[Extreme Kits] asks the question: “What the hell is a luminiferous theremin?” We have to admit, we know what a thermin is, but that’s as far as we got. You’ve surely seen and heard a theremin, the musical instrument developed by Leon Theremin that makes swoopy music often associated with science fiction movies. The luminiferous variation is a similar instrument that uses modern time of flight sensors to pick up your hand positions.

The traditional instrument uses coils, and your hands alter the frequency of oscillators. Some versions use light sensors to avoid the problems associated with coils. While the time of flight sensors also use light, they are immune to many false readings caused by stray light.

While there is a kit for sale, you can find the schematic and source code on
GitHub with a BSD-3-Clause license. We had hoped for a video of the device, but we didn’t see one.

One nice thing about the device is you can easily swap the “handedness.” That is, you can switch the function of the virtual coils easily if you prefer to use your dominant hand for pitch.

We talk about theremins around here more than you’d think. You can build a classic one quite easily, and we’ve seen plenty of more complex designs, too.

One can only imagine the wonders held within the crypto labs of organizations like the CIA or NSA. Therein must be machines of such sophistication that no electronic device could resist their attempts to defeat whatever security is baked into their silicon. Machines such as these no doubt bear price tags that only a no-questions-asked budget could support, making their techniques firmly out of reach of even the most ambitious home gamer.

That might be changing, though, with this $500 DIY laser fault injection setup. It comes to us from Finnish cybersecurity group [Fraktal], who have started a series of blog posts detailing how they built their open-source reverse-engineering rig. LFI is similar to other “glitching” attacks we’ve covered before, such as EMP fault injection, except that a laser shining directly on a silicon die is used to disrupt its operation rather than a burst of electromagnetic energy.

Since LFI requires shining the laser very precisely on nanometer-scale elements of a bare silicon die, nanopositioning is the biggest challenge. Rather than moving the device under attack, the [Fraktal] rig uses a modified laser galvanometer to scan an IR laser over the device. The galvo and the optical components are all easily available online, and they’ve started a repo to document the modifications needed and the code to tire everything together.

Of course, this technique requires the die in the device under study to be exposed, but [Fraktal] has made that pretty approachable too. They include instructions for milling away the epoxy from the lead-frame side of a chip, which is safer for the delicate structures etched into the top of the die. The laser can then shine directly through the die from the bottom. For “flip-chip” packages like BGAs, the same milling technique would be done from the top of the package. Either way, we can imagine a small CNC mill making the process safer and quicker, even though they seem to have done pretty well with a Dremel.

This looks like a fantastic reverse engineering tool, and we’re really looking forward to the rest of the story.

youtube.com/embed/4ts3wNRt18g?…

Thanks to [gnud] for the heads up on this one.

Anyone who has done an electronic engineering qualification will at some point have had to get to grips with transmission lines, and then if they are really lucky, waveguides. Perhaps there should be one of those immutable Laws stating that for each step in learning about these essential parts, the level of the maths you are expected to learn goes up in an exponential curve, for it’s certainly true that most of us breathe a hefty sigh of relief when that particular course ends. It’s not impossible to understand waveguides though, and [Old Hack EE] is here to slice through the formulae with some straightforward explanations.

First of all we learn about the basics of propagation in a waveguide, then we look at the effects of dimension on frequency. Again, there’s little in the way of head-hurting maths, just real-world explanations of cutt-off frequencies, and of coupling techniques. For the first time we’ve seen, here are simple and understandable explanations of the different types of splitter, followed up by the famous Magic T. It’s all in the phase, this is exactly the stuff we wish we’d had at university.

The world needs more of this type of explanation, after all it’s rare to watch a YouTube video and gain an understanding of something once badly taught. Take a look, the video is below the break.

youtube.com/embed/H09w5YSnpGI?…

It could happen to anyone of us: suddenly you got this inkling of an idea for a product that you think might just be pretty useful or even cool. Some of us then go on to develop a prototype and manage to get enough seed funding to begin the long and arduous journey to turn a sloppy prototype into a sleek, mass-produced product. This is basically the story of how the Fitbit came to be, with a pretty in-depth article by [Tekla S. Perry] in IEEE Spectrum covering the development process and the countless lessons learned along the way.

