If we accept the erosion of human rights for others, we may soon find ourselves subjected to that same treatment

by Mario Gerada, sul Times of Malta di Venerdì 11 aprile 2025

The will to live

^{Times of Malta}

One of the delights in Bash, zsh, or whichever shell tickles your fancy in your OSS distribution of choice, is the ease of which you can use scripts. These can be shell scripts, or use the Perl, Python or another interpreter, as defined by the shebang (#!) at the beginning of the script. This signature is followed by the path to the interpret, which can be /bin/sh for maximum compatibility across OSes, but how does this actually work? As [Bruno Croci] found while digging into this question, it is not the shell that interprets the shebang, but the kernel.

It’s easy enough to find out the basic execution sequence using strace after you run an executable shell script with said shebang in place. The first point is in execve, a syscall that gets one straight into the Linux kernel (fs/exec.c). Here the ‘binary program’ is analyzed for its executable format, which for the shell script gets us to binfmt_script.c. Incidentally the binfmt_misc.c source file provides an interesting detour as it concerns magic byte sequences to do something similar as a shebang.

As a bonus [Bruno] also digs into the difference between executing a script with shebang or running it in a shell (e.g. sh script.sh), before wrapping up with a look at where the execute permission on a shebang-ed shell script is checked.

hackaday.com/2025/04/11/tracin…

Human biology is very much like that of other mammals, and yet so very different in areas where it matters. One of these being human neurology, with aspects like the human brain and the somatosensory pathways (i.e. touch etc.) being not only hard to study in non-human animal analogs, but also (genetically) different enough that a human test subject is required. Over the past years the use of human organoids have come into use, which are (parts of) organs grown from human pluripotent stem cells and thus allow for ethical human experimentation.

For studying aspects like the somatosensory pathways, multiple of such organoids must be combined, with recently [Ji-il Kim] et al. as published in Nature demonstrating the creation of a so-called assembloid. This four-part assembloid contains somatosensory, spinal, thalamic and cortical organoids, covering the entirety of such a pathway from e.g. one’s skin to the brain’s cortex where the sensory information is received.

Such assembloids are – much like organoids – extremely useful for not only studying biological and biochemical processes, but also to research diseases and disorders, including tactile deficits as previously studied in mouse models by e.g. [Lauren L. Orefice] et al. caused by certain genetic mutations in Mecp2 and other genes, as well as genes like SCN9A that can cause clinical absence of pain perception.

Using these assembloids the development of these pathways can be studied in great detail and therapies developed and tested.

hackaday.com/2025/04/11/creati…

Over on the Google blog [Joel Meares] explains how Google built the new family of Gemini Robotics models.

The bi-arm ALOHA robot equipped with Gemini 2.0 software can take general instructions and then respond dynamically to its environment as it carries out its tasks. This family of robots aims to be highly dexterous, interactive, and general-purpose by applying the sort of non-task-specific training methods that have worked so well with LLMs, and applying them to robot tasks.

There are two things we here at Hackaday are wondering. Is there anything a robot will never do? And just how cherry-picked are these examples in the slick video? Let us know what you think in the comments!

youtube.com/embed/4MvGnmmP3c0?…

hackaday.com/2025/04/11/gemini…

There are some ideas which someone somewhere has to try. Take [Uri Tuchman]’s foot mouse. It’s a computer mouse for foot operation, but it’s not just a functional block. Instead it’s an ornate inlaid-wood-and-brass affair in the style of a very fancy piece of antique footwear.

The innards of an ordinary USB mouse are placed in something best described as a wooden platform heel, upon which is placed a brass sole with a couple of sections at the front to activate the buttons with the user’s toes. The standout feature is the decoration. With engraving on the brass and inlaid marquetry on the wood, it definitely doesn’t look like any computer peripheral we’ve seen.

The build video is below the break, and we’re treated to all the processes sped up. At the end he uses it in a basic art package and in a piloting game, with varying degrees of succes. We’re guessing it would take a lot of practice to gain a level of dexterity with this thing, but we salute him for being the one who tries it.

