Usually, if something is tiny, it’s probably pretty cute to boot. [Luke J. Barker]’s lunar navigation game is no exception to this unwritten rule. And as far as contest rules go, this one seems to fit rather nicely, as it is tiny on more than one level.

Moon Base P (for Puppies) is built upon a XIAO ESP32-C3, an SSD1306 OLED display, and a single button to keep the BOM tidy. In this riveting side-scroller which sort of marries Lunar Lander and Flappy Bird, the top bar is always yellow and displays fuel and such, and the bottom is a rough, blue lunar surface over which you must maneuver your lunar lander. Keep pressing the button to stay up and avoid mountains, or let off the gas to cool the engine.

Fly that thing over the terrain, avoiding stray meteors and picking up free fuel, and then land gently at Moon Base P to save the stranded puppies. But you must keep flying — touch down anywhere but where you’re supposed to, and it’s game over! Once you’ve picked up the puppies, you must fly them safely onward to the rescue pod in order to win. Don’t miss the walk-through and demo after the break.

youtube.com/embed/Q-2Vkb4ArgM?…

Serena OS is not just another operating system—it’s a playground for hackers, tinkerers, and Amiga enthusiasts pushing vintage hardware to new limits. Born from modern design principles and featuring pervasive preemptive concurrency and multi-user support, [dplanitzer]’s Serena OS is far from ordinary. Running on Amiga systems with a 68030 or better CPU, it challenges traditional OS concepts by ditching threads in favor of dispatch queues, akin to Apple’s Grand Central Dispatch. The result? A dynamic, flexible kernel that combines forward-thinking design with retro charm.

The real innovation in Serena is its kernel, which uses a virtual processor concept to manage system resources efficiently. Instead of threads, Serena dynamically adjusts a pool of virtual processors based on dispatch queue needs, ensuring tasks are executed with precision and speed. Interrupt handling is also unique: interrupts are converted into semaphore signals, allowing the code to handle these signals at its convenience without missing any, making hardware interactions more controlled, especially where timing is critical.

For Amiga enthusiasts already customizing their setups, Serena OS offers new possibilities. It shares some spirit with projects like AROS (Amiga Research Operating System) but adds its own twist with object-oriented design and cross-platform goals. Whether you’re developing software for your classic Amiga or exploring new hardware interfaces, Serena OS provides a robust and adaptable foundation.

Dive into the future of Amiga computing and explore Serena OS on [dplanitzer]’s GitHub.

While track pads and mice dominate the pointing device landscape today, there was a time when track balls were a major part of the scene. In order to really sell the retro chops of his portable computer, [Ominous Industries] designed a clip-on style track ball for his retro Raspberry Pi laptop.

Starting with a half circle shape, he designed the enclosure in Fusion360 to house the guts of a USB trackball. Using the pattern along a path feature of the software, he was able to mimic the groovy texture of the main device on the trackball itself. Flexures in the top of the track ball case with pads glued on actuate the buttons.

We appreciate the honesty of the cuts showing how often the Pi can get grumpy at the extra wide display in this video as well as the previous issues during the laptop build. The bezel around the screen is particularly interesting, being affixed with magnets for easy access when needing to work on the screen.

Retro portables are having a moment. We just covered the Pi Portable 84 and previously saw one inspired by the GRiD Compass . If you’re more interested in trackballs, maybe give this trackball ring or the Ploopy trackball a look?

youtube.com/embed/4WGlwC6Pkp0?…

In vista del DEF CON 32, è stata presentata la nuova versione di BBOT 2.0 , che promette di semplificare notevolmente l’utilizzo dello strumento e di accelerare il processo di scansione. BBOT (Bighuge BLS OSINT Tool) è diventato famoso per la sua capacità di trovare più sottodomini di qualsiasi altro strumento simile. Oggi ha già raggiunto i 400mila download, il che sottolinea la sua rilevanza e popolarità tra gli utenti, soprattutto nel campo della ricerca delle vulnerabilità.

BBOT è stato sviluppato due anni fa. Lo scopo principale della sua creazione è aiutare a trovare le vulnerabilità, il che è particolarmente importante nel campo dei bug bounty. La community sostiene attivamente lo sviluppo di BBOT, contribuendo allo sviluppo di nuovi moduli e funzionalità. Di conseguenza, il numero di commit nel repository del progetto ha superato i 4.000, ovvero addirittura più del suo predecessore Spiderfoot, sviluppato in dieci anni.

Le principali innovazioni di BBOT 2.0 includono tre funzionalità chiave: pre impostazioni, uno strumento per identificare le vulnerabilità DNS chiamato BadDNS e ottimizzazione della velocità.

Preimpostazioni

Una delle principali innovazioni di BBOT 2.0 è stata la funzione di preselezione. Consente agli utenti di salvare l’intera configurazione di scansione in un singolo file YAML, semplificando notevolmente il processo di lavoro. Nelle versioni precedenti, BBOT si distingueva per un elevato grado di personalizzazione, che, da un lato, offriva ampie opportunità, ma dall’altro complicava il processo di creazione dei team. Ora, utilizzando le pre impostazioni, puoi avviare facilmente e rapidamente le scansioni richieste combinando diverse impostazioni e moduli.

Per utilizzare le preimpostazioni, è sufficiente eseguire il comando bbot -p , dove -p indica la preimpostazione desiderata. Gli utenti possono anche creare le proprie configurazioni che includono più preimpostazioni contemporaneamente.

BadDNS

Creato da @paulmmueller, BadDNS sostituisce il vecchio modulo subdomain_hijack ed espande notevolmente la capacità di BBOT di identificare le vulnerabilità DNS. Con il suo aiuto, puoi rilevare varie vulnerabilità, inclusi record pericolosi che possono causare attacchi di hacking.

