Diese Präsentation wurde erfolgreich gemeldet.
Wir verwenden Ihre LinkedIn Profilangaben und Informationen zu Ihren Aktivitäten, um Anzeigen zu personalisieren und Ihnen relevantere Inhalte anzuzeigen. Sie können Ihre Anzeigeneinstellungen jederzeit ändern.

ElevenPaths #CyberSecurityReport19H2 (EN)

365 Aufrufe

Veröffentlicht am

ElevenPaths cybersecurity 19H2 report aims to summarize latest information on cybersecurity (ranging from security on mobile phones to cyber risk, from the most relevant news to the most technical ones and the most common vulnerabilities) while covering most aspects of the field, in order to help the readers to understand the risks of the current outlook.

In this way, the readers will be provided with a tool to understand the state of cybersecurity from different approaches, so they will be able find out its current state as well as to determine short-term trends.

The information here presented is mostly based on the collection and synthesis of internal data that have been contrasted with public information from sources considered to be of quality.

Veröffentlicht in: Internet
  • Als Erste(r) kommentieren

  • Gehören Sie zu den Ersten, denen das gefällt!

ElevenPaths #CyberSecurityReport19H2 (EN)

  1. 1. 2020 © Telefónica Digital España, S.L.U. All rights reserved.Page 0 of 28 CyberSecurity Report 2019 H2 From mobile security to cyber risk, from the most relevant news to the most technical ones and the most common vulnerabilities, this report covers the risks of the current outlook elevenpaths.com CyberSecurity Report 2019 H2
  2. 2. 2020 © Telefónica Digital España, S.L.U. All rights reserved.Page 1 of 28 CyberSecurity Report 2019 H2 CONTENTS RELEVANT INCIDENTS OCCURRED OVER THE SECOND HALF OF 2019.................................................................................. 3 SMARTPHONES................................................................................................................................................................................. 4 Apple iOS........................................................................................................................................................................................ 4 Android........................................................................................................................................................................................... 9 RELEVANT VULNERABILITIES.......................................................................................................................................................12 Vulnerabilities in figures ............................................................................................................................................................13 WHO IS WHO IDENTIFYING MICROSOFT VULNERABILITIES ...................................................................................................17 Methodology...............................................................................................................................................................................17 The Data......................................................................................................................................................................................18 Conclusions .................................................................................................................................................................................19 APT OPERATIONS, ORGANIZED GROUPS AND ASSOCIATED MALWARE ..............................................................................20 CYBER RISK RATING BY SECTOR..................................................................................................................................................22 FINAL SUMMARY ............................................................................................................................................................................27 About ElevenPaths .........................................................................................................................................................................28
  3. 3. 2020 © Telefónica Digital España, S.L.U. All rights reserved.Page 2 of 28 CyberSecurity Report 2019 H2 This report aims to summarize latest information on cybersecurity (ranging from mobile security to cyber risk, from the most relevant news to the most technical ones and the most common vulnerabilities), while covering most aspects of the field in order to help the readers understand the risks of the current outlook. Over the second half of 2019, the key actors have been again some remarkable ransomware attacks −probably because Emotet came back with renewed strength at the end of the year. Although Emotet is the most common input vector, there are many more complex ones intended to perform more complex and selective attacks. In early October, a serious issue on WhatsApp with several peculiarities was discovered. It originated in the code of an open source library of exploitable GIF processing when opening WhatsApp gallery. The execution got all the permissions of the vulnerable application. Later, WhatsApp suffered another serious security problem that allowed code execution on any platform running WhatsApp, just by sending an MP4 file. Following these issues and being aware that they were being performed against very specific targets, Facebook sued the NSO for attacking its users. Regarding spying, during this period it has been known that from May to December 2015 (when they left the company) two Twitter employees (Ahmad Abouammo and Ali Alzabarah) were at the service of Saudi Arabia to spy on dissidents on the platform. They had been recruited in 2014. They accessed private data from more than 6,000 accounts. IP, phone numbers, used devices ... All the data they could get from an account of someone interesting to the government was provided by internal workers thanks to their position. They even closed accounts of dissidents at the government's request. Precisely with the aim of improving privacy, during this period Firefox and Chrome have implemented DNS over HTTPS (DOH) more seriously, since they have applied two different formulas for such implementation. Firefox is more aggressive, while Chrome aligns itself more with ISP’s needs. Furthermore, during this period the group Magecart have kept innovating their attacks. They have attacked both minor and relevant websites. The group has slightly changed the strategy, and in some cases the attacks were performed after entering the delivery details. That was the time when the targets were redirected to a fake website to enter their credit card details. Then, they went back to the website that requested legitimately their credit card details. No matter if you are a cybersecurity professional or enthusiast. It is important that you can follow the rhythm of the relevant news on cybersecurity: What are the most relevant facts currently happening? What is the current outlook? This report will provide readers with a tool to understand the state of cybersecurity from different approaches, so they will be able find out its current state as well as to determine short-term trends. The information here presented is mostly based on the collection and synthesis of internal data that have been contrasted with public information from sources considered to be of quality.
