Open source maintainer burnout as an attack surface

Wednesday, December 26, 2018

Software development has evolved greatly in the last decades. It is leaning towards an scenario based in third-party modules, components and libraries that help accelerate the development of our own software solving effectively frequently used tasks so that we do not need to reinvent the wheel.

While It is straightforward to see the advantages of this approach we need to realise that coupled with them comes a series of risks that need to be handled as well. To use a better known pattern that comes from the cloud computing world there’s a shared responsibility model regarding vulnerabilities and potential attacks as we can see in its different flavours: IaaS, PaaS or SaaS.

Foca Files Finder, our new Chrome extension to feed FOCA

Tuesday, December 25, 2018

Our Chrome extension is really simple. It takes advantage of the Bing technology (already used by FOCA) to perform a search of documents on the domain being visited at the moment with Chrome. This list (limited to 50) is quickly accessible from your browser. You can export it to a TXT file which can, in turn, be used by the FOCA.

Among the available options, you can choose what kind of documents you wish to search. Moreover, you can perform an automatic research, so you will not need to press the extension button. By doing so, every time you visit a domain, on the FOCA icon it will appear an indicator with the potential number of documents found.

New report: Twitter botnets detection in sports event

Thursday, December 20, 2018

New report: Twitter botnets detection in sports event imagen

We all know that a botnet is a number of Internet-connected devices, each of which is running one or more bots. Botnets can be used to perform DDoS attacks, steal data, send spam and allows the attacker to access the device and its connection. The owner can control the botnet using C&C software.

AuthCode: Our award-winning continuous-authentication system, jointly developed with the University of Murcia

Tuesday, December 11, 2018

Continuous-authentication systems aim to identify users’ behavior through interactions with their device. The main advantage of this type of authentication is that it improves users’ experience when using services or apps of their mobile device, free from intrusions. Fruit of a joint research with the University of Murcia, we were able to develop AuthCode. This project reached such a stage of maturity that we could present it over the Security Innovation Day 2018. Furthermore, it has won several awards and prizes. Let’s explain what AuthCode is in further detail.

In most cases, continuous authentication avoids using passwords, access patterns, biometric recognition, etc. when the user wish to have access to an app or service requiring authentication. In this sense, permanent authentication increases users’ security regarding the operations executed on the device. Moreover, we can take advantage of this continuous trust status to make user app interactions much simpler and more fluent by doing so, users’ experience gets better.

The Confirmation Bias: we seek the information that confirms our decisions, refusing their opposed evidences

Monday, December 10, 2018

Imagine yourself in a lab over an experiment. You’re asked to analyze the following number sequence:
2, 4, 6

This sequence follows a rule. What do you think the rule is? You can propose more three-number sequences to the experiment leader, who will tell you if the sequence proposed follows the rule or not. You can propose as many new three-number sequences as you wish. As soon as you discern the rule, announce it to the experiment leader for you to know if you got it or not. 

So, which is the first three-number sequence that you would propose to discern the rule followed by the sequence 2,4,6? Please, try to think about it before reading on, which three numbers would you use? 

Think about it a little more..., don’t read the answer yet...

The Framing Effect: you make your choices depending on how information is presented

Monday, November 26, 2018

The Framing Effect image

You have received an alert from cyber intelligence. A terrible and enormous cyberattack is approaching. You must ensure the protection of 600 positions within your organization. You don’t have much time, so you must decide on the implementation of one of two potential security programs, but the decision must be taken now!

Cyberintelligence Report: Global Banking Cyber Report

Thursday, November 22, 2018

As the world becomes more digital, new opportunities and threats arise and we tend to focus more on our daily business. As a result, when we are trying to develop a new product, website or application, we use to prioritize speed, convenience and ease of implementation over security.

ElevenPaths has conducted an analysis of 56 of the world's leading banks. This analysis is based on public archives, web applications and mobile applications from these banks and addresses three key aspects of cybersecurity:
  • Integrated security in mobile applications.
  • Metadata available in public documents.
  • The information we can obtain about service communications and their quality (i.e. open ports on servers, their vulnerabilities, etc.).

CapaciCard: an Elevenpaths' own physical technology materializing simple identification and authorization

Tuesday, November 20, 2018

Can you imagine to be able to authenticate or authorize a payment just by placing a plastic card on your mobile phone screen? (without circuitry, neither NFC connection nor additional hardware are required). So now try to imagine the same scenario but placing that card on a laptop touchpad. Over the last Security Innovation Day, we presented several technologies developed by our team, of which we are especially proud. Along this entry we will talk about CapaciCard.

CapaciCard, tecnología física de identificación y autorización de forma sencilla

m33tfinder: a vulnerability on Cisco Meeting Server detected by ElevenPaths

Friday, November 16, 2018

On November 7th, while we were holding our Security Innovation Day, Cisco published a security advisory with CVE-2018-15446 associated to a vulnerability on the software Cisco Meeting Server reported by our Innovation and Labs team. Such vulnerability could allow a remote attacker to gain access to sensitive information as well as to join those meetings held through this software. Cisco Meeting Server (previously named “Acano”), is a video conferencing software enabling users to held meetings through different clients, such as Cisco Jabber, Cisco Meeting App, Skype for Business or via WebRTC with a supported browser.

m33tfinder: a vulnerability on Cisco Meeting Server detected by ElevenPaths imagen

Stela FileTrack protagonist of the 6th Security Innovation Day Edition

Tuesday, November 13, 2018

Stela FileTrack protagonist of the 6th Security Innovation Day Edition imagen

The Telefónica’s Cybersecurity Unit helds its 6th Security Innovation Day, under the motto Game Is Never Over.