BadDNS è integrato in BBOT 2.0 ed è diventato una parte importante dello strumento aggiornato. Questo modulo offre agli utenti la possibilità non solo di individuare le vulnerabilità, ma anche di analizzarne la natura, il che è particolarmente utile per i professionisti della sicurezza.

Ottimizzazione della velocità

Altri miglioramenti chiave di BBOT 2.0 includono numerose ottimizzazioni che rendono la scansione fino a 10 volte più veloce rispetto alla versione precedente. La principale accelerazione del funzionamento dello strumento è stata ottenuta attraverso l’integrazione di YARA e motori aggiornati per l’elaborazione delle richieste DNS e HTTP.

Integrazione YARA

BBOT inizialmente utilizzava la libreria Python standard per lavorare con le espressioni regolari, cosa che rallentava il processo di scansione. Nella versione 2.0, è stato completamente ridisegnato e ora utilizza YARA, che ha dato un significativo aumento della velocità. YARA ti consente anche di aggiungere le tue regole, rendendo lo strumento ancora più flessibile e potente.

Nuovi motori DNS/HTTP

Per risolvere i problemi di velocità, BBOT 2.0 ha introdotto ottimizzazioni che dedicano processi separati al funzionamento con DNS e HTTP, aumentando significativamente la velocità di elaborazione delle richieste.

L'articolo Presentato BBOT 2.0 al DEF CON. 10 volte più veloce nell’individuare vulnerabilità proviene da il blog della sicurezza informatica.

When the Raspberry Pi 5 SBC was released last year, it came in 4 and 8 GB RAM variants, which currently retail from around $80 USD and €90 for the 8 GB variant to $60 and €65 for the 4 GB variant. Now Raspberry Pi has announced the launch of a third Raspberry Pi 5 variant: a 2 GB version which also features a new stepping of the BCM2712 SoC. This would sell for about $50 USD and feature the D0 stepping that purportedly strips out a lot of the ‘dark silicon’ that is not used on the SBC.

These unused die features are likely due to the Broadcom SoCs used on Raspberry Pi SBCs being effectively recycled set-top box SoCs and similar. This means that some features that make sense in a set-top box or such do not make sense for a general-purpose SBC, but still take up die space and increase the manufacturing defect rate. The D0 stepping thus would seem to be based around an optimized die, with as only possible negative being a higher power density due to a (probably) smaller die, making active cooling even more important.

As for whether 2 GB is enough for your purposes depends on your use case, but knocking $10 off the price of an RPi 5 could be worth it for some. Perhaps more interesting is that this same D0 stepping of the SoC is likely to make it to the other RAM variants as well. We’re awaiting benchmarks to see what the practical difference is between the current C1 and new D0 steppings.

Thanks to [Mark Stevens] for the tip.

Recently the Christie’s auction house released the list of items that would be going up for sale as part of the first lot of Living Computer Museum items, under the banner “Gen One: Innovations from the Paul G. Allen Collection”. One auction covers many ‘firsts’ in the history of computing, including a range of computers like an Apple 1, and a PDP-10, as well as early Microsoft memos and code printouts. The other auctions include such items like a Gemini Spacesuit as worn by [Ed White] and a signed 1939 letter from [Albert Einstein] to [US President Roosevelt] on the discovery by the Germans of a fissionable form of uranium from which a nuclear weapon could be constructed.

We previously reported on this auction when it was first announced in June of this year. At the time many were saddened at seeing the only computer history and its related educational facilities vanish, and there were worries among those who had donated items to the museum what would happen to these now that the museum’s inventory was being put up for sale. As these donations tend to be unconditional, the museum is free to do with the item as they see fit, but ‘being sold at auction’ to probably a private collector was likely not on their mind when filling in the donation form.

As the first auctions kick off in a few days we will just have to wait and see where the museum’s inventory ends up at, but it seems likely that many of these items which were publicly viewable will now be scattered across the globe in private collections.

Top image: A roughly 180° panorama of the “conditioned” room of the Living Computer Museum, Seattle, Washington, USA. Taken in 2014. (Credit: Joe Mabel)

When the electric guitar was first produced in the 1930s, there was some skepticism among musicians as to whether or not this instrument would have lasting impact or be a flash-in-the-pan novelty. Since this was more than a decade before the invention of the transistor, it would have been hard then to imagine the possibilities that a musician nowadays would have with modern technology to shape the sound of an instrument like this. People are still innovating in this space as well as new technology appears, like [Gary Rigg] who has added a few extra degrees of freedom to a guitar effects pedal.

A traditional expression pedal, like a wah-wah pedal, uses a single motion to change an aspect of the sound of the guitar, and is generally controlled with the musician’s foot. [Gary]’s pedal, on the other hand, can be manipulated in three different ways to control separate elements of the instrument’s sound. It can be pitched forward and back like a normal effects pedal, but also rolled side-to-side and twisted around its yaw axis. The pedal has a built-in IMU to measure the various position changes of the pedal, which is then translated by an RP2040 microcontroller to a MIDI signal which controls the three different aspects of the sound digitally.

While the yaw motion might be difficult for a guitarist to create with their foot while playing, the idea for this pedal is still excellent. Adding in a few more degrees of freedom gives the musician more immediate control over the sound of their instrument and opens up ways of playing that might not be possible or easy with multiple pedals, with the MIDI allowing for versatility that might not be available in many analog effects pedals. Not every pedal needs MIDI though; with the help of a Teensy this digital guitar pedal has all its effects built into a self-contained package.

youtube.com/embed/qRjAQaGeyRA?…

A spare monitor and keyboard are handy things to have around, but they’re a bit of a hassle. They are useful for hardware development, plugging in to headless servers, or firing up a Raspberry Pi or similar single-board computer (SBC). If that’s something you do and portability and storage space are important to you, then you may be interested in the CrowView Note.