  4. 4. 2020 © Telefónica Digital España, S.L.U. All rights reserved.Page 3 of 28 CyberSecurity Report 2019 H2 RELEVANT INCIDENTS OCCURRED OVER THE SECOND HALF OF 2019 In the following lines we will highlight those news that have had a high impact over this second half of 2019 OpenPGP Disaster A real disaster has happened (according to those affected) in the world of OpenPGP and asymmetric cryptography linked to identity in general. Basic OpenPGP functionalities are being attacked, and it cannot be fixed in the short term. Read more Vulnerability in CTF Tavis Ormandy finds out a relevant vulnerability on CTF. Dozens of commands can be sent through this weak protocol. Ranging from text messages to COM objects with parameters. And to do so, only some data must be sent ... that indeed are totally falsifiable. Read more Malware compiled from victims Malware samples that rapidly compile the payload from the target to avoid downloading the binary and thus bypass detection systems are being found. The interesting point is that they can achieve this thanks to the .NET environment, since most Windows have the necessary compilation tools, even if the target does not have programming environments installed. Read more Vulnerabilities in messaging systems Vulnerabilities do not know about programs, platforms or languages. These days two serious issues have been made public, one in WhatsApp and the other in Signal, two messaging systems with opposite philosophies. Read more and more Code execution in WhatsApp CVE-2019-11931 is not an ordinary issue. It is the second code execution issue in WhatsApp this year. Facebook has barely given technical details but has fixed a serious security flaw that enables code execution on any platform executing WhatsApp by simply sending an MP4 file to a WhatsApp user through instant messaging. Read more Avast is spying on you Mozilla removes four extensions for its Avast Firefox browser (and AVG, which belongs to it) because they breach user privacy. Read more GodLua: malware against DoH GodLua is a malware that exploits DoH (DNS over HTTPS), recently implemented in browsers, and enables name resolution through the browser's own integrated protocol without necessarily going through system resolvers. Read more Facebook key compromised to sign apps Facebook signed one of its apps with a certificate shared with other third-party apps and which were also on Google Play and other markets since 2015. Read more MASAD Clipper and Stealer MASAD Clipper and Stealer (formerly Qulab Stealer) is a malware sold on the black market. It has two very interesting features: on the one hand, it can replace automatically a cryptocurrency wallet from the clipboard with another. On the other hand, it uses Telegram as a command and control. Read more Windows joins DoH Windows aligns itself with DoH implementation and its reasons are really interesting. It implicitly assumes that initiatives such as Firefox’s are not positive (they aim to centralize all DNS in Cloudfare). They believe that the best way to boost decentralization is to universalize DNS, so that the more it is used in a higher number of programs, the more DoH servers there will be and the better the user will be able to choose to split the requests. And what better program than the operating system itself? Read more RSA is walking a tightrope At the First IEEE International Conference in Los Angeles researchers have presented an investigation to assure that RSA keys with reduced computational capabilities could be compromised. They use the well-known Batch GCD attack. Read more Magecart is back Magecart comes back with an overhaul of its strategy. They have managed to infect 17,000 domains thanks to its new formula, based on AWS buckets’ insecurity. Read more Voting against reduction of certificates’ lifetime The main Internet actors (Google, Microsoft, Apple, Mozilla...) and the CAs have already voted whether the lifetime of the TLS / SSL certificates should be reduced (even more), making them to have a maximum lifetime. The result is (again) no. Read more Issue in RealTek Wi-Fi CVE-2019-17666 is a very serious flaw that affects the Linux Kernel, even if it is not a vulnerability itself. The issue is in the Wi-Fi driver of certain components of the well-known brand RealTek: ‘rtlwifi’. Read more Problems with SharePoint Microsoft releases an out-of- cycle patch intended to fix an issue in SharePoint. Read more July August DecemberSeptember October November Ransomware mustn’t be paid The United States Conference of Mayors concluded that ransomware should not be paid at their Annual Meeting, composed of 1,400 mayors of cities with more than 30,000 inhabitants, . After 170 governmental systems attacked since 2013 (22 this year), they have finally joined together in a common speech to agree not to feed attackers. If they are paid, they are boosted to continue attacking. Read more Evolution of fileless techniques Nodersok or Divergent (depending on whether it is told by Microsoft or Talos) has been found out. An excellent example of how fileless techniques are evolving in the malware sector. Read more Ginp attacks Spanish banks Ginp is a new branch of banking malware for Android that is specializing in Spanish banks. Appeared in June, it attacks and mimics apps from relevant banks such as Santander, Evo, Bankia, Kutxa ... Ginp started working in June programmed from scratch, but little by little it has been copying and adding code and functionalities from other malware such as Anubis. Read more
  5. 5. 2020 © Telefónica Digital España, S.L.U. All rights reserved.Page 4 of 28 CyberSecurity Report 2019 H2 SMARTPHONES Apple iOS Remarkable news As we announced in our last edition, Apple finally released version 13 of its iOS operating system on September 19. Three months later it had been announced (June 3) during the annual Apple Worldwide Developers Conference (WWDC). However, if there is noticeable news it is that since now iPad devices will have their own independent operating system (although it is an iOS derivative) called iPadOS. In this version, Apple has focused on user privacy. Regarding the security updates, we point out two brought by iOS 13. Users that upgrade to the new version will notice this, since when an application try to use Bluetooth a system notification will be showed asking the user if they authorize its use. This prevents the user from being tracked through devices called ‘Bluetooth beacons’. These are small transmitters installed in places open to the public (usually, stores)to, through the receiptofaunique code, determine when and how long a user stays in a given establishment. A subtle way to geolocate users and keep track of their shopping habits. Another notable milestone is the release of Apple ID, with options not to share user's email account. In such a case, Apple will create a proxy email account to avoid exposing the user's one. Even with the newly released version 13, a major update was released for iOS version 12 (iOS 13 is only available for iPhone 6S or higher). In particular this is version 12.4, that fixes almost 40 security flaws in various components. Some of these flaws could enable code execution in components such as WebKit (it fully affects Safari) and Core Data. By end August, Apple published a review, the 12.4.1 one, to patch an error in the kernel that would enable arbitrary code execution. An emergency update, out of the usual patch cycle. Following this update, three new reviews were performed over 12.4, 12.4.2, 12.4.3 and 12.4.4; in September, October and December respectively. Again, they fixed occasionally serious vulnerabilities in the form of arbitrary code execution. However, as a curiosity, there are no details of the newsletter corresponding to version 12.4.3 We didn’t have to wait too much to see a new update of version 13: just five days after being released. On September 24 13.1 was released. It fixed more than 20 vulnerabilities, some of them considered of high severity. A patch for a classic type of vulnerability (access to certain system functions and information from the locked screen) was also included. This time, to see the contact list through VoiceOver. Again, 48 hours later an upgrade to the version 13.1.1 was released. On this occasion, however, it was a functional flaw on the restrictions of the Sandboxing functionality, which were not properly applied to some extensions of third-party applications. A month later, the 13.2 version was released with almost 30 patched CVEs. A great update that covered numerous components, including WebKit and the system kernel itself. Patches 13.2.2 and 13.2.3 followed this update, but without any report on security vulnerabilities. Finally, closing this report, on December 10 iOS 13.3 is released with almost 15 patches. More than half of the fixed vulnerabilities enabled arbitrary code execution.
