Wednesday, November 30, 2016

Don't play with cybercrime

The report of the week

Like every night, you put on your heavy armour and travel through the Eastern Kingdoms of Azeroth riding your black horse. Inside your favourite video game you feel like a hero. You could spend hours and hours in front of the computer, killing ferocious dragons, rising levels and acquiring new weapons and powers. Along the way you will find other virtual characters. Behind the Night Elf, the Magician and the Werewolf there are people like you; with some of them you could even create a friendly bond. But you can’t trust everyone: cybercriminals hide in the forest too.

One day, just when you are about to defeat one of the most powerful monsters, your enemy manages to escape. “Don’t worry, I know how to finish this. Someone passed me an infallible trick, there is a tutorial…”, Nyto723 writes to you on a private chat. Immediately, he sends you a link from where you can download the file. And you don’t think it twice because you’ve known him for a long time and also because you are looking forward to passing that level. So you press on the link… without knowing it is infected by malware… and you end up downloading a Trojan. Game over. 

Monday, November 28, 2016

Coal for the "cyber bad guys"

Today, one year ago...

“Dear Wise Men… This year I have been a very good child and I would like to ask you for an electronic toy which I can connect to the Internet, play with, send photos and write chats…”. If your son begins this way the letter to the Three Wise Men or Santa Claus, perhaps it’s time to sit down with him or her to talk about a very serious issue: cybersecurity.  

Just a year ago, VTech, China’s smart toy company, suffered a cyberattack that triggered the data leak of 6.5 million children accounts worldwide and 5 million accounts from their parents. According to the journalist who published the scandal, in the leaked information there were emails, passwords, IP addresses, birth dates, chats history, physical addresses and a huge amount of photographs, in total: 190 GB of images.

Nevertheless, the company tried to calm down the big commotion by assuring users that their credit card numbers were safe. The problem had affected several countries: the United States, France, the United Kingdom, Germany, Canada and Spain, among others.

Friday, November 25, 2016

Be careful on Black Friday

The best of the week in Cybersecurity

Today is Friday, but not an ordinary one. It's Black Friday. You already knew it. You have spent several weeks thinking about what to buy. Discounts of 30%, 50%, up to 70% will make you end up spending more money than you expected, because you will end up buying stuff you didn't  plan.

Since 1975, the fourth Friday of November was officially established as the beginning of Christmas shopping, in order to reduce the crowds in the stores in December. Over the years it was called Black Friday because deficit red numbers became surplus black numbers for many businesses. And that's because a lot of Santa Claus and Wise Kings (in Spain) take advantage of this day to buy Christmas gifts, before the products return to the original prices.

But before taking out your bank card and start buying all these wonderful and irresistible online offers, you should know that cybercriminals are as excited about it as you. Or more!

Wednesday, November 23, 2016

A 'mole' by mistake

The report of the week

The 70s. George Smiley is a spy who is forced to put an end to his career with the British Secret Services because of a failed mission in Budapest. However, just when he had already accepted his destiny, in the last minute, his boss gives him a new task. And now, discretion will be everything. It is suspected that among the members of the dome there is a mole who is spreading secrets that endanger all their other missions. Who will it be? Smiley must gather information and put all the pieces of the puzzle together to unmask the traitor.

This is the plot of Tink Tailor Soldier Spy (2011), a British espionage film that received three nominations to the Oscars and is based on the homonymous novel by John le Carré. Its structure is quite complex to make the spectators open their eyes widely and pay attention to every single detail, until finally the million dollar question is revealed: the mole’s identity.

We spend so much energy protecting ourselves from external threats, from the competitors and cyber-attacks, that we don’t care so much about who we have in the company. What would happen if one of our employees, either out of ignorance or perhaps with treachery, opened the security barrier and let our confidential information escape? Without wanting it or not, he or she would be a “mole” that could endanger our most precious assets: our data.

Monday, November 21, 2016

Danger: rock path

Today, one year ago...

It’s been said you need to learn from the past if you don’t want to repeat the same mistakes in the future, but the human being is the only animal to stumble over the same stone twice. Twice? And many more times! We can even feel attached to the rock and not let it go. That’s the way we are.

Over a year ago, we laughed (because we didn’t want to cry) at a series of “epic fails” that seemed to come from a comedian’s monologue rather than from real life. Among them, a photo of a Greek minister that went viral.   

Sitting down at his desk, he was looking at the camera smiling, without noticing there was a post-it note with confidential information on it. And because nowadays we can zoom and scan everything with virtual magnifiers as if we were detectives 2.0, many people realized that he had written the user name and the fantastic and unpredictable hyper-secure password: 123456. Read the last part with irony, please.

