Claroty’s TEAM82 has a report on a new malware strain, what they’re calling IOCONTROL. It’s a Linux malware strain aimed squarely at embedded devices. One of the first targets of this malware, surprisingly, is the Iraeli made Orpak gas station pumps. There’s a bit of history here, as IOCONTROL is believed to be used by CyberAv3ngers, a threat actor aligned with Iran. In 2023 a group aligned with Israel claimed to have compromised the majority of the gas stations in Iran. IOCONTROL seems to have been deployed as retribution.

There are a few particularly interesting aspects of this malware, and how TEAM82 went about analyzing it. The first is that they used unicorn to emulate the obscure ARM platform in question. This was quite an adventure, as they were running the malicious binary without the normal Linux OS under it, and had to re-implement system calls to make execution work. The actual configuration data was encrypted as the data section of the executable, presumably to avoid simple string matching detection and analysis.

Then to communicate with the upstream command and control infrastructure, the binary first used DNS-Over-HTTPS to resolve DNS addresses, and then used the MQTT message protocol for actual communications. Once in place, it has the normal suite of capabilities, like code execution, cleanup, lateral scanning, etc. An interesting speculation is that the level of control this malware had over these gas pumps, it was in a position to steal credit card information. This malware family isn’t limited to gas pumps, either, as it’s been spotted in IoT and SCADA devices from a whole host of vendors.

Bit-unlocker

We have another attack against TPM backed Bitlocker full disk encryption. The idea here is that by default Bitlocker uses an encryption key provided by the system’s Trusted Platform Module (TPM). Unless the user intentionally turns on Bitlocker PIN, this key from the TPM is the only credential needed to decrypt the drive, and is automatically provided at boot time. We’ve covered one attack against Bitlocker, where the key is sniffed while it’s being transferred from the external TPM. The conclusion as of that coverage was that a firmware TPM saves you from this attack, since there’s no accessible bus to sniff data from.

Well. There’s another approach, as you might have guessed. Modern memory requires constant refreshing to not lose its value, but that doesn’t mean that it’s entirely lost immediately. That’s what [Jack Crouse] discovered, and put to work here. Using the reset pins on a motherboard, the system is reset and booted off a flash drive. That drive contains a very minimal EFI application that just reads system memory and dumps it to the flash drive. Because the memory is mostly intact, if you reset the machine at the right point during boot, the memory dump includes the disk encryption key, allowing for easy drive decryption. If nothing else, this should be your queue to add a PIN to your Bitlocker setup. This was also a talk given at 38c3, which is now available!

Stars for Sale

GitHub stars are a useful way to determine the popularity of a project, and by extension how trustworthy that project is. At least, that’s the idea. Like any measure of popularity and trustworthiness, the GitHub Stars system has been gamed. Given how easy it is to create a GitHub account, and that giving out stars is a free action, it’s not surprising. The research suggested that between 3 and 4.5 million stars were fake, and GitHub has been quite responsive at removing the accounts and stars that are very likely to be inauthentic.

The Downside to a Connected Car

In a tale that gets worse the more you think about it, it’s revealed that 800,000 Volkswagen electric vehicles were leaking their precise information history via an unsecured Amazon storage instance. This wasn’t explicitly referred to as an S3 bucket, but we’ll use the “bucket” term for ease of discussion. This was discovered via an unnamed whistleblower, so it’s unclear whether the bucket name was accidentally made public. Regardless, it was accessible without any authentication. The broader question is why VW needs to keep these records on their drivers. It’s the downside to an always connected car.

How’s the Passkey Doing?

[Dan Goodin] is no stranger to the pages of this column, and he has thoughts about Passkeys. This isn’t a vulnerability — the FIDO2 specification hasn’t been broken in some new and clever way. Passkeys are still a good, secure way to use a trusted device as an authentication source. The problem is, they’re sort of a pain to use. Say you’re using Google Chrome on an Apple device. A site prompts you to create a passkey. Is that passkey managed by Apple, or Google? The answer is, by Apple, unless you explicitly ask Chrome to manage it. And then, Chrome on Mac isn’t allowed to sync Passkeys to Chrome on an iPhone.

