Is it easier to attack a company via a remote connecting worker? Why?

Not quite. Currently, almost all companies of a certain size provide employees with work tools such as secure platform laptops, VPNs for remote connection to the intranet, remote access protection, remote access infrastructures, etc. All this means that a company that is already prepared to work remotely will not have any variation or loss of security in its remote access policies. At most, when many unintended workers work remotely, you may have some performance, connection speed, or bandwidth issues. The problem occurs when the company has not previously defined remote access policies, practices, and methodologies for teleworking and is currently facing a multitude of employees accessing its intranet from abroad. Haste and lack of preparation can and often create situations of insecurity and even chaos, leading to malfunctions, denials of service and even unforeseen security vulnerabilities, which will put you in a dangerous situation. Security policies and architectures must be prepared in advance and tested in advance, just as making decisions or legislating on impulse is never a good idea. Medium and small companies are much worse prepared for this change and put themselves in more vulnerable situations at the technical and organizational level, depending on insecure and heavy access programs, depending in many cases on personal computers in the teleworker’s home to connect to their remote jobs. This is indeed a security risk for them since the level of security will depend on the security configuration of the employees and not on the corporate security policies.

We usually associate teleworking with good access to the management platform and intranet, but what other aspects do we have to take care of?

Teleworking is associated with many technical and organizational aspects within the structure of a company. Creating good planning for this new capacity is necessary to implement good policies, compliance regulations, standards, management and operating regulations, privacy policies, human resources policies, support structures, etc. It is not something banal that can be organized in a couple of days and affects many organizational and technical aspects. It is very important to take all this into account when implementing efficient and safe remote work policies, which also continue to meet all regulatory and legal requirements. In addition there is the secure access infrastructure that allows sustaining all of the above in an efficient, redundant and reliable way. If all this has been taken into account, the truth is that teleworking today is a great solution to improve our quality of life and work, reconcile work and family and not agglomerate the population around large cities, in addition to lowering production costs for companies.

What would be the best solution? What must be provided to the worker?

The best solution is planning and organization as I already mentioned. If the worker is provided with the necessary access and control tools, safety and efficiency problems are avoided in most cases. A well-configured laptop, platform by the company and equipped with the necessary programs and utilities to do the job well, will only depend on a good VPN-type remote access and a good access speed both for the employee’s internet access and for the width of the company’s access band. This allows using the same platforms, tools, programs, devices as if we were inside the facilities. On the other hand, it allows us to hold conferences, person-to-person or group videoconferences with different employees and departments. In general, in corporations the work changes little when it is executed remotely than locally. In small and medium-sized companies it is usually different and it is not prepared for this type of structural changes, although they can be adapted normally if they do not depend on production environments, such as manufacturing, machines, warehouses, products, etc.

From the worker’s point of view, what measures do you have to take? Especially if you work with your own teams

The worker is not responsible in any case for providing the security or the necessary infrastructure for remote access, especially when this situation has not been contracted with the company. The latter must not provide the access platform, or even their own personal equipment for the development of their work, unless they were freelance or self-employed. A similar situation occurs when employees use their laptops within the intranet or even their own smartphones in many cases. Safety planning should always start with the company and never with the employee.

The post Cybersecurity in remote work appeared first on Yago Hansen CV.

How would you summarize the main keys of the technological solution that they propose.

One of the most important, most private and most protected types of personal data by fundamental rights, by international laws and by private organizations must always be that of a health nature. A pandemic, which is a threat that we have previously faced, although now in a fully digital era, is not sufficient reason to modify this fundamental right of each individual. Justifying the benefits of digitizing everything is not enough reason to renounce inalienable rights that protect us from digital totalitarianism.

Faced with this type of news, I face the two faces of technology, the one that affects me as an individual and the one that affects me as an expert hacker in cybersecurity.

The one that affects me as a person, obliges me to protect at all times the integrity of private data about any other common interest. The common interest should not be achieved by forcing the renunciation of the fundamental rights of each citizen.

As a hacker, I think that everything must be analyzed, all the information must be verified before deciding to use it as the basis of a project of this size. All sources must be questioned and any project must be thoroughly tested before being published.

Looking at the case as a project that aims to help society in the face of the dangers of COVID-19, I think that it would not benefit us so much to live wondering if any person to whom we have been exposed, is the neighbor of the next door, or the dealer of food delivery, or anyone who passes me in the supermarket … may be infected. It does not seem so useful to me, nor do I think it solves too many health problems, although it will, however, force us to grow in paranoia, hatred or suspicion of others. Has it been studied what this would bring to society at the health or psychological level? What if the app constantly detects a positive when I’m at home … maybe a neighbor?