  • Stela FileTrack, a new solution to protect organization’s sensitive documentary information.
  • The Telefónica’s SOC located in Madrid, a highly-qualified incident response team available 24x7.
  • Faast for WordPress and mASAPP Online, focused on online sales, are put on the market.
  • New IoT security services, based on Telefónica’s SOCs strengths.

You are less rational than you think when you take decisions under uncertain conditions

Thursday, November 8, 2018

I propose you the following game of luck:
  • Option A: I give 1,000 € to you with a probability of 100 %
  • Option B: Let’s leave it to heads or tails: if it’s heads, you will win 2,000 € but if it’s tails, you will win nothing
Which option would you choose? A sure profit or the possibility to win twice more (or nothing)? If you think like 84% of the population, you may have chosen option A: a sure profit. Ok, so now I will propose you another scenario. You must pay a fine and you can choose how to do it:
  • Option A: You pay 1,000 € for the fine with a probability of 100 %
  • Option B: You flip a coin to decide it: if it’s heads, you will pay 2,000 € for the fine but if it’s tails, you will pay nothing
Which option would you choose now? Would you pay the fine or would you flip a coin, considering that you may pay nothing (or twice more)? In this case, if you are like 70 % of the population, you may have chosen option B. So, are you doing it well or not? Ok, let’s analyse what’s happening here purely from a rational point of view.

The State of Cyber Risk in Spain

Monday, November 5, 2018

In Spain, cybersecurity is becoming more of a priority among businesses across all industries. One way to quantify these cybersecurity postures is by looking at Spain’s security ratings across all markets in comparison with Europe. In Spain, Bitsight Security Ratings are on average 119 points below Europe as a whole. The highest performing industry is Real Estate, which has a security rating of 71 security rating points better than the European average. The lowest performing industries are Financial Services and Insurance, which are more than 200 security rating points lower than the average European rating. Given the sensitive data financial services companies possess, this report suggests there is a need for additional investment in cybersecurity and cyber risk management. As companies invest in digital transformation programs, their exposure to risk increases and requires an increased investment in risk management across their organization.

DNS over HTTPS (DoH) is already here: the controversy is served

Recently, the IETF has raised to RFC the DNS over HTTPS proposal. In other words, this means resolving domains through the well-known HTTPS, with its corresponding POST, GET and certifications exchange for authentication and encryption. This new is more important than it may seem. For two reasons: firstly, it’s a new resolving paradigm that shakes network foundations. Secondly, because the support of having RFC combined with the interest shown by browsers (greedy for the power granted by this) has led them to start its implementation in record time. It is said that privacy is granted, ok, but… Is it a good (or bad) idea?

DoH (DNS over HTTPS) is really simple. Instead of going to port 53 of a server (for instance, the well-known and asking for a domain through an UDP or TCP packet, DoH standardizes the construction of a GET or POST to a HTTPS domain, so the answer will be the A and AAAA records (the RFC doesn’t specify other records) with the IP. It has more details, such as the clever solution of turning the heading cache-control into the TTL. Everything encrypted carefully, of course. Do you remember when in a hotel you could tunnel the HTTP browsing via the DNS protocol (often unrestricted) to avoid paying the Wi-Fi? So now it’s the other way around.

A story about two minds: the vast difference between real and perceived risk

Wednesday, October 31, 2018

“In our society it is generally not considered justifiable to make a decision purely on an emotional response. We want to be considered scientific and rational, so we come up with reasons after the fact to justify our choice.” —Raj Raghunathan, McCombs School of Business, The University of Texas at Austin

Look carefully the following figures. Which one is the largest for you? The figure on the right or that one on the left?
Ebbinghaus visual illusion image

Yes, indeed they are identical. However, even if you know it, or even if you try to measure it with a ruler, you cannot avoid seeing the right one larger, right?

Rock appround the clock, our research in DEFCON

Wednesday, August 29, 2018

In the world of Threat Intelligence, determining the attacker’s geographical location of is one of the most valuable data for attribution techniques, even if not perceived like that, this information may lead a research one way or another. One of the most wanted information is where the author comes from, where he lives in or where the computer was located at the time of an attack.

We focused our research in taking advantage of this kind of “time zone” bugs for tracking Android malware developers. We will describe two very effective ways to find out the developer's time zone. We have also calculated if these circumstances has some real relation with malware, diving in our 10 million APKs database.

CryptoClipWatcher, our new tool against crypto clipboard hijacking techniques

Tuesday, July 17, 2018

Since 2017, this technique is becoming quite popular. Cryptocurrency in general is a new target for malware, and mining Bitcoins is not profitable anymore in regular computers (maybe Monero is). But, targeting the clipboard to steal cryptocurrency is a new, easy and interesting way that malware creators are exploiting. We have created a simple tool that watches your clipboard to alert you if the destination cryptocurrency address changes.

