Andrés Naranjo

We already know that the weakest link in the cyber security chain is the user. Studies show that the main reason why a cyber-attack on a company is successful is because of the email entry vector. The whole disaster often starts with an email with an attached file. Therefore, Telefónica Tech has developed a technology that tackles the problem of analysing office documents in a totally innovative way: DIARIO. Now, the famous cyber security incident response platform (SIRP) TheHive, has included the possibility of integrating DIARIO in its systems. DIARIO is a technology 100% developed by the ElevenPaths Innovation Area and Laboratory. It is part of the new Telefónica Tech, whose artificial intelligence engine is capable of scanning documents to detect signs of malicious code used by cybercriminals, giving the user a quick and convenient verdict about its danger. DIARIO: Not Another Antivirus DIARIO's ability, using artificial intelligence, to detect common elements used to introduce malicious code into office documents is extremely useful in those areas where the antivirus cannot help, making it a truly effective detection task. DIARIO does not try to replace traditional antivirus, it complements them by doing a totally different type of analysis on everything that has not been able to be detected by traditional antivirus methodologies, usually based on signatures. DIARIO is very effective in what " escapes " the detection of antivirus software. Privacy as The Core of DIARIO's Design DIARIO is entirely focused on business use and therefore, given the possibility of document confidentiality, it has been designed for confidentiality. Often, in case of suspicious files, employees use as additional virus-free validation online file scanning platforms that record and store both the information and metadata of those documents they receive. This can pose a serious privacy problem because of the sensitive or confidential content stored in these documents. DIARIO, however, only extracts those parts of the documents that could be suspicious to be analysed, and never the content of the document itself. So the sensitive or confidential information contained in the document does not circulate or is not stored in any way outside the corporate environment, maintaining the privacy of that information. TheHive DIARIO's trained artificial intelligence is also available for use or integration through other tools or technologies thanks to its developer interface (API). This is why it is very useful as part of TheHive. TheHive is a cyber security incident response platform (SIRP) that is responsible for receiving alerts from all our cyber security technologies (SIEM, IDS/IPS, firewalls, etc...). TheHive is a highly automated platform and ready to be integrated with other technologies to improve its efficiency and functionality. In this way, from TheHive, using DIARIO's artificial intelligence, we can directly scan suspicious files that arrive attached to an alert, thus making a quick and direct analysis of the content of office files that allow an automatic early warning in case of malicious files. DIARIO is a cross-platform solution that runs on Windows, Linux and MacOS, and can be run directly in the cloud, from the Office365 webmail client as well as in the Outlook desktop application. You can test DIARIO's document analysis capabilities quickly and easily from its website: diario.elevenpaths.com. If you are interested in enjoying the benefits of DIARIO in any of its forms, you can contact Telefónica Cybersecurity & Cloud Tech by filling in the related form on the DIARIO site: diario.elevenpaths.com or in the following email: lab-tcct@telefonica.com.

We often find ourselves in situations where we are faced with a mission and, as the mission goes on, we realise that the first choices we made were not good. At that point, we have two options: start over from scratch or make up for that poor decision making with extra work and effort. The Internet Was Created in an Unsecured Way This is a phrase that you will surely have heard from cyber security professionals at some point. This exciting change that the digital transformation has meant, one of the most drastic in the history of humanity, has always been built on things that had not been done before. Along the way, we have made choices that have sometimes proved to be wrong. But, as we said before, we find ourselves in the situation where we cannot "reset" the Internet and start from scratch. One of those bad choices we've been making since the beginning of the Internet is identity management, or in other words, how a system knows who is the user using it. For example, who is the person accessing their email and how is it different from another individual. Traditionally this has been based on the use of passwords, which only the user in question should (I must repeat this: should) know. But, either because of the security of the systems themselves (where the password can be intercepted or stolen both on the network and on the device where it is used) or because the user does not make a responsible use of them, this system has proved to be extremely fragile. The User: The Weakest Link in The Chain This point is extremely easy to check: just take a walk through the "underground" channels of Telegram or the Deep Web (or Dark Net) to see how many premium service accounts are for sale: Netflix, Spotify, PrimeVideo, Twitch Gaming and almost any other type. It is logical to infer that these low-cost and unexpired accounts have been stolen from other users whose credentials, and therefore identity, management can clearly be improved, either in the online service or in their personal use. Prestigious studies on the subject, such as Forrester's The Identity And Access Management Playbook for 2020, warn us that 81% of security breaches are caused by a weak, stolen or default password. This happens for a multitude of reasons, both because of the user's responsibility and because of defects in the design or implementation of security. To a large extent, this is due to the user's ignorance or lack of zeal, who thinks that no one can be interested in violating his security as a private user. This has a much greater impact when the user's identity is the gateway to a larger entity such as a company or organisation. So much so that, currently, it has proved to be the weakest link in the chain: a user vulnerable to cyberattacks makes a