  6. 6. 2020 © Telefónica Digital España, S.L.U. All rights reserved.Page 5 of 28 CyberSecurity Report 2019 H2 Vulnerability evolution in iOS over the second half of 2019 Interestingly, in 2015 and 2017 the number of vulnerabilities was the same: 387. In total, 198 CVEshave beenpatched in the previous half year. Of these, 13 were critical and 6 of them allowed arbitrary code execution. The figures show an increase over the previous semester, thus exceeding the previous periods. Let’s bear in mind that an exploit that allows compromising completely an Apple device is publicly priced at 2 million dollars, according to Zerodium’s exploit acquisition program 27 32 37 112 96 122 387 163 387 125 156 6 14 10 69 50 51 211 78 222 63 13 2007 2008 2009 2010 2011 2012 2013 2014 2015 2016 2017 2018 2019 VULNERABILITIES IN IOS 2019-H2 Vulnerability evolution per year Total Category within 'arbitrary code execution'
  7. 7. 2019 © Telefónica Digital España, S.L.U. All rights reserved. CyberSecurity Report 2019 H2 Page 6 of 28 iOS fragmentation over the second half of 2019 As we can draw from the fragmentation data of this period,the adoption of the current version ofiOSis 66%. Only a pool of just over 12% are installations of versions earlier than 12 and 13 (especially iOS 11 and 10). The oldest device that supports version 13 is iPhone 6S, while version 12 is supported by at least iPhone 5S. Since the latter was released in September 2013, most of Apple's device pool is less than seven years old and, more than half of these, five years or less. As we have already mentioned in previous editions, iOS doesn’t have problems, or at least these are not significant, when it comes to fragmentation of versions. Apple users experience longer support terms on devices. Even when the operating system changes within a little more than a year, relatively old versions of iPhone are usually supported. This greatly favors the diffusion of a new version of iOS and the replacement of old versions. Apple Transparency Report Sometimes, governments need to rely on large corporations to be able to carry out their work. When a threat involves knowing the identity or having access to the data of a potential attacker or a victim in danger, the digital information stored by these companies may be vital for the investigation and avoid a catastrophe. Apple publishes a full six-monthly report on what data governments are askingfor as well as towhatextentand which requests are met. In the following lines, we take a look at some data that we have collected on the activities and requests of governments to the company. Device Requests These are requests from government agencies requesting information on Apple devices such as Apple serial number or IMEI. For example, when law enforcement agencies act on behalf of customers whose devices have been stolen or lost. Apple also receives requests related to fraud investigations: they typically request details of Apple customers associated with Apple devices or service connections. Financial Identifier Requests These requests take place when law enforcement agencies act on behalf of customers who require assistance related to credit or gift cards that have been fraudulently used to purchase Apple products or services. 13% 21% 66% Earlier iOS 12 iOS 13 APPLE IOS FRAGMENTATION 2019- H2 As measured by the App Store 2.915 4.711 8.850 11.457 21.368 121.011 78% 87% 61% 84% 81% 81% Spain Japan South Korea the US Germany Australia AUSTRALIA IS THE COUNTRY THAT REQUESTS THE MOST CUSTOMER DATA ASSOCIATED WITH DEVICES OR CONNECTED TO APPLE SERVICES Device requests and % where Apple provided data
  8. 8. 2020 © Telefónica Digital España, S.L.U. All rights reserved.Page 7 of 28 CyberSecurity Report 2019 H2 Account Requests These requests are related to accounts that may have been used unlawfully or against Apple's terms of use. They are iCloud or iTunes accounts and their holder name, address and even content on the cloud (backup, photos, contacts ...). This is perhaps the most intrusive measure, since Apple provides real private content. China and the United States are the ones that request the most account data. Interestingly, China’s requests are considered 96% of the time, while the United States’ ones "only" 90%. Apple has the power to reject a given request if they consider that there is any formal or substantive defect. It must be kept in mind that Apple, in addition to providing data, can provide “metadata” not directly related to the data. This is not considered as a “met” request although also includes providing information. Account Preservation Requests Under the umbrella of the U.S. Electronic Communications Privacy Act (ECPA), Apple can be asked to "freeze" the data of an account and preserve it for 90-180 days. This is a step prior to requesting access to the account, while legal permission to request data is obtained and in order to prevent the account from being deleted by the person under investigation. Emergency Requests According to the U.S. Electronic Communications Privacy Act (ECPA) as well, it is possible to ask Apple to provide private data from accounts in emergency situations if it is believed that this may prevent a danger of death or serious physical injury to any person. 898 1.415 2.421 3.874 4.695 5.378 64% 88% 80% 77% 81% 85% Spain China the UK Japan the US Germany GERMANY IS THE COUNTRY THAT REQUESTS THE MOST FINANCIAL DATA Financial data requests and % where Apple provided data 99 603 1.056 2.745 15.301 15.666 58% 75% 89% 88% 90% 96% Spain Germany Taiwan Brazil the US China CHINA AND THE US ARE THE COUNTRIES THAT REQUEST THE MOST DATA ON APPLE ACCOUNTS Account requests and % where Apple provided data
  9. 9. 2020 © Telefónica Digital España, S.L.U. All rights reserved.Page 8 of 28 CyberSecurity Report 2019 H2 Interestingly, the United Kingdom wins with 259 accounts requested (although their requests are not always met) followed closely by the United States. The rest of the countries submitted barely dozens of requests which were almost always granted. Is the United Kingdom mainly worried about emergencies and consequently it only requests data in such a case? App Removal Requests These requests can be based on alleged/suspected violations of local law and/or of App Store platform policies. The United Arab Emirates is far and away the country that requests more removal of apps. Followed by China, Vietnam and Russia. On thisoccasion, the United States, very active in the requests for data access in general, disappears completely. The report also examines the data requested by private third parties upon legal request. Up to 243 requests of which Apple has granted 69 accesses to data. Conclusions We could conclude that some governments request "too often" access to data, but also argue that justice may work in a more agile manner in these countries, or that fraud is based more on these locations. Interpretation is free. What does seem clear are some conclusions based on the data: ▪ The interest of the Arab Emirates in removing applications that they consider illegal. ▪ The involvement of the United Kingdom (and the United States, but the United Kingdom only appears in this category) in emergency situations. ▪ The preventive nature of the United States, which submits account preservation requests muchmore often than any other country in the world. ▪ Germany is very involved (again, together with the United States) in financial fraud related to Apple products. ▪ Australia, Germany, the US and South Korea, the countries that request the most personal data. Please note that we have represented those graphs published by Apple itself. It is important to point out that all requests are submitted by batches. For instance, Apple counts the number of app removal requests, and in turn each request may include an undetermined number of apps. The same for account requests and the number of accounts included in the request. When Apple talks about the percentage of granted requests, they are talking about requests, not about specific accounts. For example, Apple receives 10 requests, all of them adding 100 accounts. Later, they state that 90% of those requests have been granted, but we do not know how many individual accounts have been provided. However, the graphs show the total amount against that percentage. Even though it is not an exact exercise, it may give us an approximate idea of the actual amount of data provided. 1 14 20 33 206 259 100% 100% 95% 94% 90% 87% Spain Switzerl… Germany Canada the US the UK THE UK LEADS EMERGENCY REQUESTS Emergency requests and % where Apple provided data 16 46 196 275 94% 0% 99% 0% Russia Vietnam China Arab Emirates ARAB EMIRATES’ STRONG INTEREST IN REMOVING APPS WHICH THEY CONSIDER ILLEGAL App removal requests and % where Apple provided data