CryptoClipWatcher tool cybersecurity

By the end of 2017, malware creators launched Cryptoshuffle. It was a malware able to hijack the clipboard and modify the cryptocoin address in it. Poisoning clipboard was nothing new, but this was one of the first times that attackers used it as a way to steel bitcoins, modifying the destination address of the transaction. A bit later, someone saw some business in it and started to sell the platform itself "as a service" calling it "Evrial". That was around the beginning of 2018 when Cryptoshuffle started to "disappear" and Evrial saw light. It was a .NET malware able to steal passwords from browsers, FTP clients, Pidgin and, the best part, able to modify the clipboard on the fly and change any cryptocurrency address to whatever address the attacker wanted to. So, the malware is checking the format of whatever is in the clipboard. If the victims copies for example a Bitcoin or Litecoin address, it is quickly replaced by another, on the fly and dynamically (the new address is requested to a server).

In March, ESET discovered that there was some software hosted for years in that used this technique.

Aside, not that long ago, ElevenPaths analyzed N4O botnet, which, among other very interesting techniques, used clipboard hijacking as a way to steal bitcoins, although it was focused in banking.

Since then, we have seen some more examples, like this sample that monitored 2.3 million addresses and replaced them if they were in the clipboard. We know, this makes no sense since it could just use a regular expression and monitor them all but this is how the malware works.

This other sample, called ClipboardWalletHijacker, did that. But, interestingly, it distinguished between the day of the month. If the current date was earlier than 8th of the month, it replaced the address to "19gdjoWaE8i9XPbWoDbixev99MvvXUSNZL". Otherwise, used "1FoSfmjZJFqFSsD2cGXuccM9QMMa28Wrn1" instead.

This ctrl-c and ctrl-v way of hijacking has become popular even in "traditional" Trojan bankers. They inject javascript into the bank webpages implementing some quick keyboard shortcuts in the computer and modifying the legitimate webpage. This malware sets the clipboard of the victim with some malicious javascript, opens the developer console of the target web, and pastes there the javascript. It even works pasting javascript into the address bar.

Introducing CryptoClipWatcher
This a very very simple program, still in beta phase. Install it and it will check if, once you have copied a cryptocurrency wallet or address into your clipboard, it is modified before you replace it from your clipboard. If so, a warning will pop up. If you did it on purpose, you may add that address to a list that the program will remember, so it does not disturb you anymore with that particular wallet. This is pretty much it. Of course, we have implemented some security checks so the malware (if it is aware of the tool) has to elevate privileges to kill the watcher).

Here is a little video that explains how it works.

You can download it from here.

This a preliminary beta version that we plan to improve. We will try to make it easier to use and even more secure with each version. For you to be up to date as soon as possible, the program will check for updates everytime is run. We have great plans for it!

Please send us improves or bugs if you find them to

Innovation and laboratory

#CyberSecurityPulse: Private enterprise's sad contribution to sharing threat intelligence in the United States

Monday, July 9, 2018

social networks image After just over two years of Congress passed a major bill that encouraged businesses to share with the government how and when threat actors were trying to get into their systems, only six companies and other non-Federal entities have shared that information, according to Nextgov media. These figures have been compared to the 190 entities and 60 federal departments and agencies that are receiving threat data from the automated national security indicators exchange program. This low level of private sector involvement is an additional blow to the program, which has struggled to provide businesses and government agencies with the kind of actionable intelligence promised by the 2015 Cybersecurity Act.

#CyberSecurityPulse: New proposal to adapt U.S. Marine Corps capabilities to the new times

Tuesday, June 26, 2018

social networks image The head of the U.S. Marine Corps wants to remodel his team. The Marine Corps is considering offering bonuses and other benefits to attract older, more experienced Marines to re-enlist and develop cybersecurity capabilities as well. The measure marks a historic change that could transform a force composed primarily of high school graduates. "It's going to be a little bit older, a little bit more experienced because as much as we love our young Marines, we need a little more age because it takes time to acquire these kinds of skills", General Robert Neller told defense leaders at a conference in San Diego.

ElevenPaths Announces Strategic Security Alliance with Devo

Thursday, June 14, 2018

Strategic alliance ElevenPaths and Devo imagen

Provides Telefónica Customers Advanced Cybersecurity Monitoring and Protection Services Through Devo Data Operations Platform.

#CyberSecurityPulse: Changing stereotypes in the security sector

Tuesday, June 12, 2018

social networks image Ripples of outrage spread across the cybersecurity industry last week after women in red evening gowns were seen promoting a product at the Infosecurity Europe 2018 conference. The event's organisers condemned the move, saying vendor contracts ban the use of so-called 'booth babes'. Thankfully, this behaviour is in the minority. In fact, it is perceived that there is beginning to be greater gender diversity, that more women are participating in conferences and that multiple programmes and initiatives are being implemented, including a renewed focus on recruitment.

