Seguridad

We evaluate the hardware security level of the smart locks, disassembling one and analyzing the elements that make it up We got our hands on a Yale Linus smart lock, one that you can operate from your smartphone, so we thought it was an excellent opportunity to practice many of the hardware hacking concepts and IoT security testing methodologies we have seen here in the past. Over the following few articles, we will walk through the security assessment process of smart locks and tell you our conclusions. Obtaining information for hardware analysis of smart locks The existence of design flaws [...]

En la era de la digitalización, las ciudades están evolucionando rápidamente hacia modelos más inteligentes y sostenibles. Descubre cómo las innovaciones en alumbrado, conectividad y gestión de residuos están transformando nuestro entorno urbano para un futuro más brillante y eficiente.   Descubre cómo podemos implantar estas soluciones en tu ciudad     1.- Alumbrado inteligente y seguridad   Las ciudades modernas están adoptando sistemas de alumbrado inteligente que se adaptan al entorno. Estos sistemas detectan automáticamente la presencia de peatones o ciclistas y ajustan la intensidad de la luz según sea necesario. Además, pueden alertar a los conductores sobre peatones [...]

The vulnerability CVE-2023-4863 is found in the open source Libwebp library and affects browsers such as Mozilla, Chrome and Edge On September 6th, 2023 Apple Security Engineering and Architecture (SEAR) and The Citizen Lab at the University of Toronto reported a critical vulnerability affecting an image compression library used in Chromium and other software solutions that support WebP images. WebP is an image format that offers superior lossless and lossy compression for images on the Web. Thanks to WebP, developers and webmasters have the ability to generate more compact, high-quality images, which leads to a significant improvement in the loading [...]

ENISA has developed a framework to help companies implement the best practices in cybersecurity for AI The company Worldcoin, created by the founder of ChatGPT, has made an AI system designed to differentiate humans from robots once Artificial Intelligence becomes ubiquitous. A question long imagined by literature or audiovisual culture and which is becoming more and more real every day. To do so, they need to scan people’s eyeballs. This news shows that Artificial Intelligence systems already have enormous data on citizens and companies. Therefore, companies developing AI systems and their suppliers must implement good AI cybersecurity practices to prevent [...]

OWASP has published a ranking of the top vulnerabilities in LLM applications to help companies strengthen the security of generative AI If one technology has captured the public’s attention so far this year, it is undoubtedly LLM applications. These systems use Large Language Models (LLMs) and complex learning algorithms to understand and generate human language. ChatGPT, OpenAI’s proprietary text-generative AI, is the most famous of these applications, but dozens of LLM applications are already on the market. In the wake of the rise of these AIs, OWASP has just published version 1 of its Top 10 LLM application vulnerabilities. This [...]

Artificial Intelligence is set to revolutionize our economy and way of life. But… What are the AI security risks? What literature or movies raised as a possibility for decades has become today, a tangible reality. Artificial Intelligence is already part of our lives. It has become one of the significant issues of this era in the heat of Machine Learning or generative AI, so much so that Artificial Intelligence is set to change our productive fabric and how we live. But what are the security risks of AI? In recent years, and especially in 2023, various organizations have increased their [...]

El entorno actual, basado en la conectividad entre personas y dispositivos, ha abierto la puerta a nuevas amenazas en forma de ciberataques. El sector retail no es una excepción. No se trata solo de proteger los datos de los clientes, sino de garantizar la integridad de todo el ecosistema empresarial.   Solicita asesoramiento experto en retail   En un mundo cada vez más digital, ser proactivo en lugar de reactivo puede marcar la diferencia entre el éxito y el fracaso. Los puntos de venta son verdaderos tesoros de datos sensibles, desde información de tarjetas de crédito hasta preferencias de compra [...]

El último sábado de marzo de cada año se celebra en todo el mundo “La hora del planeta”. En esta jornada se invita a ciudades de todo el mundo a apagar las luces y aparatos eléctricos que no sean imprescindibles. Así, se impulsa la concienciación de la necesidad de tomar medidas frente al cambio climático, la contaminación y el desperdicio energético.   Descubre cómo podemos ayudarte   «La hora del planeta» es una gran iniciativa, pero ¿y si te dijera que está en nuestras manos hacer que los beneficios de esa jornada se convirtieran en un hecho habitual cada día [...]

