If you want to change your employees’ security habits, don’t appeal to their willpower, change their environment instead

Wednesday, March 13, 2019

You’re in a coffee bar and need to connect your smartphone to a Wi-Fi network, so you check your screen and see the following options. Assume that you know the key, or could ask for it, should one be requested. Which network would you choose?

Wi-Fi networks image

Depending on your level of security awareness, you will choose either the first one, mi38, which seems to have the best signal, or v29o, whose signal is not bad either but which is secured and asks for a password. Now imagine that you are in the same coffee bar, but this time the following list of Wi-Fi networks appears on your smartphone screen. Which one would you choose now?

Don’t confuse the frequency of an incident with how easily you remember it

Monday, March 4, 2019

Imagine that there have been a few robberies in two parks in your town, and that they have dominated the news for days. This afternoon you would like to go running in the park next to your home, so those incidents quickly come to mind, and that alone makes you weigh the probability of becoming a victim of a robbery (or something worse) in that park. Your mind makes the following association:

Park = Danger!!!

The images you have seen on TV and on the Internet will make you overestimate the probability that you will be the next victim, even in a park in a different town. As a consequence, you may avoid running in the park near your home (or in any other park) until the media echo fades. Only when you stop thinking "Park = Danger!!" will you frequent parks again.


GSMA IoT Security Champion: Award to our IoT Security team

Wednesday, February 27, 2019

We have a lot to be happy about! Our IoT Security team, which specializes in cybersecurity for the increasingly relevant world of the Internet of Things, has received a well-deserved award for its contribution to the dissemination and application of the IoT security guidelines of the GSMA, the body that represents the interests of the world's major mobile operators and organizes the Mobile World Congress events, among them the Barcelona event taking place this week.

The largest collection of usernames and passwords has been leaked… or not (II)

Monday, February 4, 2019

In the previous entry we focused on analyzing the content of these files from a critical point of view, that is, on clarifying that when a massive leak exposing millions of passwords is announced, the reality is not entirely what it seems. After all, what has been leaked is a collection of older leaks, gathered over time by a certain group of people or by a single individual.

The leak we examined holds 640 GB of content. We must clarify that it is not just the leak known as "Collection #1", nor the subsequent "Collection #2" and so on (the best-known ones). Collections of this kind are available on the Internet, on several forums or uploaded to servers, where anyone with some patience can access them.

The post-quantum future is around the corner and we are still not prepared

Wednesday, January 30, 2019

Post-quantum future image

Every year we have more powerful computers with greater computing capacity. Is that good or bad? Think twice before answering.

It depends. If global information security rests on the computational complexity of certain functions, then the fact that computers keep getting faster is very bad news.

In fact, a sword of Damocles is hanging over our public-key cryptosystems: RSA, DSA, ECDSA. Their security relies on the difficulty of certain mathematical problems currently considered intractable, such as factoring large integers or solving discrete logarithms. The big promise of quantum computing is that these problems will be solved quickly (Shor's algorithm does exactly that on a sufficiently large quantum computer). Is cryptography mortally wounded? Is there hope for the world? Will we still be able to communicate securely once the first quantum computers arrive? Let’s look at it step by step.
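To make the dependency concrete, here is an added example (not code from the post) showing that RSA is only as strong as the factoring problem: an attacker holding nothing but the public key (n, e) and an oracle that factors n recovers the private exponent d outright. The oracle below is plain trial division on a constructed, deliberately tiny modulus; against a real 2048-bit key that role would be played by Shor's algorithm on a large quantum computer.

```python
"""Toy RSA plus a simulated factoring oracle (added example, not from the post).

Demonstrates why RSA collapses once integer factoring becomes easy: from the
public key alone, a factoring oracle yields phi(n) and therefore d.
Primes and message sizes are constructed toys, chosen so trial division
finishes instantly."""
from math import gcd


def keygen(p, q, e=65537):
    """Build an RSA key pair from two primes (toy sizes, constructed here)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    assert gcd(e, phi) == 1, "e must be invertible modulo phi(n)"
    d = pow(e, -1, phi)            # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def encrypt(pub, m):
    n, e = pub
    assert 0 <= m < n, "message must be smaller than the modulus"
    return pow(m, e, n)


def decrypt(priv, c):
    n, d = priv
    return pow(c, d, n)


def factor_oracle(n):
    """Stand-in for a quantum factoring oracle: trial division.

    Only feasible because n is tiny. For real key sizes this loop is the
    whole classical security argument for RSA; Shor's algorithm removes it."""
    f = 2
    while f * f <= n:
        if n % f == 0:
            return f, n // f
        f += 1
    raise ValueError("n has no non-trivial factor")


def recover_private_key(pub, oracle=factor_oracle):
    """Rebuild (n, d) from the public key and a factoring oracle only."""
    n, e = pub
    p, q = oracle(n)
    phi = (p - 1) * (q - 1)
    return (n, pow(e, -1, phi))


def demo():
    """Returns (recovered key matches, recovered key decrypts the ciphertext)."""
    pub, priv = keygen(1009, 1013)          # constructed toy primes
    secret = 123456
    c = encrypt(pub, secret)
    assert decrypt(priv, c) == secret
    # The attacker sees only pub and the ciphertext, never priv.
    stolen = recover_private_key(pub)
    return stolen == priv, decrypt(stolen, c) == secret


if __name__ == "__main__":
    print(demo())
```

The same reasoning applies to DSA and ECDSA: there the oracle solves a discrete logarithm instead of factoring, and the private scalar falls out of the public point in the same way.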

The largest collection of usernames and passwords has been leaked… or not (I)

Monday, January 28, 2019

Every so often, someone releases, by mistake or otherwise, an enormous set of text files containing millions of passwords: an almost endless list of e-mail accounts together with their passwords or the equivalent hashes. Consequently, the same headline reappears in the media: "Millions of passwords have been leaked…". Even when the headline is not fake, it can be misleading. Here we are talking about the latest massive leak, named "Collection #1".

We have analyzed this huge leak. Beyond the "Collection #1" that reached the media, we obtained a superset of more than 600 GB of passwords. It is so large that in our analysis we counted more than 12,000,000,000 raw, uncleaned username and password combinations. It is an astronomical figure. The important point, however, is that these are "raw" counts. What is still of interest once the data has been cleaned? We must bear in mind that a leak of a leak is not a leak. If months or years ago someone exposed the database of a given website, that is a "leak". Conversely, if someone concatenates that file with others and publishes the result, it is not a new leak: they are simply making their personal collection of leaks available on the Internet.
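The cleaning step that both parts of this analysis allude to, as an added example (not code from the post, and the sample lines are constructed): combo lists are concatenations of older dumps in inconsistent formats, so the raw line count overstates what is genuinely new. The helper below normalizes each line, deduplicates across files, flags secrets that look like hashes rather than plaintext, and reports how many pairs are unseen relative to a prior known dump. `KNOWN_DUMP` stands in for whatever corpus of earlier leaks an analyst already holds.

```python
"""Measuring what is actually new in a 'collection of leaks' (added example).

Raw line counts from concatenated combo lists double-count credentials that
were already public. This parser tolerates the usual separator variants,
keeps the password case-sensitive, lowercases only the e-mail, and compares
the unique pairs against a previously known dump."""
import re

# Constructed sample data: two overlapping "collections" and a prior dump.
COLLECTION_A = """\
alice@example.com:hunter2
Bob@Example.com;letmein
alice@example.com:hunter2
carol@example.com:5f4dcc3b5aa765d61d182cb2c9f8d0b3
not a credential line
dave@example.com:pa:ss:word
"""

COLLECTION_B = """\
bob@example.com:letmein
alice@example.com:Hunter2
erin@example.com	qwerty
"""

KNOWN_DUMP = {
    ("alice@example.com", "hunter2"),
    ("carol@example.com", "5f4dcc3b5aa765d61d182cb2c9f8d0b3"),
}

# e-mail, then the FIRST ':' ';' or tab, then everything else as the secret.
LINE_RE = re.compile(r"^\s*([^\s:;]+@[^\s:;]+)[:;\t](.*?)\s*$")

# Heuristic only: unsalted MD5/SHA-1/SHA-256 hex digests and bcrypt strings.
HASH_RE = re.compile(
    r"^(?:[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64}|\$2[aby]\$\d\d\$.{53})$"
)


def parse_line(line):
    """Return (email_lowercased, secret) or None for junk lines.

    Only the first separator splits the line, so passwords that themselves
    contain ':' survive intact. Passwords are never case-folded."""
    m = LINE_RE.match(line)
    if not m:
        return None
    email, secret = m.group(1).lower(), m.group(2)
    if not secret:
        return None
    return email, secret


def parse_lines(text):
    return [p for p in map(parse_line, text.splitlines()) if p is not None]


def looks_hashed(secret):
    return bool(HASH_RE.match(secret))


def summarize(files, known):
    """Raw lines vs parsed pairs vs unique pairs vs pairs not in `known`."""
    raw_lines = sum(len(t.splitlines()) for t in files)
    parsed = [p for t in files for p in parse_lines(t)]
    unique = set(parsed)
    return {
        "raw_lines": raw_lines,
        "parsed": len(parsed),
        "unique_pairs": len(unique),
        "new_vs_known": len(unique - known),
        "hashed": sum(1 for _, s in unique if looks_hashed(s)),
    }


if __name__ == "__main__":
    print(summarize([COLLECTION_A, COLLECTION_B], KNOWN_DUMP))
```

On the constructed sample, nine raw lines shrink to six distinct credentials, of which only four are absent from the known dump; "hunter2" and "Hunter2" for the same account are deliberately counted as two, since a password cracker would treat them as two candidates.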

#CyberSecurityReport18H2: our new periodic report on cybersecurity

Monday, January 21, 2019

There are already many reports covering trends and summaries in security. At ElevenPaths, however, we want to make a difference. Our Innovation and Labs team has just launched its own cybersecurity report, summarizing the most significant information from the second half of 2018. The report’s philosophy is to provide a global, focused and useful view of the most relevant facts and figures in cybersecurity, addressed to cybersecurity professionals and enthusiasts in a simple, visually appealing format. Let’s go over some of the data from this first edition, which will be continued and, without a doubt, improved.

Nowadays there is a flood of information on cybersecurity. That does not mean the information is correctly understood and analyzed, so it is not properly used to improve processes and reduce exposure. A lack of information is as harmful as an excess of it. Staying up to date and informing people is not enough; it is also necessary to analyze, to prioritize, and to learn what matters and why.

Extension detected in the Chrome Web Store, active since February, that steals credit cards

Tuesday, January 15, 2019

We have detected an extension for Google Chrome, still active, that steals the data victims enter into web forms. The extension, still available on the Chrome Web Store (the extension marketplace for Chrome), has been active since February 2018. It does not show up in Web Store searches and can only be reached through a direct link, which the attackers spread by injecting JavaScript into compromised web sites that redirects visitors to that link.

Chrome web store Javascript cybersecurity image

2019 won’t be the year when quantum computers replace the cryptography that we all use

Wednesday, January 9, 2019


What would happen if a fully error-corrected quantum computer with several thousand logical qubits started working today? Public key infrastructures would collapse. The world’s secrets would be exposed. There would be chaos. How near or far is that day? How would it affect our cryptography? What should we do to protect our sensitive information ahead of the arrival of quantum computers?