company vulnerable. This can be caused, for example, by using a password that is too easy to guess, too common or reused on more than one site or online service. I also recommend reading this other article on the proper use of passwords. For these inappropriate uses of passwords, cybercriminals have designed techniques which we will talk about in the second part of this series of articles. So, in order not to delegate that trust to the end user, cyber security companies like ElevenPaths strive to avoid this type of risk to users, by designing products and services that add an additional layer of security to the traditional and obsolete user/password pair. In addition to including innovative improvements to identity services that we will also discuss in part 3 of this series of articles. SmartPattern: The Path to Robust Identity Management So, where is the challenge? In being able to develop technology that guarantees that extra layer of security without harming the user experience and without forcing the user to learn or adapt to a new identification system. We call robust identity or level 3 authentication: Something you have: for example, a physical device or card. Something you know: for example, a pin or password. Something you are: for example, your fingerprint. So, as a culmination and, in a way, a spoiler of where this journey of digital transformation is taking us in terms of identity management, we will put forward an example of robust identity management that is both convenient and usable by the common user of technology: SmartPattern. SmartPattern is a new concept in the process of robust authentication, as well as in the authorisation and signature of documents through a simple mobile pattern gesture, which can be used in any smartphone, tablet or touchpad laptop as an identity service. In other words, the user does not need to remember or save hundreds of passwords, but simply remember a single pattern for all online services, whereby the service uses a machine learning engine that is capable of detecting unique features in the route, which even if intentionally shown to another user, will fail in 96% of cases. We were able to verify this in a field study at the University of Piraeus, Greece. Artificial Intelligence training from SmartPattern Thanks to its versatility, SmartPattern can be integrated with a multitude of authentication and authorisation services. For example, logging in and/or authorizing a banking transaction, as we have already demonstrated in Nevele Bank's demo portal: a bank without passwords! The SmartPattern website offers more information on this subject but let this innovative and advanced element show that the path to a secure identity will have many more avenues beyond the well-known duplicates that we have hitherto considered secure. This is all for the moment. In the next part we will talk about cybercrime and the market for stolen credentials that continues to grow, both on the Deep Web and on underground Telegram channels.

“It is not the strongest of the species that survives, not the most intelligent that survives. It is the one that is the most adaptable to change”. Charles Darwin One of the greatest and most rapid changes in recent human history is this "new normality" caused by the Covid-19 pandemic since it started in March. In this change, most companies had to find a way to maintain their activity at whatever the price, at least as far as possible. This subject, which is not easy, is critical whenever we talk about technology companies: We see many companies whose previous success and strength have been of no use when having to face the current market or financial scenario. They have gone from the greatest of successes (their previous strength) to the most resounding of failures. Failure to adapt to change can mean being sentenced to death or long agony: let´s recall the case of Nokia, for example, which at the beginning of the century was comfortably established on the hegemonic throne of mobile telephony, both in terms of production and reputation, and nowadays it is no longer what it used to be, after smartphones arrived. But going back to March of this year 2020, as we were saying, companies in most countries that have suffered lockdowns had to have the means to maintain their activity. And often these urgent processes never consider the necessary protective measures. To a large extent, this adaptation has meant enabling the possibility of homeworking, which it seems has arrived to stay since governments are trying to regulate this type of work. However, as we will show down below, this capacity to manage remotely and/or to enable teleworking has meant a greater number of assets exposed to well-known vulnerabilities. BlueKeep vulnerability The study presented here is based on the CVE-2019-0708 vulnerability which is known as "BlueKeep". A vulnerability of remote code execution in Remote Desktop Services (previously known as Terminal Services) when an unauthenticated attacker connects to the target system via RDP and sends specially designed requests. This remote code execution can mean total control and compromise of the system. The reason for studying this vulnerability in particular is because the RDP protocol enables easy remote access by simply opening the 3389 port to the desired machine. But each open port, as we know, is an entry vector, especially in the case that basic system protection measures have not been taken. Likewise, it is actually not a recent vulnerability (dating from May 2019) and we must also bear in mind that it affects obsolete Microsoft operating systems: XP, Vista, Windows Server 2008 that are not properly updated. César Farro has collaborated in this study, and in May last year he published the first exhibition study on "BlueKeep". Public tools such as masscan and rdpscan, both written by Robert Graham, have been used for this purpose. BlueKeep Vulnerability Study – May 2019 The methodology for this work has been simple: The IP range for each country has been scanned using public sources where the IPv4 ranges assigned to each are published, such as Lacnic and RIPE. The tools described above have been used to analyse whether the asset exposed under the 3389 open port is vulnerable. It should be noted that the analysis is not decisive and there are several undiagnosable assets, which are listed as "unknown". We establish a comparison between January 2020 and August 2020, to compare the number of assets with the open port and to draw conclusions regarding the level of exposure. Let's see for example, data in Spain before and after the pandemic: Taking the percentages as data, we can see a clear evolution: We can draw the following conclusions for the case of Spain: While the number of assets with the 3389 port has almost doubled, the percentage of assets objectively vulnerable to this vulnerability has clearly fallen from 11% to 4% of the assets exposed. 