OWASP SAMM is a model that helps companies assess their software security posture and implement a strategy to optimize it The Lace Tempest ransomware group, notorious for using Cl0p for extortion, has staged one of the most notorious and damaging cyberattacks in 2023 by exploiting a vulnerability in MOVEit Transfer software. This solution allows automated file transfers for sensitive data and is used by thousands of companies worldwide. As a result, cybercriminals have managed to attack energy companies, pension funds, insurance companies or public administrations in North America and Europe in sensitive areas such as education or health. This attack [...]

NIST Cybersecurity Framework v2 focuses on the importance of governance and supply chain in reducing security risks At the speed of the world moving today, enormous transformations can occur in less than a decade, especially in a field as dynamic as cybersecurity. That is why the National Institute of Standards and Technology (NIST), a U.S. government agency, has just made public the draft of version 2 of its Cybersecurity Framework, which saw the light of day in 2014. For the past nine years, this tool has been used by thousands of companies and cybersecurity experts around the globe to undertake [...]

DevSecOps is a model that enables software development companies to integrate security throughout the software lifecycle When do software applications need to be secured? The answer may seem obvious, but it is important to stress it: always. Or, to put it another way, throughout its entire life cycle, from the time the solution is first conceived until it is withdrawn from the market. This is what an increasingly relevant practice in the software development sector seeks to achieve: DevSecOps. According to OWASP, a genuinely global benchmark in developing cybersecurity methodologies, the DevSecOps approach aims to «detect security problems (by design [...]

CVE-2023-35082 is a critical vulnerability that allows access to APIs in older versions of MobileIron Core Ivanti is having a tough time as another critical vulnerability has been reported after the latest incident. This time, it’s the CVE-2023-35082 vulnerability, which affects older and unsupported versions of MobileIron Core. MobileIron Core is an unsupported product used for managing mobile devices such as phones and tablets. CVE-2023-35082 allows unauthenticated attackers to access the API in older versions of MobileIron Core (11.2 and earlier). This means a cybercriminal could gain access to API endpoints on the exposed management server without the need for [...]

CVE-2023-35078 is a critical vulnerability that allows access to restricted functionality of Ivanti mobile management software A new critical vulnerability has been discovered in Ivanti Endpoint Manager Mobile (EPMM), formerly known as MobileIron Core. This vulnerability, identified as CVE-2023-35078, affects all supported versions, including versions 11.10, 11.9, and 11.8. Older versions are also at risk. Ivanti Endpoint Manager Mobile (Ivanti EPMM) is mobile management software that allows companies to manage mobile devices, applications, and content. CVE-2023-35078 is an authentication bypass vulnerability in Ivanti EPMM that allows unauthorized users to access restricted functionality or resources of the application without proper authentication. [...]

SSVC is a system that helps to analyze vulnerabilities to make decisions that prevent security incidents and contain their consequences The BBC, British Airways, the US Department of Energy, PwC, and Shell are some organizations affected by successfully exploiting a vulnerability in the MoveIt file transfer software. These companies and public administrations have dealt with data breaches and the theft of confidential customer and employee information. This massive attack highlights the importance of detecting, analyzing, and mitigating IT vulnerabilities in the companies’ infrastructure. To help them in this complex task, companies, public institutions, and cybersecurity companies have indicators such as [...]

Advanced persistent threat groups seek to access critical information and destabilize companies in critical sectors and public administrations The era of the cautious and silent spies that John le Carré portrayed for posterity in novels such as The Spy Who Came in from the Cold ended with the end of the Cold War. Today, espionage occurs in the digital world through advanced persistent threats launched by state-sponsored cybercriminal groups that wish to obtain information from governments, companies, and foreign media or destabilize other countries. Two advanced persistent threat campaigns launched by a Chinese and a North Korean group have become [...]

On July 18, 2023, Citrix released information and updates to address a critical vulnerability (CVE-2023-3519) in NetScaler ADC and NetScaler Gateway.  This vulnerability allows unauthenticated remote code execution on affected systems. In addition, two other vulnerabilities, Cross-Site-Scripting (CVE-2023-3466) and elevation of privilege (CVE-2023-3467), have been patched in the updates. Citrix NetScaler ADC is an Application Delivery Controller built to optimize, manage and protect Layer 4 to Layer 7 (L4-L7) network traffic. Although no specific details about the vulnerability have been published, it has been known that it is being actively exploited, so an urgent update of the affected assets is [...]