Of note was that this idea for an accelerometer-based activity tracker was not new in 2006, as a range of products already existed, from 1960s mechanical pedometers to 1990s medical sensors and the shoe-based Nike+ step tracker that used Apple’s iPod with a receiver. Where this idea for the Fitbit was new was that it’d target a wide audience with a small, convenient (and affordable) device. That also set them up for a major nightmare as the two inventors were plunged into the wonderfully terrifying world of industrial design and hardware development.

One thing that helped a lot was outsourcing what they could to skilled people and having solid seed funding. This left just many hardware decisions to make it as small as possible, as well as waterproof and low-power. The use of the ANT protocol instead of Bluetooth saved a lot of battery, but meant a base station was needed to connect to a PC. Making things waterproof required ultrasonic welding, but lack of antenna testing meant that a closed case had a massively reduced signal strength until a foam shim added some space. The external reset pin on the Fitbit for the base station had a low voltage on it all the time, which led to corrosion issues, and so on.

While much of this was standard development and testing fun, the real challenge was in interpreting the data from the accelerometer. After all, what does a footstep look like to an accelerometer, and when is it just a pothole while travelling by car? Developing a good algorithm here took gathering a lot of real-world data using prototype hardware, which needed tweaking when later Fitbits moved from being clipped-on to being worn on the wrist. These days Fitbit is hardly the only game in town for fitness trackers, but you can definitely blame them for laying much of the groundwork for the countless options today.

Who among us hasn’t at some point thought of building a little vehicle, and better still, a little off-road vehicle for a few high-octane rough-terrain adventures. [Made in Poland] has, and there he is in a new video with a little off-road buggy.

The video which we’ve paced below the break is quite long, and it’s one of those restful metalworking films in which we see the finished project take shape bit by bit. In this case the buggy has a tubular spaceframe, with front suspension taken from a scrap quad and a home-made solid rear axle. For power there’s a 500cc Suzuki two-cylinder motorcycle engine, with a very short chain drive from its gearbox to that axle. The controls are conventional up to a point, though we’d have probably gone for motorcycle style handlebars with a foot shift rather than the hand-grip shift.

The final machine is a pocket drift monster, and one we’d certainly like to have a play with. We’d prefer some roll-over protection and we wonder whether the handling might be improved were the engine sprung rather than being part of a huge swing-arm, but it doesn’t appear to interfere with the fun. If you fancy a go yourself it’s surprisingly affordable to make a small vehicle, just build a Hacky Racer.

youtube.com/embed/hdIBxKy-0YY?…

I criminali informatici utilizzano sempre più spesso le botnet, reti di dispositivi infetti che consentono loro di sferrare attacchi massicci come DDoS. Uno studio condotto dagli esperti di Kaspersky Digital Footprint Intelligence ha dimostrato che il costo per affittare o acquistare tali reti sul mercato nero parte da 99 dollari, rendendole accessibili a un’ampia gamma di aggressori.

Le botnet sono formate da dispositivi infettati da malware e consentono attacchi automatizzati su larga scala. Ad esempio, la botnet Mirai scansiona Internet alla ricerca di dispositivi IoT vulnerabili che utilizzano password standard, li cattura e li include nella sua rete.

Nella prima metà del 2024, gli analisti di Kaspersky Lab hanno registrato un aumento significativo del numero di gadget IoT infetti, che potrebbe variare da semplici dispositivi domestici a complessi sistemi industriali.

Nel mercato ombra le botnet possono essere acquistate o noleggiate. Il loro prezzo varia a seconda della qualità e della funzionalità: da 99 a 10mila dollari per l’acquisto e da 30 a 4.800 dollari per l’affitto al mese. Queste reti possono essere configurate per attività specifiche e variano in termini di metodi di infezione, tipo di software utilizzato e metodi per aggirare i sistemi di sicurezza.

