We’re covering two weeks of news today, which is handy, because the week between Christmas and New Years is always a bit slow.

And up first is the inevitable problem with digital license plates. Unless very carefully designed to be bulletproof, they can be jailbroken, and the displayed number can be changed. And the Reviver plates were definitely not bulletproof, exposing a physical programming port on the back of the plate. While it’s not explicitly stated, we’re guessing that’s a JTAG port, given that the issue is considered unpatchable, and the port allows overwriting the firmware. That sort of attack can be hardened against with signed firmware, and using an MCU that enforces it.

This does invite comparisons to the James Bond revolving license plate — and that comparison does put the issue into context. It’s always been possible to swap license plates. If someone really wants to cause mischief, traditional plates can be stolen, or even faked. What a digital plate adds to the equation is the ability to switch plate numbers on the fly, without stopping or turning a screwdriver. Regardless, this seems like it will be an ongoing problem, as so many manufacturers struggle to create secure hardware.

Malicious RDP

There’s a clever attack, that uses Microsoft’s Remote Desktop Protocol (RDP), to give away way too much control over a desktop. That’s accomplished by sending the target a .rdp file that shares local resources like the clipboard, filesystem, and more. What’s new is that it seems this theoretical attack has now shown up in the wild.

The attack campaign has been attributed to APT29, CozyBear, a threat actor believed to be associated with Russia’s Foreign Intelligence Service. This attribution tracks with the victims of choice, like government, research, and Ukrainian targets in particular. To escape detection, the malicious RDP endpoints are set up behind RDP proxies, running on services like AWS. The proxies and endpoints are accessed through TOR and other anonymous proxies. The .rdp files were spread via spear-phishing emails sent through compromised mail servers. The big push, with about 200 targets, was triggered on October 22nd. Researchers at TrendMicro believe this was the end of a targeted campaign. The idea being that at the end of the campaign, it no longer matters if the infrastructure and methods get discovered, so aim for maximum impact.

Free* Mcdonalds?

Here we learn that while McDonald’s USA dosn’t have a bug bounty program, McDonald’s India does — and that’s why researcher [Eaton Zveare] looked there. And found a series of Broken Object Level Authorization (BOLA) bugs. That’s a new term to this column, but a concept we’ve talked about before. BOLA vulnerabilities happen when a service validates a user’s authentication token, but doesn’t properly check that the user is authorized to access the specific resources requested.

In the McDonald’s case, any user of the web app is issued a guest JWT token, and that token is then valid to access any Order ID in the system. That allows some interesting fun, like leaving reviews on other users’ orders, accessing delivery maps, and getting copies of receipts. But things got really interesting when creating an account, and then ordering food. A hidden, incomplete password login page allowed breaking the normal user verification flow, and creating an account. Then after food is added to the cart, the cart can be updated to have a total price of a single rupee, about the value of a penny.

This research earned [Eaton] a $240 Amazon gift card, which seems a little stingy, but the intent behind the gesture is appreciated. The fixes landed just over 2 months after reported, and while [Eaton] notes that this is slower than some companies, it’s significantly faster than some of the less responsive vendors that we’ve seen.

Banning TP-Link

The US Government has recently begun discussing a plan to ban TP-Link device purchases in the United States. The reported reason is that TP-Link devices have shipped with security problems. One notable example is a botnet that Microsoft has been tracking, that primarily consists of TP-Link devices.

This explanation rings rather hollow, particularly given the consistent security failings from multiple vendors that we’ve covered on this very column over the years. Where it begins to make more sense is when considered in light of the Chinese policy that all new vulnerabilities must first be reported to the Chinese government, and only then can fixes be rolled out. It suggests that the US Commerce Department suspects that TP-Link is still following this policy, even though it’s technically now a US company.