New tools: Metashield Bots, analyzing and cleaning metadata for everyone, from everywhere

Tuesday, June 5, 2018

You all know Metashield. Basically, it is a technology from our own to analyze and clean metadata, that is used in several of our own products. Although metadata seems to be an old problem, it is still useful when you analyze leaked data, as in the Bin Laden hard disk case that we covered, and even it was a key piece in our research about Wannacry author, when we found out how the creator worked and even what his default language in Word was. We are introducing today a new way to use Metashield, for everyone and from everywhere since we have created bots for Telegram, Skype and Slack. It is easier than ever now. Let’s see.

ElevenPaths further strengthens its reputation as a cybersecurity services provider

Tuesday, May 29, 2018

Security Day - Cybersecurity On Board imagen

Today was the fifth edition of the Security Day event, organized by ElevenPaths, the Telefónica Cybersecurity Unit, which took place in Madrid, under the slogan "Cybersecurity On Board". This important event brought together more than 400 people, and served as a framework to present the new technological integrations carried out with strategic partners, with the aim of helping companies to combat cyber-attacks against their technological infrastructures. The company's cybersecurity unit works to accompany its clients on their digital journeys, providing end-to-end protection and peace of mind.

#CyberSecurityPulse: Google's project to fight election attacks

social networks image On the night of the primary elections in May, the residents from the county Knox, Tennessee, did not know who had won for about an hour. They did not have access to the website which was following the county’s elections, as the page was blocked at 8pm when they had just closed the polls. The county IT director, Dick Moran, said that the website had seen “extremely unusual and heavy network traffic”. Their mayor asked for an investigation in regards to the attack, whose signs showed that it was most likely an attack by DDoS.

Expanding Neto capabilities: how to develop new analysis plugins

Monday, May 28, 2018

In previous posts we have introduced Neto as a browser extension analyzer. The first version we released, 0.5.x included a CLI, a JSON-RPC interface and could be used directly from your scripts. In the 0.6.x series we have gained stability and added some interesting features like the interactive console which makes the analyzer a tool to interact with. However, we have not yet discussed how we can extend Neto's functionality to suit our needs.

A system of plugins to gain flexibility

Despite the research needs that we may have from ElevenPaths, it may happen that other security analysts also want to carry out other tasks that we have not thought about. In order to make its use as flexible as possible, we have thought of a system of plugins that allows you to design your own modules. Remember at this point that we can always install the latest version from PyPI with:

$ pip3 install neto --user --upgrade

Analyzing browser extensions with Neto Console

Monday, May 21, 2018

Fifteen days ago we published the first version of Neto, our extensions analyzer in Github. It was published under a free license, also during this time we have worked on a series of features which allow the analysts to have a better interaction with each one of the tool’s uses, in addition to improving their settings. In this post we will see some of the new changes which we have included in this version whilst highlighting their interactive interface.

#CyberSecurityPulse: The eternal dispute: backdoors and national security

Wednesday, May 16, 2018

social networks image A bipartisan group of legislators from the house of representatives has introduced a piece of legistation which will prevent the federal government of the United States from demanding companies to design technology with backdoors to ensure law enforcement can have access to certain information. This bill represents a last effort from legislators in Congress to eliminate the battle between the federal officials in charge of making them comply to the law and the technology companies’ which are for the encryption. It reached a boiling point in 2015 when the FBI fought with Apple in regards to a blocked iPhone which was linked to the terrorist attack case in San Bernadino.

Technically analysing a SIEM… are your logs secure?

Monday, May 14, 2018

The SIEMs are usually utilized within highly secure of regulated environments, where regular log monitoring and analysis is required to search for security incidents. They help to make the web safer, even so, we question it a bit more; are the logs in our system infrastructure adequately protected? We are going to address this within this entry, by showing the minimum steps which you should take into account in order to secure a SIEM; using the particular investigation of Splunk as an example and case study, which is one of the most well-known SIEMs.

New report: Malware attacks Chilean banks and bypasses SmartScreen, by exploiting DLL Hijacking within popular software

Thursday, May 10, 2018

ElevenPaths has spotted an enhanced and evolving Brazilian banking trojan (probably coming from KL Kit,) through using a new technique to bypass the SmartScreen reputation system and avoid detection in Windows. It targets mainly Chilean banks, and this Trojan downloads legitimate programs and uses them as a "malware launcher" injecting itself inside, in order to take advantage of "dll hijacking" problems in the software. In this way, the malware can be launched "indirectly", and bypass the SmartScreen reputation system and even some antiviruses.

New tool: Neto, our Firefox, Chrome and Opera extensions analysis suite

Monday, May 7, 2018

In the innovation and laboratory area at ElevenPaths, we have created a new tool which is used to analyze browser extensions. It is a complete suite (also extensible with its own plugins) for the extensions analysis; it is easy to use and provides useful information about extension features of both Firefox and Chrome or Opera.

Neto herramienta imagen

You’ve got mail? You’ve got malware

Wednesday, May 2, 2018

You’ve got mail? You’ve got malware imagen
A few weeks ago I was ‘compromised’. A well-known vulnerability was exploited and I was left financially exposed, with my reputation potentially at risk. “What happened?” I hear you cry? Well, my debit card was cloned. Not necessarily the end of the world, but a big inconvenience.