I got an opportunity to test and provide feedback on an early version of this unusual device, which is functionally a portable spare monitor plus keyboard (and touchpad) without the bulk and extra cables. Heck, it’s even giving me ideas as the guts of a Cyberdeck build. Let’s take a look.

What It Is

It really looks like a laptop, but it’s actually a 14″ 1920 x 1280 monitor and USB keyboard in a laptop form factor.

There is also an integrated trackpad, speakers and mic, and a rechargeable battery. That makes it capable of providing its own power, and it can even function as a power bank in a pinch. There’s an HDMI input on one side, and on the other is a full-featured USB-C port that accepts video input via the DisplayPort altmode.
Pictured here is a Raspberry Pi 5 with optional PCB adapter to eliminate cables. The three ports (HDMI in, USB-C 5 V out, and USB-A for peripherals) provide all the board needs.
The CrowView Note is a pretty useful device for a workbench where one is often plugging hardware in for development or testing, because there’s no need to manage a separate monitor, keyboard, and mouse.

It is not a laptop, but attaching an SBC like a Raspberry Pi makes it act like one. The three ports conveniently located on the left-hand side (HDMI in, USB-C out for power to the SBC, and USB-A in for peripherals like keyboard and trackpad) are all that are needed in this case. Elecrow offers a “cable eliminator” PCB adapters to make the process of connecting a Raspberry Pi 5 or a Jetson Nano as simple as possible. The result is something that looks and works just like a laptop.

Well, almost. The SBC will still be a separate piece of hardware, whether connected by cables or by one of Elecrow’s PCB adapters. The result is OK for bench work, but especially in the case of the PCB adapter, not particularly rugged. Still, it’s a nice option and makes working on such boards convenient and cable-free.

What It Isn’t

Visually the CrowView note looks so much like a laptop that it bears repeating: this is not a laptop. There are no processing brains whatsoever inside. It’s a portable and rechargeable monitor, keyboard, mic, and speakers in a laptop form factor.

Also, it is not a laptop kit. It’s got all the right hardware to act like one, but there’s no way to truly securely or semi-permanently attach an SBC. Attaching an SBC like a Raspberry Pi 5 can be done with cables or one of Elecrow’s PCB adapters, but the result is more a convenience than something that would survive being loaded into a bag or backpack and carried around.

Use Cases, and Video Input Options

A device like this is handy for any situation that would require a spare monitor and keyboard, like configuring headless systems or working with development kits. An HDMI and USB cable are all that’s really needed to provide monitor and keyboard/touchpad functionality in this way, and the built-in rechargeable battery means it can power itself as well as attached hardware.

The USB-C port on the left is a 5 V output for exactly this purpose, but the one on the right side is a full-featured port that supports modes such as power delivery (PD) and DisplayPort video over USB-C. Devices that support video in this way include some mobile phones, and portable devices like Valve’s Steam Deck (shown here.)

The only catch for video over USB-C is that both the device and the cable must support it. The DisplayPort altmode is one of USB-C’s high-speed interfaces and requires the cable to have the right pairs connected, or it won’t work. (Since cables all look the same from the outside, this is where a USB cable tester comes in handy.)

The Electrow Note is rechargeable, light, and charges and handles just like a laptop. It’s far less bulky than a standalone monitor and keyboard/mouse. This makes it attractive for use on a crowded workbench, or in field work where portability is key.

Limitations and Quirks

In my testing of an early version of the device, I found a couple quirks that are worth keeping in mind.

One is that this device is a monitor and keyboard/mouse all in one, and they aren’t really completely independent devices. That is to say, if the monitor isn’t getting a useable video signal, the display goes to sleep and seems to take the keyboard and touchpad functionality with it.

For example, pressing CAPS LOCK won’t toggle the caps lock indicator light because the keyboard isn’t “awake” without a video signal. I was unable to use the device just as a USB keyboard/mouse and ignore plugging in the monitor. Similarly, with no valid input video signal functions like brightness adjustment or using the monitor’s OSD menu are inaccessible. (Input switching and battery level display do work, however.)

Related to the above, the interface for adjusting monitor functions is basic, and understanding how it works may save time and frustration. As with many laptops, the function key row doubles as device controls with F1 for video input selection, F5 and F6 adjusting brightness down and up, and so on. On the version I tested, the default configuration is to have the function key row act as monitor controls. To send a literal F1 keypress from the keyboard, one must press Fn+F1. It’s possible to swap this behavior, but the setting reverts at the next power cycle, which led to some head-scratching on my part while troubleshooting.

The CrowView Note’s interface — while functional — isn’t completely obvious at first. On a workbench, one might be plugging a device like this into hardware that may not be working as it should, and its quirks can compound troubleshooting headaches unless one knows what to expect.

Does It Have a Place On Your Workbench, Or In Your Next Project?

Tabletop space and storage space are at premiums for most of us. The CrowView Note is an attractive all-in-one alternative to separate devices, especially with its rechargeable battery. That it includes speaker and mic and can work as a USB power bank in a pinch is a nice touch.

Honestly, it is also giving me DIY cyberdeck build ideas. Monitor, keyboard, speaker, mic, touchpad, and a 5000 mAh battery with charging circuitry built-in? It’s not a bad bundle of hardware for $169 USD. Elecrow is currently accepting pre-orders for the CrowView Note via a crowdfunding campaign if you’re interested.