This has to be the fanciest peripheral we’ve ever seen, but surprisingly it’s not the first foot mouse we’ve brought you.

youtube.com/embed/Lqgbl6JoYoQ?…

hackaday.com/2025/04/11/a-mous…

Un uomo di 39 anni è stato condannato a 6 anni e 8 mesi di reclusione per pornografia minorile aggravata e violenza sessuale su minori. Decisive per la sentenza sono state le immagini degli abusi, che lui stesso aveva ripreso e conservato sul proprio computer.

Le violenze si sono consumate tra il 2021 e il 2022, all’interno delle mura domestiche, approfittando dell’assenza della madre delle bambine. Gli inquirenti hanno ricostruito un quadro drammatico, basato su documentazione e testimonianze che hanno confermato la gravità degli atti compiuti dall’uomo.

Le indagini sono scattate dopo la denuncia di una ragazza, che aveva accusato il trentanovenne di abusi subiti quando era minorenne. In quel caso, il procedimento si era concluso con un’assoluzione per insufficienza di prove. Tuttavia, il materiale trovato successivamente sul suo computer ha permesso di riaprire l’inchiesta, portando alla scoperta delle violenze sulle figlie.

Con la condanna, l’uomo ha perso la responsabilità genitoriale ed è stato colpito dall’interdizione perpetua da qualsiasi incarico che comporti contatti con minori. Una misura necessaria per tutelare le vittime e prevenire il rischio di ulteriori crimini.

Questa tragica vicenda riporta al centro l’urgenza di proteggere e sorvegliare i minori da abusi spesso consumati nell’ambiente familiare, dimostrando quanto il male possa annidarsi proprio dove dovrebbe esserci amore e sicurezza.

L'articolo Il Mostro è stato Arrestato! Violentava e filmava le proprie figlie di 3 e 6 anni mentre la Mamma era fuori proviene da il blog della sicurezza informatica.

GPS and similar satellite navigation systems revolutionized how you keep track of where you are and what time it is. However, it isn’t without its problems. For one, it generally doesn’t work very well indoors or in certain geographic or weather scenarios. It can be spoofed. Presumably, a real or virtual attack could take the whole system down.

Addressing these problems is a new system called Broadcast Positioning System (BPS). It uses upgraded ATSC 3.0 digital TV transmitters to send exact time information from commercial broadcast stations. With one signal, you can tell what time it is within 100 ns 95% of the time. If you can hear four towers, you can not only tell the time, but also estimate your position within about 100 m.

The whole thing is new — we’ve read that there are only six transmitters currently sending such data. However, you can get a good overview from these slides from the National Association of Broadcasters. They point out that the system works well indoors and can work with GPS, help detect if GPS is wrong, and stand in for GPS if it were to go down suddenly.

If all digital TV stations adopt this, the presentation mentions that there would be 516 VHF stations operating with up to 10 kW over two widely separated bands. That adds to 1,526 UHF stations running between 100 kW to 1000 kW. So lots of power and very diverse in terms of frequencies. Coverage is spotty in some parts of the country, though. A large part of the western United States would lack visibility of the four stations required for a position fix. Of course, currently there are only five or six stations, so this is theoretical at this point.

The Real Story

If you read the slide deck, the real story is at the end in the backup slides. That shows the ATSC standard frame and how the preamble changes. The math is fairly standard stuff. You know where the stations are, you know what time they think they sent the signal, and you can estimate the range to each station. With three or four stations, you can get a good idea of where you must be based on the relative receive times.

The stations diversify their time sources, which helps guard against spoofing. For example, they may get time information from GPS, the network, a local atomic clock, and even neighboring stations, and use that to create an accurate local time that they send out with their signal.