I’m no stranger to hacking TP-Link devices. Many years ago I wrote a simple attack to put the HTTPD daemon on TP-Link routers into debug mode, by setting the wifi network name. Because the name was used to build a command run with bash, it was possible to do command injection, build a script in the device’s /tmp space, and then execute that script. Getting to debug mode allowed upgrading to OpenWRT on the device. And that just happens to be my advice for anyone still using TP-Link hardware: install OpenWRT on it.

Developers Beware

We have two separate instances of malware campaigns directly targeting developers. The first is malicious VSCode extensions being uploaded to the marketplace. These fakes are really compelling, too, with lots of installs, reviews, and links back to the real pages. These packages seem to be droppers for malware payloads, and seem to be targeting cryptocurrency users.

If malware in your VSCode extensions isn’t bad enough, OtterCookie is a campaign believed to come from North Korea, spreading via fake job interviews. The interview asks a candidate to run a Node.js project, or install an npm package as part of prep. Those are malicious packages, and data stealers are deployed upon launch. Stay frosty, even on the job hunt.

Bits and Bytes

PHP has evolved over the years, but there are still a few quirks that might trip you up. One of the dangerous ones is tied up in $_SERVER['argv'], a quick way to test if PHP is being run from the command line, or on a server. Except, that relies on register_argc_argv set to off, otherwise query strings are enough to fool a naive application into thinking it’s running on the command line. And that’s exactly the footgun that caught Craft CMS with CVE-2024-56145.

Australia may know something we don’t, setting 2030 as the target for retiring cryptography primitives that aren’t quantum resistant. That’s RSA, Elliptic-curve, and even SHA-256. It’s a bit impractical to think that those algorithms will be completely phased out by then, but it’s an interesting development to watch.

Fuzzing is a deep subject, and the discovery of 29 new vulnerabilities found in GStreamer is evidence that there’s still plenty to discover. This wasn’t coverage-guided fuzzing, where the fuzzer mutates the fuzzing input to maximize. Instead, this work uses a custom corpus generator, where the generator is aware of how valid MP4 files are structured.

hackaday.com/2024/12/27/this-w…

Un team di ricercatori del Korea Advanced Institute of Technology (KAIST), guidato dal professor Kwang-Hyun Cho, ha presentato un metodo in grado di trasformare le cellule tumorali in cellule sane. In futuro, lo sviluppo sostituirà i metodi esistenti di trattamento del cancro, che spesso hanno gravi effetti collaterali.

Gli scienziati hanno osservato a lungo il processo di oncogenesi: come le cellule sane degenerano gradualmente in cellule maligne. Durante lo studio è stato possibile stabilire: durante la trasformazione perdono le loro caratteristiche specializzate e ritornano allo stato primitivo. Così è nata un’idea: perché non invertire questo processo?

Per implementare l’idea, il team ha creato un modello digitale della rete genetica che controlla il normale sviluppo cellulare. Utilizzando la modellazione computerizzata, hanno ricostruito il percorso di maturazione cellulare e hanno trovato gli interruttori molecolari chiave che innescano il processo. Quando gli interruttori furono attivati ​​nel tumore del colon, il tessuto cominciò effettivamente a ritornare al suo stato sano originale.

La tecnica si basa sulla reinclusione dei geni responsabili della differenziazione cellulare. Nei tumori, questi geni sono solitamente inattivi o contengono mutazioni. Quando il loro lavoro viene ripristinato, i tessuti non solo ritornano alle normali funzioni, ma in alcuni casi possono anche trasformarsi in un altro tipo di cellule specializzate: avviene la transdifferenziazione. Ad esempio, le cellule del cancro al seno possono essere convertite in cellule epatiche sane.

Studi simili sono stati condotti in precedenza. Gli scienziati sono riusciti a ottenere risultati simili anche per diversi tipi di cancro: leucemia mieloide, tumori al seno e carcinoma epatocellulare del fegato. Tuttavia, mentre in precedenza la scienza si basava su scoperte casuali, il nuovo approccio è molto più sistematico. La tecnologia sviluppata consente di determinare con precisione i geni e le proteine ​​che controllano la trasformazione cellulare.