How often do you find yourself needing to break out a monitor and keyboard, and what’s your favorite solution? Do you see a device like this as a space-saving tool, or more the basis of a hardware project like a cyberdeck build? Could you or have you DIYed something like this on the cheap? Let us know in the comments.

Lo studente diciassettenne Cesare Mencarini del Cardiff Sixth Form College, ha progettato e costruito un piccolo reattore a fusione come parte del suo ultimo progetto A-Level. Il suo lavoro è stato presentato al Cambridge Science Festival e ha suscitato grande interesse tra gli specialisti e il pubblico.

Lo sviluppo del reattore a fusione nucleare

Mencarini ha trascorso 18 mesi sviluppando e creando un’installazione per la generazione di neutroni. Secondo il giovane scienziato, la sua invenzione avrebbe dovuto creare le condizioni necessarie per la fusione nucleare. Tuttavia, a causa dei limiti del laboratorio scolastico, era impossibile raggiungere una pressione paragonabile a quella creata nelle profondità del Sole sotto l’influenza della gravità. Pertanto, Cesare ha utilizzato l’alta tensione per riscaldare gli atomi alla temperatura richiesta.

Il percorso non è stato agevole. Inizialmente, i funzionari universitari hanno espresso preoccupazione per la sicurezza dell’esperimento. Mencarini dovette fare molti sforzi per convincere gli insegnanti della fondatezza della sua idea. “All’inizio il college era preoccupato che questo progetto, che ho utilizzato anche per il mio EPQ, potesse essere pericoloso. Tuttavia, abbiamo effettuato una valutazione completa del rischio e il personale è stato di grande aiuto”, ha affermato il giovane fisico. Questo risultato non solo gli ha portato il voto più alto nel suo esame di livello A, ma gli ha anche aperto le porte al mondo della grande scienza.

Il preside del college, il dottor Julian Davies, ha definito il lavoro di Cesare “eccezionale” ed “estremamente emozionante“. Ha sottolineato l’importanza di dare agli studenti l’opportunità di lavorare su progetti che li interessano, oltre a studiare per gli esami. “Vogliamo insegnare loro ad essere coraggiosi, a correre dei rischi calcolati e a sviluppare progetti che si applichino a situazioni di vita reale“, ha detto Davis.

Le specifiche tecniche

Il reattore Mencarini ha generato plasma diversi mesi fa, a giugno. I dettagli tecnici dell’installazione sono impressionanti nella loro complessità. Il sistema è alimentato da una pompa principale Leybold Trivac E2, che consente una pressione massima di 8E-3 torr. Mencarini prevede inoltre di utilizzare la pompa turbomolecolare Pfeiffer TPH062 per la sintesi futura.

La griglia del reattore è collegata a un passante ad alta tensione valutato a 30 kV e collegato a un alimentatore Unilab da 5 kV. Ciò consente all’unità di essere attivata in un ambiente scolastico, poiché la corrente di uscita è limitata a 2 mA. Durante gli esperimenti Mencarini ha testato due diverse configurazioni di griglia.

Cesare Mencarini, originario dell’Italia, studia matematica, chimica e fisica. Ora sta progettando di studiare ingegneria, ma prima spera di lavorare presso il Centro per l’interfaccia e l’analisi dell’Università di Bristol.

I risultati di Mencarini non solo dimostrano le sue eccezionali capacità di hacking del ragazzi, ma aprono anche nuovi orizzonti nel campo della fisica e dell’energia nucleare. Il dottor Davis è fiducioso che Cesare avrà un impatto significativo sul settore energetico in futuro. Questo progetto costituisce un esempio stimolante di come i giovani talenti possono contribuire a risolvere i problemi energetici e climatici globali.

Il significato di Hacking

Come sempre abbiamo detto su queste pagine, “hacking” è una “capacità” e non un aggettivo negativo di una persona. Come in tutte le “capacità”, c’è chi la può usare a fin di bene o a fin di male.

Hacking significa superare un ostacolo con arte ingegno ed intelletto, significa innovare e abbraccia diverse discipline e non soltanto la sicurezza informatica,.ma anche la matematica, la musica e la Fisica.

Infatti la parola hacking deriva dal verbo inglese “to hack”, che significa “intaccare”, “sminuzzare”, ovvero vedere oltre, dove gli altri non sono riusciti a farlo.

L'articolo 17 Anni, Italiano, costruisce un Reattore a Fusione Nucleare al college. Anche questo è Hacking! proviene da il blog della sicurezza informatica.

Over at the [Usagi Electric] farm, [David Lovett]’s custom 1-bit, vacuum tube-based computer (UEVTC for short) has been coming along well the past years, matching and exceeding the Motorola MC14500B 1-bit industrial control unit (ICU) that it is heavily inspired by. What is still missing, however, is a faster way to get data into the computer than manually toggling switches. The obvious choice is to make a (punched) paper tape reader, but how does one go about this, and what options exist here? With a few historical examples as reference and the tape reader on the impressive 1950s Bendix G-15 which [David] happens to have lounging around, [David] takes us in a new video through the spiraling complexity of what at first glance seems like a simple engineering challenge.
Photodiodes in the tape reader of the Bendix G-15. (Credit: David Lovett, Usagi Electric)
Punched paper tape saw significant use alongside punched paper cards and magnetic tape, and despite their low bit density, if acid-free paper (or e.g. mylar) is used, rolls of paper tape should remain readable for many decades. So how to read these perforations in the paper? This can be done mechanically, or optically, with in both case the feedrate an important consideration. Right off the bat the idea of a mechanical reader was tossed out due to tape wear, with [David] digging into his stack of photodetector tubes. After looking at a few rather clunky approaches involving such tubes, the photodiodes in the Bendix G-15’s tape reader were instead used as inspiration for a design. These are 1.8 mm diameter photodiodes, which aren’t super common, but have the nice property that they align exactly with the holes in the paper tape.