Friday, November 18, 2016

Sex, shopping and virtual reality

The best of the week on Cybersecurity

Sex is overrated nowadays. In the past, virginity and I am ‘the girl-who-doesn’t-kiss-anybody-on-the-first-date’ was a value, today this seems to be the opposite. You have to go out and flirt. The Internet has changed the way of meeting people. Ask the millennials, they have learnt everything through a mobile phone and a computer. In the past, meeting someone was free and you just had to approach him or her in a pub; now you have to pay.   

The recent Adult Friend Finder data breach corroborates what we just said. About 339 million accounts may have been hacked. To get the idea: Spain has 47 million inhabitants. That is, there are six times as many users of Adult Friend Finder as Spanish people. The United States has about 320 million inhabitants. The Ashley Madison data breach in 2015, compared to this, is just a children’s game. On that occasion, there were 32 million accounts, and even the ironmonger on the corner got nervous.

Wednesday, November 16, 2016

The black nurse

You are convalescing. You need to sleep. The smell of the chemicals enters your nostrils and you know you are not at home. You are in a hospital. You know you are going to be safe there. You will be protected and they will take care of you. You don’t need to worry, they will look after you, even when the night comes. You are disconnected from the outside dangers. When the lights go out, a nurse enters the room but you can only see a shadow. Yes, a shadow. But she is dressed as a nurse. And she is not coming with good intentions.

BlackNurse is the name that a group of researchers have given to a recently discovered cyberattack. This method allows massive DDoS attacks, capable of knocking down large servers with limited resources. Their biggest danger lies in their ability to perform the attack on their own, and what is more important, when victims are offline or disconnected.

Tuesday, November 15, 2016

Cybersecurity: classic myths and common sense

Today, one year ago...

Born in 1901 in Berlin and getting the USA nationally later, Marlene Dietrich is considered one of the greatest myths of the Seventh Art. Apart from her participation in the big screen, she was a political activist that gave us quotes to remember like: "The imagination exaggerates, the mind underestimates and the common sense moderates". Eleven words that almost any cybersecurity expert would endorse, whether being in the bad or the good side (or both, which is possible too). Neither magnifying the risks nor despising them: placing each risk in the better place is the best tip. 


This quote is still worth it today, as it was worth it one year ago, when the news related to cybersecurity seemed to claim the prevalence of common sense over any other way of facing the situations involved. Thus, we find an F-Secure report about logging automatically on certain platforms through other services such as Facebook. After a long debate, the text said: “Yes, but no”. That is to say: the login via Facebook is safe, but it is better to take certain precautions before doing so from any website that requests it.

Friday, November 11, 2016

The change of millennium

The best of the week in cybersecurity

If something describes the change of millennium is technology. And if there is something in common between all those who were born in the last two decades of the last century is their relation with technological advances. Some people call them ‘millenials’ and there are a lot of articles and reports about them. In some ways, social networks, such as Facebook, Twitter and instant messaging apps  like Whatsapp or Telegram, determine their interactuation with the world.

David Zuckerberg is one of them. He knows that an account in a social network can be everything. This week we have found out that Facebook has bought passwords in the black market to keep their users’ accounts safe. The security chief of the company said that account safety is about more than just building secure software. Apparently, when passwords are stolen en masse and traded on the black market, it becomes apparent just how many of them are the same: “123456”. Using these type of easy-to-remember passwords makes them more vulnerable to being compromised. And this is something Facebook is keen to prevent.

Thursday, November 10, 2016


In the Greek mythology, pride and arrogance were elements that often defined the different character’s actions in their myths. Hibris is a term in mythology that describes a personality quality of dangerous overconfidence and refers to the excesses of wanting to challenge and transgress the boundaries of the gods. According to Isaiah, in the Judeo-Christian tradition, Lucifer fell to the ground because of his pride and vanity, when he rebelled against the Creator. Lucifer was not only beautiful but also wise. Hence in Latin, his name means “the light-bearer”. 

The survey was conducted among two thousand executives of companies that have an invoice of more than 1 billion euros per year. Of them, 3 out of 4 are convinced that they will be able to catch the cyber attackers. But this overconfidence would be putting their organizations at risk. The report also revealed that more than the half of the respondents were fully convinced that they could stop the most complicated breaches in just a few months. However, a third of these attacks are never discovered. 