Rogue transactions were credited back into my account, a new card issued and no real harm was done. But then the ‘payment declined’ messages started to occur. Certain services I use keep my card details on record for repeat use – my Amazon account, a razor blade subscription, eBay, etc. Basically anything that isn’t a Direct Debit or Standing Order. So it was whilst in this frame of mind – willingly adding new card details to various provider websites – that I was nearly caught out by something which could have been far more damaging.

#CyberSecurityPulse: Monero and EternalRomance, the perfect formula

Tuesday, May 1, 2018

social networks image Last year's release by ShadowBrokers about tools belonging to the National Security Agency continues to be a talking point. A new malware which utilizes the EternalRomance tool has appeared on the scene along with Monero-mining. According to the FortiGuard of Fortinet laboratory, the malicious code has been called PyRoMine as it was written in Python, and it has been discovered for the first time this month. The malware can download it as an executable compiled file with PyInstaller, thus, there is no need to install Python in the machine where PyRoMine will be run. Once installed, it silently steals CPU resources from the victims with the aim of obtaining Monero’s profits.

Facebook changes the logic of their TLS policy (partly due to our research), by implementing a ‘two-way’ HSTS

Monday, April 30, 2018

Facebook and privacy. The recent scandal from the social network within the last few weeks does not exactly make it the best example in regards of privacy or secure connections in general. Yet, this is not the issue now. It is certain that it has been the first website (or rather, ‘platform’) to take a very interesting and innovative step in the TLS renewal policy, which the internet has seen within the last few years. Which involves the reinforcement of the TLS concept in general on all fronts: "TLS Everywhere", free and accessible certificates, HSTS, Certificate pinning, Certificate Transparency, in order to set aside the old protocols... This is a deep revision of the ecosystem in which Facebook (and Instagram) unite together with a more than interesting proposal.

You already know what HSTS is all about… the server sends a header to the browser in order to remember that the redirection of the HTTP and HTTPS must be done ‘locally’ (through a redirect type 307), omitting the danger from a network abduction. The web which provides this header, should obviously, be available for HTTPS, and guarantees a minimum good practice with the authentication and encryption which TLS provides. So far, so good, we have talked about this issue a few times, but what if we turn the tables? This is what they thought from Facebook; therefore, they ended up with a more than interesting concept in order to improve overall security, which could be imitated by other platforms.

In search of improved cryptocurrency privacy with Dash, Zcash and Monero

Tuesday, April 24, 2018

When we talk about cryptocurrencies we often find ourselves with the belief that their use is completely anonymous. However, those who have investigated a little about them (because it is impossible to know about all of the ones which exist) will know that this is not necessarily the case; taking into account that many of the operations are perfectly traceable in the corresponding block chains.

In this way, if we come across Bitcoin or Litecoin addresses in an alleged criminal activity, we can trace the operations back to those which have been found involved, as well as navigating forwards or backwards in time in the block chains. At the same time, we should also get to know the internal history of this cryptocurrency, as if a hard fork has been produced it could be spending these bitcoins in different block chains under different rules. An example of this is the investigation which we published a few weeks ago about the Wannacry addresses tracking the clues through both the Bitcoin and Bitcoin Cash block chains.

So what should we do if during the course of the investigation we end up finding ourselves with a cryptocurrency which we do not have under our radar or which we do not know? Well firstly, most of the time, we will search in Google. However, the project could be used as a first reference, as it can further provide information about the average rate, which includes official websites of the project and some explorers from the block chain of each cryptocurrency.

Información proporcionada por coinmarketcap sobre Bitcoin Cash imagen
Figure 1. Information provided by coinmarketcap about Bitcoin Cash

AMSI, one step further from Windows malware detection

Monday, April 23, 2018

At the beginning it was a virus; pieces of assembly code which connected to the files, so that they could modify the “entrypoint”. Afterwards, this technique was twisted and improved as much as possible, they searched for automatic execution, reproduction, and independence of the “guest” (the malware has already beenstandalone since some time), and also so that it could go under the antivirus radar. “Touch Hard Disk” was the premise (how could they infect it?) and in turn the malware anathema. If it managed to avoid this toll as much as possible, it could get away from the detectors. This technique is called “Fileless”, which sought for an ethereal formula in order to survive within the memory for as long as possible. Hence, it does not touch the disk or delay it too much and it does not land upon what the antivirus firmly controls. "Fileless" has been perfected to such an extent (are you familiar with the malware which combines macros and Powershell?), that there is already a native formula in Windows to mitigate it as much as possible. Yet, it's not getting the attention that it should.

Estructura básica AMSI imagen
The basic AMSI structure, provided by Microsoft

#CyberSecurityPulse: From the bug bounties (traditional) to the data abuse bounties

Thursday, April 19, 2018

social networks Social networks image The Internet giants are going to great lengths to be transparent with their communication about the information they are gathering from their users. In the case of Facebook, they pay millions of dollars every year to investigators and bug hunters to detect security flaws in their products and infrastructure, in order to minimize the risk of being subject to specific attacks. Though, after the Cambridge Analytica scandal, the company has launched a new type of bug bounty to compensate those that report "data abuse" on their platform. Through the new program 'Data Abuse Bounty', Facebook will ask third parties to help them find application developers who are misusing their data. "Certain actors can maliciously gather and abuse Facebook user’s data even when security vulnerabilities do not exist. This program has the intention of protecting us against abuse", according to the publication carried out by the company.