In futuro, il metodo potrebbe costituire la base di una terapia personalizzata che tenga conto delle caratteristiche genetiche di ciascun paziente. Il gruppo di ricerca sta ora lavorando per espandere l’uso della tecnologia per trattare altre forme di cancro.

L'articolo Cellule tumorali Riprogrammate: il futuro della medicina rigenerativa parte da qui proviene da il blog della sicurezza informatica.

When you think of languages you might read about on Hackaday, COBOL probably isn’t one of them. The language is often considered mostly for business applications and legacy ones, at that. The thing is, there are a lot of legacy business applications out there, so there is still plenty of COBOL. Not only is it used, but it is still improved, too. So [Meyfa] wanted to set the record straight and created a Minecraft server called CobolCraft.

The system runs on GnuCOBOL and has only been tested on Linux. There are a few limitations, but nothing too serious. The most amazing thing? Apparently, [Meyfa] had no prior COBOL experience before starting this project!

Even if you don’t care about COBOL or Minecraft, the overview of the program is interesting because it shows how many things require workarounds. According to the author:

Writing a Minecraft server was perhaps not the best idea for a first COBOL project, since COBOL is intended for business applications, not low-level data manipulation (bits and bytes) which the Minecraft protocol needs lots of. However, quitting before having a working prototype was not on the table! A lot of this functionality had to be implemented completely from scratch, but with some clever programming, data encoding and decoding is not just fully working, but also quite performant.

Got the urge for Cobol? We’ve been there. Or write Minecraft in… Minecraft.

hackaday.com/2024/12/27/minecr…

Statistics across all threats

In the third quarter of 2024, the percentage of ICS computers on which malicious objects were blocked decreased by 1.5 pp to 22% when compared to the previous quarter.

Percentage of ICS computers on which malicious objects were blocked, by quarter, 2022–2024

Compared to the third quarter of 2023, the percentage decreased by 1.7 pp.

The percentage of ICS computers on which malicious objects were blocked during the third quarter of 2024 was highest in July and September, and lowest in August. In fact, the percentage in August 2024 was the lowest of any month in the observation period.

Percentage of ICS computers on which malicious objects were blocked, Jan 2023–Sep 2024

Region rankings

Regionally^[1], the percentage of ICS computers that blocked malicious objects during the quarter ranged from 9.7% in Northern Europe to 31.5% in Africa.

Regions ranked by percentage of ICS computers where malicious objects were blocked, Q3 2024

Six regions: Africa, South Asia, South-East Asia, the Middle East, Latin America and East Asia, saw their percentages increase from the previous quarter.

Regions and the world. Changes in the percentage of attacked ICS computers in Q3 2024

Selected industries

The biometrics sector led the surveyed industries in terms of the percentage of ICS computers on which malicious objects were blocked.

Percentage of ICS computers on which malicious objects were blocked in selected industries

In the third quarter of 2024, the percentage of ICS computers on which malicious objects were blocked decreased across most industries, with the exception of the biometrics and manufacturing sectors.

Changes in the percentage of ICS computers on which malicious objects were blocked in selected industries

Diversity of detected malicious objects

In the third quarter of 2024, Kaspersky’s protection solutions blocked malware from 11,882 different malware families in various categories on industrial automation systems.

Percentage of ICS computers on which the activity of malicious objects in various categories was prevented

The most notable proportional growth during this period was in the percentage of ICS computers on which malicious scripts and phishing pages were blocked, representing an increase of 1.1 times.

Main threat sources

The internet, email clients and removable storage devices remain the primary sources of threats to computers in an organization’s technology infrastructure. Note that the source of the blocked threats cannot be reliably identified every time.

In the third quarter of 2024, the percentage of ICS computers on which threats from various sources were blocked decreased for all threat sources described in this report.

Percentage of ICS computers on which malicious objects from various sources were blocked

Moreover, the percentage of ICS computers on which threats from email clients, removable media and network folders were blocked in the third quarter was the lowest in the observation period.