And those are essentially the two problems with Passkeys: Every vendor wants users to use their platform to store passkeys, and once stored it’s devilishly difficult to manage and move passkeys to another device/platform. The silver lining is that many password managers can act as a Passkey store, and handle syncing between devices. But then again, there’s not much difference between passwords and passkeys, when you use a password manager to handle them.

Double-Click-Jack

And in related news, there’s a new approach to harvesting unintended clicks. Clickjacking is what happens when a site loads an advertisement at the top of the page, just as you’re trying to click on something, and your click gets hijacked to something else. Browsers have added protections to make truly malicious clickjacking harder to pull off. But Doubleclickjacking neatly sidesteps all of them. It’s simple: Launch another tab that claims to be a captcha, asking the user to double-click to prove they are human. Close the tab after a single click, and the second click goes to a different window. It’s clever and devious, and one more thing to watch out for.

youtube.com/embed/4rGvRRMrD18?…

Bits and Bytes

The US Treasury has reported that it was breached, via the ironically named BeyondTrust remote support vendor. It’s reported that this was an APT affiliated with the Chinese government, though very few details are available.

The intersection of data scraping and AI writing has led to dangerously good targeted phishing emails. Part of the danger here is that so much of the legitimate emails that spam filters are trained on are also written by LLMs, and executives are so used to that style of message, phishing emails fit right in.

[Mateusz Jurczyk] has released part five of the Windows Registry deep dive over at Google Project Zero. This installment is all about how the data is actually encoded into the registry files, as well as how those files are loaded and verified. Good stuff.

hackaday.com/2025/01/03/this-w…

Flying a first-person view (FPV) remote controlled aircraft with goggles is an immersive experience that makes you feel as if you’re really sitting in the cockpit of the plane or quadcopter. Unfortunately, while your wearing the goggles, you’re also completely blind to the world around you. That’s why you’re supposed to have a spotter nearby to keep watch on the local meatspace while you’re looping through the air.

But what if you could have the best of both worlds? What if your goggles not only allowed you to see the video stream from your craft’s FPV camera, but you could also see the world around you. That’s precisely the idea behind mixed reality goggles such as Apple Vision Pro and Meta’s Quest, you just need to put all the pieces together. In a recent video [Hoarder Sam] shows you exactly how to pull it off, and we have to say, the results look quite compelling.

[Sam]’s approach relies on the fact that there’s already cheap analog FPV receivers out there that act as a standard USB video device, with the idea being that they let you use your laptop, smartphone, or tablet as a monitor. But as the Meta Quest 3 is running a fork of Android, these devices are conveniently supported out of the box. The only thing you need to do other than plug them into the headset is head over to the software repository for the goggles and download a video player app.
The FPV receiver can literally be taped to the Meta Quest
With the receiver plugged in and the application running, you’re presented with a virtual display of your FPV feed hovering in front of you that can be moved around and resized. The trick is to get the size and placement of this virtual display down to the point where it doesn’t take up your entire field of vision, allowing you to see the FPV view and the actual aircraft at the same time. Of course, you don’t want to make it too small, or else flying might become difficult.

[Sam] says he didn’t realize just how comfortable this setup would be until he started flying around with it. Obviously being able to see your immediate surroundings is helpful, as it makes it much easier to talk to others and make sure nobody wanders into the flight area. But he says it’s also really nice when bringing your bird in for a landing, as you’ve got multiple viewpoints to work with.