How are we preparing ourselves for the RSA Conference 2018?

Tuesday, April 17, 2018

2018 is a unique year for us. We continue on our journey with the great security community to jointly combat the threats faced by our sector. At ElevenPaths, Telefónica’s dedicated cyber security unit, we have been working on a new approach, which we will officially announce at the world-leading annual security event, the RSA Conference.

This event will take place from the 16th to the 20th April, in San Francisco (USA), where we will be exhibiting from our stand #2207 in the South Hall of the Moscone Center. You can visit us here for free by registering for an Expo Hall Pass via the official RSA Conference website using our unique access code: X8ETELEF (the deadline to use this code is the 19th April 2018).

RSA 2018 imagen

A Technical Analysis of the Cobalt phases, a nightmare for a bank’s internal network

Monday, April 16, 2018

A few days ago, a key member from a group of attackers known as Cobalt/Carbanak (or even FIN7 for some of them) was arrested in Alicante. This group has been related to different campaigns against banking institutions, which has caused substantial losses through transfers and fraudulent cash withdrawals in cash machines. We are going to see some technical details from modus operandi, the last wave, how it functions and some ideas about how to mitigate the impacts.

The objective of the group is to access the infrastructure of a financial entity in order to compromise cash machines and withdraw cash fraudulently. Although it seems like science fiction, they do it with network control of the cashpoints, to the point of being able to do it at a specific time, so that it starts to release all of the cash that it contains. Thus, at this moment the ‘mule’ who finds themselves in front of the cash machine will be able carry out the action. More than in the sample analysis, we will focus on the most interesting aspects of the attack phases.

Monero says goodbye to the ASIC miners (at least for now)

Tuesday, April 10, 2018

Last Friday, 6th April marked an important date for the community of Monero users and developers, as one of the cryptocurrencies led the defense of anonymity for its users. As already commented upon within previous posts, Monero utilizes the CryptoNote protocol which was proposed in October 2013. This conceals who the sender and receiver are of the transaction by utilizing circular signatures or a ring, which mixes the transactions from different users. Furthermore, from January 2017, you can also conceal the transferred balance in each transaction, by strengthening the privacy with the implementation of Ring Confidential Transactions, an improvement of its algorithm.

Iconografía del proyecto Monero
Figure 1. Iconography of the Monero project.

Accelerating European cyber security between the United Kingdom and Telefonica (Wayra) – Part one of two

Thursday, April 5, 2018

The GCHQ (Government Communications Headquarters) is not very well known outside of the United Kingdom. The governmental organization is almost a century old (it will celebrate its 100th anniversary next year), in 1919 it started as the government's school of codes and encryption (Government Code & Cypher School) and it was not until 1946 that it changed its name to what it is now.

The GCHQ’s job is to maintain Great Britain´s security through information assurance and also signals intelligence (SIGINT).

The GCHQ was founded after the first world war and had the important role during the second world war of working on how to break the German Enigma codes and also during the Cold War, from its famous center in Bletchley Park.

Bletchley Park imagen
Bletchley Park ©GCHQ

#CyberSecurityPulse: Tell me your social networks and you will be welcome in the United States (or maybe not)

Tuesday, April 3, 2018

social networks The US Department of State wants to ask visa applicants to provide details of their social networks which they have used within the last five years, as well as their phone numbers, email addresses and international trips during this period. The plan, if approved by the US Office of Management and Budget, will extend the background screening to those who have been marked for additional immigration screening; for all of the immigrant visa applicants and for all of the non-immigrant visa applicants, such as business travellers and tourists.

The Wannacry authors also want their Bitcoin Cash

Tuesday, March 27, 2018

The 12th of May 2017 was a day for many of us which we will not easily forget. Wannacry was one of those incidents which had a major impact upon public opinion. Taking advantage of the already famous EternalBlue vulnerability, the programme maliciously managed to encrypt the files of thousands of computers asking in exchange for a ransom of $300 of bitcoins. The question is, what happened to these ransoms paid by the victims?

The balance of the addresses
The three identified Bitcoin addresses managed to raise more than 51 bitcoins (available here, here and here). To date, more than half a million dollars have been exchanged. However, the design of the ransom collection system could be improved. Presenting the same address to different victims made it difficult for the attackers to determine which victim had made the payment. Taking into account that the Bitcoin transactions remain registered in a chain of blocks within Bitcoin, the victims could impersonate other victims who had paid by taking credit for a particular transaction.

#CyberSecurityPulse: PyeongChang Olympics: A New False Flag Attack?

