Tag: security

  • Basic Security Recommendations in Development

    A few days ago, while reading a tweet on X, I came across someone who reported that all their cryptocurrency had been stolen from their wallet. This person is technically knowledgeable (they work professionally in IT), meaning they should never have experienced a security issue at this level. In this tweet (which you can see below), they explain step by step what happened and how we can avoid the same fate:

    Although the thread focuses primarily on crypto (cryptocurrencies and digital trading), as always, I like to consider problems from multiple perspectives. I realized this is an issue that could affect others, too—and if this wake-up call can inspire some security improvements for everyone, that’s even better…

    Summarizing the extensive thread (which I highly recommend reading in full), a browser extension (for the Cursor development interface) managed to access the .env file, transmitted the user’s private key to the attacker, and the attacker drained the wallet in just a few hours. The loss was minor (only a few hundred dollars), but this incident demonstrates how even the most cautious can fall victim to supply chain attacks.

    It’s true that storing secrets in .env files is a common practice; however, nowadays, for applications handling highly sensitive credentials, it’s recommended to use a secure vault solution, such as:

    • HashiCorp Vault (open source)
    • AWS Secrets Manager
    • Google Secret Manager

    These systems allow secure storage of credentials and generate temporary, encrypted tokens for access—so that an attacker can only obtain a limited token, not critical credentials.

    Another key principle of any secure development system is “environment separation”: that is, maintaining fully separate environments for development, testing, and production (and any parallel systems for quality assurance, additional testing, etc.).

    This means each environment must have different access authorizations so that developers—or anyone else involved—never have direct access to production configuration data.

    So, summarizing these recommendations:

    • Do not store secrets in .env files.
    • Verify the authenticity of software authors and any extensions you use.
    • Use cold wallets exclusively for significant funds.
    • Audit extensions regularly.
    • Separate your working environments to enhance security.
    • Monitor systems regularly.

    I’ve always said that “security is the opposite of convenience.”

    We usually aim to simplify users’ lives, but once we add “security,” that simplicity often becomes “inconvenience.” Like needing to open an OTP app in addition to entering your credentials—that’s not supposed to be easy.

    Still, those of us working on the frontline developing solutions sometimes need to take more security measures—and tolerate greater discomfort than usual—for the sake of both the project at hand and other projects within the company.

    Whenever someone secures their systems with just a username and password, I’m reminded that:

    • Most people reuse their passwords across some—or all—services…
    • Some services have already been compromised, exposing usernames, passwords, etc. (e.g., via haveibeenpwned.com) …
    • An encrypted password can be decrypted in a short time…

    So, if you ever wonder, “should I do this to enhance security?”—the answer is always YES. Better to err on the side of paranoia than to have something stolen… especially since the ultimate goal is to avoid ending up in a situation like that poor guy experienced. Right?

  • How to quickly add a watermark to your ID or identification document

    It is clear that sending a photo of our ID to anyone over the internet is a bad idea: we run the risk of it being stolen, copied, or ending up in the wrong—or a stranger’s—hands, where someone could impersonate us, authorize transactions, or carry out illegal activities on our behalf.

    Unfortunately, there are procedures that require us to submit data from our ID, so it’s better to use a black-and-white photo with some of the information pixelated and a watermark indicating its authorized use.

    It might seem like something any photo editing application could handle, but there have been times when I needed to send an ID immediately and didn’t have time to add a watermark.

    For this reason, I have created a tool to add a watermark to photos of our ID, passport, or any other identification document, featuring several interesting characteristics:

    • First and foremost: No image is ever shared; all editing is done using JavaScript in your own browser, making it completely secure.
    • It allows you to edit, censor, pixelate, or crop any part of the image you need, so you can conceal portions of your identification document.
    • You can fully customize the watermark: add any text you want, select the font, size, thickness, the number of times it appears, the color of the watermark, its opacity, etc.
    • This will generate your own modified image, ready to be shared with all the changes you have made.

    The tool is available at: https://sinologic.net/proyectos/watermark/

    If it suits you, feel free to bookmark it for whenever you need it.
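As an added illustration of the in-browser, no-upload processing described above (example code written for this page, not the watermark tool's own source), the following pixelates one rectangle of an image by block averaging on raw RGBA data, the same layout the browser's ImageData.data uses; the 8x4 sample image and the rectangle coordinates are constructed here:

```javascript
// Added example (not the tool's own code): client-side pixelation of one
// region of an image. `data` is RGBA bytes in the layout ImageData.data
// uses, so in a page you call ctx.getImageData(), pass .data here and write
// it back with ctx.putImageData(); nothing is uploaded anywhere.
function pixelateRegion(data, width, height, rect, blockSize) {
  if (!(blockSize >= 1)) throw new RangeError('blockSize must be >= 1');
  // Clamp the requested rectangle to the image bounds
  const x0 = Math.max(0, rect.x), y0 = Math.max(0, rect.y);
  const x1 = Math.min(width, rect.x + rect.w), y1 = Math.min(height, rect.y + rect.h);
  for (let by = y0; by < y1; by += blockSize) {
    for (let bx = x0; bx < x1; bx += blockSize) {
      const bx1 = Math.min(bx + blockSize, x1), by1 = Math.min(by + blockSize, y1);
      // Average RGB over the block; each block becomes one flat colour, so
      // only blocks at least as large as a glyph remove its shape.
      let r = 0, g = 0, b = 0, n = 0;
      for (let y = by; y < by1; y++) for (let x = bx; x < bx1; x++) {
        const i = (y * width + x) * 4;
        r += data[i]; g += data[i + 1]; b += data[i + 2]; n++;
      }
      r = Math.round(r / n); g = Math.round(g / n); b = Math.round(b / n);
      for (let y = by; y < by1; y++) for (let x = bx; x < bx1; x++) {
        const i = (y * width + x) * 4;
        data[i] = r; data[i + 1] = g; data[i + 2] = b; // alpha untouched
      }
    }
  }
  return data;
}

// Constructed 8x4 test image: left half opaque red, right half opaque blue.
function sampleImage() {
  const width = 8, height = 4, data = new Uint8ClampedArray(width * height * 4);
  for (let y = 0; y < height; y++) for (let x = 0; x < width; x++) {
    const i = (y * width + x) * 4;
    data[i] = x < 4 ? 255 : 0; data[i + 2] = x < 4 ? 0 : 255; data[i + 3] = 255;
  }
  return { data, width, height };
}

// Read back one pixel as [r, g, b, a] for inspection
function pixelAt(data, width, x, y) {
  const i = (y * width + x) * 4;
  return [data[i], data[i + 1], data[i + 2], data[i + 3]];
}
```

With a 4-pixel block spanning the red/blue boundary the block collapses to a single purple; with 2-pixel blocks the boundary survives, which is why the block size matters when hiding text.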

  • What is Matrix messaging, and why should we not confuse it with the Matrix protocol?

    A few days ago, we woke up to the news that the National Police, together with Europol and other security forces, had carried out an operation in Marbella. They searched several homes and seized hundreds of thousands of euros in cash and cryptocurrencies. But the most striking detail was that they had dismantled a mobile phone repair workshop that specialized in fixing and modifying phones so they could communicate in a completely encrypted and secure manner—exactly the kind of service criminals seek to avoid detection. The tool they installed on these phones is called “Matrix,” an application that not only enabled encrypted calls but also allowed users to connect to the internet while concealing their trail through a network of up to 40 servers.

    The first thing that crossed my mind when I saw the newspaper headline was the protocol I learned about at ElastixWorld 2014 (Colombia) from Matthew Hodgson himself. He had explained the security advantages and potential uses of the protocol they were developing. Without reading the full article, I jumped to the conclusion that some clever individuals had used the Matrix protocol to communicate in such a way that European law enforcement agencies couldn’t intercept them. Nothing could be further from the truth. Shortly afterward, on the BlueSky network, the great Fred Posner and others set me straight. Although they share the same name, these two things are very different.

    What is the Matrix messaging service?

    On one hand, the Matrix messaging service is what criminals were using to communicate anonymously and what has now been taken down. This service also goes by other names such as Mactrix, Totalsec, X-quantum, and Q-safe. It had over 8,000 accounts worldwide, with each user paying between €1,300 and €1,600 in cryptocurrencies to acquire a modified Google Pixel phone that included this service.

    What is the Matrix protocol?

    The Matrix protocol is a decentralized, secure communication protocol that allows end-to-end encrypted exchange of messages, files, and both voice and video calls among its users. Unlike centralized platforms, Matrix is based on a federated architecture, where multiple independent servers (instances) communicate with each other. This gives users greater control over their data and the ability to choose which server will host their account.

    It’s essentially like a “Mastodon for communications,” where you can have your own server and connect to the Matrix network so that others can talk to you, call you, or even send files and much more.

    Although it is a secure system, this is not the system that was shut down. It’s important to emphasize that it’s still fully operational, completely legal to use, and every day more and more people rely on it.

    If you want to learn more about Matrix (the good one), I suggest you take a trip to FOSDEM 2025 and get to know the RTC community. There, you can find out more about this and many other interesting protocols that are free, open, secure, and fantastic for everyday use.

  • The CNMC suffers an attack and 2 billion mobile phone line owners’ data records are leaked

    According to a note issued by the Audiencia Nacional, the CNMC (National Commission for Markets and Competition) has just suffered an attack on its servers, resulting in the leaking of data from more than two billion mobile phone line holder records in Spain. (There are currently around 60 million active mobile lines, so the remaining data presumably correspond to former subscribers and numbers that were still in the CNMC’s possession.)

    Over 240GB of data have been stolen and, as the CNMC was the target, it is considered that national security has been compromised. As a result, the case now falls under the jurisdiction of the Audiencia Nacional and has been classified as a cyberattack offence.

    For Judge María Tardón, it is too early to determine what purpose the perpetrator or perpetrators might have pursued with this action. However, she stated: “What is already clearly evident, even at this initial stage of the investigation, is that we are dealing with a massive cyberattack against an entity whose position within the State’s structure and essential role, as described, represents a serious and undeniable institutional breach. This is particularly significant in such a sensitive and critical area for normal operations, namely ensuring the proper functioning, transparency, and effective competition across all markets and productive sectors, to the benefit of consumers and users.”

    I was personally unaware that the CNMC held personal data on mobile line owners (I had thought that only the mobile operators had this information), but if that is the case, it could be one of the largest data breaches of the year. The attackers’ motivation remains unknown.

    More information: https://www.poderjudicial.es/cgpj/es/Poder-Judicial/Noticias-Judiciales/La-Audiencia-Nacional-investiga-un-ciberataque-masivo-contra-la-CNMC-que-supuso-la-exfiltracion-de-datos-de-titulares-de-telefonia-movil

  • If you use GDMS, update your credentials.

    Yesterday, we received a message from Grandstream notifying us that they have detected “suspicious activity” on the GDMS servers. As a result, they are advising all users of this platform to update and change their passwords as soon as possible.

    Specifically, the notice they sent is as follows:

    Officially, there is no confirmation of any attack or data leak from Grandstream. The notice appears to be more of a precautionary measure rather than a response to a confirmed issue. However, from our perspective, it is crucial to update the passwords for all SIP systems registered on GDMS.

    As dictated by basic cybersecurity practices, passwords should be changed every few months. Therefore, this is an excellent time to put this into practice, change them, and reset the counter.