What do you think Google and Apple can contribute if local initiatives such as Singapore or South Korea have not arrived, which have received so much praise?

First of all, as I indicated earlier, when a project of this size is carried out, we can build on the famous initiatives “that have been so successful” in totalitarian countries, as the basis of the virtues for this project. But that means that we now take for “verified and totally valid information” the censored information we receive from these countries regarding the benefits of their digital systems in controlling the epidemic.

And now it turns out that this is “verified information for us”, when we cannot even confirm in a certain way the number of affected, deceased or the real impact of the digital surveillance data of citizens in the fight against the pandemic within these countries. . Therefore, if the foundations that justify this project fail, the project itself is questionable, especially when it comes from digitally totalitarian countries.

Currently the developers, Apple and Google indicate that the user through an official APP of each government would enter the data of being positive in COVID voluntarily and personally. But the legal, privacy and regulatory framework are constantly changing and who guarantees that this does not change in a while and that the government itself enters this data through the health system from the COVID tests of its hospitals and health centers? Recall that this information about Apple and Google that we handle today was already prepared weeks / months ago by manufacturers and that by chance the Spanish regulatory framework changed days ago preparing for this technology.

Do you think that it is possible by pulling the bluetooth and not the GPS to offer an effective tracking of these contacts?

Technically it is. Bluetooth also offers close location technologies that can be related to the GPS of the smart device. We must not forget that it is already geolocated constantly on smartphones by Google and Apple, something that already allows them to constantly obtain the location of any individual. This initiative cannot be valued as something unique and independent. The information obtained can always be added to other sources, such as the real-time geolocation of the devices. If I already have a record of a user’s location, day after day, hour after hour, minute and minute, second after second … I can contrast, compare this information with any other, such as bluetooth to add data that will allow it soon discourage her. Example: I have a list of anonymous mobile identifiers that have passed by me today. Tomorrow I do the same tour again, I bump into the same or similar people and also collect information from anonymous identifiers. On the third day, I do the same, but he informs me that I have stumbled upon a COVID positive. Logically I can mentally identify who it could be. On a digital level, for large companies such as these, it is even easier to de-anonymize the information, since they have enough information to compare this local database with other more powerful ones, such as geolocation of devices by common places, etc.

With the information they have published, can it be assumed that the data is really private and not?

It is difficult to affirm that something determined is private today. Technology indicates that the information stays for fourteen days on each person’s device, until a positive is entered in the application.

This technology is not a simple application but a major modification to the Bluetooth stack of Google’s Android and Apple’s iOS-based operating systems. It is implemented through updates on the phones and not a simple APP that we install, which gives the device full control over what is done, what is collected, what is stored or what is sent. It is a radical change in technology and as such is dangerous.

I have always defended the idea that what today is private, protected or encrypted data does not mean that tomorrow it cannot be converted, through technology or cybercrime, into public and accessible data. A database encrypted with a encryption type of ten years ago can easily be broken today to decrypt and extract your information. Therefore, when handling such private or confidential data, we cannot think from a short-term point of view.

What if another application (such as a gaming APP) accesses the information saved by this protocol and sends it to your cloud, in addition to using your own geolocation of the game to add more data? There would be a risk of data leakage that would have nothing to do with Google or Apple, but that occurs on their devices.

¿Cuáles son las principales dudas que te genera?

Moxie Marlinspike, uno de los principales criptógrafos prácticos actuales y desarrolador del sistema de cifrado de Whatsapp afirma que hay graves dudas de seguridad en este planteamiento. Se podría, desde atacar al sistema generando falsa información, denegar el servicio impidiendo que funcione correctamente, o generar falsos positivos impidiendo que los datos sean fiables y útiles .

Personalmente dudo de las bondades de este sistema, además de la seguridad del mismo en su aplicación real. Además este tipo de tecnologías son muy “fáciles” de implementar pero resultan, por experiencia, difíciles de desimplementar. Si de verdad es una solución provisional para este caso de alarma, se debería dejar claro que se desimplentará definitivamente tras la alarma.

The post Privacy and COVID-19 appeared first on Yago Hansen CV.

This is my first post inside yagohansen.com blog. I wish to thank you to visit my personal website and to show interest in my profile and career. I decided to create this profile website because I really don’t feel so comfortable with social networks, even using professional ones like LinkedIn or Twitter. It seems a better chance to me to create my own space where I can handle the most important events, experiences, facts, opinions, etc. I will try to keep it updated with all the new stuff I will do in my life.

Diariodeunhacker.com was a website about hacking and cybersecurity that I created and managed many years ago. As I could not continue with the project because I was too busy, I decided to bring it back to life in some way now.

Thank you again, and have a good day!

The post Hello world! appeared first on Yago Hansen CV.