  10. 10. 2020 © Telefónica Digital España, S.L.U. All rights reserved.Page 9 of 28 CyberSecurity Report 2019 H2 Android Remarkable news Candies are over. Google changes the name that referred to cake and candy names. Android 9 "Pie" was the last system to have a nickname derived from confectionery. From now that pseudonym will not be used anymore and the versions will be named only by their number. We have Android 10 since September 3. Regarding the updates brought by the new system, it may be highlighted in terms of privacy the management of geolocation permissions per application in the background. This new feature allows a given user to decide if an application can obtain positioning data if it is not running in the foreground. There is no doubt that this will be positively valued by those users concerned about their privacy. A method to generate random MAC addresses by default is added. This enables or makes it difficult to track the device via Bluetooth beacons or Wi-Fi access points. Although there is a method in the developer API so that applications can obtain the actual hardware address of the vendor. Regarding encryption and certificates, since this version the certificates signed with SHA1 are no longer reliable. This means that connections with servers having a certificate signed with this algorithm will be rejected. More new encryption features: the SHA-2 encryption sets based on CBC (Counter-Block Chain), considered less secure than its alternative GCM, are no longer supported. Android fragmentation Fragmentation is still an unfinished business for developers and users in the Android mobile platform ecosystem. Currently, the Android project no longer publishes statistics on the developer portal to show the status fragmentation of versions, so the data available are those from public sources. That is, not contrasted with official sources. In particular, no data is available regarding the introduction of Android 10, a system that is more than three months old. However, we can see how its predecessor, Android 9, still has a little more than 22% share, followed by 8.1, 8.0 and 6.0 with a share around 15% each one. Below the double digit it is stratified between versions 7, 5 and 4. As we can see, older Android terminals refuse to take retirement. This confirms that itis possible toextend the life of a terminal more years than the normal replacement cycle. Nevertheless, in consideration of it there is a risk of using an unsupported operating system. This, from a security perspective, is evident: we are exposed to losing control of the device, as well as of its contents. The impact on our privacy may be equally critical. Vulnerability evolution in Android over the second half of 2019 A total of 463 vulnerabilities for the Google mobile platform have been published. However, some of them only affect certain configurations dependent on the vendor. For example, the CVE-2019-14783 only affects 39,2 14,4 8,7 7,9 5,5 12,1 6,7 1,6 2,4 Pie Oreo 8.1 Oreo 8.0 Nougat 7.0 Nougat 7.1 Marshmallow Lollipop 5.1 Lollipop 5.0 KitKat ANDROID FRAGMENTATION 2019-H2
  11. 11. 2020 © Telefónica Digital España, S.L.U. All rights reserved.Page 10 of 28 CyberSecurity Report 2019 H2 phones of the vendor Samsung N(7.x), O(8.x) and P (9.0). 15 vulnerabilities out of 463 have a base CVSS scoring equal to or greater than 9 along with the possibility of executing arbitrary code. An Android vulnerability is priced at 2.5 million dollars accordingto Zerodium. It must be clarified thatthis price is paid if the exploit can compromise an Android device regardless of the victim. Finally, these prices must be treated with caution, since negotiations between investigators and brokers are not public and final prices are rarely filtered. Vulnerability figures leave no doubt. Android is a fairly popular platform for vulnerability hunters. But it doesn't have to be considered unsecure, it simply gets more traction or attracts more interest due to different reasons, including the reward program and the marketing of exploits. Removal of apps from Google Play During this period, Google Play has removed around 250,000 apps from the market. Every month, between 2% and 3% of them are detected by two or more OPSWAT Metadefender antivirus engines. OPSWAT's biggest source of APKs is its partnership with Telefónica who is constantly submitting most of the new APK and IPA files published on several mobile app markets. The rest of the APKs come from the MetaDefender Cloud community of users submitting files to scan, as well as malware sharing partnerships. 13 125 525 843 611 463 4 70 73 206 84 15 2009 2010 2011 2012 2013 2014 2015 2016 2017 2018 2019 VULNERABILITIES IN ANDROID 2019-H2 Vulnerability evolution per year Total Category within "arbitrary code execution"
  12. 12. 2020 © Telefónica Digital España, S.L.U. All rights reserved.Page 11 of 28 CyberSecurity Report 2019 H2 Malware analysis in Android apps Overall, the OPSWAT’s system has analyzed 3,607,759 unique APKs during the second half of 2019 and has found 356,571 of them infected. Infected files can be grouped into the following types of threats (an APK may be classified into more than one type of threat): 42.432 50.425 36.536 49.359 53.206 29.233 1.091 1.153 992 964 878 454 J A S O N D BETWEEN 2 AND 3% OF APPS REMOVED BY GOOGLE PLAY ARE DETECTED BY TWO OR MORE ANTIVIRUS ENGINES Number of apps removed from Google Play Removals analyzed Removals: two or more detections 1 1 11 22 36 65 327 343 843 1.139 1.230 3.469 3.833 45.858 54.963 99.536 216.166 program ddos joke tool worm miner hacktool exploit virus spyware backdoor pua ransom adware agent unknown trojan WITHIN THE LESS GENERIC CATEGORIES, ADWARE AND RANSOMWARE FOR ANDROID ARE HIGHLY DETECTED Types of threats in infected files (an APK may be in several categories)