Learn More

Most of the slides come from more detailed white papers you can find on the NAB website. A lot of the site is dedicated to explaining why you can’t live without GPS, but you can’t depend on it, either. The bottom right part of the page has the technical papers you’ll probably be more interested in.

GPS is an impressive system, but we know it needs some help. BPS reminded us a bit of LORAN.

hackaday.com/2025/04/11/gps-br…

Join Hackaday Editors Elliot Williams and Tom Nardi as they talk about the best stories and hacks of the week. This episode starts off with a discussion of the Vintage Computer Festival East and Philadelphia Maker Faire — two incredible events that just so happened to be scheduled for the same weekend. From there the discussion moves on to the latest developments in DIY soft robotics, the challenge of running Linux on 8-pin ICs, hardware mods to improve WiFi reception on cheap ESP32 development boards, and what’s keeping old smartphones from being reused as general purpose computers.

You’ll also hear about Command and Conquer: Red Alert running on the Pi Pico 2, highly suspect USB-C splitters, and producing professional looking PCBs at home with a fiber laser. Stick around to the end to hear about the current state of non-Google web browsers, and a unique new machine that can engrave circuit boards with remarkable accuracy.

Check out the links below if you want to follow along, and as always, tell us what you think about this episode in the comments!

html5-player.libsyn.com/embed/…

As always, the Hackaday Podcast is available as a DRM-free MP3 download.

Where to Follow Hackaday Podcast

Places to follow Hackaday podcasts:

• iTunes
• Spotify
• Stitcher
• RSS
• YouTube
• Check out our Libsyn landing page

Episode 316 Show Notes:

News:

• Celebrating 30 Years Of Windows 95 At VCF
• In 2025, The Philly Maker Faire Finds Its Groove

What’s that Sound?

• Congratulations to [laserkiwi] for winning a Hackaday Podcast t-shirt!

Interesting Hacks of the Week:

• Salamander Robot Is Squishy
  
  • The Future of Robots is Soft (and Squishy!) – YouTube
  • These Electronics-free Robots Can Walk Right Off the 3D-Printer
  • FlowIO Platform

  
  

• 8 Pins For Linux
  
  • Building The Worst Linux PC Ever

  
  

• Simple Antenna Makes For Better ESP32-C3 WiFi
  
  • ESP32 Range Extender / Antenna Modification

  
  

• LayerLapse Simplifies 3D Printer Time-lapse Shots
• Turning Old Cellphones Into SBCs
  
  • IOIO – Wikipedia

  
  

• Ben Eater Vs. Microsoft BASIC
  
  • A Very Trippy Look At Microsoft’s Beginnings

  
  

Quick Hacks:

• Elliot’s Picks:
  
  • A Tiny Tape Synth
  • If You’re 3D Scanning, You’ll Want A Way To Work With Point Clouds
  • Why USB-C Splitters Can Cause Magic Smoke Release

  
  

• Tom’s Picks:
  
  • Tracking The ISS Made Easy
  • Command And Conquer Ported To The Pi Pico 2
  • Fiber Laser Gives DIY PCBs A Professional Finish

  
  

Can’t-Miss Articles:

• Which Browser Should I Use In 2025?
  
  • qutebrowser

  
  

• Supercon 2024: Quick High-Feature Boards With The Circuit Graver

hackaday.com/2025/04/11/hackad…

If you are a visual thinker, you might enjoy [AIHVHIA’s] recent video, which shows the effect of applying audio processing to text displayed on an oscilloscope. The video is below.

Of course, this presupposes you have some way to display text on an oscilloscope. Audio driving the X and Y channels of the scope does all the work. We aren’t sure exactly how he’s doing that, but we suspect it is something like Osci-Render.

Does this have any value other than art? It’s hard to say. Perhaps the effect of panning audio on text might give you some insight into your next audio project. Incidentally, panning certainly did what you would expect it to do, as did the pass filters. But some of the effects were a bit surprising. We still want to figure out just what’s happening with the wave folder.