Especially in the English-speaking world you can appreciate this kind of poor performance when it comes to detecting successful breaches. To the 30% of the organizations in the United States and the 26% of British companies, it takes more than a year to detect sophisticated cyber attacks. Most of these attacks happen in English-speaking companies. British are the second ones in the world, after the Germans, that believe they can detect everything that is happening in their systems.

Managers from the largest companies in 15 countries stated that they have fully inserted the culture of cybersecurity in their environments. However, successful cybercrime happens on an average of two to three times a month. Despite the overconfidence, around 54% of the executives would invest in an additional budget. Only 17% would invest in cybersecurity, and 28% would invest in mitigating the financial losses.

Speaking of pride and vanity, Donald Trump’s triumph in the United States has crashed the Canadian Inmigration website because of people who may be thinking of crossing the borders to the North. His success has provoked fear in a large sector of the population that is still in shock by the election results. 

In the world of cybersecurity, unlike other environments, vanity or overconfidence can be paid dearly. The best thing is, perhaps, to behave with more modesty and precaution. 

Original image source:

Monday, November 7, 2016

Everybody gets a 'prize'

Today, one year ago...

We should always keep in mind that the weakest link in the chain is the most powerful vector of infection. But, many times, the user doesn’t take part on it or his intervention is minimal. The risk exists and  it happens because we are online, and prevention is important but not always enough. In our weekly review about what happened just one year ago, we find some turbulent news related to online forums, Twitter, emails… The daily routine for any of us, under little and not very friendly crossfire.

The creators of vBulletin, a software on which many popular opinion forums are based, woke up on a November morning with such an overwhelming threat that those forums decided to close temporarily. The attacker, under the identity of Coldzero, put the 0-day on sale, almost at the same time that the vBulletin released a patch that solved the problem. Of course, the bug on which the exploit was based had been online for three years.

Friday, November 4, 2016


The best of the week in Cybersecurity

If in the past decades youth was associated with sex, drugs and rock and roll, nowadays this may have changed. The novel ‘The Girls’, by Emma Cline, published this year, tells the story of a teenage girl who gets into Charles Manson’s band at the end of the sixties and begins to feel intense emotions.

Technology has made young people and teenagers change, even their way of approaching crime. This week we have found out that a 19-year-old British boy has been convicted of creating a DDoS tool, used in 1.7 million attacks. Prosecutors say Adam Mudd would have earned more than 300,000 euros since he created Titanium Stresser when he was 15 years old. The software is a booter service that has been used by thousands of cybercriminals and the attacks were made against 181 IP addresses. 

But not all cyber attackers are so young. This week we have discovered the identity behind one of the hackers that leaked private photographs of celebrities. Ryan Collins, 36, from Pennsylvania, is one of the suspects of leaking the pictures known as ‘Fappenning’ or ‘CelebGate’, which affected artists such as Jennifer Lawrence, Kate Upton, Rihanna or Avril Lavigne. The other one is Edward Majerczyk, 28, from Illinois. Between the two of them, it is presumed that they affected about 600 victims

In countries like the United States, where distances are so long, having a car means to be able to travel more comfortably. Otherwise there would not be another way of moving around certain cities. Nowadays connected cars may face some problems if they are victims of hackers. The main problem is, perhaps, that there is no antivirus to solve those attacks. As we can read on Hipertextual website, according to engineer Charlie Miller, there are two types of attacks: one directed to the multimedia system and the other one focused on the breaks and the car control.

To Miller, the problem starts because of the connection between both systems, since if one can be accessible, the other one can also be accessed. This threat could change our way of pre-warning ourselves when driving in a not very distant future. It’s not just about driving carefully, but to be sure that it’s us who are driving the car.

In the previous post we talked about certain threats of today that were not possible before. It’s true that technology has made things easy, but it’s also true that it has changed a lot of other aspects. For instance: a kid can become rich illegally at the age of 15; if you are famous your privacy can be attacked, or the new fear that your car can be controlled by someone else. As Bob Dylan would say: times are changing.

Original image:

Wednesday, November 2, 2016

Today threats

During the second half of the twentieth century, the world was in constant fear of a possible nuclear war. The atomic bomb made clear the horrible consequences if the two Cold War Blocs surrendered to the temptation of a nuclear war.

Nowadays that fear still remains, but in the world of computer science and cybernetics the attacks may be already happening. Atomic Bombing (AtomBombing) is the name that a group of researchers are using to name the technique of introducing malicious code that would affect PC users. The study, by eSilo, has found out that cyber attackers can use this technique, which is called this way because it uses a Windows function called Atom Tables, to bypass the security systems that would prevent the infection.