Particolarmente pericolose sono le botnet il cui codice sorgente è trapelato online. Sono disponibili a costi minimi o addirittura gratuiti, ma la loro efficacia è ridotta dalla facilità di rilevamento da parte dei moderni sistemi di sicurezza. Tuttavia, tali botnet sono ancora ampiamente utilizzate negli attacchi informatici.

Inoltre, sui mercati neri compaiono offerte per la creazione di botnet personalizzate. Il costo di tali servizi parte da 3mila dollari USA e tali transazioni vengono spesso concluse privatamente.

Le botnet vengono utilizzate per qualcosa di più che semplici attacchi. Con il loro aiuto, gli aggressori possono utilizzarle per effettuare mining di criptovalute o distribuire ransomware. Il riscatto richiesto per decrittografare i dati rubati utilizzando tali programmi può arrivare fino a 2 milioni di dollari.

Come notano gli analisti di Kaspersky Digital Footprint Intelligence, nonostante la relativa accessibilità, le botnet rimangono solo uno dei tanti strumenti nell’arsenale dei criminali informatici. Tuttavia, la loro popolarità continua a crescere, ponendo notevoli minacce alla sicurezza sia per gli individui che per le organizzazioni.

L'articolo Saldi nelle underground per le Botnet. Affitti a partire da 99 Dollari! proviene da il blog della sicurezza informatica.

Hackaday Editors Elliot Williams and Al Williams reflect on the fact that, as humans, we have–at most–two eyes and no warp drives. While hacking might not be the world’s most dangerous hobby, you do get to work with dangerous voltages, temperatures, and frickin’ lasers. Light features prominently, as the guys talk about LED data interfaces, and detecting faster-than-light travel.

There’s also a USB sniffer, abusing hot glue, and some nostalgia topics ranging from CRT graphics to Apollo workstations (which have nothing directly to do with NASA). The can’t miss articles this week cover hacking you and how Apollo Computer: The Forgotten Workstations you make the red phone ring in the middle of a nuclear war.

Check out the links below if you want to follow along, and as always, tell us what you think about this episode in the comments!

html5-player.libsyn.com/embed/…

As always, please download the file to archive in your doomsday bunker.

Where to Follow Hackaday Podcast

Places to follow Hackaday podcasts:

• iTunes
• Spotify
• Stitcher
• RSS
• YouTube
• Check out our Libsyn landing page

Episode 283 Show Notes:

News:

• Tickets For Supercon 2024 Go On Sale Now!
• Taco Bell To Bring Voice AI Ordering To Hundreds Of US Drive-Throughs

What’s that Sound?

• Al was unsuccessful, but if you know the correct answer, submit it and you could win a limited edition Hackaday Podcast T-shirt.

Interesting Hacks of the Week:

• Getting A Laser Eye Injury And How To Avoid It
  
  • Saving Your Vision from Super Glue in the Eyes

  
  

• Detecting Faster Than Light Travel By Extraterrestrials
• Programming Tiny Blinkenlight Projects With Light
  
  • You Can Use LEDs As Sensors, Too
  • Photoresistors Provide Air Gap Data Transfer, Slowly

  
  

• Need A USB Sniffer? Use Your Pico!
  
  • Hacking A $100 Signal Generator

  
  

• Pixel Art And The Myth Of The CRT Effect
  
  • All About CRTs
  • Linux Fu: The Old School Terminal

  
  

• Over-molding Wires With Hot Glue And 3D Printed Molds

Quick Hacks:

• Elliot’s Picks:
  
  • An ESP Makes A Bicycle Odometer
  • Tiny Trackpad Fits On Ergonomic Keyboard
  • Get Your Glitch On With A PicoEMP And A 3D Printer
  • RC Car Gets Force Feedback Steering

  
  

• Al’s Picks:
  
  • 1000 Picks Make For A Weird Guitar
  • Homebrew Relay Computer Features Motorized Clock
  • Apollo Computer: The Forgotten Workstations

  
  

Can’t-Miss Articles:

• Hack On Self: Sense Of Time
• Radio Apocalypse: HFGCS, The Backup Plan For Doomsday

Few consumer-grade PCs are what you’d categorize as built to last. Most office-grade machines are as likely as not to give up the ghost after ingesting a few too many dust bunnies, and the average laptop can barely handle a few drops of latte and some muffin crumbs before croaking. Sticking a machine like that in the shop, especially a metal shop, is pretty much a death sentence.