If text isn’t enough for you, try video. Filtering that would probably be pretty entertaining, too. If you want to try your own experiments, we bet you could do it all — wave generation and filtering — in GNU Radio.

youtube.com/embed/47jlny15IEc?…

hackaday.com/2025/04/11/audio-…

AI continues to be used in new and exciting ways… like generating spam messages. Yes, it was inevitable, but we now have spammers using LLM to generate unique messages that don’t register as spam. AkiraBot is a Python-powered tool, designed to evade CAPTCHAs, and post sketchy SEO advertisements to web forms and chat boxes around the Internet.

AkiraBot uses a bunch of techniques to look like a legitimate browser, trying to avoid triggering CAPTCHAs. It also runs traffic through a SmartProxy service to spread the apparent source IP around. Some captured logs indicate that of over 400,000 attempted victim sites, 80,000 have successfully been spammed.

SSRF Attacking AWS

March brought a spike in instances of an interesting EC2 attack. F5 labs has the details, and it’s really pretty simple. Someone is sending requests ending in /?url=hxxp://169.254.169.254/latest/meta-data/iam/security-credentials/, with the hope that the site is vulnerable to a Server Side Request Forgery (SSRF).

That IP address is an interesting one. It’s the location where Amazon EC2 makes the Instance Metadata Service available (IMDSv1). Version 1 of this service completely lacks authentication, so a successful SSRF can expose whatever information that service makes available. And that can include AWS credentials and other important information. The easiest fix is to upgrade the instance to IMDSv2, which does have all the authentication features you’d expect.

SAP and setuid

Up next is this Anvil Secure report from [Tao Sauvage], about finding vulnerable setuid binaries in the SAP Linux images.

Setuid is a slightly outdated way to allow a less-privileged user to run a binary with elevated privileges. The simplest example is ping, which needs raw socket access to send special ICMP packets. The binary is launched by the user, escalates its privileges to send the packet, and then terminates without actually breaking the security barrier. At least that’s what is supposed to happen. In reality, setuid binaries are a consistent source of privilege escalation problems on Linux. So much so, that it’s now preferred to use the capabilities functionality to achieve this. But that’s fairly new, and many distros just give binaries like ping the setuid bit.

This brings us to SAP’s Linux images, like SAP HANA Express. These images include a small collection of custom setuid binaries, with icmbnd and hostexecstart catching our researcher’s eyes. icmbnd notably has the -f flag to specify the output file for a debug trace. That’s a typical setuid problem, in that a user can specify an oddball location, and the binary will change the system’s state in unexpected ways. It’s an easy denial of service attack, but is there a way to actually get root? It turns out the the Linux /etc/passwd file is particularly resilient. Lines that don’t make any sense as password entries are just ignored. Inject a pair of newlines and a single valid passwd entry into the passwd file, and you too can be root on an SAP system.

The hostexecstart vulnerability is a bit more involved. That binary starts and stops the SAP Host Agent on the system. That would be a dead end, except it can also take a SAR archive and upgrade the system agent. [Tao] chased a couple of dead ends regarding library injection and SAR archive signing, before finally using another standard setuid technique, the symbolic link. In this case, link the /etc/passwd file to the local sapcar_output location, and include a malicious passwd line inside a cooked SAR archive. hostexecstart tries to unpack the archive, and outputs the log right into the local sapcar_output file. But that file is really a symbolic link, and it once again clobbers passwd.

Google’s Take on End-to-end-encryption

We’re fans of end-to-end encryption around here. If Alice had a message that’s only intended for Bob to see, then it seems only right that Bob is really the only one that can read the message. The reality of modern cryptography is that this is 100% possible via RSA encryption, and the entire variety of asymmetric encryption schemes that followed. The problem with actually using such encryption is that it’s a pain. Between managing keys, getting an email client set up properly, and then actually using the system in practice, end-to-end asymmetric encryption is usually just not worth the hassle for everyday people.

