which subCA is pinned, helps them know who to target. Additionally, an attacker wanting to maximize the scope would try to get a rogue certificate signed by this "popular" subCA.

The following map represents which certificates (and their pins) are pinned by the most domains. These are the top 25 most pinned certificates. Since the protocol only exposes the pin and not the certificate itself, it is necessary to "unhash" the certificate. We have collected several million certificates and hashed them to compare against the pins associated with the domains. The results show that an intermediate certificate from Comodo is the most pinned certificate (klO23nT2ehFDXCfx3eHTDRESMz3asj1muO+4aIdjiuY=). It is pinned by 40 different domains from Alexa and Shodan.

Pins reuse map. Click to enlarge.


To avoid the "Trust on first use" issue, the "preload" mechanism was introduced. Preloading works like a root CA embedded in the browser: it is basically a list of domains that ask to be accessed with HSTS securely from the first visit. This list is maintained by Google, and some conditions have to be satisfied to belong to it.
  • Have a valid certificate chain and redirect from HTTP to HTTPS on the same host (of course).
  • Serve all subdomains under HTTPS. The www subdomain is mandatory if it exists in DNS.
  • Serve the HSTS header via HTTPS with these properties:
    • max-age is at least 18 weeks (10886400 seconds).
    • The includeSubDomains directive must be included.
    • The preload directive must be included.
    • If serving an additional redirect from the HTTPS site, it must still use the HSTS header (rather than the page it redirects to).
If all these conditions are satisfied, the domain owner may apply to the list here: and the domain will eventually be included. The same web page also allows checking whether a domain satisfies all these conditions. There are a total of 18197 domains in the Chromium preload list (shared with Firefox). As of December 2016, only 2056 domains from the Alexa top million are in that list.

Preloading status in Alexa's top million domains

In the background, uses a public API providing the reasons why a specific domain may or may not be preloaded. We have checked all the top million Alexa domains against this API, to find out whether preloaded domains really satisfy all the conditions to be preloaded. When a domain is checked against this API or the preload list, the domain is visited in real time and errors are checked. It is interesting to find that, of those 2056 preloaded domains in the top Alexa list, 662 contain some errors; thus, strictly speaking, they should not be preloaded. We have even detected that 67 of those 2056 preloaded domains do not contain the preload directive in the header, which also violates the conditions. and are domains that do not keep the mandatory conditions to be preloaded, but they actually are.


Although the HSTS and HPKP protocols are intended to provide an additional layer of security to HTTPS communications, their implementation is not widespread. At server level, many of the most relevant Internet domains do not even implement them. Moreover, among the minority of domains that do use them, there is a significant number of implementation errors, and even disregard for the recommendations of their respective RFCs. This situation shows both a low level of adoption and, somehow, some misunderstanding about how to take full advantage of these protocols. Some of the most interesting figures are:

  • From Alexa, we have collected 632648 HTTPS domains and 901958 HTTP domains. From Shodan we retrieved 30886979 HTTPS (port 443) and 45330802 HTTP (port 80) domains (a total of 76217781).
  • Only 1,9% of domains in Shodan use HSTS correctly over HTTPS, while just 5,35% of the Alexa top million do so.
  • 4717 (roughly 0.74%) of the top million Alexa domains using HTTPS (632648) implement HSTS in the best possible way.
  • 175 of the top million Alexa domains using HTTPS (632648), roughly 0,02%, implement HPKP in the best possible way.
  • 20% of top Alexa domains using HPKP over HTTPS use zero or just one pin, which is useless from the browser standpoint, since it will ignore the header. Most of them (73,65%) pin the intermediate certificate.
  • 17% of Alexa domains implementing HPKP use a wrong or ignored max-age value.
  • The most used pin (a certificate from Comodo) is pinned by 40 different domains from Alexa and Shodan.
  • There are a total of 18197 domains in the Chromium preload list (shared with Firefox). As of December 2016, only 2056 domains from the Alexa top million are in that list.
  • Of those 2056 preloaded domains in the top Alexa list, 662 show errors when checked against the official preloading API, so, strictly speaking, they should not be preloaded. Whatsapp and Facebook are among the domains that do not meet the mandatory conditions to be preloaded but are in the list anyway.
Here is the whole report.