Threat categories

Malicious objects used for initial infection

Malicious objects used for initial infection of ICS computers include denylisted dangerous internet resources, malicious scripts and phishing pages, and malicious documents.

In the third quarter of 2024, the percentage of ICS computers on which denylisted internet resources and malicious documents were blocked increased to 6.84% (by 0.21 pp) and 1.97% (by 0.01 pp), respectively. The rate of malicious scripts and phishing pages increased more significantly to 6.24% (by 0.55 pp), although in the previous quarter it reached its lowest level since the beginning of 2022.

Next-stage malware

Malicious objects used to initially infect computers deliver next-stage malware: spyware, ransomware, and miners, to victims’ computers. As a rule, the higher the percentage of ICS computers on which the initial infection malware is blocked, the higher the percentage for next-stage malware.

The percentage of ICS computers on which spyware (spy Trojans, backdoors and keyloggers) was blocked decreased by 0.17 pp to 3.91% when compared to the previous quarter.

The percentage of ICS computers on which ransomware was blocked continued to vary from quarter to quarter within 0.03 p.p. It decreased to 0.16% in the observation period.

The percentage of ICS computers on which miners in the form of executable files for Windows were blocked decreased by 0.18 pp to 0.71%.

The percentage of ICS computers on which web miners were blocked decreased by 0.09 pp to 0.41%.

Self-propagating malware

Self-propagating malware (worms and viruses) is a category unto itself. Worms and virus-infected files were originally used for initial infection, but as botnet functionality evolved, they took on next-stage characteristics.

To spread across ICS networks, viruses and worms rely on removable media, network folders, infected files including backups, and network attacks on outdated software.

In the third quarter of 2024, the percentage of ICS computers on which worms were blocked continued to decrease (by 0.18 pp), reaching 1,30%. This is the lowest point since the beginning of 2022. The rate of viruses decreased slightly to 1.53%.

AutoCAD malware

AutoCAD malware is typically a low-level threat, coming last in the malware category rankings in terms of the percentage of ICS computers on which it was blocked.

In the third quarter of 2024, the percentage of ICS computers on which AutoCAD malware was blocked showed a slight decrease to 0.40%.

You can find the full Q3 2024 report on the Kaspersky ICS CERT website.

^[1] The report takes into account statistics for the USA received before September 29, 2024.

securelist.com/ics-cert-q3-202…

Do you ever have clothes that you only wore for a few hours, so you don’t want to wash them, but it still seems icky to put them back in the drawer or closet? What if you had a dedicated place to put them instead of on your floor or piled on a chair in the corner? [Simone Giertz] has a tidier solution for you.

On top of the quasi-dirty clothing conundrum, [Giertz]’s small space means she wanted to come up with a functional, yet attractive way to wrangle these clothes. By combining the time-honored tradition of hanging clothes on the back of a chair and the space-saving efficiency of a Lazy Susan, she was able to create a chair with a rotating rack to tuck the clothes out of the way when not wearing them.

The circular rack attached to the chair orbits around a circular seat and arm rests allowing clothes to be deposited on the chair from the front and conveniently pushed to the back so they remain out of sight and out of mind until you need them. The hardware chosen seems to be pretty strong as well given the number of items placed on the rail during the demonstration portion of the video. We also really like how [Giertz] challenged herself to “CAD celibacy” for the duration of the build to try to build it quick.

If you want to see some other clever furniture hacks, how about repurposing the seats from an old subway, or hacking IKEA furniture to be more accessible?

youtube.com/embed/H175G8NH2Cg?…

hackaday.com/2024/12/27/uncann…

Lo so, lo sento; lo sono.
Ci provo a dare amore
Lento pesante ma senza far rumore
oggi si trascina il tempo mio; qual vecchio treno
fuori orario che ansa controvoglia
su binari da cambiare
Il telefono
ormai fuori uso
pure, sembra dir qualcosa
ma era falso allarme
La carrozza del pensiero
oggi davvero non parte