  13. 13. 2020 © Telefónica Digital España, S.L.U. All rights reserved.Page 12 of 28 CyberSecurity Report 2019 H2 RELEVANT VULNERABILITIES This section addresses some of the vulnerabilities −maybe not so popular but notable from our point of view− of this second half of 2019. That is, those that must be highlighted for their special relevance or danger. CVE ID TARGET DESCRIPTION SCORING (CVSS V3.0) CVE-2019- 12643 Cisco IOS XE At the end of August a vulnerability in the virtual services container of the Cisco REST API for Cisco Software IOS XE was published. This vulnerability could allow an unauthenticated remote attacker to avoid authentication on a Cisco IOS XE device. The vulnerability is due to an inadequate verification in the authentication service management of the REST API. An attacker could exploit this vulnerability by sending malicious HTTP requests to the affected device. A successful exploit could allow the attacker to obtain the token-id of an authenticated user. This token-id could be used to avoid authentication and execute privileged actions through the virtual service container interface of the REST API on the affected Cisco IOS XE device. https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/ci sco-sa-20190828-iosxe-rest-auth-bypass 10.0 CVE-2019- 1372 Microsoft Azure Stack In August as well, Microsoft published a security newsletter that affected its hybrid cloud computing platform: Azure Stack. The flaw was due to the fact that the buffer size was not correctly verified before copying memory into it. An attacker could make a non-privileged function executed by the user be enabled in the context of the NT AUTHORITYsystem account. This would make it possible to avoid the sandbox. https://portal.msrc.microsoft.com/en-US/security- guidance/advisory/CVE-2019-1372 10.0 CVE-2019- 13917 CVE-2019- 15846 Exim mail server A bad period for Exim. September began with two serious vulnerabilities that virtually handed the system on a plate, since a successful exploitation enabled arbitrary code execution with root permissions. One of them was due to the “sort” expansion operator, the other one to a buffer overflow that occurred during the TLS negotiation with the Exim server. In neither case was it necessary to have a user on the server, so the flaw was particularly critical for one of the “open source” mail servers with more installations. 10.0
  14. 14. 2020 © Telefónica Digital España, S.L.U. All rights reserved.Page 13 of 28 CyberSecurity Report 2019 H2 Vulnerabilities in figures In the following graph you can observe the precise figures representing the vulnerabilities discovered (with CVE and severity assigned). The distribution of CVEs by level of severity (scored according to CVSSv3) is as follows: Top 25 companies with the highest number of CVEs gathered As on other occasions, data here presented must be relativized. This is due to the fact that some vendors have various products that may be candidates for getting a CVE, such as Oracle and its large product portfolio (high dispersion). Conversely, companies with a lower number of products that might get a CVE do have a high concentration of CVE in some products. Examples of this are Adobe with Flash and Reader, that gather a high number of vulnerabilities. We must also highlight that there are shared vulnerabilities. That is, Canonical (synonymous with 0 8 30 153 598 1516 300 1906 826 755 Score 1 2 3 4 5 6 7 8 9 Score 10 VULNERABILITIES Classified by severity 668 609 489 441 440 364 360 321 257 254 229 197 187 171 170 162 148 129 119 118 112 108 92 75 72 Microsoft Google Oracle Adobe Cisco IBM Debian Cpanel Redhat Jenkins Apple Canonical Fedoraproject Qualcomm Linux Foxitsoftware Opensuse HP Gitlab Mozilla Netapp Apache Intel SAP Magento VULNERABILITIES Top 25 vendors by CVEs gathered
  15. 15. 2020 © Telefónica Digital España, S.L.U. All rights reserved.Page 14 of 28 CyberSecurity Report 2019 H2 Ubuntu), Debian, FedoraProject, openSUSE and ReadHat share a high number of binaries and libraries, in addition to the same operating system kernel: the Linux kernel. When they share the same vulnerability or CVE, the relevant patch is distributed among all the vendors, who create a package for their particular distributions. Top 10 the most representative CWEs CWE (Common Weakness Enumeration) is a list of common security weaknesses identified in software products. Similar to the CVE effort to label the specific vulnerabilities found per product, CWE is focused on abstractly defining the security weakness types. This allows direct mapping between CVE and CWE. This list includes the 10 most-assigned CWEs per number of CVE, allowing us to observe the most frequent category of weaknesses occurred over the period analyzed. 795 749 506 465 331 245 228 220 210 190 CWE-79 CWE-20 CWE-200 CWE-119 CWE-125 CWE-284 CWE-89 CWE-787 CWE-416 CWE-352 VULNERABILITIES Top 10 the most representative CWEs
  16. 16. 2019 © Telefónica Digital España, S.L.U. All rights reserved. CyberSecurity Report 2019 H2 Page 15 of 28 Descriptive table of each CWE CWE NAME DESCRIPTION NUMBER CWE-79 Improper Neutralization of Input During Web Page Generation It basically includes the three well-known types of vectors used to perform a Cross-site scripting: Reflected, stored and DOM based 795 CWE-20 Improper Input Validation Generic category that includes errors consisting of an inappropriate or non-existent control of user data input 749 CWE-200 Information Exposure It generally includes compromising sensitive information due to a lack or flaw of controls that could prevent an information leakage from happening 506 CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer It generally includes programming errors where the bounds of a memory buffer are not being controlled, both in reading and writing operations 465 CWE-125 Out-of-bounds Read Highly related to CWE-119, it includes read memory operations exceeding the control bounds of an intended buffer 331 CWE-284 Improper Access control The application does not correctly restrict access to resources. It is a generic category where you can find those flaws related to the lack of an appropriate control or prohibition when third parties can access resources even if they do not have the appropriate permissions 245 CWE-264 Permissions, Privileges and Access Controls It is a generic category including all the flaws related to the permissions and privileges granted to users and processes, as well as to resource access control (in this sense, it is related to CWE-284) 238 CWE-89 Improper Neutralization of Special Elements used in a SQL Command (SQL Injection) Basically, it collects the injection of SQL code in a query string through parameters or data input to the application 228 CWE-787 Out-of-Bounds Write Related to CWE-125, it groups those vulnerabilities that allow writing beyond the designated limits to a reserved buffer region 220
  17. 17. 2020 © Telefónica Digital España, S.L.U. All rights reserved.Page 16 of 28 CyberSecurity Report 2019 H2 CWE-416 Use After Free Failure of memory management over a process. It allows to call an object or reference a heap from a previously freed memory region 210 CWE-352 Cross-site Request Forgery (CSRF) These are those vulnerabilities (usually in a web environment) that cause a lack or defect in the validation of correct requests from a client. That is, an application doesn’t know or cannot distinguish whether the request has come from a legitimate action of given a user, or if it is a request maliciously created and triggered by a user from a site controlled by an attacker 190 Conclusions Again, and this is not surprising, there are vulnerabilities that show a lack of control over the limits of writing/reading of buffers, poor management in the memory free up or lack of filtering in the requests or parameters from the user. Vulnerabilities continue to grow. The exploit market continues to rise. With this outlook, it is difficult to consider a different scenario. Industrialization in the search for security flaws in systems and applications has created a perfect ecosystem for the discovery of new vectors and new tools. Despite even the adoption of new languages (Go, Rust ...) that allow to obtain a more adequate memory management, better tooling and new libraries that give a leading role to security, it is still too early to experience a noticeable improvement in this sense. Without a doubt, an effect that will take much longer than desired; and even then, new paths and ways will be discovered to compromise a system.