This left building a proof-of-concept on a breadboard with some incandescent bulbs and one of the photodiode to demonstrate that a valid logic signal could be produced. This turned out to be the case, clearing the construction of the actual tape reader, which will feature in upcoming videos.

youtube.com/embed/eNsV_gKfvf4?…

Secondo l’articolo di Dark Reading: “Unfixed Microsoft Entra ID Authentication Bypass Threatens Hybrid IDs”, recentemente è stata scoperta una vulnerabilità nel processo di validazione delle credenziali negli ambienti Microsoft Entra ID. Questa vulnerabilità, scoperta dai ricercatori di Cymulate, permetterebbe agli attaccanti di bypassare l’autenticazione nelle infrastrutture ibride.

Dettagli dell’Attacco ed Implicazioni

• Manipolazione delle Credenziali: Gli attaccanti possono sfruttare questa vulnerabilità per accedere come utenti di Entra ID attraverso diversi domini on-premises senza necessità di autenticazione separata.
• Local Admin Necessario: L’attacco richiede che un avversario abbia accesso come local admin su un server che ospita un PTA agent.
• Agente PTA come Doppio Agente: La vulnerabilità trasforma l’agente PTA in un “doppio agente”, permettendo agli attaccanti di accedere come qualsiasi utente AD sincronizzato senza conoscere la password reale. Questo potrebbe concedere accesso a un global admin, indipendentemente dal dominio AD sincronizzato, e consentire movimenti laterali tra diversi domini on-premises.
• Malfunzionamento delle Richieste: Gli agenti PTA a volte gestiscono in modo errato le richieste di autenticazione per diversi domini on-premises. Questo può portare a un fallimento dell’autenticazione perché il server non riconosce l’utente specifico.

Cymulate ha dimostrato come un attaccante potrebbe sfruttare questa vulnerabilità, iniettando una libreria dinamica non gestita nell’agente PTA. Una volta caricata, la DLL gestita intercetta la funzione ValidateCredential responsabile della verifica delle credenziali utente sia all’inizio che alla fine. Intercettando questa funzione, l’attaccante può manipolare il risultato, forzandolo sempre a restituire True. Questo significa che anche se vengono fornite le credenziali di un utente di un dominio diverso, l’hook restituirà True, permettendo così di accedere come qualsiasi utente da qualsiasi AD on-prem sincronizzato.

Il team di ricercatori ha raccomandato Microsoft di implementare un “domain-aware” routing per garantire che le richieste siano indirizzate all’agente PTA corretto, ed ha indicato inoltre che una separazione logica tra i diversi domini on-premises all’interno dello stesso tenant potrebbe portare benefici.

Le organizzazioni che hanno sincronizzato più domini Active Directory on-premises con un singolo tenant Azure risultano essere particolarmente vulnerabili. Anche la sincronizzazione di un singolo dominio può essere sfruttata, poiché l’attaccante sarebbe comunque in grado di accedere come qualsiasi utente sincronizzato da quel dominio.

La Risposta di Microsoft

Microsoft, identificando la minaccia con livello medio (dato che è necessario essere local admin, ndr), ha pianificato di risolvere la vulnerabilità. Ha inoltre raccomandato di attivare l’MFA su tutte le utenze sincronizzate e di trattare il server PTA come un componente di Tier-0 applicando le pratiche più importanti, quali network isolation, access management stringenti e monitoraggio.

L'articolo Vulnerabilità di Microsoft Entra ID Minaccia le Infrastrutture Ibride proviene da il blog della sicurezza informatica.

BlindEagle, also known as “APT-C-36”, is an APT actor recognized for employing straightforward yet impactful attack techniques and methodologies. The group is known for their persistent campaigns targeting entities and individuals in Colombia, Ecuador, Chile, Panama and other countries in Latin America. They have been targeting entities in multiple sectors, including governmental institutions, financial companies, energy and oil and gas companies, among others.

BlindEagle has demonstrated adaptability in shaping the objectives of its cyberattacks and the versatility to switch between purely financially motivated attacks and espionage operations.

There is evidence that the group has been active since at least 2018. At GReAT, we have been closely tracking their campaigns. This blog aims to give an introduction to the group, detail its TTPs, and provide insights into their recent operations.

The eagle goes phishing

The spreading method used by BlindEagle is via phishing emails. Depending on the type of cyberoperation they conduct, it could be spear phishing (used in targeted espionage attacks) or more generalized phishing (particularly used in financial attacks).

The phishing emails typically impersonate governmental institutions, such as Colombia’s National Directorate of Taxes and Customs, Ministry of Foreign Affairs or Office of the Attorney General, among others. Spam campaigns impersonating financial and banking entities are also common.

Phishing impersonating the Attorney General’s Office

The campaigns involve sending deceptive emails containing a notification about an issue that requires immediate action by the user. Each email contains a link in its body that appears to lead to the official website of the entity being impersonated, and an attached file (particularly PDF or Word documents). The attached document mirrors the email’s message, contains the same URL and, in some cases, adds extra details and a heightened sense of urgency to make the phishing attempt sound more convincing. The links usually point to DDNS services and redirect victims to public repositories or sites owned by the attackers where they host malware implants, also known as “the initial dropper”.

A distinctive aspect of the malware delivery is geolocation filtering. The group often uses URL shorteners that are capable of geographical detection and redirection. That means that, if a connection is detected to be coming from a country which is not among the group’s targets, the attack is called off, and the victim is redirected to the site of the organization the attackers are impersonating. This geographical redirection prevents new malicious sites from being flagged, and thwarts hunting and analysis of these attacks.