Tuesday, March 20, 2018

A postmortem of the Olympic Destroyer malware used in the PyeongChang Olympics attack reveals a deliberate attempt by adversaries to plant a false flags when it comes to attribution, according to researchers. Days after the crippling attack on the backend networks tied to the Winter Olympic Games, a chorus of security experts attributed the attacks to everyone from Russia, Iran, China and groups such as Lazarus, the nation-state backed gang linked to North Korea. However, security experts now believe a skilled and mysterious threat actor behind the malware intended to sow confusion among those attempting to assign attribution to the attack. "Perhaps no other sophisticated malware has had so many attribution hypotheses put forward as the Olympic Destroyer," said Vitaly Kamluk, researchers with Kaspersky Lab who co-authored a report released on the attacks. "Given how politicized cyberspace has recently become, the wrong attribution could lead to severe consequences and actors may start trying to manipulate the opinion of the security community in order to influence the geopolitical agenda."

In the days proceeding the attack a steady stream of theories emerged that were later debunked and ruled inconclusive. "How the industry responded was a disaster," Kamluk said. "There was too much finger pointing with no certainty." Beyond the Lazurus false flag, researchers said Russian-speaking cyber espionage group Sofacy (also known as Fancy Bear and APT28) was also imprecisely implicated in the attack. Other bits of malware code linked Chines-affiliated cyber espionage groups APT3 (Gothic Panda), APT10 (MenuPass Group), and APT12 (IXESHE).

New plugins for FOCA: HaveIBeenPwned and SQLi

Monday, March 19, 2018

Following the publication of Foca OpenSource, a lot of people are now enthusiatic about the idea of adding new plugins or improving existing ones. On this occasion, we present two new plugins to get even more out of FOCA.

In a joint effort between the Laboratory team and CSAs team, mainly, at the hands of José Sperk and Carlos Ávila, we have set to work to improve a plugin  which has been in high demand: the one of SQLinjection. To do this, we have decided to interact with one of the most utilised hacking tools in the market, the famous SQLMap. From this, we have advanced with the development of a plugin which allows us to detect and exploit SQL injection vulnerabilities in web applications, using REST-JSON API of SQLMap, but from a friendlier and more well-known graphic environment, such as that of the FOCA.

The following video shows you how to download and utilise the SQLI plugin in FOCA, taking into account that previously you must download and install SQLMap on your computer to launch the scans from there.

If you prefer or you have installed SQLMap on another computer, you can also select "Remote Server API" and connect from the FOCA OpenSource to launch scans remotely

As if that was not enough, we have also created another new haveibeenpwned plugin for Foca which interacts through the APIs and with In this way, the email addresses which you find whilst analyzing the metadata with FOCA OpenSource, can be directly consulted from the application against those two data bases. Likewise, if you have a file with an address list which you want to verify, you can do it directly from this plugin. The following video shows how it works.

Finally, we have released the source code for PluginApi.dll, in charge of communicating the plugins with FOCA, providing different options to make the most of the results of the analyses of which we carry out.

Remember that if you want to add new plugins, we have provided several examples that contain everything you need to develop a new one. All of this is available in our FOCA market, where you are welcome to participate with your proposals.

Claudio Caracciolo
Team Leader of the CSA and the Bs. As. Research Office at ElevenPaths
Innovation and Laboratory

#CyberSecurityPulse: Biggest-Ever DDoS Attack Hits Github Website

Monday, March 5, 2018

At the end of 2016, a DDoS attack on DynDNS blocked major Internet sites such as Twitter, Spotify and PayPal. The Mirai botnet was used to take advantage of the full bandwidth of thousands of Internet-connected devices. However, last Wednesday 28th of February we witnessed the largest DDoS attack ever seen on the GitHub website, reaching a record 1.35 Tbps and 126.9 million packets per second.

Interestingly, the attackers did not use any botnets, but misconfigured Memcached servers to amplify the attack. Memcached operation is based on a distributed hash table. To prevent misuse of Memcached servers, administrators should consider firewalling, blocking or rate-limiting UDP on source port 11211 or completely disable UDP support if not in use. In this sense, Akamai estimates that at least 50,000 servers are vulnerable.

New tool: “Web browsers HSTS entries eraser”, our Metasploit post exploitation module

This module deletes the HSTS/HPKP database of the main browsers: Chrome, Firefox, Opera, Safari and wget in Windows, Mac and Linux. This allows an attacker to perform man in the middle attacks once a target has been compromised. It is available from the post exploitation module in Metasploit project.

Evrial, malware that steals Bitcoins using the clipboard... and the scammed scammers

Monday, February 26, 2018

Evrial is the latest cryptocoin malware stealer, and uses the power to control the clipboard as its strongest bet to get "easy money". Elevenpaths has took a deep technical dive into the malware itself, to show how it technically works, with a quite self-explanatory video. Aside, we have followed the steps of its Russian creator and found that whoever he is… scammed the scammers themselves.

Qutra, the creator, selling its malware

#CyberSecurityPulse: Dude, Where Are My Bitcoins?

Monday, February 19, 2018

Numerous types of attacks are affecting cryptocurrency users: families of malware that steal wallets, phishing attacks that try to forge platforms where users manage their bitcoins, applications that use the CPU of users to mine... And, in addition, those that prefer to manage their own money without delegating responsibility to a third party they will also have to deal with the problem of losing private keys or not remembering the password with which we protected the wallet.