  18. 18. 2020 © Telefónica Digital España, S.L.U. All rights reserved.Page 17 of 28 CyberSecurity Report 2019 H2 WHO IS WHO IDENTIFYING MICROSOFT VULNERABILITIES Who finds more vulnerabilities in Microsoft products? What percentage of vulnerabilities are discovered by Microsoft, other companies or vulnerability brokers? How many flaws have unknown discoverers? Over this report we have analyzed the data of the last three and a half years with the aim of understanding who fixes what in the world of Microsoft products as well as the severity of these flaws. Thanks to this report we will gain an interesting insight into who really investigates Microsoft products, reports them in a responsible manner, as well as how many vulnerabilities are attributed to someone and how many are not (which might suggest that they are discovered by attackers). On the second Tuesday of each month, Microsoft publish their traditional security patches in a single package to update Windows. Such update fixes a number of CVEs or vulnerabilities. However, this has not been always the case. For many years, they published bulletins hiding several CVEs, usually grouped by product. For many years, Microsoft have incorporated in their Security Development Lifecycle practices an audit of their own code with the aim of improving their security. We wished to know exactly how many security flaws are found by the company over their internal audits to get an idea not only of how much Microsoft contribute to the improvement of their products in terms of security, but also of how much the rest of usual ‘bug hunters’ of the industry do it. Methodology We have performed a very simple analysis. We have collected and processed all the information of attributed CVEs during the second half of 2019. The source of information has been mainly the following webpage: https://portal.msrc.microsoft.com/en-us/security- guidance/acknowledgments These are the attributed vulnerabilities (that is, the ones reported by a given identifiable user, either individual or company). During this period, we have analyzed 390 attributed vulnerabilities. From all of them, we have extracted their severity through the NIST’s official CVSS. Nevertheless, these figures do not represent the total number of flaws discovered. Actually, we have also considered those flaws thatwere not directly attributed. We understand that most of these flaws may come from vulnerabilities found in 0-days or under other circumstances where the author is not known and the vulnerability has not been reported anonymously. In such cases, Microsoft do not attribute the finding to anyone in particular. This difference between attributed and ‘non-attributed’ vulnerabilities (which is not the same as ‘anonymous’) is represented in the following chart.
  19. 19. 2019 © Telefónica Digital España, S.L.U. All rights reserved. CyberSecurity Report 2019 H2 Page 18 of 28 From the credits, we have extracted the company that found the vulnerability.If there wereseveral discoverers, we have considered only the one that appeared in the first place in order to make the calculations simpler and since we understand that the one who reported them first is shown as the main analyst. While this might be inaccurate, it results in the simplest formula. Moreover, we have considered two flaws found by the Hiper-V team as discovered by Microsoft. From that point, we have performed different calculations to analyze who contributes more and better to improve the security of Microsoft products, in a responsible manner. The Data Qihoo is the company that has discovered the most vulnerabilities in Microsoft products in 2019-H2 Qihoo is undoubtedly the company that most collaborates in the reporting of vulnerabilities in Microsoft products: they report over 20% of the flaws. Around 23% of the flaws found inMicrosoft products are reported by the category ‘other’, which includes small companies that do not usually report, or freelance analysts. The third position is for Microsoft, since they detect more than 12% of their own flaws. Google finds 9% of the flaws. Special mention deserves Trend Micro’s Zero Day Initiative, a private initiative that acts as a broker of vulnerabilities. Experts can join this program and will be paid for the vulnerabilites found in exchange for transferring them to ZDI, which will report them in a responsable manner to the vendors. This initiative is the most popular formula: 16% of vulnerabilities reported to Microsoft (ranking second after Qihoo). 0 20 40 60 80 100 120 140 160 2016 2017 2018 2019 NOT ALL VULNERABILITIES COME FROM ATTRIBUTED SOURCES Number of vulnerabilities (Attributed and Non-Attributed) during 2019 H2 Attributed Non-Attributed
  20. 20. 2020 © Telefónica Digital España, S.L.U. All rights reserved.Page 19 of 28 CyberSecurity Report 2019 H2 Qihoo and ZDI report more vulnerabilities, but less severe If we correlate both values (severity and number), we observe that although Qihoo finds indisputably more than any other vendor, they move within a range of gravity lesser than that of Microsoft. Those reported by Google, which finds almost the same number of flaws as Microsoft, are usually of similar severity. Conclusions During the second half of 2019, Qihoo and ZDI have led the discovery of vulnerabilities in Microsoft products: they have reported 20% and 16% of the vulnerabilities, respectively. Around 23% of the vulnerabilities are reported by the category ‘other’, which includes small companies that do not usually report, or freelance analysts. The third position is for Microsoft, since they detect more than 12% of their own flaws. 7% of vulnerabilities were not attributed to anyone in particular. We can conclude that most of the vulnerabilities found in Microsoft, of severity around 7, are found by four main actors: Qihoo, ZDI (which includes freelance analysts), Microsoft and Google. Also striking is the significant decrease of non-attributed vulnerabilities (found in anon-responsible manner). From 25% in 2016 to 9% in 2019, which implies a better vulnerability management, precisely through platforms such as ZDI, where researchers are rewarded and encouraged to report vulnerabilities in a responsable manner. 2 2 2 2 2 2 2 3 3 3 4 4 4 4 4 5 6 7 9 10 35 48 65 79 90 McAfee Viettel University of Birmingham Polar Bear ING Hyundai CyberArk iDefense Diffense Preempt Alibaba Cisco Palo Alto Netflix Suresh C kdot Tencent NCC Check Point Qi An Xin Google Microsoft ZDI Qihoo Other QIHOO DISCOVERS THE MOST VULNERABILITIES IN MICROSOFT PRODUCTS Distribution among the discoverers of the 397 vulnerabilities in 2019-H2 Qihoo ZDI Microsoft Google Qi An Xin Check PointNCC Tencent 0 10 20 30 40 50 60 70 80 90 6,5 7,0 7,5 8,0 8,5 QIHOO AND ZDI REPORTS MORE VULNERABILITIES, BUT LESS SEVERE Vulnerability distribution by scoring and by discoverer (the size of the bubble is proportional to the number of vulnerabilities discovered during 2019 H2)