And yet, computers are so useful in the shop that [Lucas] from “Cranktown City” built this neat industrial-strength monitor arm. His design will look familiar to anyone with a swing-arm mic or desk light, although his home-brew parallelogram arm is far sturdier thanks to the weight of the monitor and sheet-metal enclosure it supports. All that weight exceeded the ability of the springs [Lucas] had on hand, which led to the most interesting aspect of the build — a pair of pneumatic locks. These were turned from a scrap of aluminum rod and an old flange-head bolt; when air pressure is applied, the bolt is drawn into the cylinder, which locks the arm in place. To make it easy to unlock the arm, a pneumatic solenoid releases the pressure on the system at the touch of a button. The video below has a full explanation and demonstration.

While we love the idea, there are a few potential problems with the design. The first is that this isn’t a fail-safe design, since pressure is needed to keep the arm locked. That means if the air pressure drops the arm could unlock, letting gravity do a number on your nice monitor. Second is the more serious problem [Lucas] alluded to when he mentioned not wanting to be in the line of fire of those locks should something fail and the piston comes flying out under pressure. That could be fixed with a slight design change to retain the piston in the event of a catastrophic failure.

Problems aside, this was a great build, and we always love [Lucas]’ seat-of-the-pants engineering and his obvious gift for fabrication, of which his wall-mount plasma cutter is a perfect example.

youtube.com/embed/TjYBY7cUfkE?…

You may have heard some scary news about RISC-V CPUs. There’s good news, and bad news, and the whole thing is a bit of a cautionary tale. GhostWrite is a devastating vulnerability in a pair of T-Head XuanTie RISC-V CPUs. There are also unexploitable crashes in another T-Head CPU and the QEMU soft core implementation. These findings come courtesy of a group of researchers at the CISPA Helmholtz Center for Information Security in Germany. They took at look at RISC-V cores, and asked the question, do any of these instructions do anything unexpected? The answer, obviously, was “yes”.

Undocumented instructions have been around just about as long as we’ve had Van Neumann architecture processors. The RISC-V ISA put a lampshade on that reality, and calls them “vendor specific custom ISA extensions”. The problem is that vendors are in a hurry, have limited resources, and deadlines wait for no one. So sometimes things make it out the door with problems. To find those problems, CISPA researchers put together a test framework is called RISCVuzz, and it’s all about running each instruction on multiple chips, and watching for oddball behavior. They found a couple of “halt-and-catch-fire” problems, but the real winner (loser) is GhostWrite.

Now, this isn’t a speculative attack like Meltdown or Spectre. It’s more accurate to say that it’s a memory mapping problem. Memory mapping helps the OS keep programs independent of each other by giving them a simplified memory layout, doing the mapping from each program to physical memory in the background. There are instructions that operate using these virtual addresses, and one such is vs128.v. That instruction is intended to manipulate vectors, and use virtual addressing. The problem is that it actually operates directly on physical memory addresses, even bypassing cache. That’s not only memory, but also includes hardware with memory mapped addresses, entirely bypassing the OS. This instruction is the keys to the kingdom.

So yeah, that’s bad, for this one particular RISC-V model. The only known fix is to disable the vector extensions altogether, which comes with a massive performance penalty. One benchmark showed a 77% performance penalty, nearly slashing the CPU’s performance in half. The lessons here are that as exciting as the RISC-V is, with its open ISA, individual chips aren’t necessarily completely Open Sourced, and implementation quality may very wildly between vendors.

