There’s no cloud, it’s just…

By now, everyone knows what the cloud is. Many of our readers probably have hosted services in the cloud or projects underway to migrate to it. That is because, while it has changed significantly since Salesforce started with its SaaS in 1999, it’s a model that, as we know it today, has been around for well over a decade.

It is true that the number of players has grown significantly, processes have been consolidated, the number of services has increased (and continues to do so), and new standards, organizations and certifications linked to this new paradigm have appeared (and continue to do so); but, with more or less detail, we are now coming to understand what this “cloud” thing is all about.

And perhaps the problem is that “we are now understanding” or “with more or less detail”, because it is clear that, always generalizing, there is still a long way to go in the adoption and integration of purely cloud practices, and of course, in the implementation of the secure cloud. And that is precisely the idea of this series: to start from that “more or less detail” to gradually increase the degree of depth.

Supplier Management. Between Deming’s principles and those of the European Union

Undoubtedly, all of you will know the famous American statistician William Edwards Deming, a strong advocate of the need to transform American industry in the last third of the 20th century, who at the same time developed a prosperous and influential professional career during the reconstruction of post-WWII Japan.

In all likelihood, most of you will be familiar with Deming’s “14 Principles of Total Quality,” the fourth principle of which states that:

Don’t award business based on price; minimize total cost by having single suppliers on long-term relationships of loyalty and trust

In other words, something like: “end the practice of doing business based on price; instead, minimize total cost through a few suppliers based on long-term relationships built on loyalty and trust.”

Naturally, a principle is a fundamental idea that should govern a thought or behavior … which does not mean that it is possible to put it into practice at all times and under all circumstances!

Source: Melián Abogados
Evading web blocks by using a web server on a port forwarder written in Go

After his last dispute (https://www.securityartwork.es/2018/02/26/evadiendo-av-shellter-tambien-sysmon-wazuh-i/), Pepote decided to rehire Pepito, who at heart was a good worker. But before that, Pepote took a couple of precautions, such as blocking web pages with “hacking” content that could make it easier for Pepito to perform improper actions.

Pepito accepted, but still holds a grudge from the time he was in prison, so on his first day on the job he is already trying to find ways to carry out malicious actions against his boss. (Already from here it smells like a promising and cordial working relationship, but that’s for another day).

Business Continuity Plan: before and after COVID-19

The current pandemic situation caused by the infamous COVID-19 (or Coronavirus) is impacting all areas of society: the first and most important, that of public health and the individual’s inherent primary survival instinct. Probably, the second concern is the economic impact that, as a worker or as an entrepreneur, the epidemic is causing in the operations and forecasts of companies and corporations of any sector and nature.

But the world does not stop … and organizations cannot afford to stop their business operations either!

Illustration 1: Source: Ejército de Tierra

China: From culture to conflict in cyberspace

Since the US cybersecurity consultancy Mandiant published its famous report on APT1 in 2013, showing its links with different agencies presumably associated with the Chinese government, news about China’s actions in cyberspace has increased significantly.

Among others, we find APT15, APT27 or Winnti Group (APT41); the US DoJ’s allegations of cyber espionage against five Chinese military officers associated with the APT1 group; the links that the FBI has established between Zhu Hua and Zhang Shilong and APT10; or the alleged link between PLA (People’s Liberation Army) Unit 61398 and APT1.

Russia and its well-known operation against the DNC aside, China has become the main actor in cyberspace, carrying out countless operations against all kinds of sectors: IT, the military and naval industries, and various governmental organizations. Sometimes it uses more sophisticated malware, sometimes less, but increasingly with its own hallmark, linked to its long tradition.

Guide to Assessing Your Organization’s Internal Cybersecurity Readiness in 2020

Today’s post is authored by Robert Mardisalu, co-founder & editor of TheBestVPN.com, a computer security professional, privacy specialist and cybersecurity writer.
He has written for many insightful blogs that help readers to think beyond the surface.


