La futura versione del kernel Linux 6.13 include una patch che rielabora l’algoritmo per trovare il checksum CRC32C. La nuova implementazione ha permesso di ridurre la quantità di codice di circa dieci volte, da 4546 byte a 418 byte.

La riduzione del numero di operazioni e l’ottimizzazione della logica del loop hanno comportato un notevole aumento della velocità, particolarmente evidente quando la protezione retpoline contro gli attacchi Spectre era disabilitata.

Pertanto, sui processori AMD Zen 2 si registra un aumento delle prestazioni fino all’11,8%, su Intel Emerald Rapids – 6,4% e su Intel Haswell – 4,8%.

Con la protezione retpoline abilitata, l’effetto dell’ottimizzazione è ancora più pronunciato: le prestazioni su Intel Emerald Rapids aumentano del 66,8%, su Intel Haswell del 35,0% e su AMD Zen 2 del 29,5%.

In precedenza, CRC32C utilizzava 128 loop, il che aumentava significativamente la quantità di codice. Poiché i moderni processori supportano l’esecuzione di istruzioni fuori ordine, il numero eccessivo di istruzioni di salto all’interno dei cicli è diventato un ostacolo all’ottimizzazione.

Nella nuova implementazione, il numero di iterazioni è stato ridotto a quattro, il che ha ridotto significativamente la quantità di codice e allo stesso tempo ha migliorato la velocità dell’operazione.

L'articolo Linux 6,13 Performance Boost: La Nuova Patch di Porta Vantaggi Incredibili! proviene da il blog della sicurezza informatica.

Introduction

Organizations often rely on a layered defense strategy, yet breaches still occur, slipping past multiple levels of protection unnoticed. This is where compromise assessment enters the game. The primary objective of these services is risk reduction. They help discover active cyberattacks as well as unnoticed sophisticated attacks that occurred in the past by doing the following:

• Tool-assisted scanning of all endpoints;
• Host and network equipment log analysis;
• Threat intelligence analysis, including darknet search;
• Initial incident response to contain discovered threats.

In this article, we delve into the root causes of real-world cases from our practice, where despite having numerous security controls in place, the organizations still found themselves compromised. In all the cases in question, compromise assessment was the last line of defense that successfully detected incidents.

Patch management issues

The vulnerability patching process typically takes time for a variety of reasons: from actual patch release all the way to identifying vulnerable assets and “properly” patching them, considering any pre-existing asset inventory and whether the accountable personnel will learn about the vulnerability in time. There are multiple factors that may delay this process, including formality in business continuity requirements, e.g. inability to reboot the server without a downtime window.

That’s why insufficient patch management processes on the customer side are one of the most common root causes of incidents we observe in compromise assessment projects. Moreover, exploitation of a public-facing application was the root cause in 42.37% of cases investigated by the Kaspersky Global Emergency Response Team (GERT) in 2023.

During the investigation of one case, we identified that the web server was patched a month after the attacker infiltrated the network: this delay was a treasure trove for the threat actor, since the organization was left unprotected and the attack went unnoticed.

• Immediately after compromising the server, the attacker deployed a SILENTTRINITY C2 stager.
• They attempted to dump credentials via a custom packed version of Mimikatz on the first day, and by dumping the LSASS process memory to disk on the fourth day.
• During that month, they conducted internal reconnaissance of SMB shares until they obtained the credentials of the domain administrator.

Policy violations by employees

Most organizations focus on external threats; however, policy violations pose a major risk, with 51% of SMB incidents and 43% of enterprise incidents involving IT security policy violations caused by employees. An “employee” here is any person who has a regular employee’s level of access to the organization’s systems.

In one of our compromise assessments, we identified an incident whose root cause was traced to a contracted cybersecurity consultant. During an interim report meeting, we presented a list of compromised accounts (a result of darknet search playbook execution) to the customer’s board of directors along with statistics on the accounts on the list. Of all the compromised accounts, 71% belonged to the customer’s employees, with 63% of these being employees’ accounts in the services accessible from outside the company.

Statistics on the organization’s compromised accounts. Source: Kaspersky Digital Footprint Intelligence

The list contained a C-level officer’s account, among others. Since this was a critical situation, with everyone suspecting that officer’s laptop had been compromised, we ran a quick investigation during the meeting and figured out that credentials had been leaked from a third-party consultant’s machine. The chairman created an account in an external system with his own corporate email and shared the credentials with the consultant. Since it was clear that consultant’s laptop might contain other confidential data, we developed the following tactical response plan.