Google feels that pain, and is bringing easy end-to-end encryption to business Gmail accounts. Except, it’s not actually asymmetric encryption. This works using the key access control list (KACL). Here Alice writes a message, and asks the KACL server for a key to use to send it to Bob. The server provides a symmetric key, and Alice encrypts the message. Then when Bob receives the message, he asks the same server for the same key, and the server provides it, allowing him to decrypt the message.

So is this actually end-to-end encryption? Yes, but also no. While this solution does mean that Google never has the key needed to decrypt the message, it also means that whoever is running the KACL server does have that key. But it is better than the alternative. And the technique in use here could be adapted to make true symmetric encryption far easier for end users.

Ivanti Connect Active Exploit

Google’s Mandiant has announced that Ivanti Connect Secure boxes are under active exploitation via an n-day exploit. This is a buffer overflow that Ivanti discovered internally, and patched in February of this year. The overflow was considered to be strictly limited to denial of service, as the characters written to memory could only be digits and the dot symbol. If that sounds like an IP address, just hang on, and we’ll get there.

It’s apparent that malware actors around the world are actively checking for potential vulnerabilities in Ivanti firmware updates, as the group Mandiant calls UNC5221 has apparently worked out a way to achieve Remote Code Execution with this vulnerability, and is using it to deploy malware on these systems. This is thought to be the same Chinese group that Microsoft appropriately calls Silk Typhoon.

Our friends at watchTowr have dug a bit more into this issue, and found the exact vulnerable code. It’s in HTTP header handling code, where a specific header is first limited to numerals and the period, and then copied into a fixed size buffer. Remember that observation that this sounds like an IP address? The header is X-Forwarded-For, and setting that to a long string of numbers on a vulnerable Ivanti box will indeed trigger a crash in the web binary. There’s no word yet on how exactly that was used to achieve RCE, but we’re very much hoping the rest of the story comes to light, because it’s an impressive feat.

Bits and Bytes

About 100,000 WordPress sites have a real problem. The Ottokit plugin has an authentication bypass issue, where a blank API key can be matched by setting an empty st_authorization header in an incoming request. The flaw was reported privately on April 3rd, and a fixed version was released the same day. But within hours exploitation attempts were seen in the wild.

Legacy Gigacenter devices expose a TR-069 service on port 6998. That service can be accessed with a simple telnet connection, and the commands entered here are not properly sanitized before being evaluated. Anything inside a $() substitution string is executed locally: $(ping -c5 your.ip.address) This makes for an exceedingly trivial remote code execution attack on these devices.

And finally, the Langflow AI workflow tool has a simple remote exploit vulnerability fixed in version 1.3.0. This vulnerability notably allows bypassing authentication through an API endpoint. While Langflow has Python execution by design, doing it while bypassing authentication is a definite problem. You should update to 1.3.0, and don’t expose Langflow to the Internet at all if you can help it.

hackaday.com/2025/04/11/this-w…

Microsoft ha registrato una distribuzione su larga scala di e-mail dannose che sfruttano argomenti relativi alla dichiarazione dei redditi per rubare dati e installare malware.

La particolarità di queste campagne è l’impiego di tecniche moderne per aggirare filtri e sistemi di sicurezza: gli aggressori introducono codici QR, accorciatori di link, servizi legittimi di archiviazione di file e profili aziendali per non destare sospetti nei sistemi antivirus e nei gateway di posta.

Le campagne sono rivolte a utenti aziendali e privati ​​che vengono attirati verso pagine di accesso false tramite la piattaforma di phishing RaccoonO365. Viene utilizzato per raccogliere le credenziali di Microsoft 365 e distribuire payload dannosi come i trojan remoti Remcos, GuLoader, AHKBot, i downloader Latrodectus e il framework di test di penetrazione e post-sfruttamento BruteRatel C4.