0.0.0.0 Day Vulnerability

We’ve come a long way since the days when the web was young, and the webcam was strictly for checking on how much coffee was left. Now we have cross-site scripting attacks and cross-site request forgeries to deal with. You might be tempted to think that we’ve got browser security down. You’d be wrong. But finally, a whole class of problems are getting cleaned up, and a related problem you probably didn’t even realize you had. That last one is thanks to researchers at Oligo, who bring us this story.

The problem is that websites from the wider Internet are accessing resources on the local network or even the localhost. What happens if a website tries to load a script, using the IP address of your router? Is there some clever way to change settings using nothing but a JS script load? In some cases, yes. Cross Origin Resource Sharing (CORS) fixes this, surely? CORS doesn’t prevent requests, it just limits what the browser can do after the request has been made. It’s a bit embarrassing how long this has been an issue, but PNA finally fixes this, available as an origin trial in Chrome 128. This divides the world into three networks, with the Internet as the least privileged layer, then the local network, and finally the local machine and localhost as the inner, most protected. A page hosted on localhost can pull scripts from the Internet, but not the other way around.

And this brings us to 0.0.0.0. What exactly is that IP address? Is it even an IP address? Sort of. In some cases, like in a daemon’s configuration file, it indicates all the network devices on the local machine. It also gets used in DHCP as the source IP address for DHCP requests before the machine has an IP address. But what happens when you use it in a browser? On Windows, nothing much. 0.0.0.0 is a Unixism that hasn’t (yet) made its way into Windows. But on Linux and MacOS machines, all the major browsers treat it as distinct from 127.0.0.1, but also as functionally equivalent to localhost. And that’s really not great, as evidenced by the list of vulnerabilities in various applications when a browser can pull this off. The good news is that it’s finally getting fixed.

PLCs Sleuthing

Researchers at Claroty have spent some time digging into Unitronics Programmable Logic Controllers (PLCs), as those were notably cracked in a hacking campaign last fall. This started with a very familiar story, of rigging up a serial connection to talk to the controller. There is an official tool to administrate the controller over serial, so capturing that data stream seemed promising. This led to documenting the PCOM protocol, and eventually building a custom admin application. The goal here is to build tooling for forensics, to pull data off of one of those compromised devices.

You Don’t Need to See My JWT

Siemens had a bit of a problem with their AMA Cloud web application. According to researchers at Traceable ASPEN, it’s a surprisngly common problem with React web applications. The login flow here is that upon first visiting the page, the user is redirected to an external Single Sign On provider. What catches the eye is that the React application just about fully loads before that redirect fires. So what happens if that redirect JS code is disabled? There’s the web application, just waiting for data from the back end.

That would be enough to be interesting, but this goes a step further. After login, the authenticated session is handled with a JSON Web Token (JWT). That token was checked for by the front-end code, but the signature wasn’t checked. And then most surprisingly, the APIs behind the service didn’t check for a JWT either. The authentication was all client-side, in the browser. Whoops. Now to their credit, Siemens pushed a fix within 48 hours of the report, and didn’t drop the ball on disclosure.

(Hackaday’s parent company, Supplyframe, is owned by Siemens.)

Bits and Bytes

If you run NeatVNC, 0.8.1 is a pretty important security update. Specifying the security type is left up to clients, and “none” is a valid option. That’s not great.

Apparently we owe Jia Tan a bit of our thanks, as the extra attention on SSH has shaken loose a few interesting findings. While there isn’t a single glaring vulnerabiltiy to cover, HD Moore and Rob King found a bunch of implementation problems, particularly in embedded devices. This was presented at Black Hat, so hopefully the presentation will eventually be made available. For now, we do have a nifty new tool, SSHamble, to play with.

In 2023, the Homebrew project undertook an audit by Trail of Bits. And while there weren’t any High severity problems found, there were a decent handful of medium and lower issues. Those have mostly been fixed, and the audit results have now been made public. Homebrew is the “missing package manager for MacOS”, and if that sounds interesting, be sure to watch for next week’s FLOSS Weekly episode, because we’re chatting with Homebrew about this, their new Workbrew announcement, and more!

