How the Lost Mystery Pigment ‘Maya Blue’ Got Recreated
A distinct blue pigment reminiscent of turquoise or a clear sky was used by the ancient Maya to paint pottery, sculptures, clothing, murals, jewelry, and even human sacrifices. What makes it so interesting is not only its rich palette — ranging from bright turquoise to a dark greenish blue — but also its remarkable durability. Only a small number of blue pigments were created by ancient civilizations, and even among those Maya blue is unique. The secret of its creation was thought to be lost, until ceramicist and artist [Luis May Ku] rediscovered it.
Maya blue is not just a dye, nor a ground-up mineral like lapis lazuli. It is an unusual and highly durable organic-inorganic hybrid; the result of a complex chemical process that involves two colorants. Here is how it is made: Indigotin is a dye extracted from ch’oj, the Mayan name for a specific indigenous indigo plant. That extract is combined with a very specific type of clay. Heating the mixture in an oven both stabilizes it and produces a second colorant: dehydroindigo. Together, this creates Maya blue.
Luis May Ku posing with Maya blue.
The road to rediscovery was not a simple one. While the chemical makeup and particulars of Maya blue had been known for decades, working out the nuts and bolts of actually making it, not to mention sourcing the correct materials and determining the correct techniques, was a long road. [May] made progress by piecing together invaluable ancestral knowledge and finally cracked the code after a lot of time, effort, and experimentation. He remembers the moment of watching a batch shift in color from a soft blue to a vibrant turquoise, and knew he had finally done it.
Before synthetic blue pigments arrived on the scene after the industrial revolution, blue was rare and highly valuable in Europe. The Spanish exploitation of the New World included controlling Maya blue until synthetic blue colorants arrived on the scene, after which Maya blue faded from common knowledge. [May]’s rediscovered formula marks the first time the world has seen genuine Maya blue made using its original formula and methods in almost two hundred years.
Maya blue is a technological wonder of the ancient world, and its rediscovery demonstrates the resilience and scientific value of ancestral knowledge as well as the ingenuity of those dedicated to reviving lost arts.
We’re reminded that paints and coatings have long been fertile ground for experimentation, and as an example we’ve seen the success people had in re-creating an ultra-white paint that actually has a passive cooling effect.
Behold a Geared, Continuously Variable Transmission
When it comes to transmissions, a geared continuously-variable transmission (CVT) is a bit of a holy grail. CVTs allow smooth on-the-fly adjustment of gear ratios to maintain a target speed or power requirement, but sacrifice transmission efficiency in the process. Geared transmissions are more efficient, but shift gear ratios only in discrete steps. A geared CVT would hit all the bases, but most CVTs are belt drives. What would a geared one even look like? No need to wonder, you can see one for yourself. Don’t miss the two videos embedded below the page break.
The outer ring is the input, the inner ring is the output, and the three little gears with dots take turns transferring power.
The design is called the RatioZero and it’s reminiscent of a planetary gearbox, but with some changes. Here’s how the most visible part works: the outer ring is the input and the inner ring is the output. The three small gears inside the inner ring work a bit like relay runners in that each one takes a turn transferring power before “handing off” to the next. The end result is a smooth, stepless adjustment of gear ratios with the best of both worlds. Toothed gears maximize transmission efficiency while the continuously-variable gear ratio allows maximizing engine efficiency.
There are plenty of animations of how the system works but we think the clearest demonstration comes from [driving 4 answers] with a video of a prototype, which is embedded below. It’s a great video, and the demo begins at 8:54 if you want to skip straight to that part.
One may think motors and gearboxes are a solved problem since they have been around for so long, but the opportunities to improve are ongoing and numerous. Even EV motors have a lot of room for improvement, chief among them being breaking up with rare earth elements while maintaining performance and efficiency.
youtube.com/embed/vc9o-O1n81E?…
youtube.com/embed/mWJHI7UHuys?…
tldr-pages Keeps it Short, Wherever You Need It
Let’s face it, even the most accomplished console cowboy can’t keep everything memorized. Sure, you might know all the important arguments for a daily-use tool like tar or ls, but what about the commands you don’t use that often? For that matter, even if you do use tar every day, we bet you don’t know all of the options it supports.
Built-in documentation or the man pages are of course a huge help, but they are dense resources. Sometimes what you really need is to see just a few key examples. When that happens, check out the tldr-pages project and its array of front-ends. Whether you’re working remotely on an embedded gadget, or have the luxury of a full desktop OS and browser, the project offers a way to get the help you need as quickly as possible.
The idea behind the project is that you can provide the command or tool you want to know more about, and instantly see a list of common options it takes. You’ll also be provided a realistic example for each one, which can often help make things “click” when you’re looking at a particularly obtuse utilization.
If you’re working on a box that has Python, getting access to the database of commands and examples is as simple as running pip3 install tldr and giving it a command you want to learn more about:
There’s also a very slick browser client which can be installed as a progressive web app (PWA) for off-line use. You can even embed it into your own web pages, like so:
tldr.inbrowser.app/pages/commo…
If none of that tickles your fancy, the entire database is offered up as a PDF for your local perusal — don’t worry, it only clocks in at around 6 MB.
No matter how you access it, tldr-pages offers up a wealth of practical command line knowledge. Whether you’re looking to hone your terminal skills, or perhaps want to submit your own examples for the benefit of the community, this is definitely a project to keep in mind.
Thanks to [abrakadabra] for the tip.
Hacker Tools, Hacked Tools
We just love a good DIY tool project, and more so when it’s something that we can actually use cobbled together from stuff in our closet, or hacked out of cheap “toys”. This week we saw both a superb Pi Pico-based logic analyzer and yet another software frontend for the RTL-SDR dongle, and they both had us thinking of how good we have it.
If you don’t already have a logic analyzer, or if you have one of those super-cheap 8-channel jobbies, it might be worth your while to check out the Pico firmware simply because it gets you 24 channels, which is more than you’ll ever need. At the low price of $4, maybe a little more if you need to add level shifters to the circuit to allow for 5 V inputs, you could do a lot worse for less than the price of a fancy sweet coffee beverage.
And the RTL dongle; don’t get us started on this marvel of radio hacking. If you vaguely have interest in RF, it’s the most amazing bargain, and ever-improving software just keeps adding functionality. The post above adds HTML5 support for the RTL-SDR, allowing you to drive it with code you host on a web page, which makes the entire experience not only cheap, but painless. Talk about a gateway drug! If you don’t have an RTL-SDR, just go out and buy one. Trust me.
What both of these hacker tools have in common, of course, is good support by a bunch of free and open software that makes them do what they do. This software enables a very simple piece of hardware to carry out what used to be high-end lab equipment functions, for almost nothing. This has an amazing democratizing effect, and paves the way for the next generation of projects and hackers. I can’t think of a better way to spend $20.
This article is part of the Hackaday.com newsletter, delivered every seven days for each of the last 200+ weeks. It also includes our favorite articles from the last seven days that you can see on the web version of the newsletter. Want this type of article to hit your inbox every Friday morning? You should sign up!
A Self Balancing Bike for Crash Dummy Billy
We aren’t sure there’s enough information in the [We Make Machines’] video to easily copy their self-balancing bike project, but if you want to do something similar, you can learn a lot from watching the video. Building sufficient gyros to keep the bike stable required quite a bit of trial and error.
There are some tricks to getting a stable heavy weight to rotate without a lot of vibration and problems. The gyros go on the rider’s saddle, so you aren’t going to be able to ride in the normal fashion. However, a substantial motor drives the wheels so there’s no need to pedal.
The first attempt to self-balance stayed stable for about 10 seconds. Some of it was fine-tuning code, but noise from the gyros also threw off the angle sensor. A higher-quality sensor seemed promising, but it didn’t really fix the problem. Instead of using PID, the guys tried an LQR (Linear Quadratic Regulator) algorithm. Once that was sorted and a servo allowed for steering, it was time to let the bike roam free.
Then disaster struck as the bike lost its cool in a parking lot, causing damage. After repairs, they found issues that confused the angle sensor. They didn’t have the stomach to fit a third sensor onboard, so they put Billy the Crash Dummy onboard and decided to try to run him and the bike off a ramp. That didn’t exactly work out, though. After two attempts, the bike was effectively totaled, although Billy seems to have survived with no more than a bruised ego.
We were dismayed that they didn’t really complete the project, but it does seem like they learned a lot, and maybe that will help someone else out in the future.
We have seen working bikes before. We also have seen some truly strange bike projects.
youtube.com/embed/qzF4t6Ysp_4?…
Personal Traffic Light Stops Them In Their Tracks
Working from home can be pretty cool, but if you’re not the only one in the house trying to do it, the whole situation can feel like you’re right back in the office with all those walking, talking distractions. Except they’re in pajamas instead of business casual.
So, what’s the answer? Many times it’s not practical to stop what you’re doing, especially just to communicate that you’re busy. We suppose you could glare at them, put up your hand, or even give a dismissive wave, but a better solution might be this mood signal built by [gokux].
Through a simple web app, you can be red to indicate that you’re super busy, yellow to mean busy-ish, and green for let’s gossip about the cats.
This mood indicator is built on the Seeed Xiao ESP32-C3 and shows the given mood indicator on a small matrix of sixteen WS2812B LEDs. It’s powered by a 600 mAh, 3.7 V battery and a small push button switch. As usual, [gokux] has grade-A instructions for building your own version of this slick solution.
Would you like something more tactile and low-tech? Check out our own [Bob Baddeley]’s free/busy indicator from the lockdown days.
Origami-Inspired, Self-locking Structures With 3D Printing
Researchers recently shared details on creating foldable, self-locking structures by using multi-material 3D printing. These origami-inspired designs can transition between flat and three-dimensional forms, locking into place without needing external support or fasteners.
The 3D structure of origami-inspired designs comes from mountain and valley fold lines in a flat material. Origami designs classically assume a material of zero thickness. Paper is fine, but as the material gets thicker things get less cooperative. This technique helps avoid such problems.
An example of a load-bearing thick-film structure.
The research focuses on creating so-called “thick-panel origami” that wraps rigid panels in a softer, flexible material like TPU. This creates a soft hinge point between panels that has some compliance and elasticity, shifting the mechanics of the folds away from the panels themselves. These hinge areas can also be biased in different ways, depending on how they are made. For example, putting the material further to one side or the other will mechanically bias that hinge to fold into either a mountain, or a valley.
Thick-panel origami made in this way paves the way towards self-locking structures. The research paper describes several different load-bearing designs made by folding sheets and adding small rigid pieces (which are themselves 3D printed) to act as latches or stoppers. There are plenty of examples, so give them a peek and see if you get any ideas.
We recently saw a breakdown of what does (and doesn’t) stick to what when it comes to 3D printing, which seems worth keeping in mind if one wishes to do some of their own thick-panel experiments. Being able to produce a multi-material object as a single piece highlights the potential for 3D printing to create complex and functional structures that don’t need separate assembly. Especially since printing a flat structure that can transform into a 3D shape is significantly more efficient than printing the finished 3D shape.
Walkie Talkies, Jedi Style: Building a Communicator
Playing Star Wars Outlaws sparked an idea with [3DSage]: why not recreate the game’s wrist communicator as a functioning gadget? Inspired by the relatively simplistic design, he and his friend Ben set out to build their own device to take to Galaxy’s Edge in Disneyland. Armed with an arsenal of tools—3D printers, CNC machines, and soldering irons—he aimed to turn imagination into reality.
After ordering multiple walkie-talkies, they meticulously tested each one for audio quality, circuit board size, and compatibility with custom components. The ‘world’s tiniest walkie-talkie’ had potential but demanded creative modifications, including disassembling and resoldering components. They crafted their own circuit board and designed a 3D printed housing to fit both electronics and style. For the finishing touch, they weathered the device with paints and even glow-in-the-dark accents, making it authentic to the Star Wars universe. Even Chewbacca himself gave one a thumbs-up!
Weathering goes a long way towards creating a convincing prop — it can turn a bundle of pipes and some foam blocks into a movie-ready WWII machine gun.
youtube.com/embed/Jv44pDHvL1Y?…
Flashy Paper Christmas Tree Does It With a 555
‘Tis the season for holiday hacks, and [Ben Emmett] is here to remind us that we don’t necessarily need a fancy microcontroller in order to make flashy fun things happen.
Smoothing down the copper traces with a guitar pick.
Take this Christmas tree for example, which uses a 555 timer and a CD4017 decade counter in order to drive some blinking LEDs. The ICs are through-hole, making the circuit fairly accessible to new players, but there are a few SMD components that need soldering as well. (More on that later.)
Here, the 555 acts like a clock and drives a square wave. Using the clock as input, the decade counter toggles the output pins one after the other, driving the LEDs to blink in turn. Since there are only eight lights, there is a pause in the light-up pattern, but that could be fixed by wiring decade counter output #9 to the reset pin.
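The following simulation is an added example, not [Ben Emmett]’s code, showing why the eight-LED chain pauses and how feeding an output back to the counter’s reset removes the pause. It assumes the standard 4017 naming (outputs Q0..Q9, exactly one high, advancing on each clock edge from the 555, plus an active-high master reset) and that the eight LEDs hang on Q0..Q7; the reset is modelled as asynchronous, which is why the output wired back to reset never visibly lights.

```python
"""Model of a 4017 decade counter clocked by a 555, driving eight LEDs.

Added example (not from the original project). Assumes outputs Q0..Q9,
LEDs on Q0..Q7, and an asynchronous active-high master reset (MR).
"""


class Cd4017:
    def __init__(self, reset_from=None):
        # reset_from: index of the output wired back to MR, or None for no wiring
        self.state = 0
        self.reset_from = reset_from

    def outputs(self):
        """Logic level of Q0..Q9: only the current state's output is high."""
        return [int(i == self.state) for i in range(10)]

    def clock(self):
        """One rising edge from the 555 advances the count. MR is asynchronous:
        the moment the output wired to it goes high, the counter returns to 0,
        so that state is far too brief to light an LED."""
        self.state = (self.state + 1) % 10
        if self.reset_from is not None and self.state == self.reset_from:
            self.state = 0


def lit_led(counter, leds=8):
    """Index of the lit LED, or None while the counter sits on an unused output."""
    return counter.state if counter.state < leds else None


def run(ticks, reset_from=None, leds=8):
    """Which LED is lit after each of `ticks` clock periods (first entry is power-on)."""
    counter = Cd4017(reset_from)
    sequence = [lit_led(counter, leds)]
    for _ in range(ticks - 1):
        counter.clock()
        sequence.append(lit_led(counter, leds))
    return sequence


if __name__ == "__main__":
    print("as built     :", run(12))            # two dark ticks per cycle
    print("Q8 wired to MR:", run(12, reset_from=8))  # eight-step cycle, no gap
```

With no reset wiring the pattern is ten clock periods long, two of them with every LED dark; wiring the ninth output (Q8) to reset makes the cycle exactly eight periods, so the chase repeats without a gap.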
Although function was the main focus circuit-wise, [Ben] managed to lay the traces in the shape of a Christmas tree, which looks great. Having done a similar project in the past, he discovered that the craft cutting machine prefers thick traces and wider spaces between them. This is largely why [Ben] chose to use through-hole ICs.
After laying everything out in KiCad, [Ben] exported the copper layer image for use on the cutting machine. Once it was all cut out, he put it on transfer tape to weed out the extra copper, and get the traces onto cardstock, the final substrate.
This is such a fun project, and we love that the CR2032 that powers it also acts as the stand in its vertical holder. Hit up GitHub if you want to make one for yourself. Want something even more 3D? Check out this hollow tree we saw a few years ago.
Apple Newton Gets Rebuilt Battery Pack
We all carry touch screen computers around in our pockets these days, but before the smartphone revolution, there was the personal digital assistant (PDA). While it wasn’t a commercial success, one of the first devices in this category was the Apple Newton. Today they’re sought after by collectors, although most of the ones surviving to this day need a bit of rework to the battery pack. Luckily, as [Robert’s Retro] shows, it’s possible to rebuild the pack with modern cells.
By modern standards, the most surprising thing about these battery packs is both that they’re removable and that they’re a standard size, matching that of AA batteries. The Newton battery pack uses four cells, so replacing them with modern rechargeable AA batteries should be pretty straightforward, provided they can be accessed. This isn’t as easy, though. In true Apple fashion the case is glued shut, and prying it apart can damage it badly enough so it won’t fit back in the tablet after repair is complete. The current solution is to cut a hatch into the top instead and then slowly work on replacing the cells while being careful to preserve the electronics inside.
[Robert’s Retro] also demonstrates how to spot weld these new AA batteries together to prepare them for their new home in the Newton case. With the two rows fastened together with nickel strips they can be quickly attached to the existing electrical leads in the battery pack, and from there it’s just a matter of snapping the batteries into the case and sliding it back into the tablet. If you’re looking for something a bit more modern, though, we’d recommend this Apple tablet-laptop combo, but it’s not particularly easy on the wallet.
youtube.com/embed/wfXbp1AO4tk?…
The Stern-Gerlach Experiment Misunderstood
Two guys — Stern and Gerlach — did an experiment in 1922. They wanted to measure magnetism caused by electron orbits. At the time, they didn’t know about particles having angular momentum due to spin. So — as explained by [The Science Asylum] in the video below — they clearly showed quantum spin, they just didn’t know it and Physics didn’t catch on for many years.
The experiment was fairly simple. They heated a piece of silver foil so that atoms streamed out through a tiny pinhole. Silver was chosen because it is a simple material with a single electron in its outer shell. An external magnet then deflects each silver atom to a different position before it hits some film, and that position depends on the atom’s magnetic field.
If electrons randomly flew around the nucleus like a cloud, you’d expect a cloudy line on the film. If the electrons had a fixed number of possible electron orbits, the film would show a series of points. In the end, the result was a big surprise — it was neither of the expected patterns. Instead, they got something shaped like the outline of some lips.
They realized that the horizontal deflection occurred even without the magnet, so what looked like two lines were really two points, and that implies that the electrons must be in one of two positions. However, the truth is more complicated.
In fact, Schrödinger’s equations appeared later and shed more light on how the electrons could orbit. It also seemed to imply that the earlier experiment should have been a single spot on the film. The answer turned out to be quantum spin.
According to the video, this was a lucky mistake. The experiment was perfect for measuring quantum spin, but it was unlikely that anyone would have thought to perform it for that purpose. By trying to prove one thing, they had actually proved another thing that no one understood yet. Science is strange and wonderful.
Spin is a big deal in many quantum computers. If you need a refresher on electron orbitals, it is a topic we cover periodically.
youtube.com/embed/vRI1fCOQ0GA?…
Hack On Self: How’d My Day Go?
Humans are well overdue for a technological revolution – not a profit-driven one like we’re having now, but a human-centric one. Sci-fi is wonderful for letting your brain run wild. Over the last century, writers have tried to imagine what the world would look like if a new technology were to address different aspects of the human condition, or, for a change, work to undercut us all in yet unseen ways.
Quite a few leading HaD projects have clear sci-fi inspiration, too, and same goes for a large number of Hackaday Prize entries. Over here, we live for fantasy made reality through skill, wit, and insights.
Ever had a sci-fi-esque dream that you’ve tried to implement with modern-day tech, only to fail because something fundamental was missing about how your phone/laptop/smartwatch functions? You’re not alone here, for sure – this describes a large chunk of my tech journey. In real life, you work with audience-tailored devices, the few fun use cases pre-cooked into the hardware-firmware blob.
Still, how much can you build on top of a consumer device? Alternative OSes that liberate you from the trend of enshittification, for instance – that one’s brilliant and a lifeline for preserving one’s sanity. Alternative platforms that bring a reprieve from a modern combative and ad-filled social media environment, sure. Still, it feels limited.
How about diary keeping? Personal diaries are really rad, aren’t they? Surely, that one’s a low-hanging fruit?
Betteridge’s Law Breaking
The first “hack on self”-like app I’ve ever built was a parser/UI for our local public transport company’s schedules – letting me know when to run for a bus stop. I wanted to reduce resistance, and eventually even integrate it into a portable device of some sort. I did bring that to a phone of mine, with the help of the Python SDK for Symbian S60, a wonderful if slightly limited framework.
The next app of mine was a diary, encrypted with Blowfish, because that’s what I found a pure Python implementation of. I always tried keeping a diary, in a number of different paper forms, and I always failed in the end. The app, though, was fun, just secure enough to avoid relying on obscurity, and it worked great – for two weeks! It was pretty easy for me to forget about its existence, and every time I wanted to log something, I’d need to log in. Sounds easy? Yeah. In retrospect, I would’ve added a diary entry function before the decryption prompt, because even that small a delay backfired.
There’s a somberly fun saying, that with ADHD, a TODO list or a project can last at most two weeks. The diary is where I’ve really felt that one. Here I was, just having touched base with the dream of keeping a diary, and now it’s gone? How does that even work? How is it that I’m out of juice for it, somehow, why is it that opening the diary to make notes was fun two weeks ago, but is a chore today?
No worries, though, the sadness didn’t last long, I avoided learning too much in the moment, and immediately found something else to hack on. Every time I heard about journaling, keeping a diary, an archive, it felt fun, but also a fair bit more unreachable than before. I still wanted it, and, I’ve had my share of sadness to process through.
Or Did I?
Of course, if you’ve failed at building something, one way of processing the resulting sadness is to get distracted by other projects until you’re interested in the goal again, try and remember your mistakes, wait for the perfect conditions, and then build a new system that avoids those mistakes as you remember them.
Now, memories are fuzzy and malleable, so the “lessons from years ago” could be outright false, attention is hard to predict so it could take years to resume a project, and you’d want to reach for some actual insights, but whoops, you’d want some sort of diary to look back at, the whole thing is a chicken-and-egg problem yet again.
We don’t let that get in the way – we just build new stuff, and on average, it magically turns out to be better, because we’re building it differently this time. Really, just how many times can you try the same thing and fail? This time, it will be different! Seriously, it’s been days/months/years, how could it be the same? Keep pulling the lever of the one-armed bandit that is project enthusiasm, and see if you win the lottery and transform an aspect of your life for the better.
By that point, I had a few points of change filed away. I wanted some sort of daily notifications that’d motivate me to stick with it longer than two weeks, for sure. I also wanted to reduce resistance towards making entries – no more passphrase entry before logging, no more need for decryption. At the time, I spent 24/7 with my laptop on me, so that’s the low-resistance platform sorted out. Make it an Alt-Tab away, add regular notifications – it should be easy this time.
Tale Of Two Scripts
I recalled one thing – the diary logs were accessible as long as I could remember the password, sure, and at the same time, I was rarely interested in re-reading them. Things changed, because I got a new question, trying to piece together a narrative about myself. How’d my days actually go? Could I draw trends of happiness, productivity, energy, excitement?
This time, I wrote a couple of commandline apps with very simple text interfaces. The very first one, poc_1.py for proof-of-concept 1, used a non-dismissable notification service to poke me once every 24 hours, every morning, asking a very simple question – “how do you feel?”. Wake up, alt-tab into the commandline window, write in how I’m feeling as a baseline, then get up and go about my day.
Really, I wanted my computer to care about me, because it felt like the only entity that possibly would and really could, even, had the energy to. It can be hard to untangle a brain’s inner workings, even though stars know we all try, and my country isn’t known for having quality therapists that are easy to find. So, my computer it is – non-judgmental by nature, giving me space to talk, space of the kind I lacked everywhere else.
The next two poc_N.py scripts were about logging achievements and problems respectively, into the same logfile used by poc_1.py. 10 minutes after I wrote both of them, I realized that they were a carbon copy of each other, and united them into poc_4.py – a script tailored for me to quickly log any sort of event into a commandline window at a whim.
The aim was very simple – let a stream of thoughts flow as quickly as possible. Type up your thoughts or an event, enter, type another, enter. One letter in the beginning to indicate event type, for rudimentary categorization – the script will remind you if you forget to input it, too. Primarily, I wanted to use it to log my day-to-day achievements and problems alike, but also general thoughts and feelings I wanted to let out.
"day_reflection": "it's been productive. Currently, I feel indifferent, to be honest. [...]"}
What Happened?
Two scripts: one asks me every morning how I’m feeling, and the other is a place I can put any sort of thought at any point. I wanted to capture how my day went, and how I feel about the previous day. It was also pretty easy to read through the logs, or parse them – my “linebreak-separated json” strategy remains undefeated.
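As an added illustration of the two-script setup and the linebreak-separated JSON log (this is my own example code, not the poc_1.py/poc_4.py scripts from the article): one function logs a prefixed event such as `a finished the parser` and nags when the type letter is missing, entries are appended one JSON object per line, and the morning prompt reads back yesterday’s entries from the same file. The one-letter codes, field names and file name are assumptions made for this example.

```python
"""Linebreak-separated JSON diary log with typed quick-entry events.

Added example in the spirit of the poc scripts described above; not the
author's code. Event-type letters, field names and the log file name are
assumptions for this example.
"""
import json
import sys
from datetime import date, datetime, timedelta

# One-letter prefixes for rudimentary categorisation (assumed set).
EVENT_TYPES = {"a": "achievement", "p": "problem", "t": "thought", "r": "day_reflection"}


def parse_input(line: str):
    """'a finished the parser' -> ('achievement', 'finished the parser').
    Returns None when the type letter is missing so the caller can remind the user."""
    line = line.strip()
    if len(line) < 3 or line[0] not in EVENT_TYPES or not line[1].isspace():
        return None
    return EVENT_TYPES[line[0]], line[1:].strip()


def make_entry(kind: str, text: str, ts: str) -> dict:
    """ts is an ISO-8601 timestamp such as '2024-12-12T21:05:00'."""
    return {"ts": ts, "type": kind, "text": text}


def serialize(entry: dict) -> str:
    """One JSON object per line; ensure_ascii=False keeps non-Latin text readable."""
    return json.dumps(entry, ensure_ascii=False)


def append_entry(path: str, entry: dict) -> None:
    # Appending never rewrites earlier lines, so an interrupted write can at
    # worst leave one truncated last line, which parse_log skips.
    with open(path, "a", encoding="utf-8") as f:
        f.write(serialize(entry) + "\n")


def parse_log(text: str) -> list:
    """Parse linebreak-separated JSON, tolerating blank and truncated lines."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            entries.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a half-written line from an interrupted append
    return entries


def entries_for_day(entries: list, day: str) -> list:
    """Entries whose timestamp starts with the given YYYY-MM-DD."""
    return [e for e in entries if e.get("ts", "")[:10] == day]


def morning_summary(log_text: str, yesterday: str) -> str:
    """What the morning 'how do you feel?' prompt shows alongside: yesterday's log."""
    lines = [f"{e['type']}: {e['text']}" for e in entries_for_day(parse_log(log_text), yesterday)]
    return "\n".join(lines) if lines else "(nothing logged yesterday)"


def main(path: str = "diary.jsonl") -> None:
    try:
        with open(path, encoding="utf-8") as f:
            log_text = f.read()
    except FileNotFoundError:
        log_text = ""
    print(morning_summary(log_text, (date.today() - timedelta(days=1)).isoformat()))
    print("log events as '<a|p|t|r> text'; empty line quits")
    for raw in sys.stdin:
        if not raw.strip():
            break
        parsed = parse_input(raw)
        if parsed is None:
            print("start with one of: " + ", ".join(f"{k}={v}" for k, v in EVENT_TYPES.items()))
            continue
        append_entry(path, make_entry(parsed[0], parsed[1],
                                      datetime.now().isoformat(timespec="seconds")))


if __name__ == "__main__":
    main()
```

Reading the log back is just `parse_log` over the file contents, which is what makes later trend-drawing (happiness, productivity, energy) cheap: every line is independently parseable and a damaged line costs you one entry, not the whole diary.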
Every morning, I would wake up, look at my laptop, see a notification, and alt-tab the console window to talk about how I feel first thing in the morning. While writing my feedback, I could look to the side and see the achievements/problems/thoughts of the previous day. It was nice – and it’s still nice to use, even though I’ve definitely had gaps in its use. It wasn’t the nicest part about it!
I realized that my feelings about the previous day had nothing to do with the previous day. Instead, they were defined by how I felt in the morning. My feelings were about how well I slept, what I ate, my dreams in the night, the first thought that came into my mind when I woke up, the last open window on my laptop. My feelings about yesterday were defined by anything except what I actually did yesterday.
It was sobering to be reminded how much my assessments and decisions are influenced by my feelings and state in the moment, rather than a recollection of facts and a weighted assessment of them. A year or two later, I saw this fact in a Twitter thread, described as a piece of common knowledge about life logging as a practice. I don’t think I’ve ever bookmarked it, and, I’m yet to track that thread down again.
Before, I used to put a lot of stock into the feeling of “how my last few days went”. Now, I keep it firmly in mind that I need strong references to make such conclusions. I still have big, months-long gaps in using the diary script, but I have not given up on it, or the idea – it’s not the only insight I’ve gotten from it.
Self: Hacked
So, that was a quick and fruitful finding – we take those. Collecting more data has proven to be helpful yet again, and so has building low-interaction-resistance context-aware systems. What else… a system that taps into feelings, might give you insights you couldn’t even hope for – it’s not like most of us get a solid toolkit to navigate or analyze our feelings day-by-day. Still a few problems left to solve and tricks to try out, and it’s all pretty exciting.
How can I make my diary keeping more consistent? Voice logging option for the days when text’s not as accessible? Building the diary system into multiple places at once, always having new aspects to switch to when one gets boring? Dynamic reminders that catch me exactly when I have some free time to write? More helpful event logging? Those are just a few of the directions I’m pursuing at once.
In the meantime, hacking continues. You’ll see more concepts, new findings, and even some lovely hardware – especially given that a couple other hackers have joined the fight.
Hackaday Podcast Episode 300: The Dwingeloo 25 m Dish, a Dead-Tech Twofer, and Deconstructing PCBs
This week on the big 300th episode, Hackaday’s Elliot Williams and Kristina Panos teamed up to bring you the latest news, mystery sound, and of course, a big bunch of hacks from the previous week. So basically, business as usual.
First up in the news: it’s time for the Hackaday Europe 2025 call for proposals! Do you have a tale of hardware, firmware, or software that must be shared with the Hackaday crowd? Then this is your chance to regale us with a 20- or 40-minute talk. You know we love to hear new voices, so be sure to consider proposing a talk.
On What’s That Sound, it’s a results show week. Congratulations to [Kelvin] who was one of many that correctly identified it as the Wii startup sound. Kristina will just be over here with her Pikachu64 with the light-up cheeks.
Then it’s on to the hacks and such, beginning with a rather nice reverse-engineering of the PS1, which surprisingly did it with a two-sided board. Then it’s on to a smartphone home server, magic eye images in a spreadsheet, and the math behind the music of the 80s. Finally, we talk about disc cameras, the hovercraft revolution, and a whole mess of keyboards.
Check out the links below if you want to follow along, and as always, tell us what you think about this episode in the comments!
html5-player.libsyn.com/embed/…
Download in DRM-free MP3 and savor at your leisure.
Where to Follow Hackaday Podcast
Places to follow Hackaday podcasts:
Episode 300 Show Notes:
News:
What’s that Sound?
- Congratulations to [Kelvin]! It was the Wii menu background music.
Interesting Hacks of the Week:
- PlayStation Motherboard Sanded And Scanned, But There’s More To Do
- The Audiophile Carrot
- Smartphone Runs Home Server
- I “Solved” Samsungs Swelling Battery Problem! (Batteryless Phone) – YouTube
- Want Octoprint But Lack A Raspberry Pi? Use An Old Android Phone
- Magic Eye Images In Your Spreadsheet
- Amateur Radio Operators Detect Signals From Voyager 1
- Moon Bouncing And Radar Imaging With LoRa
- Decoding JS1YMG: First Ham Radio Station On The Moon After SLIM Mission
- Voyager-1 single dish detection at Allen Telescope Array – Daniel Estévez
- Detecting Voyager 1 with the ATA
- Do 3D Printers Dream Of LEGO Sheep?
- Watch The OpenScan DIY 3D Scanner In Action
- Get Great 3D Scans With Open Photogrammetry
- What To Expect From 3D Scanning, And How To Work With It
Quick Hacks:
- Elliot’s Picks:
  - The Math Behind The Music Of The 80s
  - Chaotic System Cooks Meat Evenly
  - Raspberry Pi 500 And The Case Of The Missing M.2 Slot
- Kristina’s Picks:
  - Updated Mouse Ring Does It With A Joystick
  - An Engineer’s Perspective On Baking Gingerbread Houses
  - Unexpectedly Interesting Payphone Gives Up Its Secrets
Can’t-Miss Articles:
- Disc Film, When Kodak Pushed Convenience Too Far
- The Hovercraft Revolution And Finding The Right Niche For A Technology
- Keebin’ With Kristina: The One With The Funny Keyboard
Saving an Electron Microscope from the Trash
Who wouldn’t want to have a scanning electron microscope (SEM)? If you’re the person behind the ProjectsInFlight channel on YouTube, you certainly do. In a recent video he explains how he got his mittens on a late 1980s, early 1990s era JEOL JSM-5200 SEM that was going to be scrapped. This absolute unit of a system comes with everything that’s needed to do the imaging, processing and displaying on the small CRT. The only problem with it was that it was defective and deemed irreparable, which is why it was headed for the scrap heap. Could it still be revived against all odds?
The JEOL JSM-5200 SEM after being revived and happily scanning away. (Credit: ProjectsInFlight, YouTube)
The good news was that the unit came with the manual and schematics, and it turns out there’s an online SEM community of enthusiasts who are more than happy to help each other out. One of them even had his own JSM-5200, which helped when comparing the two units whenever something wasn’t working. Since it’s an SEM, the sample has to sit in a high vacuum, which takes a diffusion vacuum pump, which itself requires a second vacuum pump, all of which need their own voltages and electronics before you even get to the amplification circuitry.
Since the first problem was that the salvaged unit wouldn’t turn on, the repair started with the power supply and a blown fuse. This led to a shorted transformer, bad DC-DC converters, a broken vacuum pump, expired rubber hoses and seals, and so on, much of which can be attributed simply to the age of the machine. Finding direct replacements ranged from very expensive to simply impossible, necessitating creative solutions along with significant TLC.
Although there are still some small issues with, for example, the CRT due to possibly bad capacitors, overall the SEM seems to be in working condition now, which is amazing for a unit that was going to be trashed.
Thanks to [Hans] for the tip.
This Week in Security: Recall, BadRAM, and OpenWRT
Microsoft’s Recall feature is back. You may remember our coverage of the new AI feature back in June, but for the uninitiated, it was a creepy security trainwreck. The idea is that Windows takes screenshots of whatever is on the screen every few seconds, and uses AI to index the screenshots for easier searching. The only real security win at the time was that Microsoft managed to do all the processing on the local machine, instead of uploading the screenshots to the cloud. All the images and index data were available unencrypted on the hard drive, and there weren’t any protections for sensitive data.
Things are admittedly better now, but not perfect. The Recall screenshots and database are no longer trivially opened by any user on the machine, and Windows prompts the user to set up and authenticate with Windows Hello before using Recall. [Avram] from Tom’s Hardware did some interesting testing on the sensitive information filter, and found that it worked… sometimes.
So, with the public preview of Recall, is it still creepy? Yes. Is it still a security trainwreck? It appears that the security issues are much improved. Time will tell if a researcher discovers a way to decrypt the Recall data outside of the Recall app.
Patch Tuesday
Since we’re talking about Microsoft, this week was Patch Tuesday, and we had seventy-one separate vulnerabilities fixed, with one of those being a zero-day that was used in real-world attacks. CVE-2024-49138 doesn’t seem to have a lot of information published yet. We know it’s a Heap-based Buffer Overflow in the Common Log File driver, and allows an escalation of privilege to SYSTEM on Windows machines.
BadRAM
One of the most interesting frontiers in computing right now is trying to give cloud computing actual security. AMD has approached this problem with SEV-SNP, Secure Encrypted Virtualization/Secure Nested Paging, among other approaches. But today we have a very clever hardware attack that can defeat SEV-SNP: BadRAM.
The key here is the DIMM memory specification’s SPD, Serial Presence Detect. That’s a simple protocol that uses SMBus, an I2C protocol, to pull information from a memory module. How does your desktop know that those are 4 GB modules? And how does it know the right timings to actually boot successfully? SPD provides that data. BadRAM asks the rather simple question, what happens if you overwrite a module’s SPD chip?
When you convince SPD to lie, and report a memory module that’s larger than it really is, you get a sort of shadow memory. Put simply, multiple memory addresses refer to the same physical bits. That should set your security alarm bells ringing. This defeats most memory protection schemes, and allows overriding SEV-SNP, by just overwriting the security hashes after they’ve been calculated. AMD has released updated firmware that actively checks for aliasing addresses, defeating the attack.
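To make the aliasing concrete, here is an added model (not BadRAM’s code, not AMD’s firmware) of a module whose SPD claims twice its real capacity, together with the kind of stamp-and-read-back check that exposes the aliases before the memory is put to use. The page size and module sizes are assumptions chosen to keep the model small.

```python
"""Constructed model of BadRAM-style address aliasing and the kind of
aliasing check that defeats it. Nothing here touches real hardware or a
real SPD EEPROM; sizes are tiny so the model runs in milliseconds."""
from __future__ import annotations

PAGE = 4096  # granularity at which the check stamps memory (an assumption)


class DimmModel:
    """A module as the memory controller sees it.

    true_bytes: the physical cells that actually exist.
    spd_bytes:  the capacity the SPD EEPROM reports. When SPD lies
                (spd_bytes > true_bytes) the controller maps the extra
                addresses onto the same physical cells: shadow memory.
    """

    def __init__(self, true_bytes: int, spd_bytes: int) -> None:
        if spd_bytes < true_bytes:
            raise ValueError("SPD under-reporting capacity is not modelled")
        self.true_bytes = true_bytes
        self.spd_bytes = spd_bytes
        self._cells = bytearray(true_bytes)

    def _cell(self, addr: int) -> int:
        if not 0 <= addr < self.spd_bytes:
            raise IndexError(f"address {addr:#x} outside advertised range")
        return addr % self.true_bytes  # the wrap-around is what creates aliases

    def write_u32(self, addr: int, value: int) -> None:
        for i in range(4):
            self._cells[self._cell(addr + i)] = (value >> (8 * i)) & 0xFF

    def read_u32(self, addr: int) -> int:
        return sum(self._cells[self._cell(addr + i)] << (8 * i) for i in range(4))


def aliases_of(dimm: DimmModel, addr: int) -> list[int]:
    """All advertised addresses that land on the same physical cell as addr."""
    return list(range(addr % dimm.true_bytes, dimm.spd_bytes, dimm.true_bytes))


def detect_aliasing(dimm: DimmModel) -> list[tuple[int, int]]:
    """Boot-time style check: stamp every page with its own index, then read
    every page back. A page that reads another page's stamp shares cells with
    that page. Returns (page, stamp_found) for each clobbered page; an empty
    list means the advertised range is backed by distinct cells.

    The check overwrites memory, so it belongs before the memory is in use,
    which is where firmware runs it."""
    pages = dimm.spd_bytes // PAGE
    for p in range(pages):
        dimm.write_u32(p * PAGE, p)
    clobbered = []
    for p in range(pages):
        stamp = dimm.read_u32(p * PAGE)
        if stamp != p:
            clobbered.append((p, stamp))
    return clobbered


if __name__ == "__main__":
    honest = DimmModel(true_bytes=8 * PAGE, spd_bytes=8 * PAGE)
    lying = DimmModel(true_bytes=4 * PAGE, spd_bytes=8 * PAGE)  # SPD claims 2x
    print("honest module:", detect_aliasing(honest))  # []
    print("lying module: ", detect_aliasing(lying))   # [(0, 4), (1, 5), (2, 6), (3, 7)]
    print("aliases of 0x64:", [hex(a) for a in aliases_of(lying, 0x64)])
```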
When rnd is Hard
Getting good random bits is hard. There is the obvious problem that computers are deterministic, and can’t actually generate randomness without dedicated hardware for the purpose. Beyond that, different languages and platforms have different quirks. Many of those languages have a pseudorandom function that can produce a good approximation of random numbers. The catch is that those numbers are entirely deterministic, and to be anything close to usable as a safe source of randomness, the pseudorandom function must be seeded with a truly non-deterministic number.
Which is why it’s particularly bad to accidentally hard-code the seed into a platform. And yes, that’s exactly what the WebAssembly platform for Dart did until surprisingly recently. This resulted in an easy-to-guess websocket port/key/password combination that could lead to the takeover of a Dart application from another visited website. And that’s not all: follow the link above to find two other similar stories in the Dart/Flutter world.
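As an added illustration (not Dart’s code), here is a constructed stand-in for that bug: a local handshake whose websocket port and key come from a PRNG with a seed baked into the binary, next to the same handshake drawn from the OS CSPRNG, plus the property check a defender can run on any token generator. The seed value and port range are assumptions.

```python
"""Constructed stand-in for a hard-coded PRNG seed: a local dev handshake whose
websocket port and key are drawn from the generator. Not Dart's code."""
import hmac
import random
import secrets
from typing import Callable

HARD_CODED_SEED = 12345  # the mistake: the same seed shipped in every build
PORT_LO, PORT_HI = 49152, 65536  # ephemeral port range (assumed)


def seeded_handshake(seed: int = HARD_CODED_SEED) -> tuple[int, str]:
    """Port and key from a deterministic PRNG. Every process that starts with
    this seed draws exactly the same pair, so anyone who knows the seed (it is
    in the shipped code) knows the pair too."""
    rng = random.Random(seed)
    port = rng.randrange(PORT_LO, PORT_HI)
    key = rng.getrandbits(128).to_bytes(16, "big").hex()
    return port, key


def secure_handshake() -> tuple[int, str]:
    """Same shape, but drawn from the OS CSPRNG, which is seeded from kernel
    and hardware entropy rather than from a constant in the program."""
    port = PORT_LO + secrets.randbelow(PORT_HI - PORT_LO)
    key = secrets.token_hex(16)
    return port, key


def is_reproducible(make: Callable[[], tuple[int, str]], runs: int = 5) -> bool:
    """Property test: call the generator in fresh instances. If every run
    agrees, the output carries no entropy that an outside party lacks."""
    first = make()
    return all(make() == first for _ in range(runs))


def key_matches(expected: str, presented: str) -> bool:
    """Constant-time comparison for the key check on the receiving side."""
    return hmac.compare_digest(expected, presented)


if __name__ == "__main__":
    print("seeded handshake reproducible:", is_reproducible(seeded_handshake))  # True
    print("secure handshake reproducible:", is_reproducible(secure_handshake))  # False
```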
OpenWRT and sha256 collisions
The OpenWRT project had a bit of a security scare late last week. It turns out that the attended sysupgrade service actually triggers custom firmware builds on the OpenWRT servers. And it’s possible to run arbitrary code inside that build process. That’s not as bad as it sounds, as the project works very hard to isolate each of those builds inside podman containers. There was another problem, where build artifacts were tracked using a partial SHA256 hash. The full 64 characters of a SHA256 hash are enough to be secure, particularly in this case — but reducing that to twelve characters is not.
[RyotaK] actually did the work, using hashcat to find a hash collision, resulting in the server serving a tampered firmware image in place of the correct one. The find was reported, the sysupgrade build server was temporarily taken offline, and a fix rolled out. The OpenWRT project put out a statement acknowledging the issue, and pointing out that there are insufficient logs to determine whether this vulnerability chain has ever actually been used. And so, out of an abundance of caution, users of the sysupgrade server should trigger an in-place upgrade to completely rule out the possibility of running a compromised image.
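To see why a 12-character prefix is not a safe key for build artifacts, here is an added example (not OpenWRT’s code) that works out the birthday and targeted work factors for a truncated SHA-256 prefix, finds a collision on a deliberately tiny 16-bit prefix, and contrasts the weak truncated lookup with a full-digest check. The artifact names are constructed.

```python
"""Why a truncated SHA-256 prefix is not a safe artifact identifier. Added
illustration; artifact names are constructed."""
from __future__ import annotations

import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def expected_attempts(prefix_hexchars: int) -> tuple[float, float]:
    """(birthday, targeted) work for a prefix of that many hex characters.
    Each hex char is 4 bits: any two inputs colliding costs about 2^(bits/2),
    matching one specific existing prefix costs about 2^bits.
    For 12 characters that is 2^24 versus 2^48, both within reach of hashcat."""
    bits = 4 * prefix_hexchars
    return 2.0 ** (bits / 2), 2.0 ** bits


def find_prefix_collision(prefix_hexchars: int) -> tuple[bytes, bytes]:
    """Birthday search over constructed inputs until two share a prefix.
    Tractable in pure Python only because the prefix used below is tiny;
    it is the same search that a GPU cracker finishes at 12 characters."""
    seen: dict[str, bytes] = {}
    n = 0
    while True:
        candidate = b"build-%d" % n
        prefix = sha256_hex(candidate)[:prefix_hexchars]
        if prefix in seen:
            return seen[prefix], candidate
        seen[prefix] = candidate
        n += 1


def lookup_truncated(index: dict[str, bytes], full_hex: str, n: int) -> bytes | None:
    """Weak scheme: artifacts stored under the first n hex chars of their hash,
    so any input with the same prefix resolves to the stored artifact."""
    return index.get(full_hex[:n])


def verify_full(artifact: bytes, expected_full_hex: str) -> bool:
    """Strong check: the complete digest, compared in constant time."""
    return hmac.compare_digest(sha256_hex(artifact), expected_full_hex)


if __name__ == "__main__":
    birthday, targeted = expected_attempts(12)
    print(f"12-char prefix: birthday ~2^{birthday.bit_length() - 1}, "
          f"targeted ~2^{int(targeted).bit_length() - 1}")
    a, b = find_prefix_collision(4)  # 16-bit prefix: a few hundred hashes
    print(a, b, sha256_hex(a)[:4], sha256_hex(b)[:4])
```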
Bits and Bytes
Facebook Messenger on iOS had an issue, where a member of group calls could crash the app for all members of the call, simply by sending an invalid emote to the group. Sure puts the angry face in context. It’s fixed now, appears to be strictly limited to the denial of service crash, and there’s a decent walkthrough of the problem at the link.
Maxwell Dulin, AKA [Striꓘeout], has now worked on both sides of the security coin. He has been the security researcher, and is now on the security team at a company. This puts him in a particularly good position to comment on why it takes so long to fix a given bug. And not to give it away, but some of the reasons are better than others.
And finally, how not to fall for a crypto scam. In this case, it was a Telegram group that was hawking a fake new token. The scam was rather impressive, with faked reviews from Certik and TechRate, and legitimate-looking smart contracts. But like most deals that seem too good to be true, this was a rugpull, where criminal con artists convinced a few investors to put money into the scheme, only to take the money and run. Stay frosty out there!
China Leads in Malware! EagleMsgSpy: the Spyware That Competes with Pegasus
Lookout analysts have discovered a previously unknown Android spyware called EagleMsgSpy. It is believed to be used by Chinese law enforcement and government agencies to monitor mobile devices.
Researchers believe the spyware was developed by a Chinese company, Wuhan Chinasoft Token Information Technology Co., Ltd. (also known as Wuhan Zhongruan Tongzheng Information Technology Co., Ltd and Wuhan ZRTZ Information Technology Co, Ltd.) and has been in use since at least 2017.
Moreover, the first artifacts associated with EagleMsgSpy were uploaded to VirusTotal only on September 25, 2024.
EagleMsgSpy: Not Just NSO Group
As we have always said, NSO Group, the leader in producing remote-control spyware, is not the only one developing advanced espionage malware.
In their report, the investigators provide numerous pieces of evidence linking EagleMsgSpy to its developers and operators, including IP addresses associated with control servers, domains, direct references in internal documentation, as well as public contracts and collected OSINT data.
For example, the domain used by Wuhan Chinasoft Token Information Technology to host advertising material (tzsafe[.]com) also appears in the EagleMsgSpy code, and the malware’s documentation directly mentions the company’s name.
Moreover, the screenshots of test devices examined from the EagleMsgSpy admin panel match the location of the company’s office in Wuhan. Notably, clues to the existence of an iOS version of EagleMsgSpy were found in the spyware developers’ internal documentation and infrastructure, but the researchers do not yet have a sample for Apple devices.
The developers themselves describe EagleMsgSpy as a “complete product for lawful monitoring of mobile devices” capable of collecting “information from suspects’ mobile phones in real time, through network monitoring without the suspect’s knowledge, tracking all of the criminal’s actions with mobile phones and summarizing them”.
Lookout believes that law enforcement installs EagleMsgSpy manually on targeted devices when they have physical access to the unlocked devices. This likely happens when devices are confiscated, for example during arrests.
EagleMsgSpy installer
360-Degree Espionage
Since the installer APK could not be found in the Google Play Store or in third-party app stores, the spyware is believed to be distributed by a very limited number of operators.
A study of several spyware samples showed that the developers are actively improving code obfuscation and encryption (for example, using the open-source apkToolPlus), meaning EagleMsgSpy is clearly under active development.
Once installed on the target device, EagleMsgSpy exhibits the following activity:
- steals messages from instant messaging services (including QQ, Telegram, Viber, WhatsApp, WeChat and so on);
- records what happens on the screen using the Media Projection API, takes screenshots and records audio;
- retrieves call logs, the contact list and SMS messages;
- collects location data (GPS), network activity and installed applications;
- steals bookmarks from browsers and files from external storage devices.
All collected data is temporarily stored in a hidden directory, encrypted, compressed and then transferred to the control servers.
A Complete Admin Panel
The malware’s admin panel is called “Stability Maintenance Judgment System”. It allows remote operators to initiate real-time actions such as recording audio, viewing the geographic distribution of a victim’s contacts and monitoring messages.
As for the spyware operators, Lookout states that EagleMsgSpy’s control servers are associated with Public Security Bureau domains, such as the Yantai and Zhifu branches.
The report also notes that Lookout specialists were able to identify two IP addresses associated with the SSL certificates of EagleMsgSpy control servers (202.107.80[.]34 and 119.36.193[.]210). These addresses were previously used by other espionage tools originating from China, including PluginPhantom and CarbonSteal.
The article China Leads in Malware! EagleMsgSpy: the Spyware That Competes with Pegasus originally appeared on il blog della sicurezza informatica.
Second Day of DDoS Attacks by NoName057 Against Institutions and Banks
Authors: Luca Stivali and Francesco De Marcus of the DarkLab group
Our Threat Intelligence sources have unfortunately been confirmed. At 7:10 this morning, a message appeared in the underground channels we monitor announcing another wave of DDoS attacks against Italian targets.
The pro-Russian activist group NoName057 is conducting, for the second consecutive day, Distributed Denial of Service (DDoS) attacks against Italian public and private institutions.
After yesterday’s attacks, which hit the websites of the main Italian ports (Trieste and Taranto), the Guardia di Finanza site and many others, today’s targets include, among others: the Air Force (Aeronautica Militare), the Navy (Marina Militare), Banca BPER, the Constitutional Court, the Ministry of Labour, the High Council of the Judiciary, the Ministry of Infrastructure and many others.
Here is the list of targets:
At the time of writing (December 13, 9:39) the targets are indeed unreachable.
DDoS Attacks and NIS2
As already widely discussed in our previous articles, a DDoS (Distributed Denial of Service) attack is a type of attack aimed at overloading a website, server or network with an excessive amount of traffic coming from a network of compromised computers (also known as zombie networks), which makes malicious traffic hard to distinguish from genuine traffic.
The latest CLUSIT report from 2024 highlights that criminals favour two types of attacks, malware and DDoS, which account for 32.6% and 30.3% of reported incidents respectively. So, as Antonio Lubrano used to say, “the question arises spontaneously”.
Given the stature of the organisations hit in recent days, which moreover should already have implemented NIS1, how far is the Italian system from being compliant with the new NIS2?
The question we pose is meant to be deliberately provocative, stimulating and reflective. Deadlines unfortunately often matter only for mere formal compliance, but in this case they are instrumental and functional to national security and therefore must be implemented.
The article Second Day of DDoS Attacks by NoName057 Against Institutions and Banks originally appeared on il blog della sicurezza informatica.
Chirality Could Kill Us All, If We Let It
In our high school chemistry classes we all learn about chirality, the property of organic molecules in which two chemically identical molecules can have different structures that are mirror images of each other. This can lead to their exhibiting different properties, and one aspect of chirality is causing significant concerns in the field of synthetic biology. The prospect of so-called mirror organisms is leading to calls from a group of prominent scientists for research in the field to be curtailed due to the risks they would present.
Chirality is baked into all life; our DNA is formed of right-handed molecules while our proteins are left-handed. The “mirror” organisms would reverse either or both of these, and could in theory be used to improve biochemical production processes. The concern is that these organisms would evade both the immune systems of all natural life forms and any human defences such as antibiotics, thus posing an existential risk to life. It’s estimated that the capacity to produce such a life form lies more than a decade away, and the scientists wish to forestall that by starting the conversation early. They are calling for a halt to research likely to result in these organisms, and a commitment from funding bodies not to support such research.
Warnings of the dangers from scientific advances are as old as science itself, and it’s safe to say that many such prophecies have come from dubious sources and proved not to have a basis in fact. But this one, given the body of opinion behind it, is perhaps one that should be heeded.
Header image: Original: Unknown; Vector: πϵρήλιο, Public domain.
Use Your RTL, In The Browser
The web browser started life as a relatively simple hypertext reading application, but over the 30+ years since the first one displayed a simple CERN web page it has been extended to become the universal platform. It’s now powerful enough to run demanding applications, for example a full software-defined radio. [Jtarrio] proves this, with an application to use an RTL-SDR, in HTML5.
It’s a fork of a previous Google-Chrome-only FM receiver, using the HTML5 WebUSB API, and converted to TypeScript. You can try it out for yourself if you have a handy RTL dongle lying around; it provides an interface similar to the RTL apps you may be used to.
The Realtek digital TV chipset has been used as an SDR for well over a decade now, so we’re guessing most of you with an interest in radio will have one somewhere. The cheap ones are noisy and full of spurious peaks, but even so, they’re a bucket of fun. Now all that’s needed is the transmit equivalent using a cheap VGA adapter, and the whole radio equation could move into the browser.
Meta Launches a $10 Billion Submarine Cable: The Revolution in Global Data
Meta, which owns the Facebook, Instagram and WhatsApp platforms, is the second largest driver of Internet traffic in the world. Users of its services generate 10% of fixed Internet traffic and 22% of mobile traffic. The company’s investments in artificial intelligence will probably increase these numbers. To guarantee a stable infrastructure, Meta plans to build a submarine cable over 40,000 kilometres long that will be wholly owned by the company.
Sources close to the company have confirmed the construction plans. The total cost of the project could exceed 10 billion dollars. This cable will be Meta’s first fully proprietary submarine communications project. The initial budget is 2 billion dollars, but it is expected to grow significantly over the course of the project, whose completion will take several years.
Physical construction of the project has not yet started. Meta plans to publish details on the cable’s route, capacity and construction goals in early 2025.
The planned route connects the east coast of the United States to India via South Africa, and then the west coast of the United States to India via Australia. This will give the cable a “W” shape. The project is being developed in the company’s South Africa division.
Meta’s infrastructure projects are led by Santosh Janardhan, the company’s global head of infrastructure and co-head of engineering. Meta’s infrastructure engineering divisions are spread around the world.
Submarine fibre-optic cables have been part of communications infrastructure for 40 years. However, in this case the important fact is who finances and wholly owns the project. Meta intends to invest in and own the cable itself, reflecting a global trend: the role of telecom operator consortia is shrinking, and large technology companies are increasingly taking control of such networks.
For Meta, involvement in submarine cable projects is nothing new. According to Telegeography, the company already owns 16 networks, including the 2Africa cable, which covers the entire African continent. Telecom operators such as Orange, Vodafone, China Mobile and Bayobab/MTN also participate in the 2Africa project. However, the current project will be the first to be wholly owned by Meta. This will put the company in the same category as Google.
Google, according to Telegeography, is involved in 33 submarine cable routes, including several regional networks of which it is the sole owner. Amazon and Microsoft also invest in similar projects, but do not yet wholly own any route.
Installing submarine fibre-optic cables is a complex process limited by the number of available specialists and resources. Companies such as SubCom are already busy fulfilling orders from large customers, including Google. Construction can be carried out in segments, which will lengthen the deployment time.
The cable will give Meta an independent data transmission channel around the world. Full ownership of the cable will give the company priority access to bandwidth for its platforms.
The article Meta Launches a $10 Billion Submarine Cable: The Revolution in Global Data originally appeared on il blog della sicurezza informatica.
Predator: A Small Open Source IDS to Get You into Made-in-Italy Cybersecurity
Starting today to develop “Made in Italy” security software is not just an opportunity but a necessity for our domestic market and national security. All great innovations often start from small projects. An idea, a small proof of concept (PoC) that may seem modest, can over time turn into a reference solution.
Every line of code you write today could become the heart of a recognised product tomorrow. It is essential that Italy establishes itself in this sector too, reducing dependence on foreign technologies, which are often opaque, and creating an ecosystem of secure, transparent software and firmware under our full control.
Young developers, entrepreneurs and researchers: the future of Italian cybersecurity starts with you, with your ideas and your passion. We at Red Hot Cyber ask anyone interested in developing “made in Italy” solutions to contact our project lead at andrycavallini87@gmail.com to join his team developing an all-Italian EDR and IDS.
The IDS concept
Starting from the Anubi project (presented in this article), I return to the topic of cybersecurity protection from a made-in-Italy perspective. The important foundation of the EDR I developed aims to help thousands of enthusiasts with their everyday security, always with the intention of expanding the open-source suite. What is missing from all this? The key concept is the IDS.
An IDS is the thing that lets analysts understand what kind of traffic is transiting a computer network. It is configured in sniffing mode on one or more interfaces (typically mirror or SPAN ports, so as to have an exact replica of the traffic) and is able to identify the various requests entering and leaving the network; whether it is implemented in software or hardware, the result is the same: it is a probe placed at a strategic point in the network so that all inbound and outbound traffic can be checked.
But which is considered the best solution? There is no obvious answer, because it depends on many factors, such as the constraints imposed, the network layout, and so on. I propose mine: Predator!
Predator is a tool born from my usual idea of open-sourcing, for everyone’s benefit, the technologies that today can help us be ready and far more reactive to the latest generation of cyber attacks. It is available in my GitHub repo and can be installed on Linux, macOS and Windows.
It is written entirely in Python and can be configured with:
- the CIDRs to keep under watch
- the interfaces to monitor
- the modules to enable
The rules used for IPs are generated automatically and daily from my repository, the one used by my other project Anubi.
Predator’s features
By default, Predator has the following features enabled:
- IDS, which inspects traffic at layers 4 and 7 for unencrypted connections according to the rules specified in the configuration path
- API, which allows management operations through a minimal interface
The other two modules developed so far, which can be enabled in the configuration, are:
- Proxy, which acts as a true MITM and identifies all encrypted traffic
- Dummy, which replays the traffic decrypted by the proxy on a parallel interface so that another IDS can, for example, check the traffic with its own rules.
Predator is an extremely simple tool, customisable both in code and in rules, and very lightweight.
The suite I propose aims to build a solid open-source foundation from a made-in-Italy perspective, trying to offer solutions that are not obvious, easy to use and easy to customise. I invite you to try it and suggest any idea you have in mind (you can contact me at andrycavallini87@gmail.com for anything you like); you won’t regret it!
The article Predator: A Small Open Source IDS to Get You into Made-in-Italy Cybersecurity originally appeared on il blog della sicurezza informatica.
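The rule-matching core of an IDS of the shape described above (watched CIDRs, an IP rule list, layer-4 and layer-7 rules for cleartext traffic), as an added example that is not Predator’s code: packets are constructed decoded records rather than a live capture so that it runs offline, and the rule names, addresses and sample traffic are all made up for the illustration.

```python
"""Minimal rule-matching core of an IDS: watched CIDRs, an IP rule list,
layer-4 and layer-7 rules. Constructed illustration, not Predator's code;
packets are decoded records, not live captures, so it runs offline."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    proto: str            # "tcp" or "udp"
    dport: int
    payload: bytes = b""  # cleartext only: a TLS payload is opaque to the IDS


@dataclass
class Alert:
    rule: str
    layer: str
    detail: str


class MiniIDS:
    def __init__(self, watched_cidrs, bad_ips, l4_rules, l7_rules) -> None:
        self.watched = [ipaddress.ip_network(c) for c in watched_cidrs]
        self.bad_ips = {ipaddress.ip_address(ip) for ip in bad_ips}
        self.l4_rules = list(l4_rules)  # (proto, dport, rule name)
        self.l7_rules = [(p.encode() if isinstance(p, str) else p, name)
                         for p, name in l7_rules]  # (byte pattern, rule name)

    def in_scope(self, pkt: Packet) -> bool:
        """A SPAN port shows everything; only traffic touching a watched CIDR
        is inspected, which keeps the rule set focused on the protected nets."""
        ips = (ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst))
        return any(ip in net for net in self.watched for ip in ips)

    def inspect(self, pkt: Packet) -> list[Alert]:
        alerts: list[Alert] = []
        if not self.in_scope(pkt):
            return alerts
        for ip in (pkt.src, pkt.dst):               # IP rule list
            if ipaddress.ip_address(ip) in self.bad_ips:
                alerts.append(Alert("ip-blocklist", "L3", f"{ip} is on the IP rule list"))
        for proto, dport, name in self.l4_rules:    # layer 4: protocol/port
            if pkt.proto == proto and pkt.dport == dport:
                alerts.append(Alert(name, "L4", f"{proto}/{dport} to {pkt.dst}"))
        for pattern, name in self.l7_rules:         # layer 7: cleartext content
            if pattern in pkt.payload:
                alerts.append(Alert(name, "L7", f"pattern {pattern!r} in payload"))
        return alerts


# Constructed configuration; only documentation/test address ranges are used.
IDS = MiniIDS(
    watched_cidrs=["10.0.0.0/8"],
    bad_ips=["198.51.100.7"],
    l4_rules=[("tcp", 23, "telnet-cleartext-login")],
    l7_rules=[("Authorization: Basic", "http-basic-auth-in-clear")],
)

# Constructed sample traffic: credentials over plain HTTP to a listed IP,
# a telnet session inside the watched net, and traffic outside the net.
SAMPLE_TRAFFIC = [
    Packet("10.1.2.3", "198.51.100.7", "tcp", 80,
           b"GET /admin HTTP/1.1\r\nHost: x\r\nAuthorization: Basic dXNlcjpwYXNz\r\n\r\n"),
    Packet("10.1.2.3", "10.0.0.9", "tcp", 23, b"login: "),
    Packet("192.0.2.1", "192.0.2.2", "tcp", 23, b"login: "),
]


def run(ids: MiniIDS, packets: list[Packet]) -> list[list[str]]:
    """Rule names fired per packet, in packet order."""
    return [[a.rule for a in ids.inspect(p)] for p in packets]


if __name__ == "__main__":
    for pkt, fired in zip(SAMPLE_TRAFFIC, run(IDS, SAMPLE_TRAFFIC)):
        print(f"{pkt.src} -> {pkt.dst}:{pkt.dport}  {fired}")
```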
Automated Rig Grows Big, Beautiful Crystals Fast
We haven’t seen [Les Wright] in a while, and with the release of his new video, we know why — he’s been busy growing crystals.
Now, that might seem confusing to anyone who has done the classic “Crystal Garden” trick with table salt and laundry bluing, or tried to get a bit of rock candy out of a supersaturated sugar solution. Sure, growing crystals takes time, but it’s not exactly hard work. But [Les] isn’t in the market for any old crystals. Rather, he needs super-sized, optically clear crystals of potassium dihydrogen phosphate, or KDP, which are useful as frequency doublers for lasers. [Les] has detailed his need for KDP crystals before and even grown some nice ones, but he wanted to step up his game and grow some real whoppers.
And boy, did he ever. Fair warning; the video below is long and has a lot of detail on crystal-growing theory, but it’s well worth it for anyone taking the plunge. [Les] ended up building an automated crystal lab, housing it in an old server enclosure for temperature and dust control. The crystals are grown on a custom-built armature that slowly rotates in a supersaturated solution of KDP which is carefully transitioned through a specific temperature profile under Arduino control. As a bonus, he programmed the rig to take photographs of the growing crystals at intervals; the resulting time-lapse sequences are as gorgeous as the crystals, one of which grew to 40 grams in only a week.
We’re keen to see how [Les] puts these crystals to work, and to learn exactly what a “Pockels Cell” is and why you’d want one. In the meantime, if you’re interested in how the crystals that make the whole world work are made, check out our deep dive into silicon.
Thanks to [Joseph Hopfield] for the tip.
A Look Back at Google’s 2015 Chromecast
Google’s Chromecast was first released in 2013, with a more sophisticated follow-up in 2015, which saw itself joined by the Chromecast Audio dongle. The device went through an additional two hardware generations before the entire line of products was discontinued earlier this year in favor of Google TV.
Marvell’s Armada 88DE3006 dual-core Cortex-A7 powers the second-generation Chromecast. (Credit: Brian Dipert, EDN)
In addition to collecting each generation of Chromecast, [Brian Dipert] over at EDN looked back on this second-generation dongle from 2015 while also digging into the guts of a well-used example that got picked up used.
While it has none of the fascinating legacy features of the 2nd-generation Ultra in his collection that came with the Stadia gaming controller, it defines basically everything that Chromecast dongles were about: a simple dongle with an HDMI & USB connector that you plugged into a display that you wanted to show streaming content on. The teardown is mostly similar to the 2015-era teardown by iFixit, who incidentally decided not to assign any repairability score, for obvious reasons.
Most interesting about this second-generation Chromecast is that the hardware supported Bluetooth, but that this wasn’t enabled until a few years later, presumably to fix the wonky new device setup procedure that would be replaced with a new procedure via the Google Home app.
While Google’s attention has moved on to newer devices, the Chromecast isn’t dead — the dongles in the wild still work, and the protocol is supported by Google TV and many ‘smart’ appliances including TVs and multimedia receivers.
British Spooks Issue Yearly Teaser
As a British taxpayer it’s reassuring to know that over in Cheltenham there’s a big round building full of people dedicated to keeping us safe. GCHQ is the nation’s electronic spying centre, and just to show what a bunch of good eggs they are they release a puzzler every year to titillate the nation’s geeks. 2024’s edition is out if you fancy trying it, so break out your proverbial thinking caps.
The puzzle comes in several stages each of which reveals a British landmark, and we’re told there’s a further set of puzzles hidden in the design of the card itself. We know that Hackaday readers possess fine minds, so you’ll all be raring to have a go.
Sadly GCHQ would, for perfectly understandable reasons, never let Hackaday in for a tour, but we’ve encountered some of their past work. First there was the Colossus replica codebreaking computer at Bletchley Park, the organisation’s progenitor, and then a few years ago there was an exhibition from their archive at the London Science Museum.
Good Lighting on a Budget with Cordless Tool Batteries
It’s perhaps not fair, but even if you have the best idea for a compelling video, few things will make people switch off faster than poor lighting. Good light, and plenty of it, is the order of the day when it comes to video production, and luckily there are many affordable options out there. Affordable, that is, right up to the point where you need batteries for remote shoots, in which case you’d better be ready to open the purse strings.
When [Dane Kouttron] ran into the battery problem with his video lighting setup, he fought back with these cheap and clever cordless tool battery pack adapters. His lights were designed to use Sony NP-F mount batteries, which are pretty common in the photography trade but unforgivably expensive, at least for Sony-branded packs. Having access to 20 volt DeWalt battery packs, he combined an off-the-shelf battery adapter with a 3D printed mount that slips right onto the light. Luckily, the lights have a built-in DC-DC converter that accepts up to 40 volts, so connecting the battery through a protection diode was a pretty simple exercise. The battery pack just slots right in and keeps the lights running for portable shoots.
Of course, if you don’t already have DeWalt batteries on hand, it might just be cheaper to buy the Sony batteries and be done with it. Then again, there are battery adapters for pretty much every cordless tool brand out there, so you should be able to adapt the design. We’ve also seen cross-brand battery adapters which might prove useful, too.
The Disappearing Capacitor
As part of a phosphorescence detector, [lcamtuf] has been working with photodiodes. The components, like all diodes, have some capacitance at the junction, and this can limit performance. That’s why [lcamtuf] turned to bootstrapping to make that parasitic capacitance almost disappear.
The technique appears in several Analog Devices datasheets and presents a mystery: an op amp circuit that would normally be limited to about 52 kHz of bandwidth gains an unusually placed JFET and is claimed to reach 350 kHz.
The JFET turns out to be in a voltage-follower configuration. The photodiode sees approximately the same voltage on both terminals, so the internal capacitor can’t charge and, therefore, doesn’t impose any limits on rate of change.
Of course, a better way to think of it is that tiny changes cause an immediate response to counteract them, and so the capacitor’s charging and discharging are kept to a minimum.
It really isn’t important that the capacitor is not charged, but rather that the capacitor doesn’t increase or decrease charge. This leads to a second design, which imposes a DC bias voltage on the diode but prevents any signal from causing the capacitor to change from its precharged value.
Photodiodes seem exotic, but honestly, all semiconductor diodes are photodiodes if you let the light get to them. It seems that capacitors and op amps are always at loggerheads.
The 6GHz Band Opens in the US
On December 11th, the FCC announced that the band around 6GHz would be open to “very low-power devices.” The new allocation shares space with other devices already using these frequencies. The release lists a few restrictions on use of the 350 MHz of spectrum, which is split into two segments. First, the devices must use a contention-based protocol and implement transmit power control. The low-power devices may not be part of a fixed outdoor infrastructure.
The frequencies are 6.425-6.525 GHz, 6.875-7.125 GHz and the requirements are similar to those imposed on 802.11ax in the nearby U-NII-5 and U-NII-7 bands.
In her remarks, Chairwoman Jessica Rosenworcel said, in part:
But powerful innovation in wireless does not only come from licensed spectrum. Unlicensed spectrum matters, too. In fact, our lives run on unlicensed spectrum. We use it for everything from connecting at work and home with Wi-Fi to supply chain management in warehouses and delivery trucks, from maximizing our workouts with fitness trackers and earbuds to making our homes smarter and more efficient. I like to think of unlicensed spectrum as an invisible force in our economy. Wi-Fi alone will foster $769 billion in economic growth in 2024. That number is projected to rise 21 percent in 2025 and as high as 67 percent by 2027 when the latest version of Wi-Fi will be available in millions of devices. …
We made it possible to access airwaves without licenses, to innovate without permission, and to develop low-power wireless technologies that have changed the way we live and work.
Sounds like hacking to us. We remember when 6 GHz was nearly impossible to use, and hams building stuff using Gunn diodes to hit over 10 GHz was super edgy. Now, there’s a lot going on up there. It still isn’t trivial to design for frequencies that high.
Telegram Flexes Its Moderation Muscles! 15 Million Channels Blocked in 2024
The Telegram messenger has published data on the blocking of groups and channels that violate the platform’s policies and the law. A page with the statistics has appeared on the company’s official website.
In 2024, 15.3 million groups and channels were blocked. Among these are almost 702 thousand communities associated with the distribution of child sexual abuse material and about 129 thousand groups and channels with a terrorist orientation. In addition, more than 100 million pieces of terrorist content were removed.
The company’s website reports that Telegram blocks tens of thousands of groups and channels every day, removing millions of pieces of prohibited content. The violations identified include incitement to violence, distribution of child sexual abuse material and trade in illegal goods.
It is clarified that the moderation process involves processing user reports as well as proactive monitoring. Since 2015 these measures have been carried out using machine learning technologies. In 2024 Telegram introduced new tools based on artificial intelligence, which made it possible to increase the efficiency of identifying and blocking prohibited material.
Recall that in early August, the founder of Telegram was arrested in France as part of an investigation into crimes such as the distribution of child sexual abuse images, drug trafficking and fraud. After this incident, Durov actively defended his platform, pointing out that millions of harmful posts and channels are deleted every day.
Durov managed to avoid detention by paying bail of 5 million euros. Under the agreement, he must report to the police station twice a week and remain in France until the conclusion of the trial. The entrepreneur was questioned for the first time on December 6 in a Paris court in a case concerning insufficient moderation on the Telegram messenger, 20Minuti wrote, citing AFP.
Durov arrived in court with his lawyers David-Olivier Kaminsky and Christoph Ingren. The businessman declined to comment in detail, saying only that he has confidence in the French judicial system. Lawyer Kaminsky called absurd the prosecution’s position that Durov was involved in crimes committed via Telegram.
The article Telegram Flexes Its Moderation Muscles! 15 Million Channels Blocked in 2024 comes from il blog della sicurezza informatica.
It’s Critical: Don’t Pile Up Your Fissionable Material
Nuclear fission is a powerful phenomenon. When the conditions are right, atomic nuclei split, releasing neutrons that then split other nuclei in an ongoing chain reaction that releases enormous amounts of energy. This is how nuclear weapons work. In a more stable and controlled fashion, it’s how our nuclear reactors work too.
However, these chain reactions can also happen accidentally—with terrifying results. Though rare, criticality incidents – events where an accidental self-sustaining nuclear chain reaction occurs – serve as sobering reminders of the immense and unwieldy forces we attempt to harness when playing with nuclear materials.
Too Much Already
Criticality in a large mass and with a neutron reflector. Credit: Wikimedia Commons, public domain
A criticality incident is when a nuclear fission chain reaction is caused by accident. The cause is usually quite simple. When it comes to fissionable material, like radioactive isotopes of uranium, there is a certain critical mass at which a chain reaction will occur. At this point, the natural radioactive decay of the material will release enough neutrons such that one might strike and split another atom. This then releases further neutrons, which split more atoms, and the chain reaction continues.
Calling it a critical mass is a simplification. More realistically, criticality depends on several factors: the shape of the radioactive material plays a role, as does the presence of any neutron reflectors that could bounce neutrons back towards more atoms to split.
Long story short, if you put too much fissionable material in one place, you’re asking for trouble. If it gets to that critical point and the chain reaction starts, it’s going to release a ton of radiation in a split second.
The Slotin experiment is one of the most well-known criticality incidents. Credit: Los Alamos National Laboratory
The most famous example of a criticality incident occurred when Louis Slotin was working with the Demon Core at Los Alamos back in 1946. The story has been told many a time, including on these hallowed pages. Start there if you’re curious, before we look at some more recent disasters.
America’s nuclear program hasn’t just had one awkward mistake like this. It’s had a few. One of the most serious criticality accidents in history occurred on December 30, 1958, once again at the Los Alamos National Laboratory in New Mexico. Chemical operator Cecil Kelley was processing plutonium-containing liquids in a large mixing tank as per his regular duties.
The mixing tank which Kelley was operating was filled with a concentration of uranium 200 times higher than expected. Credit: Los Alamos National Laboratory
The tank was used for recovering and reusing plutonium solutions from various experiments, and was expected at that time to contain less than 0.1 grams of plutonium per liter of solution. Unbeknownst to Kelley, the tank actually held a far greater quantity of plutonium—over 3 kilograms—due to improper transfers of waste materials to the tank. The fluid in the tank wasn’t homogenous, either—there was a denser layer of aqueous solution at the bottom, topped with a lighter layer of organic solution which contained more of the plutonium.
The tank was already close to a critical state at rest. When Kelley switched on the mixer inside, the blades formed a vortex, pushing the dense aqueous layer of fluid outwards. In turn, the more plutonium-rich organic fluid was drawn to the center of the vessel, where it promptly went critical.
As Kelley stood on a ladder viewing the mixing tank, there was a sudden bright flash of blue light. A huge surge of neutron and gamma radiation flooded the room, delivering Kelley a lethal dose in a split second. His death was harrowing, and he passed away just 35 hours after the accident. While investigations were undertaken into the matter, there has never been a public explanation for how the excessively high concentration of plutonium ended up in the tank.
When the mixer was turned on, the plutonium-rich layer of solution was brought close enough together that a criticality incident occurred. Credit: KDS4444, CC BY 3.0
Fast forward to 1999, when carelessness caused a similar incident in Tokaimura, Japan. At a uranium processing facility, technicians were tasked with preparing a batch of fuel. Official regulations mandated that a uranyl nitrate solution be stored in a buffer tank, and added to a precipitation tank in controlled increments. However, as per a company operations manual that was unapproved by regulators, technicians were mixing chemicals in stainless steel buckets instead, rather than using the buffer tank that was designed to prevent criticality incidents. The crew were pouring the liquid directly into the precipitation tank, which had a cylindrical geometry that was favorable for inducing criticality.
The tank soon ended up with over 16 kg of uranium inside, well over the 2.4 kg limit set by regulators. As the seventh bucket was added, the tank went critical with a bright blue flash. Radiation alarms wailed as neutron levels shot up to 15,000 times normal. Three technicians received extreme radiation doses with severe ill effects; two of the three later died. The facility was irradiated, with residents in surrounding areas having to evacuate in the immediate aftermath.
Much like the Los Alamos event, the cause of the problem was simple. The technicians simply combined too much fissile material in one place.
youtube.com/embed/r3fWhW_NsMs?…
CRITICALITY (1969) is a British documentary on the danger of criticality incidents, and how to avoid them. If you work with nuclear materials, you’ve ideally been educated with something more up-to-date. Still, the basic physics was well-understood back then, and the lessons here largely ring true today.
If you see someone arranging nuclear materials like this for a quick photo, you’d be well advised to tell them to stop. Credit: Los Alamos National Laboratory, Department of Energy
Los Alamos suffered an embarrassing incident in more recent times, too, though thankfully a near miss. Back in 2011, technicians had arranged a number of plutonium rods on a table in order to take a photo—the intent being to celebrate their successful production. A supervisor returning to the area noticed the close assembly of the rods and quickly instructed they be separated, lest a criticality incident occur. Disaster was averted before the dreaded blue flash occurred, but it was yet another harrowing example where fundamental safety rules around criticality had been ignored.
Lessons
So what can these unfortunate incidents teach us? Strict limits and controls on fissionable materials are key. Standard procedures that control the flow of fissionable material are important to achieve this. The Tokaimura incident showed how bypassing these protocols even briefly can be disastrous. Beyond that, it’s important that those working with these materials are cognizant of the risks at all times. Even something as simple as bringing together a few rods to take a photo could cause a major incident through carelessness.
But perhaps the biggest lesson is respecting the sheer power of fission itself. When a chain reaction starts, things go wrong fast. By the time the blue flash has told you something’s happened, it’s all too late. Radiation levels have spiked through the roof and the damage is done. There is no early warning sign in these cases. Proper procedure is the only real way to avoid disaster.
Fission remains a fickle phenomenon that is not to be trifled with. When we do trifle with it, either by honest accident or gross negligence, the results can be swift and brutal. Each of these criticality incidents was a stern reminder to humanity to maintain the utmost vigilance and safeguards when working with fissionable materials. Failure to do so always ends up the same way.
Ore To Iron In A Few Seconds: New Chinese Process Will Revolutionise Smelting
The process of ironmaking has relied for centuries on iron ore, an impure form of iron oxide, slowly being reduced to iron by carbon monoxide in a furnace. Whether that furnace is the charcoal fire of an Iron Age craftsman or a modern blast furnace, the fundamental process remains the same, even if the technology around it has been refined. Now details are emerging of a new take on iron smelting from China, which turns what has always been a slow and intensive process into one that only takes a few seconds. So-called flash ironmaking relies on the injection of a fine iron ore powder into a superheated furnace, with the reduction happening explosively and delivering a constant stream of molten iron.
Frustratingly there is little detail on how it works, with the primary source for the news coverage being a paywalled South China Morning Post article. The journal article alluded to has proved frustratingly difficult to find online, leaving us with a few questions as to how it all works. Is the reducing agent still carbon monoxide, for example, or do they use another one such as hydrogen? The interesting part from an economic perspective is that it’s said to work on lower-grade ores, opening up the prospect of Chinese steelmakers relying less on imports. There’s no word, though, on how the process would deal with the inevitable slag such ore would create.
If any readers have journal access we’d be interested in some insight in the comments, and we’re sure this story will deliver fresh information over time. Having been part of building a blast furnace of our own in the past, it’s something we find interesting.
Careto is back: what’s new after 10 years of silence?
During the first week of October, Kaspersky took part in the 34th Virus Bulletin International Conference, one of the longest-running cybersecurity events. There, our researchers delivered multiple presentations, and one of our talks focused on newly observed activities by the Careto threat actor, which is also known as “The Mask”. You can watch the recording of this presentation here:
youtube.com/embed/d3DSPtOZEck?…
The Mask APT is a legendary threat actor that has been performing highly sophisticated attacks since at least 2007. Their targets are usually high-profile organizations, such as governments, diplomatic entities and research institutions. To infect them, The Mask uses complex implants, often delivered through zero-day exploits. The last time we published our findings about The Mask was in early 2014, and since then, we have been unable to discover any further traces of this actor.
The Mask’s new unusual attacks
However, our newest research into two notable targeted attack clusters made it possible to identify several recent cyberattacks that have been, with medium to high confidence, conducted by The Mask. Specifically, we observed one of these attacks targeting an organization in Latin America in 2022. While we do not have any traces allowing us to tell how this organization became compromised, we have established that over the course of the infection, attackers gained access to its MDaemon email server. They further leveraged this server to maintain persistence inside the compromised organization with the help of a unique method involving an MDaemon webmail component called WorldClient.
Authentication panel of the WorldClient component
Implanting the MDaemon server
The persistence method used by the threat actor relied on WorldClient’s ability to load extensions that handle custom HTTP requests from clients to the email server. These extensions are configured through the C:\MDaemon\WorldClient\WorldClient.ini file, which has the format demonstrated in the screenshot below:
Sample of the WorldClient.ini file containing plugin entries
As can be observed from the screenshot above, the information about each extension includes a relative URL controlled by the extension (specified in the CgiBase parameter), as well as the path to the extension DLL (in the parameter CgiFile).
To use WorldClient’s extension feature for obtaining persistence, the threat actor compiled their own extension and configured it by adding malicious entries for the CgiBase6 and CgiFile6 parameters, underlined in red in the screenshot. As such, the actor was able to interact with the malicious extension by making HTTP requests to the URL https://<webmail server domain name>/WorldClient/mailbox.
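A defender auditing an MDaemon host would want to enumerate exactly these CgiBase/CgiFile pairs and flag any extension DLL that lives outside the WorldClient install directory. The script below is an added example for that triage, not code from the Kaspersky write-up or from MDaemon: it assumes the CgiBaseN/CgiFileN keys sit under a single INI section (the [WorldClient] section name is a guess), that legitimate extension DLLs live under C:\MDaemon\WorldClient, and the sample file content is constructed to mirror the CgiBase6/CgiFile6 pattern described above.

```python
"""Inventory and triage WorldClient extension entries in an MDaemon WorldClient.ini.

Added example for defenders; it is not code from the Kaspersky write-up or from
MDaemon. ASSUMPTIONS: CgiBaseN / CgiFileN keys live under one INI section (the
[WorldClient] name below is a guess), legitimate extension DLLs live inside the
WorldClient install directory, and the sample file content is constructed.
"""
import configparser
import re
from pathlib import PureWindowsPath

# Constructed sample: two plausible stock entries plus a sixth entry mapping the
# /WorldClient/mailbox URL to a DLL outside the install directory, mirroring the
# CgiBase6 / CgiFile6 pattern described in the write-up.
SAMPLE_INI = r"""[WorldClient]
CgiBase1=/WorldClient/Search
CgiFile1=C:\MDaemon\WorldClient\Search.dll
CgiBase2=/WorldClient/Calendar
CgiFile2=C:\MDaemon\WorldClient\Calendar.dll
CgiBase6=/WorldClient/mailbox
CgiFile6=C:\Windows\Temp\mbx.dll
"""

# Where legitimate extension DLLs are expected (assumption; adjust to the install).
EXPECTED_DIR = PureWindowsPath(r"C:\MDaemon\WorldClient")

_PAIR = re.compile(r"^cgi(base|file)(\d+)$")


def parse_extensions(ini_text):
    """Return {index: {'base': url, 'file': dll_path}} for every CgiBaseN/CgiFileN key."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str          # keep key case as written; matching is done case-insensitively
    cp.read_string(ini_text)
    entries = {}
    for section in cp.sections():
        for key, value in cp[section].items():
            m = _PAIR.match(key.lower())
            if m:
                kind, idx = m.group(1), int(m.group(2))
                entries.setdefault(idx, {})[kind] = value.strip()
    return entries


def find_suspicious(entries, expected_dir=EXPECTED_DIR):
    """Return [(index, reason, detail)] for entries a responder should look at.

    Two checks: a half-configured pair, and a DLL path outside expected_dir
    (compared case-insensitively, as Windows does).
    """
    root = str(expected_dir).lower().rstrip("\\") + "\\"
    findings = []
    for idx in sorted(entries):
        e = entries[idx]
        if "base" not in e or "file" not in e:
            findings.append((idx, "incomplete_pair", dict(e)))
        elif not e["file"].lower().startswith(root):
            findings.append((idx, "dll_outside_expected_dir", e["file"]))
    return findings


if __name__ == "__main__":
    ext = parse_extensions(SAMPLE_INI)
    for idx, e in sorted(ext.items()):
        print(f"{idx}: {e.get('base')} -> {e.get('file')}")
    for idx, reason, detail in find_suspicious(ext):
        print(f"REVIEW entry {idx}: {reason}: {detail}")
```

Run against a real file, the inventory alone is useful: every entry is a loadable DLL reachable over HTTP, so each one should be accounted for, and any flagged path should be hashed and checked against the vendor's shipped binaries before being trusted.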
Spreading the FakeHMP implant inside the network
The malicious extension installed by attackers implemented a set of commands associated with reconnaissance, performing file system interactions and executing additional payloads. We observed attackers using these commands to gather information about the infected organization and then spread to other computers inside its network. While investigating the infection that occurred in Latin America in 2022, we established that the attackers used the following files to conduct lateral movement:
- hmpalert.sys, a legitimate driver of the HitmanPro Alert software
- hmpalert.dll, a malicious DLL with the payload to be delivered
- ~dfae01202c5f0dba42.cmd, a malicious .bat file
- Tpm-HASCertRetr.xml, a malicious XML file containing a scheduled task description
To spread to other machines, attackers uploaded these four files and then created scheduled tasks with the help of the Tpm-HASCertRetr.xml description file. When started, these scheduled tasks executed commands specified in the ~dfae01202c5f0dba42.cmd file, which in turn installed the hmpalert.sys driver and configured it to load on startup.
One of the functions of the hmpalert.sys driver is to load HitmanPro’s DLL, placed at C:\Windows\System32\hmpalert.dll, into running processes. However, as this driver does not verify the legitimacy of the DLLs it loads, attackers were able to place their payload DLLs at this path and thus inject them into various privileged processes, such as winlogon.exe and dwm.exe, on system startup.
What was also notable is that we observed attackers using the hmpalert.sys driver to infect a machine of an unidentified individual or organization in early 2024. However, unlike in 2022, the adversary did not use scheduled tasks to do that. Instead, they leveraged a technique involving Google Updater, described here.
The payload contained in the malicious hmpalert.dll library turned out to be a previously unknown implant that we dubbed FakeHMP. Its capabilities included retrieving files from the filesystem, logging keystrokes, taking screenshots and deploying further payloads to infected machines. Apart from this implant, we also observed attackers deploying a microphone recorder and a file stealer to compromised computers.
Same organization, hacked by the Mask in 2019
Having examined available information about the organization compromised in 2022, we found that it was also compromised with an advanced attack in 2019. That earlier attack involved the use of two malicious frameworks which we dubbed “Careto2” and “Goreto”. As for Careto2, we observed the threat actor deploying the following three files to install it:
- Framework loader (placed at %appdata%\Media Center Programs\cversions.2.db);
- Framework installer (named ~dfae01202c5f0dba42.cmd);
- Auxiliary registry file (placed at %temp%\values.reg).
We further found that, just like in the 2022 infection case, attackers used a scheduled task to launch a .cmd file, which in turn configured the framework to persist on the compromised device. The persistence method observed was COM hijacking via the {603d3801-bd81-11d0-a3a5-00c04fd706ec} CLSID.
Regarding the framework itself, it was designed to read plugins stored in its virtual file system, located in the file %appdata%\Media Center Programs\C_12058.NLS. The name of each plugin in this filesystem turned out to be a four-byte value, such as “38568efd”. We have been able to ascertain that these four-byte values were DJB2 hashes of DLL names. This made it possible to brute-force these plugin names, some of which are provided in the table below:
| Plugin DLL name hash | Likely DLL name | Plugin description |
| --- | --- | --- |
| 38568efd | ConfigMgr.dll | Manages configuration parameters of Careto2. |
| 5ca54969 | FileFilter.dll | Monitors file modifications in specified folders. |
| b6df77b6 | Storage.dll | Manages storage of stolen files. |
| 1c9f9885 | Kodak.dll | Takes screenshots. |
| 82b79b83 | Comm.dll | Uploads exfiltrated data to an attacker-controlled OneDrive storage. |
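The name-recovery step described above amounts to hashing a wordlist and looking for collisions with the values found in the virtual file system. The block below is an added example of that method and is not Kaspersky's tooling. Because the write-up does not state which DJB2 variant Careto2 uses (input case, ASCII versus UTF-16, add versus xor mixing), the example hashes each candidate under several common variants and reports which one matched; the candidate stems and the target hashes in demo() are constructed for the example, and nothing here assumes that any of these variants reproduces the values in the table.

```python
"""Dictionary recovery of plugin names from 32-bit DJB2 hashes.

Added example illustrating the brute-force step described in the write-up; it is
not Kaspersky's tooling. The write-up does not state which DJB2 variant Careto2
uses (input case, ASCII vs. UTF-16, add vs. xor mixing), so every candidate is
hashed under several common variants and the matching variant is reported.
The candidate stems and the hashes in demo() are constructed for this example.
"""


def djb2(data, xor=False):
    """Bernstein's hash over a byte string, truncated to 32 bits.

    add variant: h = h * 33 + c      xor variant: h = (h * 33) ^ c
    """
    h = 5381
    for c in data:
        h = ((h * 33) ^ c) if xor else (h * 33 + c)
        h &= 0xFFFFFFFF
    return h


# Ways a DLL name might be fed to the hash (assumptions to try, not facts).
ENCODINGS = {
    "ascii": lambda s: s.encode("ascii"),
    "ascii_lower": lambda s: s.lower().encode("ascii"),
    "utf16le": lambda s: s.encode("utf-16-le"),
    "utf16le_lower": lambda s: s.lower().encode("utf-16-le"),
}

# Candidate names: stems seen in the tables above plus a few generic ones, with
# and without the .dll suffix (constructed wordlist).
STEMS = ["Config", "ConfigMgr", "FileFlt", "FileFilter", "Storage",
         "Kodak", "Comm", "Screen", "Keylog", "Uploader"]
CANDIDATES = [s + ".dll" for s in STEMS] + STEMS


def build_table(candidates):
    """Map hash -> [(name, encoding, xor)] for every candidate under every variant."""
    table = {}
    for name in candidates:
        for enc_name, enc in ENCODINGS.items():
            for xor in (False, True):
                table.setdefault(djb2(enc(name), xor), []).append((name, enc_name, xor))
    return table


def recover(targets, candidates=CANDIDATES):
    """Return {hash: [(name, encoding, xor), ...]} for the targets that matched."""
    table = build_table(candidates)
    return {h: table[h] for h in targets if h in table}


def demo():
    """Hashes constructed here as if read from a plugin directory; recover() is
    not told which variant produced them and has to find it."""
    targets = [djb2("Storage.dll".encode("utf-16-le")),
               djb2(b"filefilter.dll", xor=True),
               0x0BADF00D]  # a value with no candidate, to show a miss
    return recover(targets)


if __name__ == "__main__":
    for h, hits in demo().items():
        print(f"{h:08x}: {hits}")
```

The table is built once per wordlist, so extending STEMS or ENCODINGS is cheap; when a real sample's hash values refuse to match under every variant, the next things to question are the seed (5381) and whether the name is hashed with or without its extension.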
Regarding the other framework, Goreto, it is a toolset coded in Golang that periodically connects to a Google Drive storage to retrieve commands. The list of supported commands is as follows:
| Command name | Description |
| --- | --- |
| downloadandexec | Downloads a file from Google Drive, decrypts it, drops it to disk and executes it. |
| downloadfile | Downloads a file from Google Drive, decrypts it and drops it to disk. |
| uploadfile | Reads a specified file from disk, encrypts it and uploads it to Google Drive. |
| exec | Executes a specified shell command. |
Apart from the command execution engine, Goreto implements a keylogger and a screenshot taker.
Attribution
As mentioned above, we attribute the previously described attacks to The Mask with medium to high confidence. One of the first attribution clues that caught our attention was several file names used by the malware since 2019, alarmingly similar to the ones used by The Mask more than 10 years ago:
| 2007-2013 attack file names | 2019 attack file names |
| --- | --- |
| ~df01ac74d8be15ee01.tmp | ~dfae01202c5f0dba42.cmd |
| c_27803.nls | c_12058.nls |
The brute-forced DLL names of Careto2 plugins also turned out to resemble the names of plugins used by The Mask in 2007–2013:
| 2007-2013 attack module names | 2019 attack module names |
| --- | --- |
| FileFlt | FileFilter |
| Storage | Storage |
| Config | ConfigMgr |
Finally, the campaigns conducted in 2007–2013 and 2019 have multiple overlaps in terms of TTPs, for instance the use of virtual file systems for storing plugins and leveraging of COM hijacking for persistence.
Regarding the attacks observed in 2022 and 2024, we have also attributed these to The Mask, mainly for the following reasons:
- The organization in Latin America, infected in 2022, was the one compromised by Careto2 in 2019, and by historical The Mask implants in 2007-2013;
- In both 2019 and 2022 cases, the same unique file name was used to deploy implants to infected machines: ~dfae01202c5f0dba42.cmd;
- The attacks from 2019 and 2022–2024 overlap in terms of TTPs, as the malware deployed in these attacks uses cloud storages for exfiltration and propagates across system processes.
Conclusion
Ten years after we last saw Careto cyberattacks, this actor is still as powerful as before. That is because Careto is capable of inventing extraordinary infection techniques, such as persistence through the MDaemon email server or implant loading through the HitmanPro Alert driver, as well as developing complex multi-component malware. While we cannot estimate how long it will take for the community to discover the next attacks by this actor, we are confident that their next campaign will be as sophisticated as the previous ones.
If you want more technical information about Careto, please feel free to also read the research paper on this actor, published in Proceedings of the 34th Virus Bulletin International Conference.
Italy Under Attack: Guardia di Finanza, Port of Taranto and Other Institutions in the Crosshairs of NoName057(16)
The pro-Russian activist group NoName057(16) is conducting a series of targeted DDoS attacks against numerous Italian institutions and companies, with the intent of destabilising and paralysing the country’s digital infrastructure. These attacks, part of a broader campaign of cyberattacks against countries that support Ukraine, aim to damage the reputation and operational capabilities of the entities involved, using sophisticated techniques to compromise the security and reliability of Italian networks.
Motivation
According to what the hacker group reported on its Telegram channel, NoName057(16) declared its intention to “celebrate” the naming of Giorgia Meloni, indicated by Politico as the most influential politician in Europe, with a series of targeted DDoS attacks against Italian internet infrastructure, accusing her of being an ally of Ukraine and of President Zelensky.
The tool used to conduct the attacks: DDoSia
NoName057(16) is a pro-Russia hacktivist group active since 2022, known for conducting DDoS attacks against government institutions, companies and critical infrastructure in countries that support Ukraine. They use their Telegram channel to claim attacks, coordinate operations and mobilise their community of supporters. The group stands out for its use of the DDoSia tool, software designed to carry out distributed attacks with increasing effectiveness, and for its adoption of advanced techniques to evade cyber defences.
Technical operation of the tool
- Architecture and language:
  - Originally developed in Python, the tool was later rewritten in Go to improve efficiency and security.
  - It uses the HTTP protocol to communicate with the Command & Control (C2) servers, which provide instructions and targets.
- Execution and communication with the C2 servers:
  - On startup, DDoSia sends a POST authentication request to the C2 server with a payload encrypted with AES-GCM.
  - After authentication, the server provides a time identifier (epoch) and the list of targets to attack, also encrypted.
  - The requests include specific parameters, such as:
    - “U”: a hash provided via the group’s Telegram bot.
    - “C”: a GUID of the device running the tool.
    - “K”: a base32-encoded value used to access the target list.
  - Targets are distributed in an encrypted JSON file that is decrypted locally for the attack.
- Encryption and security:
  - The toolkit uses advanced algorithms such as AES-GCM to encrypt both communications and transmitted data.
  - The encryption key is generated dynamically using system information, such as the device GUID and the Process ID (PID).
  - The use of dynamic headers and values, such as random User-Agent strings, makes detection by network defences more difficult.
- Updates and improvements:
  - In 2023, new authentication mechanisms and additional layers of encryption were introduced to better hide the targets and complicate technical analysis.
  - Server responses include data structured to evade static checks, with regular variations to avoid blocking of the C2 infrastructure.
Conclusions
The DDoS attacks orchestrated by the hacktivist group NoName057(16) represent a concrete and persistent threat to Italian critical and business infrastructure. Motivated by ideological and political reasons, the group’s members exploit technically advanced tools, such as the DDoSia toolkit, to conduct cyberwarfare operations against countries perceived as hostile to Russia.
The group’s ability to adapt its techniques, improve the security of its communications and mobilise a community of supporters through social media makes it a particularly complex adversary to counter. The attacks against Italy highlight not only a well-coordinated strategy but also the intent to strike, symbolically and strategically, a country considered influential at the European level.
To confront this threat, it is essential that Italian institutions and companies strengthen their cyber defences, invest in advanced monitoring technologies and promote greater collaboration between the public and private sectors. Only through a proactive and shared approach will it be possible to mitigate the impact of this attack campaign and protect national strategic infrastructure.
The article Italy Under Attack: Guardia di Finanza, Port of Taranto and Other Institutions in the Crosshairs of NoName057(16) comes from il blog della sicurezza informatica.
Pico Logic Analyzer Gets New Version
[Happy Little Diodes] built a Pi Pico logic analyzer designed by [El Dr. Gusman] using the original design. But he recently had a chance to test the newest version of the design, which is a big upgrade. You can see his take on the new design in the video below.
The original design could sample 24 channels at 100 MHz and required two different PCBs. The new version uses a single board and can operate up to 400 MHz. There’s also a provision for chaining multiple boards together to get more channels.
You can set the level shifters to use 5V, 3.3V, or an external voltage. Since [Happy] is working on a ZX Spectrum, the 5V conversion is a necessity.
One thing that a cheap logic analyzer lets you do is dedicate it to a particular purpose. In fact, by the end of the video, we see a dedicated connector to make it easier to attach the board to a ZX Spectrum.
The code is on GitHub, although it warns you there that version 6 — the one seen in the video — isn’t stable, so you might have to wait to make one on your own. The software looks impressive and there may be some effort to integrate with Sigrok.
If you missed our coverage of the earlier version, you can still catch up. Dead set on Sigrok support? [Pico-Coder] can help you out.
Termite Ransomware: Analysis of the Threat and Its Implications
The world of cyber security is constantly evolving, with new threats emerging regularly. One of the most recent is the Termite ransomware, analysed in detail in an article by Cyble.
This malware has attracted attention for its sophistication and for its targeted attacks on specific industrial sectors. The image accompanying the article also offers a visual overview of the techniques used and of the correlations between different ransomware threats.
Characteristics of the Termite Ransomware
Termite is a ransomware that stands out for its use of advanced techniques and for the targeted choice of its victims. According to Cyble's analysis, Termite adopts the following strategies:
- Initial Access: it uses valid credentials to infiltrate target systems, often obtained through phishing or other forms of social engineering.
- Execution: once access is obtained, it runs malicious commands to establish control over the compromised system.
- Persistence: it implements mechanisms to maintain access even after reboots or removal attempts.
- Defense Evasion: it uses techniques to evade security systems, such as disabling antivirus software or obfuscating its code.
- Data Encryption: it encrypts the user's files, making them inaccessible and demanding a ransom for decryption.
These tactics make Termite a particularly insidious threat, capable of causing significant damage to the organisations it hits.
Analysis of the Image
The image accompanying the Cyble article provides a schematic representation of the techniques used by Termite and of its correlations with other ransomware. Here is a detailed description of the main elements:
- Key Entities:
  - Termite: placed at the centre of the diagram, it is the focus of the analysis.
  - Other Ransomware: entities such as Vasa Locker, Babuk and Babyk are linked to Termite, suggesting similarities in the techniques used.
- MITRE ATT&CK Techniques:
  - The lines connecting Termite and the other ransomware families to specific techniques represent the methodologies adopted during the attacks.
  - For example, technique T1486 (Data Encrypted for Impact) is common to these ransomware families, indicating the use of data encryption to extort money.
- Targeted Sectors:
  - The Technology sector is highlighted as one of the main targets, showing the preference of these ransomware families for technology companies.
- Correlations:
  - The connections between the entities and the techniques suggest a possible sharing of tools or methodologies between different attack groups.
This visual representation helps to understand the complexity of Termite's operations and its interactions with other similar threats.
Implications for Cyber Security
The emergence of ransomware such as Termite has several implications for cyber security:
- Increasing Attack Complexity: the use of advanced techniques requires organisations to adopt more sophisticated security measures.
- Need for Continuous Monitoring: implementing real-time monitoring systems is essential to detect and respond quickly to threats.
- Collaboration between Malicious Actors: the similarities between different ransomware families suggest possible collaboration or resource sharing among cybercriminals.
- Sectors at Risk: the technology sector is particularly vulnerable, making the adoption of specific protective measures essential.
To face these challenges effectively, organisations must invest in training, advanced security technologies and incident response strategies.
Conclusion
The Termite ransomware is a significant threat in the cyber security landscape. Its ability to use advanced techniques and to hit specific sectors underlines the importance of a proactive and informed defence. Understanding its modus operandi and its correlations with other threats is essential to develop effective prevention and response strategies.
The article Termite Ransomware: Analisi sulla Minaccia e le Sue Implicazioni (Termite Ransomware: Analysis of the Threat and Its Implications) originally appeared on il blog della sicurezza informatica.
The Fourth Live Class Edition of the Darkweb & Cyber Threat Intelligence Course Starts in January
After the third course ended last October, and with its participants increasingly moving into CTI through the DarkLab group, the Red Hot Cyber training team is launching its new intermediate-level professional "Live Class" training course on cyber threat intelligence. After passing the final exam, the course leads to the Cyber Threat Intelligence Professional certification issued by Red Hot Cyber, although the course is not an end in itself.
Know the underground to learn how to protect yourself better
Are you ready for a journey into the dark side of the Internet and to access the Dark Web? Are you ready to understand how cybercriminals collaborate and use computing resources?
If the answer is yes, then our new Cyber Threat Intelligence (CTI) course may be exactly what you need.
Contact us via WhatsApp at 379 163 8765 for more information or to reserve your place, or write to us at: academy@redhotcyber.com. Remember that enrolment is limited and places are few.
Led by Professor Pietro Melillo, PhD at the Università del Sannio and lecturer at the Università IUSI, this revolutionary training experience promises to give students the tools and knowledge needed to navigate the depths of the underground web safely.
Image: presentation of the CTIP certificate to a participant in Red Hot Cyber's first Cyber Threat Intelligence training course
Professor Melillo is a recognised expert in the field of cyber security, with years of experience in research and teaching. He has conducted innovative research on cyber threats and has extensive knowledge of the mechanisms that govern the Dark Web.
“Threat intelligence, or CTI, consists of data containing detailed information about the cyber security threats targeting an organisation,” explains Professor Melillo. “The course will provide both newcomers and industry professionals with the technical-operational and strategic skills needed to face the new professional challenges raised by cybersecurity.”
But what is Cyber Threat Intelligence?
Cyber Threat Intelligence (CTI) is a field of cyber security concerned with collecting, analysing and interpreting information about cyber threats. This information may concern ongoing cyber attacks, potential vulnerabilities in computer systems, hacker groups, attack methods and more.
Image: presentation of the CTIP certificate by Professor Pietro Melillo to a participant in Red Hot Cyber's first Cyber Threat Intelligence training course
The main goal of CTI is to give organisations and individuals the information they need to understand the cyber security threats that could put their data, networks or computer systems at risk. Using this information, organisations can make informed decisions about protecting their digital assets and implement more effective defence strategies.
CTI can draw on both public sources of information (OSINT), such as security reports, research articles and news, and non-public sources (CLOSINT), such as data collected from security sensors, malware analysis and intelligence reports shared between organisations.
In short, Cyber Threat Intelligence is a fundamental tool in the fight against cyber threats: it provides an in-depth, strategic overview of attackers' activities and intentions and enables organisations to prepare better and respond more effectively to cyber security threats.
How the Live Class course is structured
The course will be structured in several key stages:
- Dark web and protected networks
  - What the dark web is
  - History of the dark web
  - How to access the dark web safely
  - Underground resources
- Cyber threats
  - Threat actors
  - Underground forums
  - Botnets and infostealers
  - 0days and the exploit market
  - Access brokers
  - The dark side of Telegram
  - MaaS (Malware as a Service)
  - Threat Hunting
  - Indicators of compromise (IoC)
  - Access to underground resources
- Cyber threat intelligence
  - Cyber Threat Intelligence
  - Benefits for organisations
  - OSINT, HUMINT, TECHINT and CLOSINT sources
  - Traffic Light Protocol (TLP)
  - Collection tools
- The ransomware phenomenon
  - Ransomware cyber gangs
  - The RaaS (Ransomware as a Service) pyramid
  - Data leak sites (DLS, or "shame sites")
  - Ransomware monitors
  - Open source sources
  - Access to data leak sites
- Data collection and analysis tools
  - Open source tools, paid tools and freeware online resources
  - Monitoring and detection techniques
  - Analysis methodologies
  - Analysis tools and techniques
- Practical exercises
To attend the course, basic knowledge of internet browsing and cyber security is required. Lessons will be held as live webinars in which students can interact with the instructors online. Enrolment is limited so that the instructor can follow each individual as closely as possible and will be available for any details or clarifications about the lessons held.
Below are the dates for the fourth edition of the course:
- Sunday 9 February from 16:00 to 19:00
- Sunday 16 February from 16:00 to 19:00
- Sunday 23 February from 16:00 to 19:00
- Sunday 2 March from 16:00 to 19:00
- Sunday 9 March from 16:00 to 19:00
Professor Melillo presents the CTIP certification certificates to course participants.
At the end of the course, Red Hot Cyber will issue a certificate of participation after completion of the tests that attest to the achievement of the skills acquired. For those who give their consent, the corresponding certificate number and name will be published on the certifications page.
Difference between Live-Class and E-Learning courses
Live class courses are an interactive and dynamic training experience, ideal for those who want direct contact with the instructor and active participation. Students follow the lessons online in real time and can ask questions, receive immediate clarifications and explore complex topics through dialogue. In intermediate-level courses, such as the one on Cyber Threat Intelligence (CTI), this format makes it possible to tackle advanced topics with the continuous support of the professor, who is also available during the week to resolve doubts and provide further assistance.
E-learning courses, on the other hand, offer maximum flexibility and autonomy, making them particularly suitable for those approaching a subject for the first time or who need to manage their own study time. With recorded lessons available at any time, students can build their own learning path without schedule constraints. For basic-level CTI courses, this format makes it possible to approach the fundamentals of the subject. Although interaction with the instructor does not take place in real time, students can send questions by email and receive answers to clear up any uncertainties.
You can currently buy the E-Learning version of the “Dark Web e Cyber threat Intelligence” course with a 20% discount until December 2024 using this link on our Academy platform.
But after the course comes the best part…
The “Dark Web & Cyber Threat Intelligence” course designed by Red Hot Cyber offers a hands-on experience that continues even after the training path ends. Participants who wish to do so will have the opportunity to join the “DarkLab” collective, where, under the guidance of experts, they can contribute to writing reports and articles, interviews with threat actors and in-depth pieces on cyber threat intelligence.
This learning path is unique of its kind: Red Hot Cyber offers exclusive access to cyber threat intelligence analyses and reports, published regularly on the blog. Participants will be able to explore the realities of the digital underground, with the possibility of conducting specific and targeted analyses, an opportunity you will not find elsewhere.
Further useful information:
- Course page “Darkweb e Cyber Threat Intelligence”: redhotcyber.com/academy/corso-…
- Certifications page (only for those who consent to the publication of their name): redhotcyber.com/academy/certif…
- Presentation of the CTIP certificates at the Red Hot Cyber Conference (at 2:18): youtube.com/watch?v=p71gQYUnv7…
- Some LinkedIn posts with information about the course, from previous participants in the course and the CTIP certification.
- The Dark Lab group: https://www.redhotcyber.com/post/nasce-dark-lab-il-team-di-cyber-threat-intelligence-della-community-di-red-hot-cyber/
The article Al Via la Quarta Edizione in Live Class del Corso Darkweb & Cyber Threat Intelligence in partenza a Gennaio (The Fourth Live Class Edition of the Darkweb & Cyber Threat Intelligence Course Starts in January) originally appeared on il blog della sicurezza informatica.
Tiny PONG, Big Ambitions: World’s Smallest Arcade
London, Ontario college student [Victoria Korhonen] has captured the attention of tech enthusiasts and miniaturization lovers with her creation of what might be the world’s smallest arcade machine. Standing just 64 mm tall, 26 mm wide, and 30 mm deep, this machine is a scaled-down marvel playing the classic Atari game PONG. While the record isn’t yet official—it takes about three months for Guinness to certify—it’s clear [Korhonen]’s creation embodies ingenuity and dedication.
[Korhonen], an electromechanical engineering student, took six months to design and build this micro arcade. Inspired by records within reach, she aimed to outdo the previous tiniest arcade machine by shaving off just a few millimeters. During the project she faced repeated failures, but viewed each iteration as a step towards success. Her miniature machine isn’t just a gimmick; it’s fully functional, with every component—from paddle mechanics to coding—developed from scratch.
[Korhonen] is already eyeing new projects, including creating the smallest humanoid robot. She also plans to integrate her electromechanical expertise into her family’s escape room business. Her journey aligns with other hobbyist projects pushing the limits of miniaturization, such as this credit card-sized Tetris clone or [Aliaksei Zholner]’s paper micro engines.
Danger-Klipper Fork Renamed to Kalico
Hobbyist 3D printers have traditionally run the open source Marlin firmware, but as printers are being pushed to their limits, more capable firmware such as Klipper is being developed. This is why the aptly named ‘Danger-Klipper’ fork of the Klipper firmware comes with the motto ‘I should be able to light my printer on fire’. Because the goal of Danger-Klipper wasn’t literally to light printers on fire (barring unfortunate accidents), the project has now been renamed to Kalico by the developers, after the pirate Calico Jack, to maintain the nautical theming.
The Kalico project logo.
Not only does the project get a new name, but also a cute new pirate-themed calico cat logo. Beyond these changes not much else is different, though the documentation is obviously now also at a new domain. As a Klipper fork just about any printer that can run Klipper should be able to run Kalico, though the focus is on Raspberry Pi 2, 3 or 4. The FAQ has some more details on what Kalico can run on. Obviously, Kalico makes for a great option if you are building your own customized 3D printer (or similar), and will support the typical web UIs like Fluidd, OctoPrint, etc.
For some of the differences between Klipper and Kalico, the ‘Danger Features’ section of the documentation provides an impression. Suffice it to say that Kalico is not the kind of firmware to hold your hand or provide guiderails, making it an option for advanced users for whom breaking things while pushing boundaries is just part of the hobby.
Thanks to [Vinny] for the tip.
Chaotic System Cooks Meat Evenly
For better or worse, a lot of human technology is confined to fewer dimensions than the three we can theoretically move about in. Cars and trains only travel two dimensionally with limited exceptions, maps and books generally don’t take advantage of a third dimension, and most computer displays and even the chips that make them work are largely two-dimensional in nature. Most styles of cooking can only apply heat in a single dimension as well, but [Dane Kouttron] wanted to make sure the meat his cookouts took advantage of a truly three-dimensional cooking style by adding a gyroscopic mechanism to the spit.
The first thing that needed to be built were a series of concentric rings for each of the three axes of rotation. Metal tubes were shaped with a pipe bender and then welded into their final forms, with an annealing step to flatten the loops. From there, the rings are attached to each other with a series of offset bearings. The outer tube is mounted above the fire and a single motor spins this tube. Since no piece of meat is perfectly symmetrical (and could be offset on the interior ring a bit even if it were) enough chaos is introduced to the system that the meat is free to rotate in any direction, change direction at any time, and overall get cooked in a more uniform way than a traditional single-dimensional rotating spit.
As a proof of concept [Dane] hosted a cookout and made “gyro” sandwiches (even though the machine may technically be more akin to a gimbal), complete with small Greek flag decorative garnishes. It seems to have been a tremendous success as well. There are a few other novel ways we’ve seen of cooking food over the years, including projects that cook with plasma and much more widely available methods that cook food efficiently using magnets, of a sort.
Retrotechtacular: 1980s Restoration of San Francisco’s Cable Car System
The cable car system of San Francisco is the last manually operated cable car system in the world, with three of the original twenty-three lines still operating today. With these systems having been installed between 1873 and 1890, they were due for major maintenance and upgrades by the time the 1980s, and with them their 100th year of operation, rolled around. This rebuilding and upgrading process was recorded in a documentary by a local SF television station, which makes for some fascinating viewing.
San Francisco cable car making its way through traffic. Early 20th century.
The cars themselves were fairly straightforward to restore, and the original grips that latch onto the cable didn’t need any changes. But there were upgrades to the lubrication used (originally pine tar), and the powerhouse (the ‘barn’) was completely gutted and rebuilt.
As opposed to a funicular system where the cars are permanently attached to the cable, a cable car system features a constantly moving cable that the cars can grip onto at will, with most of the wear and tear on the grip dies. Despite researchers at San Francisco State University (SFSU) investigating alternatives, the original metal grip dies were left in place, despite their 4-day replacement schedule.
Ultimately, the rails and related guides were all ripped out and replaced with new ones, with the rails thermite-welded in place, and the cars largely rebuilt from scratch. Although new technologies were used where available, the goal was to keep the look as close as possible to what it looked like at the dawn of the 20th century. While more expensive than demolishing and scrapping the original buildings and rolling stock, this helped to preserve the look that has made it a historical symbol when the upgraded system rolled back into action on June 21, 1984.
Decades later, this rebuilt cable car system is still running as smoothly as ever, thanks to these efforts. Although SF’s cable car system is reportedly mostly used by tourists, the technology has seen somewhat of a resurgence. Amidst a number of funicular systems, a true new cable car system can be found in the form of e.g. the MiniMetro system which fills the automated people mover niche.
Thanks to [JRD] for the tip.