1. Collect a forensic triage package from the consultant’s laptop.
   
   • Analyze the package to identify all leaked credentials.
   • Check the consultant’s laptop for malware.
   • Run a keyword-based search to identify potential leaked documents.

   
   

2. Review email/VPN/other logs of likely affected services available from outside the organization to detect any abnormal activity by compromised accounts.
3. Double-check if multi-factor authentication was enabled for the compromised accounts at the time of compromise.
4. Update the incident response plan based on the findings. Reset the password and install a new OS image on the laptop at a minimum.

This incident could have been prevented by ensuring that employees and any third party with access to the network followed the policies. This is easy to say but it sometimes gets tricky and requires time, effort and deep technical knowledge in practice.

MSP/MSSP issues

Usually, MSSPs are more focused on continuous monitoring and alerting, ignoring detection gaps identification and visibility enhancements: a periodic review of the customer’s event audit policy, enabling a disabled log source or highlighting a poorly configured log source. For example, the X-Forwarded-For HTTP header is often not enabled on web servers. As a result, the SOC can’t see the original IP of the connection and determine the attack source, which complicates incident investigation.

In our compromise assessment practice, we frequently identify incidents that external SOCs have missed. During one project, we reviewed third-party antivirus logs and identified multiple webshell detections on the same server for several days.

The MSSP SOC analysts had failed to raise an alert, because the malware was deleted by the antivirus each time. This is a textbook example of a junior’s mistake. If a motivated adversary has access to the server via a vulnerability, they would try a range of techniques and tactics to try to bypass security. This is where the human analyst’s attention is needed to add an additional layer of protection and prevent this from happening.

This was exactly our case: the Kaspersky experts initiated deep forensic analysis and found out that the attacker tried different webshells over a few weeks. They finally found one that was not detectable by the AV vendor at the time, so they were able to get into the network. Further investigation revealed that the entire domain remained compromised for several months.

Monitoring and verifying the quality of service from your MSP or MSSP is often challenging. Contractual agreements typically prevent clients from accessing the provider’s internal systems for a thorough review. Additionally, customers may lack the technical expertise or time required to oversee every action taken by their subcontractors.

MSPs and subcontractors might not have enough cybersecurity awareness, which poses a challenge, where they might inadvertently expose the network to a cybersecurity risk by misconfiguring some security control or not following the best practice.

Incomplete incident response

Post-breach eradication of a threat actor requires planning of multiple actions to ensure complete removal of the attacker from the network or systems:

• Removal of malware, scripts, tools, and backdoors installed by the attacker.
• Changing the passwords for the compromised accounts and deleting any unauthorized service accounts that attackers might have created
• Rolling back system configurations that might increase the attack surface or introduce new vulnerabilities

Even after the malware is deleted, certain forensic artifacts remain in the system. Therefore, it is common to identify past attacks during compromise assessment. Intentional misconfiguration introduced by an attacker is a rarer case, but we occasionally find that enterprise incident response teams fail to eradicate these procedures.

As part of the Active Directory configuration review playbook, Kaspersky analysts identified a Group Policy with several suspicious properties.

1. A modification to the AllowReversiblePasswordEncryption property of each AD account, which made domain controllers store passwords in decryptable form (without using the one-way hash function). This configuration would enable the attacker to dump credentials in plaintext via attacks like DCSync.
2. Disabling the audit of operations related to Kerberos Tickets. This configuration would hide attacker logons on all endpoints managed via Active Directory.

False sense of security

It’s crucial to remember that the effectiveness of even top-tier products is at its highest when these are properly installed, configured, and integrated. Without proper configuration, organizations cannot fully harness the potential of their cybersecurity solutions, which hinders their ability to create a robust defense.

In our compromise assessment practice, we have witnessed several cases, listed below, which were detected because specialized scanners were deployed alongside an existing AV/EDR solution, providing a second layer of detection capabilities.

• Absence of detection rules. The customer’s antivirus was unable to detect a pivotnacci webshell because the vendor did not have a defined detection rule.
• Outdated malware signatures. The client antivirus was unable to detect malware because the network port listening to the central update server was blocked by a firewall, preventing the antivirus from receiving the latest updates.
• Shadow IT. The customer’s antivirus was not deployed on certain servers because those servers were not part of Active Directory, which left them unprotected.

Conclusion

Compromise assessment has proven to be an indispensable component in the broader cybersecurity strategy of these organizations. The cases discussed above underscore that no security measure, no matter how advanced, is entirely foolproof. From internal policy violations to patch management failures and overlooked misconfigurations by third-party service providers, the risks are manifold and often hidden in plain sight. These examples highlight that a false sense of security can be more dangerous than no security at all, as it leaves organizations vulnerable to threats that might have otherwise been detected with thorough, periodic assessments.