Perhaps the best part of this whole thing is that anyone with a Meta Quest can do this right now. Just buy the appropriate receiver, stick it to your goggles, and go flying. If any readers give this a shot, we’d love to hear how it goes for you in the comments.

youtube.com/embed/XOmeAAlSTWM?…

hackaday.com/2025/01/03/fpv-fl…

Un quarto di secolo fa nasceva "In Your Eyes Ezine" grazie ad una passione che non immaginavo potesse rimanere viva per così tanto tempo e portarmi così lontano. Oggi, dopo 25 anni di presenza sul web, guardo indietro con un senso di gratitudine e meraviglia. Mai avrei pensato che questo progetto sarebbe diventato ciò che è oggi, ma il cammino è stato incredibile.

iyezine.com/25-anni-di-in-your…

25 anni di In Your Eyes Ezine

25 anni di In Your Eyes Ezine - In Your Eyes Ezine: 25 anni di passione e creatività. Scopri il nostro viaggio, le storie e i talenti che ci hanno ispirato lungo la strada. - 25 anni

^{admin (In Your Eyes ezine)}

Un recente studio di Black Fog ha rivelato tendenze allarmanti tra i dirigenti della sicurezza informatica.

Secondo i dati, nell’ultimo anno il 45% dei professionisti ha fatto ricorso all’alcol o a sostanze illegali per alleviare lo stress lavorativo e il 69% ha evitato le attività sociali. Ciò mostra segni di esaurimento, non solo di stress.

L’Organizzazione Mondiale della Sanità (OMS) definisce il burnout come una sindrome causata da stress cronico che non è stato gestito con successo. È caratterizzato da tre sintomi principali: esaurimento, cinismo e diminuzione della produttività. La ricerca mostra che il recupero completo dal burnout può richiedere anni, mentre le condizioni stressanti, con una terapia adeguata, scompaiono in poche settimane.

Il burnout colpisce molto spesso i dipendenti responsabili e motivati ​​che ignorano i propri sentimenti in un ambiente in cui non hanno alcun controllo sulla situazione. Ciò ha conseguenze devastanti, soprattutto per le persone con caratteristiche neurodivergenti. Ad esempio, il burnout autistico è accompagnato da stanchezza cronica e perdita di capacità. Tali sintomi sono esacerbati dalla depressione e dall’ansia, che creano circoli viziosi di stati negativi.

Gli esperti sottolineano l’importanza di identificare precocemente i segni del burnout. Leader come Brian Kissinger di Trace3 suggeriscono di supportare in modo proattivo i propri dipendenti rivedendo la loro giornata lavorativa e assegnando compiti per prevenire il sovraccarico. Jill Knezek di BlackLine si concentra sulle conversazioni individuali con i dipendenti per rafforzare il loro senso di valore e dare loro l’opportunità di esprimere le loro preoccupazioni.

I dipendenti notano che i programmi di benessere aziendale sono spesso percepiti come inefficaci. Gli esperti consigliano invece di cercare un aiuto professionale. La psicoterapia aiuta a far fronte allo stress crescente, costruendo strumenti per prevenire il burnout e aumentare la resilienza alle sfide future.

Il recupero dal burnout, dicono gli esperti, può portare alla “crescita dopo il trauma”. Molti pazienti ripensano ai propri valori, dedicano più tempo ai propri cari e imparano a essere felici. Essere consapevoli dei propri bisogni e creare un ambiente di lavoro confortevole, soprattutto per le persone neurodivergenti, aiuta a evitare le ricadute.

La sicurezza informatica rimane un ambito complesso e impegnativo. Tuttavia, sostenere i dipendenti, essere consapevoli dello stress e agire tempestivamente può ridurre il rischio di burnout e rafforzare lo spirito di squadra.

L'articolo Allarme Burnout: Quando la Cybersecurity Diventa una Minaccia per la Salute Mentale proviene da il blog della sicurezza informatica.

While modern gaming systems deliver ever more realistic experiences, there’s still something to be said for the consoles and handhelds of the 80s and 90s. For many, the appeal is nostalgic. Others are attracted to the “lo-fi” graphical and sound design of these games, necessitated by the limited hardware of the time.