Uno degli attacchi, scoperto il 6 febbraio 2025, aveva come target gli utenti statunitensi ed era attivamente diffuso tramite file PDF con link che rimandavano a una falsa pagina DocuSign. Dopo aver cliccato sul collegamento, venivano controllati il ​​sistema e l’indirizzo IP della vittima: se il dispositivo veniva considerato “promettente”, veniva scaricato JavaScript, che installava un file MSI dannoso con BRc4 e poi scaricava Latrodectus. In altri casi, l’utente riceveva un file innocuo, il che riduceva il rischio che il sistema venisse scoperto.

Un’altra campagna, registrata tra il 12 e il 28 febbraio, è stata ancora più grande: più di 2.300 organizzazioni nei settori IT, ingegneria e consulenza sono state vittime di una mailing con PDF contenenti codici QR. Questi codici portavano alle pagine di phishing di RaccoonO365 camuffate da interfaccia di accesso di Microsoft 365, costringendo così i dipendenti a inserire i propri nomi utente e password.

Gli scenari di phishing variano notevolmente. Nel caso di AHKBot, all’utente veniva offerto un documento Excel con macro: dopo averle attivate, iniziava una catena di download che si concludeva con l’installazione di uno script AutoHotKey. Catturava degli screenshot e li trasmetteva a un server remoto. La campagna GuLoader ha utilizzato archivi ZIP con etichette che assomigliavano a moduli fiscali. Una volta aperto, è stato avviato PowerShell, che ha avviato il download del codice dannoso e l’installazione di Remcos RAT.

Sempre più spesso gli aggressori utilizzano strumenti per aggirare filtri e gateway di sicurezza: ad esempio, file SVG per aggirare i sistemi anti-spam, finestre del browser false (BitB) che imitano le interfacce di accesso e l’uso dei servizi Adobe, Dropbox, Zoho e DocuSign per nascondere attività dannose.

I ricercatori hanno prestato particolare attenzione alle azioni del gruppo Storm-0249. Tra le sue campagne più recenti rientrano il reindirizzamento degli utenti a false pagine di download di Windows 11 Pro tramite annunci di Facebook, che hanno portato all’installazione di Latrodectus. Una versione aggiornata del malware, rilevata a febbraio, includeva nuovi comandi e un modo per persistere nel sistema tramite attività pianificate.

L'articolo Benvenuto nel mondo delle Botnet! Apri un file PDF e perdi tutto proviene da il blog della sicurezza informatica.

Un avviso è comparso sul sito ufficiale di Busitalia, la società del gruppo Ferrovie dello Stato che gestisce il trasporto pubblico nelle province di Padova e Rovigo. In mezzo agli aggiornamenti sulle nuove corse e alle modifiche delle linee, è stato pubblicato un comunicato dal titolo inequivocabile: “Comunicazione di una violazione dei dati personali”.

Nei giorni scorsi Busitalia è stata vittima di un attacco informatico che ha compromesso i dati personali dei passeggeri registrati. L’incidente riguarda in particolare i canali digitali come l’App Busitalia Veneto e il portale abbonamenti, che vengono utilizzati quotidianamente da migliaia di utenti per gestire spostamenti e titoli di viaggio.
Si informano i clienti dei servizi di trasporto di Busitalia Veneto S.p.A. che i canali App Busitalia Veneto e il portale abbonamenti on line gestiti da un fornitore esterno quale Responsabile del trattamento, hanno subito una violazione dei dati personali.

Nello specifico, il fornitore ha comunicato che è stata riscontrata a livello di un data center esterno, una violazione dei dati personali (esfiltrazione non autorizzata verso un cloud esterno) causata da attività malevole di attori esterni non identificati, avvenuta tra il 29 e il 30 marzo 2025.