  21. 21. 2019 © Telefónica Digital España, S.L.U. All rights reserved. CyberSecurity Report 2019 H2 Page 20 of 28 APT OPERATIONS, ORGANIZED GROUPS AND ASSOCIATED MALWARE In this section we will go over the activity of those groups that are supposed to have performed APT operations or noteworthy campaigns. We point out that the authorship of this kind of operations, their structure as well as the origin and ideology of the organized groups is highly complex, so it must not be, by definition, entirely reliable. This is due to the anonymity and deception capacity inherent in this kind of operations. This way, actors may use the means to mishandle information in order to hide their actual origin and purposes. It is even possible that in certain cases some groups adopt other groups’ modus operandi, so that they can divert attention and undermine them. Significant APT operations detected over the second half of 2019 Winnti Although it has been operating since 2010, the Chinese group Winnti has typically aimed at software developers in general and video games developers in particular. They are believed to have institutional support from the Chinese government, although this does not exclude that they may have an economic purpose as well. The group has been monitored and analyzed by a group of ESET experts, who have published an extensive research on the operations of that group. It must be highlighted the use of obscuring techniques once they have got in an organization, such as the use of a Microsoft SQL server used as a backdoor. FIN7 or Carbanak We have talked about this group before: FIN7 (also known as Carbanak), especially when news broke in general media on the arrest of its alleged leader in Spain. During this period, experts from FireEye have detected the use of two new techniques used by thisgroup: BOOSTWRITE, a dropper with the ability to decrypt embedded payloads withouthavingto touch the disk by downloading an encryption key from a server of control. The other new component, RDFSNIFFER, is a module for BOOSTWRITE, specifically designed to attack the RDFClient process of Aloha Control Center Client. This software is used in payment terminals of NCR Group. As we see, it is a group that continues to focus on attacking the financial sector. Together they are new techniques, but with a known base: fly below the radar line of antiviruses. It is necessary to avoid detection and extend the lifespan of each infection in order to maximize the benefits that an attack may report. APT41 Another of the major actors currently. APT41 strengthens ties with groups such as Winnti or BARIUM, previously mentioned −especially due to their the modus operandi and the use of some common techniques and tools. In fact, many of APT41's targets are the same as Winnti, such as video game developers. FireEye has followed the steps of this group's operations by drafting a history in a detailed report. It describes the techniques used and how the resources they extract from their victims are exploited, such as, for example, the theft of valid certificates for malware signature; a
  22. 22. 2020 © Telefónica Digital España, S.L.U. All rights reserved.Page 21 of 28 CyberSecurity Report 2019 H2 way that simplifies the installation of implants on the operating systems of the group's targets. These techniques: take advantage of the resources from a software developer, etc., is known as ‘supply chain compromise’. It includes attacks and exploitation of victims' resources that allow or facilitate the task of spreading and installing malware under the control of this type of organized groups. APT41 is believed to come from China and is well-known for the large amount of malware they produce. Up to 46 types of different families and almost 150 tools such as backdoors, keyloggers or rootkits have been identified. Lazarus The name of this group is linked to an operation known as "Sony Pictures hack". The group, attributed to North Korea and active since 2009, has been identified as the responsible for an attack on an Indian nuclear power plant. The facts were notified by the technical managers of the plant to the Indian CERT on September 4. In particular, the detection of malware in the administrative department of the Kudankulam Nuclear Power Plant (KKNPP). That is, it was not detected within the networks of the control systems of the plant. The malware detected, named DTrack and thoroughly analyzed by the Russian Kaspersky, would be responsible for collecting information from infected computers, as well as for network traffic and keylogging. The attack can be considered an approach with the aim of monitoring and learning more about energy production (strategic resource). Although the control networks are isolated from the rest of the networks, the administrative network has information about maintenance dates, messages, data, etc. Vital information for the preparation of more planned attacks on control networks.
  23. 23. 2020 © Telefónica Digital España, S.L.U. All rights reserved.Page 22 of 28 CyberSecurity Report 2019 H2 CYBER RISK RATING BY SECTOR We have used the BitSight Security Ratings Platform to set out a security comparison between industries. BitSight measures the security performance of a company based on externally-observable data. Instead of evaluating the existence of policies, rules and controls, BitSight rates the effectiveness of any controls and policies based on these non-intrusive external measurements. Evidence of compromised systems, file sharing, diligence and disclosed breaches all are factored into BitSight’s algorithm, with each company receiving a daily rating from 250 to 900 indicating the security posture of each company. Using BitSight’s data, we have been able to distil relevant information on the security practices undertaken by the European industrial sector, and also compared to Spain, as you can observe in the following examples. Data on infections detected and neutralized (by economical sector) The following figures show the average number of effective days from threat detection to its neutralization by the organization (grouped by affected economical sector), for both Europe and Spain.
  24. 24. 2019 © Telefónica Digital España, S.L.U. All rights reserved. CyberSecurity Report 2019 H2 Page 23 of 28 Food production 11,17 Food production 9,63 Manufacturing 7,83 Manufacturing 5,93 NGO 2,99 NGO 5,59 Health 5,08 Health 5,38 Aerospace/Defense 5,94 Aerospace/Defense 3,15 Engineering 5,78 Engineering 8,75 Service management 6,05 Service management 6,81 Transport 5,47 Transport 4,95 Media/Entertainment 4,92 Media/Entertainment 4,87 Tourism 6,53 Tourism 4,15 Education 2,89 Education 2,77 Technology 4,97 Technology 4,16 Energy/Resources 5,05 Energy/Resources 4,46 Real estate 4,91 Real estate 8,74 Trading 6,56 Trading 6,76 Government 3,96 Government 3,62 Consumption goods 2,97 Consumption goods 3,34 Finances 3,73 Finances 3,60 TBD 4,20 TBD 3,78Telecommunications 3,94 Telecommunications 4,13 Legal 2,74 Legal 3,33 Insurance 5,25 Insurance 3,42 2019-H1 2019-H2 SECURITY PRACTICES IN EUROPE Average number of effective days needed by an European company to fix a malware threat (grouped by sector).