By integrating compromise assessment into the security framework, organizations can uncover these hidden threats, address vulnerabilities that slip through the cracks, and ultimately strengthen their overall security posture. In a world where cyberthreats are constantly evolving, the proactive identification and mitigation of potential compromises is not just advisable but also necessary. This approach ensures that organizations are not only reacting to breaches but are continuously verifying the effectiveness of their defenses, thereby reducing the risk of undetected compromises and safeguarding their assets more effectively.

securelist.com/compromise-asse…

If you’re hear a rushing noise, don’t be alarmed — that’s just the rapidly approaching 2024 Hackaday Supercon. As hard as it is to believe, a whole year has gone by, and we’re now just a few days away from kicking off our annual hardware hacking extravaganza in Pasadena. Tickets just sold out over the weekend — thank you procrastinators!

For those of you who have tickets to join us this weekend, we’ve got a few last minute announcements and bits of information we wanted to get out to you. As a reminder, you can find the full schedule for all three days on the official Supercon site.

New Events Added!

For those who’ve attended a Supercon before, you know we like to cram as much content as we can into the weekend. But there’s always room for more, and this year we’ve managed to squeeze in a couple extra activities that we’re very excited about.

Halloween Hacker Happy Hour

It just so happens that Halloween is the night before Supercon officially kicks off, and that seemed like too good of an opportunity to pass up. So we’ll be throwing a pre-event party at the nearby KingsRow Gastropub where costumes and all manner of blinking LEDs are very much encouraged. Officially we’ll be hanging out from 7:00 to 10:00 PM, but don’t be surprised if you find yourself still talking to Hackaday folks at last call.

You don’t need tickets for this event, but we’d like to have a rough head count, so if you could RSVP through Eventbrite we’d appreciate it.

Tina’s Junk Challenge

Tina’s been piling up her treasures for weeks
We’ve always wanted to introduce some kind of swap meet aspect to Supercon, but the logistics have always been a challenge. This year though, we’re finally going to get the chance to test out the idea. Former DesignLab Resident Tina Belmont is in the process of moving out of the country and needs to find a new home for her electronic bric-a-brac.

Everything is free, so attendees are encouraged to take anything they think they can make use of. Naturally, an influx of interesting hardware could provide for some very unique badge hacking possibilities. If we can get enough people to graft these second-hand components onto their badges, we just might be able to turn it into a proper category come Sunday night.

A table where folks can offload their electronic bits and bobs has worked well at other hacker cons, so we’re eager to see how it goes at Supercon. If this is something you’d like to see more of, or would potentially like to participate in next year, let us know.

Krux’s Side Quests

Let’s be honest, most of us are already taking our marching orders from the computer in one way or another. So why not turn it into a fun interactive game?

The idea is simple: use the mysterious retrocomputer oracle, and it gives you a quest. Maybe you’ll have to find a hidden item, or solve a riddle. Krux has a run a variation of this game at Toor Con in the past, but the challenges spit out by the computer this time will be tailored to Supercon.

Windows Through Wires Exhibition

You may recall that we asked the Hackaday community if they had any unusual display technology they’d like to show off during Supercon as part of an exhibit.

Well, as you might have imagined, the response was incredible. From gorgeous vintage pieces to completely custom hardware, there’s going to be a wide array of fascinating hardware for attendees to study up-close.

While getting a chance to see various display technologies throughout the years would have our attention as it is, what’s really exciting is that many of the custom-built devices in the exhibit are either projects hosted on Hackaday.io or ones that we’ve covered at some point on the front page.

Considering how gorgeous some of them have looked in photographs, we’re eager to drool over them in the real world — and we bet you are to.

Workshop Technical Difficulties

Hopefully we’ve provided enough good news that we can slip in a bit of the bad. Unfortunately, we’ve had to cancel the “Hands on with an Electron Microscope” workshop that was to be hosted by Adam McCombs and Isabel Burgos. Everyone with tickets will of course be getting a refund, and you should be receiving an email to that effect shortly if you haven’t already.

While we’re just as disappointed by this news as you are, it’s one of those situations where there simply weren’t any good solutions. Long story short, the scanning electron microscope that was small enough to bring to Supercon is down, and there’s just not enough time to get it up and running at this point. An attempt was made to find another small-ish electron microscope on short notice but…well, that’s just as tricky to pull off as it sounds.

Send Us Your Lightning Talks!