Di tali fatti, è stata trasmessa comunicazione a Busitalia Veneto S.p.A. in data 4 aprile u.s., quale Titolare del trattamento dei dati personali in argomento. Nel dettaglio, il fornitore ha comunicato che:

· le categorie di interessati coinvolte sono: Utenti/Contraenti/Abbonati/Clienti attuali o potenziali;

· le categorie di dati personali oggetto della violazione sono: dati anagrafici, dati di contatto, dati di profilazione, dati relativi all’ubicazione. Non sono stati invece coinvolti i dati relativi alle carte di credito, in quanto conservati presso i sistemi di Payment Service Provider;

· le probabili conseguenze della violazione per gli interessati riguardano la potenziale perdita di riservatezza (possibilità che i dati siano divulgati al di fuori di quanto previsto dall’informativa ovvero dalla disciplina di riferimento) e perdita di disponibilità (mancato accesso a servizi, malfunzionamento e difficoltà nell’utilizzo di servizi);

· non appena rilevata la violazione, il sistema è stato reso inaccessibile per un periodo di tempo limitato al fine di consentire le opportune verifiche ed azioni di sicurezza;

· sono state adottate e sono in corso di adozione misure per contenere la violazione e attenuarne gli effetti, nonché volte a prevenire il ripetersi di violazioni analoghe.

Si consiglia comunque, in via del tutto precauzionale, di modificare la password dell’account e di prestare particolare attenzione a e-mail di phishing, messaggi e chiamate sospetti o altre richieste di informazioni personali.

L’Azienda si è immediatamente attivata per analizzare quanto accaduto e per mettere in atto tutte le misure possibili per scongiurare le conseguenze negative di tale attacco verso i propri Clienti. In particolare, Busitalia Veneto S.p.A., oltre al presente comunicato, ha ritenuto di effettuare:

• la notifica preliminare all’Autorità Garante per la protezione dei dati personali;

• la richiesta di informazioni al Responsabile del trattamento, ai sensi dell’art. 28, par. 3, lettere f) e g), del GDPR affinché assista Busitalia Veneto S.p.A. nel garantire il rispetto degli artt. da 32 a 36, con particolare riferimento alla gestione della violazione dei dati personali e alle misure di sicurezza implementate a seguito della stessa.

Per ulteriori informazioni in ordine alla violazione in argomento, le richieste possono essere presentanti direttamente ai contatti istituzionali della società. di seguito indicati:
• privacy@fsbusitaliaveneto.it
• protezionedati@fsbusitalia.it

Infine, si desidera rassicurare i Clienti che Busitalia Veneto S.p.A. è impegnata a proteggere e a salvaguardare qualsiasi dato personale e, anche in questa circostanza, agirà nell’interesse e per la tutela dei diritti dei propri Clienti.

Rimarremo costantemente in contatto con il fornitore per monitorare l’esito degli accertamenti e per assumere ogni altra iniziativa volta a mitigare i possibili effettivi di quanto verificatosi.
La società ha prontamente informato i clienti, specificando che l’attacco ha potenzialmente esposto informazioni sensibili. Tuttavia, non sono ancora stati resi noti i dettagli tecnici sull’entità dell’intrusione, né quali dati siano stati effettivamente compromessi. Busitalia ha dichiarato di aver immediatamente avviato le procedure di sicurezza previste dal GDPR e di essere al lavoro per limitare gli impatti dell’incidente.

Secondo le prime ricostruzioni, l’accesso non autorizzato ai sistemi avrebbe potuto permettere la visualizzazione di dati personali come “dati anagrafici, dati di contatto, dati di profilazione, dati relativi all’ubicazione. Non sono stati invece coinvolti i dati relativi alle carte di credito, in quanto conservati presso i sistemi di Payment Service Provider”

L’accaduto sottolinea ancora una volta la crescente vulnerabilità dei sistemi informatici nel settore dei trasporti pubblici. In un contesto in cui la digitalizzazione dei servizi è sempre più centrale, episodi come questo richiamano l’urgenza di investire in soluzioni di cybersecurity più robuste e in una maggiore sensibilizzazione degli utenti.

L'articolo Attacco hacker a Busitalia: compromessi i dati dei passeggeri proviene da il blog della sicurezza informatica.