  25. 25. 2020 © Telefónica Digital España, S.L.U. All rights reserved.Page 24 of 28 CyberSecurity Report 2019 H2 Media/Entertainment 1,00 Media/Entertainment 1,00 Engineering 8,06 Engineering 25,21 Technology 4,57 Technology 2,14 Tourism 8,51 Tourism 4,11 Transport 5,23 Transport 6,00 Manufacturing 5,60 Manufacturing 2,90 Health 17,18 Health 1,69 Aerospace/Defense 4,00 Aerospace/Defense 2,92 Public services 2,64 Public services 6,20 Service management 8,25 Service management 17,02 Finances 6,39 Finances 5,94 Food production 4,66 Food production 5,47 Consumption goods 6,30 Consumption goods 3,43 Telecommunications 2,55 Telecommunications 2,60 Trading 2,98 Trading 10,80 Energy/Resources 2,88 Energy/Resources 3,20 Insurance 2,56 Insurance 1,75 2019-H1 2019-H2 SECURITY PRACTICES IN SPAIN Average number of effective days needed by a Spanish company to fix a malware threat (grouped by sector).
  26. 26. 2019 © Telefónica Digital España, S.L.U. All rights reserved. CyberSecurity Report 2019 H2 Page 25 of 28 The following graph compares the response time between Spain and Europe over the second half of 2019 (grouped by sector). This means that, for instance, in the European engineering sector they need about 9 days on average to neutralize athreat, while in Spain they need about 25. The 25 families of malware and infections detected in Europe The 25 malware families affecting most systems in Europe are detailed below, as well as their increase compared to the previous scoring. 0,00 10,00 20,00 30,00 Transport Trading Tourism Telecommunications Technology Service management Media/Entertainment Manufacturing Insurance Health Food production Finances Engineering Energy/Resources Consumption goods Aerospace/Defense COMPARISON DETECTION- NEUTRALIZATION BETWEEN SPAIN AND EUROPE OVER 2019-H2 (BY SECTOR) In average number of days Europe Spain 0 10.000 20.000 30.000 40.000 AndroidBauts Conficker Conficker.C Cooee Coudw Gamarue Gamut GinkgoSDK Gozi HummingBad Necurs Nymaim Powmet PrizeRAT Ramnit Rerdom Sality SimpleLocker SpeesiPro Triada Uupay ZeroAccess Zeus Ztorg Zusy EVOLUTION OF THE 25 MOST AGGRESIVE MALWARE FAMILIES IN EUROPE Increase (orange) or decrease (blue) experienced from 2019-H1 to 2019-H2 (measured on infected systems)
  27. 27. 2020 © Telefónica Digital España, S.L.U. All rights reserved.Page 26 of 28 CyberSecurity Report 2019 H2 The 25 families of malware and infections detected in Spain The 25 malware families affecting most systems in Spain are detailed below, as well as their increase compared to the previous scoring. 0 1.000 2.000 3.000 Gamarue AllSharezDownloader Conficker GinkgoSDK Ramnit Sality Zeus SpeesiPro Uupay Powmet PrizeRAT Zusy Bondat Triada Conficker.C Nymaim Necurs Gozi Bifrose RootSTV ZeroAccess BHProxies Rerdom Conficker.A SimpleLocker EVOLUTION OF THE 25 MOST AGGRESIVE MALWARE FAMILIES IN SPAIN Increase (orange) or decrease (blue) experienced from 2019-H1 to 2019-H2 (measured on infected systems)
  28. 28. 2020 © Telefónica Digital España, S.L.U. All rights reserved.Page 27 of 28 CyberSecurity Report 2019 H2 FINAL SUMMARY During this second half of the year, 198 CVEs for iOS have been patched. 13 were critical and 6 of them allow arbitrary code execution. The figures show an increase over the previous half year, thus exceeding the previous periods. Australia is the country that requests the most customer data associated with Apple devices or connected to Apple services; Germany, the one that requests the most financial data, while China and the US information on accounts. The Arab Emirates have submitted 275 app removal requests, but no request has been granted. A total of 463 vulnerabilities for Android have been published. 15 of them with a base CVSS score equal to or greater than 9, together with the possibility of executing arbitrary code. During this period, Google Play has removed around 250,000 apps from the market. Every month, between 2% and 3% of them were detected by two or more antivirus engines. During the second half of 2019, Qihoo and ZDI have led the discovery of vulnerabilities in Microsoft products: they have reported 20% and 16% of the vulnerabilities, respectively. Around 23% of the vulnerabilities were reported by the category ‘other’, which includes small companies that do not usually report, or freelance analysts. The third position was for Microsoft, since they detected more than 12% of their own flaws. 7% of vulnerabilities were not attributed to anyone in particular. Conficker goes down but remains, according to BitSight, one of the most aggressive threats detected in all sectors. In Spain, the sectors "Service management" and “Trading” are the ones that take the longest to fix an infection.
  29. 29. 2020 © Telefónica Digital España, S.L.U. All rights reserved.Page 28 of 28 CyberSecurity Report 2019 H2 About ElevenPaths At ElevenPaths, the Telefónica’s Cybersecurity Unit, we believe in the idea of challenging the current state of security, since security constitutes a feature that must be always present in technology. We are continuously redefining the relationship between security and people, with the aim of developing innovative products capable of renovating the concept of security. Thanks to this, we stay a step ahead of attackers, that are increasingly present in our digital life. 2020 © Telefónica Digital España, S.L.U. All rights reserved. Information contained herein is owned by Telefónica Digital España, S.L.U. (“TDE”) and/or by any other entity within Grupo Telefónica or their licensors. TDE and/or any other entity within Grupo Telefónica, or TDE’s licensors, reserve all industrial and intellectual property rights (including any patent or copyright) derived from or applied to this document, including its design, production, reproduction, use and sale rights, unless such rights have been expressly granted to third parties in written form. Information contained herein can be modified at any time without prior notice. Information contained herein may not be totally or partially copied, distributed, adapted nor reproduced by any means without prior and written consent of TDE. This document is only intended to assist the reader in the use of the product or service herein described. The reader is committed and required to use information herein contained for their own use and not for any other purpose. TDE shall not be liable for any loss or damage derived from the use of the information herein contained, for any error or omission in such information, or for the unappropriated use of the service or product. The use of the product or service herein described shall be regulated in accordance with the terms and conditions accepted by the user. TDE and its trademarks (or any other trademarks owned by Grupo Telefónica) are all registered trademarks. TDE and its subsidiaries reserve all rights over these trademarks.

×