How the eagles attack

Once an email is delivered, it paves the way for the group’s final malicious implant. BlindEagle is well known for using publicly available or open-source Remote Access Trojans (RATs), with the primary goal of spying on victims and stealing financial information. The group constantly switches from one RAT to another, using different tools in different campaigns. We have observed BlindEagle running operations using njRAT, LimeRAT, BitRAT and AsyncRAT, among others. They usually modify the samples to add customization them and new capabilities.

To deploy the final implant, the group uses a multi-stage process that is consistently similar across their campaigns. Unlike the final payload, the tools they use at the intermediate stages are custom built. The initial dropper, downloaded from malicious links, is typically a compressed file that tricks the victim by pretending to be an official document from the government or financial entity being spoofed in the phishing attack. We have observed the use of popular compression formats like ZIP, but also older and less known formats, such as LHA and UUE. Many threat actors exploit these lesser-known formats to deceive their victims into opening the file, taking advantage of their lack of knowledge about these formats.

The victim is persuaded to extract and run the files within the archive allegedly to solve the issue mentioned in the phishing email. The extracted files are typically Visual Basic Scripts that use WScript, XMLHTTP objects, or PowerShell commands to contact another server to download a malicious artifact for the next stage. The server address is usually hardcoded in the VBS file.

During the monitored campaigns, we have observed various server options chosen by BlindEagle, including servers controlled by the group and public infrastructure, such as image hosting sites, text storage sites like Pastebin, CDN services like Discord or developer platforms like GitHub repositories.

As the second-stage artifact, the threat actor employs various files, with the most common types being text files, images and .NET executables. These are usually encoded or obfuscated.

Steganography used in a BlindEagle campaign

The text files often contain a payload encoded in base64, ASCII or a combination of both. For images, the group has explored using steganography techniques to hide similarly encoded malicious code. The executable files typically masquerade as legitimate and contain the next malicious payload within their resource section.

In the next phase, the malicious code is extracted if needed and decoded by the initial dropper, yielding an intermediate file that, judging by the campaigns we have monitored, can be either a DLL or a .NET injector. This file calls yet another malicious server, whose address is, too, hardcoded in the executable, to download the final payload: the open-source RAT.

During this intermediate phase, the group often uses process injection techniques to execute the RAT in the memory of a legitimate process, thereby evading process-based defenses. The group’s preferred technique is process hollowing. This technique consists in creating a legitimate process in a suspended state, then unmapping its memory, replacing it with a malicious payload, and finally resuming the process to start execution.

Cyber-espionage or a financial attack: Actually, both

BlindEagle uses open-source RATs as the final link in their attack chain, which they modify in a way that suits their campaign objectives. This approach gives them the flexibility to adapt their malware with minimal efforts, as they do not need to develop implants from scratch. We have observed a wide variety of RATs used by the group, with notable examples including AsyncRAT, njRAT, Lime-RAT, Quasar RAT and BitRAT.

The group demonstrates great adaptability between campaigns. For example, in some of its financial attacks, the threat actor utilized a modified version of the Quasar RAT, a malware primarily used for espionage but in this case, repurposed as a banking Trojan to specifically target customers of financial institutions in Colombia.

The group modified the RAT by adding functionality to capture information from the victim’s browser to intercept credentials for banking services. After execution, the malware monitored newly opened browser windows. If the titles of any of these windows returned a match with a list of strings relating to ten Colombian financial entities, the RAT initiated keylogging to capture the login credentials for these entities’ online services.

A version of Quasar RAT modified to steal financial credentials

When it comes to espionage campaigns, the group turns to Trojans like njRAT. Modified versions of this malware allow them to capture sensitive information from their victims through keylogging and application monitoring. Additionally, the RAT exfiltrates system information and screenshots to C2 servers and can create RDP sessions or even install additional plugins. In one of the recent campaigns we have detected, the group modified this RAT to add the capability to install plugins sent from the C2 in the form of .NET assemblies or other binary files.

Improving flight precision

The group has always been known for using simple yet highly effective tactics and techniques: straightforward phishing, basic encoding and obfuscation methods, and the use of publicly available malware. However, during the latest campaigns, we have observed changes in the group’s techniques, reinforcing the idea of “adapt or perish”.

In May this year, for instance, the group conducted a new espionage campaign targeting Colombia. During this operation, BlindEagle employed an infection process featuring artifacts with strings and variable names entirely in Portuguese (instead of Spanish they had predominantly used before) and utilized Brazilian image hosting sites. Although not definitive, these elements could hint at the involvement of third parties with the group, either through collaboration or outsourcing to increase their attack capacity.

More recently, in June, we observed an espionage campaign that also targeted Colombia in which the group introduced a new technique into their arsenal. The campaign followed all the group’s usual TTPs, but this time, added a DLL sideloading twist and a new modular malware loader dubbed “HijackLoader”.

The attack was initiated through phishing emails impersonating Colombia’s judicial institutions and containing malicious PDF or DOCX files masquerading as a demand notice or a court summons. The victims were tricked into opening the attached files and clicking embedded links to download fictitious lawsuit documents, allegedly to resolve the previously mentioned legal issues. These documents were actual legitimate executable files signed by ASUS or IObit. They invoked malicious DLLs through sideloading, ultimately executing a version of HijackLoader that injected the spy RAT: in this case, AsyncRAT.

Victims

Since its inception, BlindEagle has been conducting persistent campaigns targeting entities and individuals, particularly in Colombia and other Latin American, countries such as Ecuador, Chile and Panama.

In the espionage campaigns we observed in May and June this year, the group primarily targeted individuals and organizations in Colombia, which accounted for 87% of the detected victims. These attacks involved entities across various sectors, notably government, education, health and transportation.