3745 devices could still be considered a very high number of easily accessible machines and therefore vulnerable to a security flaw published more than a year ago. The increase in cases labelled as unknown is mainly due to a correction of the query methods from unknown IP’s and should be attributed to a better configuration. This can be done, for example, by limiting RDP access to certain IPs, which results in a more secure access. You can check all the data for the 12 countries under study in the following table: In summary The new normality imposed by the pandemic has forced many companies and agencies to enable remote access resources to maintain their business. But like everything has changed, it must be done while maintaining our security strategy to ensure business continuity. The use of RDP or other remote access methods must always be planned and executed from security by design so that our adaptation to this change is carried out without putting our entity at risk. As a tip, it is a good idea to have our assets properly listed with their corresponding versions of operating systems and software and/or services running, always keeping an eye out for security updates.

Taking advantage of all the attention this issue is attracting, the official app markets, Google Play and Apple Store, have been daily deluged with applications. Both platforms, especially Android, has already limited the publication and search of terms such as "covid" or "coronavirus": Google has declared war against those who try to take advantage of fear to win downloads. Currently, only those belonging to official government bodies remain on Google Play. For this rapid analysis we will use ElevenPaths' Tacyt tool, the mobile cyberintelligence ecosystem, where its Big Data structure monitors, stores, analyses and correlates thousands of new applications every day. In addition to collate or compare information which we have access to through easy and simple queries. One of the advantages that Tacyt offers is that we can have all applications accessible regardless of location. Since Google Play can only offer results based on our country of origin according to the availability proposed by the developer. We go to the Official Google Play repository in Spain and search for those apps related to COVID19. Official Apps in Spain accessible in Google Market (10 altogether) Nothing to do with the amount of applications found in any unofficial market: Apps found in APTOIDE, an alternative market using the term: “coronavirus” As with other markets, Aptoide, for example, does not directly download the app we have requested but the "downloader" through which the actual download will be requested. This can easily be guessed by checking that the file size is exactly the same: Downloaded Apps through APTOIDE In fact, we easily check it out at Tacyt when uploading these applications. It detects them as one, with identical hash: This is due to Tacyt not only including its own application discovery drivers and applications downloading, but also, using the upload function (either via web or API) the user can upload the applications to be analysed. These can be seen labelled as "userUpload" and can also be tagged with our own identification labels (as in the image: the author of the upload or the market from which it was downloaded). This upload function can be very useful to detect altered versions of our legitimate applications in unofficial markets, for example, from a bank. Tacyt includes a button on the interface to compare applications. In any case, we do not miss the opportunity to totally discourage the installation of applications from unofficial sources. Google Play Search Using Tacyt for COVID19 Related Apps Since the Beginning of the Pandemic We will focus the research on Google Play. The filters are used to form the next search in Tacyt. As you can see these usual composite queries (dorks) in Google search, for example, are easy to read: ((packageName:*covid19*) OR (packageName:*coronavirus*)) AND (origin:"GooglePlay") AND (createDate:"2020-03-14 00:00:00 - today") “Dorking" to search using Tacyt apps in Google Play related to COVID-19 published since the beginning of the alarm state Tacyt’s respond to the previous search: Apps related to COVID-19 published overseas in Google Play We now search for unofficial apps related to COVID19 using Tacyt from the official date of the start of the pandemic. For this task, we can use the parameter ORIGIN indicating the exclusion of all those whose origin is not the official one. For example -origin:GooglePlay. ((packageName:*covid19*) OR (packageName:*coronavirus*)) AND (-origin:GooglePlay) AND (createDate:"2020-03-14 00:00:00 - today") Unofficial apps published since the beginning of the pandemic For example we have a look at the permissions of the app with "coronavirus.tracker.news" package name and do a quick scan. The following permissions are suspicious: (we only comment on permissions different to the "normal" official apps that violate privacy or security) android.permission.CHANGE_WIFI_STATE: allows the APP to change the state of Wi-Fi connectivity. android.permission.INTERNET: allows the APP to open network connections. android.permission.WRITE_EXTERNAL_STORAGE: allows the APP to write in the external storage of the device. android.permission.READ_EXTERNAL_STORAGE: allows the APP to read on the external storage of the device. android.permission.WAKE_LOCK: allows you to use PowerManager WakeLocks to prevent the processor from going into sleep mode or the screen from getting dark. For any research, we can load the apps in batches into Tacyt and then search for them using a custom label and locating, for example, as we said, suspicious permissions: Likewise, we could have used the expiry date of the certificate (sometimes suspiciously long), apikeys, text or emails chains associated with malware, and a long etc... We will see in the next part some more information about the findings.