If it has happened to you and you have protected your wallet with a password, maybe you do not have everything lost. John the Ripper, a password cracking software tool, contains plugins that crack differents wallets: bitcoin2john, blockchain2john, electrum2john, ethereum2john and multibit2john. In the first place, we will have to select the type of plugin that we are going to use depending on the type of wallet that you are using. Then, you pass that content to a text file, launch John The Ripper ./john with the file name and, finally, cross the fingers!

SandaS GRC, the best way to perform the GSMA IoT Security Assessment

Wednesday, February 14, 2018

SandaS GRC
ElevenPaths SandaS GRC allows organizations to support their business strategy, improve operational performance, mitigate operational risks and ensure regulatory compliance. Is the perfect complement with which you can create a governance program, risk management and effective compliance of the security of your organization’s information.

With the aim of extending this control to the IoT deployments, SandaS GRC has incorporated a set of controls to secure IoT deployments. These controls are those collected in the GSMA IoT Security Guidelines through the GSMA IoT Security Assessment, where Telefónica has actively contributed.

#CyberSecurityPulse: Oops, I Went Running and I Published Information From Secret Locations

Monday, February 5, 2018

The popular fitness tracking app Strava proudly published a 2017 heat map showing activities from its users around the world, but unfortunately, the map revealed locations of the United States military bases worldwide. Strava which markets itself as a "social-networking app for athletes" publicly made available the global heat map, showing the location of all the rides, runs, swims, and downhills taken by its users, as collected by their smartphones and wearable devices like Fitbit. Since Strava has been designed to track users’ routes and locations, IUCA analyst Nathan Ruser revealed that the app might have unintentionally mapped out the location of some of the military forces around the world, especially some secret ones from the United States.

However, information from cartographic systems on facilities of interest to the defense, such as military bases, has always been available. Subject to errors or inaccuracies, but always available given the inability of governments to limit their dissemination. In this sense, this type of information has been used to perpetrate attacks, to the point that India raised in 2009 the closure of Google Earth as a measure to avoid attacks like those in Bombay.

Managed Detection & Response: Prevention is Not Enough, You Need to Become Cyber-Resilient

Thursday, January 25, 2018

Managed Detection & Response cybersecurity imagen
You want your organization to be cyber-resilient but you have no means?

You have advanced security solutions in place, but you lack skilled staff trained to take advantage of them?

You are unable to detect and respond to a security breach and you fear the consequences for your business of the NIS and GDPR legislation?

If you are concerned about these issues, we are also concerned, and that is why we have been working with our skilled analysts, Test Lab and Strategic Partners strive to offer our customers a Managed Detection and Response service beyond the traditional approaches.

Tackling Cybercrime: Three Recommendations for 2018

Wednesday, January 24, 2018

Tackling Cybercrime: Three Recommendations for 2018 cybersecurity imagen

In 2017 we saw ransomware variants such as Wannacry wreak havoc across computer networks in the UK. Not only were these variants of malware almost impossible to remove from computers without causing data loss but they caused real damage – we saw awful scenes when hospitals and doctors’ surgeries had to close their doors as a result.  We know in 2016 the UK cost of cybercrime was estimated at around £29 billion and in 2017 we saw a 22% growth on that figure. It’s clear the problem is not going away anytime soon.

#CyberSecurityPulse: Guess Riddle... How Is Information Stored In a Bitcoin Address?

Tuesday, January 23, 2018

As we have seen in previous post on ElevenPaths blog, the OP_RETURN field of a Bitcoin transaction is used to store a small portion of information (up to 80 bytes) that is usually used to timestamp information taking advantage of the fact that the Bitcoin network is distributed and replicated throughout the network. Numerous projects are used to create use cases to certify that something has happened as the Proof of Existence project, validate academic certificates or even publish the orders to execute the infected nodes inside a botnet. However, did you know what was the technique used before 2013 to store information in the blockchain?

In this sense, the Bitcoin addresses were used (and still are used). At the end, an address does not stop being a text string encoded in Base58Check that contains useful data of up to 20 bytes in length relative to the hash of the public key associated with the address. Knowing this, small quantities were sent to these arbitrarily generated addresses, and therefore, no known private key. This has the consequence that the balance sent to those addresses for which the private key is not available will not be able to be spent, but at least it guaranteed that the operations will be stored in the chain of blocks.

#CyberSecurityPulse: The Transparent Resolution of Vulnerabilities Is Everyone's Business

Monday, January 8, 2018

The new year has started with a story that has taken the covers of specialized and generalist media all around the world. The vulnerabilities named as Meltdown and Spectre have put on the table that even aspects that we took for granted as the architecture of the hardware that makes operate almost all of our systems is likely to have to be reinvented. The correction of this type of failures in the future should be put to the test with new designs that prevent them, but until these new systems go on the market it is necessary to find contingency software solutions that mitigate the problem in the meantime.

The different operating systems have tried to deal with a vulnerability that was notified to several operating systems security teams on November 9, 2017. In fact, the proofs of concept included in the Meltdown paper are made on Firefox 56, which was the current stable version until the arrival of Firefox Quantum (version 57) on November 14 of that same month. According to the managers of Canonical, the company responsible for the development and maintenance of Ubuntu, this date is important providing that this was used on November 20 as a reference to establish a consensus about January 9, 2018 as the date for the publication of the details of the vulnerability by its authors.