El entorno tecnológico en el sector minorista es mucho más complejo de lo que podría percibirse a primera vista. Como partner tecnológico, trabajamos con varios clientes de retail, desde cadenas de distribución hasta tiendas de moda, y hemos desempeñado un papel fundamental en su proceso de digitalización.   Solicita una propuesta personalizada   En el sector retail nos encontramos con una diversidad de elementos interconectados y de naturaleza heterogénea, como balanzas inteligentes, tótems de turnomatic, selfcheckers, TPVs, PDAs y etiquetas electrónicas. Esta variedad implica que abordar las particularidades y requisitos de conectividad de cada uno de estos componentes. En este [...]

The OWASP API Security Top 10 highlights the top vulnerabilities in application programming interfaces Few acronyms are more relevant to explain the digitization of our world than API. Behind these three letters lies the concept of Application Programming Interfaces. These application programming interfaces are specifications or rules that facilitate communication between different applications. APIs define and protocolize how one software interacts with another. As a result, APIs have become vital elements in developing new software and the connection between applications. The role of APIs in the development world has attracted cybercriminals, making them the target of attacks. This is why [...]

Companies must detect emerging vulnerabilities affecting their assets and anticipate the actions of cybercriminals In May, Barracuda, a company specializing in security solutions for corporate mail and networks, made public that some of its 200,000 customers worldwide have been attacked as a consequence of the exploitation of a zero-day vulnerability in its email security gateway since October 2022. Criminals exploited this unknown vulnerability to deploy backdoors, gain persistence on compromised systems and steal data from companies and administrations. A few weeks earlier, Google had released a new version of its browser, Chrome, to patch another zero-day vulnerability exploited by hostile [...]

Las empresas de todos los tamaños y sectores se enfrentan a la amenaza constante del cibercrimen. Para ayudarte ante este escenario, contamos con una solución que incluye todo lo necesario para conectar y proteger a tu organización.   Descubre ahora Fibra Segura+   Desde su lanzamiento en 2016, Fibra Segura ha sido una solución FTTH muy popular entre las empresas. Cuenta con una conexión simétrica con respaldo 4G, conmutación automática, un panel de monitorización avanzada y soporte técnico ágil y cercano. Con la opción de Fibra Segura Dual, las empresas pueden incluso disfrutar de otra línea FTTH como respaldo automático, [...]

On June 19, 2023, Fortiguard published the information and updates to fix a critical vulnerability (CVE-2023-33299) in its FortiNAC software, which can allow an unauthorized access on affected systems through the deserialization of untrusted data in the network service on port 1050/TCP. FortiNAC defines itself as a zero-trust access solution that oversees and protects all digital assets connected to the enterprise network. It can be provided as a hardware appliance or as a virtual machine. Between its use cases, this solution can: Perform inventory management, providing visibility over the assets connected to the network, classifying and monitoring them. Identifies security [...]

CVSS v4 expands the focus on the issues to be taken into account when assessing IT vulnerabilities and making decisions to remediate them Even today, many people are still unaware that a cyber-attack has direct consequences for the companies and individuals affected by it. To the extent that security incidents affecting sectors such as industry or healthcare can compromise people’s physical safety and even cause fatalities. CVSS v4, the new version of a key indicator when assessing the severity of known vulnerabilities, pays attention to this issue, including several metrics that pay attention to the safety of human beings. However, [...]

MITRE ATT&CK is a framework that systematizes hostile actors’ tactics, techniques, and procedures If the Allies succeeded in carrying out a massive landing like Normandy, it was mainly because Nazi Germany could not anticipate the tactics and techniques they put in place to get thousands of soldiers to take control of the coastline of this French region. When fighting an enemy, it is essential to have information about their strategies and procedures to shape one’s own and improve resilience to attack. It is precisely this information that MITRE ATT&CK dissects, a framework that compiles the main tactics, techniques, and sub-techniques [...]

BlueTrust is a Bluetooth vulnerability that allows information about devices and users to be obtained and trust relationships to be traced BlueTrust is a mechanism for discovering trust relationships between Bluetooth devices discovered by Tarlogic, which allows tracing networks of devices and obtaining information about their usage and users. In the previous post about BlueTrust, a Bluetooth vulnerability, we presented the research conducted by the Tarlogic Innovation team and the proof of concept that resulted from it. In this article, we continue detailing how the Bluetooth vulnerability works and the steps that have been necessary to implement it. BlueTrust relies [...]