Tactics, techniques and procedures (TTPs)

Although the group’s toolset varies greatly, as do their goals, they employ a range of tactics, techniques, and procedures that are consistently used across their various campaigns. Below are some key TTPs that frequently recur:

• Phishing impersonating governmental entities as the spreading method. In some campaigns, particularly those involving financial attacks, the group impersonates banking institutions.
• Attached PDFs and DOCX files containing embedded links.
• URL shortener services employed for geolocation filtering.
• Dynamic DNS services utilized for resolving the addresses of servers hosting the group’s malicious artifacts.
• Public infrastructure used to host some of the malicious artifacts (image hosting services, pastebin sites, GitHub repositories and the Discord CDN, among others).
• Process hollowing applied for injecting malicious code into legitimate processes during intermediate stages of the attack.
• VBS scripts and .NET assemblies employed as intermediate artifacts.
• Open-source RATs used as the final payload in the attack.

Conclusions

As simple as BlindEagle’s techniques and procedures may appear, their effectiveness allows the group to sustain a high level of activity. By consistently executing cyber-espionage and financial credential theft campaigns, BlindEagle remains a significant threat in the region.

Additionally, the group is exploring alternative strategies within their infection processes and adding new techniques to their arsenal to sustain their operations and maintain their impact. BlindEagle continues to fly high, and we will maintain vigilant monitoring of their activity.

securelist.com/blindeagle-apt/…

We don’t know how you feel when designing hardware, but we get uncomfortable at the extremes. High voltage or current, low noise figures, or extreme frequencies make us nervous. [Orion Serup] from CrabLabs has been turning up a few of those variables and has created a fairly beefy 3-phase motor driver using GaN technology that can operate up to 80V at 70A. GaN semiconductors are a newer technology that enables greater power handling in smaller packages than seems possible, thanks to high electron mobility and thermal conductivity in the material compared to silicon.

The KiCAD schematic shows a typical high-power driver configuration, broken down into a gate pre-driver, the driver itself, and the following current and voltage sense sub-circuits. As is typical with high-power drivers, these operate in a half-bridge configuration with identical N-channel GaN transistors (specifically part EPC2361) driven by dedicated gate drivers (that’s the pre-driver bit) to feed enough current into the device to enable it to switch quickly and reliably.

The design uses the LM1025 low-side driver chip for this task, as you’d be hard-pushed to drive a GaN transistor with discrete components! You may be surprised that the half-bridge driver uses a pair of N-channel devices, not a symmetric P and N arrangement, as you might use to drive a low-power DC motor. This is simply because, at these power levels, P-channel devices are a rarity.

Why are P-channel devices rare? N-channel devices utilise electrons as the majority charge carrier, but P-channel devices utilise holes, and the mobility of holes in GaN is very low compared to that of electrons, resulting in much worse ON-resistance in a P-channel and, as a consequence, limited performance. That’s why you rarely see P-channel devices in a circuit like this.

Of course, schematic details are only part of the problem. High-power design at the PCB level also requires careful consideration. As seen from the project images, this involves heavy, thick copper traces on two or more heavily via-stitched layers to maximise copper volume and lower resistance as far as possible. But, you can overdo this and end up with too much inductance in critical areas, quickly killing many high-power devices. Another vital area is the footprint design for the GaN device and how it connects to the rest of the circuit. Get this wrong or mess up the soldering, and you can quickly end up with a much worse performance!

We’ve seen DIY high-power controllers here a few times. Here’s an EV controller that uses discrete power modules. Another design we saw a few years ago drives IGBTs for a power output of 90kW.

Secondo MTS RED, nella prima metà del 2024, il numero di attacchi informatici critici contro le organizzazioni mediche è aumentato del 32% rispetto allo scorso anno. Tali incidenti minacciano di far trapelare i dati dei pazienti, distruggere le infrastrutture e interrompere i servizi medici.

L’azienda ha affermato che non solo è aumentato il numero degli attacchi, ma è aumentata anche la loro quota nel volume totale degli incidenti legati alla sicurezza informatica. Se nella prima metà dello scorso anno era circa il 6%, dall’inizio del 2024 è già quasi al 19%. Questa tendenza è particolarmente evidente dato che il numero totale di attacchi contro le organizzazioni mediche durante questo periodo è aumentato di non più del 10%.

Stanno anche emergendo delle cyber-gang specializzate nella violazione delle organizzazioni sanitarie, come RansomCortex, intervistata recentemente da Red Hot Cyber.

All’inizio del 2024, gli analisti di MTS RED hanno notato un aumento degli attacchi hacker alle strutture delle infrastrutture critiche informative (CII) in Russia. Circa il 69% di tutti gli attacchi erano diretti contro organizzazioni provenienti da aree legate alla CII. Tra questi, il settore sanitario è al secondo posto per frequenza di attacchi, secondo solo all’industria.

Il ritmo delle minacce informatiche alla medicina e all’assistenza sanitaria continua a crescere rapidamente. Nel secondo trimestre, MTS RED ha registrato il 65% in più di attacchi contro le organizzazioni sanitarie rispetto al primo. Nei mesi di maggio e giugno il numero degli attacchi ha superato di 2-2,5 volte la media mensile di inizio anno.

MTS RED ha spiegato che il settore sanitario è diventato un nuovo bersaglio per gli hacker per diversi motivi.

• In primo luogo, si tratta di un settore abbastanza digitalizzato, in cui viene elaborata una grande quantità di dati personali e riservati, la cui fuga può causare una grande risonanza.
• l’assistenza sanitaria è un ramo dell’infrastruttura informatica critica; la continuità del suo funzionamento è di grande importanza per i cittadini del Paese. Un attacco riuscito a un’organizzazione medica porterà inevitabilmente a conseguenze significative.
• Un altro motivo è il basso livello di maturità della sicurezza informatica del settore significa che gli hacker non necessitano di grandi investimenti finanziari o di risorse per sferrare un attacco serio.