Every new year presents new cybersecurity issues and challenges for organizations. Skimming through the latest cybersecurity statistics will show how much of a threat cyberattacks pose. Handling information means you are charged with ensuring its availability, confidentiality and integrity against attackers, and with being ready for the threats it may face.

In order to determine whether your organization is prepared to face these threats, you need to assess its cybersecurity readiness. This guide will help you do just that.

What Recent Supply Chain Attacks On IOTA and Monero Can Teach Us About Blockchain Security

Today’s post is authored by Stefan Beyer, CEO @ Cryptonics, Blockchain Consultant and Smart Contract Auditor. If you are interested in learning about blockchain technology, we recommend checking out the recently created Cryptonics Academy. Please enjoy.


A False Sense of Security

Blockchains are protected by complex mathematical protocols and by decentralization. Cryptographic primitives, such as digital signatures and hashing, are used to verify transaction authenticity and the integrity of the data stored on the blockchain. It is only through these primitives that the concept of digital ownership can be secured. Decentralization makes it incredibly hard for an attacker to gain sufficient control over a blockchain to alter transaction history or apply censorship.

This means that blockchains are quite secure at the protocol level. Although there are confirmed incidents of protocol-level breaches, such as 51% attacks, these are relatively rare and confined to smaller blockchains. Nevertheless, digital assets represented on blockchains are stolen on an alarmingly regular basis, even from large established networks.

In a recent article, we already identified smart contracts as a significant risk vector. In this article, we look at two recent high-profile attacks in order to highlight hidden dangers in the security of supporting systems, dangers that allow attackers to sidestep the sophisticated cryptographic defense mechanisms that blockchain protocols provide. This type of attack is typically called a supply chain attack, as it targets less secure parts of a project’s supply chain.

The 5 Most Common Smart Contract Vulnerabilities

Today’s post is authored by Stefan Beyer, CEO @ Cryptonics, Blockchain Consultant and Smart Contract Auditor. Please enjoy.


Smart contracts are hard to get right. Their three main properties, the ability to hold value, transparency, and immutability, are essential for them to work. However, these properties also turn smart contracts into a security risk and a high-interest target for cybercriminals. Even without deliberate attacks, there are plenty of examples of funds getting stuck and companies losing money due to smart contract bugs and vulnerabilities.

Over the last two years, we have audited the smart contracts of more than 40 projects here at Cryptonics. The contracts audited include different types of asset tokenization, insurance policies, decentralized finance platforms, investment funds, and even computer games. We have observed certain trends in the types of vulnerabilities that we usually encounter, and some issues seem more common than others. In this article, we will describe the five most common issues we detect in our daily auditing activities.

The Importance of Server Hardening – Part 2. Hardening the Server

(Editor’s note: this post was originally published in the Spanish version of Security Art Work on 4th July 2019)

Today we publish the second of three articles courtesy of Jorge Garcia on the importance of server hardening. You can find the first one here: The importance of server hardening – I


All right, we have the mission of hosting an online commerce web application and offering it to the world on a server that we own. Our goal is to make it as impregnable as possible at all levels. Since it is a web application, it is foreseeable that the main attack entry vector will be vulnerabilities in the application itself. Really, let’s not fool ourselves: every CMS is a sure candidate for severe vulnerabilities. The scheme of how the platform will be organized is the usual one on a virtual server:

Therefore, the issue is to choose a CMS with these premises:

  1. That it is actively developed and supported by a large community of developers or by a large company. This ensures that when a vulnerability is published, it is quickly corrected.
  2. That the installed CMS is the latest available version of a branch that has support, and that it is expected to continue having it for quite some time. Do not forget that, since we do not have a development environment at home, updates or migrations mean a loss of service, which in turn means a potential loss of money.
  3. That it is compatible with the operating system of the server that we have. A consideration that is obvious but important.
  4. That its history of critical vulnerabilities is as short as possible. A CMS that is actively developed and has good support, but that on average has a critical vulnerability discovered every week, is neither viable to maintain nor safe to use.

The fight for privacy

The post, next week.

Own text. Original comic strip by RaphComic. Modified with permission.