Questa settimana Google ha rilasciato le patch di sicurezza di agosto per Android. L’elenco delle vulnerabilità risolte includeva, tra le altre cose, un bug zero-day (CVE-2024-36971, punteggio CVSS 7.8) associato all’esecuzione di codice remoto nel kernel.

Secondo quanto riferito, lo zeroday è stato scoperto dallo specialista di Google Threat Analysis Group (TAG) Clement Lecigne e rappresenta un bug use-after-free nella gestione dei percorsi di rete nel kernel Linux. Il suo corretto funzionamento richiede privilegi a livello di sistema per consentire di modificare il comportamento di determinate connessioni di rete.

Google rileva che il CVE-2024-36971 potrebbe già essere “soggetto a sfruttamento limitato e mirato” e gli aggressori potrebbero sfruttare la vulnerabilità per eseguire codice arbitrario senza l’interazione dell’utente.

Finora l’azienda non ha rivelato dettagli su come viene sfruttata esattamente la vulnerabilità e chi potrebbe utilizzarla nei suoi attacchi. Vale la pena notare che gli specialisti di TAG stanno monitorando gli hacker governativi, nonché i fornitori di software commerciale, inclusi i creatori di Pegasus (NSO Group) e Predator (Intellexa). Ad esempio, nel 2023, gli esperti di TAG hanno scoperto 25 vulnerabilità zero-day, 20 delle quali sono state utilizzate da fornitori di sorveglianza commerciale.

In totale, questo mese sono state corrette più di 40 vulnerabilità in Android. Google, come di consueto, ha rilasciato due serie di aggiornamenti: livello 2024-08-01 e livello 2024-08-05. Quest’ultimo include tutte le correzioni di sicurezza del primo set e correzioni aggiuntive per componenti closed source di terze parti e il kernel. Ad esempio, questo livello risolve una vulnerabilità critica (CVE-2024-23350) in un componente Qualcomm closed-source.

Sono state inoltre risolte 11 gravi vulnerabilità relative all’escalation dei privilegi nel componente Framework che potevano essere sfruttate dagli aggressori senza privilegi aggiuntivi.

L'articolo Google rilascia le patch di sicurezza per Android incluso uno zero-day critico nel kernel proviene da il blog della sicurezza informatica.

Le Nazioni Unite hanno adottato all’unanimità il Trattato globale sulla criminalità informatica. Il documento ha rappresentato un passo importante nella creazione di un quadro giuridico internazionale per la lotta alla criminalità informatica e allo scambio di dati tra paesi. Il trattato è stato approvato all’unanimità l’8 agosto e sarà messo ai voti in autunno nell’Assemblea generale delle Nazioni Unite.

Il trattato è stato proposto dalla Russia nel 2021, il suo obiettivo principale è sviluppare standard globali riguardo al problema dei crimini informatici transnazionali.

Successivamente, Russia ed USA presentarono un documento che descriveva le regole di comportamento nel cyberspazio, ad ottobre del 2021.

Da quando sono iniziati i lavori sul trattato nel 2019, la comunità internazionale non ha raggiunto un consenso sulle sue necessità e sui suoi obiettivi. Nonostante tutti i dubbi, l’accordo è stato adottato dopo 3 anni di negoziati, conclusisi con una sessione di due settimane.

Tuttavia, i gruppi per i diritti umani e le grandi aziende tecnologiche hanno già sollevato preoccupazioni riguardo alle clausole che consentono alle forze dell’ordine di richiedere prove e dati elettronici ai fornitori di servizi Internet di altri paesi.

Alcuni hanno osservato che i tentativi di modificare il testo del trattato non hanno avuto successo e che il documento non contiene ancora garanzie sufficienti per la tutela dei diritti umani. Inoltre, il trattato potrebbe portare ad una maggiore sorveglianza e all’erosione della fiducia delle persone nella tecnologia digitale.

Molti credono che gli stati membri delle Nazioni Unite abbiano adottato il trattato sulla base del principio secondo cui “un cattivo trattato è meglio di nessun trattato”. Prima esistevano solo accordi regionali, come la Convenzione di Budapest, di cui Cina, Russia, India e Brasile non erano firmatari.

