
Archive for the 'Innovation' category

Full disclosure vs. responsible disclosure: the next chapter


Author: David Barroso

The eternal discussion between full disclosure and responsible disclosure has a relatively new arena: critical infrastructure protection (CIP). From time to time, the best way of reporting a vulnerability to a manufacturer is discussed all over again. A procedure that satisfies both sides (the one who finds the vulnerability and the manufacturer) has not been institutionalized yet. There are all kinds of choices, none of them clearly more successful than the others: acknowledging the researcher's help (e.g. Microsoft), paying a certain amount of money (Google), or simply using a company that acts as a broker and pays for the vulnerabilities (e.g. iDefense VCP or TippingPoint ZDI). But the truth is that these methods don't work; the best example happened last year with the vulnerability that Tavis Ormandy discovered in Windows. That case proves the need for some type of procedure that pleases all sides.

Unfortunately, some manufacturers still don't consider security essential to keeping their users out of risk (ZDI's list of unpatched vulnerabilities is quite illustrative). On the other hand, some researchers also think that manufacturers have to meet their demands immediately, even resorting to extortion. There have always been attempts to proceduralise vulnerability reporting: from the well-known RFP procedure, through an IETF attempt, the Responsible Vulnerability Disclosure Process, which ended up becoming the basis of the Organization for Internet Safety procedure, to the No More Free Bugs initiative promoted by several researchers. In critical infrastructure protection we are now witnessing what happened elsewhere some years ago: after trying to do things right and realising that it often doesn't work, we come across positions like Digital Bond's, whose vulnerability reporting policy is as simple as "we'll do what we like", because they have had enough of seeing how manufacturers, after incidents such as Stuxnet or the vulnerabilities found by Dillon Beresford, don't seem to react, not even when ICS-CERT is involved (the manufacturer can even report you).

At the end of the day, what really matters is how much each manufacturer cares about handling and coordinating these incidents (communication with researchers and companies), because, if we have finally realised that none of the global vulnerability reporting policies works, it is the manufacturer's task to define its own policy, one that pleases both sides. For instance, Mozilla, Barracuda, Google, Facebook and Twitter have already done so. Not all of them pay for the vulnerabilities found; some of them simply acknowledge the help.

In short, prevention is better than cure: all large firms should run a clear, published policy about the vulnerabilities that third parties find in their products, services or simply their websites, and they should also recognise the work of the people who collaborate positively in improving network security.

I know where you have been…


Author: Carlos Plaza

On the Internet, many features that were designed for doing "good" end up being used for doing "evil" when we talk about security and privacy.

For example, the fact that an HTTP request includes information about screen size, browser version and language, available fonts, etc. was intended to allow websites to customize the layout or the localization of the content being served.

However, this information is also used to fingerprint devices in order to track users.
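To see why those harmless-looking attributes add up to a tracking identifier, here is an added example (not code from the original post) that estimates, in bits, how identifying a device profile is from per-attribute frequency tables. The frequency tables, the profiles and the floor probability for unseen values are constructed assumptions, not real measurements.

```javascript
// Added example: how identifying is a set of browser attributes?
// SAMPLE_FREQUENCIES are CONSTRUCTED toy values (assumed), not real statistics.
const SAMPLE_FREQUENCIES = {
  screen:    { "1920x1080": 0.30, "1366x768": 0.25, "1440x900": 0.10, "2560x1440": 0.05 },
  language:  { "en-US": 0.40, "es-ES": 0.08, "de-DE": 0.06, "fr-FR": 0.05 },
  userAgent: { "Chrome/120": 0.45, "Safari/17": 0.15, "Firefox/115": 0.10 },
  fonts:     { "default-set": 0.50, "default+office": 0.20, "custom": 0.02 },
};

// Surprisal of one attribute value: -log2(probability).
// A value missing from the table is treated as rarer than anything listed
// (floor probability): an unusual value is the most identifying case.
function surprisalBits(table, value, floor = 0.001) {
  const p = table[value] !== undefined ? table[value] : floor;
  return -Math.log2(p);
}

// Sum the surprisal of every attribute in a profile, assuming the attributes
// are independent (a rough upper-bound estimate). Attributes without a
// frequency table are ignored rather than guessed.
function fingerprintBits(profile, tables = SAMPLE_FREQUENCIES) {
  let bits = 0;
  for (const [attr, value] of Object.entries(profile)) {
    if (!(attr in tables)) continue;
    bits += surprisalBits(tables[attr], value);
  }
  return bits;
}

// Bits needed to single out one user among `population` users.
function bitsToIdentify(population) {
  return Math.log2(population);
}

// True when the profile carries enough bits to be unique in that population.
function isLikelyUnique(profile, population, tables = SAMPLE_FREQUENCIES) {
  return fingerprintBits(profile, tables) >= bitsToIdentify(population);
}

// Constructed profiles: a common configuration versus an unusual one.
const COMMON_PROFILE = { screen: "1920x1080", language: "en-US", userAgent: "Chrome/120", fonts: "default-set" };
const RARE_PROFILE   = { screen: "3840x2160", language: "eu-ES", userAgent: "Firefox/115", fonts: "custom" };
```

The same attributes that let a site pick a layout give a common profile only about 5 bits, but an unusual screen, language and font set reaches nearly 29 bits, enough to single a visitor out of a population of a million.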

In the same way, the familiar feature of displaying visited and unvisited links in different colours has been used for "history stealing": for example, a dubious website includes a list of links and, with JavaScript, checks the colour of those links to find out whether you have visited any of them.

This way, that site can learn "interesting things", such as which banks you have visited, in order to target a phishing attack.

There are even companies that sell products or services to be used by web developers for history stealing (BeenCounter), or companies that want to know whether a visitor to their website has previously visited other sites with information about the company (Tealium).

This feature has been exploited to compromise user privacy in a sophisticated way, as researchers at Stanford University recently published: a deep study of an online tracking company that checks whether the user has visited any of a list of more than 15,000 links, carefully segmented into categories such as group purchases, home appliances, cars, or even sensitive information such as health or financial issues.

And what user protection is available?

Browsers such as Firefox have included in their recent versions a fix to protect against history stealing, although there is never a 100% guarantee that attackers will not be able to circumvent the protection (for example, by using background images for visited links instead of JavaScript). In fact, it took several years of discussion in the Mozilla community to choose a mechanism, since there was no clear option to eliminate the attack without affecting other functionality.

So it is not a bad idea to use some free add-ons, such as Ghostery or other tools that prevent tracking and block the execution of scripts from blocked trackers, or NoScript to selectively block or allow scripts. And, of course, to configure your browser to delete the history when you close it.

The FCC plans the PSTN's extinction


Author: Ignacio Berberana

While looking for information about other issues (specifically about "small cells") in the presentation from the last session of the Technological Advisory Council (TAC) of the American telecommunications regulator, I came across recommendations such as that the FCC (available here) should set a date for the extinction of the switched telephone network. This will probably lead to a consultation that enables an orderly death, taking into consideration matters such as the supply of service to those users for whom the PSTN is currently the only available choice, the emergency call systems, or the impact on market competition (some operators, like AT&T, have been promoting the PSTN's end for several years).