L’apparenza bugiarda riveste le cose
L’essenza rivela molto di più
La paranoia
nei volti delusi si rimira
e poi ancorara;
piega le labbra della gente all'ingiù
Io rimugino fantasie
mi fosse toccata un’altra sorte
Ho perso a carte con mezz’ora di pc
Oggi ho poca fame
e del resto
se non posso averti qui

La vita come Penelope
tesse e disfa una tela di notte
Talvolta s’eclissa, vile come ombra
all'accendersi del giorno. E per la strada
un’ombra
col biglietto già timbrato
per un’avventura
senza garanzia di ritorno
che mi faccia sentire ancora
Il grande gatto immobile della volta azzurra
Lo Spirito dell’Essere
prende a calci il tempo

"... attacchi avanzati, capaci di sfruttare la manipolazione psicologica per indurre le vittime a installare malware sui propri dispositivi autonomamente. Ciò avviene attraverso CAPTCHA falsi, finti tutorial e aggiornamenti, il tutto condito da tecniche avanzate di social engineering."

ilsoftware.it/attacchi-scam-yo…

Da quando una persona ha usato per errore il mio indirizzo @gmail per iscriversi a #Duolingo, ricevo decine di email che dovrebbero essere "motivanti" per non mollare il corso di lingue e riprendere le lezioni. Evidentemente Duolingo permette di usare il servizio senza prima validare l'indirizzo email, che è già un problema non da poco.

Ancora peggio, non riesco a spegnere queste email automatizzate perché quando clicco su "Unsubscribe" mi porta su una finestra dove vengo informato che non esiste un account legato al mio indirizzo email.

Ma il capolavoro è accaduto oggi, Natale 2024: ho ricevuto l'ennesima email motivazionale da Duolingo con
Oggetto: Duo sa leggere tra le righe
Testo: I promemoria insistenti di Duo non sembrano funzionare. Non te ne invierà più... per ora.

Infastidito, provo nuovamente a cliccare su Unsubscribe, dove scopro che il tono passivo/aggressivo era una precisa scelta di #marketing. Mah!

🎅

Sebbene l'origine precisa della data non sia chiara, il Natale, che commemora la nascita di Gesù Cristo, viene celebrato in questo giorno, essendo stato identificato per la prima volta come la data della nascita di Gesù da Sesto Giulio Africano nel 221.

@Storia
#otd

Carissimi iscritti,

prima di passare ai due contenuti informativi CHE VI CONSIGLIAMO DI LEGGERE CON MOLTA ATTENZIONE, vorremmo approfittare del nostro canale di comunicazione per augurare a tutti voi buone feste, in particolare vi auguriamo di trascorrere un Natale rilassante e riflessivo in attesa di un 2025 ricco di soddisfazioni personali e soprattutto ricco di relazioni interpersonali!

Per quello che ci compete, noi amministratori siamo molto contenti: Poliverso è infatti diventata stabilmente l'istanza Friendica con il maggior numero di utenti attivi e noi cercheremo di fare il possibile per rendere vivibile e soddisfacente questo angolo di web e vi chiediamo di diffondere tra i vostri parenti, amici, scopamici (beh, perché no...), ammiratori e conoscenti la notizia dell'esistenza dei nostri tre progetti, tutti integrati grazie al Fediverso:

1) Poliverso.org, per chi vuole vivere il web sociale al massimo delle potenzialità
2) Poliversity.it, per chi ama Mastodon, ma non vuole rinunciare alla possibilità di scrivere post lunghi e formattati
3) Feddit.it, per chi al social network preferisce i contenuti tematici

E se volete farci un regalo per Natale o per la Befana, potete sempre dare un'occhiata alla nostra pagina di supporto su Liberapay it.liberapay.com/poliverso/ o alla pagina dei menu di Ko-Fi ko-fi.com/poliverso

Veniamo quindi alle informazioni:

Formattazione post con titolo leggibili da Mastodon

Come saprete, con Friendica possiamo scegliere di scrivere post con il titolo (come su WordPress) e post senza titolo (come su Mastodon). Uno dei problemi più fastidiosi per chi desidera scrivere post con il titolo è il fatto che gli utenti Mastodon leggeranno il vostro post come se fosse costituito dal solo titolo e, due a capi più in basso, dal link al post originale: questo non è di certo il modo miglior per rendere leggibili e interessanti i vostri post!
Con le ultime release di Friendica abbiamo però la possibilità di modificar un'impostazione per rendere perfettamente leggibili anche i post con il titolo. Ecco come fare:

A) dal proprio account bisogna andare alla pagina delle impostazioni e, da lì, alla voce "Social Network" al link poliverso.org/settings/connect…
B) Selezionando la prima sezione "Impostazione media sociali" e scorrendo in basso si può trovare la voce "Article Mode", con un menu a cascata
C) Delle tre voci disponibili bisogna scegliere "Embed the title in the body"

Ecco, ora i nostri post saranno completamente leggibili da Mastodon!

Le novità di Raccoon For Friendica

Raccoon for Friendica sta migliorando a vista d'occhio. Dalle anteprime dei video, al miglioramento della composizione dei messaggi con immagini, fino ad alcuni aggiornamenti alla stessa architettura dell'app, la maturazione di Raccoon for Friendica è quasi conclusa.
Ci sono ancora alcuni aspetti che verranno risolti nella release di fine anno, come la modifica dei messaggi pubblicati, o novità molto interessanti dal punto di vista della visualizzazione, ma oggi Raccoon copre tutte le esigenze dell'utente Friendica, escluse le impostazioni avanzate dell'account che è opportuno gestire sempre dal browser.
Raccoon for Friendica può essere utilizzata anche dagli utenti Mastodon; anzi, al momento è l'unica app per Mastodon che consenta agli utenti di navigare facilmente tra i gruppi Activitypub (comunità Lemmy, gruppi Friendica, gruppi gup.pe o magazine Mbin), che sono oggettivamente difficili da apprezzare per gli utenti Mastodon, qualsiasi sia l'app che utilizzano.
Infine Raccoon for Friendica è l'unica app che consenta agli utenti Mastodon Glitch-soc (come Poliversity.it) di scrivere messaggi formattati sfruttando una barra di formattazione molto intuitiva!

Come installare Raccoon for Friendica?

Se avete F-droid, potete farlo direttamente da lì

Se volete scaricare proprio l'ultima versione, potete cercare il file .apk a questo link

Se invece volete complimentarvi con lo sviluppatore, potete trovarlo qui:

Una nuova istanza italiana Lemmy

Chiaramente feddit.it è la più bellissima meravigliosissima istanza Lemmy del mondo, ma da questa settimana non sarà più l'unica a parlare Italiano. Nasce infatti l'istanza diggita, un progetto per portare su Lemmy la comunità di diggita, uno dei più longevi aggregatori di notizie e commenti

Qui l'elenco delle comunità diggita attive finora

================

E con queste tre notizie abbiamo finito l'ultimo bollettino dell'anno.

Ancora tanti auguri di Buon Natale e a presto!

Gli amministratori

diggita - istanza lemmy

2024-12-19 12:11:32

Diggita è una nuova istanza italiana del #fediverso! 🥳

Il lavoro di lancio è terminato, è ora possibile iscriversi: diggita.com oppure seguire i gruppi tematici dal proprio account #mastodon:

▶️ @spettacoli

▶️ @internet

▶️ @fediverso

▶️ @tecnologia

▶️ @linux

▶️ @cultura

▶️ @salute

▶️ @diggita@diggita.com

▶️ @economia

▶️ @attualita

▶️ @societa

▶️ @video

▶️ @computer

▶️ @sport

▶️ @opensource

▶️ @astronomia

▶️ @sicurezza

▶️ @scienze

▶️ @ambiente

▶️ @calcio

▶️ @giochi

▶️ @foto

▶️ @formula1