Il Centro per gli studi strategici e internazionali (CSIS) ha sottolineato l’importanza del trattato adottato, sottolineando che la comunità globale dispone ora di un documento comune che consentirà di progredire nella lotta contro la criminalità informatica.

L'articolo Passo storico: L’ONU adotta all’unanimità il Trattato globale sulla criminalità informatica proviene da il blog della sicurezza informatica.

United Nations member states approved its first-ever treaty aimed at combating cybercrime, a controversial text opposed by digital rights organisations and Big Tech companies.

euractiv.com/section/cybersecu…

Researchers demonstrate sustainable 3D printing by using poly(N-isopropylacrylamide) solutions (PNIPAM), which speedily and reliably turn solid by undergoing a rapid phase change when in a salt solution.

This property has been used to 3D print objects by using a syringe tip as if it were a nozzle in a filament-based printer. As long as the liquid is being printed into contact with a salt solution, the result is a polymer that solidifies upon leaving the syringe.

What’s also interesting is that the process by which the PNIPAM-based solutions solidify is entirely reversible. Researchers demonstrate printing, breaking down, then re-printing, which is an awfully neat trick. Finally, by mixing different additives in with PNIPAM, one can obtain different properties in the final product. For example, researchers demonstrate making conductive prints by adding carbon nanotubes.

While we’ve seen the concept of printing with liquids by extruding them into a gel bath or similar approach, we haven’t seen a process that prides itself on being so reversible before. The research paper with all the details is available here, so check it out for all the details.

I ricercatori di Certitude hanno dimostrato un modo per aggirare la protezione anti-phishing in Microsoft 365 (ex Office 365). Tuttavia, le vulnerabilità non sono state ancora risolte.

Gli esperti dicono che esiste un modo per nascondere il suggerimento di sicurezza del primo contatto. Come suggerisce il nome, First Contact Safety Tip è progettato per avvisare gli utenti di Outlook quando ricevono e-mail da nuovi contatti. Viene visualizzato un messaggio come questo: “Non ricevi spesso email da xyz@example.com. Scopri perché è importante.”

La chiave qui è che l’avviso viene aggiunto direttamente al corpo HTML principale dell’e-mail, il che apre la possibilità di manipolare il CSS incorporato nell’e-mail.

I ricercatori di Certitude scrivono che questo messaggio può essere facilmente nascosto nel modo seguente.

Cioè, il testo e il colore dello sfondo vengono cambiati nel colore bianco, la dimensione del carattere viene impostata su 0, il che alla fine nasconde l’avviso e lo rende invisibile all’utente.

Portando avanti questa idea, gli esperti hanno scoperto che potevano aggiungere ulteriore codice HTML alle e-mail che imitavano le icone che Microsoft Outlook aggiunge alle e-mail crittografate e firmate per farle sembrare sicure. Sebbene alcune limitazioni di formattazione impediscano una perfetta corrispondenza visiva, questo trucco può comunque aiutare a bypassare controlli poco approfonditi.

I ricercatori sottolineano di non essere a conoscenza di casi di sfruttamento dei bug descritti e di non aver trovato modi per manipolare l’HTML per visualizzare testo arbitrario in un’e-mail.

Certitude ha informato Microsoft delle sue scoperte inviando una PoC e un rapporto dettagliato agli sviluppatori tramite il Microsoft Researcher Portal (MSRC). Tuttavia, i rappresentanti di Microsoft hanno dato ai ricercatori la seguente risposta:

“Abbiamo stabilito che le tue informazioni sono valide, ma non soddisfano i nostri criteri per una risposta immediata poiché [il problema] può essere utilizzato principalmente per attacchi di phishing. Tuttavia, abbiamo preso nota di queste informazioni per un’ulteriore revisione volta a migliorare i nostri prodotti.”

L'articolo Microsoft 365: come bypassare la sicurezza anti-phishing di Outlook con il CSS proviene da il blog della sicurezza informatica.