That said nobody would claim those old systems were perfect. Which is why a hybrid approach like [Peter Khouly] has been working on with the Pico Pal might be the ultimate solution. This replacement motherboard for the Game Boy Color (GBC) is powered by the RP2350, meaning the external hardware will have the same look and feel as it did back in 1998, but you’ll still be able to reap the benefits of modern emulation.

While the origins of the project go a bit farther, [Peter] has been working on this particular variation of the Pico Pal GBC since August, and has kept a fascinating log of his progress. Just getting the RP2350 to emulate Pokémon isn’t really that big of a deal, but getting all the ancillary hardware implemented and fitted inside the case of the GBC is a different story. Especially since [Peter] intends to pack plenty of features into the final product, such as rechargable batteries, Bluetooth audio, real-time clock support, and digital video out.

The most recent status update is from just last week, where [Peter] goes over some of the new features he’s been working on. A major one is the soft power solution, where the physical power switch doesn’t just pull the plug like it did back in the 1990s. Instead, the switch triggers the board to save the game and enter into a low-power mode so that it can come right back on to where you left off. This does impact battery life, but so far, it looks like the Pico Pal GBC will be able to run for at least five hours on a charge, and more than twice that if you don’t mind turning off the audio.

It sounds like there’s still several gremlins to track down in the design, but even in its current state, the Pico Pal GBC looks very interesting. We’re immediately reminded of the phenomenal work [Bucket Mouse] has put in on a similar refit for the original DMG-1 Game Boy.

hackaday.com/2025/01/03/pico-p…

A questa pagina della Oxford University Press trovata una breve storia della loro "parola dell'anno" 2024 "Brain Rot", di cui avrete sicuramente letto nelle scorse settimane, e traducibile come "marciume cerebrale".
La parola è stata votata dopo una consultazione con circa 37.000 persone, e viene descritta come il deterioramento delle capacità mentali o intellettuali di una persona a causa del consumo eccessivo di materiale online di scarsa qualità o incapace di stimolare il pensiero critico (o qualsiasi tipo di pensiero).
Si lega, quindi, al fenomeno dell'eccessivo consumo di contenuti online di infima qualità.
Il primo uso "annotato" di "Brain Rot" viene individuato in un'opera del 1854 di Henry David Thoreau (nel libro "Walden") ed è riferito a uno stile di vita semplice, senza pensieri, nella natura e nei boschi.
Thoreau critica la tendenza della società di allora a dare poco valore alle idee complesse, o a idee che possono essere interpretate in tanti modi diversi, a favore di quelle semplici. E vede questo comportamento come un indice generale di declino mentale e intellettuale.
Nella nota, la OUP cita, ad esempio, i contenuti su TikTok e le Gen Z e Gen Alpha, ma anche parte del giornalismo mainstream.
Dopo che è stata annunciata la parola dell'anno, sono fioccate interviste e commenti (trovate tutto online) sugli aspetti patologici (e medici) di tale "abitudine".
Nel comunicato trovate anche un link a una clinica per la salute mentale in Nordamerica che ha pubblicato consigli online su come riconoscere e evitare il "Brain Rot".
Qui il link per un vostro approfondimento, nel caso il tema vi interessi!

@Informatica (Italy e non Italy 😁)

corp.oup.com/news/brain-rot-na…

https://t.me/ppInforma/10295

Non si tratta solo di un fuoco di paglia, ma dobbiamo chiarire alcune cose sull'intelligenza artificiale.

Quasi ogni anno riceviamo un rapporto che ci informa che qualcosa nel settore dei PC sta morendo o sta scomparendo, oppure che i giorni di qualche aspetto della tecnologia informatica sono contati.

@Intelligenza Artificiale

techradar.com/computing/laptop…

AI smartphone and laptop sales are said to be slowly dying – but is anyone surprised?

This isn't just a flash in the pan, but we need to get a few things straight about AI here

^{Zak Storey (TechRadar)}