Gli incidenti più comuni sono i tentativi di aggirare le misure di sicurezza, che rappresentano il 36% di tutti gli attacchi.

Al secondo posto ci sono gli attacchi di rete e l’iniezione di malware, ciascuna di queste categorie rappresenta circa un quarto di tutti gli attacchi. Nel 5% degli incidenti sono state registrate violazioni delle politiche di sicurezza delle informazioni e azioni illegittime degli amministratori dei sistemi informativi.

L'articolo Gli attacchi al settore sanitario sono in aumento. +32% rispetto all’anno precedente proviene da il blog della sicurezza informatica.

I criminali informatici hanno preso il controllo di oltre 35.000 domini registrati utilizzando un attacco chiamato dai ricercatori “Sitting Ducks” . Questo metodo consente agli aggressori di prendere il controllo dei domini senza accedere al provider DNS o all’account del registrar del proprietario.

Nell’attacco di Sitting Ducks i criminali informatici sfruttano difetti di configurazione a livello di registrar e un’insufficiente verifica della proprietà presso i provider DNS. I ricercatori di Infoblox ed Eclypsium hanno scoperto che ogni giorno più di un milione di domini possono essere violati utilizzando questo attacco.

Numerosi gruppi di criminali informatici utilizzano questo metodo da diversi anni per inviare spam, truffe, diffondere malware, phishing e furto di dati. Il problema è stato documentato per la prima volta nel 2016 da Matthew Bryant, un ingegnere della sicurezza di Snap.

Perché un attacco abbia successo devono essere soddisfatte diverse condizioni: il dominio deve utilizzare o delegare i servizi DNS autoritativi a un provider diverso dal registrar; un server DNS autorevole non dovrebbe essere in grado di risolvere le query; Il provider DNS dovrebbe consentirti di rivendicare i diritti su un dominio senza verificarne la proprietà.

Se queste condizioni vengono soddisfatte, gli aggressori possono impossessarsi del dominio. Le varianti dell’attacco includono la delega parzialmente errata e il reindirizzamento a un altro provider DNS. Se i servizi DNS o l’hosting web per un dominio di destinazione scadono, un utente malintenzionato può rivendicare la proprietà del dominio creando un account presso il provider DNS.

Infoblox ed Eclypsium hanno osservato numerosi casi di sfruttamento di Sitting Ducks dal 2018 e 2019. Durante questo periodo sono stati registrati più di 35.000 casi di dirottamento di domini utilizzando questo metodo. In genere, i criminali informatici detenevano i domini per un breve periodo, ma in alcuni casi i domini rimanevano sotto il controllo degli aggressori fino a un anno.

L'articolo Attacco Sitting Ducks: 35.000 Domini Compromessi dai Cybercriminali proviene da il blog della sicurezza informatica.

Quello che stiamo per raccontarvi è qualcosa di inquietante, che risulta una ennesima deriva dell’intelligenza artificiale generativa e delle regolamentazioni ancora assenti sulle quali occorre lavorare.

Il Regno Unito ha dovuto affrontare un incidente inquietante in cui una famiglia è finita in ospedale dopo aver consumato funghi velenosi raccolti seguendo le raccomandazioni contenute in un libro acquistato da un’importante piattaforma online.

Questo libro di identificazione dei funghi, destinato ai principianti, è stato generato utilizzando l’intelligenza artificiale e conteneva errori che potevano portare a conseguenze tragiche.

Il libro, con un titolo simile a Mushrooms UK: A Guide to Harvesting Safe and Edible Mushrooms, è stato regalato al compleanno di un capofamiglia. Tuttavia, dopo che tutti i membri della famiglia hanno manifestato sintomi di grave avvelenamento, è diventato chiaro che il libro conteneva informazioni errate. Dopo un’analisi più attenta, si è scoperto che le immagini dei funghi nel libro erano state generate dall’intelligenza artificiale e che il testo conteneva incongruenze e frasi senza senso.

Il caso ha portato l’attenzione del pubblico una questione più ampia: la proliferazione di libri scritti dall’intelligenza artificiale su piattaforme come Amazon. Gli esperti avvertono che tali libri possono essere pericolosi poiché contengono errori che potrebbero costare vite umane. Ad esempio, alcuni consigliano di utilizzare l’olfatto o il gusto per identificare i funghi, un metodo che può essere fatale. Oltre a ciò, è stato rivelato che molti di questi libri scritti dalle AI, i loro autori reali spesso non sono disponibili per essere contattati.

Amazon ha già ritirato dalla vendita questo particolare libro e ha dichiarato il proprio impegno per la sicurezza degli utenti. Tuttavia, il problema rimane: sulla piattaforma si possono ancora trovare molti libri simili, il che continua a rappresentare una minaccia per gli acquirenti disinformati.

Questo caso evidenzia l’importanza di selezionare attentamente le fonti di informazione, soprattutto in aree critiche come la raccolta dei funghi. Errori in tali libri possono avere gravi conseguenze, sollevando interrogativi sulla necessità di una regolamentazione più rigorosa dei contenuti generati dall’intelligenza artificiale.

L'articolo Guida Mortale! Un libro scritto da una AI mette a rischio la vita dei lettori proviene da il blog della sicurezza informatica.

The City of Prague has cancelled plans to award a contract to PORR for the construction of the Nová Palmovka building, which is to become the new headquarters of the EU's space agency.

euractiv.com/section/politics/…