The Framing Effect: you make your choices depending on how information is presented

Monday, November 26, 2018


You have received an alert from cyber intelligence: a massive cyberattack is approaching. You must ensure the protection of 600 positions within your organization. You don’t have much time, so you must decide on the implementation of one of two possible security programs, and the decision must be taken now!

Cyberintelligence Report: Global Banking Cyber Report

Thursday, November 22, 2018

As the world becomes more digital, new opportunities and threats arise, and we tend to focus more on our daily business. As a result, when we are trying to develop a new product, website or application, we tend to prioritize speed, convenience and ease of implementation over security.

ElevenPaths has conducted an analysis of 56 of the world's leading banks. This analysis is based on public files, web applications and mobile applications from these banks and addresses three key aspects of cybersecurity:
  • Security integrated into mobile applications.
  • Metadata available in public documents.
  • The information that can be obtained about service communications and their quality (e.g. open ports on servers, their vulnerabilities, etc.).

CapaciCard: ElevenPaths' own physical technology for simple identification and authorization

Tuesday, November 20, 2018

Can you imagine being able to authenticate or authorize a payment just by placing a plastic card on your mobile phone screen, with no circuitry, NFC connection or additional hardware required? Now imagine the same scenario, but placing that card on a laptop touchpad. At the last Security Innovation Day, we presented several technologies developed by our team of which we are especially proud. In this entry we will talk about CapaciCard.


m33tfinder: a vulnerability on Cisco Meeting Server detected by ElevenPaths

Friday, November 16, 2018

On November 7th, while we were holding our Security Innovation Day, Cisco published a security advisory for CVE-2018-15446, a vulnerability in the Cisco Meeting Server software reported by our Innovation and Labs team. The vulnerability could allow a remote attacker to gain access to sensitive information and to join meetings held through this software. Cisco Meeting Server (previously named “Acano”) is video conferencing software that lets users hold meetings through different clients, such as Cisco Jabber, Cisco Meeting App, Skype for Business, or via WebRTC with a supported browser.


Stela FileTrack protagonist of the 6th Security Innovation Day Edition

Tuesday, November 13, 2018


Telefónica’s Cybersecurity Unit held its 6th Security Innovation Day, under the motto Game Is Never Over.

  • Stela FileTrack, a new solution to protect organizations’ sensitive documentary information.
  • Telefónica’s SOC located in Madrid, a highly qualified incident response team available 24x7.
  • Faast for WordPress and mASAPP Online, focused on online sales, are launched on the market.
  • New IoT security services, based on the strengths of Telefónica’s SOCs.

You are less rational than you think when you take decisions under uncertain conditions

Thursday, November 8, 2018

I propose the following game of chance:
  • Option A: I give you 1,000 € with a probability of 100 %
  • Option B: Let’s leave it to heads or tails: if it’s heads, you win 2,000 €, but if it’s tails, you win nothing
Which option would you choose? A sure profit, or the possibility of winning twice as much (or nothing)? If you think like 84% of the population, you have probably chosen option A: a sure profit. Ok, so now I will propose another scenario. You must pay a fine and you can choose how to do it:
  • Option A: You pay 1,000 € for the fine with a probability of 100 %
  • Option B: You flip a coin to decide: if it’s heads, you pay 2,000 € for the fine, but if it’s tails, you pay nothing
Which option would you choose now? Would you pay the fine, or would you flip a coin, considering that you may pay nothing (or twice as much)? In this case, if you are like 70 % of the population, you have probably chosen option B. So, are you doing it right or not? Ok, let’s analyse what’s happening here purely from a rational point of view.

The State of Cyber Risk in Spain

Monday, November 5, 2018

In Spain, cybersecurity is becoming more of a priority among businesses across all industries. One way to quantify these cybersecurity postures is by looking at Spain’s security ratings across all markets in comparison with Europe. In Spain, BitSight Security Ratings are on average 119 points below Europe as a whole. The highest performing industry is Real Estate, with a security rating 71 points better than the European average. The lowest performing industries are Financial Services and Insurance, which are more than 200 security rating points lower than the average European rating. Given the sensitive data financial services companies possess, this report suggests there is a need for additional investment in cybersecurity and cyber risk management. As companies invest in digital transformation programs, their exposure to risk increases and requires increased investment in risk management across their organization.

DNS over HTTPS (DoH) is already here: the controversy is served

Recently, the IETF has promoted the DNS over HTTPS proposal to an RFC. In other words, this means resolving domains through the well-known HTTPS, with its corresponding POST and GET requests and certificate exchange for authentication and encryption. This news is more important than it may seem, for two reasons: firstly, it’s a new resolving paradigm that shakes the foundations of the network. Secondly, RFC status combined with the interest shown by browsers (eager for the power this grants them) has led them to start implementing it in record time. It is said that privacy is guaranteed, ok, but… is it a good (or bad) idea?

DoH (DNS over HTTPS) is really simple. Instead of going to port 53 of a server (for instance, the well-known 8.8.8.8) and asking for a domain through a UDP or TCP packet, DoH standardizes the construction of a GET or POST request to an HTTPS domain, so the answer will be the A and AAAA records (the RFC doesn’t specify other records) with the IP. It has more details, such as the clever solution of turning the Cache-Control header into the TTL. Everything carefully encrypted, of course. Do you remember when, in a hotel, you could tunnel HTTP browsing through the DNS protocol (often unrestricted) to avoid paying for the Wi-Fi? Now it’s the other way around.