Carlos Ávila

Chief Security Ambassador at ElevenPaths. Degree in Information Systems. Computer Security Consultant and Instructor on related subjects.
Cyber Security
Using DIARIO Through FOCA For Malware Analysis
Web servers are one of the main channels for the spread of malware on the internet. They are frequently attacked in search of security flaws that allow them to be infected so that they, in turn, serve as agents for spreading malware, controlling botnets and mining cryptocurrencies, among other malicious activities. One of the moves attackers make to this end is to upload infected files to servers in order to deliver such malicious code to users.

In this article we focus on files (Office and PDF) that could be infected and hosted on compromised web servers. This is where, through the open-source FOCA tool, we can use the DIARIO plugin to analyse whether or not these files contain malware in embedded macros, and thus prevent the spread of such files on the internet or to your own users.

DIARIO, How to Detect Malware While Protecting Your Privacy

But what is DIARIO? DIARIO is a platform that incorporates Artificial Intelligence specifically trained to detect malware that generally eludes traditional antivirus solutions. To do so, it analyses documents without needing to access their content, which is essential for files of a private or sensitive nature.

Through FOCA, and after searching for the documents on the web server, you can use DIARIO to periodically analyse the files uploaded to your web servers to find out whether they contain malware (at macro level), so that you can take mitigation and control action on this risk. The analysis can be run individually or for all the files crawled or found by FOCA and its search methods. At the end, you can also get a tabulated summary of the results.

The truth is that these files should not even be on web servers, as they should be checked before they reach the server. But criminals keep updating and improving their techniques, so in case you want to give it a try, you have one more tool to analyse your documents from a different perspective in order to defend yourself against this type of threat.
April 29, 2021
Cyber Security
WhatsApp Terms and Conditions Update: A Cheeky Move?
Surely by now many have already accepted the new terms and privacy policies without really knowing what they were about or their impact on the privacy of their data, and many others have even decided to switch to Telegram and start abandoning the green messenger. Why so much fuss about this new policy update? Briefly, by accepting (Figure 1) this update of the terms and privacy policy, mandatory from 8 February, you allow your WhatsApp data to be shared with the rest of the Facebook services. This was optional a few years ago, when the user could decide directly what to share and what not to share between the Facebook companies.

Figure 1: Notification of update of conditions and privacy policy

Users are talking a lot about this controversial topic because if you do not accept this update you will not be able to continue using the application. In recent days several articles have been written giving details about this, so we decided to focus this entry on what alternatives we have to Facebook's stated intentions regarding the use of our data.

Considerations on acceptance of the new terms and conditions

We are interested in analysing what will happen to users who accepted these new terms by mistake or in a hurry and want to revoke this acceptance, even if this means that on 8 February this year they will have to stop using the platform if they do not agree. Will they be able to do so? Is there any place where this acceptance can be revoked? The answer is currently simply NO. Nevertheless, we decided to verify some actions that users might try in order to reverse this "unconscious" acceptance, especially after reading so many articles or messages on Twitter on the subject, and we started with the most obvious one: searching for an option in the account settings. Of course, there is no such option.

The second option we thought of was harder: delete the user and then create it again, or even load another user into the application, and see if the policy acceptance prompt appeared again. However, when running WA, the application takes the last update (version 2.20.206.24) and accepts the new policy. To be more incisive, the third option the user has is to uninstall the application completely and reinstall everything with a previous version from the official store. However, when carrying out this procedure we verified that it is not possible to install a previous version, since it is not officially available as an alternative (of course, if we already have the installer of a previously downloaded version, or we download it from an unofficial store, which we do not recommend, we could install another version with the previous policy).

More details

It is also interesting to highlight that for the European community the new privacy policy does not fully apply (sic), generating an exclusive policy for users resident in this area of the world. This is due to the GDPR regulations, which prevent both Facebook and any other company from sharing their users' data with their other companies, or from using it for various interests, without the explicit and clear approval of the user involved. Thanks to this, WhatsApp users in the European community have now won the battle over the control of their privacy.

In short, we can say that WhatsApp users who have already accepted the privacy policy, without reading or considering what it implies for the handling of their data, only have two options:

Delete the account and leave this messaging service by migrating to another of the many similar services that have emerged in recent years. Those who choose this option can select from several services that have taken off recently.

Continue using this service, taking into account that it is not possible to revoke the new privacy policy and accepting that your data will be shared among all the Facebook companies, for purposes that, as indicated in the policy, are intended to "operate, provide, improve, understand, customize, support and promote our services".
January 8, 2021
Cyber Security
Security and Privacy on the "Internet of Health"
At the time of writing this article, many companies around the world are innovating, creating and improving various applications, robots and gadgets to monitor our health. In fact, many of these are already a reality and are being sold on the application market and implemented in hospitals around the world. All these watches with sensors, chips inserted in our bodies, smartphones and other devices are fantastic and store a lot of user data, but is this data being protected? Will it be used to issue diagnoses? What about the security of the software of these devices? What do we get, for example, from surgeries performed by remote-controlled robots?

The Digitization of the Healthcare Industry

We talk about innovation, digitalisation and robotisation in the health industry, and this has led mankind to carry out interesting projects such as the well-known DaVinci (the robot with the most advanced surgical system in the world) or perhaps lesser-known projects such as the microrobot called ViRob, designed to clean and drain "pipes" in the body as needed in operations. If we talk about common devices and accessibility for users, we find hearing aids that monitor your overall health in real time. In terms of mobile applications, we see how a photograph taken with a mobile device and advanced image processing could detect certain types of skin cancer; the GoogleLeNet project, originally designed to interpret images for smart cars, has been working on this for a long time. At present it is impossible to keep up with such a large number of devices that generate information, and doctors are no exception. A doctor can make diagnoses from his experience with several patients, but a computer is now doing so based on data and comparisons of results obtained from hundreds or millions of similar cases.

Health Comes First, As Long As It's Secure

The data processed today by all these gadgets in the health industry needs to be reliable and secure in order to make a reliable diagnosis through analysis. Therefore, the software that makes these technological devices work must be protected and tested. The cybersecurity community, as well as security companies in general, has been conducting research on this topic and has exposed attack vectors and vulnerabilities in this type of environment. Similarly, the FDA (US Food and Drug Administration) has created guidelines and makes frequent calls on the creators of medical technologies to ensure the security of their products. The health industry, like many others, depends largely on technology to understand our health status. Each new device we use is likely to share data in some way with other platforms for physician decision-making.

The "Internet of Health"

Just as the "Internet of Things" refers to interconnecting various devices so that in many cases they interact automatically, the "Internet of Health" will perhaps allow all our medical data to be connected together, so that through various systems it can be condensed into a comprehensive report. We are now at the point where all this data is being stored in environments that should have a level of security that is managed, evaluated and monitored frequently, because decision-making will depend on it. It is really important that we get involved in this problem as a community and as users. Furthermore, governments and legal entities must ensure the full and permanent commitment of all actors in this industry through laws and regulations. In this way, we will be able to maintain an adequate level of security that will allow us to feel a little calmer in the face of cyber threats.
July 9, 2020
Cyber Security
The Pharmaceutical Retail Industry and Their Mobile Applications
The pharmaceutical retail industry has been forced to act much faster in the race of so-called "digital transformation" because of the global pandemic that society is currently going through. Pharmaceutical companies have therefore had to rely on applications already deployed, or deploy new applications quickly. These are the same applications that run their business, managing prescriptions and drug orders, discounts, etc., and that make the use of their services attractive to customers in this period of high demand for drugs. On the other hand, many governments around the world established mandatory quarantine, which led people to make greater use of digital media to buy medicines, food and other products. As a result, mobile applications and the infrastructure supporting them play a key role today and are likely to enter our daily lives more than ever before.

What Are the Implications of This?

All the data generated by customers is handled by their mobile devices and by the technological infrastructure (in-house or third-party) of the pharmaceutical companies. As you might expect, these applications could have vulnerabilities and pose a risk to customer data. Many of these applications communicate directly with company devices and systems running internal processes, creating an additional attack vector for cybercriminals seeking this type of information.

Image 1: Description and functionalities of pharmaceutical applications

For this analysis, we selected the latest version of 29 applications (iOS/Android) from pharmaceutical companies through which the user can access various services, mainly online purchase of drugs and management of medical prescriptions. The applications were randomly selected from pharmaceutical companies in South America, Spain and the United States. Within this set of samples, we focused on analysing only the mobile application: although weaknesses were discovered on the server side (backend), these were not included. For this analysis, we used a rooted Android device, an iPhone 5S (no jailbreak) and our platforms mASAPP (continuous security analysis of mobile applications) and Tacyt (mobile threat cyberintelligence tool).

Analysis Results

General tests were performed following the OWASP Top 10 Mobile Security Controls. These are only an overview of the number of tests that could be done on these mobile applications in a comprehensive manner. In our case, the results showed that, although security controls were implemented in the development of these types of applications, several weaknesses were found that need to be fixed and, above all, continuous improvement must be maintained in the development process. The vulnerabilities found according to the controls evaluated are shown in the following summary matrix:

General summary of analysed control results ((-) feature applicable only on Android platforms)

Firstly, we wish to highlight several weaknesses we found in easily-readable structures such as XML, API keys or configuration files. This denotes insecure local storage.

Image 2: Certificate/key hardcoded files
Image 3: Readable API keys in hardcoded files

While a large number of these applications establish secure communication channels (HTTPS) with their backends, some unencrypted HTTP channels are still in use, as shown in our results table. We also found applications that do not verify the authenticity of their certificates, or that use self-signed certificates. This shows that security needs to be improved in this regard.

Image 4: Use of self-signed certificates

Also, among other insecure application programming practices, we noted the lack of code obfuscation features (depersonalization) to make the reversing process harder in almost all Android applications.
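As an added illustration (not part of the original analysis, nor of the mASAPP or Tacyt tooling), the following Python checks run over constructed samples of a decoded strings.xml and a network_security_config.xml and flag the three weaknesses described above: hardcoded API keys in readable resources, cleartext HTTP endpoints, and a network configuration that permits cleartext traffic or trusts user-installed certificates. All resource names, URLs and key values are made up.

```python
import re
from typing import List, Tuple
# Constructed sample of a decoded Android strings.xml (not taken from any real app).
SAMPLE_STRINGS_XML = """<resources>
    <string name="app_name">PharmaDemo</string>
    <string name="api_base_url">http://api.pharma-demo.example/v1/</string>
    <string name="payments_url">https://pay.pharma-demo.example/</string>
    <string name="google_maps_key">AIzaSyEXAMPLE0123456789abcdefghijklmnop</string>
    <string name="backend_api_key">sk_live_EXAMPLEabcdefghijklmnopqrstuvwx</string>
</resources>"""

# Constructed network_security_config.xml with the weak settings, and a hardened counterpart.
WEAK_NET_CONFIG = """<network-security-config>
    <base-config cleartextTrafficPermitted="true">
        <trust-anchors><certificates src="system"/><certificates src="user"/></trust-anchors>
    </base-config>
</network-security-config>"""
HARDENED_NET_CONFIG = """<network-security-config>
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors><certificates src="system"/></trust-anchors>
    </base-config>
</network-security-config>"""
STRING_RES = re.compile(r'<string\s+name="([^"]+)">([^<]*)</string>')
NAME_HINT = re.compile(r"key|secret|token|password", re.I)  # resource names worth a look
# Value shapes of common key formats: Google API keys, Stripe-style live keys, long tokens.
VALUE_SHAPE = re.compile(r"AIza[0-9A-Za-z_-]{35}|sk_live_[0-9A-Za-z]{24,}|[A-Za-z0-9+/=]{40,}")

def find_hardcoded_secrets(strings_xml: str) -> List[Tuple[str, str]]:
    """Return (resource_name, masked_value) for string resources that look like secrets."""
    findings = []
    for name, value in STRING_RES.findall(strings_xml):
        value = value.strip()
        # Heuristic: a key-like value shape, or a secret-like name holding a single token.
        if VALUE_SHAPE.fullmatch(value) or (NAME_HINT.search(name) and " " not in value):
            findings.append((name, value[:8] + "..."))  # mask so the report does not leak the key
    return findings

def find_cleartext_urls(text: str) -> List[str]:
    """Return non-TLS http:// endpoints embedded in decoded resources or config files."""
    return re.findall(r'http://[^\s"<]+', text)

def audit_network_config(xml: str) -> List[str]:
    """Flag settings in network_security_config.xml that weaken transport security."""
    issues = []
    if 'cleartextTrafficPermitted="true"' in xml:
        issues.append("cleartext (HTTP) traffic permitted")
    if re.search(r'<certificates\s+src="user"', xml):
        issues.append("user-installed CAs trusted: any certificate added on the device is accepted")
    return issues
```

Run the three functions over the resources of a decoded APK to get a first triage of the local-storage and transport findings discussed above.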
Image 5: Review of Java classes after reversing process
Image 6: Documentation and technical comments in detail

A not-insignificant finding of this analysis is that 5 of the applications were found by Tacyt on unofficial markets. In many cases they were uploaded by users who did not necessarily own the application (we do not know for what purpose).

Image 7: Sample of an application found on other unofficial markets

Conclusions

We believe that these findings are a further contribution to progress towards enhanced security and hope that they will help application developers in the pharmaceutical sector. In this global health crisis, there have been many other cases where industries have had to transform many of their traditional services into digital services abruptly, with all the IT risks that this entails. Managing the security and privacy of the user data of pharmaceutical applications is essential, since these store private data about our health. It is important for companies in this sector to be aware that their customer data is exposed to computer risks and that, by performing appropriate controls and continuous evaluations, they should protect it, while also keeping their technological infrastructure safe from potential cyberthreats.
May 14, 2020