To end this update on a high note, we want to remind everyone that this year we’ll once again be going Lighting Talks on Sunday morning. If you’ve never given a talk before, the shorter seven minute format is perfect for getting your feet wet. Or maybe you’ve got something you want to talk about that doesn’t take a whole hour to explain. Either way, the Lightning Talks are a great way to share what your passionate about with the Supercon audience.

If you’d like to give a Lightning Talk, simply fill out this form. You can upload slides if you’ve got them, but they aren’t strictly necessary.

hackaday.com/2024/10/29/2024-s…

Frontiere Sonore Radio Show Ep. 4: Simone inizia una sezione di presentazione di piccole etichette italiane, in questa puntata presentiamo Stanze Fredde Records di Torino

iyezine.com/frontiere-sonore-r…

#radio

Frontiere Sonore Radio Show Ep. 4

Frontiere Sonore Radio Show Ep. 4 - Frontiere Sonore Radio Show Ep. 4: Simone inizia una sezione di presentazione di piccole etichette italiane, in questa puntata presentiamo Stanze Fredde Records di Torino -

^{Simone Benerecetti (In Your Eyes ezine)}

The Animal Kingdom, In un futuro prossimo alcuni umani iniziano a mutare trasformandosi gradualmente in animali.

iyezine.com/the-animal-kingdom

The Animal Kingdom

The Animal Kingdom - The Animal Kingdom, In un futuro prossimo alcuni umani iniziano a mutare trasformandosi gradualmente in animali. - The Animal Kingdom

^{Roberto Pardini (In Your Eyes ezine)}

La legge Calderoli spezzetta l'Italia e peggiora i iservizi "per tutti". Quello che migliora, se si vuol dire così, è il potere dei Presidenti di Regione e la "vicinanza" fra grossi imprenditori locali ed il sistema di potere.
Altro proprio non mi sovviene.

#autonomiadifferenziata

pontebianco.noblogs.org/post/2…

differx

2024-10-27 18:16:03

_

pontebianco.noblogs.org/post/2…

#000000 #ffffff #JeanMarieGleize #post2024

autre chose a lieu autrement / jean-marie gleize | _ ponte bianco

^{pontebianco.noblogs.org}

pontebianco.noblogs.org/post/2…

differx

2024-10-25 12:16:43

I

protosisma* al centro della piazza che la notte del] centro carbonfossile e ghisa l’acqua poi alimenta a] dentro gente ben vestita struttura punto] focale il crollo mimetico acceso i marmi serpentino saccheggiati fondi del paese] l’origine fanno uno spettacolo nel buio dell’edicola la chiesa madre di cui solo resta] un abbeveratoio le bestie a caligine controllata oltre a questo] rimangono ] doppiando ] i cani a breve abbandonano le casse gli] scioperi a rovescio

II

il tempo passa la processione] [non cammina l’occhio della pittura è tellurico a scappamento inverso -il proverbio innesca ha iniziato una pendrive uno senza zucchero qui 53°34′51.44″N 9°59′36.04″E qui

III

l’edificio gestito ha una doppia veduta le news] della rotazione del cloroformio in Rai] riapre la fonoteca la bellezza del sovraccarico nasce] frequenta solo] la minuta in scansione in] -fondo

inquadra il fa] [delle esplorazioni profilo ridotto luce al 30% notizie spicciole dalla città con l’Acca dal momento una doppia] vita a elica va] in malora trascina

tot spese per il nottambulo tot la] scuola dell’avviamento prevede un tot di ore l’ora di cordicelle è un fallimento totale] notizie spie prolisse

IV

il generale il generico fa] le pieghe emissioni con cartello trilingue intelligence] variolux [le finestre non coincidono con l’interno il] ballatoio fissato con mollette scende promette il gas i] turisti con visto l’apparecchio i] [denti

su tutte, le furie sono state scritte a ripetizione] otto ore non sono nessuna

V

abilità tecnica è sufficiente][nota che provvede invece] [nota che non è possibile utilizzare il monumento] sistemato a poche centinaia di metri il] recapito senza obbligo o spaventa per l’estrema abilità tecnica si legge] [che

alle 18 in punto cominciano a fare il caffè il primo [oscilla il secondo conduce alle stanze il terzo vuote

molte necessità fanno delle pulegge il più grande monosistema idrico e [la mosca sembra che rimbalzi meglio sul pelo plastico] che descritte spariscono dalla manualistica dai costi della regola] [ una mosca topicida un] ingranaggio non

[firmano i piedi neri the smoke that thunders*

pontebianco.noblogs.org/post/2…

#LucaZanini #post2024

le frasi quali / luca zanini. 2024 | _ ponte bianco

^{pontebianco.noblogs.org}