Sometimes changes occur in society and bring us new ways of addressing daily tasks, cultural, social or other changes that establish a new practice as a way of life to solve or ease a new reality. That way, with the arrival of coronavirus in Spain, the terms 'teleworking' or 'home working' are on everyone's lips to try to maintain work activity while minimizing interpersonal contact to prevent further spread of the virus. However, this ability to work remotely is not new, teleworking is very positive both for society and for the individual himself, as almost all studies on it show. As a case in point, teleworking involves fewer trips and emissions. In a few weeks, China has reduced its environmental pollution by more than 25%. Similarly, accidents on the way to work are also avoided. Another great advantage is that home working is family-friendly. If we can adapt working hours to other family-related responsibilities, worker’s quality of life is increased, and stress reduced. Resources Required to Enable Teleworking and Its Risks It is obvious that nothing happens for its own sake. For a change of this size you must be prepared, particularly at the technological level. Mainly, secure access to all company's resources must be ensured, have a way to hold online meetings with the appropriate connections and tools, as well as a synchronization method of all this that allows managing the meeting agenda. Also access to corporate mail, network or cloud folders to share data and, of course, the devices to be used remotely. But, like any change, there are drawbacks as well. When we work from home using our own technological means in terms of both network and devices, the company no longer has control over the cybersecurity measures applied if the company did not have this contingency planned. Working from Home Securely To begin with, the use of our own connection may generate a technological security risk for the company if it is not properly secured, both in terms of passwords and network segmentation. The work device should be isolated from other devices at home, potentially more insecure, particularly if they are managed by minors. In the same way, the system provided by the company must include the appropriate connection tools to transfer that connection to the company and, from there, secure the connections by using the usual perimeter security, for example. Let’s focus on those essential solutions to ensure security when working from home: Secure Connection to the Corporate Network: These conveniently-encrypted Virtual Private Network (VPN) services guarantee us, on the one hand, a point-to-point encryption of the connection, so that if someone 'listens' when penetrating into the communication, this would be illegible. These attacks, called man-in-the-middle, are usually more common than people might think (for example when using public Wi-Fi), and everything that happens through HTTP traffic, which is not encrypted, may be accessed. By the way, by connecting to the corporate network and "going out" to the Internet by its security measures we will be more protected and, if necessary, we will be allowed to access the Intranet or necessary network folders. Robust Identity Management: Any remote access must imperatively avoid delegating access to the username / password pair. It must be avoided at all costs since a potential theft or leakage of them will surely end up with unauthorized access to the company's resources. Here, two-factor authentication systems or adaptive authentication play a major role and that’s why cybersecurity companies have identity services that, in short, guarantee that users are who they claim to be. Device Protection Tools or EDR tools, the evolution of old 'antivirus softwares' that perform a comprehensive and centralized management of the company's security policy locally on the employees' devices. Awareness about the Responsible Use of Technology: There is no science that advances at a faster pace than technology, so its use must be considered continuous training since every day more aspects of companies are related with the use of technologies. It is highly recommended that all companies train their employees in the appropriate use of technological means. Currently, more than 90% of successful cyberattacks are related with human errors. In short, whether due to the threat of coronavirus or not, your company may be considering allowing telework at least partly. This requires a study of the feasibility and risks in this regard. ElevenPaths has products and services to secure this digital transformation of the world of work.